Friday, June 30, 2017

GET THE TICKET FIRST, BEFORE THE TRAIN COMES

(Buy the ticket first, before the train arrives)

A few weeks ago I was invited to Bandung for a sharing session on leadership. The event turned out to be quite interesting and was attended by hundreds of participants from several universities, companies and the general public.

Then a participant asked a question. Let's call her Fauzia; she works in the marketing department of a company. Fauzia looked smart, pretty and graceful in the blue hijab she was wearing that day.
"Pak Pam, I was really interested in your presentation on leadership today. But it left me wondering... because where I work, leaders are often not chosen on the basis of competence. And this frustrates a lot of people. So I keep asking myself, what is the point of developing myself? If promotion to a leadership position is so often based on whether someone is liked or not, on ethnicity, on whose friend they are, and not on who is more competent... What is the point of developing my competence, sir? How should I deal with this?"

Fauzia fired off her words without pause. I could see frustration and disappointment there. The Q&A session had evidently turned into a venting session 😀.

But the question is very valid, and probably one that many people feel.

I will explain it from two angles.
1. Get ready before the opportunity comes
2. How to develop your leadership competence

Let's take them one at a time...

Should you develop yourself into a good leadership candidate even though you may never get the position, as Fauzia asked in the story above?
Well, the analogy is buying a ticket before the train arrives.
If you don't have a ticket when the train arrives, you won't be able to board.
Likewise, if you don't prepare and develop yourself, then when the opportunity to lead arrives, you won't be a good leader.

So what if you have learned and developed yourself as a leader, but you are not promoted in your current company...

Three alternatives...
1) You can wait for the next promotion opportunity (while continuing to develop yourself)
2) You lose nothing, because you remain a good leader for your environment, for your family and for yourself
3) And if you really think you are good, there is nothing wrong with testing yourself and applying to another company (remember: you may apply, but you must keep performing at your maximum until you have actually moved to the new place)

Now, how do you develop your leadership competence?
We can try the steps below...

1. Be a good follower
Remember, before you become a good leader, you must first be a good follower.
So you must try to understand your leader, understand their direction and carry out all their instructions.
Hard, isn't it? We are so used to just complaining.
But if you can't even be a follower, how do you expect to become a leader?

2. Be a good team player
Next, be a good team player.
This is about how you work with colleagues at the same level as you.
You have to collaborate and put the team's objective above your own.
Here you learn to do "influencing without authority", which will be very useful in the future.

3. Analyze what you would expect from your leader and create your own learning plan
Now you start learning leadership in a simple way.
Remember, leadership has three angles...
- Lead Your Business
- Lead Your Team
- Lead Yourself
From those three angles, observe your current boss.
See what he or she has done well.
Observe, study and imitate it.
Then, for the things he or she does really badly...
Observe, study, do not imitate, and do the opposite.
So whatever kind of leader you have, don't complain every day; it's useless.
Instead, learn from him or her from both sides...
Now write down those learning points and make an action plan to implement them.

4. Start to learn and implement your plan
Here you start working on the things you identified in step 3.
Start learning in these three ways...
- learn the theory from books or the Internet
- start applying it in your daily work
- learn from a coach/mentor at your workplace

5. Get feedback from others
After you have put step 3 into practice, you should get feedback from your colleagues...
- what did you do well
(ask for 3 areas where you have done well)
- what do you need to improve
(ask for 3 things you need to improve)
Then you can focus on those things.

Repeat steps 1 to 5 continuously, because life is continuous learning and continuous improvement.

Warm regards

Pambudi Sunarsihanto


Thursday, June 29, 2017

China Runs, Indonesia Is Busy Dreaming -- so true..

*China Runs, Indonesia Is Busy Dreaming*

(Budiman Soedjatmiko)

Why Is China Moving Faster Than Other Nations??
Only 25 years after Deng's reforms, China is already level with the US in terms of prosperity.
China has now overtaken the West in science and technology.
This is proven by the fact that over the last 10 years more than 60% of the world's patents have come from China.

Why? Because the state plays an effective, focused and professional role.

1. *All officials, including the president, are career professionals. The president is selected on a track record of more than 30 years of work in government.*

So it is not based on political parties, but on professional careers.
The people's representatives, more than 1,000 of them, are elected as regional representatives through a simple electoral process.

So China does not need to spend on general elections, or go to the trouble of paying for representatives whose work is nothing but sniping and empty talk.

Just imagine: the cost of an election is 40 trillion rupiah, just to elect a president and vice president and 500 representatives.
The same amount would be enough to fund the construction of the Trans-Sumatra toll road.

2. *In terms of law, China is very simple and cheap.*

- Theft with violence: death penalty.
- Corruption above Rp 1 billion: death penalty.
- Petty theft without violence: forced labor.
- Corruption below Rp 1 billion: forced labor.
- Social offenses such as prostitution, illegal gambling and trading in prohibited places: forced labor.

The length of forced labor depends on the severity of the sentence.
The judicial process in China is also simple and cheap.
That is why China does not need many lawyers or prisons.
Imagine if 1.3 billion people lived under a legal system like Indonesia's: how many prisons would have to be provided, and how many lawyers would the state have to pay for?

In addition, forced labor is always directed by the state toward completing development projects, such as building roads, waterways and so on, so prisoners are put to productive work.

3. *Everyone can borrow money from a bank without collateral, because all assets belong to the state, at a very low interest rate of about 3% per year, and 0% if invested abroad.*

All banks are state-owned, so defaulting on a loan = corruption: above Rp 1 billion, the death penalty.
Below Rp 1 billion, forced labor.
Everyone may trade in the places provided by the government.
If the goods don't sell because the government placed the trader badly, the loss is borne by the state; but if the loss is due to laziness, the trader is blacklisted from trading. In China there is no place for lazy people.

4. *Religion is not forbidden to anyone, but organizing large numbers of people for political purposes in the name of religion is prohibited.*

Thousands of years of experience as a nation have taught them that living in peace is an extraordinary blessing, not a free gift but something that must be fought for.

A peaceful society, stable politics, law that is firm but simple and cheap, and bank credit open to everyone
move the entire Chinese people to focus on development.

The development energy of 1.3 billion people is what keeps China running.

And Indonesia??
Still busy with politics, while the people are lulled by all kinds of promises that keep them busy dreaming.

Fanky Christian
Mobile: 08121057533

Wednesday, June 28, 2017

Petya Malware Threat

To:
NOC ISP/NAP


SECURITY ALERT

Following the WannaCry ransomware outbreak some time ago, a new and similar
ransomware threat has now emerged, referred to as the Petya malware.

In anticipation of the incident spreading at the start of the working day on
Monday, 3 July 2017, after the long Eid al-Fitr 1438 H holiday, Id-SIRTII/CC has
prepared the following prevention and mitigation steps for this ransomware.
Please distribute them to your respective stakeholders and, where possible,
contact the officer responsible for incident handling directly, since the
national holiday period is still in effect.

NOTE: in general, the handling steps for the Petya ransomware are similar to
those for the WannaCry ransomware. Information on this can be accessed at the
following address:

(Assuming the PC is powered on)

A PC infected with the Petya ransomware will display the following warning
after it reboots:

DO NOT TURN OFF YOUR PC! IF YOU ABORT THIS PROCESS, YOU COULD DESTROY ALL
OF YOUR DATA! PLEASE ENSURE THAT YOUR POWER CABLE IS PLUGGED IN!

If this message appears, TURN OFF your PC immediately. As long as the PC stays
powered off, your data will be fine.

(Precautionary steps, assuming the PC is powered off)

1. Disconnect the wired LAN connection or turn off WiFi (temporarily, until all
the mitigation steps have been completed and it has been confirmed that the
computer's operating system is up to date and important data has been saved /
backed up)

2. Back up all data on PCs / clients / hosts and on servers, especially file
shares. To be safe, do this even if the server runs Linux, macOS, etc. It is
also recommended to back the files up to an external drive, then unplug that
drive and store it somewhere else. If the machine is connected to synchronized
online cloud storage, disconnect it temporarily until everything is safe.

3. Download the tools and security patches manually from another computer that
is confirmed to be clean.

4. Install the downloaded tools and security patches on the target (victim)
computer.

5. Run a full scan of the PC / laptop with an antivirus product that has a Total
Security feature, provided the AV is running the latest updates.

6. Disable the macro service in MS Office and the SMB service on PCs / clients /
hosts and on servers, enable the firewall and block ports 139, 445 and 3389
temporarily, until the whole mitigation, backup and patching process has been
completed and there are no further problems:

- How to disable the macro service:
documents-7b4fdd2e-174f-47e2-9611-9efe4f860b12

- How to disable the SMB service:
smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-
windows-server-2008-r2,-windows-8,-and-windows-server-2012

- How to disable WMIC (Windows Management Instrumentation Command-line)

For further communication and consultation, please contact:

for general information requests about this threat
for incident reports and requests for technical assistance

Whatsapp M.S. Manggalanny: +62 811-99-360-71 ; Adi Jaelani: +62 857-2414-4246


Regards,

Team Monitoring
Id-SIRTII/CC
Indonesia Security Incident Response Team on Internet
Infrastructure/Coordination Center

Office:
Ravindo Tower 17th Floor
Kebon Sirih Road No. 75 Central Jakarta - Indonesia 10340
Ph        : +6221-3192 5551
Fax       : +6221-3193 5556

Fanky Christian
Director
PT DAYA CIPTA MANDIRI SOLUSI
datacenter-cabling-monitoring
mobile: 08121057533
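The host-level items of the circular (step 1, isolate the machine, and step 6, SMB off, firewall on with 139/445/3389 blocked, Office macros off) collected into one PowerShell run. This is an added example and not part of the Id-SIRTII/CC circular; the Windows/PowerShell versions, the Office registry path ("16.0", i.e. Office 2016) and the firewall rule name are our assumptions and may need adjusting.

```powershell
# Added example, not part of the Id-SIRTII/CC circular: applies the circular's
# temporary host-level measures (step 1 and step 6) on a Windows endpoint and
# prints the resulting state so the operator can verify it before reconnecting.
# Assumptions (ours, not the circular's): Windows 7 SP1 or later with PowerShell
# 3.0+, run elevated at the console (step 1 drops every connected adapter, so
# never run this over a remote session); Office 2016 registry version "16.0";
# the firewall rule name below.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'
$RuleName = 'TEMP-Petya-block-inbound-139-445-3389'
$LogPath  = Join-Path $env:ProgramData ('petya-mitigation-{0:yyyyMMdd-HHmmss}.log' -f (Get-Date))
Start-Transcript -Path $LogPath | Out-Null

# Step 1: isolate the host. Adapter names go to the transcript so they can be
# re-enabled (the adapter's Enable() method) once patching and backup are done.
$connected = Get-WmiObject -Class Win32_NetworkAdapter -Filter 'NetConnectionStatus = 2 AND PhysicalAdapter = TRUE'
foreach ($nic in $connected) {
    Write-Output "Disabling adapter '$($nic.NetConnectionID)' ($($nic.Name))"
    $null = $nic.Disable()
}

# Step 6, SMB: the worm's EternalBlue/EternalRomance component needs SMBv1, so turn
# it off on the server side (registry value honoured on Windows 7 through 2016, plus
# the cmdlet where it exists) and on the client side (service names taken from
# Microsoft's SMB guidance that the circular links to).
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
    -Name SMB1 -Type DWord -Value 0 -Force
if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
sc.exe config mrxsmb10 start= disabled | Out-Null

# Step 6, firewall: every profile on, inbound SMB (139/445) and RDP (3389) blocked
# until MS17-010 is confirmed installed. netsh is used because it exists on every
# Windows version in scope.
netsh advfirewall set allprofiles state on | Out-Null
netsh advfirewall firewall add rule name=$RuleName dir=in action=block protocol=TCP localport=139,445,3389 | Out-Null

# Step 6, Office macros: VBAWarnings = 4 is "disable all macros without notification",
# set per user for Word, Excel and PowerPoint. Change "16.0" for other Office versions.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Microsoft\Office\16.0\$app\Security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name VBAWarnings -Type DWord -Value 4
}

# Verification: target state is SMB1Server = 0, BlockRulePresent = True, WordVBAWarnings = 4.
$smb1 = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters').SMB1
netsh advfirewall firewall show rule name=$RuleName | Out-Null   # exit code 1 when no rule matches
[pscustomobject]@{
    SMB1Server       = $smb1
    BlockRulePresent = ($LASTEXITCODE -eq 0)
    WordVBAWarnings  = (Get-ItemProperty 'HKCU:\Software\Microsoft\Office\16.0\Word\Security').VBAWarnings
    Transcript       = $LogPath
} | Format-List
Stop-Transcript | Out-Null
```

Two things the script deliberately does not do. The SMB1 registry change and the firewall rule are temporary by design: remove the rule (netsh advfirewall firewall delete rule name=TEMP-Petya-block-inbound-139-445-3389) only after the MS17-010 update is confirmed on the host, and keep SMBv1 off permanently unless a legacy device needs it. The circular's WMIC item is also left out: this variant moved laterally inside networks with harvested credentials over WMI and PsExec, which is why patching SMB alone is not enough, but blanket-disabling WMI breaks most Windows management tooling, so that decision belongs with the administrator rather than in a script.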

Tuesday, June 27, 2017

The collapse of Seven-Eleven Indonesia is not a matter of government policy - a response to Prof. Rhenald Kasali's article

WHAT IS YOUR PURPOSE?

(What is the real purpose of your business?)

That afternoon I met Sean Kelly,
a CEO in Los Angeles. His company sells healthy snacks to companies in America, which then give them to their employees for free. His business is growing fast, growth is healthy and the number of customers keeps increasing.
Lately the snack business has indeed become a trend in America.
In the past, companies may have provided only drinking water. Then they provided coffee and tea. Sean said that any company in America today that does not provide coffee for its employees would be regarded as a North Korean government agency, and sooner or later all its talent would flee.
Now the same trend is happening with healthy snacks. And statistics show that about 35 percent of companies in America already provide healthy snacks for their employees.
And that trend will keep growing.

Sean invited me to visit his office. The place was simple but very coolly designed. I'm sure the millennial generation would love working there. While they work there is always trendy music playing, and there is a yoga room, a gym and exercise spots all around the edge of the room.
Only in the middle do they have work desks, in an open-space layout.
I even saw an employee who had brought a dog, which sat quietly under the desk.
Everyone was smiling and laughing. As a start-up that is not yet big (where everybody does everything), I'm sure their work is heavy and challenging. But they have fun,
they are happy and they enjoy doing what they do.

So I asked Sean how, as their leader, he managed to create an atmosphere like that.
Surely many CEOs would want an atmosphere like that too?

Sean took a sip of mineral water.
"By the way, sorry, I can't sit down yet. I went skiing yesterday and fell. My leg still hurts when I sit. I have to stay standing for the next 3-4 days."

"But listen, we managed to get people excited, because we don't sell snacks."

What? Hadn't he just said that he supplies snacks to companies in America?

Sean continued: "We have a purpose. Our purpose is to help companies create cool workplaces."

We help companies create a great place to work. And by the way, we sell snacks.

So we did not start by thinking that we sell snacks. We started by stating that, first of all, we help companies create workplaces that are great, fun and cool.
That's our purpose!

Who wouldn't be attracted by that?

Look at the way we see things. If we only sold snacks...
- our employees might see us as no different from any grocery store, convenience store or supermarket
- we might think the most important thing is that it tastes good
- we might think what matters is that the price is low while we still make a high margin
... and so on

But because our main purpose is to "help companies create a great, fun and cool working atmosphere", everyone thinks...
- that the products we design must also be "cool"
- that we must be trend setters, so that companies can show off our products to attract millennials
- that our employees (who are millennials themselves) will be proud to work with us, because they are the ones creating and delivering that cool product!

That's why we have to start with a purpose.
That is why so many companies have done the same, beginning their business by "starting with a purpose".

Apple started out to "challenge the status quo" (against the dominance of the IBM-compatible PC) and succeeded in designing the very cool MacBook.
Citibank wanted to be "the only global bank", so it is present in 143 countries (while its closest rival is present in only 82).
Ikea wanted to
provide "cool furniture at an affordable price".
And they provide great-looking furniture at affordable prices.

Don't think about business by starting from the idea of making as much profit as possible. You start your business with a purpose! You start your business with why you want to do your business.
(I am reminded of a friend of mine, Putri, who even when guiding her children on what to study at university starts by asking "why do you want to do that?")

Clear, isn't it?
Average or mediocre companies start their business by asking
- what they will do
- and then, how they will do it
and often many of their employees never understand "why they do that".

Great leaders like Sean, and the great companies I mentioned above, start by asking why they want to do it, then what they will do, and only at the end "how they do it".

Sean then explained the mindset he follows in more depth....


1. Understand your purpose

Start everything by asking what the goal really is. What is your purpose? Start with why!

2. Develop your product and service accordingly

Design your product and service in line with your purpose.
Make sure every feature of your product and service actually supports the purpose you want to achieve!

3. Put your differentiators

Because you understand your purpose, you must also design the strengths and advantages of your product (the ones your competitors don't have), and the ones most aligned with the purpose you want to achieve.

4. Consistent message to your employees and customers

Once your product has been designed and produced according to points 1-3, make sure that all your employees and customers really understand it.
You must send a consistent message about "your purpose", regularly.

5. Everybody has to execute with discipline

Last but not least, the key is execution. Everybody has to execute with strong discipline, consistently, implemented by every employee at every level in every department.

And with those steps, Sean managed to make all of his employees excited,
motivated and engaged!

Interesting to try and imitate, isn't it?

So remember: to create a meaningful business where you (and all your people) will be excited, motivated and engaged to work hard together, start with a purpose!

1. Understand your purpose
2. Develop your product and service accordingly
3. Put your differentiators
4. Consistent message to your employees and customers
5. Everybody has to execute with discipline

Good luck trying it!

Warm regards
(Los Angeles, March 2017)

Pambudi Sunarsihanto

Friday, June 23, 2017

Make Sense of Endpoint Malware Protection Technology

Published: 25 April 2017 ID: G00320339

Summary

The goal of endpoint malware protection is a solution that offers low administrative overhead, low end-user impact and the best available protection. Security and risk management leaders can make educated trade-offs within endpoint protection to achieve two of these three aims.

Overview

Key Challenges

  • The marketing hype around "next-gen AV" and the IT industry's fascination with machine learning distracts from and creates confusion about the real value provided by different protection techniques.
  • Unclear perceptions turn up constantly, as many techniques have similar names or umbrella terms like "application control," which can vary wildly in terms of actual capabilities.
  • Blending technologies from multiple vendors risks agent bloat and software conflicts, resulting in disabled protection features and less-than-optimal configurations.
  • Not all malware requires an exploit: users can simply be tricked into downloading and running it.

Recommendations

Security and risk management leaders overseeing endpoint and mobile security should:
  • Design an endpoint protection strategy that consists of good security hygiene, layered protection and detection technologies, and end-user education.
  • Avoid duplication of security capabilities across multiple solutions; instead, fully deploy existing protection and then begin to identify specific areas to augment.
  • Avoid knee-jerk reaction purchases by mapping new purchases to gaps and taking the time to run a useful proof of concept to ensure the technology can fit or enhance existing workflows.
  • Use a combination of internal testing and third-party effectiveness tests to verify vendor claims. Vendor-sponsored or -commissioned comparisons can be useful data points, but should not be given the same weight as impartial tests.

Introduction

Endpoint protection is not simple. Security and risk management leaders struggle to find the right balance between threat coverage, administrative overhead and end-user impact. Table 1 illustrates, at a high level, the impact that the most common anti-malware techniques can have for most organizations.
Table 1. Common Anti-Malware Techniques

Technique               Threat Coverage   Admin. Requirement   End-User Impact
Signatures              Low               Low                  Low
Machine Learning        Medium            Low                  Low
Application Control     High              High                 High
Application Isolation   Medium            High                 High
Behavioral Analysis     High              Medium               Low
Exploit Mitigation      Medium            Low                  Low

Source: Gartner (April 2017)
These technologies each carry different capabilities and, importantly, limitations. Although some technologies appear to offer similar functions, they are often marketed as the ideal solution for malware prevention. The hype around artificial intelligence and machine learning is adding more confusion to the matter.
In practice, a combination of technologies will provide the widest protection against malware attacks. Most attacks exploit well-known unpatched vulnerabilities, use social engineering to trick users into installing malware, or use interpreted code such as Java to download and install malware. Fileless malware is becoming more and more prevalent in the threat landscape. To address such challenges, security and risk management leaders have a range of options from both established and emerging vendors. Most buyers continue to consider emerging solutions to be complementary, rather than outright endpoint protection platform (EPP) replacements. These options are covered from a technical perspective in "Comparing Endpoint Technologies for Malware Protection."
The expansion of malware protection technologies in EPPs over the past five years has delivered various advantages, including fewer updates and less administrative overhead, and provided for better protection at specific stages of the kill chain or for specific classes of malware.
It is important to consider education as a key part of the fight against malware. Users remain the weak links — they are impressionable, and subject to deception and coercion. Security awareness programming plays an important part in informing staff and partners of their responsibility in limiting vulnerable behavior.
Signature-based detection is the most well-known approach to malware detection. Because signatures and heuristics use pattern matching to identify malicious files — meaning the vendor must have seen the file to create the signature — it is also the most criticized. Of course, no modern malware protection solution relies solely on malware signatures. Modern endpoint protection platforms will also include one or more of the following technologies:
  • Application control limits the applications and processes that may execute on an endpoint. The goal is to apply a "default deny" enforcement model, whereby everything that is not known or trusted is not executed.
  • Isolation or containment solutions allow installed endpoint applications to process potentially malicious files (such as web pages or downloaded documents) safely by isolating the processing of those files from the rest of the system.
  • Behavior analysis provides rule-based monitoring where applications and processes are observed for particular indicators of intrusions that may be blocked or detected.
  • Endpoint detection and response (EDR) technologies monitor endpoint activities and aid in the detection, containment, investigation and remediation of malicious behavior.
  • Exploit technique mitigation prevents software exploits by enforcing in-memory protection. It guards against memory overflow attacks and against other attack methods that take advantage of software vulnerabilities.
By themselves, none of these technologies is a panacea for the intricacies of malware intrusion, and some carry weaknesses of their own. Security and risk management leaders should assess new malware protection solutions by discerning what distinguishes these technologies and how the various solutions can combine to form a more formidable malware prevention plan.

Analysis

Include Signature Technology in a Layered Protection and Detection Strategy

The majority of anti-malware solutions, such as EPPs, secure web gateways (SWGs), secure email gateways and unified threat management (UTM) solutions, include some form of signature detection — a fundamental piece of endpoint protection. A purely signature-based detection method has low success rates against sophisticated malware because, by its nature, it can only match to known malware and minor variants. Signature detection is easy to evade and signatures may take a while to develop. They require every endpoint to update frequently or to use cloud-based signature look-ups. For these reasons, it is uncommon to find EPPs that solely rely on signatures.
Most solutions use the cloud to look up the latest reputation information for a previously unseen file; however, the cloud is not available to systems that aren't connected to the internet but are nonetheless vulnerable to malware.
Signature-based detection is strong at blocking common attacks without using more resource-intensive or end-user-impacting technology, but some security vendors incorrectly frame this method of detection as an indicator of outdated technology. Despite some marketing claims to the contrary, signatures and heuristics do have advantages:
  • Proactive protection against known malware. Scanning a file prior to execution prevents infection, assuming a signature exists for that threat. There is no need to utilize more resource-intensive inspection techniques if a file is known to be bad.
  • Very low false-positive rates (FPRs). False positives do occur, especially with more aggressive heuristics engines, but most solutions have a very low FPR. Having a low FPR is critical for EPP solutions that are expected to protect endpoints autonomously. Almost every traditional vendor has at one time incorrectly convicted critical Windows files as malicious, rendering operating systems unusable.
  • Prevents false positives in other, more aggressive techniques. Signatures can be used to help mitigate false positives in more aggressive detection techniques. When used as a method to "protect" known good files instead of purely to detect known bad, signature-based detection is a strong addition to a solution's technology stack.

Use Machine Learning to Reduce the Reliance on the Distribution of Signature Updates

The technology community in general is thrilled by the potential of machine learning, and machine learning has the potential to play an even greater part in the malware prevention space than it does today. Vendors use supervised machine learning engines to process large numbers of malicious files and large numbers of prevalent, known-good files. The resulting model can be run locally on the endpoint device or in the cloud, and it can test a file for similarities to good or malicious files.
The advantages of this form of detection include:
  • No malicious code is run. The detection is usually made in the pre-execution phase, before running code.
  • No signatures are used when run on the endpoint. A mathematical model is used instead of the traditional signature database, removing the dependence on large disk and memory footprint along with the struggles associated with updating endpoint devices.
  • New malware can be detected by the same model. Predictive models can use the statistical scoring to detect malware that has not been analyzed before.
  • No internet connection is required. All scanning is local, and no cloud-based look-ups are required.
However, security and risk management leaders should also recognize the limitations and current weaknesses of machine learning as a stand-alone anti-malware resource.
The use of packer and encryption technologies limits the inspection model's coverage of the actual malware. Solutions running a purely predictive machine learning model on the endpoints suffer the risk that malware authors will: (1) study the detection behavior of the model on the endpoint, (2) adapt their malware code, and (3) attempt to evade detection.
Solutions should be able to avoid false positives, but it is inevitable that there will be files that are very close to the good and the bad model, resulting in both false positives and false negatives. EPP solutions solely relying on machine-learning-based detection can carry a high false-positive rate. EPP solutions generally combat false positives by adding other techniques, such as whitelisting known good files or cloud lookups for files that are too close to call, or by using signature-based whitelisting. With mathematical models that are infrequently updated, organizations may find themselves building an extremely long and hard-to-manage whitelist.
Recommendations
  • Ignore biased claims by endpoint security vendors that signatures are useless.
  • Update to the latest version of the incumbent EPP, as newer releases are less dependent on signatures and supplemented by additional protection techniques.
  • Ensure the vendor provides a solid workflow to manage false positives and false negatives — be wary of solutions relying on a manual whitelist and blacklist capability.

Improve Visibility With EDR or EPP Tools That Focus on Applications and Processes

Security analysts cannot truly begin to harden systems and infrastructure without a solid understanding of what is running in an environment. EDR and EPP tools that report on applications and processes will provide data points that can be used to strategize a plan to reduce the attack surface.

Application Control/Whitelisting

Application control and application whitelisting apply a default deny enforcement model, where an application or process that is not explicitly whitelisted is deemed to be untrusted. Untrusted processes can be blocked outright or, with solutions that provide for dynamic decision making, can run with extra protection or scrutiny.
As a malware protection technology, application control has various strengths:
  • Provides strong default deny prevention. If tight policies are used, application control provides strong protection against malware, especially when used in concert with technology that prevents legitimate processes from acting maliciously.
  • Incurs low machine overhead. Application control solutions do not have a significant impact on endpoint resources.
  • Offers broad platform support. Application control can be used to keep unsupported and/or unpatched systems secure. Legacy systems that still run on Windows 2000 or Windows XP only, for example, can be locked down by using a restrictive application control policy, typically in combination with some form of memory protection.
  • Requires no signature files/updates. Application control is independent of malware signature files that require frequent updates. However, more advanced use, such as relying on file reputation in a more dynamic environment, requires access to the latest file reputation databases, typically over the internet.
  • Applies to all potentially unwanted programs. Application control catches categories of applications that are not technically malware but might compromise security, such as consumer remote access applications and file sync and share agents.
There are several considerations that security and risk management leaders must take into account when exploring application control for wide endpoint deployment. There are notable impacts on users and operations.
Application control can be very successful for fixed-function devices such as servers, whose applications and workloads are predictable. Users with well-defined work styles (for example, call center employees) are also ideal candidates for a successful deployment. For other user types, such as mobile workers or developers, the default deny approach may not provide an acceptable experience unless workflow procedures can minimize approval delays for unknown, untrusted software.
In terms of operations, managing exceptions introduced from untrusted sources can incur substantial overhead. Organizations should plan for such overhead and provide administrators with the proper tooling. Such tooling will allow administrators to streamline the exception management process and to make the right decisions in the least amount of time. Allowing trusted sources of change minimizes the number of exceptions necessary.
Managing fine-grained application control policies in a dynamic endpoint environment is operationally complex. Leading solutions solve this problem by allowing more lenient policies: Trusted publishers, locations, installers and users may be allowed to install new software, automatically updating the application control policy. However, lenient policies may compromise security.
The strength of application control, as a protection technology against malware, greatly depends on the policy and the additional technology deployed on the endpoint. Malware authors have been able to release digitally signed malware using stolen certificates, exploit legitimate applications in memory and launch fileless malware, thus lowering the effectiveness of application control against sophisticated attackers.
Security and risk management leaders should carefully consider vendor claims around application control features. Simply blacklisting executables by name or file path is not considered a strong application control capability.
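The rule types described above (explicit hash, trusted publisher, trusted location, trusted installer, default deny, and monitor-only mode) are easy to reason about when written down as a policy evaluator. The following is an added example written for this page; it is not any vendor's product or policy engine. The "publisher" field stands in for a verified code signature, the deployment agent path is assumed, and all paths, publishers and file contents are constructed. It also shows why the name-based blacklisting criticized in the text is weak: renaming the file is enough to evade it, while default deny still blocks it.

```python
"""Default-deny application control, reduced to its rule types (added example)."""
from dataclasses import dataclass, field
from hashlib import sha256
from pathlib import PureWindowsPath
from typing import Optional, Tuple


@dataclass
class Executable:
    path: str
    content: bytes
    publisher: Optional[str] = None    # assumption: taken from a verified signature; None = unsigned
    launched_by: Optional[str] = None  # parent process, if known

    @property
    def sha256(self) -> str:
        return sha256(self.content).hexdigest()


@dataclass
class Policy:
    mode: str = "enforce"               # "enforce" blocks, "monitor" only reports
    allowed_hashes: set = field(default_factory=set)
    trusted_publishers: set = field(default_factory=set)
    revoked_publishers: set = field(default_factory=set)  # stolen or revoked certificates
    trusted_locations: tuple = ()       # only safe where users cannot write
    trusted_installers: set = field(default_factory=set)


def in_trusted_location(path: str, locations) -> bool:
    p = PureWindowsPath(path)
    return any(PureWindowsPath(loc) in p.parents for loc in locations)


def evaluate(policy: Policy, exe: Executable) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is ALLOW, AUDIT or BLOCK."""
    # 1. Explicit hash allowlist: survives renames and moves.
    if exe.sha256 in policy.allowed_hashes:
        return "ALLOW", "hash allowlisted"
    # 2. Trusted publisher, unless that certificate is known stolen/revoked.
    if (exe.publisher in policy.trusted_publishers
            and exe.publisher not in policy.revoked_publishers):
        return "ALLOW", "trusted publisher " + exe.publisher
    # 3. Trusted location.
    if in_trusted_location(exe.path, policy.trusted_locations):
        return "ALLOW", "trusted location"
    # 4. Trusted installer: a trusted source of change. Learn the hash so the
    #    program keeps running later without a manual exception.
    if exe.launched_by in policy.trusted_installers:
        policy.allowed_hashes.add(exe.sha256)
        return "ALLOW", "installed by trusted installer, hash learned"
    # 5. Default deny.
    if policy.mode == "monitor":
        return "AUDIT", "untrusted (would block in enforce mode)"
    return "BLOCK", "default deny"


def name_denylist_blocks(denied_names: set, path: str) -> bool:
    """Weak control for contrast: block by file name only."""
    return PureWindowsPath(path).name.lower() in denied_names


def demo() -> dict:
    # All paths, publishers and contents below are constructed.
    installer = r"C:\Windows\ccmsetup\ccmexec.exe"   # assumed deployment agent
    policy = Policy(
        trusted_publishers={"Microsoft Corporation", "Acme Soft Ltd"},
        revoked_publishers={"Acme Soft Ltd"},        # certificate reported stolen
        trusted_locations=(r"C:\Program Files", r"C:\Windows"),
        trusted_installers={installer},
    )
    cases = [
        ("word", Executable(r"C:\Program Files\Microsoft Office\WINWORD.EXE", b"word", "Microsoft Corporation")),
        ("dropper", Executable(r"C:\Users\alice\Downloads\invoice.exe", b"evil")),
        ("signed_malware", Executable(r"C:\Users\alice\AppData\Local\Temp\update.exe", b"evil2", "Acme Soft Ltd")),
        ("pushed", Executable(r"C:\ProgramData\Tools\agent.exe", b"agent", None, installer)),
        ("relaunched", Executable(r"C:\ProgramData\Tools\agent.exe", b"agent", None, r"C:\Windows\explorer.exe")),
    ]
    results = {name: evaluate(policy, exe) for name, exe in cases}
    # Monitoring mode for users with less rigid requirements (developers).
    results["dropper_monitor"] = evaluate(Policy(mode="monitor"), cases[1][1])
    # Renaming the dropper defeats a name denylist but not default deny.
    renamed = Executable(r"C:\Users\alice\Downloads\invoice2.exe", b"evil")
    results["renamed_denylist"] = name_denylist_blocks({"invoice.exe"}, renamed.path)
    results["renamed_default_deny"] = evaluate(policy, renamed)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The order of the checks is the point: a hash allowlist is the only rule that survives renaming and relocation; publisher trust has to be paired with revocation data because of the stolen-certificate malware the text mentions; and a trusted installer only reduces exceptions if the policy learns what it installs.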

Application Isolation

Application containment solutions, also known as isolation solutions, implement malware protection using a paradigm best expressed as: Run risky processes and content, but isolate them from the rest of the system.
Security and risk management leaders should consider several strengths of application isolation, beginning with the provision of unrestricted user access. Malware containment does not block users from accessing sites or from downloading and processing potentially harmful content. In the most extreme form of application containment, users, should they choose to do so, may run malware in the isolated environment.
Some solutions discard the isolated environment and reset it to a clean state at launch or at regular intervals. Others do so when malicious behavior is detected in the isolated environment.
Isolation is valuable as a safeguard against a malware author's evasion techniques. The actual suspicious code runs on the endpoint, but in a contained environment. Even though the code runs, its ability to cause damage is limited by the sandbox. Organizations interested in deploying application containment solutions must be aware of the following cautions:
  • User impact. By design, containment solutions limit interaction between isolated and nonisolated environments, which may impact the user experience.
  • Operational impact. Administrators must manage trusted sites, applications, file locations and policies for moving files between zones of different trust levels.
  • Lack of application support. The isolated environment may not support all preferred applications and versions.
  • Hardware support. Some solutions depend on specific CPUs and chipsets, and the RAM requirements for a successful isolation deployment can be larger than the amount of memory found in typical corporate endpoints.
  • Large differences in implementation. Solutions differ greatly in terms of policy control options, technologies used to enforce isolation, support for multiple zones, supported applications, management and reporting, and malware behavior analysis in the sandbox.
  • Limited protection. Applications that run outside of the contained environment are not protected by the containment solution. Some vendors have started to extend their solutions by offering EDR technologies both inside and outside of the contained environment.
Recommendations
  • Prepare for increased help desk calls, and put a well-tested and well-documented exception workflow in place, as additional administrative overhead is inevitable with a default deny implementation.
  • Enforce default deny only for a subset of devices that have predictable workloads. For other types of users who have a less rigid set of requirements, like developers, use the client in monitoring mode to identify suspicious-looking behavior.
  • Verify the hardware requirements can be met with your devices, and that critical applications are fully supported.
  • Plan to deploy isolation technology to the group of users that are most at risk, rather than attempting to deploy for every single user.

Reduce the Attack Surface With Technologies That Look for Signs of a Malicious Outcome

While there is a steady stream of new vulnerabilities and attack vectors, the outcome is almost always the same. Consider the case of ransomware, where the goal is to encrypt the data: if technologies can detect the behavioral intent behind malware, the method of compromise is less important. That said, mitigating known vulnerabilities should remain near the top of every organization's priority list.

Behavioral Analysis

Behavioral analysis within endpoint protection has several strengths, even when used as an isolated technology. Such analysis can provide runtime protection against attack activity. The solutions not only provide point-in-time detection, but also monitor the behavior of all, or at least all suspicious, processes over time to build a better understanding of the context of the behavior.
For example, an Outlook.exe process spawning a WINWORD.EXE process is typical behavior for an information worker who receives documents by email. However, when that Word process begins to connect to the internet, or to spawn other processes, the behavior becomes more and more suspicious.
EPP solutions using behavior analysis can also detect and block previously unknown malware without the need for resource-intensive scanning or inspection. This detection is not dependent on the malware code, but rather on the behavior, which means that vendors with a focus on this type of detection do not require any signature databases or file scanning. Behavioral analysis can detect multiple stages of the kill chain, such as droppers, network-borne attacks and some exploit techniques.
Some cautions are associated with deploying behavior analysis as a malware protection technology:
  • Potentially high false-positive rate (FPR). There is a fine line between malicious and normal behavior, so any behavior-based blocking technology incurs a risk of false positives. What appears to be malicious behavior is not always malicious; kernel hooks and OS API calls that seem malicious may be legitimate.
  • Detection instead of prevention. Sophisticated malware that does not trigger clear malicious-behavior-blocking rules will, at best, be detected after it runs, instead of being prevented before execution.
  • Requires tuning, expertise and updates. Behavior-based malware protection requires organizations to carefully select rules, specify actions to take after detection, and whitelist trusted applications or digital certificates.
  • May impact users. Because behavior analysis continuously monitors all activity on the endpoint, it may incur a performance penalty to the endpoint device.
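The Outlook-to-Word example above, and the ransomware point from the section introduction, can be made concrete by folding process telemetry into a tree and scoring each process by what it does in context. The following is an added example written for this page, not a vendor's detection engine: the events are constructed in the rough shape of Sysmon process-create, network-connect and file-rename records, the internal address ranges and the scoring weights are assumptions, and the threshold is arbitrary. It also illustrates two of the cautions listed above: internal connections are exempted to keep the false-positive rate down, and the intermediate cmd.exe stays below the threshold, so the chain is detected at the Word and PowerShell processes rather than prevented at the first step.

```python
"""Behavioural scoring over a process tree (added example, not a product)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from pathlib import PureWindowsPath

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Assumption: the organisation's internal ranges. Office apps talking to
# SharePoint or a proxy inside them is normal and is not scored.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
BLOCK_THRESHOLD = 8   # assumed; scores at or above this would be blocked


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str = ""
    children: list = field(default_factory=list)
    connects: list = field(default_factory=list)
    renames: list = field(default_factory=list)   # (old_path, new_path)

    @property
    def name(self) -> str:
        return PureWindowsPath(self.image).name.lower()


def build_tree(events) -> dict:
    """Fold create/connect/rename events into Proc objects keyed by pid."""
    procs = {}
    for ev in events:
        if ev["type"] == "create":
            p = Proc(ev["pid"], ev["ppid"], ev["image"], ev.get("cmdline", ""))
            procs[p.pid] = p
            if ev["ppid"] in procs:
                procs[ev["ppid"]].children.append(p)
        elif ev["type"] == "connect" and ev["pid"] in procs:
            procs[ev["pid"]].connects.append(ev["dst"])
        elif ev["type"] == "rename" and ev["pid"] in procs:
            procs[ev["pid"]].renames.append((ev["old"], ev["new"]))
    return procs


def is_external(dst: str) -> bool:
    host = dst.rsplit(":", 1)[0]
    try:
        addr = ip_address(host)
    except ValueError:
        return True   # hostnames are treated as external here (assumption)
    return not any(addr in net for net in INTERNAL)


def score(p: Proc, procs: dict):
    """Score one process by its behaviour in context; returns (score, findings)."""
    findings = []
    parent = procs.get(p.ppid)
    if p.name in OFFICE:
        # Outlook -> Word is normal; what the Word process does next matters.
        ext = [d for d in p.connects if is_external(d)]
        if ext:
            findings.append((3, "office app connected out to " + ext[0]))
        for c in p.children:
            findings.append((5, "office app spawned " + c.name))
            if c.name in INTERPRETERS:
                findings.append((5, "child " + c.name + " is a script/command interpreter"))
    if p.name in INTERPRETERS and parent and parent.name in OFFICE | INTERPRETERS:
        low = p.cmdline.lower()
        if "-enc" in low or "hidden" in low:
            findings.append((4, "hidden/encoded interpreter launched from a document chain"))
    # Outcome-based rule: a burst of extension-changing renames looks like
    # ransomware regardless of how the process got there.
    changed = [n for o, n in p.renames if PureWindowsPath(o).suffix != PureWindowsPath(n).suffix]
    if len(changed) >= 10:
        findings.append((10, f"{len(changed)} files renamed to a new extension"))
    return sum(s for s, _ in findings), findings


def analyse(events) -> dict:
    procs = build_tree(events)
    return {pid: score(p, procs) for pid, p in procs.items()}


def verdicts(events) -> dict:
    return {pid: ("block" if s >= BLOCK_THRESHOLD else "allow") for pid, (s, _) in analyse(events).items()}


# Constructed sample telemetry; every pid, path and address is made up.
EVENTS = [
    {"type": "create", "pid": 100, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE"},
    # Normal: a document opened from mail that only talks to the intranet.
    {"type": "create", "pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"type": "connect", "pid": 200, "dst": "10.1.2.3:443"},
    # Suspicious: a second document connects out, then spawns a hidden shell.
    {"type": "create", "pid": 210, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"type": "connect", "pid": 210, "dst": "203.0.113.7:443"},
    {"type": "create", "pid": 300, "ppid": 210, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c powershell -w hidden -nop -f C:\Users\alice\AppData\Local\Temp\inv.ps1"},
    {"type": "create", "pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -w hidden -nop -f C:\Users\alice\AppData\Local\Temp\inv.ps1"},
] + [
    {"type": "rename", "pid": 400, "old": rf"C:\Users\alice\Documents\report{i}.docx",
     "new": rf"C:\Users\alice\Documents\report{i}.docx.locked"} for i in range(12)
]

if __name__ == "__main__":
    for pid, (s, findings) in analyse(EVENTS).items():
        print(pid, s, [f for _, f in findings])
```

Note what the scores say about prevention versus detection: the first Word process scores zero, the second is flagged for its external connection and its child, the cmd.exe hop alone is below the threshold, and the PowerShell process is caught mainly by its outcome (the rename burst) after it has already run.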

Exploit Technique Mitigation

Exploit technique mitigation aims to stop malicious code from running in memory and, thus, make it more difficult for attackers to exploit software vulnerabilities. It does so by protecting the memory allocated to a process or application. It does not necessarily stop the attacker from placing malicious code in memory; instead it can prevent that code from ever executing. This technology enforces security mechanisms already supported by the operating system, such as data execution prevention (DEP) and address space layout randomization (ASLR), and adds capabilities beyond that basic protection.
Security and risk management leaders can expect several benefits, including low management overhead, as the focus is on a small number of exploit techniques and does not rely on signatures or updates. Solutions generally incur limited performance overhead and operate transparently to the user. Microsoft provides the Enhanced Mitigation Experience Toolkit (EMET) free of charge. It is officially supported by Microsoft until mid-2018, can be managed through Group Policy and makes for a good baseline of exploit mitigations.
For more details and recommendations on exploit mitigation, see "Get Ready for 'Fileless' Malware Attacks."
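Because the OS-level mitigations EMET enforces are ones a binary can opt into at build time (the DllCharacteristics flags in the PE optional header), a useful first check is which of the applications in your estate never opted in; those are the ones a forced-mitigation tool like EMET matters most for. The following is an added example for this page, not Microsoft's or any vendor's tooling: it reads the flags from a PE header and, since it runs offline, builds a minimal constructed PE32+ header to run against. The flag values are the documented IMAGE_DLLCHARACTERISTICS constants; the fake header is just enough for the parser and is not a loadable image.

```python
"""Read mitigation opt-in flags from a PE optional header (added example)."""
import struct

# IMAGE_DLLCHARACTERISTICS bits that correspond to OS-enforced mitigations.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",   # 64-bit ASLR
    0x0040: "DYNAMIC_BASE",      # ASLR opt-in
    0x0100: "NX_COMPAT",         # DEP opt-in
    0x0400: "NO_SEH",            # no structured exception handlers
    0x4000: "GUARD_CF",          # Control Flow Guard
}


def pe_mitigations(data: bytes) -> dict:
    """Return {flag_name: bool} for the mitigation flags of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image (missing PE signature)")
    opt = e_lfanew + 4 + 20                  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):          # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in both formats
    return {name: bool(dllchars & bit) for bit, name in DLL_CHARACTERISTICS.items()}


def missing_mitigations(data: bytes) -> list:
    """Names of mitigations the image did not opt into; candidates for forced mitigation."""
    return sorted(name for name, on in pe_mitigations(data).items() if not on)


def build_fake_pe(dllchars: int) -> bytes:
    """Constructed minimal PE32+ header, enough for pe_mitigations(); not loadable."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)       # x64, 1 section, 240-byte optional header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                               # PE32+ magic
    struct.pack_into("<H", opt, 70, dllchars)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    modern = build_fake_pe(0x0020 | 0x0040 | 0x0100)   # ASLR + DEP opted in
    legacy = build_fake_pe(0)                          # nothing opted in
    print("modern lacks:", missing_mitigations(modern))
    print("legacy lacks:", missing_mitigations(legacy))
```

On a real system the same function can be pointed at the bytes of each executable in Program Files; an image whose list includes DYNAMIC_BASE or NX_COMPAT is relying entirely on the endpoint to force those mitigations on it.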
Recommendations
  • Use third-party effectiveness tests to verify vendor claims. Vendor-sponsored or -commissioned comparisons can be useful data points but should not be given the same weight as impartial tests.
  • Ensure that incident response tools are adequate, as behavioral analysis is largely a detect-after-execution technology.

Evidence

This research is based on 1,505 client and vendor inquiries on endpoint security across Gartner for IT Leaders and Gartner for Technical Professionals analysts since January 2016.