TRANSCRIPT
©2014 Bit9. All Rights Reserved
The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain
Mary Ann Fitzsimmons, Regional Director
Significant Data Breaches in Last Twelve Months
[Timeline figure: breaches plotted by month, January through December; the individual breach entries are not present in the slide text]
Malware: Actors + Actions + Assets = Endpoint
[Diagram: Actors, Actions and Assets converging on the endpoint. Source: 2013 Verizon Data Breach Investigations Report]
Why is the Endpoint Under Attack?
1. Host-based security software still relies on AV signatures
   – Writing a signature is a routine process for antivirus vendors, but it takes time and can no longer keep up with the massive malware volume
   – Host-based security software’s dependency on signatures and scanning engines remains an Achilles heel when addressing modern malware
2. Evasion techniques can easily bypass host-based defenses
   – Malware writers use compression and encryption to bypass AV filters
   – Malware developers use software polymorphism or metamorphism to change the appearance of malicious code from system to system
3. Cyber adversaries test malware against popular host-based software
   – There are criminal web sites where malware authors can submit their exploits for testing against dozens of AV products
The Malware Problem By the Numbers
• 66% of malware took months or even years to discover (dwell time) [1]
• 69% of intrusions are discovered by an external party [1]
• 155k new malware samples are seen daily [2]
• $5.4M average total cost of a data breach [3]
Sources: 1. 2013 Verizon Data Breach Investigations Report | 2. McAfee Threats Report: First Quarter 2013 | 3. Ponemon Institute 2013 Cost of a Data Breach Study
The State of Information Security
Compromise happens in seconds. Data exfiltration starts minutes later. It continues undetected for months. Remediation takes weeks, at $341k per incident in forensics costs.
THIS IS UNSUSTAINABLE
Sources: NetDiligence, 2013 Cyber Liability & Data Breach Insurance Claims; 2013 Verizon Data Breach Investigations Report
The Kill Chain
• Reconnaissance – Attacker researches potential victim
• Weaponization – Attacker creates deliverable payload
• Delivery – Attacker transmits weapon into the environment
• Exploitation – Attacker exploits vulnerability
• Installation – Attacker changes system configuration
• C2 – Attacker establishes control channel
• Action – Attacker attempts to exfiltrate data
Protection = Prevention, Detection and Response
“Security…will shift to rapid detection and response capabilities linked to protection systems to block further spread of the attack.”
– Gartner, Endpoint Threat Detection and Response Tools and Practices, Sept. 2013
“Functions organize basic cybersecurity activities at their highest level. These Functions are: Identify, Protect, Detect, Respond, and Recover.”
– NIST Cybersecurity Framework for Critical Infrastructure, Feb 2014
[Diagram: the security lifecycle, Prevent on one side and Detect & Respond on the other, cycling through Prevention, Visibility, Detection and Response]
Need a Security Lifecycle to Combat Advanced Threats
Reduce Attack Surface with Default-Deny
Traditional EPP failure
• Scan/sweep based
• Signature based – Block known bad
Success of emerging endpoint prevention solutions
• Real time
• Policy based – Tailor policies based on environment
• Trust based – Block all but known good
Objective of emerging endpoint prevention solutions
• Lock down endpoint/server
• Reduce attack surface area – Make it as difficult as possible for the advanced attacker
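The two policies contrasted above, "block known bad" by signature and "block all but known good" by trust, as an added example in Python. This is not Bit9's code or policy engine; the file bytes, the hash databases, the XOR "packer" standing in for polymorphism, and the trusted-updater rule are all constructed here for illustration. The polymorphic variant keeps the same payload but a different hash, which is why the signature lookup misses it and the allowlist does not:

```python
# Added example, not Bit9 code: signature denylist vs default-deny allowlist.
# All sample bytes, hash sets and the packer below are constructed for illustration.
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for executables (a fake MZ header plus a body).
TRUSTED_BINARIES = {
    "notepad.exe": b"MZ\x90\x00 trusted editor v1.0",
    "svchost.exe": b"MZ\x90\x00 trusted service host",
}
KNOWN_MALWARE = b"MZ\x90\x00 dropper build 1 payload"

# AV-style signature database: hashes of samples the vendor has already seen.
SIGNATURE_DB = {sha256_hex(KNOWN_MALWARE)}

# Default-deny allowlist: hashes of software the organisation has approved.
ALLOWLIST = {sha256_hex(b) for b in TRUSTED_BINARIES.values()}

# Hypothetical policy rule: files written by these processes are trusted
# automatically, so patching does not require a manual re-approval.
TRUSTED_UPDATERS = {"wuauclt.exe", "msiexec.exe"}

def polymorph(sample: bytes, seed: int) -> bytes:
    """Crude polymorphism: same behaviour (the body is recoverable), different
    bytes per victim, so the hash never matches a signature database.
    The body is XOR-'packed' with a per-seed key appended as the last byte."""
    header, body = sample[:4], sample[4:]
    key = (seed & 0xFF) or 1            # never use key 0 (would be a no-op)
    return header + bytes(b ^ key for b in body) + bytes([key])

def unpack(variant: bytes) -> bytes:
    """What the variant does at run time: restore the original payload."""
    key = variant[-1]
    return variant[:4] + bytes(b ^ key for b in variant[4:-1])

def denylist_verdict(binary: bytes) -> str:
    """Traditional EPP: allow unless the hash is a known-bad signature."""
    return "BLOCK" if sha256_hex(binary) in SIGNATURE_DB else "ALLOW"

def allowlist_verdict(binary: bytes) -> str:
    """Default-deny: block unless the hash is known-good."""
    return "ALLOW" if sha256_hex(binary) in ALLOWLIST else "BLOCK"

def observe_file_write(writer: str, new_file: bytes) -> bool:
    """Policy hook: a file dropped by a trusted updater joins the allowlist.
    Returns True if the file was approved by this rule."""
    if writer.lower() in TRUSTED_UPDATERS:
        ALLOWLIST.add(sha256_hex(new_file))
        return True
    return False

def compare(binaries: dict) -> dict:
    """Both verdicts side by side, keyed by file name."""
    return {name: (denylist_verdict(b), allowlist_verdict(b))
            for name, b in binaries.items()}

if __name__ == "__main__":
    variant = polymorph(KNOWN_MALWARE, seed=7)
    for name, verdicts in compare({**TRUSTED_BINARIES,
                                   "dropper.exe": KNOWN_MALWARE,
                                   "dropper_variant.exe": variant}).items():
        print(f"{name:22s} denylist={verdicts[0]:5s} allowlist={verdicts[1]}")
```

The trade-off is operational rather than technical: default-deny shifts the work from chasing new signatures to keeping the allowlist current, which is what the "policy based" bullet refers to. The trusted-updater hook above is one common way to do that; it also means a compromised updater becomes a high-value target, so the set of trusted writers should be as small as the environment allows.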
Reduce Attack Surface Across Kill Chain
[The kill chain diagram above, with the stages from Reconnaissance to Action, annotated: Prevention effective here]
Detect in Real-time and Without Signatures
Traditional EPP failure
• Scan/sweep based
• Small signature database
Success of emerging endpoint detection solutions
• Large global database of threat intelligence
• Signature-less detection through threat indicators
• Watchlists
Objective of emerging endpoint detection solutions
• Prepare for the inevitability of breach and a continuous state of compromise
• Cover more of the kill chain than prevention
• Enable rapid response
Reduce Attack Surface Across Kill Chain
[The kill chain diagram above, with the stages from Reconnaissance to Action, annotated: Prevention effective here; Detection effective here]
Rapidly Respond to Attacks in Motion
Traditional EPP failure
• Expensive external consultants
• Relies heavily on disk and memory artifacts for recorded history
Success of emerging endpoint incident response solutions
• Real-time continuous recorded history delivers IR in seconds – in a centralized database
• Attack process visualization and analytics
• Better, faster and less expensive
Objective of emerging endpoint incident response solutions
• Pre-breach rapid incident response
• Better prepare prevention moving forward
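The detection and response capabilities of the last two slides, signature-less watchlists run over a real-time recorded history, and tracing the attack from the exploited process to the persistent service, as an added example in Python. This is not Carbon Black or Bit9 code; the process records, paths, command lines, the IP address and the four watchlist rules are constructed here for illustration. The point the slide text makes, that a recorded history answers "how did this get here and what else did it touch" without imaging disks, is what `ancestry` and `scope_incident` do over the in-memory history:

```python
# Added example, not Carbon Black/Bit9 code. A toy "recorded history" of
# process events, signature-less watchlists, and kill-chain reconstruction.
# All events, paths, command lines and the IP below are constructed.
import ntpath

# Each record: pid, parent pid, time (s), image path, command line,
# whether the image is signed, and remote endpoints it connected to.
EVENTS = [
    dict(pid=100, ppid=1,   ts=0,  image=r"C:\Windows\explorer.exe",
         cmd="explorer.exe", signed=True, net=[]),
    dict(pid=200, ppid=100, ts=10, image=r"C:\Program Files\Microsoft Office\WINWORD.EXE",
         cmd="WINWORD.EXE invoice.docm", signed=True, net=[]),
    dict(pid=300, ppid=200, ts=12, image=r"C:\Windows\System32\cmd.exe",
         cmd="cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA", signed=True, net=[]),
    dict(pid=400, ppid=300, ts=13, image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         cmd="powershell -nop -w hidden -enc SQBFAFgA", signed=True, net=["203.0.113.5:443"]),
    dict(pid=500, ppid=400, ts=15, image=r"C:\Users\alice\AppData\Local\Temp\upd.exe",
         cmd="upd.exe -install", signed=False, net=["203.0.113.5:443"]),
    dict(pid=600, ppid=500, ts=16, image=r"C:\Windows\System32\sc.exe",
         cmd=r'sc create WinUpd binPath= "C:\Users\alice\AppData\Local\Temp\upd.exe"',
         signed=True, net=[]),
    dict(pid=700, ppid=100, ts=20, image=r"C:\Windows\System32\notepad.exe",
         cmd="notepad.exe notes.txt", signed=True, net=[]),   # benign noise
]

# Hypothetical watchlist vocabulary (behavioural, no file hashes involved).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def _name(path):
    return ntpath.basename(path).lower()

def _by_pid(events):
    return {e["pid"]: e for e in events}

def run_watchlists(events):
    """Signature-less detection: flag behaviour as events arrive.
    Returns (pid, rule) pairs in event order."""
    by_pid, hits = _by_pid(events), []
    for e in events:
        name, parent = _name(e["image"]), by_pid.get(e["ppid"])
        if parent and _name(parent["image"]) in OFFICE_APPS and name in SHELLS:
            hits.append((e["pid"], "office-app-spawned-shell"))
        if not e["signed"] and "\\temp\\" in e["image"].lower():
            hits.append((e["pid"], "unsigned-binary-from-temp"))
        if not e["signed"] and e["net"]:
            hits.append((e["pid"], "unsigned-process-network-egress"))
        if name == "sc.exe" and "create" in e["cmd"].lower() and "\\temp\\" in e["cmd"].lower():
            hits.append((e["pid"], "service-persistence-from-temp"))
    return hits

def ancestry(events, pid):
    """Follow parent links back to the root: the kill chain as recorded,
    from the exploited application down to the persistence step."""
    by_pid, chain = _by_pid(events), []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return chain[::-1]

def scope_incident(events, hits):
    """Scoping for containment: every process related to a flagged one
    (its ancestors below the root plus everything it spawned), the remote
    endpoints they used, and when the chain started."""
    by_pid, children = _by_pid(events), {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e["pid"])
    related = set()
    for pid, _rule in hits:
        related.update(ancestry(events, pid)[1:])   # drop the root so benign siblings stay out
        stack = [pid]
        while stack:                                  # depth-first over child links
            p = stack.pop()
            related.add(p)
            stack.extend(children.get(p, []))
    remote = {ep for p in related for ep in by_pid[p]["net"]}
    return {"processes": sorted(related), "remote_endpoints": sorted(remote),
            "earliest_ts": min(by_pid[p]["ts"] for p in related)}

if __name__ == "__main__":
    hits = run_watchlists(EVENTS)
    print("watchlist hits:", hits)
    print("kill chain to the service:", " -> ".join(
        _name(_by_pid(EVENTS)[p]["image"]) for p in ancestry(EVENTS, 600)))
    print("scope:", scope_incident(EVENTS, hits))
```

Two caveats a practitioner will want: the parent-pid walk is only as good as the recorded history (a process whose parent exited before the sensor saw it, or a pid reused after a reboot, breaks the chain, which is why real sensors key on a unique process GUID rather than the pid), and behavioural rules like these trade the false negatives of signatures for false positives, so each watchlist needs a known baseline of the environment before it is allowed to block.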
Current Failures Within the Incident Response Process
The Six-Step IR Process
1. Preparation – Failure: No IR plan with processes and procedures in place
2. Identification & Scoping – Failure: No recorded history with which to fully identify or scope the threat
3. Containment – Failure: The threat is not properly identified, so it cannot be fully contained
4. Eradication & Remediation – Failure: After failing to fully scope the threat, remediation is impossible
5. Recovery – Failure: The organization resumes operations with a false sense of security
6. Follow Up & Lessons Learned – Failure: No post-incident process in place, or expert recommendations are not implemented
Real-time Visibility & Detection Drives Rapid Response
Visibility & Detection
• Real-time recorded history of the entire environment
• Detect known and unknown files as they appear
• Know if and when you are under attack
Response
• Identify, scope, contain and remediate faster
• Proactively respond to attacks in motion
• Simplify and expedite investigations
• Non-intrusive, with no perceived end-user impact
Advanced Threat Protection for Every Endpoint and Server
(slide build, consolidated)
• Watch and record: every segment (High-Risk/Targeted Users; Fixed-Function and Critical Infrastructure Devices; Data Center Servers; All Other Users)
• Stop all untrusted software: High-Risk/Targeted Users; Fixed-Function and Critical Infrastructure Devices; Data Center Servers
• Detect and block on the fly: All Other Users
Bit9 + Carbon Black: Security Lifecycle in One Solution
Bit9 (Advanced Threat Prevention; market leader in Default-Deny): proactive prevention mechanisms customizable for different users and systems
+
Carbon Black (Incident Response in Seconds; technology leader, purpose-built by experts): super lightweight sensor that records and monitors everything, deployable to every computer
1. Reduce Your Attack Surface – new signature-less prevention techniques
2. Rapidly Detect & Respond to Threats – continuously monitor and record every endpoint/server
Bit9 + Carbon Black: Understanding the Entire Kill Chain
• See the kill chain in seconds
• From vulnerable processes to the persistent malicious service
• Would take days or weeks to re-create using traditional tools
Takeaways
• Reduce your attack surface with prevention
• Prepare for the inevitability of compromise
  – Detect in real time without signatures
  – Pre-breach rapid response in seconds with recorded history
• Establish an IR plan
• Understand the need for a security lifecycle
• Fully deploy security solutions across the entire environment
“In 2020, enterprises will be in a state of continuous compromise.”
Thank you!
Q&A