TRANSCRIPT
ADVANCING SECURITY MATURITY
Gary Fisk
Solutions Architect, FireEye
COPYRIGHT © 2016, FIREEYE, INC. ALL RIGHTS RESERVED.
AGENDA
• The Current State of Affairs
• What is Working?
• Threat Intelligence as a Model for Progress
• Security vs. IT Operations
• FireEye and F5 ‘Bridging the Gap’
Expertise Earned on the Front Lines
• First responders to the world’s most consequential breaches
• Offer proactive and reactive services
• Hundreds of intelligence and malware experts
• Unmatched knowledge of advanced attacker techniques
• Our consultants wrote the book (literally) on incident response
M-TRENDS 2016
INCIDENTS BY INDUSTRY
High Tech 13%
Business & Professional Services 11%
Media & Entertainment 11%
Financial Services & Insurance 10%
Retail 10%
Education 8%
Biotechnology & Pharmaceuticals 7%
Construction & Engineering 6%
Healthcare 5%
Aerospace & Defense 5%
Transportation 3%
Legal Services 3%
Government 3%
Telecommunications 2%
Agriculture & Forestry 1%
Energy 1%
Who are “They”
(Slide column groupings: Traditional AV; FireEye)

Nuisance
  Objective: Access & Propagation
  Example: Botnets & Spam
  Skill: Low
  Potential Data Targets: Sensitive Information, Vulnerable Data
  Impact: Low

Hacktivism
  Objective: Defamation, Press & Policy
  Example: Website Defacements
  Skill: Low - Med
  Potential Data Targets: Access to the Network, Compromising Information
  Impact: Low - Med

Cyber Crime
  Objective: Financial Gain
  Example: Credit Card Theft
  Skill: High
  Potential Data Targets: Credit Card Holder Data, Personal Identifiable Information, Health Records
  Impact: High

State Sponsored
  Objective: Economic, Political Advantage
  Example: Intellectual Property Theft
  Skill: Very High
  Potential Data Targets: Intellectual Property, Negotiation Positions, R&D, National Intelligence & Defense Information
  Impact: Very High

Network Attack
  Objective: Escalation, Destruction
  Example: Destroy Critical Infrastructure, DDOS
  Skill: Med
  Potential Data Targets: Access to Critical Infrastructure, Websites
  Impact: Med

Insiders
  Objective: Revenge, Monetary Gain
  Example: Destruction, Theft
  Skill: Med
  Potential Data Targets: Intellectual Property, Compromising Information
  Impact: Med
BY THE NUMBERS
Median Days from Compromise to Discovery (Mandiant investigations in 2015)
  All investigations: 146 days
  External notification: 320 days
  Internal discovery: 56 days

Day of Week of Spearphishing Frequency (% of total spear phishing emails, by day of week the email was sent)
  Sunday 0%
  Monday 11%
  Tuesday 11%
  Wednesday 29%
  Thursday 20%
  Friday 18%
  Saturday 10%
The Value of Detection
Dwell Time (Days)
  2011: 416
  2012: 243
  2013: 229
  2014: 205
  2015 - Average: 146
  2015 - Internal: 56
  2015 - External: 320
WHAT WE’VE LEARNED
2015 – 2016 Breaches
Bogging Down Security Teams Since 1987
SECURITY ALERTS
  16,937 ALERTS
  3,218 “RELIABLE” (19%)
  705 INVESTIGATED (4%)
Source: The Cost of Malware Containment, Ponemon Institute, January 2015
FireEye: An Intelligent Combination
iSIGHT (Forward-Look)
• Forward looking, high fidelity, adversary focused intelligence and actionable advice
• A global intelligence collection presence tracking adversaries and operating infrastructure
• Intel-led capability development services
• Comprehensive API to consume intelligence across security infrastructure
FireEye DTi
• 24x7x365 visibility through 6 worldwide SOCs
• 45 BILLION URLs analyzed each month
• 340 MILLION correlation relationships defined
• 212 PETABYTES sensor traffic analyzed each month
Mandiant (Post-Breach)
• 100k hours incident response per year
• Major headline breach response
• 300+ threat groups tracked
• 200+ consultants
Diagram labels: Adversary, Breach, Victim Data, Actionable Intelligence
FireEye Threat Intelligence: Strategic + Tactical = Actionable
FireEye combines Mandiant Threat Intel + FireEye Labs + iSIGHT Labs data to provide actionable information about security threats.
Help us to understand:
• Who’s attacking you?
• What data do they typically target?
• What are the indicators of compromise?
• Which vulnerabilities are they targeting?
• What is the risk of this type of attack?
Strategic “Human Curated” Threat Intel
• Threat Actor Profiles
• Intentions
• Tools, Techniques, and Procedures
• Focuses on planning, decisions
Tactical “Machine Generated” Threat Intel
• IPs
• URLs, Domains
• MD5s
• Focuses on detection, triage, response
WHAT IS WORKING?
• Segment sensitive data onto its own network
  Ensures that attackers cannot easily move from one segment of the network to another.
• Require two-factor authentication for remote access
  Prevents attackers from using stolen passwords to access resources. Most companies prioritize remote access to e-mail and networks (virtual private networks).
• Improve control over powerful accounts
  Requires the most powerful accounts to be checked in / out prior to usage, usually protected by two-factor authentication.
• Only permit pre-authorized programs to run on servers
  Critical systems like servers generally only need to run a small set of software, yet they are often allowed to run arbitrary programs. “Whitelisting” technology can prevent this.
• Test the incident response plan
  Fewer than 20% of organizations test response plans with a cross-functional team on an annual basis.
• Use new technology to block advanced malware
  New technologies can proactively execute and test web downloads in a secure environment (known as a “sandbox”) to find malware that traditional signature-based models miss.
• Focus on phishing prevention
  Phishing (luring users to click on malicious e-mail attachments) is still the #1 method that attackers use to compromise organizations. Most orgs are not well-protected.
• Promote a “Security Culture”
  Senior executives set the tone in any successful initiative. Security orgs often need increased support for new controls like two-factor access, incident response plan testing, etc.
THINK LIKE YOUR ATTACKER
WHO ARE THEY?
‣ Teams of humans targeting you
‣ Highly tailored and customized attacks
‣ Need insight on which adversaries may be targeting your industry
HAVE THEY GAINED ACCESS?
‣ Removing malware doesn’t eliminate the attacker
‣ Need threat intel that detects malware linked to known adversary groups
HOW DO YOU STOP THEM?
‣ Attackers evade detection by using existing tools and protocols
‣ However they use them in identifiable ways
‣ Need attacker profiles that detail tools, techniques and procedures employed by adversaries
FireEye Adaptive Defense
Continuous Threat Prevention Process
Information Security Maturity
Technology trends create opportunity and complexity
How Security Sees Enterprise Networks
SSL/TLS Overview: How does SSL work?
Exchange between the Client End Point and the Server End Point, in order:
• Client Hello: establish security capabilities (protocol version, cipher suites, session ID, compression, random no.)
• Server Hello: server sends Certificate, key exchange
• Client verifies server Cert
• Client Cert if requested by Server (optional); server verifies Client Cert (optional)
• Key Exchange (encrypted session key)
• Change CipherSpec, ‘Finished’ (client finish)
• Secure Data Exchange
SSL Visibility: Making SSL-Encrypted Traffic Visible
Client End Point <-> F5 BIG-IP <-> Server End Point
• Client side (client to BIG-IP): Client Hello, Server Hello, Key Exchange, Change CipherSpec ‘Finished’, then Client-Side Secure Data Exchange
• Server side (BIG-IP to server): Client Hello, Server Hello, Key Exchange, Change CipherSpec ‘Finished’, then Server-Side Secure Data Exchange
• Between the two sessions the traffic is unencrypted and is passed to the Security Infrastructure
F5 SSL Intercept Solution
• Purpose built, all-in-one SSL Intercept appliances
• Provides security solutions with visibility into SSL/TLS encrypted traffic
• Key Features
  – SSL visibility at high performance
  – Policy based service chaining of security solutions
  – Load balancing of SSL traffic flows across security devices
  – Centralized and simplified management of certificates, encryption keys
  – Selective decrypt / encrypt of specific traffic flows
  – Flexibility of deployment
Deployment diagram: Users / Devices, Firewall, F5 SSL Intercept, Firewall, Internet, with security service pools (Web Gateway, NGFW, DLP, IPS, FEYE). The F5 SSL Intercept decrypts and steers traffic through the pools (based on policy, bypass options, URL categorization) and re-encrypts it.