Addressing the Cyber Kill Chain
Agenda
1 Current Threat Landscape Challenges
2 The Cyber Kill Chain
3 How Symantec can help
4 Q&A
Copyright © 2015 Symantec Corporation
Enterprise Threat Landscape
Attackers Moving Faster
• 5 of 6 large companies attacked
• 317M new malware created
• 1M new threats daily
• 60% of attacks targeted SMEs
Digital Extortion on the Rise
• 113% increase in ransomware
• 45X more devices held hostage
Malware Gets Smarter
• 28% of malware was Virtual Machine Aware
Zero-Day Threats
• 24, an all-time high
• Top 5 unpatched for 295 days
Many Sectors Under Attack
• Healthcare +37%
• Retail +11%
• Education +10%
• Government +8%
• Financial +6%
Source: Symantec Internet Security Threat Report 2015
Key Trends Reshaping the Enterprise Security Market
• RESURGENCE OF ENDPOINT: rapid shift to mobile and IoT
• DISAPPEARING PERIMETER: decreasingly relevant with a “fuzzy” perimeter
• RAPID CLOUD ADOPTION: enterprise data and applications moving to cloud
• SERVICES: Security as a Service; box fatigue
• CYBERSECURITY: governments and regulators playing an ever larger role
The Cyber Kill Chain
• Military concept, now applied to cyber security
• Developed by Lockheed Martin in 2011
• Describes the phases an adversary will follow to target an organization
• It has 7 well-defined phases
• An attack is considered successful if/when all phases have been accomplished
The Cyber Kill Chain
• Reconnaissance: harvesting email addresses, conference information, etc.
• Weaponization: coupling an exploit with a backdoor into a deliverable payload
• Delivery: delivering the weaponized bundle to the victim via email, web, USB, etc.
• Exploitation: exploiting a vulnerability to execute code on the victim's system
• Installation: installing malware on the asset
• Command & Control: command channel for remote manipulation of the victim
• Actions on Objectives: with “Hands on Keyboard” access, intruders accomplish their original goal
Addressing the Cyber Kill Chain
Columns: Phase | Detect | Deny or Contain | Disrupt, Eradicate or Deceive | Recover
Reconnaissance
  Detect: web analytics, Internet scanning reports, vuln. scanning, pen testing, SIEM, DAST/SAST, threat intelligence, TIP
  Deny or Contain: firewall ACL, system and service hardening, network obfuscation, logical segmentation
  Disrupt, Eradicate or Deceive: honeypot
  Recover: SAST/DAST
Weaponization
  Detect: sentiment analysis, vuln. announcements, vuln. assessment
  Deny or Contain: NIPS, NGFW, patch management, configuration hardening, application remediation
  Disrupt, Eradicate or Deceive: SEG, SWG
  Recover: (none listed)
Delivery
  Detect: user training, security analytics, network behavior analysis, threat intelligence, NIPS, NGFW, WAF, DDoS, SSL inspection, TIP
  Deny or Contain: SWG, NGIPS, ATD, TIP
  Disrupt, Eradicate or Deceive: EPP
  Recover: backup or EPP cleanup
Exploitation
  Detect: EPP, NIPS, SIEM, WAF
  Deny or Contain: EPP, NGIPS, ATD, WAF
  Disrupt, Eradicate or Deceive: NIPS, NGFW, EPP, ATD
  Recover: data restoration from backups
Installation
  Detect: EPP, endpoint forensics or ETDR, sandboxing, FIM
  Deny or Contain: EPP, MDM, IAM, endpoint containerization/app wrapping
  Disrupt, Eradicate or Deceive: EPP, HIPS, incident forensic tools
  Recover: incident response, ETDR
Command and Control
  Detect: NIPS, NBA, network forensics, SIEM, DNS security, TIP
  Deny or Contain: IP/DNS reputation blocking, DLP, ATA
  Disrupt, Eradicate or Deceive: DNS redirect, threat intelligence on DNS, egress filtering, NIPS
  Recover: incident response, system restore
Action on Targets
  Detect: logging, SIEM, DLP, honeypot, TIP, DAP
  Deny or Contain: egress filtering, SWG, trust zones, DLP
  Disrupt, Eradicate or Deceive: QoS, DNS, DLP, ATA
  Recover: incident response
Source: Gartner (August 2014) – G00263765
Symantec Enterprise Security | STRONG FRANCHISES
• Endpoint Security: #1 share; AAA rating 12 quarters in a row
• Email Security: #1 share; 100% uptime with <0.0003% FPs 5 years in a row
• Data Protection: #1 DLP share; 100% of Fortune 100
• Trust Services: #1 share; 6B certificate lookups/day
• Authentication & Authorization: 13B validations every day; 100% uptime last 5 years
• Managed Security Services: 12 yrs Gartner MQ leader; 30B logs analyzed/day
Symantec Enterprise Security | UNIQUE VISIBILITY
• 57M attack sensors in 157 countries
• 175M endpoints
• 182M web attacks blocked last year
• 3.7T rows of telemetry
• 100 Billion more/month
• 9 threat response centers
• 500+ rapid security response team
• 30% of world’s enterprise email traffic scanned/day
• 1.8 Billion web requests
Symantec Enterprise Security | PRODUCT STRATEGY
Threat Protection (ENDPOINTS, DATA CENTER, GATEWAYS)
• Advanced Threat Protection Across All Control Points
• Built-In Forensics and Remediation Within Each Control Point
• Integrated Protection of Server Workloads: On-Premise, Virtual, and Cloud
• Cloud-based Management for Endpoints, Datacenter, and Gateways
Unified Security Analytics Platform
• Log and Telemetry Collection
• Unified Incident Management and Customer Hub
• Inline Integrations for Closed-loop Actionable Intelligence
• Regional and Industry Benchmarking
• Integrated Threat and Behavioral Analysis
Information Protection (DATA, IDENTITIES)
• Integrated Data and Identity Protection
• Cloud Security Broker for Cloud and Mobile Apps
• User and Behavioral Analytics
• Cloud-based Encryption and Key Management
Diagram labels: Users, Data, Apps, Cloud, Endpoints, Gateways, Data Center
Cyber Security Services
• Monitoring, Incident Response, Simulation, Adversary Threat Intelligence
Addressing the Cyber Kill Chain with Symantec
Columns: Phase | Detect | Deny or Contain | Disrupt, Eradicate or Deceive | Recover
Reconnaissance
  Detect: Deepsight Threat Intelligence, Managed Security Services (MSS), Control Compliance Suite
  Deny or Contain: Control Compliance Suite, Datacenter Security
  Disrupt, Eradicate or Deceive: N/A
  Recover: N/A
Weaponization
  Detect: Deepsight Managed Adversary Threat Intelligence (MATI)
  Deny or Contain: Control Compliance Suite, Altiris ITMS
  Disrupt, Eradicate or Deceive: Messaging Gateway, Symantec.cloud (email/web)
  Recover: N/A
Delivery
  Detect: MSS, Deepsight Threat Intelligence, Blackfin acquisition (user training, phishing tests)
  Deny or Contain: ATP Suite, Deepsight Threat Intelligence
  Disrupt, Eradicate or Deceive: Endpoint Protection
  Recover: Endpoint Protection (Power Eraser), Veritas
Exploitation
  Detect: Endpoint Protection, Datacenter Security, MSS
  Deny or Contain: Endpoint Protection, Datacenter Security, ATP Suite, Deepsight Threat Intelligence
  Disrupt, Eradicate or Deceive: Endpoint Protection, ATP Suite, Datacenter Security
  Recover: Veritas
Installation
  Detect: Endpoint Protection, Advanced Threat Protection Suite (ATP Suite), Datacenter Security
  Deny or Contain: Endpoint Protection, Mobility Suite, Authentication Manager, VIP, Managed PKI
  Disrupt, Eradicate or Deceive: Endpoint Protection, ATP Suite, Datacenter Security
  Recover: Incident Response Retainer Services
Command and Control
  Detect: MSS, Deepsight Threat Intelligence
  Deny or Contain: Deepsight Threat Intelligence, DLP, ATP Suite
  Disrupt, Eradicate or Deceive: Deepsight Threat Intelligence
  Recover: Incident Response Retainer Services
Action on Targets
  Detect: MSS, Data Loss Prevention (DLP), Deepsight Threat Intelligence
  Deny or Contain: Data Loss Prevention
  Disrupt, Eradicate or Deceive: DLP, ATP Suite
  Recover: Incident Response Retainer Services
Source: Gartner (August 2014) – G00263765
Recommendations
Reconnaissance
• Regular external scanning / pentests
• Deepsight MATI: monitor the underground Internet
• DCS:SA: enforce the least privilege concept on Internet-facing servers
• MSS: analytics to detect indicators of unwanted activity against Internet-facing servers
• Employ an SDLC to guarantee applications are processing untrusted input correctly
Weaponization
• Deepsight Intelligence: keep informed of recently discovered vulnerabilities and the weaponized exploits available to attackers
• Deepsight MATI: monitor possible/future activities planned against your organization and track adversaries
Delivery
• Keep using your traditional controls (NGFW, NGIPS, SWG, DDoS, WAF) to provide visibility and prevent compromise attempts
• ATP Suite: inspect suspicious files through sandboxing analysis
• Analyze DNS resolution to unwanted or malicious hosts
Exploitation
• MSS: collect and correlate logs from various control points to provide better visibility of malicious behavior
• Email Security.cloud, Endpoint Protection: these can help limit most of the attack attempts
• Deepsight Datafeeds: provide intelligence on malicious IPs/domains to your SIEM
• ATP Suite: inspect suspicious files through sandboxing analysis
Installation
• Endpoint Protection: provides greater protection against advanced malware and browser attacks, plus application white/blacklisting
• SAM/VIP/MPKI: employ strong authentication to reduce the likelihood of installation and data access
• Incident Response Retainer: helps with incident response practices and containment
Command and Control
• Deepsight Datafeeds: provide intelligence on malicious IPs/domains to your SIEM. They can also be used to create a “DNS Sinkhole” to divert malicious connections
• MSS: collect and correlate logs from various control points to provide better visibility of malicious behavior, including C&C connections
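The DNS-related recommendations above (analyzing DNS resolution to malicious hosts under Delivery, and turning feed intelligence into a DNS sinkhole under Command and Control) as an added example, not from the deck or any Symantec product: it matches a constructed resolver log against a constructed domain feed and renders RPZ-style sinkhole records. The feed contents, log line format, sinkhole address and record layout are all assumptions made for the example.

```python
import ipaddress

# Constructed threat-intel feed (stand-in for a vendor datafeed): domain -> category.
THREAT_FEED = {
    "c2.example.net": "c2",
    "dropper.example.org": "malware-download",
}

# Constructed resolver log lines, assumed format: "<timestamp> <client_ip> <qname> <qtype>"
DNS_LOG = """\
2015-06-01T10:00:01Z 10.0.0.15 www.example.com A
2015-06-01T10:00:05Z 10.0.0.15 c2.example.net A
2015-06-01T10:01:09Z 10.0.0.22 mail.example.com MX
2015-06-01T10:02:30Z 10.0.0.15 c2.example.net A
2015-06-01T10:03:44Z 10.0.0.31 update.dropper.example.org A
"""

SINKHOLE_IP = "192.0.2.1"  # documentation (TEST-NET-1) address standing in for the sinkhole

def in_feed(qname):
    """Return (feed_domain, category) if qname or any parent domain is listed, else None."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])  # walk up: host.sub.tld, sub.tld, tld
        if candidate in THREAT_FEED:
            return candidate, THREAT_FEED[candidate]
    return None

def detect(log_text):
    """Scan log lines; return one (ts, client, qname, feed_domain, category) tuple per hit."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # tolerate malformed lines instead of aborting the scan
        ts, client, qname, _qtype = parts
        match = in_feed(qname)
        if match:
            hits.append((ts, client, qname.lower(), match[0], match[1]))
    return hits

def sinkhole_zone(feed, sink_ip=SINKHOLE_IP):
    """Render RPZ-style records (owner names relative to the policy zone) that answer
    each listed domain and its subdomains with the sinkhole address."""
    ipaddress.ip_address(sink_ip)  # fail fast on a bad address before emitting config
    records = []
    for domain in sorted(feed):
        records.append(f"{domain} IN A {sink_ip}")
        records.append(f"*.{domain} IN A {sink_ip}")
    return "\n".join(records)
```

Clients that appear in the detection output are the ones to prioritize for incident response; the zone fragment is what you would load into the resolver's response policy zone so later lookups resolve to the sinkhole instead of the real host.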
Action on Targets
• Data Loss Prevention: perform continuous monitoring of user behavior/data access
• Employ database monitoring tools to detect/block suspicious data access (excess in volume, abnormal times, locations, etc.)
Thank you!
Copyright © 2015 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
André Carraretto, [email protected]
@andrecarraretto
https://br.linkedin.com/in/andrecarraretto