hexis rules of engagement webinar


Upload: hexis-cyber-solutions

Post on 26-Jan-2017


TRANSCRIPT

Automated Threat Removal

Todd Weller, VP Corporate Development

June 2015

What is Automated Threat Removal?

An integrated approach to threat detection and response that leverages flexible, policy-based automation to detect, verify, and remove threats before they do damage.

The Response Problem

Despite deploying lots of security technologies, organizations continue to experience multiple challenges responding to threats:

§ Not enough skilled people to respond fast enough
§ AV and network perimeter not blocking threats
§ Too many events and false positives to review

The same slide, annotated with the three ingredients of a solution:

1. Visibility
2. Verification
3. Response

Spending Shift to Detection and Response

Prevention → Detection & Response

§ Prevention is not 100% effective
§ Nature of attacks driving need for greater visibility
§ Response more top of mind

Move to Continuous Response

§ Attack environment resulting in increased investment in response
§ Continuous attacks driving shift from incident response to continuous response
§ Continuous response requires increasing use of automation

Copyright © 2015, Hexis Cyber Solutions, Inc. All rights reserved.

Why Automation is Necessary

Human Assets Are Tough to Find and Scale

Demand for Talent Outstripping Supply

Source: Burning Glass Technologies, “Job Market Intelligence: Report on the Growth of Cybersecurity Jobs”

“The talent you’re looking for in incident response is absolutely the hardest I’ve seen to find in security in general”

- Christine Gadsby, Manager, BlackBerry Product Security Incident Response Team

Automated Attacks = Automated Defense

Forrester’s Call for Automated Response

“A call to action for a more automated threat response process based on developing a set of cyber rules of engagement”

“Security Automation is Inevitable”

Source: Forrester Research

Forrester Rules of Engagement Themes

§ Better tools to detect breaches
§ Defining policy (rules of engagement) to facilitate adoption of automation
§ Response index


What are essential ingredients?

1 Visibility, 2 Verification, 3 Automated Response

Visibility (1)

§ Ensuring environments are properly instrumented to detect today’s threats
§ Initial focus was network-based sandboxing solutions
§ Focus shifting to Endpoint Visibility & Control

Advanced Threat Detection Frameworks: Takeaways

§ Sandboxing is important but it’s just one component of defense
§ Malware increasingly sandbox aware and evading sandboxes
§ Visibility on both endpoints and the network is required
§ Including correlation of activity

Verification (2)

§ STRATEGIC: Corroboration and threat fusion to improve detection and prioritize investigation and response
§ TACTICAL: Solving the “ghost alert” issue related to network security alerts

Automated Response (3)

§ A collection of countermeasures that can be flexibly deployed based on policy
§ Ability to operate countermeasures in any combination of automated or machine-guided modes
§ Manual investigation capabilities


Mix ‘em up so they work together…

Automation Requires Integration

§ Visibility
§ Verification
§ Automated Response

Integration & Orchestration

HawkEye G Solves the Response Problem

1 Detect: integrated platform with real-time endpoint agents, network edge detection, and a 3rd party ecosystem
2 Verify: host and network correlation confirms the threat to pinpoint where you really need to respond
3 Remove: automated and machine-guided response is a force multiplier to remove the threat before breach
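The Detect, Verify, Remove flow and the policy-driven countermeasures described on the essential-ingredients and HawkEye G slides, as an added Python example that is not Hexis code: a toy rules-of-engagement engine that fuses host and network alerts into a device incident score, treats single-source alerts (the network-only "ghost alert" case) as unverified and collects forensics only, and selects automatic versus machine-guided mode from policy. The host names, indicator values, scores, the 15-point corroboration bonus and the thresholds are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Alert:
    host: str
    source: str     # "network" (sandbox/NGFW alert) or "endpoint" (host sensor)
    indicator: str  # constructed sample value: a file hash or C2 domain
    score: int      # indicator score assigned by the detecting source (0-100)

@dataclass
class Policy:  # the "rules of engagement"; thresholds are assumptions
    auto_threshold: int = 80    # verified score at/above which automation may act
    review_threshold: int = 50  # below this, only collect forensics
    critical_hosts: set = field(default_factory=set)  # never act automatically
def device_incident_score(alerts):
    """Fuse indicator scores into one device score: the highest score, plus a
    bonus when host and network sensors corroborate each other."""
    verified = {"network", "endpoint"} <= {a.source for a in alerts}
    score = max(a.score for a in alerts)
    return (min(100, score + 15) if verified else score), verified

def decide(host, alerts, policy):
    """Choose countermeasures and operating mode for one host under the policy."""
    score, verified = device_incident_score(alerts)
    remove = ["kill", "quarantine", "block"]
    if not verified:  # single-source alert, e.g. a network-only "ghost alert"
        mode, actions, reason = "machine_guided", ["forensics"], "uncorroborated"
    elif score < policy.review_threshold:
        mode, actions, reason = "machine_guided", ["forensics"], "low_score"
    elif host in policy.critical_hosts or score < policy.auto_threshold:
        mode, actions, reason = "machine_guided", remove, "needs_analyst_approval"
    else:
        mode, actions, reason = "automatic", remove, "verified_high_confidence"
    return dict(host=host, score=score, mode=mode, actions=actions, reason=reason)

def run(alerts, policy):
    # group alerts per host and return one decision per device
    by_host = {}
    for a in alerts:
        by_host.setdefault(a.host, []).append(a)
    return {h: decide(h, al, policy) for h, al in by_host.items()}

SAMPLE_ALERTS = [  # constructed sample input, not real indicators
    Alert("ws-101", "network", "sha256:constructed-a", 70),
    Alert("ws-101", "endpoint", "sha256:constructed-a", 75),
    Alert("ws-202", "network", "c2.example.invalid", 90),  # no endpoint signal
    Alert("db-001", "network", "sha256:constructed-b", 85),
    Alert("db-001", "endpoint", "sha256:constructed-b", 85),
]
POLICY = Policy(critical_hosts={"db-001"})
```

Running `run(SAMPLE_ALERTS, POLICY)` removes automatically only on ws-101, where both sensors agree; the network-only alert on ws-202 and the verified alert on the critical host db-001 are routed to an analyst.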


Detect (Endpoints + Network): platform diagram

Components shown: HawkEye G Manager; HawkEye G Host Sensor (174 heuristics); HawkEye G Network Sensor; Hexis Threat Feed (19 threat feeds); third-party integrations (FireEye® NX, PAN NGFW + WildFire®).

Verify: Introducing ThreatSync™

ThreatSync sits on the same inputs and adds threat fusion and threat analytics: indicator scoring rolls up into a device incident score.

Remove: Policy Manager and Countermeasures

Countermeasures: Kill, Quarantine, Block, Expire, Forensics (with more labelled Future). Modes shown: surgical, machine guided, automatic.

Report

Fourth build of the same diagram, showing the full pipeline: host and network sensors, threat feed and third-party integrations, ThreatSync, and the policy manager driving countermeasures in machine-guided and automatic modes.

How Hexis is Embracing Integration

Integrated Platform

§ Detect, Verify, Remove
§ Endpoint + network

ThreatSync™

§ Improve detection effectiveness
§ Verify endpoint infections
§ Enable automated response

Architectures

§ U.S. Intelligence Community reference architecture (SHORTSTOP)
§ Integrated Active Cyber Defense (ACD) solution
§ Includes Hexis, Palo Alto, FireEye, and Splunk

Hexis Key Differentiators

§ Full arsenal of machine-guided and automated countermeasures that can be flexibly deployed based on policy
§ Endpoint sensing capabilities – heuristics, real-time eventing
§ Endpoint + network including correlation
§ ThreatSync™ analytics fuses Hexis detection with 3rd party indicators
§ Integrated platform spanning detection, investigation, and response
§ Developed using military-grade cyber capabilities and state-of-the-art commercial technologies

REVIEW: Forrester’s Call for Automated Response

“A call to action for a more automated threat response process based on developing a set of cyber rules of engagement”

“Security Automation is Inevitable”

Source: Forrester Research

Forrester Rules of Engagement Themes

§ Better tools to detect breaches
§ Defining policy (rules of engagement) to facilitate adoption of automation
§ Response index

…totally in sync with the HawkEye G 3.0 vision

Security Automation Adoption

§ Crawl, walk, run
§ Early win automation use cases
  § Verification of network alerts
  § Automated removal of nuisance malware
§ Organizations can buy and operate their own automation platforms or consume via a managed service

Security Automation Benefits

§ Faster response = improved security posture
  § Narrow gap between time to detect and time to remediate
§ Automation can serve as a force multiplier for scarce human security resources
  § Free up existing resources to focus on more meaningful alerts/issues
  § Efficiently scale response efforts


Questions?

Thank You!