1487 - Proactively Discovering Malicious Activity on Your Network
SYMANTEC VISION 2014
Mark Guntrip, Product Marketing, Symantec
Mark Feeney, Manager, IT Security, AMETEK
Agenda
1. The Best Place to Detect Malicious Behavior
2. Different Viewpoints
3. AMETEK Real-World Case Study
The big question…
“Where is the best place to detect malicious behavior?”
[Chart: At what point do you believe advanced threats are stopped or identified? Responses for Server, Cloud, Network, Endpoint and Gateway on a 0 to 25 scale.]
What does this question mean to different people?
• Where my core data resides
• What I think malicious activity is
• Where I believe I might be vulnerable
• Within the bounds of my control
• I’m blocking threats before they get in
Shortened URLs
Real Time Link Following
Active Content
Disarm Technology
• Problem: attacks using malicious, attached email documents
– Primarily used in spear phishing emails – Advanced Persistent Threat (APT)
– Contain malicious active content, or exploit payloads targeting parser vulnerabilities
• Solution: reconstruct attachment documents from scratch before presenting to the user
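Added illustration of the rebuild-from-scratch idea behind the Disarm slide, not Symantec’s Disarm implementation: an OOXML (.docx/.docm) package is rebuilt from an allow-list of parts, so the VBA project and any other unlisted part never reach the output, and the two XML parts that point at the macro project are rewritten. The macro-enabled sample document is constructed inline with an inert placeholder in place of a real VBA project.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
VBA_CT = "application/vnd.ms-office.vbaProject"
VBA_REL = "http://schemas.microsoft.com/office/2006/relationships/vbaProject"
MACRO_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
# Only allow-listed parts reach the rebuilt file; vbaProject.bin, OLE and ActiveX parts are not listed.
ALLOWED_PARTS = {"[Content_Types].xml", "_rels/.rels", "word/document.xml", "word/_rels/document.xml.rels"}
XML_TO_CLEAN = {"[Content_Types].xml": CT_NS, "word/_rels/document.xml.rels": REL_NS}

def _clean_xml(xml: bytes, ns: str) -> bytes:
    """Drop entries that reference the VBA project; downgrade the main part type."""
    root = ET.fromstring(xml)
    for el in list(root):
        if el.get("ContentType") == VBA_CT or el.get("Type") == VBA_REL:
            root.remove(el)
        elif el.get("ContentType") == MACRO_MAIN:
            el.set("ContentType", PLAIN_MAIN)
    ET.register_namespace("", ns)  # serialise with the default namespace unprefixed
    return ET.tostring(root)

def disarm_docx(data: bytes) -> bytes:  # rebuild from scratch, allow-listed parts only
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for name in src.namelist():
            if name in ALLOWED_PARTS:  # anything else is dropped, never inspected
                body = src.read(name)
                if name in XML_TO_CLEAN:
                    body = _clean_xml(body, XML_TO_CLEAN[name])
                dst.writestr(name, body)
    return out.getvalue()

def parts(data: bytes) -> dict:  # part name -> bytes, for before/after checks
    z = zipfile.ZipFile(io.BytesIO(data))
    return {n: z.read(n) for n in z.namelist()}

def build_sample_docm() -> bytes:  # constructed sample; the .bin is an inert placeholder
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", f'<Types xmlns="{CT_NS}"><Default Extension="bin" ContentType="{VBA_CT}"/>'
                   f'<Override PartName="/word/document.xml" ContentType="{MACRO_MAIN}"/></Types>')
        z.writestr("word/document.xml", "<document>Invoice</document>")
        z.writestr("word/_rels/document.xml.rels", f'<Relationships xmlns="{REL_NS}"><Relationship '
                   f'Id="rId1" Type="{VBA_REL}" Target="vbaProject.bin"/></Relationships>')
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder macro project")
    return buf.getvalue()
```

The same allow-list approach extends to other package formats: what matters is that unknown parts are never copied, rather than that known-bad ones are found.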
Content Download
Symantec Insight
6.3 billion files
300 million machines
2 million URLs
Insight makes decisions based on who downloads what from where, not just how many times a file is downloaded.
When one machine downloads a file, all reputations must be re-calculated! That’s over 100 billion associations that must be refreshed every few hours!
Drive-by Download
Network Threat Protection
• Threat protection efficacy against drive-by downloads
• Prevent browser exploitation
• Block attacks where endpoint protection may not be in place, such as BYOD support
• Detect internal malware proliferation
64% of Symantec malware blocks are due to network threat detection
Devices Outside The Network
Cloud Security
Unmanaged Devices
Protect Technologies
• Gateway/cloud
– Email Security – on-premises and cloud – strip active content, follow links
– Web Security – on-premises and cloud – detect botnet activity, protect remote devices when they are off-network
– Protect unmanaged devices
• Server/Endpoint
– Prevent malicious content from installing
– Detect malware post-infection
Shift in viewpoint
Realization: Breach is Inevitable
Customer Needs Shift: From Protection Only to Protection + Detection and Response
Identify – Understanding Where Important Data Is
Protect – Stopping Incoming Attacks
Detect – Finding Incursions
Respond – Containing & Remediating Problems
Recover – Restoring Operations
Detecting and stopping malware activity
Gateway
• Command & Control Communications
• Botnet activity
• Inactive botnets
Symantec Web Gateway (diagram): inspects traffic from web client systems – packets, IPs, URLs, files, active content, applications, behavior. Detection layers: Botnet Detection, Infected Client Detection, Application Control, Malware Content Scanning, URL Filtering, Malware Domains & IPs.
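Added example, not Symantec Web Gateway’s logic, of one way a gateway can surface command-and-control check-ins from the traffic it sees: group proxy log entries by client and destination and flag pairs whose connection intervals barely vary. The log lines, client addresses and hostnames are constructed; thresholds are assumptions to tune against real traffic.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy log lines (epoch seconds, client IP, destination host); not real traffic.
# 10.1.2.31 checks in roughly every 300 s; 10.1.2.30 is ordinary bursty browsing.
SAMPLE_LOG = """\
1383264000 10.1.2.30 cdn.news.example
1383264017 10.1.2.30 cdn.news.example
1383264000 10.1.2.31 sync.widget.test
1383264140 10.1.2.30 cdn.news.example
1383264301 10.1.2.31 sync.widget.test
1383264599 10.1.2.31 sync.widget.test
1383264900 10.1.2.30 cdn.news.example
1383264902 10.1.2.31 sync.widget.test
1383265010 10.1.2.30 cdn.news.example
1383265200 10.1.2.31 sync.widget.test
1383265498 10.1.2.31 sync.widget.test
1383265801 10.1.2.31 sync.widget.test
1383266250 10.1.2.30 cdn.news.example
1383267000 10.1.2.30 cdn.news.example
1383267020 10.1.2.30 cdn.news.example
"""

def parse_log(text: str) -> dict:
    """Group timestamps by (client, destination) so inter-arrival gaps can be measured."""
    by_pair = defaultdict(list)
    for line in text.splitlines():
        ts, client, dest = line.split()
        by_pair[(client, dest)].append(int(ts))
    return {pair: sorted(stamps) for pair, stamps in by_pair.items()}

def beacon_candidates(by_pair: dict, min_hits: int = 6, max_jitter: float = 0.1) -> list:
    """Return (client, dest, period_s) for pairs whose gaps are nearly constant.

    Jitter is the coefficient of variation of the gaps. A check-in timer gives gaps
    that barely vary; a person browsing produces bursts and long pauses instead.
    """
    hits = []
    for (client, dest), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue  # too few samples to judge regularity
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            hits.append((client, dest, round(period)))
    return sorted(hits)
```

Candidates still need triage against known-good periodic traffic (update checks, monitoring agents), which is where the reputation and domain lists on the slide come in.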
Detecting and stopping malware activity
• Managed Security Services
Symantec MSS (diagram labels): Desktops; Network; Server; Endpoint; Data; Compliance Restriction; Organization; Asset Value; System Function; Threats; Vulnerabilities; Malcode; File & Site Reputation
How AMETEK Found, Watched & Beat a Malware Campaign
Mark Feeney, Manager, IT Security, AMETEK
• $3.6B global manufacturer of electronic instruments and electro-mechanical devices
• AMETEK is a component of the S&P 500 Index (AME)
• Over 120 manufacturing and 80 sales and service locations
• 30 countries
• 4 data centers: Boston MA, Horsham PA, Leicester UK, Singapore
• 14,000 employees worldwide
Timeline
• June 2013 – Just a little “noise”
• Sept 2013 – FBI, San Diego
• Oct 2013 – Aahh. There it is!
• FBI, Boston
• Nov 2013 – Ongoing process begins
Key Takeaways
• If the FBI wants to talk to you, talk to them
• Don’t be afraid to ask your vendors for help
• If you haven’t already, upgrade to SEP 12.1
• Reduce lateral movement
• Eliminate password reuse
• Look to gateway security measures to maximize visibility
• Devices outside your control are still critical
• Plan to Protect, Detect, Respond, Recover
For more information on Symantec’s future plans for malware and targeted attack detection, see the session “Gateway, Cloud and Targeted Attacks: Symantec’s Vision, Strategy and Roadmap”, 10:15–11:15 AM, Augustus Ballroom 2.
Thank you!