Protection Against Spear Phishing and the Modern Cyber Threats

Uploaded by josh-clemo, posted 01-Apr-2015


TRANSCRIPT

Page 1

Protection Against Spear Phishing and the Modern Cyber Threats

Page 2

Notable 2011 Breaches

Page 3

Advanced Threat Vectors

• Hidden Executables: malware executables delivered within PDFs
• Vulnerabilities: flaws in browsers and applications that malware can exploit
• Portable Storage Devices: malware delivered on portable flash drives and USB sticks
• Advanced Persistent Threat

Page 4

By the Numbers

• 1.6M: unique malicious code samples seen daily on average [1]
• 55k: new malware signatures distributed daily [2]
• 90%: US companies that fell victim to a cyber security breach at least once in the past 12 months [3]

Sources: 1. Symantec. 2. McAfee. 3. Ponemon Institute.

Page 5

Acceleration of IP Loss

Page 6

The Advanced Threat Landscape

Criminal Enterprises
• Broad-based and targeted attacks
• Financially motivated
• Getting more sophisticated

Hacktivists
• Targeted and destructive attacks
• Unpredictable motivations
• Generally less sophisticated

Nation-States
• Targeted and multi-stage attacks
• Motivated by information and IP
• Highly sophisticated, endless resources

Page 7

The Advanced Threat

[Chart: attack activity plotted against a workday in Beijing, with lunch and dinner marked on the timeline]

Page 8

The Advanced Threat… 4 Steps

1. Social engineering ("email")
2. Malware dropped
3. Malware morphs & moves
4. Data gathered & stolen

Trust · Detect · Protect · Measure

Page 9

A new approach is required

Page 10

The Solution

Page 11

Trust: Provide a Trust Rating on All Software

Trust is assigned by user/group/organization:

• Trusted Publisher – Microsoft
• Trusted User – [email protected]
• Trusted Directory – E:\sccm\packages
• Trusted Updater – WebEx

IT-Driven Reputation: automatically trust software "pushed" by IT.

Cloud-Driven Reputation: IT sets trust policies for software "pulled" by end users.

[Diagram: example trust ratings on a 0–10 scale across Marketing, Finance and Data Center endpoints: Excel.exe 10, Acroread.msi 10, Calc.exe 9, Firefox 10, Java.dll 10, Exchange 10, Sharepoint 10, VMware.exe 8, Keylogger 0]

Page 12

Detect: Identify Risk

Real-time endpoint sensors monitor:

• File integrity
• Devices
• Memory locations
• Registry keys
• OS/application tampering

Security Operations Center: SIEM, event correlation.

Forensic IR team:

• Track every executable
• Find out how software arrives
• Learn how software propagates
• See if the file has executed
• View the full audit trail

[Diagram: the example trust ratings from page 11 across Marketing, Finance and Data Center endpoints, with an unrated Keylogger appearing among them (CFS)]

Page 13

Protect: Stop the APT

User and context-based trust policies (e.g. Microsoft, Adobe, WebEx):

• Low enforcement: monitor unapproved software
• Medium enforcement: prompt on unapproved software
• High enforcement: block unapproved software
• Ban unauthorized software
• Perform emergency lockdown

Protection for:

• Servers (file, application, SCADA, etc.)
• Virtualized environments
• Domain controllers
• Desktop/laptop endpoints
• Point-of-sale devices

[Diagram: the example trust ratings from page 11 across Marketing, Finance and Data Center endpoints]
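The trust rules on page 11 and the enforcement levels on page 13 together form a policy decision: rate the file, then let the enforcement level decide what happens below the trust threshold. The following is an added example written for this page, not Bit9's code or product logic. Every rule value, score, threshold, path and account name in it is constructed for illustration; it assumes the agent only reports a publisher after the code signature verified, and it uses the 0–10 scale from the slide.

```python
"""Added example, not Bit9's code: a toy model of the Trust and Protect slides.

A file-arrival event is rated with the four IT-driven trust rules named on
page 11 (trusted publisher, user, directory, updater), falls back to a
cloud reputation score when no rule matches, and the enforcement level
from page 13 decides what happens to anything below the trust threshold.
All rule values, scores, thresholds and sample events are constructed
for illustration; the 0-10 scale follows the slide.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FileEvent:
    path: str                        # where the executable landed
    publisher: Optional[str]         # signer; assumed None unless the signature verified
    installing_user: str             # account that wrote the file
    installed_by: str                # process that wrote the file (the "updater")
    cloud_reputation: Optional[int]  # 0-10 from a software registry, None if unknown


@dataclass(frozen=True)
class TrustPolicy:
    trusted_publishers: frozenset
    trusted_users: frozenset
    trusted_directories: frozenset   # Windows paths, matched as directory prefixes
    trusted_updaters: frozenset
    trust_threshold: int = 7         # assumption: ratings >= this run unchallenged


# Enforcement levels from page 13: what happens to an unapproved file.
ENFORCEMENT = {"low": "monitor", "medium": "prompt", "high": "block"}


def in_trusted_directory(path: str, directories) -> bool:
    """Match on the directory plus separator, so E:\\sccm\\packages does not
    also trust E:\\sccm\\packages-old.  Case-insensitive, like NTFS."""
    p = path.lower()
    return any(p.startswith(d.lower().rstrip("\\") + "\\") for d in directories)


def trust_rating(ev: FileEvent, policy: TrustPolicy):
    """Return (rating, reason).  An IT-driven rule trusts fully (10); otherwise
    the cloud reputation is used; an unknown, unsigned file rates 0."""
    if ev.publisher in policy.trusted_publishers:
        return 10, f"trusted publisher: {ev.publisher}"
    if ev.installing_user in policy.trusted_users:
        return 10, f"trusted user: {ev.installing_user}"
    if in_trusted_directory(ev.path, policy.trusted_directories):
        return 10, "trusted directory"
    if ev.installed_by in policy.trusted_updaters:
        return 10, f"trusted updater: {ev.installed_by}"
    if ev.cloud_reputation is not None:
        return ev.cloud_reputation, "cloud reputation"
    return 0, "unknown file: unsigned, no reputation"


def decide(ev: FileEvent, policy: TrustPolicy, enforcement: str):
    """Allow files at or above the threshold; apply the enforcement level to the rest."""
    rating, reason = trust_rating(ev, policy)
    if rating >= policy.trust_threshold:
        return "allow", rating, reason
    return ENFORCEMENT[enforcement], rating, reason


# Constructed policy and events (hypothetical names and paths).
POLICY = TrustPolicy(
    trusted_publishers=frozenset({"Microsoft Corporation", "Adobe Systems Incorporated"}),
    trusted_users=frozenset({"CORP\\svc_sccm"}),
    trusted_directories=frozenset({"E:\\sccm\\packages"}),
    trusted_updaters=frozenset({"WebEx.exe"}),
)
EXCEL = FileEvent(r"C:\Program Files\Microsoft Office\EXCEL.EXE",
                  "Microsoft Corporation", "CORP\\jdoe", "msiexec.exe", 10)
# Unsigned dropper saved from a phishing mail into the user's temp directory.
DROPPER = FileEvent(r"C:\Users\jdoe\AppData\Local\Temp\invoice.pdf.exe",
                    None, "CORP\\jdoe", "OUTLOOK.EXE", None)
# Unsigned file an attacker managed to plant inside the trusted deployment share.
PLANTED = FileEvent(r"E:\sccm\packages\tools\update.exe",
                    None, "CORP\\jdoe", "explorer.exe", None)
# Same file in a look-alike directory that is not trusted.
LOOKALIKE = FileEvent(r"E:\sccm\packages-old\update.exe",
                      None, "CORP\\jdoe", "explorer.exe", None)

if __name__ == "__main__":
    for ev in (EXCEL, DROPPER, PLANTED, LOOKALIKE):
        for level in ENFORCEMENT:
            print(f"{level:6} {ev.path}: {decide(ev, POLICY, level)}")
```

Two results are worth noting. The dropper is blocked only under high enforcement; under low it merely produces a monitoring event, which is why the slide treats the enforcement level as a per-group policy choice rather than a global one. The planted file is allowed with a rating of 10 even though it is unsigned and has never been seen before, because the trusted-directory rule trusts location, not content: a trusted directory is only as strong as the write ACL on it, so it must be writable only by the deployment account, and arrivals into it belong in the "how software arrives" audit trail on page 12.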

Page 14

Measure: Actionable Security Intelligence

Reports for ongoing security health:

• Baseline drift
• Health dashboards
• Event categorization
• Live inventory SDK

Analytics to assess, investigate, and fine-tune your security posture:

• Find file
• Prevalence
• Device usage

Alerts for unexpected threats or requests:

• For file propagation
• For integrated helpdesk approval
• Sent to syslog
• Sent to email

Track activity required for: audit, governance, compliance, SOC, incident response.

[Diagram: the example trust ratings from page 11 across Marketing, Finance and Data Center endpoints, with trusted publishers Microsoft, Adobe and WebEx]
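Pages 12 and 14 describe what the endpoint sensors feed back: how each executable arrived, how it propagated, whether it ran, how far it drifted from the baseline, and how prevalent it is across the fleet. The following is an added example written for this page, not Bit9's code or the product's own analytics. It works over constructed file-arrival records (hosts, hashes, paths and timestamps are all made up, and the hash strings are placeholders rather than real digests) and uses assumed thresholds for what counts as a propagation alert.

```python
"""Added example, not Bit9's code: a toy version of the Detect (page 12) and
Measure (page 14) slides.  From per-endpoint file-arrival events it derives
baseline drift per host, hash prevalence across the fleet, and a propagation
alert when a file outside the baseline first appears on several hosts within
a short window, carrying how the file arrived and where it has executed.
Hosts, hashes, paths and thresholds are all constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class FileArrival:
    ts: datetime
    host: str
    path: str
    sha256: str       # content hash; a placeholder string here, not a real digest
    written_by: str   # process that created the file ("how software arrives")
    executed: bool    # whether the file has run on that host


def baseline_drift(events, baseline):
    """Per host, the hashes present that the approved baseline does not contain."""
    drift = defaultdict(set)
    for e in events:
        if e.sha256 not in baseline:
            drift[e.host].add(e.sha256)
    return dict(drift)


def prevalence(events):
    """Number of distinct hosts each hash has been seen on."""
    hosts = defaultdict(set)
    for e in events:
        hosts[e.sha256].add(e.host)
    return {h: len(s) for h, s in hosts.items()}


def propagation_alerts(events, baseline, min_hosts=3, window=timedelta(hours=1)):
    """Alert on a non-baseline hash whose first arrival on at least min_hosts
    distinct hosts falls inside one window (assumed thresholds).  Repeat
    copies on a host already counted do not inflate the count."""
    first_seen = defaultdict(dict)   # hash -> host -> first arrival event
    executed_on = defaultdict(set)   # hash -> hosts where it has run
    for e in sorted(events, key=lambda e: e.ts):
        if e.sha256 in baseline:
            continue
        first_seen[e.sha256].setdefault(e.host, e)
        if e.executed:
            executed_on[e.sha256].add(e.host)
    alerts = {}
    for h, per_host in first_seen.items():
        arrivals = sorted(per_host.values(), key=lambda e: e.ts)
        for i, start in enumerate(arrivals):
            burst = [a for a in arrivals[i:] if a.ts - start.ts <= window]
            if len(burst) >= min_hosts:
                alerts[h] = {
                    "hosts": len(burst),
                    "written_by": sorted({a.written_by for a in burst}),
                    "executed_on": sorted(executed_on[h]),
                }
                break
    return alerts


# Constructed data: gold-image baseline and one morning of arrivals.
BASELINE = {"sha256:excel", "sha256:firefox", "sha256:javadll"}
T0 = datetime(2011, 9, 12, 9, 0)
HOSTS = ("ws01", "ws02", "ws03", "ws04", "ws05")
EVENTS = [
    FileArrival(T0, h, r"C:\Program Files\Microsoft Office\EXCEL.EXE",
                "sha256:excel", "msiexec.exe", True) for h in HOSTS
] + [
    # One-off admin tool on ws04: drift, but no propagation.
    FileArrival(T0 + timedelta(minutes=5), "ws04", r"C:\Tools\calc_custom.exe",
                "sha256:calc_custom", "msiexec.exe", True),
    # The same unknown binary saved from the mail client on three hosts in 20 minutes.
    FileArrival(T0 + timedelta(minutes=30), "ws01", r"C:\Users\a\AppData\Local\Temp\invoice.exe",
                "sha256:keylogger", "OUTLOOK.EXE", True),
    FileArrival(T0 + timedelta(minutes=41), "ws02", r"C:\Users\b\AppData\Local\Temp\invoice.exe",
                "sha256:keylogger", "OUTLOOK.EXE", False),
    FileArrival(T0 + timedelta(minutes=50), "ws03", r"C:\Users\c\AppData\Local\Temp\invoice.exe",
                "sha256:keylogger", "OUTLOOK.EXE", True),
    # Hours later the dropper copies itself elsewhere on ws01: same hash, same host.
    FileArrival(T0 + timedelta(hours=3), "ws01", r"C:\ProgramData\svc\svchost.exe",
                "sha256:keylogger", "invoice.exe", True),
]

if __name__ == "__main__":
    print("drift:", baseline_drift(EVENTS, BASELINE))
    print("prevalence:", prevalence(EVENTS))
    print("alerts:", propagation_alerts(EVENTS, BASELINE))
```

The one-off tool on ws04 shows up as baseline drift with a prevalence of one, which is the "integrated helpdesk approval" case rather than a fleet alert. The unknown binary that landed on three hosts within twenty minutes produces a propagation alert whose written_by field answers "how did it arrive" (the mail client on every host) and whose executed_on list tells the IR team which machines to pull first. The later copy of the same hash under a system-looking name on ws01 is the "morphs & moves" step from page 8 as it appears in inventory data: it changes neither the prevalence nor the host count, because both are keyed on hash and host, not on path.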

Page 15

The Advanced Threat… 4 Steps (recap of page 8)

1. Social engineering ("email")
2. Malware dropped
3. Malware morphs & moves
4. Data gathered & stolen

Trust · Detect · Protect · Measure

Page 16

Global Software Registry at a Glance

• Records indexed: > 7.2 billion
• Number of packages: > 15.3 million
• Unique hashes: > 450 million
• Unique executables: > 13 million
• New files indexed daily: > 8 million (average)
• Archived packages: > 50 TB

File hash metadata: source, publisher/certificate, first seen/last seen date, product, version, AV scan results, vulnerability information, threat level, trust factor.

Bit9 Global Software Registry pipeline:

• Collect: crawlers, partner feeds, subscriptions
• Extract: 140 un-packers, 300+ variants
• Analyze: AV scanners, PE analysis, correlation
• Derive: normalize data, categorize, determine trust vs. threat
• Publish: Parity knowledge, Forensics (CFS/Analyzer), File Advisor

Page 17

Advanced Server Protection

Servers under protection:

• Domain controllers
• Web servers
• Application servers
• Database servers
• SharePoint servers
• Internet Security and Acceleration (ISA) servers
• Virtual servers

Server challenges:

• Security: targeted malware and cyber attacks
• Operations: unauthorized configuration changes
• Compliance: lack of demonstrable change controls

Bit9 solution:

• Security: application control, device control, memory and registry protection
• Operations: file integrity monitor and control, baseline drift reports, find unplanned changes
• Compliance: server consistency reports, site integrity validation

Page 18

New Strategy for the Advanced Threat

[Diagram of the layers: Security Information and Event Management (SIEM); Advanced Network Protection; Advanced Endpoint Protection; Traditional Endpoint Protection (EPP); Traditional Network Protection (IDS/IPS, UTM); Incident Response/Forensics]

Page 19

Benefits

• Protect your core IP by keeping the Advanced Threat away from critical servers and users
• Meet compliance requirements such as PCI DSS
• Improve operational efficiency by reducing IT helpdesk calls and time spent reimaging
• Reduce costs by understanding all software being used across the enterprise
• Reduce risk by improving incident response times and quickly, accurately identifying high-risk files

Page 20

Case Study: Federally Funded Research and Development Center

Situation:
• Government-funded facility with ~11,000 machines
• Critical research to the nation's defense
• Protect intellectual property, trade secrets
• Forensics located APTs on machines
• Client-based attacks identified as the "blind spot"

Bit9 solution:
• Stopped APTs and unauthorized software from executing
• Reduced number of re-images by 92 percent
• Prevented a non-trusted file "hiding" as Google Earth from executing

Page 21

Case Study: Financial Technology Provider

Situation:
• Struggling to keep up with advances in malware
• Breach in a data center highlighted the urgency of the situation
• Could not stop infection from spreading to thousands of servers

Bit9 solution:
• Mitigated risk on infected or "dirty" machines
• Delivered instant visibility into applications, utilities, and tools running on servers
• Locked down hundreds of servers in less than a day
• Easily scaled to ensure protection across the entire data center

Page 22

Case Study: Grocery Retailer

Situation:
• Improve performance during PCI DSS audits
• Operating 5,000 machines across 560 stores
• Must perform frequent/controlled software updates
• Found unauthorized software on store systems

Bit9 solution:
• Achieved PCI DSS compliance
• Prevented targeted/insider attacks
• Managed configuration drift
• Monitored activity and provided alerts about unwanted activity

Page 23

[Architecture diagram: Management Server (Bit9 Server with Microsoft SQL Server, Active Directory Server and Console) and Software Reputation Service; Corporate Endpoints: laptops, point of sale, kiosks, ATMs, servers, desktops, clients]

Page 24

Sample Customer List

[Customer logos grouped by industry: Retail, Government, Technology/Services, Finance, Healthcare, Industrial]

Bit9 Confidential Information