1 FireEye Architecture & Technology: Full Spectrum Kill-chain Visibility. Joshua Senzer, CISSP. DataConnectors, June 2014. Re-Imagined. Security.


2 Agenda
– Threat landscape deep dive
– A look inside the FireEye technology
– The FireEye platform
– FireEye platform: a case study

3 Current State of Cyber Security: the new threat landscape
– Multi-vector attacks
– Multi-staged attacks
– Coordinated, persistent threat actors
– Dynamic, polymorphic malware

4 The High Cost of Being Unprepared: 229 days is the median number of days attackers are present on a victim network before detection (timeline from the initial breach, through the period the threat goes undetected, to remediation). Source: M-Trends Report

5 The High Cost of Being Unprepared: 32 days is the average time to resolve an attack, shown on the same breach-to-remediation timeline. Source: M-Trends Report, Ponemon

6 Zero Day Scorecard

7 Multi-Staged Cyber Attack: exploit detection is critical, because all subsequent stages can be hidden or obfuscated.
1. Exploitation of system (from the exploit server)
2. Malware executable download
3. Callbacks and control established (to the callback server)
4. Lateral spread (to file share 1 and file share 2)
5. Data exfiltration
Diagram components: exploit server, callback server, firewall, IPS, file share 1, file share 2.

8 What Is An Exploit? A compromised web page carries an exploit object, and the exploit object can be in ANY web page.
1. Exploit object is rendered by vulnerable software
2. Exploit injects code into the running program's memory
3. Control transfers to the exploit code
An exploit is NOT the same as the malware executable file!

9 Structure of a Multi-Flow APT Attack (exploit server, callback server)
1. Embedded exploit alters the endpoint
2. Callback
3. Encrypted malware downloads
4. Callback and data exfiltration

11 Multi-Flow Structure of APT Attacks (e.g. Operation Aurora, Operation Beebus, CFR…)
1. Exploit in a compromised web page injects code into the web browser (the embedded exploit alters the endpoint)
2. Exploit code downloads the encrypted malware (the payload itself is encrypted; this is not SSL!)
3. Exploit code decrypts the malware
4. Target endpoint connects to the C&C server (callback and data exfiltration)
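The multi-flow structure above is what defeats per-object signature scanning: the download in the second flow is an encrypted blob with no executable header, and only the exploit in the first flow holds the key. The following Python is an added example, not FireEye code or a real sample, that models this with constructed flows: a placeholder PE image (headers only, not malware) XOR-encrypted with a key embedded in a constructed exploit page (the variable name xk and the single-byte XOR scheme are assumptions). It shows each flow passing a stand-alone executable check, and the same flows being flagged once they are correlated per victim.

```python
"""Added example, not FireEye code: per-object scanning vs. multi-flow correlation.
All flows below are constructed; the "malware" is a header-only placeholder PE."""
import re
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Flow:
    """One HTTP response observed on the wire (constructed sample data)."""
    flow_id: int
    client: str        # victim endpoint
    server: str        # exploit or callback server
    content_type: str
    body: bytes


def build_fake_pe() -> bytes:
    """A placeholder PE image: DOS header, e_lfanew at 0x3C, and 'PE\\0\\0' at 0x40.
    No code and no sections; it exists only so the static check has something to find."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos = dos.ljust(e_lfanew, b"\x00")
    # IMAGE_FILE_HEADER with Machine = 0x014c (i386), everything else zero
    return dos + b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 18


def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def looks_like_pe(body: bytes) -> bool:
    """The static check a signature engine applies to a downloaded object."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
    return body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


# Constructed exploit page. The only property that matters here is that the key
# for the second download lives in the first flow. The variable name "xk" and the
# single-byte XOR scheme are assumptions for this example, not a real sample.
EXPLOIT_HTML = b"<html><script>var xk=0x5a; /* heap spray and shellcode omitted */</script></html>"
KEY = 0x5A

FLOWS: List[Flow] = [
    Flow(1, "10.0.0.7", "exploit.example", "text/html", EXPLOIT_HTML),
    Flow(2, "10.0.0.7", "exploit.example", "application/octet-stream", xor(build_fake_pe(), KEY)),
    Flow(3, "10.0.0.7", "callback.example", "text/plain", b"id=7&os=winxp"),
]


def single_flow_verdicts(flows: List[Flow]) -> Dict[int, str]:
    """Each response judged only on its own bytes: the encrypted blob looks like noise."""
    return {f.flow_id: ("executable" if looks_like_pe(f.body) else "clean") for f in flows}


def extract_xor_key(html: bytes) -> Optional[int]:
    m = re.search(rb"\bxk\s*=\s*0x([0-9a-fA-F]{2})\b", html)
    return int(m.group(1), 16) if m else None


def multi_flow_verdict(flows: List[Flow]) -> Dict[str, dict]:
    """Correlate flows per victim: a key recovered from the exploit flow is tried
    on every later non-HTML download from the same client."""
    by_client: Dict[str, List[Flow]] = {}
    for f in flows:
        by_client.setdefault(f.client, []).append(f)

    findings: Dict[str, dict] = {}
    for client, fl in by_client.items():
        key, exploit_flow = None, None
        for f in sorted(fl, key=lambda x: x.flow_id):
            if f.content_type == "text/html" and key is None:
                key, exploit_flow = extract_xor_key(f.body), f.flow_id
            elif key is not None and looks_like_pe(xor(f.body, key)):
                findings[client] = {"exploit_flow": exploit_flow,
                                    "download_flow": f.flow_id, "key": key}
    return findings


if __name__ == "__main__":
    print("per-object:", single_flow_verdicts(FLOWS))
    print("multi-flow:", multi_flow_verdict(FLOWS))
```

The point of the example is the asymmetry: the per-object verdict is "clean" for all three flows, while correlating the exploit flow with the following download from the same client recovers a valid PE header. Real exploit kits vary the key and scheme per victim, which is why the slide stresses that the decryption happens in exploit code that must itself be observed, rather than in a fixed format a signature could match.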

12 Multi-Vector Structure of APT Attack, weaponized with a zero-day exploit (e.g. RSA)
1. Weaponized document (2011 Recruitment Plan.xls) is opened by the user, causing the exploit
2. Client endpoint calls back to the infection server
3. Backdoor DLL dropped
4. Encrypted callback over HTTP to the command and control server
Diagram components: weaponized document, backdoor, callback server, C&C server.

13 Traditional Defense in Depth is failing: firewalls/NGFW, secure web gateways, IPS, anti-spam gateways and desktop AV all rely on signatures, and the new breed of attacks evades signature-based defenses.

14 Accelerating the Detection to Forensics Workflow
1. Real-time detection
2. Validation & containment
3. Forensics: connecting the dots across time

15 Finds known/unknown cyber-attacks in real time across all attack vectors

16 FireEye Technology: Scaling the MVX. APT web attacks are nearly invisible needles in a haystack of network traffic; HTML and JavaScript form 95% of the objects to be scanned on the wire.
– Phase 1: line-rate intelligent capture (1M+ objects/hour)
– Phase 2: MVX core (detonation) with multi-flow virtual analysis
Together the two phases reduce both false positives and false negatives.

17 FireEye Technology: Inside the MVX (1) FireEye hardened hypervisor: a custom hypervisor on the hardware, with built-in countermeasures, designed for threat analysis.

18 FireEye Technology: Inside the MVX (2) Cross-matrix virtual execution: a massive cross matrix of virtual executions across multiple operating systems, multiple service packs, multiple applications and multiple application versions, running on the hardened hypervisor.

19 FireEye Technology: Inside the MVX (3) Threat protection at scale: a control plane over more than 2000 execution environments (v1, v2, v3 of each image in the cross matrix) gives >2000 simultaneous executions with multi-flow analysis.

20 FireEye's web detection is great, BUT there are a number of threats that the FireEye solution does not address well (client-side vs. server-side attacks):
– Unauthorized access
– Data resource theft
– Malformed packets
– SQL injection
– Packet flooding
– Cross-site scripting
– DDoS

21 FireEye IPS: improve correlation between known and unknown threats to increase threat protection and reduce costs
– Consolidated threat defense: integrate threat prevention for known and unknown threats, leveraging the MVX engine to provide timely and accurate notifications. It allows NX to compete in both the APT and IPS market segments.
– Threat validation: validate attacks using the MVX engine so time and resource investments are not spent on filtering down the noise. It supports custom IPS Snort rules, which are widely used in the market for compliance.
– Actionable insights: correlate known and unknown threats and derive richer threat intelligence to speed up incident response. It provides both client- and server-side IPS protection for known attacks, and it provides the CVE ID for known attacks that have been detected by MVX.
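One way to see the three points on this slide working together, as an added example that is not FireEye code: a minimal matcher for a subset of Snort rule syntax (header, content with |xx| hex escapes, nocase, reference:cve, sid), run over constructed traffic, with each signature hit correlated against a constructed MVX detonation verdict. Rules, payloads, verdicts and the CVE reference 2014-0000 are all placeholders, the server/client classification by destination port is a simplification, and the status labels are this example's own.

```python
"""Added example, not FireEye code: Snort-style signature hits validated against
a detonation verdict. Rules, traffic, verdicts and the CVE number are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HEADER = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s*->"
    r"\s*(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


@dataclass
class Rule:
    sid: int
    msg: str
    side: str              # "server": traffic toward the web server; "client": toward the browser
    contents: List[bytes]
    nocase: bool
    cve: Optional[str]


def decode_content(s: str) -> bytes:
    """Snort content syntax: literal text with |xx xx| hex escapes between pipes."""
    parts = s.split("|")
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode() for i, p in enumerate(parts))


def parse_rule(text: str) -> Rule:
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError("not a rule: " + text)
    # Simplification for the example: options split on ';' (no escaped semicolons).
    opts = [o.strip() for o in m.group("opts").split(";") if o.strip()]
    sid, msg, cve, contents, nocase = 0, "", None, [], False
    for o in opts:
        key, _, val = o.partition(":")
        if key == "sid":
            sid = int(val)
        elif key == "msg":
            msg = val.strip('"')
        elif key == "content":
            contents.append(decode_content(val.strip('"')))
        elif key == "nocase":
            nocase = True
        elif key == "reference" and val.startswith("cve,"):
            cve = "CVE-" + val[4:]
    # Assumption: a rule whose destination is an HTTP port describes a server-side attack.
    side = "server" if m.group("dport") in ("80", "443", "$HTTP_PORTS") else "client"
    return Rule(sid, msg, side, contents, nocase, cve)


def rule_matches(rule: Rule, payload: bytes) -> bool:
    hay = payload.lower() if rule.nocase else payload
    return all((c.lower() if rule.nocase else c) in hay for c in rule.contents)


# Constructed rules: one server-side (SQL tautology), one client-side (heap-spray
# sled, written with |25| hex escapes for '%'). The CVE reference is a placeholder.
RULES = [parse_rule(r) for r in [
    'alert tcp any any -> any 80 (msg:"SQL tautology in request"; content:"\' OR 1=1"; nocase; sid:1000001;)',
    'alert tcp any 80 -> any any (msg:"Heap-spray NOP sled in script"; content:"|25|u0c0c|25|u0c0c"; reference:cve,2014-0000; sid:1000002;)',
]]

# Constructed traffic: (object id, payload, MVX verdict). None = nothing to detonate
# (a request, not a web object); True = malicious behaviour on detonation; False = clean.
TRAFFIC: List[Tuple[str, bytes, Optional[bool]]] = [
    ("req-1", b"GET /login?user=admin' OR 1=1-- HTTP/1.1", None),
    ("obj-2", b"<script>var s=unescape('%u0c0c%u0c0c'); /* spray */</script>", True),
    ("obj-3", b"<html><body>Quarterly report</body></html>", False),
    ("obj-4", b"<script>eval(String.fromCharCode(104,105))</script>", True),
]


def correlate(rules: List[Rule], traffic) -> Dict[str, dict]:
    """Pair every signature hit with the detonation verdict for the same object."""
    out: Dict[str, dict] = {}
    for obj_id, payload, mvx in traffic:
        hits = [r for r in rules if rule_matches(r, payload)]
        if hits and mvx is True:
            status = "validated"              # known attack, confirmed by detonation: act first
        elif hits and mvx is None and all(r.side == "server" for r in hits):
            status = "ips_only_server"        # server-side attack: nothing for MVX to detonate
        elif hits:
            status = "ips_only_unvalidated"   # signature fired but detonation did not confirm
        elif mvx is True:
            status = "mvx_only_unknown"       # unknown threat: no signature exists yet
        else:
            status = "clean"
        out[obj_id] = {"status": status, "sids": [r.sid for r in hits],
                       "cve": next((r.cve for r in hits if r.cve), None)}
    return out


if __name__ == "__main__":
    for obj_id, result in correlate(RULES, TRAFFIC).items():
        print(obj_id, result)
```

Read the four outcomes against the slide: obj-2 is the "threat validation" case (signature plus MVX agree, and the rule's CVE reference is what gets reported), req-1 is the server-side coverage that detonation alone cannot give, and obj-4 is the unknown threat that only the MVX verdict catches, which is where the correlation of known and unknown threats adds value.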

22 The Objective: Continuous Threat Protection. Shorten time to detect and time to fix to limit theft of assets & IP, cost of response, disruption to business and reputation risk; prevent & investigate with nPulse full real-time enterprise forensics.

23 FireEye Product Portfolio: Powered by MVX. Traditional point products (SEG, IPS, SWG, MDM, host anti-virus) versus the MVX-powered portfolio: Network Threat Prevention, Content Threat Prevention, Mobile Threat Prevention, Endpoint Threat Prevention, together with the Threat Analytics Platform and Dynamic Threat Intelligence.

24 FireEye and Mandiant Services Portfolio
– Security consulting services: proactive threat and vulnerability assessments; incident response; strategic consulting and security program assessments
– Subscription services and product support: FireEye Managed Defense; product support services

25 Mandiant and Cloud offerings: FireEye Technology Alliances. Reference architecture and strategic integrations across mobility, instrumentation, endpoint, mitigation and analysis/SIEM partners. FireEye provides virtual machine detonation, forensic analysis, real-time alerts, callback detection, exploit detection and threat remediation; the partner categories extend it:
– Instrumentation partners: ease of implementation and high availability for layers 1-3
– Endpoint partners: verification and remediation of threats through incident response processes
– Analysis/SIEM partners: data correlation analytics, policy and compliance management
– Mitigation partners: augmenting and enhancing FireEye remediation capabilities, real-time policy creation and blocking across the architecture
– Mobility partners: mitigating against mobile-based threats for BYOD environments with MDMs
– Acceleration partners: top partners in the Fuel Technology Program
"FireEye technology partnerships are great. They fill in the gaps other vendors can't match. FireEye, with its partners, offers a formidable defense." – OTR Global Report 2013
For Partner & Field Confidential Only

26 FireEye Platform: Products & Services Portfolio
– Products: Network (NX) with IPS; Email (EX); Content (FX); Endpoint (HX); Central Manager (CM); Mobile (MTP); Cloud (ETP); Forensics (AX); Threat Analytics Platform (TAP); Network Forensics (CPX)
– Advanced services: Mandiant incident response, vulnerability assessment and penetration testing; strategic services (response readiness and security program assessment); product deployment and integration
– Managed Defense services portfolio: continuous protection; continuous monitoring
– Support services: Platinum (24x7, global); Platinum Priority Plus (DSE); Govt. Support (citizens); Govt. Classified, planned (clearances, secured facility; start in the U.S. and expand internationally)

27 Reimagined Security. Thank You
