Presentation is loading. Please wait.

Presentation is loading. Please wait.

©2014 Bit9. All Rights Reserved The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain Mary Ann Fitzsimmons Regional.

Similar presentations


Presentation on theme: "©2014 Bit9. All Rights Reserved The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain Mary Ann Fitzsimmons Regional."— Presentation transcript:

1 ©2014 Bit9. All Rights Reserved The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain Mary Ann Fitzsimmons Regional Director

2 Significant Data Breaches in Last Twelve Months Jan Feb March April May June July Sept Oct Nov Dec Aug

3 ©2014 Bit9. All Rights Reserved

4 Malware: Actors + Actions + Assets = Endpoint ActorsActions Assets 2013 Verizon Data Breach Investigations Report

5 Why is the Endpoint Under Attack? 1. Host-based security software still relies on AV signatures –Antivirus vendors find a routine process: Takes time and can no longer keep up with the massive malware volume –Host-based security software’s dependency on signatures and scanning engines remains an Achilles heel when addressing modern malware 2. Evasion techniques can easily bypass host-based defenses –Malware writers use compression and encryption to bypass AV filters –Malware developers use software polymorphism or metamorphism to change the appearance of malicious code from system to system 3. Cyber adversaries test malware against popular host-based software –There are criminal web sites where malware authors can submit their exploits for testing against dozens of AV products

6 The Malware Problem By the Numbers 66% of malware took months or even years to discover (dwell time) 1 69% of intrusions are discovered by an external party Verizon Data Breach Investigations Report | 2. McAfee Threats Report: First Quarter 2013 | 3. Ponemon Institute 2013 Cost of a Data Breach Study $5.4M The average total cost of a data breach 3 155k The number of new malware samples that are seen daily 2

7 The State of Information Security NetDiligence, 2013 Cyber Liability & Data Breach Insurance Claims 2013 Verizon Data Breach Investigations Report

8 The State of Information Security Compromise happens in seconds Data exfiltration starts minutes later It continues undetected for months Remediation takes weeks At $341k per incident in forensics costs THIS IS UNSUSTAINABLE

9 The Kill Chain Reconnaissance Attacker Researches potential victim Weaponization Attacker creates deliverable payload Delivery Attacker transmits weapon in environment Exploitation Attacker exploits vulnerability Installation Attacker changes system configuration C2 Attacker establishes control channel Action Attacker attempt to exfiltrate data

10 Protection = Prevention, Detection and Response “Security…will shift to rapid detection and response capabilities linked to protection systems to block further spread of the attack.” “Functions organize basic cybersecurity activities at their highest level. These Functions are: Identify, Protect, Detect, Respond, and Recover.” Gartner Endpoint Threat Detection and Response Tools and Practices, Sept NIST Cybersecurity Framework for Critical Infrastructure, Feb 2014

11 Prevent Detect & Respond Prevention Visibility Detection Response Need a Security Lifecycle to Combat Advanced Threats

12 Reduce Attack Surface with Default-Deny Traditional EPP failure Scan/sweep based Signature based –Block known bad Success of emerging endpoint prevention solutions Real time Policy based –Tailor policies based on environment Trust based –Block all but known good Objective of emerging endpoint prevention solutions Lock down endpoint/server Reduce attack surface area –Make it as difficult as possible for advanced attacker Prevention Visibility Detection Response Visibility

13 Prevention effective here Reduce Attack Surface Across Kill Chain Reconnaissance Attacker Researches potential victim Weaponization Attacker creates deliverable payload Delivery Attacker transmits weapon in environment Exploitation Attacker exploits vulnerability Installation Attacker changes system configuration C2 Attacker establishes control channel Action Attacker attempt to exfiltrate data

14 Prevention Visibility Detection Response Visibility Detect in Real-time and Without Signatures Traditional EPP failure Scan/sweep based Small signature database Success of emerging endpoint detection solutions Large global database of threat intelligence Signature-less detection through threat indicators Watchlists Objective of emerging endpoint detection solutions Prepare for inevitability of breach and continuous state of compromise Cover more of the kill chain than prevention Enable rapid response

15 Detection effective here Prevention effective here Reduce Attack Surface Across Kill Chain Reconnaissance Attacker Researches potential victim Weaponization Attacker creates deliverable payload Delivery Attacker transmits weapon in environment Exploitation Attacker exploits vulnerability Installation Attacker changes system configuration C2 Attacker establishes control channel Action Attacker attempt to exfiltrate data

16 Prevention Visibility Detection Response Visibility Rapidly Respond to Attacks in Motion Traditional EPP failure Expensive external consultants Relies heavily on disk and memory artifacts for recorded history Success of emerging endpoint incident response solutions Real-time continuous recorded history delivers IR in seconds –In centralized database Attack process visualization and analytics Better, faster and less expensive Objective of emerging endpoint incident response solutions Pre-breach rapid incident response Better prepare prevention moving forward

17 Current Failures Within the Incident Response Process Preparation Failure: No IR plan with processes and procedures in place Identification & Scoping Failure: Do not have recorded history to fully identify or scope threat Containment Failure: Does not properly identify threat so cannot fully contain Eradication & Remediation Failure: After failing to fully scope threat, remediation is is impossible Recovery Failure: Organization resumes operations with false sense of security Follow Up & Lessons Learned Failure: No post-incident process in place or does not implement expert recommendations The Six-Step IR Process

18 Real-time Visibility & Detection Drives Rapid Response Visibility & Detection Real-time recorded history of entire environment Detect known and unknown files as they appear Know if and when you are under attack Visibility & Detection Real-time recorded history of entire environment Detect known and unknown files as they appear Know if and when you are under attack Response Identify, scope, contain and remediate faster Proactively respond to attacks in motion Simplify and expedite investigations Non-intrusive and no perceived end user impact Response Identify, scope, contain and remediate faster Proactively respond to attacks in motion Simplify and expedite investigations Non-intrusive and no perceived end user impact

19 High-Risk/Targeted Users Advanced Threat Protection for Every Endpoint and Server Fixed-Function and Critical Infrastructure Devices All Other UsersData Center Servers Watch and record

20 High-Risk/Targeted Users Advanced Threat Protection for Every Endpoint and Server Fixed-Function and Critical Infrastructure Devices All Other UsersData Center Servers Stop all untrusted software Watch and record

21 High-Risk/Targeted Users Advanced Threat Protection for Every Endpoint and Server Fixed-Function and Critical Infrastructure Devices Data Center Servers Stop all untrusted software Watch and record All Other Users Detect and block on the fly

22 Prevent Detect & Respond Prevention Visibility Detection Response Bit9 + Carbon Black: Security Lifecycle in One Solution

23 Proactive prevention mechanisms customizable for different users and systems Advanced Threat Prevention Market leader in Default-Deny + Super lightweight sensor that records/and monitors everything and deployable to every computer Incident Response in Seconds Technology leader Purpose-built by experts Rapidly Detect & Respond to Threats Reduce Your Attack Surface New signature-less prevention techniques Continuously monitor and record every endpoint/server 12 Bit9 + Carbon Black

24 See the kill chain in seconds From vulnerable processes to the persistent malicious service Would take days or weeks to re-create using traditional tools Bit9 + Carbon Black: Understanding the Entire Kill Chain

25 ©2014 Bit9. All Rights Reserved

26 Takeaways Reduce your attack surface with prevention Prepare for inevitability of compromise Detect in real time without signatures Pre-breach rapid response in seconds with recorded history Establish an IR plan Understand the need for a security lifecycle Fully deploy security solutions across entire environment “In 2020, enterprises will be in a state of continuous compromise.”

27 Thank you! Q&A


Download ppt "©2014 Bit9. All Rights Reserved The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain Mary Ann Fitzsimmons Regional."

Similar presentations


Ads by Google