Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Life Cycle for Advanced Threats

Published byAlan Taft Modified over 9 years ago

Similar presentations

Presentation on theme: "Security Life Cycle for Advanced Threats"— Presentation transcript:

1

2 Security Life Cycle for Advanced Threats
Prevent Prevention Visibility Detection Response EPP Detect & Respond Central is visibility. Several tools on the market provide network visibility. Detection: must interpret the visibility data to identify threatening events. Repsonse: How quickly can we understand what happened and scope. Visibility at the endpoint is critical. Prevention: How can advanced threats be stopped? ETDR

3 You could keep the enemy at the gates
Once Upon A Time… You could keep the enemy at the gates

4 Technology Has Evolved
Cloud Computing Mobile Computing Internet of Things Surface area is ever-increasing Perimeters are becoming less relevant Everything is connected to something Technology is crossing into our physical world Let’s start with technology… call it Moore’s Law or what you will, but the technology world is evolving at a tremendous pace. <click> Cloud computing, mobile, the Internet of Things… these are all new realities of the past decade. They have changed the way we interact and interconnect, and consequently this changes how we are vulnerable, the attack surface, and what companies must do to protect themselves. <click> The surface area is constantly expanding. From remote users, to users directly interacting with the cloud (public and private), to personal/business dual use devices. There is no well defined perimeter anymore. You might even argue there is no perimeter at all. Firewalls, IDS/IPS, packet inspection – technologies that rely on perimeter and choke points – are no longer sufficient.

5 Threat Actors Have Evolved
Criminal Enterprises Broad-based and targeted attacks Financially motivated Getting more sophisticated Hactivists Targeted and destructive attacks Unpredictable motivations Generally less sophisticated Nation-States Targeted and multi-stage attacks Motivated by information and IP Highly sophisticated, endless resources

6 Endless Stream of News

7 The Malware Problem By the Numbers
Bit9 MasterMinds Dallas, TX The Malware Problem By the Numbers 3/26/2013 66% of malware took months or even years to discover (dwell time)1 69% of intrusions are discovered by an external party1 155k The number of new malware samples that are seen daily2 $5.4M The average total cost of a data breach3 Verizon Data Breach Investigations Report | 2. McAfee Threats Report: First Quarter 2013 | 3. Ponemon Institute 2013 Cost of a Data Breach Study

8 The State of Information Security
Compromise happens in seconds Data exfiltration starts minutes later It continues undetected for months Remediation takes weeks At $341k per incident in forensics costs THIS IS UNSUSTAINABLE

9 DON’T OVERCOMPLICATE THE THREAT
SIMPLE THREAT MODEL: 1: OPPORTUNISTIC 2: NOT DON’T OVERCOMPLICATE THE THREAT

10 Opportunistic threats find value in our computers
Opportunistic threats find value in our computers. Goal: breadth of access. “Advanced” threats find value in our data. Goal: precision of access.

11 How This Impacts Traditional Security
Hosts Compromised Time 10 100 1k 10k 100k Week 2 Week 1 Week 3 Week 4 Week 5 Week 6 Week 7 Signature available. THRESHOLD OF DETECTION Opportunistic Goal is to maximize slope. Hosts Compromised Time 10 100 1k 10k 100k Week 2 Week 1 Week 3 Week 4 Week 5 Week 6 Week 7 THRESHOLD OF DETECTION Signature available? “Advanced” Goal is to minimize slope.

12 A New Perspective Is Required
assume you will be breached compromise is inevitable

13 “In 2020, enterprises will be in a state of continuous compromise.”
Gartner, “Prevention Is Futile in 2020: Protect Information Via Pervasive Monitoring and Collective Intelligence,” Neil MacDonald, May 30, 2013

14 The Assumption of Breach
how will you know? what will you do?

15 Rethink Your Security Strategy
prevention is no longer enough invest in detection and response traditional approaches are ineffective move from reactive to proactive security cannot be done in isolation it is a continuous process

16 The Adaptive Security Architecture
Gartner, “Designing an Adaptive Security Architecture for Protection From Advanced Attacks,” February, 2014

17 The Adaptive Security Architecture
Gartner, “Designing an Adaptive Security Architecture for Protection From Advanced Attacks,” February, 2014

18 The Adaptive Security Architecture - Capabilities
Gartner, “Designing an Adaptive Security Architecture for Protection From Advanced Attacks,” February, 2014

19 Key Characteristics of “Next Gen” Security
Forensic quality data collection and analysis Threat intelligence to interpret and prioritize data At all stages of kill chain, not just point of delivery Based on behaviors and context, not just files/IPs Real-time, not scan or snapshot based Provide full historical context of activity Information needed to assess impact and scope Remediation and containment Proactive signature-less prevention techniques Adapt based on detection and response Incorporate and correlate data from third party sources Export data and alerts to other tools Visibility Detection Response Prevention Integration

20 Security Life Cycle for Advanced Threats
Prevention Visibility Detection Response Central is visibility. Several tools on the market provide network visibility. Detection: must interpret the visibility data to identify threatening events. Repsonse: How quickly can we understand what happened and scope. Visibility at the endpoint is critical. Prevention: How can advanced threats be stopped?

21 Reduce Attack Surface with Default-Deny
Traditional EPP failure Scan/sweep based Signature based Block known bad Success of emerging endpoint prevention solutions Real time Policy based Tailor policies based on environment Trust based Block all but known good Objective of emerging endpoint prevention solutions Lock down endpoint/server Reduce attack surface area Make it as difficult as possible for advanced attacker Prevention Visibility Detection Response Visibility Traditional EPP failure Scan/sweep based Signature based Block known bad Success of emerging endpoint prevention solutions Real time Policy based Tailor policies based on environment Trust based Block all but known good Objective of emerging endpoint prevention solutions Lock down endpoint/server Reduce attack surface area Make it as difficult as possible for advanced attacker

22 Detect in Real-time and Without Signatures
Traditional EPP failure Scan/sweep based Small signature database Success of emerging endpoint detection solutions Large global database of threat intelligence Signature-less detection through threat indicators Watchlists Objective of emerging endpoint detection solutions Prepare for inevitability of breach and continuous state of compromise Cover more of the kill chain than prevention Enable rapid response Prevention Visibility Detection Response Visibility Traditional EPP failure Scan/sweep based Small signature database Success of emerging endpoint detection solutions Large global database of threat intelligence Signature-less detection through threat indicators Watchlists Objective of emerging endpoint detection solutions Prepare for inevitability of breach and continuous state of compromise Cover more of the kill chain than prevention

23 Rapidly Respond to Attacks in Motion
Traditional EPP failure Expensive external consultants Relies heavily on disk and memory artifacts for recorded history Success of emerging endpoint incident response solutions Real-time continuous recorded history delivers IR in seconds In centralized database Attack process visualization and analytics Better, faster and less expensive Objective of emerging endpoint incident response solutions Pre-breach rapid incident response Better prepare prevention moving forward Prevention Visibility Detection Response Visibility Traditional EPP failure Expensive external consultants Relies heavily on disk and memory artifacts for recorded history Success of emerging endpoint incident response solutions Real-time continuous recorded history delivers IR in seconds In centralized database Attack process visualization and analytics Better, faster and less expensive Objective of emerging endpoint incident response solutions Pre-breach rapid incident response Better prepare prevention moving forward

24 Too Much Data, Not Enough Intelligence
integrate your tools attacks happen on endpoints correlate network and endpoint for actionable intelligence incorporate threat intelligence what happens to someone else can happen to you filter, prioritize and alert on third party feeds, reputation and indicators

25 Summary The threat landscape continues to evolve The enemy is more advanced, attacks are more targeted Rethink your security strategy, traditional security tools are insufficient Assume you will breached Invest in entire lifecycle: detection, response and prevention Don’t treat security tools as islands, integrate them

26 Endpoint Threat Detection, Response and Prevention for DUMMIES
Download the eBook at… Bit9.com eBook resources section

27 questions

28

Download ppt "Security Life Cycle for Advanced Threats"

Similar presentations

1© Copyright 2011 EMC Corporation. All rights reserved. The Future of the Advance Soc 3rd Annual Privacy, Access and Security Congress, Ottawa, 2012 Mike.

1© Copyright 2011 EMC Corporation. All rights reserved. The Future of the Advance Soc 3rd Annual Privacy, Access and Security Congress, Ottawa, 2012 Mike.
© 2013 Bradford Networks. All rights reserved. Rapid Threat Response From 7 Days to 7 Seconds.

© 2013 Bradford Networks. All rights reserved. Rapid Threat Response From 7 Days to 7 Seconds.
©2014 Bit9. All Rights Reserved The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain Mary Ann Fitzsimmons Regional.

©2014 Bit9. All Rights Reserved The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain Mary Ann Fitzsimmons Regional.
SIEM Based Intrusion Detection Jim Beechey May 2010 GSEC, GCIA, GCIH, GCFA, GCWN twitter: jim_beechey.

SIEM Based Intrusion Detection Jim Beechey May 2010 GSEC, GCIA, GCIH, GCFA, GCWN twitter: jim_beechey.
1© Copyright 2011 EMC Corporation. All rights reserved. Anatomy of an Attack.

1© Copyright 2011 EMC Corporation. All rights reserved. Anatomy of an Attack.
1© Copyright 2014 EMC Corporation. All rights reserved. Securing the Cloud Gintaras Pelenis Field Technologist RSA, the Security Division of EMC

1© Copyright 2014 EMC Corporation. All rights reserved. Securing the Cloud Gintaras Pelenis Field Technologist RSA, the Security Division of EMC
Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.

Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.
Introducing WatchGuard Dimension. Oceans of Log Data The 3 Dimensions of Big Data Volume –“Log Everything - Storage is Cheap” –Becomes too much data –

Introducing WatchGuard Dimension. Oceans of Log Data The 3 Dimensions of Big Data Volume –“Log Everything - Storage is Cheap” –Becomes too much data –
©2014 Bit9. All Rights Reserved The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain Chris Berninger, Sr. Solutions.

©2014 Bit9. All Rights Reserved The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain Chris Berninger, Sr. Solutions.
Top of Content Box Line Subtitle Line Title Line Ruslans Barbasins| Territory Manager – CIS, Central Asia, Caucasus Leading The World Into Connected Security.

Top of Content Box Line Subtitle Line Title Line Ruslans Barbasins| Territory Manager – CIS, Central Asia, Caucasus Leading The World Into Connected Security.
11 Zero Trust Networking PALO ALTO NETWORKS Zero Trust Networking April 2015 | ©2014, Palo Alto Networks. Confidential and Proprietary.1 Greg Kreiling.

11 Zero Trust Networking PALO ALTO NETWORKS Zero Trust Networking April 2015 | ©2014, Palo Alto Networks. Confidential and Proprietary.1 Greg Kreiling.
Radware DoS / DDoS Attack Mitigation System Orly Sorokin January 2013.

Radware DoS / DDoS Attack Mitigation System Orly Sorokin January 2013.
©2014 Bit9. All Rights Reserved Building a Continuous Response Architecture.

©2014 Bit9. All Rights Reserved Building a Continuous Response Architecture.
David Flournoy Bit9 Mid-Atlantic Regional Manager

David Flournoy Bit9 Mid-Atlantic Regional Manager
© 2015 Cisco and/or its affiliates. All rights reserved. 1 The Importance of Threat-Centric Security William Young Security Solutions Architect It’s Our.

© 2015 Cisco and/or its affiliates. All rights reserved. 1 The Importance of Threat-Centric Security William Young Security Solutions Architect It’s Our.
© 2012 Solera Networks. Contains confidential, proprietary, and trade secret information of Solera Networks. Any use of this work without express written.

© 2012 Solera Networks. Contains confidential, proprietary, and trade secret information of Solera Networks. Any use of this work without express written.
Www.encase.com Mel Pless, Sr. Director, Solutions Consulting Guidance Software, Inc. Let’s Get Right To The Endpoint Leveraging Endpoint Data to Expose,

Mel Pless, Sr. Director, Solutions Consulting Guidance Software, Inc. Let’s Get Right To The Endpoint Leveraging Endpoint Data to Expose,
1Cisco Security NOW © 2003, Cisco Systems, Inc. All rights reserved. THIS IS THE POWER OF CISCO SECURITY. now.

1Cisco Security NOW © 2003, Cisco Systems, Inc. All rights reserved. THIS IS THE POWER OF CISCO SECURITY. now.
John Prisco President and CEO Triumfant, Inc. Our defenses are designed to defeat threats we have seen before. We have very little protection against.

John Prisco President and CEO Triumfant, Inc. Our defenses are designed to defeat threats we have seen before. We have very little protection against.
Security Imperatives in a New Workplace Partnering to Protect Digital Information in the 21st Century Presented by Michael Ferris, Alaska Enterprise Solutions.

Security Imperatives in a New Workplace Partnering to Protect Digital Information in the 21st Century Presented by Michael Ferris, Alaska Enterprise Solutions.

Similar presentations

Ads by Google