Presentation is loading. Please wait.

Presentation is loading. Please wait.

Tim Davidson System Engineer

Similar presentations

Presentation on theme: "Tim Davidson System Engineer"— Presentation transcript:

1 Tim Davidson System Engineer
Malware Pandemic? Sometimes getting a shot only treats the symptoms and not the cause… Tim Davidson System Engineer

2 Agenda Changing Threat Landscape Why Traditional Defenses Fail?
Introducing the FireEye Platform FireEye Advantage

3 Changing Threat Landscape

4 Changing Threat Landscape – Advanced Persistent Threats (APTs)
Leverages spectrum of exploits Well-known and zero-day vulnerabilities Multi-pronged Advanced Goal oriented rather than opportunistic Targeted attacks Well-planned – low and slow Persistent Organized, well-funded adversaries Nation-states, cyber-espionage groups Stealthy and camouflaged attacks Threats The New Threat Landscape There is a new breed of attacks that are advanced, zero-day, and targeted MODERN Stealthy Unknown and Zero Day Targeted Persistent Well-funded syndicates Advanced Persistent Threats Open Known and Patchable Broad One Time Individuals LEGACY

5 High Profile Targeted Attacks
3 minutes On average, malware activities take place once every 3 minutes 184 countries, 41% Over the past year, FireEye captured callbacks to 184 countries, a 41% rise 46% Asia (China, Korea, India, Japan, Hong Kong) accounts for 24% callbacks Eastern Europe (Russia, Poland, Romania, Ukraine, Kazakhstan, Latvia) accounts for 22% Technology companies Technology companies experienced highest rate of callback activity 89% 89% of callback activities linked with APT tools made in China or Chinese hacker groups Source: FireEye Advanced Threat Report, March 2013

6 Significant Compromise Still Exists!
Percent of Deployments Infections/Weeks at Normalized Bandwidth 100% 90% 80% 70% 60% 50% 40% 30% 20% 10% 0% 98.5% of deployments see at least 10 incidents*/week/Gbps 1 Gbps Average is about 221 incidents*/week 20% of deployments have thousands of incidents*/week 100,000 10,000 1,000 100 10 Source: FireEye Advanced Threat Report, March, 2013 221 Average Net New Incidents Per Week at Only 1 Gbps! * An incident is beyond inbound malware – it includes an exploit and callback

7 Why Traditional Defenses Fail

8 What’s causing the compromise?
Dynamic, Polymorphic Malware Coordinated Persistent Threat Actors NEW THREAT LANDSCAPE Multi-Vector Attacks Multi-Staged Attacks

9 The Attack Life Cycle – Multiple Stages
Compromised Web server, or Web 2.0 site 1 Callback Server 1 Exploitation of system 4 Exploit detection is critical All subsequent stages can be hidden or obfuscated 2 Malware executable download 3 Callbacks and control established File Share 2 IPS 5 4 Data exfiltration File Share 1 2 3 5 Malware spreads laterally

10 Traditional Defenses Don’t Work
The new breed of attacks evade signature-based defenses IPS Anti-Spam Gateways Firewalls/ NGFW Secure Web Gateways And what do they all have in common? The attacks are targeted, persistent and unknown, enabling them to evade traditional signature-based defenses. Traditional or next generation firewalls, IPS, gateways or AV. It doesn’t matter. They are all completely defenseless in the face of these new attacks. Desktop AV

11 The Enterprise Security Hole
Attack Vector NGFW FW Web-Based Attacks IPS SECURITY HOLE Spear Phishing s Malicious Files SWG AV

12 Legacy Pattern-Matching Detection Model New Virtual Execution Model
A New Model is Required Legacy Pattern-Matching Detection Model New Virtual Execution Model MATCH MATCH Signature-Based Reactive Only known threats Many false negatives Signature-less Dynamic, real-time Known/unknown threats Minimal false positives

13 Introducing the FireEye Platform

14 FireEye Platform: Next Generation Threat Protection
Dynamic Threat Intelligence (CLOUD) Multi-Vector Virtual Execution engine Dynamic Threat Intelligence (ENTERPRISE) Technology Interoperability Ecosystem Partners

15 FireEye Platform: Multi-Vector Virtual Execution (MVX)
MPS 2 Inbound 1 SMTP CMS 3 MVX 6 Outbound 4 HTTP 5 Callback Server 1 – with weaponized pdf 2 – Executed in MVX ( MPS) – phish suspected 3 – Web MPS notified via CMS 4 – Callback over HTTP to C&C server 5 – Callback detected by Web MPS and blocked 6 – End user defended from multi-vector attack Web MPS Multi-vector blended attack

16 FireEye Platform: Multi-Flow Virtual Execution
File-oriented sandboxing can be easily evaded by malware Lack of virtually executing flows vs. file-based approach Lack of capturing and analyzing flows across multiple vectors FireEye uses multi-vector, multi-flow analysis to understand the full context of today’s cyber attacks Stateful attack analysis shows the entire attack life cycle Enables FireEye to disrupt each stage and neutralize attack Callback Server Infection Server Malware Executable Data Exfiltration Exploit Callbacks Downloads

17 FireEye Platform: Dynamic Threat Intelligence
Anonymized Malware Metadata Anonymized Malware Metadata DTI Cloud Enterprise 2 DTI Enterprise Ecosystem Partners Enterprise 1 Ecosystem Partners DTI Enterprise Enterprise 3 Ecosystem Partners DTI Enterprise

18 FireEye Advantage

19 FireEye Platform Advantage
1. Thousands of Permutations (files, OS, browser, apps) 2. Multi-flow analysis 3. Multi-vector analysis 4. Correlation of information 5. Cloud Sharing 6. Time to protection Local Loop MVX MVX Dynamic Threat Intelligence (DTI) Threat Protection Fabric Single Enterprise Cross Enterprise

20 Sandbox Approach (Cloud)
File-oriented sandbox - evasion 1. Thousands of Permutations (files, OS, browser, apps) 2. Multi-flow analysis 3. Multi-vector analysis 4. Correlation of information 5. Cloud Sharing 6. Time to protection Single file Sandbox in the cloud Privacy violation Compliance and regulation violation Latency issues Single vector partial hours or days

21 Sandbox Approach (On-Premises)
File-oriented sandbox 1. Thousands of Permutations (files, OS, browser, apps) 2. Multi-flow analysis 3. Multi-vector analysis 4. Correlation of information 5. Cloud Sharing 6. Time to protection Sandbox (On-Premises) Malware can easily circumvent generic sandbox File-based sandbox misses the exploit detection phase No flow causes lack of stateful malware analysis Single file Single vector Hashes: limited value Non-realtime

22 Key Takeaways Changing Threat Landscape Advanced Persistent Threats
Traditional Defenses Fall Short Exploit Detection is Critical File-oriented sandboxing does not detect exploits FireEye Platform MVX architecture DTI Cloud DTI Enterprise

23 Thank You

Download ppt "Tim Davidson System Engineer"

Similar presentations

Ads by Google