Presentation is loading. Please wait.

Presentation is loading. Please wait.

Tim Davidson System Engineer

Published byAryan Straker Modified over 9 years ago

Similar presentations

Presentation on theme: "Tim Davidson System Engineer"— Presentation transcript:

1 Tim Davidson System Engineer
Malware Pandemic? Sometimes getting a shot only treats the symptoms and not the cause… Tim Davidson System Engineer

2 Agenda Changing Threat Landscape Why Traditional Defenses Fail?
Introducing the FireEye Platform FireEye Advantage

3 Changing Threat Landscape

4 Changing Threat Landscape – Advanced Persistent Threats (APTs)
Leverages spectrum of exploits Well-known and zero-day vulnerabilities Multi-pronged Advanced Goal oriented rather than opportunistic Targeted attacks Well-planned – low and slow Persistent Organized, well-funded adversaries Nation-states, cyber-espionage groups Stealthy and camouflaged attacks Threats The New Threat Landscape There is a new breed of attacks that are advanced, zero-day, and targeted MODERN Stealthy Unknown and Zero Day Targeted Persistent Well-funded syndicates Advanced Persistent Threats Open Known and Patchable Broad One Time Individuals LEGACY

5 High Profile Targeted Attacks
3 minutes On average, malware activities take place once every 3 minutes 184 countries, 41% Over the past year, FireEye captured callbacks to 184 countries, a 41% rise 46% Asia (China, Korea, India, Japan, Hong Kong) accounts for 24% callbacks Eastern Europe (Russia, Poland, Romania, Ukraine, Kazakhstan, Latvia) accounts for 22% Technology companies Technology companies experienced highest rate of callback activity 89% 89% of callback activities linked with APT tools made in China or Chinese hacker groups Source: FireEye Advanced Threat Report, March 2013

6 Significant Compromise Still Exists!
Percent of Deployments Infections/Weeks at Normalized Bandwidth 100% 90% 80% 70% 60% 50% 40% 30% 20% 10% 0% 98.5% of deployments see at least 10 incidents*/week/Gbps 1 Gbps Average is about 221 incidents*/week 20% of deployments have thousands of incidents*/week 100,000 10,000 1,000 100 10 Source: FireEye Advanced Threat Report, March, 2013 221 Average Net New Incidents Per Week at Only 1 Gbps! * An incident is beyond inbound malware – it includes an exploit and callback

7 Why Traditional Defenses Fail

8 What’s causing the compromise?
Dynamic, Polymorphic Malware Coordinated Persistent Threat Actors NEW THREAT LANDSCAPE Multi-Vector Attacks Multi-Staged Attacks

9 The Attack Life Cycle – Multiple Stages
Compromised Web server, or Web 2.0 site 1 Callback Server 1 Exploitation of system 4 Exploit detection is critical All subsequent stages can be hidden or obfuscated 2 Malware executable download 3 Callbacks and control established File Share 2 IPS 5 4 Data exfiltration File Share 1 2 3 5 Malware spreads laterally

10 Traditional Defenses Don’t Work
The new breed of attacks evade signature-based defenses IPS Anti-Spam Gateways Firewalls/ NGFW Secure Web Gateways And what do they all have in common? The attacks are targeted, persistent and unknown, enabling them to evade traditional signature-based defenses. Traditional or next generation firewalls, IPS, gateways or AV. It doesn’t matter. They are all completely defenseless in the face of these new attacks. Desktop AV

11 The Enterprise Security Hole
Attack Vector NGFW FW Web-Based Attacks IPS SECURITY HOLE Spear Phishing s Malicious Files SWG AV

12 Legacy Pattern-Matching Detection Model New Virtual Execution Model
A New Model is Required Legacy Pattern-Matching Detection Model New Virtual Execution Model MATCH MATCH Signature-Based Reactive Only known threats Many false negatives Signature-less Dynamic, real-time Known/unknown threats Minimal false positives

13 Introducing the FireEye Platform

14 FireEye Platform: Next Generation Threat Protection
Dynamic Threat Intelligence (CLOUD) Multi-Vector Virtual Execution engine Dynamic Threat Intelligence (ENTERPRISE) Technology Interoperability Ecosystem Partners

15 FireEye Platform: Multi-Vector Virtual Execution (MVX)
MPS 2 Inbound 1 SMTP CMS 3 MVX 6 Outbound 4 HTTP 5 Callback Server 1 – with weaponized pdf 2 – Executed in MVX ( MPS) – phish suspected 3 – Web MPS notified via CMS 4 – Callback over HTTP to C&C server 5 – Callback detected by Web MPS and blocked 6 – End user defended from multi-vector attack Web MPS Multi-vector blended attack

16 FireEye Platform: Multi-Flow Virtual Execution
File-oriented sandboxing can be easily evaded by malware Lack of virtually executing flows vs. file-based approach Lack of capturing and analyzing flows across multiple vectors FireEye uses multi-vector, multi-flow analysis to understand the full context of today’s cyber attacks Stateful attack analysis shows the entire attack life cycle Enables FireEye to disrupt each stage and neutralize attack Callback Server Infection Server Malware Executable Data Exfiltration Exploit Callbacks Downloads

17 FireEye Platform: Dynamic Threat Intelligence
Anonymized Malware Metadata Anonymized Malware Metadata DTI Cloud Enterprise 2 DTI Enterprise Ecosystem Partners Enterprise 1 Ecosystem Partners DTI Enterprise Enterprise 3 Ecosystem Partners DTI Enterprise

18 FireEye Advantage

19 FireEye Platform Advantage
1. Thousands of Permutations (files, OS, browser, apps) 2. Multi-flow analysis 3. Multi-vector analysis 4. Correlation of information 5. Cloud Sharing 6. Time to protection Local Loop MVX MVX Dynamic Threat Intelligence (DTI) Threat Protection Fabric Single Enterprise Cross Enterprise

20 Sandbox Approach (Cloud)
File-oriented sandbox - evasion 1. Thousands of Permutations (files, OS, browser, apps) 2. Multi-flow analysis 3. Multi-vector analysis 4. Correlation of information 5. Cloud Sharing 6. Time to protection Single file Sandbox in the cloud Privacy violation Compliance and regulation violation Latency issues Single vector partial hours or days

21 Sandbox Approach (On-Premises)
File-oriented sandbox 1. Thousands of Permutations (files, OS, browser, apps) 2. Multi-flow analysis 3. Multi-vector analysis 4. Correlation of information 5. Cloud Sharing 6. Time to protection Sandbox (On-Premises) Malware can easily circumvent generic sandbox File-based sandbox misses the exploit detection phase No flow causes lack of stateful malware analysis Single file Single vector Hashes: limited value Non-realtime

22 Key Takeaways Changing Threat Landscape Advanced Persistent Threats
Traditional Defenses Fall Short Exploit Detection is Critical File-oriented sandboxing does not detect exploits FireEye Platform MVX architecture DTI Cloud DTI Enterprise

23 Thank You

Download ppt "Tim Davidson System Engineer"

Similar presentations

Copyright © 2011, Elsevier Inc. All rights reserved. Chapter 5 Author: Julia Richards and R. Scott Hawley.

Copyright © 2011, Elsevier Inc. All rights reserved. Chapter 5 Author: Julia Richards and R. Scott Hawley.
1 Copyright © 2010, Elsevier Inc. All rights Reserved Fig 2.1 Chapter 2.

1 Copyright © 2010, Elsevier Inc. All rights Reserved Fig 2.1 Chapter 2.
1 Chapter 40 - Physiology and Pathophysiology of Diuretic Action Copyright © 2013 Elsevier Inc. All rights reserved.

1 Chapter 40 - Physiology and Pathophysiology of Diuretic Action Copyright © 2013 Elsevier Inc. All rights reserved.
17 Copyright © 2005, Oracle. All rights reserved. Deploying Applications by Using Java Web Start.

17 Copyright © 2005, Oracle. All rights reserved. Deploying Applications by Using Java Web Start.
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13

Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13

Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
DIVIDING INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.

DIVIDING INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.
Year 6 mental test 5 second questions

Year 6 mental test 5 second questions
A Practical Approach to Advanced Threat Detection and Prevention

A Practical Approach to Advanced Threat Detection and Prevention
1© Copyright 2011 EMC Corporation. All rights reserved. The Future of the Advance Soc 3rd Annual Privacy, Access and Security Congress, Ottawa, 2012 Mike.

1© Copyright 2011 EMC Corporation. All rights reserved. The Future of the Advance Soc 3rd Annual Privacy, Access and Security Congress, Ottawa, 2012 Mike.
1 Proofpoint, Inc. Proprietary and Confidential ©2010 Proofpoint Protection/Privacy Offering Proofpoint Privacy Accurately detect ePHI in e-mails Integrated.

1 Proofpoint, Inc. Proprietary and Confidential ©2010 Proofpoint Protection/Privacy Offering Proofpoint Privacy Accurately detect ePHI in s Integrated.
Next Generation Threat Protection

Next Generation Threat Protection
Nathan Labadie Systems Engineer, US-Central FireEye

Nathan Labadie Systems Engineer, US-Central FireEye
© 2009 VMware Inc. All rights reserved View Pool Image Configuration Considerations for Gold Images around Application virtualization and performance.

© 2009 VMware Inc. All rights reserved View Pool Image Configuration Considerations for Gold Images around Application virtualization and performance.
Palo Alto Networks Jay Flanyak Channel Business Manager

Palo Alto Networks Jay Flanyak Channel Business Manager
FireEye Architecture & Technology Full Spectrum Kill-chain Visibility

FireEye Architecture & Technology Full Spectrum Kill-chain Visibility
© Blue Coat Systems, Inc. 2011. All Rights Reserved. APTs Are Not a New Type of Malware 1 Source: BC Labs Report: Advanced Persistent Threats.

© Blue Coat Systems, Inc All Rights Reserved. APTs Are Not a New Type of Malware 1 Source: BC Labs Report: Advanced Persistent Threats.
Challenges In The Morphing Threat Landscape Apr 2011, Arnhem Tamas Rudnai, Websense Security Labs.

Challenges In The Morphing Threat Landscape Apr 2011, Arnhem Tamas Rudnai, Websense Security Labs.
1 Bitdefender 2013 Virtualization Security Understanding The Impact.

1 Bitdefender 2013 Virtualization Security Understanding The Impact.
Addition 1’s to 20.

Addition 1’s to 20.

Similar presentations

Ads by Google