
Malware Pandemic? Sometimes getting a shot only treats the symptoms and not the cause… Tim Davidson, System Engineer. Copyright © 2013, FireEye, Inc. All rights reserved. | CONFIDENTIAL


Slide 1: Malware Pandemic? Sometimes getting a shot only treats the symptoms and not the cause… (Tim Davidson, System Engineer)

Slide 2: Agenda
- Changing Threat Landscape
- Why Traditional Defenses Fail
- Introducing the FireEye Platform
- FireEye Advantage

Slide 3: Changing Threat Landscape (section title)

Slide 4: Changing Threat Landscape – Advanced Persistent Threats (APTs)
- Advanced: leverages a spectrum of exploits, both well-known and zero-day vulnerabilities; multi-pronged
- Persistent: goal-oriented rather than opportunistic; targeted attacks; well-planned, low and slow
- Threats: organized, well-funded adversaries; nation-states, cyber-espionage groups; stealthy and camouflaged attacks

Threats, modern versus legacy:
  Modern (Advanced Persistent Threats) | Legacy
  Stealthy                             | Open
  Unknown and zero-day                 | Known and patchable
  Targeted                             | Broad
  Persistent                           | One-time
  Well-funded syndicates               | Individuals

The New Threat Landscape: there is a new breed of attacks that are advanced, zero-day, and targeted.

Slide 5: High Profile Targeted Attacks
- 3 minutes: on average, malware activities take place once every 3 minutes
- 184 countries, 41%: over the past year, FireEye captured callbacks to 184 countries, a 41% rise
- 46%: Asia (China, Korea, India, Japan, Hong Kong) accounts for 24% of callbacks; Eastern Europe (Russia, Poland, Romania, Ukraine, Kazakhstan, Latvia) accounts for 22%
- Technology companies experienced the highest rate of callback activity
- 89% of callback activities are linked with APT tools made in China or by Chinese hacker groups
Source: FireEye Advanced Threat Report, March 2013

Slide 6: Significant Compromise Still Exists!
[Chart: percent of deployments (0–100%) against infections per week at normalized bandwidth (10 to 100,000), at 1 Gbps]
- 98.5% of deployments see at least 10 incidents*/week/Gbps
- Average is about 221 incidents*/week
- 20% of deployments have thousands of incidents*/week
- 221 average net new incidents per week at only 1 Gbps!
Source: FireEye Advanced Threat Report, March 2013
* An incident is beyond inbound malware – it includes an exploit and callback

Slide 7: Why Traditional Defenses Fail (section title)

Slide 8: What's causing the compromise? The new threat landscape:
- Dynamic, polymorphic malware
- Coordinated, persistent threat actors
- Multi-vector attacks
- Multi-staged attacks

Slide 9: The Attack Life Cycle – Multiple Stages
1. Exploitation of system
2. Malware executable download
3. Callbacks and control established
4. Malware spreads laterally
5. Data exfiltration
[Diagram elements: compromised web server or Web 2.0 site, callback server, IPS, File Share 1 and File Share 2]
Exploit detection is critical: all subsequent stages can be hidden or obfuscated.

Slide 10: Traditional Defenses Don't Work
- Firewalls / NGFW
- Secure Web Gateways
- IPS
- Anti-Spam Gateways
- Desktop AV
The new breed of attacks evades signature-based defenses.

Slide 11: The Enterprise Security Hole
Attack vectors: web-based attacks, spear-phishing emails, malicious files
Defenses in place: NGFW, FW, IPS, SWG, AV
[Diagram: the "security hole" between these attack vectors and the defenses]

Slide 12: A New Model is Required
Legacy pattern-matching detection model: signature-based; reactive; only known threats; many false negatives
New virtual execution model: signature-less; dynamic, real-time; known and unknown threats; minimal false positives
[Diagram: bit strings illustrating signature pattern matching]

Slide 13: Introducing the FireEye Platform (section title)

Slide 14: FireEye Platform: Next Generation Threat Protection
- Multi-Vector Virtual Execution engine
- Dynamic Threat Intelligence (Enterprise)
- Dynamic Threat Intelligence (Cloud)
- Technology interoperability and ecosystem partners

Slide 15: FireEye Platform: Multi-Vector Virtual Execution (MVX)
A multi-vector blended attack, as shown on the diagram (Email MPS and Web MPS connected through the CMS; inbound SMTP, outbound HTTP to a callback server):
1. Email with weaponized PDF
2. Executed in MVX (Email MPS) – phish suspected
3. Web MPS notified via CMS
4. Callback over HTTP to C&C server
5. Callback detected by Web MPS and blocked
6. End user defended from multi-vector attack

Slide 16: FireEye Platform: Multi-Flow Virtual Execution
- File-oriented sandboxing can be easily evaded by malware: it does not virtually execute flows (only files), and it does not capture and analyze flows across multiple vectors
- FireEye uses multi-vector, multi-flow analysis to understand the full context of today's cyber attacks
- Stateful attack analysis shows the entire attack life cycle, enabling FireEye to disrupt each stage and neutralize the attack
[Diagram: exploit → downloads (infection server) → malware executable → callbacks (callback server) → data exfiltration]
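The attack life cycle (slide 9), the multi-vector MVX scenario (slide 15) and the multi-flow, stateful analysis argument (slide 16) all describe the same idea: correlate events across vectors and stages per host, and only call it an incident once an exploit and a callback have both been seen. The following toy correlator is an added example, not code from the deck or from FireEye; the event schema, host names, domains and the assumption that a malicious email-sandbox verdict is attributed to the recipient host are all constructed for the demonstration.

```python
# Added example (not FireEye code): a toy stateful, multi-vector correlator that
# follows the attack life cycle and the MVX scenario from the slides.
# Event fields, host names and domains are constructed for the demonstration.
from collections import defaultdict

# Life-cycle stages in the order the deck lists them (slide 9).
STAGES = ("exploit", "download", "callback", "lateral", "exfiltration")


class Correlator:
    """Tracks each host across vectors and flags an incident only once both an
    exploit and a callback have been observed for it (the deck's footnote:
    an incident "includes an exploit and callback")."""

    def __init__(self):
        # host -> {stage: first timestamp at which the stage was seen}
        self.timeline = defaultdict(dict)
        # C2 indicators shared from the email vector to the web vector
        # (the role the CMS plays between Email MPS and Web MPS on slide 15).
        self.blocklist = set()
        self.actions = []  # (ts, host, action, detail)

    def _mark(self, host, stage, ts):
        self.timeline[host].setdefault(stage, ts)

    def ingest(self, ev):
        """Process one event and return the decision taken for it."""
        host, ts = ev["host"], ev["ts"]
        if ev["vector"] == "email" and ev["type"] == "sandbox_verdict":
            if ev["verdict"] != "malicious":
                return "allow"
            # Detonating the attachment showed exploitation (stage 1). Share its
            # callback indicators with the web vector before any traffic occurs.
            # Assumption: the verdict is attributed to the recipient host.
            self._mark(host, "exploit", ts)
            self.blocklist.update(ev.get("indicators", ()))
            self.actions.append((ts, host, "quarantine", ev["attachment"]))
            return "quarantine"
        if ev["vector"] == "web" and ev["type"] == "http":
            if ev["dst"] in self.blocklist:
                # Stage 3: callback to a known C2 destination -> block and record.
                self._mark(host, "callback", ts)
                self.actions.append((ts, host, "block", ev["dst"]))
                return "block"
            if ev.get("content_type") == "application/x-dosexec":
                # Stage 2: executable download. Recorded, but a lone download
                # is not an incident under the deck's definition.
                self._mark(host, "download", ts)
            return "allow"
        return "allow"

    def incidents(self):
        """Hosts with both exploit and callback seen, with their staged timeline."""
        out = {}
        for host, stages in self.timeline.items():
            if "exploit" in stages and "callback" in stages:
                out[host] = [(s, stages[s]) for s in STAGES if s in stages]
        return out


# Constructed sample events from two vectors: email sandbox verdicts and web proxy.
SAMPLE_EVENTS = [
    {"ts": 100, "vector": "email", "type": "sandbox_verdict", "host": "ws-17",
     "verdict": "malicious", "attachment": "invoice.pdf",
     "indicators": ["c2-a.example.invalid"]},
    {"ts": 101, "vector": "web", "type": "http", "host": "ws-17",
     "dst": "cdn.example.invalid", "content_type": "application/x-dosexec"},
    {"ts": 130, "vector": "web", "type": "http", "host": "ws-17",
     "dst": "c2-a.example.invalid", "method": "POST"},
    # A second host downloads an executable but never calls back: no incident.
    {"ts": 140, "vector": "web", "type": "http", "host": "ws-22",
     "dst": "files.example.invalid", "content_type": "application/x-dosexec"},
    # A benign attachment verdict is simply allowed.
    {"ts": 150, "vector": "email", "type": "sandbox_verdict", "host": "ws-31",
     "verdict": "benign", "attachment": "agenda.docx", "indicators": []},
]


def run(events=SAMPLE_EVENTS):
    """Feed the events through one correlator; return decisions, incidents, actions."""
    c = Correlator()
    decisions = [c.ingest(e) for e in events]
    return decisions, c.incidents(), c.actions


if __name__ == "__main__":
    decisions, incidents, actions = run()
    for host, stages in incidents.items():
        print(host, "->", " > ".join(f"{s}@{t}" for s, t in stages))
    # prints: ws-17 -> exploit@100 > download@101 > callback@130
```

The point the example makes is the one slide 16 argues: a file-only sandbox would have produced the verdict on `invoice.pdf` and stopped there, whereas keeping per-host state across vectors turns the later HTTP POST into a blocked callback and a confirmed incident, while the executable download on ws-22 alone stays a lead rather than an alert.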

Slide 17: FireEye Platform: Dynamic Threat Intelligence
[Diagram: the DTI Cloud exchanges anonymized malware metadata with the DTI Enterprise instances at Enterprise 1, Enterprise 2 and Enterprise 3, each of which also connects to its ecosystem partners]

Slide 18: FireEye Advantage (section title)

Slide 19: FireEye Platform Advantage
Criteria:
1. Thousands of permutations (files, OS, browser, apps)
2. Multi-flow analysis
3. Multi-vector analysis
4. Correlation of information
5. Cloud sharing
6. Time to protection
MVX as a local loop within a single enterprise, plus Dynamic Threat Intelligence (DTI) across enterprises: the Threat Protection Fabric.

Slide 20: Sandbox Approach (Cloud), against the same six criteria
- Single file
- Single vector
- File-oriented sandbox – evasion
- Partial
- Hours or days
Sandbox in the cloud: privacy violation; compliance and regulation violation; latency issues

Slide 21: Sandbox Approach (On-Premises), against the same six criteria
- Single file
- Single vector
- File-oriented sandbox
- Hashes: limited value
- Non-realtime
Sandbox (on-premises): malware can easily circumvent a generic sandbox; a file-based sandbox misses the exploit detection phase; without flows there is no stateful malware analysis

Slide 22: Key Takeaways
- Changing threat landscape: Advanced Persistent Threats
- Traditional defenses fall short
- Exploit detection is critical: file-oriented sandboxing does not detect exploits
- FireEye Platform: MVX architecture, DTI Cloud, DTI Enterprise

Slide 23: Thank You

