Joshua Senzer, CISSP Sr. Systems Engineer – North East Channel FireEye Overview Joshua Senzer, CISSP Sr. Systems Engineer – North East Channel

Sophisticated attacks are more common You may have seen these headlines, but one key point is that all companies are at risk. Interestingly, many attacks are actually designed with the express purpose to enable further attacks on even more valuable targets. (RSA attack led to attacks on Lockheed, L3, and Northrup.) Net-net: Data breaches are increasingly common due to flaws in common applications/plug-ins like Adobe Reader. Persistent foes show that break-ins like the RSA data breach or theft of Symantec source code are straightforward given today’s traditional defenses. TRANSITION: Getting beyond the headlines

What the Analysts are Saying “Some IPS/IDS/NGFW vendors are no better at handling evasions today than they were when they released their original products.” Gartner, 2011 “The widening gap between hacker capabilities and security defenses has security organizations struggling to keep up with the changing nature, complexity, and scale of attacks.” Forrester, 2011 “Incumbent defenses fall short…existing antimalware initiatives are no longer enough.” Forrester, 2011 “Organizations that rely on desktop AV and secure web gateways as their primary antimalware technologies may very well find themselves falling victim to malware-based attacks.” Forrester, 2011 ““There is widespread agreement that advanced attacks are bypassing our traditional signature-based security controls and persisting undetected on our systems for extended periods of time. The threat is real. You are compromised; you just don't know it yet.” – Gartner, January 2012 Analysts are re-affirming this new threat landscape and the relative ineffectiveness of traditional defenses. Note also that Gartner is calling this category ‘Advanced Threat Protection’. This is the term we will use as well. GARTNER: * “Some IPS/IDS/NGFW vendors are no better at handling evasions today than they were when they released their original products.” * “Being online grows more dangerous by the day, and, for many exploits, the browser is the target of choice. In the last few years, enterprises have seen a parade of vulnerabilities through Adobe Acrobat, Microsoft Internet Explorer, and browser plug-ins. Often, the browser exploit is only the first stage of a more insidious attack, as in Operation Aurora.” FORRESTER: “The widening gap between hacker capabilities and security defenses has security organizations struggling to keep up with the changing nature, complexity, and scale of attacks.” “Organizations that rely on desktop AV and secure web gateways as their primary antimalware technologies may very well find themselves falling victim to malware-based attacks.” “Incumbent defenses fall short…existing antimalware initiatives are no longer enough.”

Hackers Evade Existing Defenses Utilizes advanced techniques and/or malware Unknown Polymorphic Dynamic Multi-stage Personalized Uses zero-day exploits, commercial quality toolkits, and social engineering Often targets IP, credentials and often spreads laterally throughout network Same techniques – whether mass crimeware or targeted APT The New Threat Landscape There is a new breed of attacks that are advanced, zero-day, and targeted ADVANCED Stealthy Unknown and Zero Day Targeted Persistent Advanced Targeted Attack Advanced Targeted Attacks is the term we will use to describe the attacks in this market (it is also what Gartner has just coined and uses). What are advanced targeted attacks? They use advanced malware, zero-day and APT tactics to penetrate networks for the purpose of control, espionage and theft. Advanced Malware uses a variety of tactics like zero-day exploits, dynamism (e.g. fast flux DNS, polymorphism), and is often targeted / personalized. We are now in the age of the “Cyber Industrial Complex” in which criminals have commercial qualify toolkits to build the cyber weapons (malware) so effective at penetrating networks. Many in the IT security industry call these cyber criminal actors – Advanced, Persistent Threats TRANSITION: Why are advanced targeted attacks so effective? Open Known and Patchable Broad One Time TRADITIONAL

Multi-Protocol, Real-Time VX Engine Global loop sharing into DTI Cloud Intelligence Phase 3 alerts on infections as well as C&C destinations Fast Path Real-time Blocking in Appliance Phase 1: Aggressive capture heuristics Deploys out-of-band/passive or inline Multi-protocol capture of HTML, files (e.g. PDF), & EXEs Maximizes capture of potential zero-day attacks Phase 2: Virtual machine analysis Confirmation of malicious attacks Removal of false positives Phase 3: Block Call Back Stop data/asset theft Local, Enterprise Wide, Global (DTI Cloud)

Next-Gen Malware Protection System (MPS) FireEye Hardware Platform 7000 Series: 1Gbps 4000 Series: 250 Mbps 2000 Series: 50 Mbps 1000 Series: 20 Mbps KEY FEATURES: Detects inbound 0-day & custom malware via virtual machine analysis Tracks outbound call-backs and subsequent malicious payloads Extremely accurate detection with near-zero false positive Copper and Fiber models 10-Gig native solution coming soon! 6

Advanced Malware Protection Architecture Real-time Web, Email, & File Security to stop Advanced Targeted Attacks Centralized Management, Reporting Augments Zero-Day gaps traditional security misses Platform for sharing FireEye Intel with 3rd party products Automation ensures higher detection accuracy & low TCO Malware Protection Cloud provides unique, zero-day intelligence MALWARE PROTECTION CLOUD Firewall File MPS Proxy Anti-Spam Internet Facing SharePoint CMS Web MPS Email MPS Deployment architecture Real-time Web, email, and file security to stop advanced targeted attacks Centralized reporting and management Integration into cyber incident response system MAS LAN Mail Servers

Technology Alliances - Moving Closer to the Breach MSSP Host SIA Partner Member Gateway Network Monitoring SIEM Threat Attribution Partnerships: SIEM – ArcSight, Juniper/Q1 Labs, RSA enVision, NitroSecurity (now McAfee), Splunk (log management) Network Monitoring – Solera Networks Gateway – Blue Coat Systems GRC SSL Alliances subject to change. Integration levels vary based on purpose and investment.

Summary Pace of advanced threats accelerating, targeting all verticals and all segments Traditional defenses (NGFW, IPS, AV, and Web gateways) no longer combat these attacks Real-time, proactive signature-less solution is required across Web and Email to solve issue FireEye has engineered the best threat protection solution to supplement traditional defenses and combat advanced attacks