FireEye Architecture & Technology Full Spectrum Kill-chain Visibility


1 FireEye Architecture & Technology: Full Spectrum Kill-chain Visibility
Security. Re-Imagined.
Joshua Senzer, CISSP
DataConnectors, June 2014

2 AGENDA
- Threat Landscape Deep Dive
- A Look INSIDE the FireEye TECHNOLOGY
- The FireEye Platform
- FireEye Platform: A Case Study

3 Current State of Cyber Security
NEW THREAT LANDSCAPE:
- Coordinated Persistent Threat Actors
- Dynamic, Polymorphic Malware
- Multi-Vector Attacks
- Multi-Staged Attacks

4 The High Cost of Being Unprepared
- 63% of Companies Learned They Were Breached from an External Entity
- 229 Days: Median number of days attackers are present on a victim network before detection
- 100% of Victims Had Up-To-Date Anti-Virus Signatures
(Timeline graphic: Initial Breach, Threat Undetected, Remediation; 3 Months, 6 Months, 9 Months)

Here’s what we’ve seen in our experiences at FireEye/Mandiant. Attackers have literally months of unfettered access. And when they have access for so long, they penetrate deep and it takes months to clean up the mess. All environments we analyzed had traditional security tools, e.g. old-school IDS and AV, designed into their architectures as safeguards, but they weren’t protecting against this new breed of cyber threats. More alarming: 63% of the organizations were told they were breached by someone outside – someone walking up to their door and saying, “Hey, you dropped your wallet outside… is this yours?” And these were serious organizations, your everyday brands, that had invested heavily in security. How’s that possible? Source: M-Trends Report

5 The High Cost of Being Unprepared
Same slide as above, adding a second statistic:
- 32 Days: Average Time to Resolve an Attack
Source: M-Trends Report, Ponemon

6 Zero Day Scorecard

7 Multi-Staged Cyber Attack
(Diagram: Exploit Server, Callback Server, Firewall, IPS, File Share 1, File Share 2)
1. Exploitation of System
2. Malware Executable Download
3. Callbacks and Control Established
4. Lateral Spread
5. Data Exfiltration
Exploit Detection is Critical: All Subsequent Stages can be Hidden or Obfuscated

8 What Is An Exploit?
(Diagram: HACKED, compromised webpage with exploit object)
An exploit is NOT the same as the malware executable file!
- Exploit object can be in ANY web page
- Exploit object rendered by vulnerable software
- Exploit injects code into running program memory
- Control transfers to exploit code

9 Structure of a Multi-Flow APT Attack
(Diagram: Exploit Server, Callback Server, Command and Control Server, Encrypted Malware)
1. Embedded Exploit Alters Endpoint
2. Callback
3. Encrypted malware downloads
4. Callback and data exfiltration

11 Multi-Flow Structure of APT Attacks (e.g. Operation Aurora, Operation Beebus, CFR…)
(Diagram: Exploit in compromised Web page, Callback, Command and Control Server, Encrypted Malware)
1. Exploit injects code in Web browser (Embedded Exploit Alters Endpoint)
2. Exploit code downloads encrypted malware (not SSL!)
3. Exploit code decrypts malware
4. Target end point connects to C&C server (Callback and data exfiltration)

12 Multi-Vector Structure of APT Attack Weaponized with Zero-Day Exploit (e.g. RSA)
(Diagram: Weaponized Email (2011 Recruitment Plan.xls), Callback Server, Backdoor, C&C Server)
1. Email with weaponized document, opened by user, causing exploit
2. Client endpoint calls back to infection server
3. Backdoor DLL dropped
4. Encrypted callback over HTTP to command and control server

13 Traditional “Defense in Depth” is failing
The New Breed of Attacks Evade Signature-Based Defenses: Anti-Spam Gateways, IPS, Firewalls/NGFW, Secure Web Gateways, Desktop AV.
And what do they all have in common? The attacks are targeted, persistent and unknown, enabling them to evade traditional signature-based defenses. Traditional or next generation firewalls, IPS, gateways or AV. It doesn’t matter. They are all completely defenseless in the face of these new attacks.

14 Accelerating the Detection to Forensics Workflow
1. Real-time Detection: signature-less virtual machine-based approach to identify the attack lifecycle
2. Validation & Containment: on and off-premise endpoint validation and containment
3. Forensics (connecting the dots across time): kill chain reconstruction to determine the scope and impact of a threat
One security platform with precise alert capabilities and detailed forensic data on the full scope of an attack.
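The multi-flow sequence of slide 11 and the kill-chain reconstruction of slide 14 are the same idea seen from the detection side. Here is an added example (not FireEye's code) that correlates per-endpoint flow records into that ordered sequence; the stage labels, record fields and sample flows are constructed assumptions, and an endpoint showing only one stage is deliberately never reported.

```python
# Added example, not FireEye code: labels, fields and sample flows are constructed.
from collections import namedtuple
from datetime import datetime, timedelta

# Network-visible stages in the order slide 11 gives them; the host-side
# decryption step produces no flow and so cannot be correlated here.
STAGES = ("exploit_page", "encrypted_download", "callback")
Flow = namedtuple("Flow", "ts src dst kind")  # kind: stage label from an upstream detector (assumption)

def _complete_chain(evs, start, window):
    """Collect the remaining stages in order after the exploit_page flow at
    evs[start]; give up once the window since that first flow is exceeded."""
    chain = [evs[start]]
    for f in evs[start + 1:]:
        if f.ts - chain[0].ts > window:
            break
        if f.kind == STAGES[len(chain)]:
            chain.append(f)
            if len(chain) == len(STAGES):
                return chain
    return None

def reconstruct_chains(flows, window):
    """Endpoint -> first complete stage sequence within window. Partial chains
    (a lone callback, a download with no exploit) are deliberately not reported."""
    by_src = {}
    for f in sorted(flows, key=lambda f: f.ts):
        by_src.setdefault(f.src, []).append(f)
    chains = {}
    for src, evs in by_src.items():
        for i, f in enumerate(evs):
            if f.kind == STAGES[0] and (chain := _complete_chain(evs, i, window)):
                chains[src] = chain
                break
    return chains

T0 = datetime(2014, 6, 1, 9, 0)
SAMPLE_FLOWS = [  # constructed, not captured traffic
    Flow(T0, "10.0.0.5", "news.example", "exploit_page"),
    Flow(T0 + timedelta(seconds=4), "10.0.0.5", "cdn.example", "encrypted_download"),
    Flow(T0 + timedelta(minutes=3), "10.0.0.5", "c2.example", "callback"),
    Flow(T0 + timedelta(minutes=1), "10.0.0.9", "c2.example", "callback"),  # lone callback
    Flow(T0, "10.0.0.7", "news.example", "exploit_page"),
    Flow(T0 + timedelta(days=1), "10.0.0.7", "cdn.example", "encrypted_download"),  # outside window
    Flow(T0 + timedelta(days=1, minutes=1), "10.0.0.7", "c2.example", "callback"),
]

def summarize(window=timedelta(minutes=30)):
    """Endpoint -> ordered stage labels; only 10.0.0.5 completes the chain in 30 min."""
    return {s: [f.kind for f in c] for s, c in reconstruct_chains(SAMPLE_FLOWS, window).items()}
```

Widening the window to a day also surfaces 10.0.0.7, which is the trade-off a kill-chain correlator makes between dwell time covered and noise admitted.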

15 Security Reimagined: Virtual Machine-Based Model of Detection
Finds known/unknown cyber-attacks in real time across all attack vectors
- Purpose-Built for Security
- Hardened Hypervisor
- Multi-flow
- Multi-vector
- Scalable
- Extensible

16 FireEye Technology: Scaling the MVX
Phase 1, Line Rate Intelligent Capture: reduce false negatives; 1M+ objects/hour; HTML and JavaScript form 95% of objects to be scanned on the wire
Phase 2, MVX Core (Detonation): reduce false positives; multi-flow virtual analysis
APT web attacks are nearly invisible needles in a haystack of network traffic

17 FireEye Technology: Inside the MVX
1. FireEye Hardened Hypervisor (running on the hardware): custom hypervisor with built-in countermeasures, designed for threat analysis

18 FireEye Technology: Inside the MVX
1. FireEye Hardened Hypervisor
2. Cross-Matrix Virtual Execution: massive cross matrix of virtual executions across multiple operating systems, multiple service packs, multiple applications and multiple application versions

19 FireEye Technology: Inside the MVX
1. FireEye Hardened Hypervisor
2. Cross-Matrix Virtual Execution (v1, v2, v3 of each environment)
3. Threat Protection at Scale: >2000 simultaneous executions (> 2000 execution environments), multi-flow analysis, with a control plane above the hypervisor and hardware

20 FireEye’s Web detection is great, BUT …..
There are a number of threats that the FireEye solution does not address well:
- Unauthorized access
- Data Resource Theft
- Malformed Packets
- SQL Injection
- Packet Flooding
- Cross-Site Scripting
- DDOS
(Client-side vs. Server-side Attacks)

21 FireEye IPS: Improve Correlation Between Known and Unknown Threats to Increase Threat Protection and Reduce Costs
- Consolidated threat defense: integrate threat prevention for known and unknown threats, leveraging the MVX engine to provide timely and accurate notifications
- Threat validation: validate attacks using the MVX engine so time and resource investments are not spent on filtering down the noise
- Actionable insights: correlate known and unknown threats and derive richer threat intelligence to speed up incident response

- It allows NX to compete in both APT and IPS market segments
- It supports custom IPS Snort rules that are widely used in the market for compliance
- It provides both client and server IPS protection for known attacks
- It provides the CVE ID for known attacks that have been detected by MVX

22 The Objective: “Continuous Threat Protection”
(Diagram: Full Real-time Enterprise Forensics Capture; Time to Detect, Time to Fix; REAL TIME: Inspect, Expose, Prevent & Investigate; costs: Theft of Assets & IP, Cost of Response, Disruption to Business, Reputation Risk; nPulse)

We see two key goals: minimize time to detect and time to fix/remediate the threats and their impact in our environment. Let’s just take a look at the Target breach: it cost $400M just to replace the credit cards, not to mention the impact to the brand, organizational disruption, and legal ramifications. The ideal situation would be to stop this right at the outset and prevent any impact to the organization and its customers, providing Continuous Threat Protection. FireEye has identified four steps to achieving “Continuous Threat Protection”. These include detecting the threats (in real time); containing the impact of the threats within an organization by understanding what the malware might be going after; resolving the impacted systems (identifying, quarantining, and cleaning up the machines); and, where appropriate, preventing any impact from these threats (especially when deployed inline).

23 FireEye Product Portfolio: Powered by MVX
(Diagram: MVX at the center with Dynamic Threat Intelligence and the Threat Analytics Platform; Perimeter/DMZ: Network Threat Prevention, IPS, SEG, SWG; Data Center: Content Threat Prevention; Endpoint: Endpoint Threat Prevention, Host Anti-virus; BYOD Domain: Mobile Threat Prevention, MDM)

Note: perimeter: Network Threat Prevention Platform; Data Center: Content Threat Prevention Platform for latent malware. Obviously many people are now bringing in mobile devices; with Mobile Threat Prevention, we are able to leverage MVX to analyze the new class of threats, threats via mobile apps, e.g. apps stealing contacts, which provides the attacker the information (and legally valid sources) for the next stage of attack. On the endpoint, Mandiant brings us the MSO product, which will be rebranded into the FireEye platform as the Endpoint Threat Prevention Platform. Finally, we have the Threat Prevention Platform for the spearphishing attacks that attackers use to penetrate organizations. The Threat Analytics Platform is a new product for analyzing advanced threats using a combination of event logs and security device logs with homegrown threat intelligence from FireEye.

24 FireEye and Mandiant Services Portfolio
Subscription Services and Product Support: FireEye Managed Defense; Product Support Services
Security Consulting Services: Proactive Threat and Vulnerability Assessments; Strategic Consulting and Security Program Assessments; Incident Response

While products help defend you against threats and attacks in progress right here and now, knowing your attackers, their motives, and your infrastructural security structure will take your organizational security health to a higher level, much as health assessments and exercise complement medication and take human health to a higher level. In addition to managed defense, FireEye offers services to help you assess your security as services and business models constantly evolve, update and test your incident response plan, review current processes, capabilities and technology against leading practices, as well as train your CERT teams. Additionally, if you are short on staff or talent, count on assistance to complement your staff or leverage external services to help manage your security. All these services are offered directly by FireEye, and some can also be offered in conjunction with one of the FireEye partners (depending on their level).

25 FireEye Technology Alliances
For Partner & Field Confidential Only
- Instrumentation Partners: ease of implementation and high availability for Layers 1-3
- Endpoint Partners: verification and remediation of threats through incident response processes
- Analysis / SIEM Partners: data correlation analytics, policy and compliance management
- Endpoint Mitigation Partners: augmenting and enhancing FireEye remediation capabilities, real time policy creation and blocking across the architecture
- Mobility Partners: mitigating against mobile based threats for BYOD environments with MDMs
- Acceleration Partners: top partners in the Fuel Technology Program
(Other diagram labels: Mandiant and Cloud offerings, COMING SOON, Reference Architecture and Strategic Integrations, Virtual Machine Detonation, Forensic Analysis, Real Time Alerts, Call Back Detection, Exploit, Remediate Threats)
“FireEye technology partnerships are great. They fill in the gaps other vendors can’t match. FireEye, with its partners, offers a formidable defense.” – OTR Global Report 2013

26 FireEye Platform: Products & Services Portfolio
Products: Network (NX) - IPS, Email (EX), Content (FX), Endpoint (HX), Central Manager (CM), Mobile (MTP), Cloud (ETP), Forensics (AX), Threat Analytics Platform (TAP), Network Forensics (CPX)
Managed Defense: Continuous Protection; Continuous Monitoring
Support Services: Platinum (24x7, Global); Platinum Priority Plus (DSE); Gov’t. Support (Citizens); Gov’t Classified, Planned (Clearances, Secured Facility; start in U.S. and expand internationally)
Services Portfolio / Advanced Services: Mandiant Incident Response, Vulnerability Assessment and Penetration Testing; Strategic Services: Response Readiness and Security Program Assessment; Product Deployment and Integration

27 Thank You

