
David Flournoy Bit9 Mid-Atlantic Regional Manager


Presentation on theme: "David Flournoy Bit9 Mid-Atlantic Regional Manager"— Presentation transcript:

1 The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain
David Flournoy, Bit9 Mid-Atlantic Regional Manager

2 Significant Data Breaches in Last Twelve Months
"In 2020, enterprises will be in a state of continuous compromise." Gartner
[Timeline of breaches, March through February]
Speaker notes: Personal state of compromise: bank, favorite retailer, alma mater, my newspaper, smartphone, workstation. Common thread between these organizations and our organizations: we all have something worth stealing.

3 Why is the Endpoint Under Attack?
Host-based security software still relies on AV signatures
- Antivirus vendors follow a routine process: it takes time and can no longer keep up with the massive malware volume
- Host-based security software's dependency on signatures and scanning engines remains an Achilles heel when addressing modern malware
Evasion techniques can easily bypass host-based defenses
- Malware writers use compression and encryption to bypass AV filters
- Malware developers use software polymorphism or metamorphism to change the appearance of malicious code from system to system
Cyber adversaries test malware against popular host-based software
- There are criminal web sites where malware authors can submit their exploits for testing against dozens of AV products
Speaker notes: MAIN POINT: a lot of people look at perimeter defenses and harden them, but the end game is the endpoint; that's where attackers are heading, and the protection out there is largely traditional, only good for nuisance and commonly known malware, not good for defending against targeted attacks. What about the new advanced malware solutions? They're next gen, but 71% of attacks that happen compromise and land on an endpoint even with the new perimeter solutions; they land. FireEye understands that the problem is on the endpoint (i.e. Mandiant). You can't simply harden at the network layer. Need an emerging security solution that goes beyond signatures. 1. Signatures: take time to develop, reactive; scanning. 2. Evasion techniques: compression, encryption, passwords; polymorphic, metamorphic. 3. Test against AV: own the AV software; default configs.

4 The State of Information Security
- Compromise happens in seconds
- Data exfiltration starts minutes later
- It continues undetected for months
- Remediation takes weeks, at $341k per incident in forensics costs
THIS IS UNSUSTAINABLE
Speaker notes: Reiterate these points and talk about the COST of forensics. If you're relying on bringing in a post-breach remediation service, you'll never get the IP. NEED a solution that can detect and respond at the moment of compromise and in the event that prevention fails (compromise versus breach).

5 The Kill Chain
- Reconnaissance: attacker researches potential victim
- Weaponization: attacker creates deliverable payload
- Delivery: attacker transmits weapon into environment
- Exploitation: attacker exploits vulnerability
- Installation: attacker changes system configuration
- C2: attacker establishes control channel
- Action: attacker attempts to exfiltrate data
Speaker notes: Now let's talk about the kill chain. What is this? For those of you not familiar, the idea is that this is a 7-step process that all attacks go through, and if you can thwart any one of these steps you can thwart the attack. The point is to PREVENT the attacker from getting to "action". Recon and weaponization are hard to disrupt, BUT delivery, exploitation and installation can all be disrupted by a security solution. We'll get into the emerging security solutions that allow you to cover as much of the kill chain as possible. CLICK. Developed at Lockheed Martin.
- Recon: hard to prevent; employees, leadership team, writing styles, supply chain; prevent network scanning
- Weaponization: obfuscation techniques; waterholing
- Delivery: first real place we can start to prevent the adversary; links, IP addresses, addresses, understand who is being targeted; malicious actors will re-use resources, so understanding an attack may help prevent future attacks
- Exploitation: must shrink the attack surface to reduce vulnerabilities
- Installation: details of the malware
- C2: callbacks; beaconing characteristics, hostnames, ports, IP addresses
- Action: attacker has achieved their goal; exfiltration, privilege escalation, lateral movement

6 Protection = Prevention, Detection and Response
"Security...will shift to rapid detection and response capabilities linked to protection systems to block further spread of the attack." Gartner, Endpoint Threat Detection and Response Tools and Practices, Sept. 2013
"Functions organize basic cybersecurity activities at their highest level. These Functions are: Identify, Protect, Detect, Respond, and Recover." NIST Cybersecurity Framework for Critical Infrastructure, Feb 2014
Speaker notes: We talked about the kill chain, but it's not just me saying there is a need for these new solutions: Gartner and others have identified a need to move towards REAL TIME detection and response that can deliver full protection across all systems.

7 Need a Security Lifecycle to Combat Advanced Threats
[Lifecycle diagram: Prevent (Prevention), Visibility, Detect & Respond (Detection, Response)]
Speaker notes: Gartner talks about the "Adaptive Security Architecture"; essentially it's like our security lifecycle at Bit9. Requirements: 1. Real-time visibility: up-to-the-second recorded history and real-time detection capability, with third-party feeds that can hook into a security solution to give comprehensive coverage; not only third parties but first parties like SRS. 2. Based on detection, you need to be able to rapidly respond; based on that, you can fuel your prevention for the future. 3. Always evolving: you need to be able to reduce your attack surface with prevention. The best way is "trust based" security; for those assets where you can't use a trust-based solution, use different enforcement levels on an endpoint, and you MUST be able to detect and rapidly respond.
Central is visibility. Several tools on the market provide network visibility. Detection: must interpret the visibility data to identify threatening events. Response: how quickly can we understand what happened and scope it? Visibility at the endpoint is critical. Prevention: how can advanced threats be stopped?

8 Reduce Attack Surface with Default-Deny
Traditional EPP failure
- Scan/sweep based (strobe light)
- Signature based
- Block known bad
Success of emerging endpoint prevention solutions
- Real time
- Policy based: tailor policies based on environment
- Trust based: block all but known good
Objective of emerging endpoint prevention solutions
- Lock down endpoint/server
- Reduce attack surface area
- Make it as difficult as possible for the advanced attacker
[Lifecycle diagram: Prevention, Visibility, Detection, Response]
Speaker notes: Now go into each individual element; self explanatory.

9 Reduce Attack Surface Across Kill Chain
[Kill chain diagram as on slide 5 (Reconnaissance, Weaponization, Delivery, Exploitation, Installation, C2, Action), annotated "Prevention effective here"]
Visibility and detection enable response
- Detect earlier in the kill chain and later in the kill chain
- You're getting immediate value as well, and across a larger portion of the kill chain
- Detects advanced threats resident before installing Bit9
- Alerts on advanced threats when in low and medium enforcement
- Adds another layer of defense: protects against inadvertent approval of malware (especially approval by users in medium enforcement and by admins in high enforcement)
- Adds visibility and context when stopping untrusted software in medium and high enforcement
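The trust-based, default-deny decision described on slides 8 and 9, written out as an added illustration (this is example code, not Bit9's or Carbon Black's implementation). The enforcement-level names, the rule that banned hashes are blocked at every level, and the sample events are assumptions made for the example.

```python
"""Illustrative default-deny evaluator (added example, not Bit9 or Carbon Black code).

Software runs only if it is known good; the enforcement level decides what
happens to untrusted files. Level semantics and sample data are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

LOW, MEDIUM, HIGH = "low", "medium", "high"  # assumed level names

@dataclass
class ExecEvent:
    host: str
    path: str
    sha256: str
    publisher: Optional[str]        # code signer, None if unsigned
    user_approved: bool = False     # user clicked "approve" at the prompt (medium only)

@dataclass
class Policy:
    enforcement: str
    approved_hashes: set = field(default_factory=set)    # admin-approved files
    trusted_publishers: set = field(default_factory=set)
    banned_hashes: set = field(default_factory=set)      # known bad

def evaluate(policy: Policy, ev: ExecEvent) -> tuple:
    """Return (verdict, reason); verdict is 'allow', 'block' or 'alert'."""
    # Known bad is blocked at every level (assumed): "block known bad" is all a
    # signature-style control does, and default-deny keeps it as a floor.
    if ev.sha256 in policy.banned_hashes:
        return "block", "banned hash"
    trusted = ev.sha256 in policy.approved_hashes or (
        ev.publisher is not None and ev.publisher in policy.trusted_publishers)
    if trusted:
        return "allow", "known good"
    # Untrusted software: default-deny, softened only by the enforcement level.
    if policy.enforcement == LOW:
        # Visibility only: record and alert so threats already resident show up.
        return "alert", "untrusted, recorded only (low enforcement)"
    if policy.enforcement == MEDIUM:
        if ev.user_approved:
            # The inadvertent-approval case from slide 9: the file runs, but an
            # alert gives the admin the context to review that decision.
            return "alert", "untrusted, approved by user (review)"
        return "block", "untrusted, no approval (medium enforcement)"
    return "block", "untrusted (high enforcement)"

def triage(policy: Policy, events: list) -> dict:
    """Count verdicts over a batch of recorded executions."""
    counts = {"allow": 0, "block": 0, "alert": 0}
    for ev in events:
        counts[evaluate(policy, ev)[0]] += 1
    return counts
```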

10 Detect in Real-time and Without Signatures
Traditional EPP failure
- Scan/sweep based
- Small signature database
Success of emerging endpoint detection solutions
- Large global database of threat intelligence
- Signature-less detection through threat indicators
- Watchlists
Objective of emerging endpoint detection solutions
- Prepare for inevitability of breach and continuous state of compromise
- Cover more of the kill chain than prevention
- Enable rapid response
[Lifecycle diagram: Prevention, Visibility, Detection, Response]

11 Reduce Attack Surface Across Kill Chain
[Kill chain diagram as on slide 5 (Reconnaissance, Weaponization, Delivery, Exploitation, Installation, C2, Action), annotated "Prevention effective here" and "Detection effective here"]
Visibility and detection enable response
- Detect earlier in the kill chain and later in the kill chain
- You're getting immediate value as well, and across a larger portion of the kill chain
- Detects advanced threats resident before installing Bit9
- Alerts on advanced threats when in low and medium enforcement
- Adds another layer of defense: protects against inadvertent approval of malware (especially approval by users in medium enforcement and by admins in high enforcement)
- Adds visibility and context when stopping untrusted software in medium and high enforcement

12 Rapidly Respond to Attacks in Motion
Traditional EPP failure
- Expensive external consultants
- Relies heavily on disk and memory artifacts for recorded history
Success of emerging endpoint incident response solutions
- Real-time continuous recorded history delivers IR in seconds
- In centralized database
- Attack process visualization and analytics
- Better, faster and less expensive
Objective of emerging endpoint incident response solutions
- Pre-breach rapid incident response
- Better prepare prevention moving forward
[Lifecycle diagram: Prevention, Visibility, Detection, Response]
Speaker notes: PRE-breach incident response.

13 Current Failures Within the Incident Response Process
The Six-Step IR Process
- Preparation. Failure: no IR plan with processes and procedures in place
- Identification & Scoping. Failure: do not have recorded history to fully identify or scope the threat
- Containment. Failure: does not properly identify the threat, so cannot fully contain it
- Eradication & Remediation. Failure: after failing to fully scope the threat, remediation is impossible
- Recovery. Failure: organization resumes operations with a false sense of security
- Follow Up & Lessons Learned. Failure: no post-incident process in place, or does not implement expert recommendations
Speaker notes: 6-step IR process developed by NIST. These are the steps IR teams go through once there is an attack. Typically they don't have pre-attack tools in place, so there is no recorded history; difficult to scope, therefore difficult to contain and remediate. Even after they've been breached, even if the attackers leave behind a tool, they don't have what it takes to prevent it from happening again.
"Maybe the fact that companies that are 'ahead of the curve' in security are doing it, while security laggards are barely waking up to it. What causes the laggards not to pay attention to IR? Obviously, misplaced trust in the ability of preventative controls to stop the attack, and thus excessive focus on them in their security planning, is a contributing factor." Gartner, Security IR in the age of APT
Preparation: Preparing your team to be ready to handle an incident at a moment's notice.
Identification/Scoping: Out of all the 6 steps, identification should originate internally, either from your security team or SOC. This is rarely the case today, because detecting an incident is most likely to be done by a third party, and in a lot of cases that third party is law enforcement. This is really the most important and critical step, although some people may argue that "Preparation" is the most critical. Proper identification of all the compromised systems is crucial, ALL of them, not just a handful of the compromised systems.
Advanced or targeted attackers install malware on more than half (actual figure 54%) of the compromised systems. What this means is that there are more than likely other compromised systems in an environment without ACTIVE malware on them. This is why proper identification and DETECTION is so important: you need to be able to detect the compromised systems that might not be blinking red but are still compromised. A big mistake that I see with breached customers today is that they seem to go directly to containment and eradication, because the attitude is "just get rid of this problem so we can move on"; this is a knee-jerk reaction. Unfortunately, when you skip right to eradication and containment you don't do proper scoping, and this is a recipe for disaster: it creates a false sense of security and ultimately leads to a game of whack-a-mole. The result of not doing proper scoping is an increased risk of re-infection and getting breached again. Another negative result of moving right to containment and eradication is that the threat actor can react quickly and implement countermeasures in response to containment and eradication efforts to ensure their foothold. Even worse, the threat actor will just start exfiltrating any collected data once they recognize you are containing and eradicating. Proper identification and scoping is the FIRST and most crucial step towards proper remediation: you have to scope and identify every compromised system properly, but in order to do this you need to gather intelligence.
Containment and Intelligence Gathering: While analyzing an attack you start to learn:
- How the threat actor was able to get into your environment
- How they are laterally moving from system to system
- The malware and tools they have placed on systems and are using
All of the above are used to identify additional compromised systems, as well as to help you put measures in place to start remediating. This is threat intelligence, and threat intelligence is a critical asset for an IR effort during any incident.
Remediation: These are recommendations and actions that need to be done in a short window of time in order to properly mitigate the incident. Examples might include blocking malicious IP addresses or URLs, rebuilding compromised systems, an enterprise-wide password change, etc.
Recovery: This is the step of the overall process where the organization starts to transition back into normal operations and its day-to-day business. You're not out of the dark yet, because long-term countermeasures still need to be implemented. Most of the things that happen in the recovery step are aimed at improving the overall security of the environment in order to PREVENT and DETECT additional incidents from happening in the future.
Follow-Up: This step is necessary to make sure that the incident was actually mitigated, the threat actor has been removed from the environment, and all other recommendations and solutions are being implemented.
By now you should recognize that the steps in the IR process are mutually dependent, and without proper execution of each step you can't progress and be successful in winning the battle. It really all boils down to Detection, Identification, and Visibility.

14 Advanced Threat Protection for Every Endpoint and Server
Watch and record: Data Center Servers, High-Risk/Targeted Users, Fixed-Function and Critical Infrastructure Devices, All Other Users
Speaker notes: OPTIONAL, instead of slide 18; use the talking points from slide 18. Watch and record everything across the enterprise. The core of security is visibility.

15 Advanced Threat Protection for Every Endpoint and Server
Watch and record; stop all untrusted software: Data Center Servers, High-Risk/Targeted Users, Fixed-Function and Critical Infrastructure Devices, All Other Users
Speaker notes: Prevention for: data centers; fixed function (POS, ATM, health care, control systems); high-risk / targeted users (VIP systems).

16 Advanced Threat Protection for Every Endpoint and Server
Watch and record; stop all untrusted software; detect and block on the fly: Data Center Servers, High-Risk/Targeted Users, Fixed-Function and Critical Infrastructure Devices, All Other Users
Speaker notes: Detect and Deny: Integrations with FireEye, fo

17 Bit9 + Carbon Black: Security Lifecycle in One Solution
[Lifecycle diagram: Prevent (Prevention), Visibility, Detect & Respond (Detection, Response)]
Speaker notes: This slide is for the product, with the LOGOS: where Bit9 and CB are effective and complement each other. Quick slide; punch line.

18 Bit9 + Carbon Black: Reduce Your Attack Surface; Rapidly Detect & Respond to Threats
1. Reduce Your Attack Surface
- Advanced Threat Prevention: market leader in Default-Deny
- New signature-less prevention techniques
- Proactive prevention mechanisms customizable for different users and systems
2. Rapidly Detect & Respond to Threats
- Continuously monitor and record every endpoint/server
- Super lightweight sensor that records and monitors everything, deployable to every computer
- Incident Response in Seconds
Technology leader; purpose-built by experts
Speaker notes: Corporate info; belabors the point, with logos.

19 Bit9 + Carbon Black: Understanding the Entire Kill Chain
[Screenshot of the "PROCESS TREE" visualization]
- See the kill chain in seconds
- From vulnerable processes to the persistent malicious service
- Would take days or weeks to re-create using traditional tools
Speaker notes: Screenshot of the "PROCESS TREE" to get the visualization of the entire breadth of the attack, to show how it brings in all the child processes and builds out. See the whole attack, but dive in to see the attack in seconds.

20 Takeaways
"In 2020, enterprises will be in a state of continuous compromise."
- Bit9 is much more than application control/application whitelisting
- Reduce your attack surface with prevention
- Prepare for inevitability of compromise
- Detect in real time without signatures
- Pre-breach rapid response in seconds with recorded history
- Establish an IR plan
- Understand the need for a security lifecycle
- Deploy security solutions across entire environment
Speaker notes: RECAP slide, self explanatory. Remember the difference between compromise and breach. PLAN = prepare BEFORE a breach occurs; rinse and repeat.
- Assume you will get breached: establish an IR plan; use security solutions that can simplify and expedite response
- Reduce your attack surface with prevention: make it as difficult as possible for an attacker
- Assume prevention will fail and prepare to respond. How to do this? Detect both known and unknown malware without signatures; have real-time recorded history that continuously monitors and records every endpoint/server; rapidly respond using recorded history
- Deploy security solutions that understand the relationships of the data they are collecting
- Fully deploy security solutions across the entire environment: limited coverage means limited prevention, detection, and response capabilities

21 Thank You

