Rapid Detection & Incident Response: What, Why and How
March 2016, Ft Gordon
© Fidelis Cybersecurity

The Challenges
- People: security skills shortage. There are not enough security experts for an effective defense.
- Technology: a patchwork of security solutions. Overlapping tools create more work and lead to alert fatigue.
- Process: manual, ad-hoc processes. Reviewing alerts is time consuming and critical alerts are missed.
What It Takes to Find Attackers: It's About More than Malware
- Changing data / hijacking services
- Content staging
- Insider threat
- SQL injection
- Suspicious application and user behavior
- Cross-site scripting (XSS)
- Zero-day exploits
- Data and credential theft
- Web shells
- Surveillance / espionage
- Unusual user behavior
- Malicious content and services
The Day-to-Day Reality
All facets must be brought together for rapid detection and response:
- See patterns in network activity
- Monitor for exfiltration of data
- See beaconing and block it
- Identify malicious network behavior
- See lateral movement
- Perform real-time and historical analysis
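Two of the bullets above, seeing beaconing and monitoring for exfiltration, come down to statistics over connection records. The following is an added example of that detection logic and is not Fidelis code: it runs over a small constructed set of flow records (timestamp, source, destination, port, bytes sent), flags destination pairs whose connection intervals are suspiciously regular, and flags sources whose outbound volume dwarfs the rest of the population. The thresholds and the sample hosts are illustrative assumptions.

```python
"""Beaconing and bulk-exfiltration detection over constructed connection records.
Added example, not Fidelis code; thresholds are illustrative assumptions."""
from collections import defaultdict
from statistics import mean, median, pstdev

# Constructed sample connection records: (timestamp_s, src, dst, dst_port, bytes_out).
# Not captured traffic; the three hosts illustrate a beacon, normal browsing, a bulk upload.
FLOWS = [
    # 10.0.0.5: ~60 s interval to one external host, small payloads -> C2 beacon
    *[(t, "10.0.0.5", "203.0.113.10", 443, 612 + (i % 3) * 7)
      for i, t in enumerate([0, 61, 120, 181, 240, 299, 360, 421])],
    # 10.0.0.7: ordinary browsing, irregular timing, several destinations
    (5, "10.0.0.7", "198.51.100.40", 443, 1800),
    (9, "10.0.0.7", "198.51.100.41", 443, 950),
    (47, "10.0.0.7", "198.51.100.40", 443, 2300),
    (130, "10.0.0.7", "198.51.100.40", 443, 410),
    (131, "10.0.0.7", "198.51.100.42", 80, 3100),
    (300, "10.0.0.7", "198.51.100.40", 443, 1500),
    # 10.0.0.9: three flows that together push ~51 MB out over SSH -> bulk exfiltration
    (15, "10.0.0.9", "198.51.100.20", 22, 18_000_000),
    (75, "10.0.0.9", "198.51.100.20", 22, 17_500_000),
    (140, "10.0.0.9", "198.51.100.20", 22, 16_000_000),
]


def detect_beacons(flows, min_connections=4, max_cv=0.2):
    """Flag (src, dst, port) tuples whose inter-connection intervals are
    suspiciously regular: coefficient of variation (stdev / mean) below max_cv.
    Returns [(src, dst, port, mean_interval_s, cv)] sorted by cv."""
    times = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        times[(src, dst, port)].append(ts)
    hits = []
    for key, stamps in times.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv < max_cv:
            hits.append((*key, round(avg, 1), round(cv, 3)))
    return sorted(hits, key=lambda h: h[-1])


def detect_bulk_exfil(flows, abs_threshold=10_000_000, ratio=10):
    """Flag sources whose total outbound bytes exceed abs_threshold and are at
    least `ratio` times the median per-source total, so one noisy host stands
    out against the rest of the population. Returns [(src, total_bytes)]."""
    totals = defaultdict(int)
    for _, src, _, _, nbytes in flows:
        totals[src] += nbytes
    baseline = median(totals.values())
    return sorted((src, tot) for src, tot in totals.items()
                  if tot >= abs_threshold and tot >= ratio * baseline)


if __name__ == "__main__":
    for hit in detect_beacons(FLOWS):
        print("beacon:", hit)
    for hit in detect_bulk_exfil(FLOWS):
        print("bulk outbound:", hit)
```

The coefficient-of-variation threshold is the knob that matters: at 0.2 only the 60-second beacon is flagged, while loosening it to 0.6 also catches the browsing host's repeat visits to one site, which is how alert fatigue starts. Real beacons add jitter and sleep randomisation, so in production the interval check is combined with the payload-size regularity and destination reputation rather than used alone.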
Attack Lifecycle Overview: Detection at Every Stage of an Attack
Preventing attackers from achieving their mission requires detection and visibility at every stage of the attack.

Stage: Initial Compromise
  Attacker objective: gain initial access
  Sample tools & tactics: phishing, watering-hole attack, removable media, malicious download

Stage: Establish Foothold
  Attacker objective: strengthen position
  Sample tools & tactics: custom malware, command and control, third-party application exploitation

Stage: Escalate Privileges
  Attacker objective: steal valid user credentials
  Sample tools & tactics: credential theft, "pass-the-hash"

Stage: Move Laterally
  Attacker objective: access other servers and files
  Sample tools & tactics: Windows and Linux lateral movement techniques, reverse shell access

Stage: Data Theft
  Attacker objective: package and steal target data
  Sample tools & tactics: staging servers and directories, data consolidation, data theft
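The Escalate Privileges and Move Laterally stages above leave a characteristic trace in authentication logs: one account, from one source host, producing network logons on many machines in a short time. The following is an added example of that heuristic and is not Fidelis code. The logon records are constructed, and the field layout (logon type, authentication package, source IP) is an assumption modelled loosely on the fields of a Windows 4624 logon event; the NTLM-only default reflects the fact that pass-the-hash as described on the slide replays an NTLM hash.

```python
"""Lateral-movement fan-out heuristic over constructed logon records.
Added example, not Fidelis code; record layout and thresholds are assumptions."""
from collections import defaultdict

# Constructed logon records: (epoch_s, target_host, account, logon_type, auth_package, source_ip).
# Logon type 3 is a network logon; the package is NTLM, Kerberos or Negotiate.
LOGONS = [
    # svc_backup from 10.0.0.5 hits six file servers in under four minutes over NTLM
    *[(1000 + 40 * i, f"FS0{i + 1}", "svc_backup", 3, "NTLM", "10.0.0.5") for i in range(6)],
    # jdoe: two ordinary logons hours apart
    (1200, "FS01", "jdoe", 3, "Kerberos", "10.0.0.7"),
    (9000, "MAIL01", "jdoe", 3, "Kerberos", "10.0.0.7"),
    # dadmin: a legitimate patch run, Kerberos, eight workstations in four minutes
    *[(2000 + 30 * i, f"WS{i + 10}", "dadmin", 3, "Kerberos", "10.0.0.8") for i in range(8)],
    # an interactive (type 2) logon is not lateral movement and is ignored
    (1500, "WS10", "svc_backup", 2, "Negotiate", "10.0.0.5"),
]


def detect_fan_out(events, window_s=600, min_hosts=5, auth_packages=("NTLM",)):
    """Group network logons (type 3) by (account, source_ip), slide a window of
    window_s seconds over each group's timeline and count distinct target hosts.
    Returns [(account, source_ip, max_distinct_hosts_in_window)] for every group
    that reaches min_hosts. auth_packages=None disables the package filter."""
    groups = defaultdict(list)
    for ts, host, account, logon_type, package, src in events:
        if logon_type != 3:
            continue
        if auth_packages is not None and package not in auth_packages:
            continue
        groups[(account, src)].append((ts, host))
    hits = []
    for (account, src), items in groups.items():
        items.sort()
        best = 0
        for i, (t0, _) in enumerate(items):
            # distinct hosts reached within window_s of this logon
            hosts = {h for t, h in items[i:] if t - t0 <= window_s}
            best = max(best, len(hosts))
        if best >= min_hosts:
            hits.append((account, src, best))
    return sorted(hits)


if __name__ == "__main__":
    print("NTLM fan-out:", detect_fan_out(LOGONS))
    print("any package: ", detect_fan_out(LOGONS, auth_packages=None))
```

With the NTLM filter only the service account is flagged; dropping the filter also flags the administrator's patch run, which has the same shape. Both results are useful: the first is the higher-fidelity alert, the second is the list you would check against change records. The filter also has a blind spot, since credential reuse over Kerberos (overpass-the-hash, stolen tickets) produces Kerberos network logons and needs the unfiltered view plus other indicators.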
The Threat Timeline

Attacker timeline
- Time-to-Compromise: milliseconds to minutes
- Time-to-Exfiltration: minutes to days
- Data Exfiltration Window: months to years

Defender timeline
- Time-to-Prevention: milliseconds to minutes
- Time-to-Discovery: months to years
- Time-to-Containment: days to weeks

Defense options:
1. Prevent the initial compromise.
2. Compress or eliminate the data exfiltration window by reducing the Time-to-Discovery and Time-to-Containment.

Speed matters: you are in a race with the attacker!
The Value Gap
- Traditional security looks at the perimeter/gateway, i.e. the Initial Compromise stage.
- Threats that make it past the perimeter/gateway, and the insider threat, operate in the later stages: Establish Foothold, Escalate Privileges, Move Laterally, Data Theft.
- The cost of incident response and remediation ($$$$$) grows the further an attacker gets through the lifecycle.
- Closing the gap requires cohesive threat lifecycle visibility.
Rapid Detection and Response Model (diagram not reproduced)
Defense in Depth

Traditional Security (signature-based, packet-based CVE detection)
- Firewalls (FW / NGFW). Attack vector: network protocols (TCP / UDP). Features: protocol attacks, exploits and evasions; access control; protocol misuse.
- IPS / IDS (IPS / NGIPS). Attack vector: network applications (HTTP, SMTP, SSL, DNS...). Features: network application attacks and exploits.
- Endpoint Protection Platforms (EPP). Features: antivirus, network protocols, application security.

Advancing Security
Attack vectors: content / embedded content; business applications and run-time environments (PDF, Office, JAVA, Flash).
- Network Malware Detection / Sandbox: commodity malware and advanced targeted attacks (advanced malware, RATs).
- Network DLP / Data Theft: targeted data theft and insider threat.
- Network Security Analytics / Forensics: rich, content-infused metadata and packet capture; fully decoded forensic detail for historical analysis.
- Security Information and Event Management (SIEM): event correlation, data correlation, alerting, dashboard.
- Endpoint Detection & Response (EDR): detect, contain, investigate, remediate.
Case in Point: Rapid Remediation
- Case scenario: automation is required; automated remediation brings the response down to minutes.
Questions?