Panda Adaptive Defense Platform and Services

Presentation transcript:

Panda Adaptive Defense Platform and Services A New Endpoint Protection Paradigm Josu Franco. Strategy and Technology Advisor.

Dynamics of digital life: the “nexus of forces”. Our current digital behaviour creates a complex, interconnected and hyper-dynamic environment. The perimeter is now wherever the user is. The complexity of IT systems increases exposure to cyber-threats. Section: The Evolution of Cyber Attacks.

The Target is the Endpoint. Attackers need to reach the endpoint because from there they can access other targets, exfiltrate information, steal credentials, gather intelligence, or launch further attacks. (Chart: % of incidents by target. Source: Verizon Data Breach Investigations Report 2016.) Section: The Malware Industry.

The Gap is Getting Wider. The figure shows that the percentage of breaches where time to compromise was days or less is increasing, while time to discovery is not keeping pace. Attackers are more efficient now than ever before. (Chart: Time to Compromise vs. Time to Discover. Source: Verizon Data Breach Investigations Report 2016.) Section: The Detection Gap.

Challenge #1: “Malwareless” attacks. Attackers exploit social engineering and weaknesses in the design of security products. Example: the “POWERWARE” attack. No vulnerabilities exploited. No malicious URL involved. No malware file on disk. PowerShell encrypts the files. Conventional defences won’t work. Section: The Malware Industry.

Challenge #2: Agent clutter prevents visibility. Non-integrated solutions create complexity, performance issues and a lack of visibility. Section: The Malware Industry.

Challenge #3: Alert noise. Only 4% of alerts are ever investigated. “Two-thirds of the time spent by security staff responding to malware alerts is wasted because of faulty intelligence.” “It costs organizations an average of $1.27 million annually in time wasted responding to erroneous or inaccurate malware alerts.” (Source: Ponemon Institute, “The cost of malware containment”, n=630.) Section: The Malware Industry.

The Prevailing Endpoint Security Paradigm… is based on point-in-time detection of known malicious processes only. This means that all suspicious activity has to be investigated case by case, and all unknown malicious processes are allowed to run. That is why attackers skirt around these systems so easily and why their success rate is so high. (Diagram: Malware / Suspicious / Unknown; more effort, more risk.) The result is a higher success rate for attacks: a detection gap. Section: A New Approach to Endpoint Security.

Malware Detection Gap: Blacklist Model. (Source: Panda Research, Jan.–Jun., 6 months, 16 M samples.) Section: The Detection Gap.

Panda Adaptive Defense Security Paradigm. It is based on the classification of absolutely all running processes on your network. All activity of all programs is monitored and analysed in real time. All behaviours are verified by a managed service, so administrators do not have to investigate anything. Higher level of protection, less effort, and no risk for you. (Diagram: Malware / Unknown / Goodware; Suspicious handled by the Managed Service; Real-time Visibility; Integrated Forensic Analysis; Zero Risk.) All processes are classified. No application can run if it is not trusted. The result is a higher protection rate with minimum effort. Section: A New Approach to Endpoint Security.

Evolution of Panda Security Protection Capabilities. Panda Adaptive Defense is a managed cybersecurity service based on three pillars: product, technologies and services, all designed to work together. Starting from the customer, all that is needed is an agent on every endpoint that monitors all activity at the endpoint related to processes, network connections, the registry, changes to the OS, access to data files, etc. This metadata is used by the Adaptive Defense Platform in the cloud and by Panda’s and Deloitte’s analysts to determine the nature of each executable file and its behaviour. The data is also used to detect insiders or hackers who might be attempting to infiltrate the network, or to exfiltrate data if they are already inside. The classification of all files is delivered through the 100% Attestation Service. In most cases (99.98% currently), this is performed automatically by the system using machine learning techniques. If needed, unknown applications are detonated in a custom-made array of physical sandboxes (not VMs, since those can be detected by malware) and their behaviour is extracted. The remaining 0.02% is classified by Panda analysts. The service always covers 100% of the applications. However, as attackers evolve and adapt their methods, it is necessary to look beyond the classification of files and to hunt for attacks that use other, more advanced methods. Therefore, Panda Security’s hunters, jointly with Deloitte’s experts, provide a Threat Hunting and Investigation Service. This service uses proprietary machine learning algorithms and the expertise of threat hunters to spot anomalies and Indicators of Attack across all endpoints protected by Adaptive Defense. Searches can be done in real time and retrospectively by looking at the historical behaviour profiles of machines, applications and the network.
Adaptive Defense is managed through a cloud-based console, which provides deployment, configuration and reporting options at various levels. An Advanced Reporting Tool, accessible from the main AD console, offers in-depth visibility and insights into all the activity monitored at the endpoints (who is using which applications and when, which data is being accessed, which running applications are vulnerable, etc.). This way, customers have real-time access to all the metadata being collected. The Adaptive Defense Platform can also be integrated with third-party systems via APIs, or specifically with SIEM products via a SIEM-Feeder, to augment the customer’s own security infrastructure. An important part of Panda’s strategy is to partner with Managed Security Service Providers and Managed Detection and Response providers. By leveraging the AD platform and its services, they can offer additional value, protection and insights: last-mile services tailored to each customer, understanding each customer’s context, hunting for targeted threats, helping them reduce the attack surface, or complementing the endpoint-based capabilities of Adaptive Defense with additional security management, for instance.

Architecture & components. (Diagram: Panda Security; MSSP & MDR; Customers’ environment.)

Main Differentiators and Benefits. 100% Attestation Service and Threat Hunting and Investigation Service: ensures the trustworthiness of all running processes; allows a continuous response to hackers and insider threats; closes the detection gap and adapts to the evolution of threats. Integrated Prevention, Detection and Response against malware and malwareless attacks: eliminates agent clutter from multiple vendors; simplifies management and reporting efforts; the cloud-based solution requires no maintenance costs and is always up to date. Visibility of past and present endpoint activity, in one integrated architecture: provides in-depth insight into all endpoint activity, not only malware; automated investigation minimises time spent on incidents; no alert noise; enables scalability of managed security services and Managed Detection & Response. Section: The Malware Industry.

Reinventing Cybersecurity.