FireEye Architecture & Technology Full Spectrum Kill-chain Visibility

Presentation transcript:

FireEye Architecture & Technology: Full Spectrum Kill-chain Visibility
Security. Re-Imagined.
Joshua Senzer, CISSP. DataConnectors, June 2014

AGENDA
- Threat Landscape Deep Dive
- A Look INSIDE the FireEye TECHNOLOGY
- The FireEye Platform
- FireEye Platform: A Case Study

Current State of Cyber Security: NEW THREAT LANDSCAPE
- Coordinated Persistent Threat Actors
- Dynamic, Polymorphic Malware
- Multi-Vector Attacks
- Multi-Staged Attacks

The High Cost of Being Unprepared
- 63% of Companies Learned They Were Breached from an External Entity
- 229 Days: Median # of days attackers are present on a victim network before detection
- 32 Days: Average Time to Resolve an Attack
- 100% of Victims Had Up-To-Date Anti-Virus Signatures
Timeline: Initial Breach; THREAT UNDETECTED (3 Months, 6 Months, 9 Months); REMEDIATION
Speaker notes: Here's what we've seen in our experiences at FireEye/Mandiant. Attackers have literally months of unfettered access. And when they have access for so long, they penetrate deep and it takes months to clean up the mess. All environments we analyzed had traditional security tools, e.g. old-school IDS, AV, designed into their architectures to safeguard! But they weren't protecting against this new breed of cyber threats. More alarming: 63% of the organizations were told they were breached by someone outside, someone walking up to their door and saying, "Hey, you dropped your wallet outside... is this yours?" And these were serious organizations, your everyday brands, that had invested heavily in security. How's that possible?
Source: M-Trends Report, Ponemon

Zero Day Scorecard

Multi-Staged Cyber Attack
Diagram elements: Exploit Server, Callback Server, Firewall, IPS, File Share 1, File Share 2
1. Exploitation of System
2. Malware Executable Download
3. Callbacks and Control Established
4. Lateral Spread
5. Data Exfiltration
Exploit Detection is Critical: All Subsequent Stages can be Hidden or Obfuscated

What Is An Exploit?
Diagram: HACKED, compromised webpage with exploit object
- An exploit is NOT the same as the malware executable file!
- Exploit object can be in ANY web page
- Exploit object rendered by vulnerable software
- Exploit injects code into running program memory
- Control transfers to exploit code

Structure of a Multi-Flow APT Attack
Diagram elements: Exploit Server, Callback Server, Command and Control Server, Encrypted Malware
1. Embedded Exploit Alters Endpoint
2. Callback
3. Encrypted malware downloads
4. Callback and data exfiltration

Multi-Flow Structure of APT Attacks (e.g. Operation Aurora, Operation Beebus, CFR...)
Diagram elements: Exploit in compromised Web page, Callback, Command and Control Server, Encrypted Malware
1. Exploit injects code in Web browser
2. Exploit code downloads encrypted malware (not SSL!)
3. Exploit code decrypts malware
4. Target end point connects to C&C server

Multi-Vector Structure of APT Attack: Weaponized Email with Zero-Day Exploit (e.g. RSA)
Diagram elements: Weaponized Email (2011 Recruitment Plan.xls), Callback Server, Backdoor, C&C Server
1. Email with weaponized document, opened by user, causing exploit
2. Client endpoint calls back to infection server
3. Backdoor DLL dropped
4. Encrypted callback over HTTP to command and control server

Traditional "Defense in Depth" is failing: The New Breed of Attacks Evade Signature-Based Defenses
Layers shown: Anti-Spam Gateways, IPS, Firewalls/NGFW, Secure Web Gateways, Desktop AV
Speaker notes: And what do they all have in common? The attacks are targeted, persistent and unknown, enabling them to evade traditional signature-based defenses. Traditional or next-generation firewalls, IPS, gateways or AV: it doesn't matter. They are all completely defenseless in the face of these new attacks.

Accelerating the Detection to Forensics Workflow
1. Real-time Detection: Signature-less virtual machine-based approach to identify the attack lifecycle
2. Validation & Containment: On- and off-premise endpoint validation and containment
3. Forensics (Connecting the dots across time): Kill chain reconstruction to determine the scope and impact of a threat
One security platform with precise alert capabilities and detailed forensic data on the full scope of an attack.
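The "kill chain reconstruction" step above, combined with the five-stage model from the Multi-Staged Cyber Attack slide (exploitation, malware download, callback, lateral spread, exfiltration), comes down to correlating per-host events over time and asking which stages were observed. The routine below is an added example written for this page; it is not FireEye code and not taken from the deck. The log line format, the host names, the event kinds and the severity rules are all constructed for illustration. It also handles the case the slides warn about: a host that shows later stages with no exploit event, because the exploit was hidden or obfuscated.

```python
"""Kill chain reconstruction over per-host security events.

Added example (not FireEye code). Events are grouped by host, ordered in
time, and mapped to the five stages of the multi-staged attack model:
1 exploitation, 2 malware download, 3 callback/C2, 4 lateral spread,
5 data exfiltration. Each host is then classified by the stages seen, so
an analyst sees the scope of an intrusion rather than isolated alerts.
The log format and the sample lines are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Event kinds (constructed names) mapped to the numbered attack stages.
STAGES = {
    "exploit": 1,   # exploitation of system
    "download": 2,  # malware executable download
    "callback": 3,  # callbacks and control established
    "lateral": 4,   # lateral spread
    "exfil": 5,     # data exfiltration
}


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str     # one of the STAGES keys
    detail: str


def parse_line(line: str) -> Event:
    """Parse a constructed line: '<ISO-8601 timestamp> <host> <kind> <detail>'."""
    ts, host, kind, detail = line.strip().split(" ", 3)
    if kind not in STAGES:
        raise ValueError(f"unknown event kind {kind!r}")
    return Event(datetime.fromisoformat(ts), host, kind, detail)


def classify(stages: list) -> str:
    """Severity label from the sorted list of stage numbers seen on one host.

    Stage 1 plus any later stage is a confirmed multi-stage intrusion.
    Stage 3 or later without a stage-1 event means the exploit stage was
    hidden or obfuscated; the host is still treated as compromised.
    """
    if 1 in stages and max(stages) >= 2:
        return "multi-stage compromise"
    if stages == [1]:
        return "exploit only (validate on endpoint)"
    if max(stages) >= 3:
        return "post-exploit activity (exploit stage missed)"
    return "single event"


def reconstruct(lines):
    """Group events by host and return one chain summary per host."""
    by_host = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        by_host[ev.host].append(ev)

    chains = {}
    for host, events in by_host.items():
        events.sort(key=lambda e: e.ts)
        stages = sorted({STAGES[e.kind] for e in events})
        dwell = (events[-1].ts - events[0].ts).days   # observed dwell window
        chains[host] = {
            "stages": stages,
            "dwell_days": dwell,
            "severity": classify(stages),
            "timeline": [(e.ts.isoformat(), e.kind, e.detail) for e in events],
        }
    return chains


# Constructed sample events (not real telemetry). ws-117 walks all five
# stages over four months; ws-042 shows only callback and lateral movement
# (its exploit stage was never seen); db-01 has one unconfirmed download.
SAMPLE_EVENTS = [
    "2014-01-10T09:12:00 ws-117 exploit browser-plugin-crash-on-compromised-page",
    "2014-01-10T09:12:41 ws-117 download exe-fetched-from-previously-unseen-host",
    "2014-01-10T09:15:03 ws-117 callback periodic-beacon-to-new-domain",
    "2014-03-02T22:40:10 ws-117 lateral admin-share-access-fileshare1",
    "2014-05-14T10:05:55 ws-117 exfil large-outbound-transfer-to-new-host",
    "2014-02-20T11:00:00 ws-042 callback periodic-beacon-to-new-domain",
    "2014-02-21T08:30:00 ws-042 lateral admin-share-access-fileshare2",
    "2014-04-01T14:00:00 db-01 download exe-fetched-from-previously-unseen-host",
]


def report(lines):
    """One summary line per host, sorted by host name."""
    out = []
    for host, chain in sorted(reconstruct(lines).items()):
        out.append(f"{host}: stages {chain['stages']} over "
                   f"{chain['dwell_days']} days -> {chain['severity']}")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EVENTS)))
```

The classification deliberately escalates a host that shows callback or lateral-movement events without a preceding exploit alert: as the slides note, once the exploit stage is missed the remaining stages may be obfuscated, so their presence alone is enough to scope the host into the incident. The dwell window is simply first-to-last observed event and is a lower bound on the real dwell time.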

Security Reimagined: Virtual Machine-Based Model of Detection
Finds known/unknown cyber-attacks in real time across all attack vectors
- Purpose-Built for Security
- Hardened Hypervisor
- Multi-flow
- Multi-vector
- Scalable
- Extensible

FireEye Technology: Scaling the MVX
Phase 1, Line Rate Intelligent Capture (Reduce False Negatives): 1M+ objects/hour; HTML and JavaScript form 95% of objects to be scanned on the wire
Phase 2, MVX Core (Detonation) (Reduce False Positives): Multi-flow virtual analysis
APT web attacks are nearly invisible needles in a haystack of network traffic

FireEye Technology: Inside the MVX
Diagram layers: Hardware; FireEye Hardened Hypervisor; Cross-Matrix Virtual Execution (v1, v2, v3); Control Plane
1. FireEye Hardened Hypervisor: custom hypervisor with built-in countermeasures, designed for threat analysis
2. Massive cross matrix of virtual executions: multiple operating systems, multiple service packs, multiple applications, multiple application versions
3. Threat Protection at Scale: >2000 simultaneous executions (>2000 Execution Environments); multi-flow analysis

FireEye's Web detection is great, BUT ..... There are a number of threats that the FireEye solution does not address well:
- Unauthorized access
- Data Resource Theft
- Malformed Packets
- SQL Injection
- Packet Flooding
- Cross-Site Scripting
- DDOS
Client-side vs. Server-side Attacks

FireEye IPS: Improve Correlation Between Known and Unknown Threats to Increase Threat Protection and Reduce Costs
- Consolidated threat defense: integrate threat prevention for known and unknown threats, leveraging the MVX engine to provide timely and accurate notifications
- Threat validation: validate attacks using the MVX engine so time and resource investments are not spent on filtering down the noise
- Actionable insights: correlate known and unknown threats and derive richer threat intelligence to speed up incident response
Speaker notes:
- It allows NX to compete in both APT and IPS market segments
- It supports custom IPS Snort rules that are widely used in the market for compliance
- It provides both client and server IPS protection for known attacks
- It provides the CVE ID for known attacks that have been detected by MVX

The Objective: "Continuous Threat Protection"
Diagram labels: Full Real-time Enterprise Forensics Capture; Time to Detect; Time to Fix; REAL TIME; Inspect; Expose; Prevent & Investigate; nPulse
Costs shown: THEFT OF ASSETS & IP; COST OF RESPONSE; DISRUPTION TO BUSINESS; REPUTATION RISK
Speaker notes: We see two key goals: minimize time to detect and time to fix/remediate the threats/impact in our environment. Let's just take a look at the Target breach: it cost $400M just to replace the credit cards, not to mention the impact to the brand, organizational disruption, and legal ramifications. The ideal situation would be to stop this right at the outset and prevent any impact to the organization and its customers, providing Continuous Threat Protection. FireEye has identified four steps to achieving "Continuous Threat Protection". These include: detecting the threats (in real time); containing the impact of the threats within an organization by understanding what the malware might be going after; resolving the impacted systems (identifying, quarantining, and cleaning up the machines); and, where appropriate, preventing any impact from these threats (especially when deployed inline).

FireEye Product Portfolio: Powered by MVX
Diagram labels: MVX; Dynamic Threat Intelligence; Threat Analytics Platform; Mobile Threat Prevention; Email Threat Prevention; Network Threat Prevention; Content Threat Prevention; Endpoint Threat Prevention; SEG; SWG; DMZ; Perimeter; IPS; Host Anti-virus; Endpoint; Data Center; MDM; BYOD Domain
Note: Threats @ perimeter: Network Threat Prevention Platform. Data Center: Content Threat Prevention Platform for latent malware.
Speaker notes: Obviously many people are now bringing in mobile devices... with Mobile Threat Prevention, we are able to leverage MVX to now analyze the new class of threats: threats via mobile apps, e.g. apps stealing contacts, which provides the attacker the email information (and legally valid sources) for the next stage of attack. On the endpoint, Mandiant brings us the MSO product, which will be rebranded into the FireEye platform as the Endpoint Threat Prevention Platform. Finally, we have the Email Threat Prevention Platform for the spearphishing attacks that attackers use to penetrate organizations. The Threat Analytics Platform is a new product for analyzing advanced threats using a combination of event logs and security device logs with homegrown threat intelligence from FireEye.

FireEye and Mandiant Services Portfolio
Subscription Services and Product Support: FireEye Managed Defense; Product Support Services
Security Consulting Services: Proactive Threat and Vulnerability Assessments; Strategic Consulting and Security Program Assessments; Incident Response
Speaker notes: While products help defend you against threats and attacks in progress right here and now, knowing your attackers, their motives, and the security structure of your infrastructure will take your organizational security health to a higher level, much like health assessments and exercise complement medication to take human health a level higher. In addition to managed defense, FireEye offers services to help you assess your security against the constant evolution of services and business models, update and test your incident response plan, review current processes, capabilities and technology against leading practices, as well as train your CERT teams. Additionally, if you are short on staff or talent, count on assistance to complement your staff, or leverage external services to help manage your security. All these services are offered directly by FireEye, and some can also be offered in conjunction with one of the FireEye partners (depending on their level).

FireEye Technology Alliances (For Partner & Field Confidential Only)
Mandiant and Cloud offerings: COMING SOON
- INSTRUMENTATION PARTNERS: Ease of implementation and high availability for Layers 1-3
- ENDPOINT PARTNERS: Verification and remediation of threats through incident response processes
- ANALYSIS / SIEM PARTNERS: Data correlation analytics, policy and compliance management
- MITIGATION PARTNERS: Augmenting and enhancing FireEye remediation capabilities, real-time policy creation and blocking across the architecture
- MOBILITY PARTNERS: Mitigating against mobile-based threats for BYOD environments with MDMs
- ACCELERATION PARTNERS: Top partners in the Fuel Technology Program
Reference Architecture and Strategic Integrations: Virtual Machine Detonation; Forensic Analysis; Real Time Alerts; Call Back Detection; Exploit; Remediate Threats
"FireEye technology partnerships are great. They fill in the gaps other vendors can't match. FireEye, with its partners, offers a formidable defense." (OTR Global Report 2013)

FireEye Platform: Products & Services Portfolio
Products: Network (NX) - IPS; Email (EX); Content (FX); Endpoint (HX); Central Manager (CM); Mobile (MTP); Cloud Email (ETP); Forensics (AX); Threat Analytics Platform (TAP); Network Forensics (CPX)
Support Services: Platinum (24x7, Global); Platinum Priority Plus (DSE); Gov't. Support (Citizens); Gov't Classified - Planned (Clearances, Secured Facility; start in U.S. and expand internationally)
Managed Defense Services Portfolio: Continuous Protection; Continuous Monitoring
Advanced Services: Mandiant Incident Response, Vulnerability Assessment and Penetration Testing; Strategic Services: Response Readiness and Security Program Assessment; Product Deployment and Integration

Thank You