©2014 Bit9. All Rights Reserved The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain Mary Ann Fitzsimmons Regional.

Presentation transcript:

The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain. Mary Ann Fitzsimmons, Regional Director

Significant Data Breaches in Last Twelve Months (timeline chart, January through December)


Malware: Actors + Actions + Assets = Endpoint (source: 2013 Verizon Data Breach Investigations Report)

Why is the Endpoint Under Attack?
1. Host-based security software still relies on AV signatures
– Antivirus vendors rely on a routine signature process that takes time and can no longer keep up with the massive malware volume
– Host-based security software's dependency on signatures and scanning engines remains an Achilles heel when addressing modern malware
2. Evasion techniques can easily bypass host-based defenses
– Malware writers use compression and encryption to bypass AV filters
– Malware developers use software polymorphism or metamorphism to change the appearance of malicious code from system to system
3. Cyber adversaries test malware against popular host-based software
– There are criminal web sites where malware authors can submit their exploits for testing against dozens of AV products

The Malware Problem By the Numbers
66% of malware took months or even years to discover (dwell time) [1]
69% of intrusions are discovered by an external party
$5.4M: the average total cost of a data breach [3]
155k: the number of new malware samples that are seen daily [2]
Sources: 1. Verizon Data Breach Investigations Report | 2. McAfee Threats Report: First Quarter 2013 | 3. Ponemon Institute 2013 Cost of a Data Breach Study

The State of Information Security (chart; sources: NetDiligence, 2013 Cyber Liability & Data Breach Insurance Claims; 2013 Verizon Data Breach Investigations Report)

The State of Information Security
Compromise happens in seconds
Data exfiltration starts minutes later
It continues undetected for months
Remediation takes weeks
At $341k per incident in forensics costs
THIS IS UNSUSTAINABLE

The Kill Chain
Reconnaissance: attacker researches potential victim
Weaponization: attacker creates deliverable payload
Delivery: attacker transmits weapon into environment
Exploitation: attacker exploits vulnerability
Installation: attacker changes system configuration
C2: attacker establishes control channel
Action: attacker attempts to exfiltrate data

Protection = Prevention, Detection and Response
“Security…will shift to rapid detection and response capabilities linked to protection systems to block further spread of the attack.” (Gartner, Endpoint Threat Detection and Response Tools and Practices, Sept)
“Functions organize basic cybersecurity activities at their highest level. These Functions are: Identify, Protect, Detect, Respond, and Recover.” (NIST Cybersecurity Framework for Critical Infrastructure, Feb 2014)

Need a Security Lifecycle to Combat Advanced Threats (lifecycle diagram: Prevent; Detect & Respond; stages Prevention, Visibility, Detection, Response)

Reduce Attack Surface with Default-Deny
Traditional EPP failure:
Scan/sweep based
Signature based
– Block known bad
Success of emerging endpoint prevention solutions:
Real time
Policy based
– Tailor policies based on environment
Trust based
– Block all but known good
Objective of emerging endpoint prevention solutions:
Lock down endpoint/server
Reduce attack surface area
– Make it as difficult as possible for advanced attacker
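The following is an added illustration, not code from the Bit9 deck, of the two points made on the evasion slide and on this one: a hash-based signature blocklist misses a repacked (polymorphic) variant of known malware, while a trust-based default-deny allowlist blocks it, at the cost of also blocking legitimate software nobody has approved yet. The binaries are constructed byte strings standing in for executables, and the review-queue helper is hypothetical.

```python
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executables; a real tool would hash files on disk.
APPROVED_EDITOR = b"editor.exe v1 (approved by IT)"
MALWARE_ORIGINAL = b"dropper.exe v1"
MALWARE_REPACKED = b"dropper.exe v1 repacked with a new packer"  # polymorphic variant
NEW_BENIGN_TOOL = b"newtool.exe (legitimate, not yet approved)"

# Signature-based EPP: blocklist of hashes of malware already analysed by a vendor.
SIGNATURES = {sha256(MALWARE_ORIGINAL)}
# Default-deny: allowlist of hashes the organisation has decided to trust.
ALLOWLIST = {sha256(APPROVED_EDITOR)}


def signature_policy(binary: bytes) -> str:
    """Traditional model: block known bad, allow everything else."""
    return "block" if sha256(binary) in SIGNATURES else "allow"


def default_deny_policy(binary: bytes) -> str:
    """Trust-based model: allow only known good, block everything else."""
    return "allow" if sha256(binary) in ALLOWLIST else "block"


def compare(binaries: dict) -> dict:
    """Run both policies over a set of attempted executions."""
    return {name: {"signature": signature_policy(b), "default_deny": default_deny_policy(b)}
            for name, b in binaries.items()}


def blocked_unknowns(binaries: dict) -> list:
    """Hashes default-deny blocked without any signature match: the review queue an
    administrator works through when tailoring the policy to the environment."""
    return sorted(sha256(b) for b in binaries.values()
                  if default_deny_policy(b) == "block" and signature_policy(b) == "allow")


if __name__ == "__main__":
    samples = {"editor": APPROVED_EDITOR, "dropper": MALWARE_ORIGINAL,
               "repacked": MALWARE_REPACKED, "newtool": NEW_BENIGN_TOOL}
    for name, verdict in compare(samples).items():
        print(f"{name:9} signature={verdict['signature']:5} default_deny={verdict['default_deny']}")
    print("awaiting review:", blocked_unknowns(samples))
```

The repacked variant is the case the evasion slide describes: its hash matches no signature, so only the allowlist stops it.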

Reduce Attack Surface Across Kill Chain (annotated: prevention effective here)
Kill chain stages as on the Kill Chain slide: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, C2, Action

Detect in Real-time and Without Signatures
Traditional EPP failure:
Scan/sweep based
Small signature database
Success of emerging endpoint detection solutions:
Large global database of threat intelligence
Signature-less detection through threat indicators
Watchlists
Objective of emerging endpoint detection solutions:
Prepare for inevitability of breach and continuous state of compromise
Cover more of the kill chain than prevention
Enable rapid response

Reduce Attack Surface Across Kill Chain (annotated: prevention effective here, detection effective here)
Kill chain stages as on the Kill Chain slide: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, C2, Action

Rapidly Respond to Attacks in Motion
Traditional EPP failure:
Expensive external consultants
Relies heavily on disk and memory artifacts for recorded history
Success of emerging endpoint incident response solutions:
Real-time continuous recorded history delivers IR in seconds
– In centralized database
Attack process visualization and analytics
Better, faster and less expensive
Objective of emerging endpoint incident response solutions:
Pre-breach rapid incident response
Better prepare prevention moving forward

Current Failures Within the Incident Response Process (The Six-Step IR Process)
1. Preparation. Failure: no IR plan with processes and procedures in place
2. Identification & Scoping. Failure: no recorded history available to fully identify or scope the threat
3. Containment. Failure: threat not properly identified, so it cannot be fully contained
4. Eradication & Remediation. Failure: after failing to fully scope the threat, remediation is impossible
5. Recovery. Failure: organization resumes operations with a false sense of security
6. Follow Up & Lessons Learned. Failure: no post-incident process in place, or expert recommendations are not implemented

Real-time Visibility & Detection Drives Rapid Response
Visibility & Detection:
Real-time recorded history of entire environment
Detect known and unknown files as they appear
Know if and when you are under attack
Response:
Identify, scope, contain and remediate faster
Proactively respond to attacks in motion
Simplify and expedite investigations
Non-intrusive and no perceived end user impact

Advanced Threat Protection for Every Endpoint and Server (diagram built up over three slides, covering High-Risk/Targeted Users, Fixed-Function and Critical Infrastructure Devices, Data Center Servers and All Other Users, with the controls Watch and record, Stop all untrusted software, and Detect and block on the fly)

Bit9 + Carbon Black: Security Lifecycle in One Solution (lifecycle diagram: Prevent; Detect & Respond; stages Prevention, Visibility, Detection, Response)

Bit9 + Carbon Black
Reduce Your Attack Surface (Advanced Threat Prevention):
Market leader in Default-Deny
New signature-less prevention techniques
Proactive prevention mechanisms customizable for different users and systems
Rapidly Detect & Respond to Threats (Incident Response in Seconds):
Technology leader, purpose-built by experts
Super lightweight sensor that records and monitors everything and is deployable to every computer
Continuously monitor and record every endpoint/server

Bit9 + Carbon Black: Understanding the Entire Kill Chain
See the kill chain in seconds, from vulnerable processes to the persistent malicious service
Would take days or weeks to re-create using traditional tools


Takeaways
Reduce your attack surface with prevention
Prepare for inevitability of compromise
Detect in real time without signatures
Pre-breach rapid response in seconds with recorded history
Establish an IR plan
Understand the need for a security lifecycle
Fully deploy security solutions across entire environment
“In 2020, enterprises will be in a state of continuous compromise.”

Thank you! Q&A