©2014 Bit9. All Rights Reserved The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain Chris Berninger, Sr. Solutions Engineer, Bit9

The Malware Problem By the Numbers 66% of malware took months or even years to discover (up 10% from previous year) 1 69% of intrusions are discovered by an external party Verizon Data Breach Investigations Report | 2. McAfee Threats Report: First Quarter 2013 | 3. Ponemon Institute 2013 Cost of a Data Breach Study $5.4M The average total cost of a data breach 3 155k The number of new malware samples that are seen daily 2 The number of breaches that incorporated malware 1 40%

Malware: Actors + Actions + Assets = Endpoint ActorsActions Assets *2013 Verizon Data Breach Report

Why is the Endpoint Under Attack? 1. Host-based security software still relies on AV signatures –Antivirus vendors find a routine process: Takes time and can no longer keep up with the massive malware volume –Host-based security software’s dependency on signatures and scanning engines remains an Achilles heel when addressing modern malware 2. Evasion techniques can easily bypass host-based defenses –Malware writers use compression and encryption to bypass AV filters –Malware developers use software polymorphism or metamorphism to change the appearance of malicious code from system to system 3. Cyber adversaries test malware against popular host-based software –There are criminal web sites where malware authors can submit their exploits for testing against dozens of AV products

Significant Data Breaches in Last Twelve Months Jan Feb March April May June July Sept Oct Nov Dec Aug

A New Generation of Security is Coming… Next-Gen Prevention “Reduce your attack surface” Block newly discovered attacks on the fly Threat Detection & Response “Respond quickly when under attack” Pervasive monitoring and centralized recording As defined by Gartner

Detection effective here Prevention effective here Reducing Your Attack Surface Across the Kill Chain Reconnaissance Attacker Researches potential victim Weaponization Attacker creates deliverable payload Delivery Attacker transmits weapon in environment Exploitation Attacker exploits vulnerability Installation Attacker changes system configuration C2 Attacker establishes control channel Action Attacker attempt to exfiltrate data

Real-time Visibility & Detection (Bit9) vs. Scan-based (AV) Unknown malware Known malware

Real-time Visibility & Detection Enables Rapid Response Visibility & Detection Real-time recorded history of entire environment Detect known and unknown files as they happen Know if and when you are under attack Visibility & Detection Real-time recorded history of entire environment Detect known and unknown files as they happen Know if and when you are under attack Response Identify, scope, contain and remediate faster Proactively respond to attacks in motion Simplify and expedite investigations Non-intrusive and no perceived end user impact Response Identify, scope, contain and remediate faster Proactively respond to attacks in motion Simplify and expedite investigations Non-intrusive and no perceived end user impact Next-gen Security Needs:

Failures Within the IR Process Preparation Failure: No IR plan with processes and procedures in place Identification & Scoping Failure: Do not have recorded history to fully identify or scope threat Containment Failure: Does not properly identify threat so cannot fully contain Eradication & Remediation Failure: After failing to fully scope threat, remediation is is impossible Recovery Failure: Organization resumes operations with false sense of security Follow Up & Lessons Learned Failure: No post-incident process in place or does not implement expert recommendations The Six-Step IR Process

Response Process Simplified Identify Scope Contain Remediate

Response Process Pre and Post Bit9: Identify Seek InformationReview System Changes Malware Analysis Gather artifacts: File, System and Network Information 1.First name 2.Hash, Trust 3.Time first seen 4.Group (relation) 5.Connector alert 1.First name 2.Hash, Trust 3.Time first seen 4.Group (relation) 5.Connector alert Identify Scope Contain Remediate

Response Process Pre and Post Bit9: Identify Seek InformationReview System Changes Malware Analysis Gather artifacts: File, System and Network Information 1.Search machine 2.History of change and events 1.Search machine 2.History of change and events Identify

Response Process Pre and Post Bit9: Identify Seek InformationReview System Changes Malware Analysis Gather artifacts: File, System and Network Information Identify 1.SRS Analysis 2.Acquire file remotely 3.Submit to Connector 1.SRS Analysis 2.Acquire file remotely 3.Submit to Connector

Response Process Pre and Post Bit9: Scope Discover all compromised systems Determine attack progression, propagate, what systems are and have been impacted Review Attack HistoryIdentify All Systems Find Patient Zero Complete history of files (the attack) Identify Scope Contain Remediate

Response Process Pre and Post Bit9: Scope Discover all compromised systems Determine attack progression, propagate, what systems are and have been impacted Review Attack HistoryIdentify All Systems Find Patient Zero Complete history of machines the files are, and were, on And where executed Complete history of machines the files are, and were, on And where executed Scope

Response Process Pre and Post Bit9: Scope Discover all compromised systems Determine attack progression, propagate, what systems are and have been impacted Review Attack HistoryIdentify All Systems Find Patient Zero Patient 0 (Initial attack vector) Patient 0 (Initial attack vector) Scope

Response Process Pre and Post Bit9: Contain Short term steps to halt the attack: Block or ban content Halt ExfiltrationDisrupt Attack Ban Globally, stop further executions Identify Scope Remediate Contain

Response Process Pre and Post Bit9: Remediate Review PostureUpdate Prevention & Detection Longer term changes to prevent & detect attacks Update policies across an organization Review Policy For endpoint controls Review Policy For endpoint controls Identify Scope Contain Remediate

Response Process Pre and Post Bit9: Remediate Review PostureUpdate Prevention & Detection Longer term changes to prevent & detect attacks Update policies across an organization Update Prevention policies Update detection Capabilities Update Prevention policies Update detection Capabilities Update Prevention policies Update detection Capabilities Update Prevention policies Update detection Capabilities Remediate

Full Visibility Fuels Full Detection & Response Without Bit9 fully deployed Limited coverage = limited security With Bit9 fully deployed

Takeaways Assume you will get breached Reduce your attack surface with visibility & detection How to do this? –Have real-time recorded history that continuous monitors and records every endpoint/server –Detect both known and unknown malware without signatures –Rapidly respond using recorded history Establish an IR plan Understand security solutions that can simplify and expedite response Fully deploy security solutions across entire environment Limited coverage means limited visibility, detection, response and prevention “In 2020, enterprises will be in a state of continuous compromise.”

Bit9 Benefits Always know what’s on your endpoints and servers Detect and stop advanced threats Reduce incident response time Reduce remediation time Improve compliance Know what’s running on every endpoint and server right now See and record everything; detect threats in real-time without signatures New proactive, signature-less prevention techniques A full history about what’s happened on every machine; contain and control threats Integrate network and endpoint security for real- time response and prevention Visibility Integration Prevention Detection Response

Thank you! Q&A