Slide 1: Defeat Tomorrow’s Threats Today
Slide 2: Problems
- Evolving threat landscape
- Traditional security detection being bypassed
- Lack of enterprise incident response tools
Slide 3: Value Proposition
- Belief that your network is targeted by bad guys
- Belief that traditional detection is easily bypassed
- Desire for proactive early detection
- Desire to learn what adversaries are doing
- Want automated and scalable incident response
Slide 4: HBGary’s Big Picture
- Detection at Endpoints
- Forensic Analysis
- Incident Response
- Threat Mitigation
Slide 5: Physical Memory Forensics
- Endpoint Detection
- Digital DNA (Behavioral Analysis)
- Code Reverse Engineering
- Physical Memory Forensics

Speaker notes: Under the hood we start with physical memory. If you ever looked at a memory dump you’ll see that it is unstructured garble-dee-goop. HBGary has reverse engineered over 50 undocumented Windows structures to give you organized information about the data contained in memory. We uncover all digital objects, then run automated reverse engineering on each and every binary to uncover low-level behaviors. Digital DNA examines those behaviors to identify which binaries are malware.
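The slide describes turning raw memory into organized objects by knowing the structures the operating system keeps. The following is an added example, not HBGary's code and not a real Windows structure: it builds a small constructed memory image in which fixed-size process records sit in a circular doubly-linked list, parses them with `struct`, and then cross-checks a walk of the list against a scan of the raw bytes, which is how a memory forensics tool notices an object that was unlinked from the OS's own list (a rootkit technique) but is still present in memory. The record layout, the `Proc` tag, the field offsets and the sample processes are all assumptions of the example.

```python
"""Added example (not HBGary's code): parsing raw memory bytes into structured
objects and cross-viewing a list walk against a raw scan.  The record layout
below is an assumption for this example and matches no real Windows structure."""
import struct

# Constructed record layout (little-endian, 32 bytes):
#   offset 0:  4-byte tag b'Proc'
#   offset 4:  uint32 pid
#   offset 8:  uint32 flink  (image offset of the next record)
#   offset 12: uint32 blink  (image offset of the previous record)
#   offset 16: 16-byte NUL-padded image name
REC_FMT = "<4sIII16s"
REC_SIZE = struct.calcsize(REC_FMT)  # 32
TAG = b"Proc"


def build_image(procs, unlink=()):
    """Build a constructed memory image.  `procs` is a list of (pid, name);
    records are laid out back to back from offset 64 and linked circularly.
    pids in `unlink` are removed from the list (as DKOM-style hiding does)
    but their bytes stay in the image."""
    base = 64
    offs = [base + i * REC_SIZE for i in range(len(procs))]
    linked = [i for i, (pid, _) in enumerate(procs) if pid not in unlink]
    img = bytearray(base + len(procs) * REC_SIZE)
    for i, (pid, name) in enumerate(procs):
        if i in linked:
            pos = linked.index(i)
            flink = offs[linked[(pos + 1) % len(linked)]]
            blink = offs[linked[(pos - 1) % len(linked)]]
        else:
            # An unlinked record is left pointing at itself.
            flink = blink = offs[i]
        struct.pack_into(REC_FMT, img, offs[i], TAG, pid, flink, blink,
                         name.encode().ljust(16, b"\0"))
    return bytes(img), offs[0]


def parse_record(img, off):
    """Decode one record at `off`; raises if the tag is not there."""
    tag, pid, flink, blink, name = struct.unpack_from(REC_FMT, img, off)
    if tag != TAG:
        raise ValueError(f"no record at 0x{off:x}")
    return {"off": off, "pid": pid, "flink": flink, "blink": blink,
            "name": name.rstrip(b"\0").decode()}


def walk_list(img, head):
    """Follow flink pointers from the head until the list wraps around."""
    seen, out, off = set(), [], head
    while off not in seen:
        seen.add(off)
        rec = parse_record(img, off)
        out.append(rec)
        off = rec["flink"]
    return out


def scan_records(img):
    """Carve every record by its tag, ignoring the links entirely."""
    out = []
    for off in range(0, len(img) - REC_SIZE + 1, 4):
        if img[off:off + 4] == TAG:
            out.append(parse_record(img, off))
    return out


def hidden_processes(img, head):
    """Cross-view: pids the carver finds that the list walk does not."""
    listed = {r["pid"] for r in walk_list(img, head)}
    return sorted(r["pid"] for r in scan_records(img) if r["pid"] not in listed)


if __name__ == "__main__":
    # Constructed sample: three processes, one unlinked from the list.
    img, head = build_image([(4, "System"), (512, "lsass.exe"), (1337, "iimo.sys")],
                            unlink={1337})
    print("listed:", [r["name"] for r in walk_list(img, head)])
    print("hidden:", hidden_processes(img, head))
```

The list walk is what a live tool sees; the carver is what a memory image yields once the structure layout is known. The difference between the two views is the "uncover all digital objects" step the slide refers to.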
Slide 6: Digital DNA: Automated malware detection
- Digital object classification system
- 5000 software and malware behavioral traits
- Example: a huge number of key logger variants in the wild, but only about 6 logical ways to sniff a keystroke
Slide 7: Digital DNA: Ranking Software Modules by Threat Severity

[Figure: a ranked list of software modules; a blue bar shows the Digital DNA sequence as a row of hex trait codes (0B 8A C2 05 ... 0F 51 0F 64) for the binary iimo.sys, with its Software Behavioral Traits listed beneath.]

Speaker notes: Malware shows up as a red alert. Suspicious binaries are orange. For each binary we show its underlying behavioral traits. Examples of traits might be “packed with UPX”, “uses IRC to communicate”, or “uses kernel hooking, which may indicate the presence of a rootkit”. The blue bar shows the Digital DNA sequence for the binary iimo.sys.
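An added example of the ranking idea on this slide, not HBGary's code or scoring: each trait is a one-byte code with a weight, a module's sequence of codes is summed into a score, and the score is banded into red (malware), orange (suspicious) or green. The trait catalogue, the weights, the thresholds and the sample modules are constructed for the example; the `iimo.sys` sequence is assembled from the codes visible on the slide and is not the binary's real Digital DNA.

```python
"""Added example (not HBGary's Digital DNA): trait-weighted ranking of
software modules from a hex trait sequence.  Codes, weights and thresholds
are assumptions of this example."""

# Constructed trait catalogue: one-byte code -> (description, weight).
# Real Digital DNA has about 5000 traits; these few are illustrative.
TRAITS = {
    0x0B: ("packed with UPX", 1.0),
    0x51: ("uses IRC to communicate", 3.0),
    0x64: ("uses kernel hooking (possible rootkit)", 6.0),
    0x8A: ("reads keyboard state", 2.0),
    0xC2: ("hides its own process", 5.0),
    0x05: ("creates a Windows service", 0.5),
    0x0F: ("contains a crypto routine", 0.0),
}

# Severity bands, assumed for the example.
RED, ORANGE = 10.0, 4.0


def decode_sequence(seq_hex):
    """'0B 8A C2' -> [0x0B, 0x8A, 0xC2]."""
    return [int(b, 16) for b in seq_hex.split()]


def score_module(seq_hex):
    """Sum trait weights and band the result; unknown codes score 0 but are kept."""
    codes = decode_sequence(seq_hex)
    traits = [TRAITS.get(c, (f"unknown trait 0x{c:02X}", 0.0)) for c in codes]
    score = sum(w for _, w in traits)
    severity = "red" if score >= RED else "orange" if score >= ORANGE else "green"
    return {"score": score, "severity": severity, "traits": [d for d, _ in traits]}


def rank_modules(modules):
    """modules: {name: sequence}.  Returns (name, result) pairs, highest score first."""
    ranked = [(name, score_module(seq)) for name, seq in modules.items()]
    return sorted(ranked, key=lambda kv: kv[1]["score"], reverse=True)


# Constructed sample: iimo.sys is the name from the slide; the other two are invented.
SAMPLE = {
    "iimo.sys": "0B 8A C2 05 0F 51 0F 64",
    "notepad.exe": "0F 05",
    "updater.exe": "0B 51",
}

if __name__ == "__main__":
    for name, r in rank_modules(SAMPLE):
        print(f"{r['severity']:6} {r['score']:5.1f} {name}: {', '.join(r['traits'])}")
```

Because the score is built from behaviors rather than from a hash of the file, a new key logger variant that "reads keyboard state" lands in the same band as the old one, which is the point of the "6 logical ways to sniff a keystroke" remark on the previous slide.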
Slide 8: Efficacy Curve

[Chart: zero-knowledge detection rate over time. DDNA: detecting more (> 80%), efficacy is rising. Signatures: detecting very little, and the scaling issue is getting worse.]
Slide 9: Active Defense: Endpoint Visibility

[Diagram: a web-based console connects over https to the Active Defense (AD) server, which reaches hosts across the network. Host information sources: Digital DNA™, Physical Memory, Raw Physical Disk, Live Operating System, Event Timeline.]
Slide 10: Efficacy of IOC Scans

[Chart: indicator lifetime (Minutes, Hours, Days, Weeks, Months, Years) by indicator type. Indicator classes: Blacklists, Signatures, NIDS sans address, Code-level IOC’s. Indicators plotted: IP Address, DNS Name, Protocol, Checksums, Install Hooks, Algorithms, Developer Toolmarks.]
Slide 11: Traditional Forensics and Incident Response are Difficult
- Requires lots of technical expertise
- Time consuming
- Expensive
- Doesn’t scale

Speaker notes: Traditional methods to analyze memory and malware are difficult. They require expertise, are time consuming and expensive, and they don’t scale.
Slide 12: Responder Professional
Slide 13: Threat Mitigation: Bolster network defense through intelligence
- Develop new network device signatures
- Inoculation Shot
- Alternative to re-imaging
- Enterprise malware removal
Slide 14: Integration with McAfee ePO

[Diagram: Responder Professional, ePO Console, ePO Server, ePO Agents (Endpoints), HBGary Active Defense Server, HBG Extension, HBGary DDNA; flows labeled Schedule, Licensing, SQL, Events, Search, Collect.]

Speaker notes: DDNA is automatically installed across the enterprise by ePO. We give ePO a couple of zip files. ePO installs HBGary code onto the ePO server and onto each endpoint. The ePO scheduler tells DDNA when to run on each endpoint. We run, examine memory, create DDNA alerts, and hand the alerts and traits to the ePO agent, which sends them to the ePO SQL server. The DDNA alerts are displayed on the ePO console. DDNA is not installed as an agent. It is a command line utility that loads and runs when ePO tells it to. After executing, DDNA exits memory. ePO’s AV, firewall and HIDS run 24x7 as services. DDNA runs at a point in time to find malware.