Automate, or Die Building a Continuous Response Architecture


1 Automate, or Die Building a Continuous Response Architecture

2 Compromise is Inevitable
205 Days to Discover*
Breaches up 120% YoY
69% Discovered Externally**
Total cost of US breaches: $100B
$5.4 Million Average Cost***
Attacker only has to be successful once… but the defender has to stop 100% of attacks
#ISR

It’s a scary world out there, and each and every one of us knows this. Compromise is inevitable, but a data breach is not. So why then are data breaches on the rise, costing organizations billions of dollars? You’re using outdated tools in a modern war.

* M-Trends   ** VDBIR   *** Ponemon, Verizon

3 Traditional Defenses Were Designed for Opp. Attacks
[Chart: hosts compromised over time, plotted against a DETECTION THRESHOLD]
OPPORTUNISTIC: goal for attacker is to compromise as many endpoints as possible; the curve crosses the detection threshold and a signature becomes available.
ADVANCED: goal for attacker is to compromise as few endpoints as possible; the curve stays below the detection threshold and a signature becomes available late, if ever.

When we look at solutions today, many are still signature-based AV. Opportunistic attacks find value in scale: their goal is to compromise as many hosts (endpoints) as possible over a very short period of time. As a result, they pop above this detection threshold and generate a signature in the process, rendering antivirus solutions more effective against them. Advanced attacks disrupt this balance by compromising only a targeted number of endpoints, remaining below the detection threshold and going extended periods without generating a signature (if ever).

4 Tailored Attacks Require Tailored Defenses
70% of Malware is Used Only Once
Tailored Attacks Require Tailored Defenses

With 70% of malware only being used once, you can’t detect what is bad ahead of time. Signatures simply won’t work. Custom malware requires custom solutions, designed with an understanding of your environment. As tailored attacks become more sophisticated, organizations need to tailor their defenses to build fit-for-purpose security.

5 INTEGRATE, or DIE AUTOMATE, or DIE
Tailored Defenses Require Integration
SIEM, Threat Intelligence, Endpoint, IPS/IDS, Mobile, Firewall, NAC, Sandbox

One-size-fits-all solutions that simply try to put your organization into a box will not cut it against a dedicated attacker. Security must become integrated and customized to meet the needs of your organization. You need EVERYTHING speaking the same language, using APIs, and sharing information to provide your team with maximum context. Those who fail to integrate will die, and I’d go even further and say that those who fail to leverage integrations to automate security will find themselves not much better off, as they get buried manually responding to alerts.

6 Security as a unified process vs a collection of solutions
So we need to start thinking about security as a unified process, not simply a collection of tools.

7 Arm Your Endpoints!
Organizations continue to spend a lot of money on network security solutions, but it’s the endpoint that is the ultimate target of advanced threats and attacks.
July 2014

To do this, you have to first think about what tools are most important. At Bit9 + Carbon Black, we are all about helping you protect your endpoints from advanced threats. There’s a lot of talk these days about network security, and a lot of money is spent on network security, but it’s important to remember that the ultimate target of advanced threats and attacks is your endpoints and servers, not your network. The network is not the target; attackers are after your digital assets (your customer data, intellectual property, confidential documents, etc.) and that’s all stored on your endpoints and servers. They attack your network as a way to get to your endpoints and servers.

8 Carbon Black: Industry’s Best ETDR Solution
First & only solution with continuous endpoint recording and live response
CONTINUOUS RECORDING: continuous endpoint recorder; instant, aggregated threat intel.; complete kill chain analysis; customized detection
LIVE RESPONSE: immediate endpoint threat isolation; live endpoint investigation; real-time attack termination; comprehensive threat remediation

So we think the first thing any organization must do is gain real-time visibility across their organization. You can’t do anything without data.

9 Reduce Dwell Time By Prioritizing Data Collection
[Timeline: Compromised (attacker present) → Breach Discovered (attacker identified) → Recovered (attacker expelled); the DETECTION, RESPONSE and RECOVERY phases together make up DWELL TIME]
Proactively collecting data before discovery is automated, efficient & conclusive.
Reactively collecting data after discovery is time consuming, expensive & incomplete.
Eliminate expensive data collection process
Optimize security team
Instant answers to complex IR questions
Avoid blind reimaging
Zero end-user/endpoint impact
Reduce dwell time

When we look at the breadth of an attack, from the moment an attacker is present, to when the breach is discovered, to ultimately when we’ve recovered and remediated the threat, that entire time the attacker is dwelling in your environment. If you’re collecting data after you’ve discovered an attack, it’s time consuming, expensive and incomplete. If you can proactively collect data even before compromise, it’s automated, efficient and conclusive. You can also accelerate threat discovery and your response, drastically reducing dwell time in the process.

10 Expand Detection Beyond the Moment of Compromise
Traditional focus: only see the individual detection event (the tip of the iceberg)
Missed without continuous data collection: abnormal behavior (you can’t know what’s bad ahead of time); lateral movement & user accounts; exfiltration & data gathering; weeks to months (years) of activity

When you look at the traditional detection focus, it’s the tip of the iceberg. It focuses on an individual event as it pertains to an individual endpoint. Without continuous data collection you miss abnormal behavior, lateral movement, data exfiltration and more. Because you can’t know what’s bad ahead of time, you need to proactively collect everything.

11 Prioritize Alerts with Data Collection & Threat Intelligence
ALERT FATIGUE: too many alerts to manage & prioritize
ACTIONABLE ALERTS: accelerate threat discovery; customize detection for organization; detect every threat vector; narrow focus by understanding data
[Figure: a wall of alerts on the Detection side reduced to a few on the Discovery side]

Another common problem is alert fatigue, where your organization has too many alerts to manage and prioritize. If we can apply threat intelligence on top of that continuous data collection, or visibility, you can develop actionable alerts that accelerate threat discovery and speed investigations.

12 Respond at the Moment of Discovery
[Attack chain, recorded and shown at the moment it is DISCOVERED: User visits website → Is sent malicious Java applet → Spawns first stage payload → Spawns second stage payload → Injects code into Windows Explorer → Takes malicious actions → Lateral Movement. Also marked on the chain: Deleted Payload, Downloads PDF]
Instantly “roll back the tape” with a recorded history to understand scope
Prioritize investigations with applied threat intelligence
Learn from investigation to build detection moving forward

By leveraging a recorded history you can “roll back the tape” no matter when you discovered the attack, to understand the entire scope and breadth of the attack, even if it moved laterally and even if it deleted payloads to try and clean up its tracks. Also, by applying threat intelligence on top of that visibility you can instantly classify attacks during your investigation to immediately contain, respond to and remediate threats. Additionally, it’s important to evolve, adapt and learn from any investigation, and Carbon Black enables you to develop custom watchlists (or detection events) based off of your investigation to detect the same attack in real time moving forward.
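The “roll back the tape” idea above, worked through as an added example (this is not code from the presentation or from the Carbon Black product, and the record schema, host names, hashes, addresses and the 60-second lateral-movement window are all constructed for illustration). Given a recorded history of process starts, code injections, network connections and self-deletions, it walks backwards from the discovered process to the entry point and forwards to everything the attacker controlled, including the payload that deleted itself and the hop to a second host. It goes slightly beyond the slide by treating an injection as a parent link, which is what lets the explorer.exe activity be attributed to the second-stage payload rather than to the user’s desktop session.

```python
"""Scope an intrusion by "rolling back the tape" over a recorded process
history.  Added example: the record schema, the sample events and the lateral
movement heuristic are constructed for illustration and are not the Carbon
Black data model, query language or API."""
from collections import defaultdict

# Which recorded host owns which address (constructed).
HOST_IPS = {"WS01": "10.0.0.2", "FS01": "10.0.0.7"}
IP_TO_HOST = {ip: host for host, ip in HOST_IPS.items()}
LATERAL_WINDOW = 60  # seconds between an SMB connection and a remote logon on the target

# Constructed recorded history mirroring the slide's chain: browser -> Java
# applet -> first stage (deletes itself) -> second stage -> injects into
# explorer.exe -> beacons out and moves laterally with psexec.
EVENTS = [
    {"id": "p1", "ts": 100, "host": "WS01", "parent": None, "image": "iexplore.exe"},
    {"id": "p2", "ts": 105, "host": "WS01", "parent": "p1", "image": "java.exe"},
    {"id": "p3", "ts": 106, "host": "WS01", "parent": "p2", "image": "stage1.exe",
     "md5": "d41d8cd98f00b204e9800998ecf8427e", "deleted": True},
    {"id": "p4", "ts": 110, "host": "WS01", "parent": "p3", "image": "stage2.exe",
     "md5": "0cc175b9c0f1b6a831c399e269772661", "injects": ["p5"]},
    {"id": "p5", "ts": 10, "host": "WS01", "parent": None, "image": "explorer.exe",
     "netconns": ["203.0.113.9:443"]},          # pre-existing process, hijacked by p4
    {"id": "p6", "ts": 200, "host": "WS01", "parent": "p5", "image": "psexec.exe",
     "netconns": ["10.0.0.7:445"]},
    {"id": "p7", "ts": 203, "host": "FS01", "parent": None, "image": "cmd.exe",
     "remote_logon_from": "10.0.0.2"},
    {"id": "p8", "ts": 120, "host": "WS01", "parent": "p1", "image": "AcroRd32.exe"},  # unrelated sibling
    {"id": "p9", "ts": 900, "host": "FS01", "parent": None, "image": "notepad.exe",
     "remote_logon_from": "10.0.0.2"},          # same source, far too late to be this intrusion
]


def index(events):
    by_id = {e["id"]: e for e in events}
    children = defaultdict(list)
    injected_by = {}
    for e in events:
        if e["parent"]:
            children[e["parent"]].append(e["id"])
        for target in e.get("injects", []):
            injected_by[target] = e["id"]  # the injector controls the target from now on
    return by_id, children, injected_by


def root_chain(by_id, injected_by, pid):
    """Walk from the discovered process back to the entry point.  An injection
    is followed in preference to the real parent, because the code running in
    the target came from the injector, not from whoever launched the target."""
    chain, seen = [], set()
    while pid and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = injected_by.get(pid) or by_id[pid]["parent"]
    return chain[::-1]


def lateral_targets(events, e):
    """Processes on another recorded host that started under a remote logon
    from this process's host shortly after it connected to that host."""
    out = []
    for conn in e.get("netconns", []):
        target_host = IP_TO_HOST.get(conn.rsplit(":", 1)[0])
        if target_host is None:
            continue  # external address: an IOC, not lateral movement
        out += [o["id"] for o in events
                if o["host"] == target_host
                and o.get("remote_logon_from") == HOST_IPS[e["host"]]
                and e["ts"] <= o["ts"] <= e["ts"] + LATERAL_WINDOW]
    return out


def scope(events, discovered):
    by_id, children, injected_by = index(events)
    chain = root_chain(by_id, injected_by, discovered)
    # The entry process (here the browser) is legitimate software with
    # unrelated children, so forward expansion starts at the exploited child,
    # the first process the attacker controls.
    stack = chain[1:] or chain
    involved = set()
    while stack:
        pid = stack.pop()
        if pid in involved:
            continue
        involved.add(pid)
        e = by_id[pid]
        stack += children[pid] + e.get("injects", []) + lateral_targets(events, e)
    procs = [by_id[p] for p in sorted(involved)]
    external = {c.rsplit(":", 1)[0] for p in procs for c in p.get("netconns", [])}
    return {
        "root_cause": [by_id[p]["image"] for p in chain],
        "hosts": sorted({p["host"] for p in procs}),
        "processes": sorted(involved),
        "deleted_payloads": [p["md5"] for p in procs if p.get("deleted")],
        "iocs": {"md5": sorted(p["md5"] for p in procs if "md5" in p),
                 "ips": sorted(ip for ip in external if ip not in IP_TO_HOST)},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(scope(EVENTS, "p6"), indent=2))
```

Discovering the attack at psexec.exe (p6) recovers the whole chain back to the browser, pulls in the self-deleted first stage by its recorded hash, and follows the SMB connection to the cmd.exe that started on FS01 three seconds later, while leaving out the unrelated Acrobat process and the later, unrelated remote logon. The hashes and the external address come out as indicators that can seed a watchlist. One limitation worth knowing: if the intrusion is first discovered on FS01, this walk returns only the remote process, because the hop is only traced from source to target; the symmetric search (remote logon back to the connection that preceded it) is what a real recorder would need to add.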

13 Drive Action on Endpoints with Live Response
Live response actions: ISOLATE MACHINE; BLOCK NETWORK COMMUNICATION; KILL ATTACK PROCESS; IDENTIFY ROOT CAUSE & REMEDIATE
Use one IR solution without dropping admin credentials
Built by responders for responders
Customize on-sensor actions by executing third-party tools
Remove IT from the SecOps equation
MODERN VIEW: one comprehensive IR solution, instead of responders managing multiple tools for continuous recording & live response

Use one solution to understand the scope of each attack, but also to drive action on identified threats. Why use one solution? Because it makes automation simpler. This affords responders time to perform more surgical investigations, kill attack processes and get full remediation, all in one experience.

14 Security as a unified process vs a collection of solutions
So like I said earlier, security is more than a collection of tools. It’s more than just endpoint. It needs to be a unified process.

15 AUTOMATE, or DIE
Tailored Defenses Require Automation
SIEM, Threat Intelligence, Endpoint, IPS/IDS, Mobile, Firewall, NAC, Sandbox

Those organizations who are best able to strategically invest in tools that provide best-of-breed data collection, detection and response capabilities will be those with the funds available to truly build continuous response architectures, by automating their people, processes and technology together to create a single positive feedback loop.

16 Connect: Integrate & Automate the Entire Security Stack
Open APIs to integrate with third-party and in-house tools
“We’ve integrated Bit9 + Carbon Black into our entire security stack.” – Senior Architect, Leading Internet Entertainment Provider

At Bit9 + Carbon Black, we want to make integrating and ultimately automating your security tools as easy as possible. It’s why all of our products come standard with rich APIs and a wide ecosystem of plug-and-play integrations, so that you can get the most out of your security investment. Let’s just take a second to talk through how just one or two of these integrations alone can dramatically reduce alert fatigue and improve incident response times. (Pick a couple of examples to talk to.)

17 Public API; User Community; Developer Relations
But we don’t just stop at providing APIs and plug-and-play integrations; we open-source the entire process. Why? Because, as I said earlier, security must become tailored to the unique needs of your organization, and that requires the ability to customize to your environment. To make this easy and to help encourage a community of support around this concept, we post all our code to GitHub and encourage people to contribute, so our customers can continue to get more out of their investment and reduce the amount of time it takes you to respond to an incident.

18 Moving from Integration to Automation
[Flow: Alert Generated → Alert Enriched (Threat Intelligence; CROSS CHECK for context against User Profile & Behaviors and Device History) → Remediation Actions (Kill Process, Gathers Forensics; Blocks IPs; Enrolls User in Education Training)]

So I’ve mentioned this concept of a continuous response architecture a couple of times, but let’s take a look at what a truly automated security program might look like with Carbon Black. Let’s say WildFire pings off an alert. With our PAN integration, this alert would automatically be sent to Carbon Black, where it would be correlated to identify if any devices are infected. If so, through our threat intelligence cloud or by connecting any third-party threat intel you may subscribe to, you could quickly gain context into this malware and any specific threat actor groups or campaigns it is associated with. You can see if it ever ran in your environment and, depending on how you have Carbon Black configured, if those results are significant enough or tied to a high-risk user, you could have Carbon Black automatically kill the process, delete the file, and ban it from ever executing on any other device in your environment. Additionally, if you’ve connected Carbon Black to a DNS firewall you could ban the IP addresses or domains it connected to, and if it came through an email or malicious USB, automatically enroll that end user in education training to reduce the risk of future infection. All of this activity is then recorded and fed back into the system so that your team can optimize the settings and policies you put in place to continuously reduce your attack surface. This is the type of continuous response architecture Carbon Black customers are building today through our APIs, and that you could take advantage of in your organization.
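The loop described above, and the alert prioritization from the “Prioritize Alerts with Data Collection & Threat Intelligence” slide, as one added example (not code from the presentation, and not the WildFire, Carbon Black or DNS firewall API): a sandbox alert is enriched with a threat intelligence score, correlated against the endpoints where the sample actually executed, turned into actions by a policy that applies a lower auto-kill bar for high-risk users, dispatched to per-integration handlers, and returned as a record that can be fed back for tuning. The alert, the intel feed, the execution records, the user list, the policy thresholds and the handlers are all constructed stand-ins.

```python
"""One pass of a continuous response loop for a sandbox alert: enrich with
threat intelligence, correlate against what actually executed, decide by
policy, act, and record the outcome for tuning.  Added example: the alert,
the feeds, the execution records and the action handlers are constructed
stand-ins; none of this is the WildFire, Carbon Black or DNS firewall API."""

HASH = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# Constructed inputs -------------------------------------------------------
SANDBOX_ALERT = {"sha256": HASH, "verdict": "malware",
                 "domains": ["update-check.example.net"], "ips": ["198.51.100.23"]}
THREAT_INTEL = {HASH: {"score": 90, "campaign": "constructed-campaign-A"}}
EXECUTIONS = [  # what the endpoint recorder saw run, with how the file arrived
    {"host": "WS01", "user": "alice", "sha256": HASH, "pid": 4242, "vector": "email"},
    {"host": "WS07", "user": "cfo", "sha256": HASH, "pid": 1337, "vector": "usb"},
    {"host": "WS09", "user": "bob", "sha256": "f" * 64, "pid": 99, "vector": "web"},
]
HIGH_RISK_USERS = {"cfo"}
POLICY = {"kill_score": 80,            # auto-kill when the intel score reaches this ...
          "high_risk_kill_score": 50,  # ... or this, for users attackers go after
          "train_vectors": {"email", "usb"}}


def enrich(alert, intel):
    """Attach the feed's verdict; an unknown hash scores 0 and is never auto-actioned."""
    return {**alert, **intel.get(alert["sha256"], {"score": 0, "campaign": None})}


def correlate(alert, executions):
    """Only hosts where the sample actually ran are candidates for disruption."""
    return [x for x in executions if x["sha256"] == alert["sha256"]]


def decide(alert, hits, policy, high_risk):
    actions = []
    if not hits:  # never ran here: watch for it, do not disturb anyone
        return [("watchlist", alert["sha256"])]
    for h in hits:
        bar = policy["high_risk_kill_score"] if h["user"] in high_risk else policy["kill_score"]
        if alert["score"] >= bar:
            actions += [("kill", h["host"], h["pid"]), ("delete", h["host"], alert["sha256"])]
        else:
            actions.append(("analyst_review", h["host"]))  # below the bar: a human decides
        if h["vector"] in policy["train_vectors"]:
            actions.append(("enroll_training", h["user"], h["vector"]))
    actions.append(("ban_hash", alert["sha256"]))  # stop the next host before it runs
    actions += [("block_domain", d) for d in alert["domains"]]
    actions += [("block_ip", i) for i in alert["ips"]]
    return list(dict.fromkeys(actions))  # dedupe, keep order


def execute(actions, handlers):
    """Dispatch each action to its integration.  A missing handler is recorded
    rather than silently dropped, so the gap shows up in the feedback record."""
    return [(a, handlers[a[0]](*a[1:]) if a[0] in handlers else "no-handler") for a in actions]


# Constructed handlers: each returns what a real integration call would report.
HANDLERS = {
    "kill": lambda host, pid: f"killed pid {pid} on {host}",
    "delete": lambda host, sha: f"deleted {sha[:8]} on {host}",
    "ban_hash": lambda sha: f"banned {sha[:8]} on every endpoint",
    "block_domain": lambda d: f"sinkholed {d}",
    "block_ip": lambda ip: f"blocked {ip}",
    "enroll_training": lambda user, vector: f"{user} enrolled for {vector} awareness",
    "analyst_review": lambda host: f"queued {host} for analyst review",
    "watchlist": lambda sha: f"watching for {sha[:8]}",
}


def respond(alert, intel=THREAT_INTEL, executions=EXECUTIONS,
            policy=POLICY, high_risk=HIGH_RISK_USERS):
    enriched = enrich(alert, intel)
    hits = correlate(enriched, executions)
    actions = decide(enriched, hits, policy, high_risk)
    return {"alert": enriched, "affected": [h["host"] for h in hits],
            "actions": actions, "outcomes": execute(actions, HANDLERS)}


if __name__ == "__main__":
    for action, outcome in respond(SANDBOX_ALERT)["outcomes"]:
        print(action, "->", outcome)
```

With the feed scoring the sample 90, both hosts get the process killed and the file deleted, alice is enrolled for email awareness and the cfo for USB awareness, the hash is banned everywhere and the C2 domain and address are blocked. Drop the score to 60 and the policy diverges the way the slide describes: the cfo’s machine is still cleaned automatically because of the lower high-risk bar, while alice’s is only queued for an analyst. A hash that never executed anywhere produces a watchlist entry and nothing else, which is the part that keeps automation from becoming self-inflicted outage. The returned record is what gets written back so the thresholds can be tuned against real outcomes.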

19 Bit9 + Carbon Black: Arm Your Endpoints
Bit9, The Most Comprehensive Endpoint Threat Protection Solution, for IT and Security Teams managing desktops, servers, and fixed-function devices: world’s most widely deployed application control/whitelisting solution; single agent for visibility, detection, response, prevention; trust-based and policy-driven.
Carbon Black, The Leading Endpoint Threat Detection and Response Solution, for Security Operations Center and Incident Response Teams: only solution with continuous recording, live response, threat isolation, termination and remediation; real-time customizable detection; complete kill chain analysis based on recorded history and attack visualization.
Threat Intelligence Cloud: Reputation, Threat Indicators, Attack Attribution
Open API and Integrations: Network Security, Analytics and SIEM, In-House & Custom Tools
Supported Operating Systems (listed for each product)

Again, we’re Bit9 + Carbon Black…

20 Questions?

