Presentation is loading. Please wait.

Presentation is loading. Please wait.

©2014 Bit9. All Rights Reserved The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain Mary Ann Fitzsimmons Regional.

Published byBruce Cornish Modified over 10 years ago

Similar presentations

Presentation on theme: "©2014 Bit9. All Rights Reserved The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain Mary Ann Fitzsimmons Regional."— Presentation transcript:

1 ©2014 Bit9. All Rights Reserved The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain Mary Ann Fitzsimmons Regional Director

2 Significant Data Breaches in Last Twelve Months Jan Feb March April May June July Sept Oct Nov Dec Aug

3 ©2014 Bit9. All Rights Reserved

4 Malware: Actors + Actions + Assets = Endpoint ActorsActions Assets 2013 Verizon Data Breach Investigations Report

5 Why is the Endpoint Under Attack? 1. Host-based security software still relies on AV signatures –Antivirus vendors find a routine process: Takes time and can no longer keep up with the massive malware volume –Host-based security software’s dependency on signatures and scanning engines remains an Achilles heel when addressing modern malware 2. Evasion techniques can easily bypass host-based defenses –Malware writers use compression and encryption to bypass AV filters –Malware developers use software polymorphism or metamorphism to change the appearance of malicious code from system to system 3. Cyber adversaries test malware against popular host-based software –There are criminal web sites where malware authors can submit their exploits for testing against dozens of AV products

6 The Malware Problem By the Numbers 66% of malware took months or even years to discover (dwell time) 1 69% of intrusions are discovered by an external party 1 1. 2013 Verizon Data Breach Investigations Report | 2. McAfee Threats Report: First Quarter 2013 | 3. Ponemon Institute 2013 Cost of a Data Breach Study $5.4M The average total cost of a data breach 3 155k The number of new malware samples that are seen daily 2

7 The State of Information Security NetDiligence, 2013 Cyber Liability & Data Breach Insurance Claims 2013 Verizon Data Breach Investigations Report

8 The State of Information Security Compromise happens in seconds Data exfiltration starts minutes later It continues undetected for months Remediation takes weeks At $341k per incident in forensics costs THIS IS UNSUSTAINABLE

9 The Kill Chain Reconnaissance Attacker Researches potential victim Weaponization Attacker creates deliverable payload Delivery Attacker transmits weapon in environment Exploitation Attacker exploits vulnerability Installation Attacker changes system configuration C2 Attacker establishes control channel Action Attacker attempt to exfiltrate data

10 Protection = Prevention, Detection and Response “Security…will shift to rapid detection and response capabilities linked to protection systems to block further spread of the attack.” “Functions organize basic cybersecurity activities at their highest level. These Functions are: Identify, Protect, Detect, Respond, and Recover.” Gartner Endpoint Threat Detection and Response Tools and Practices, Sept. 2013 NIST Cybersecurity Framework for Critical Infrastructure, Feb 2014

11 Prevent Detect & Respond Prevention Visibility Detection Response Need a Security Lifecycle to Combat Advanced Threats

12 Reduce Attack Surface with Default-Deny Traditional EPP failure Scan/sweep based Signature based –Block known bad Success of emerging endpoint prevention solutions Real time Policy based –Tailor policies based on environment Trust based –Block all but known good Objective of emerging endpoint prevention solutions Lock down endpoint/server Reduce attack surface area –Make it as difficult as possible for advanced attacker Prevention Visibility Detection Response Visibility

13 Prevention effective here Reduce Attack Surface Across Kill Chain Reconnaissance Attacker Researches potential victim Weaponization Attacker creates deliverable payload Delivery Attacker transmits weapon in environment Exploitation Attacker exploits vulnerability Installation Attacker changes system configuration C2 Attacker establishes control channel Action Attacker attempt to exfiltrate data

14 Prevention Visibility Detection Response Visibility Detect in Real-time and Without Signatures Traditional EPP failure Scan/sweep based Small signature database Success of emerging endpoint detection solutions Large global database of threat intelligence Signature-less detection through threat indicators Watchlists Objective of emerging endpoint detection solutions Prepare for inevitability of breach and continuous state of compromise Cover more of the kill chain than prevention Enable rapid response

15 Detection effective here Prevention effective here Reduce Attack Surface Across Kill Chain Reconnaissance Attacker Researches potential victim Weaponization Attacker creates deliverable payload Delivery Attacker transmits weapon in environment Exploitation Attacker exploits vulnerability Installation Attacker changes system configuration C2 Attacker establishes control channel Action Attacker attempt to exfiltrate data

16 Prevention Visibility Detection Response Visibility Rapidly Respond to Attacks in Motion Traditional EPP failure Expensive external consultants Relies heavily on disk and memory artifacts for recorded history Success of emerging endpoint incident response solutions Real-time continuous recorded history delivers IR in seconds –In centralized database Attack process visualization and analytics Better, faster and less expensive Objective of emerging endpoint incident response solutions Pre-breach rapid incident response Better prepare prevention moving forward

17 Current Failures Within the Incident Response Process Preparation Failure: No IR plan with processes and procedures in place Identification & Scoping Failure: Do not have recorded history to fully identify or scope threat Containment Failure: Does not properly identify threat so cannot fully contain Eradication & Remediation Failure: After failing to fully scope threat, remediation is is impossible Recovery Failure: Organization resumes operations with false sense of security Follow Up & Lessons Learned Failure: No post-incident process in place or does not implement expert recommendations The Six-Step IR Process

18 Real-time Visibility & Detection Drives Rapid Response Visibility & Detection Real-time recorded history of entire environment Detect known and unknown files as they appear Know if and when you are under attack Visibility & Detection Real-time recorded history of entire environment Detect known and unknown files as they appear Know if and when you are under attack Response Identify, scope, contain and remediate faster Proactively respond to attacks in motion Simplify and expedite investigations Non-intrusive and no perceived end user impact Response Identify, scope, contain and remediate faster Proactively respond to attacks in motion Simplify and expedite investigations Non-intrusive and no perceived end user impact

19 High-Risk/Targeted Users Advanced Threat Protection for Every Endpoint and Server Fixed-Function and Critical Infrastructure Devices All Other UsersData Center Servers Watch and record

20 High-Risk/Targeted Users Advanced Threat Protection for Every Endpoint and Server Fixed-Function and Critical Infrastructure Devices All Other UsersData Center Servers Stop all untrusted software Watch and record

21 High-Risk/Targeted Users Advanced Threat Protection for Every Endpoint and Server Fixed-Function and Critical Infrastructure Devices Data Center Servers Stop all untrusted software Watch and record All Other Users Detect and block on the fly

22 Prevent Detect & Respond Prevention Visibility Detection Response Bit9 + Carbon Black: Security Lifecycle in One Solution

23 Proactive prevention mechanisms customizable for different users and systems Advanced Threat Prevention Market leader in Default-Deny + Super lightweight sensor that records/and monitors everything and deployable to every computer Incident Response in Seconds Technology leader Purpose-built by experts Rapidly Detect & Respond to Threats Reduce Your Attack Surface New signature-less prevention techniques Continuously monitor and record every endpoint/server 12 Bit9 + Carbon Black

24 See the kill chain in seconds From vulnerable processes to the persistent malicious service Would take days or weeks to re-create using traditional tools Bit9 + Carbon Black: Understanding the Entire Kill Chain

25 ©2014 Bit9. All Rights Reserved

26 Takeaways Reduce your attack surface with prevention Prepare for inevitability of compromise Detect in real time without signatures Pre-breach rapid response in seconds with recorded history Establish an IR plan Understand the need for a security lifecycle Fully deploy security solutions across entire environment “In 2020, enterprises will be in a state of continuous compromise.”

27 Thank you! Q&A

Download ppt "©2014 Bit9. All Rights Reserved The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain Mary Ann Fitzsimmons Regional."

Similar presentations

1© Copyright 2011 EMC Corporation. All rights reserved. The Future of the Advance Soc 3rd Annual Privacy, Access and Security Congress, Ottawa, 2012 Mike.

1© Copyright 2011 EMC Corporation. All rights reserved. The Future of the Advance Soc 3rd Annual Privacy, Access and Security Congress, Ottawa, 2012 Mike.
Palo Alto Networks Jay Flanyak Channel Business Manager

Palo Alto Networks Jay Flanyak Channel Business Manager
Security Life Cycle for Advanced Threats

Security Life Cycle for Advanced Threats
© 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.

© 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.
©2014 Bit9. All Rights Reserved The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain Chris Berninger, Sr. Solutions.

©2014 Bit9. All Rights Reserved The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain Chris Berninger, Sr. Solutions.
1© Copyright 2011 EMC Corporation. All rights reserved. Advanced Persistent Threat Sachin Deshmanya & Srinivas Matta.

1© Copyright 2011 EMC Corporation. All rights reserved. Advanced Persistent Threat Sachin Deshmanya & Srinivas Matta.
©2014 Bit9. All Rights Reserved Building a Continuous Response Architecture.

©2014 Bit9. All Rights Reserved Building a Continuous Response Architecture.
David Flournoy Bit9 Mid-Atlantic Regional Manager

David Flournoy Bit9 Mid-Atlantic Regional Manager
Www.encase.com Mel Pless, Sr. Director, Solutions Consulting Guidance Software, Inc. Let’s Get Right To The Endpoint Leveraging Endpoint Data to Expose,

Mel Pless, Sr. Director, Solutions Consulting Guidance Software, Inc. Let’s Get Right To The Endpoint Leveraging Endpoint Data to Expose,
Website Hardening HUIT IT Security | Sep 30 2011.

Website Hardening HUIT IT Security | Sep
1Cisco Security NOW © 2003, Cisco Systems, Inc. All rights reserved. THIS IS THE POWER OF CISCO SECURITY. now.

1Cisco Security NOW © 2003, Cisco Systems, Inc. All rights reserved. THIS IS THE POWER OF CISCO SECURITY. now.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
Staying Ahead of the Curve in Cyber Security Bill Chang CEO, SingTel Group Enterprise.

Staying Ahead of the Curve in Cyber Security Bill Chang CEO, SingTel Group Enterprise.
Dell Connected Security Solutions Simplify & unify.

Dell Connected Security Solutions Simplify & unify.
©2014 Bit9. All Rights Reserved Endpoint Threat Prevention Charles Roussey | Sr. Sales Engineer Detection and Response in Seconds.

©2014 Bit9. All Rights Reserved Endpoint Threat Prevention Charles Roussey | Sr. Sales Engineer Detection and Response in Seconds.
Security Professional Services. Security Assessments Vulnerability Assessment IT Security Assessment Firewall Migration Custom Professional Security Services.

Security Professional Services. Security Assessments Vulnerability Assessment IT Security Assessment Firewall Migration Custom Professional Security Services.
© 2015 ForeScout Technologies, Page 2 Source: Identity Theft Resource Center Annual number of data breaches Breaches reported Average annual cost of security.

© 2015 ForeScout Technologies, Page 2 Source: Identity Theft Resource Center Annual number of data breaches Breaches reported Average annual cost of security.
Symantec Targeted Attack Protection 1 Stopping Tomorrow’s Targeted Attacks Today iPuzzlebiz

Symantec Targeted Attack Protection 1 Stopping Tomorrow’s Targeted Attacks Today iPuzzlebiz
ANTIVIRUS SOFTWARE.  Antivirus software is the most widespread mechanism for defending individual hosts against threats associated with malicious software,

ANTIVIRUS SOFTWARE.  Antivirus software is the most widespread mechanism for defending individual hosts against threats associated with malicious software,
Ali Alhamdan, PhD National Information Center Ministry of Interior

Ali Alhamdan, PhD National Information Center Ministry of Interior

Similar presentations

Ads by Google