Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Life Cycle for Advanced Threats

Similar presentations


Presentation on theme: "Security Life Cycle for Advanced Threats"— Presentation transcript:

1

2 Security Life Cycle for Advanced Threats
Prevent Prevention Visibility Detection Response EPP Detect & Respond Central is visibility. Several tools on the market provide network visibility. Detection: must interpret the visibility data to identify threatening events. Repsonse: How quickly can we understand what happened and scope. Visibility at the endpoint is critical. Prevention: How can advanced threats be stopped? ETDR

3 You could keep the enemy at the gates
Once Upon A Time… You could keep the enemy at the gates

4 Technology Has Evolved
Cloud Computing Mobile Computing Internet of Things Surface area is ever-increasing Perimeters are becoming less relevant Everything is connected to something Technology is crossing into our physical world Let’s start with technology… call it Moore’s Law or what you will, but the technology world is evolving at a tremendous pace. <click> Cloud computing, mobile, the Internet of Things… these are all new realities of the past decade. They have changed the way we interact and interconnect, and consequently this changes how we are vulnerable, the attack surface, and what companies must do to protect themselves. <click> The surface area is constantly expanding. From remote users, to users directly interacting with the cloud (public and private), to personal/business dual use devices. There is no well defined perimeter anymore. You might even argue there is no perimeter at all. Firewalls, IDS/IPS, packet inspection – technologies that rely on perimeter and choke points – are no longer sufficient.

5 Threat Actors Have Evolved
Criminal Enterprises Broad-based and targeted attacks Financially motivated Getting more sophisticated Hactivists Targeted and destructive attacks Unpredictable motivations Generally less sophisticated Nation-States Targeted and multi-stage attacks Motivated by information and IP Highly sophisticated, endless resources

6 Endless Stream of News

7 The Malware Problem By the Numbers
Bit9 MasterMinds Dallas, TX The Malware Problem By the Numbers 3/26/2013 66% of malware took months or even years to discover (dwell time)1 69% of intrusions are discovered by an external party1 155k The number of new malware samples that are seen daily2 $5.4M The average total cost of a data breach3 Verizon Data Breach Investigations Report | 2. McAfee Threats Report: First Quarter 2013 | 3. Ponemon Institute 2013 Cost of a Data Breach Study

8 The State of Information Security
Compromise happens in seconds Data exfiltration starts minutes later It continues undetected for months Remediation takes weeks At $341k per incident in forensics costs THIS IS UNSUSTAINABLE

9 DON’T OVERCOMPLICATE THE THREAT
SIMPLE THREAT MODEL: 1: OPPORTUNISTIC 2: NOT DON’T OVERCOMPLICATE THE THREAT

10 Opportunistic threats find value in our computers
Opportunistic threats find value in our computers. Goal: breadth of access. “Advanced” threats find value in our data. Goal: precision of access.

11 How This Impacts Traditional Security
Hosts Compromised Time 10 100 1k 10k 100k Week 2 Week 1 Week 3 Week 4 Week 5 Week 6 Week 7 Signature available. THRESHOLD OF DETECTION Opportunistic Goal is to maximize slope. Hosts Compromised Time 10 100 1k 10k 100k Week 2 Week 1 Week 3 Week 4 Week 5 Week 6 Week 7 THRESHOLD OF DETECTION Signature available? “Advanced” Goal is to minimize slope.

12 A New Perspective Is Required
assume you will be breached compromise is inevitable

13 “In 2020, enterprises will be in a state of continuous compromise.”
Gartner, “Prevention Is Futile in 2020: Protect Information Via Pervasive Monitoring and Collective Intelligence,” Neil MacDonald, May 30, 2013

14 The Assumption of Breach
how will you know? what will you do?

15 Rethink Your Security Strategy
prevention is no longer enough invest in detection and response traditional approaches are ineffective move from reactive to proactive security cannot be done in isolation it is a continuous process

16 The Adaptive Security Architecture
Gartner, “Designing an Adaptive Security Architecture for Protection From Advanced Attacks,” February, 2014

17 The Adaptive Security Architecture
Gartner, “Designing an Adaptive Security Architecture for Protection From Advanced Attacks,” February, 2014

18 The Adaptive Security Architecture - Capabilities
Gartner, “Designing an Adaptive Security Architecture for Protection From Advanced Attacks,” February, 2014

19 Key Characteristics of “Next Gen” Security
Forensic quality data collection and analysis Threat intelligence to interpret and prioritize data At all stages of kill chain, not just point of delivery Based on behaviors and context, not just files/IPs Real-time, not scan or snapshot based Provide full historical context of activity Information needed to assess impact and scope Remediation and containment Proactive signature-less prevention techniques Adapt based on detection and response Incorporate and correlate data from third party sources Export data and alerts to other tools Visibility Detection Response Prevention Integration

20 Security Life Cycle for Advanced Threats
Prevention Visibility Detection Response Central is visibility. Several tools on the market provide network visibility. Detection: must interpret the visibility data to identify threatening events. Repsonse: How quickly can we understand what happened and scope. Visibility at the endpoint is critical. Prevention: How can advanced threats be stopped?

21 Reduce Attack Surface with Default-Deny
Traditional EPP failure Scan/sweep based Signature based Block known bad Success of emerging endpoint prevention solutions Real time Policy based Tailor policies based on environment Trust based Block all but known good Objective of emerging endpoint prevention solutions Lock down endpoint/server Reduce attack surface area Make it as difficult as possible for advanced attacker Prevention Visibility Detection Response Visibility Traditional EPP failure Scan/sweep based Signature based Block known bad Success of emerging endpoint prevention solutions Real time Policy based Tailor policies based on environment Trust based Block all but known good Objective of emerging endpoint prevention solutions Lock down endpoint/server Reduce attack surface area Make it as difficult as possible for advanced attacker

22 Detect in Real-time and Without Signatures
Traditional EPP failure Scan/sweep based Small signature database Success of emerging endpoint detection solutions Large global database of threat intelligence Signature-less detection through threat indicators Watchlists Objective of emerging endpoint detection solutions Prepare for inevitability of breach and continuous state of compromise Cover more of the kill chain than prevention Enable rapid response Prevention Visibility Detection Response Visibility Traditional EPP failure Scan/sweep based Small signature database Success of emerging endpoint detection solutions Large global database of threat intelligence Signature-less detection through threat indicators Watchlists Objective of emerging endpoint detection solutions Prepare for inevitability of breach and continuous state of compromise Cover more of the kill chain than prevention

23 Rapidly Respond to Attacks in Motion
Traditional EPP failure Expensive external consultants Relies heavily on disk and memory artifacts for recorded history Success of emerging endpoint incident response solutions Real-time continuous recorded history delivers IR in seconds In centralized database Attack process visualization and analytics Better, faster and less expensive Objective of emerging endpoint incident response solutions Pre-breach rapid incident response Better prepare prevention moving forward Prevention Visibility Detection Response Visibility Traditional EPP failure Expensive external consultants Relies heavily on disk and memory artifacts for recorded history Success of emerging endpoint incident response solutions Real-time continuous recorded history delivers IR in seconds In centralized database Attack process visualization and analytics Better, faster and less expensive Objective of emerging endpoint incident response solutions Pre-breach rapid incident response Better prepare prevention moving forward

24 Too Much Data, Not Enough Intelligence
integrate your tools attacks happen on endpoints correlate network and endpoint for actionable intelligence incorporate threat intelligence what happens to someone else can happen to you filter, prioritize and alert on third party feeds, reputation and indicators

25 Summary The threat landscape continues to evolve The enemy is more advanced, attacks are more targeted Rethink your security strategy, traditional security tools are insufficient Assume you will breached Invest in entire lifecycle: detection, response and prevention Don’t treat security tools as islands, integrate them

26 Endpoint Threat Detection, Response and Prevention for DUMMIES
Download the eBook at… Bit9.com eBook resources section

27 questions

28


Download ppt "Security Life Cycle for Advanced Threats"

Similar presentations


Ads by Google