The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain NC/SC/TN Region: Angela Halliwell, Regional Sales Manager BJ Swope, Sales Engineer Mike.
The Evolution of Endpoint Security:
Detecting and Responding to
Malware Across the Kill Chain
NC/SC/TN Region:
Angela Halliwell, Regional Sales Manager
BJ Swope, Sales Engineer
Mike DePrisco, Inside Sales Representative
©2014 Bit9. All Rights Reserved
The Malware Problem By the Numbers
66% of malware took months or even years to discover (up 10% from previous year) [1]
69% of intrusions are discovered by an external party [1]
155k new malware samples are seen daily [2]
$5.4M is the average total cost of a data breach [3]
40% of breaches incorporated malware [1]
Sources: 1. 2013 Verizon Data Breach Investigations Report | 2. McAfee Threats Report: First Quarter 2013 | 3. Ponemon Institute 2013 Cost of a Data Breach Study
Malware: Actors + Actions + Assets = Endpoint
(Actors, Actions and Assets as categorized in the 2013 Verizon Data Breach Report)
Why is the Endpoint Under Attack?
1. Host-based security software still relies on AV signatures
– Writing a signature is a routine process for antivirus vendors, but it takes time and can no longer keep up with the massive malware volume
– Host-based security software's dependency on signatures and scanning engines remains an Achilles heel when addressing modern malware
2. Evasion techniques can easily bypass host-based defenses
– Malware writers use compression and encryption (packing) to bypass AV filters
– Malware developers use software polymorphism or metamorphism to change the appearance of malicious code from system to system, so a hash or byte signature taken from one sample does not match the next
3. Cyber adversaries test malware against popular host-based software
– There are criminal web sites where malware authors can submit their exploits for testing against dozens of AV products before release
Significant Data Breaches in Last Twelve Months (monthly timeline, March through the following February)
A New Generation of Security is Coming… (as defined by Gartner)
Next-Gen Prevention: "Reduce your attack surface"; block newly discovered attacks on the fly
Threat Detection & Response: "Respond quickly when under attack"; pervasive monitoring and centralized recording
Reducing Your Attack Surface Across the Kill Chain
Reconnaissance: attacker researches potential victim
Weaponization: attacker creates deliverable payload
Delivery: attacker transmits weapon into the environment
Exploitation: attacker exploits a vulnerability
Installation: attacker changes system configuration
C2: attacker establishes a control channel
Action: attacker attempts to exfiltrate data
Prevention effective here
Detection effective here
Real-time Visibility & Detection (Bit9) vs. Scan-based (AV): comparison chart covering unknown malware and known malware
Real-time Visibility & Detection Enables Rapid Response
Next-gen Security Needs:
Visibility & Detection
Real-time recorded history of entire environment
Detect known and unknown files as they happen
Know if and when you are under attack
Response
Identify, scope, contain and remediate faster
Proactively respond to attacks in motion
Simplify and expedite investigations
Non-intrusive and no perceived end user impact
Failures Within the IR Process
The Six-Step IR Process, with the failure seen at each step:
1. Preparation. Failure: no IR plan with processes and procedures in place
2. Identification & Scoping. Failure: no recorded history with which to fully identify or scope the threat
3. Containment. Failure: the threat is not properly identified, so it cannot be fully contained
4. Eradication & Remediation. Failure: after failing to fully scope the threat, remediation is impossible
5. Recovery. Failure: the organization resumes operations with a false sense of security
6. Follow Up & Lessons Learned. Failure: no post-incident process in place, or expert recommendations are not implemented
Response Process Simplified
Identify
Scope
Contain
Remediate
Response Process Pre and Post Bit9: Identify
(Identify, Scope, Contain, Remediate)
Identify: gather artifacts (file, system and network information)
1. Seek information: file name; hash and trust; time first seen; group (relation); connector alert
2. Review system changes: search the machine; history of changes and events
3. Malware analysis: SRS analysis; acquire the file remotely; submit to a connector
Response Process Pre and Post Bit9: Scope
(Identify, Scope, Contain, Remediate)
Scope: discover all compromised systems; determine attack progression and propagation, and which systems are and have been impacted
1. Review attack history: complete history of the files involved (the attack)
2. Identify all systems: complete history of the machines the files are, and were, on, and where they were executed
3. Find patient zero: patient 0 (initial attack vector)
Response Process Pre and Post Bit9: Contain
(Identify, Scope, Contain, Remediate)
Contain: short-term steps to halt the attack by blocking or banning content
1. Halt exfiltration
2. Disrupt the attack
3. Ban globally, stopping further executions
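The Identify, Scope and Contain steps above assume a recorded history of what ran where. As an added worked example (not from the Bit9 deck, and not Bit9's product or API), the Python below runs those three steps over a constructed endpoint execution history: it pulls the "seek information" attributes for a hash, finds every machine the file is or was on and where it executed, picks patient zero and a candidate initial vector, and builds a global ban by hash. The CSV layout, hostnames, paths, placeholder hashes (HASH_A, HASH_B, HASH_SYS) and trust labels are all assumptions made for illustration.

```python
"""Identify / scope / contain from a recorded endpoint execution history.

Added example, not from the deck: the record format, hostnames, hashes and
trust labels below are constructed for illustration.
"""
from collections import namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts host action path sha256 trust")

# Constructed sample of a recorded history: one row per file event an agent
# observed (file write or process execution) on an endpoint.
# Columns: timestamp, host, action, path, hash (placeholder), trust verdict.
HISTORY = """\
2014-02-03T09:12:00Z,ws-041,execute,C:\\Users\\jdoe\\AppData\\Local\\Temp\\invoice.exe,HASH_A,unknown
2014-02-03T09:12:04Z,ws-041,write,C:\\Users\\jdoe\\AppData\\Roaming\\svchost.exe,HASH_B,unknown
2014-02-03T09:12:05Z,ws-041,execute,C:\\Users\\jdoe\\AppData\\Roaming\\svchost.exe,HASH_B,unknown
2014-02-03T09:30:10Z,ws-017,write,C:\\Windows\\Temp\\svchost.exe,HASH_B,unknown
2014-02-03T09:30:12Z,ws-017,execute,C:\\Windows\\Temp\\svchost.exe,HASH_B,unknown
2014-02-03T10:02:00Z,fs-02,write,D:\\share\\tools\\svchost.exe,HASH_B,unknown
2014-02-03T11:45:00Z,ws-093,execute,C:\\Windows\\System32\\svchost.exe,HASH_SYS,trusted
2014-02-04T08:01:00Z,ws-017,execute,C:\\Windows\\Temp\\svchost.exe,HASH_B,unknown
"""


def parse_history(text):
    """Parse the constructed CSV rows into Event tuples, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, host, action, path, sha256, trust = line.split(",")
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            host, action, path, sha256, trust))
    return sorted(events, key=lambda e: e.ts)


def basename(path):
    """Last component of a Windows-style path."""
    return path.rsplit("\\", 1)[-1]


def identify(events, sha256):
    """Identify / 'seek information': what the history already records about
    a hash, before any file has to be pulled back for analysis."""
    hits = [e for e in events if e.sha256 == sha256]
    if not hits:
        return None
    return {
        "first_seen": hits[0].ts.isoformat(),
        "first_host": hits[0].host,
        "names": sorted({basename(e.path) for e in hits}),
        "trust": sorted({e.trust for e in hits}),
        "hosts_seen": sorted({e.host for e in hits}),
        "executions": sum(1 for e in hits if e.action == "execute"),
    }


def scope(events, sha256, window=timedelta(minutes=10)):
    """Scope: every machine the file is or was on, where it ran, patient zero,
    and a candidate initial vector (the last different file executed on the
    patient-zero host within `window` before the payload first appeared)."""
    hits = [e for e in events if e.sha256 == sha256]
    if not hits:
        return None
    patient_zero = hits[0]
    prior = [e for e in events
             if e.host == patient_zero.host and e.action == "execute"
             and e.sha256 != sha256
             and patient_zero.ts - window <= e.ts < patient_zero.ts]
    vector = prior[-1] if prior else None
    return {
        "patient_zero": patient_zero.host,
        "initial_vector": (vector.sha256, vector.path) if vector else None,
        "hosts_present": sorted({e.host for e in hits}),
        "hosts_executed": sorted({e.host for e in hits if e.action == "execute"}),
        "timeline": [(e.ts.isoformat(), e.host, e.action) for e in hits],
    }


def contain(events, sha256):
    """Contain: ban the hash globally and split the scoped hosts into those
    that ran the file (isolate, eradicate) and those that only hold a copy.
    Banning by hash rather than by file name spares machines running a
    different, legitimately named binary (here the trusted System32 svchost)."""
    s = scope(events, sha256)
    if s is None:
        return None
    banned_names = {basename(e.path) for e in events if e.sha256 == sha256}
    spared = sorted({e.host for e in events
                     if e.sha256 != sha256 and basename(e.path) in banned_names})
    return {
        "ban_hash": sha256,
        "isolate_hosts": s["hosts_executed"],
        "clean_hosts": [h for h in s["hosts_present"] if h not in s["hosts_executed"]],
        "hosts_spared_by_hash_ban": spared,
    }


EVENTS = parse_history(HISTORY)

if __name__ == "__main__":
    for step in (identify, scope, contain):
        print(step.__name__, step(EVENTS, "HASH_B"))
```

The point of the last step is the one the deck makes about signatures versus hashes: the dropper reused the name svchost.exe, so a name- or path-based rule would have hit the legitimate, trusted svchost.exe on ws-093, while the hash ban stops only the malicious copies and still catches the dormant copy on the file server that has not executed yet.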
Response Process Pre and Post Bit9: Remediate
(Identify, Scope, Contain, Remediate)
Remediate: longer-term changes to prevent and detect attacks; update policies across the organization
1. Review posture: review policy for endpoint controls
2. Update prevention & detection: update prevention policies; update detection capabilities
Full Visibility Fuels Full Detection & Response: comparison of an environment without Bit9 deployed and one with Bit9 fully deployed
Limited coverage = limited security
Takeaways
Assume you will get breached
Reduce your attack surface with visibility & detection
• How to do this?
– Have a real-time recorded history that continuously monitors and records every endpoint and server
– Detect both known and unknown malware without signatures
– Rapidly respond using the recorded history
Establish an IR plan
• Understand security solutions that can simplify and expedite response
Fully deploy security solutions across the entire environment
• Limited coverage means limited visibility, detection, response and prevention
"In 2020, enterprises will be in a state of continuous compromise."
Bit9 Benefits
Visibility: know what's running on every endpoint and server right now
Detection: see and record everything; detect threats in real time without signatures
Response: a full history of what's happened on every machine; contain and control threats
Prevention: new proactive, signature-less prevention techniques
Integration: integrate network and endpoint security for real-time response and prevention
• Always know what's on your endpoints and servers
• Detect and stop advanced threats
• Reduce incident response time
• Reduce remediation time
• Improve compliance
Thank you!
Q&A