The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain NC/SC/TN Region: Angela Halliwell, Regional Sales Manager BJ Swope, Sales Engineer Mike.
Download ReportTranscript The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain NC/SC/TN Region: Angela Halliwell, Regional Sales Manager BJ Swope, Sales Engineer Mike.
The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain NC/SC/TN Region: Angela Halliwell, Regional Sales Manager BJ Swope, Sales Engineer Mike DePrisco, Inside Sales Representative ©2014 Bit9. All Rights Reserved The Malware Problem By the Numbers 66% 69% 155k $5.4M 40% of malware took months or even years to discover (up 10% from previous year)1 of intrusions are discovered by an external party1 The number of new malware samples that are seen daily2 The average total cost of a data breach3 The number of breaches that incorporated malware1 1. 2013 Verizon Data Breach Investigations Report | 2. McAfee Threats Report: First Quarter 2013 | 3. Ponemon Institute 2013 Cost of a Data Breach Study Malware: Actors + Actions + Assets = Endpoint Actors Actions Assets *2013 Verizon Data Breach Report Why is the Endpoint Under Attack? 1. Host-based security software still relies on AV signatures – Antivirus vendors find a routine process: Takes time and can no longer keep up with the massive malware volume – Host-based security software’s dependency on signatures and scanning engines remains an Achilles heel when addressing modern malware 2. Evasion techniques can easily bypass host-based defenses – Malware writers use compression and encryption to bypass AV filters – Malware developers use software polymorphism or metamorphism to change the appearance of malicious code from system to system 3. Cyber adversaries test malware against popular host-based software – There are criminal web sites where malware authors can submit their exploits for testing against dozens of AV products Significant Data Breaches in Last Twelve Months March April May June July Aug Sept Oct Nov Dec Jan Feb A New Generation of Security is Coming… As defined by Gartner Next-Gen Prevention “Reduce your attack surface” Block newly discovered attacks on the fly Pervasive monitoring and centralized recording Threat Detection & Response “Respond quickly when under attack” Reducing Your Attack Surface Across the Kill Chain Reconnaissance Weaponization Attacker Researches potential victim Attacker creates deliverable payload Delivery Exploitation Installation Attacker transmits weapon in environment Attacker exploits vulnerability Attacker changes system configuration C2 Attacker establishes control channel Prevention effective here Detection effective here Action Attacker attempt to exfiltrate data Real-time Visibility & Detection (Bit9) vs. Scan-based (AV) Unknown malware Known malware Real-time Visibility & Detection Enables Rapid Response Next-gen Security Needs: Visibility & Detection Real-time recorded history of entire environment Detect known and unknown files as they happen Know if and when you are under attack Response Identify, scope, contain and remediate faster Proactively respond to attacks in motion Simplify and expedite investigations Non-intrusive and no perceived end user impact Failures Within the IR Process Preparation Identification & Scoping Containment Eradication & Remediation Recovery Follow Up & Lessons Learned The Six-Step IR Process Failure: No IR plan with processes and procedures in place Failure: Do not have recorded history to fully identify or scope threat Failure: Does not properly identify threat so cannot fully contain Failure: After failing to fully scope threat, remediation is is impossible Failure: Organization resumes operations with false sense of security Failure: No post-incident process in place or does not implement expert recommendations Response Process Simplified Identify Scope Contain Remediate Response Process Pre and Post Bit9: Identify Identify Scope Contain Remediate Gather artifacts: File, System and Network Information Seek Information Review System Changes Malware Analysis 1. 2. 3. 4. 5. First name Hash, Trust Time first seen Group (relation) Connector alert Response Process Pre and Post Bit9: Identify Identify Gather artifacts: File, System and Network Information Seek Information Review System Changes Malware Analysis 1. 2. Search machine History of change and events Response Process Pre and Post Bit9: Identify Identify Gather artifacts: File, System and Network Information Seek Information Review System Changes Malware Analysis 1. 2. 3. SRS Analysis Acquire file remotely Submit to Connector Response Process Pre and Post Bit9: Scope Identify Scope Contain Remediate Discover all compromised systems Determine attack progression, propagate, what systems are and have been impacted Review Attack History Identify All Systems Find Patient Zero Complete history of files (the attack) Response Process Pre and Post Bit9: Scope Scope Discover all compromised systems Determine attack progression, propagate, what systems are and have been impacted Review Attack History Identify All Systems Find Patient Zero Complete history of machines the files are, and were, on And where executed Response Process Pre and Post Bit9: Scope Scope Discover all compromised systems Determine attack progression, propagate, what systems are and have been impacted Review Attack History Identify All Systems Find Patient Zero Patient 0 (Initial attack vector) Response Process Pre and Post Bit9: Contain Identify Scope Contain Remediate Short term steps to halt the attack: Block or ban content Halt Exfiltration Disrupt Attack Ban Globally, stop further executions Response Process Pre and Post Bit9: Remediate Identify Scope Contain Remediate Longer term changes to prevent & detect attacks Update policies across an organization Review Posture Update Prevention & Detection Review Policy For endpoint controls Response Process Pre and Post Bit9: Remediate Remediate Longer term changes to prevent & detect attacks Update policies across an organization Review Posture Update Prevention & Detection Update Prevention Update Prevention policies policies Update detection Capabilities Full Visibility Fuels Full Detection & Response Without deployed With Bit9Bit9 fullyfully deployed Limited coverage = limited security Takeaways Assume you will get breached Reduce your attack surface with visibility & detection • How to do this? – Have real-time recorded history that continuous monitors and records every endpoint/server – Detect both known and unknown malware without signatures – Rapidly respond using recorded history Establish an IR plan • Understand security solutions that can simplify and expedite response Fully deploy security solutions across entire environment • Limited coverage means limited visibility, detection, response and prevention “In 2020, enterprises will be in a state of continuous compromise.” Bit9 Benefits Visibility Detection Know what’s running on every endpoint and server right now See and record everything; detect threats in real-time without signatures • Always know what’s on your endpoints and servers • Detect and stop Response A full history about what’s happened on every machine; contain and control threats advanced threats • Reduce incident response time Prevention Integration New proactive, signature-less prevention techniques Integrate network and endpoint security for realtime response and prevention • Reduce remediation time • Improve compliance Thank you! Q&A