The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain
David Flournoy, Bit9 Mid-Atlantic Regional Manager
©2014 Bit9. All Rights Reserved
Significant Data Breaches, Last Twelve Months
(Chart of breaches by month, March through February; the figure itself is not recoverable from the transcript.)

“In 2020, enterprises will be in a state of continuous compromise.”

Why is the Endpoint Under Attack?
1. Host-based security software still relies on AV signatures
   – Writing antivirus signatures is a routine process for vendors, but it takes time and can no longer keep up with the massive malware volume
   – Host-based security software’s dependency on signatures and scanning engines remains an Achilles heel when addressing modern malware
2. Evasion techniques can easily bypass host-based defenses
   – Malware writers use compression and encryption to bypass AV filters
   – Malware developers use software polymorphism or metamorphism to change the appearance of malicious code from system to system
3. Cyber adversaries test malware against popular host-based software
   – There are criminal web sites where malware authors can submit their exploits for testing against dozens of AV products

The State of Information Security
• Compromise happens in seconds
• Data exfiltration starts minutes later
• It continues undetected for months
• Remediation takes weeks
• At $341k per incident in forensics costs
THIS IS UNSUSTAINABLE

The Kill Chain
• Reconnaissance – Attacker researches potential victim
• Weaponization – Attacker creates deliverable payload
• Delivery – Attacker transmits weapon into environment
• Exploitation – Attacker exploits vulnerability
• Installation – Attacker changes system configuration
• C2 – Attacker establishes control channel
• Action – Attacker attempts to exfiltrate data

Protection = Prevention, Detection and Response
“Security…will shift to rapid detection and response capabilities linked to protection systems to block further spread of the attack.”
Gartner, Endpoint Threat Detection and Response Tools and Practices, Sept. 2013
“Functions organize basic cybersecurity activities at their highest level. These Functions are: Identify, Protect, Detect, Respond, and Recover.”
NIST Cybersecurity Framework for Critical Infrastructure, Feb 2014

Need a Security Lifecycle to Combat Advanced Threats
(Lifecycle diagram: Prevention, Detection and Response arranged around Visibility; first Prevent, then Detect & Respond.)

Reduce Attack Surface with Default-Deny
Traditional EPP failure
• Scan/sweep based (strobe light)
• Signature based – Block known bad
Success of emerging endpoint prevention solutions
• Real time
• Policy based – Tailor policies based on environment
• Trust based – Block all but known good
Objective of emerging endpoint prevention solutions
• Lock down endpoint/server
• Reduce attack surface area – Make it as difficult as possible for advanced attacker

Reduce Attack Surface Across Kill Chain
(Kill chain diagram as above, annotated “Prevention effective here” at the Installation stage.)

Detect in Real-time and Without Signatures
Traditional EPP failure
• Scan/sweep based
• Small signature database
Success of emerging endpoint detection solutions
• Large global database of threat intelligence
• Signature-less detection through threat indicators
• Watchlists
Objective of emerging endpoint detection solutions
• Prepare for inevitability of breach and continuous state of compromise
• Cover more of the kill chain than prevention
• Enable rapid response

Reduce Attack Surface Across Kill Chain
(Kill chain diagram as above, now annotated with both “Prevention effective here” and “Detection effective here”; detection extends further along the chain, through the C2 stage.)

Rapidly Respond to Attacks in Motion
Traditional EPP failure
• Expensive external consultants
• Relies heavily on disk and memory artifacts for recorded history
Success of emerging endpoint incident response solutions
• Real-time continuous recorded history delivers IR in seconds – In centralized database
• Attack process visualization and analytics
• Better, faster and less expensive
Objective of emerging endpoint incident response solutions
• Pre-breach rapid incident response
• Better prepare prevention moving forward

Current Failures Within the Incident Response Process
The Six-Step IR Process, with the failure seen at each step:
1. Preparation – Failure: No IR plan with processes and procedures in place
2. Identification & Scoping – Failure: Do not have recorded history to fully identify or scope threat
3. Containment – Failure: Does not properly identify threat so cannot fully contain
4. Eradication & Remediation – Failure: After failing to fully scope threat, remediation is impossible
5. Recovery – Failure: Organization resumes operations with false sense of security
6. Follow Up & Lessons Learned – Failure: No post-incident process in place or does not implement expert recommendations

Advanced Threat Protection for Every Endpoint and Server
(Built up over three slides; final state shown.)
Capabilities:
• Watch and record
• Stop all untrusted software
• Detect and block on the fly
Applied across:
• Data Center Servers
• High-Risk/Targeted Users
• Fixed-Function and Critical Infrastructure Devices
• All Other Users
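The prevention, detection and response slides above rest on three ideas: a default-deny policy that blocks all but known good, signature-less watchlist detection, and a continuously recorded process history from which a responder can rebuild the attack chain in seconds. The Python below is an added illustration of those three ideas run over a constructed process history; it is not Bit9 or Carbon Black code, and the file paths, hash values and watchlist rules are assumptions made up for the example.

```python
# Added illustration: default-deny decision, watchlist detection and kill chain
# reconstruction over a recorded process history. Not Bit9/Carbon Black code.
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image sha256 user")
# Constructed recorded history (made-up paths and hashes): each process start, oldest first.
HISTORY = [
    Event(100, 1,   r"C:\Windows\explorer.exe",                   "h-explorer", "alice"),
    Event(200, 100, r"C:\Office\WINWORD.EXE",                     "h-winword",  "alice"),
    Event(300, 200, r"C:\Windows\System32\cmd.exe",               "h-cmd",      "alice"),
    Event(400, 300, r"C:\Users\alice\AppData\Local\Temp\upd.exe", "h-unknown1", "alice"),
    Event(500, 400, r"C:\ProgramData\helper_svc.exe",             "h-unknown2", "SYSTEM"),
]

# Trust-based prevention: block all but known good (the default-deny policy).
TRUSTED_HASHES = {"h-explorer", "h-winword", "h-cmd"}

def policy_decision(event):
    """Default-deny decision for one execution attempt: unknown hash -> block."""
    return "allow" if event.sha256 in TRUSTED_HASHES else "block"

def _parent_of(history, event):
    return next((e for e in history if e.pid == event.ppid), None)

# Signature-less threat indicators: each rule looks at behaviour in the process
# tree (what spawned what, from where, as whom), not at a file signature.
WATCHLIST = {
    "office_spawns_shell": lambda e, p: p is not None
        and p.image.upper().endswith("WINWORD.EXE") and e.image.lower().endswith("cmd.exe"),
    "exec_from_temp_dir": lambda e, p: "\\temp\\" in e.image.lower(),
    "untrusted_parent_gains_system": lambda e, p: p is not None
        and e.user == "SYSTEM" and p.sha256 not in TRUSTED_HASHES,
}

def watchlist_hits(history):
    """Evaluate every recorded event against the watchlist; returns (rule, pid) pairs."""
    hits = []
    for e in history:
        p = _parent_of(history, e)
        hits.extend((name, e.pid) for name, rule in WATCHLIST.items() if rule(e, p))
    return hits

def kill_chain(history, pid):
    """Walk parent links from a suspicious pid back to the root: vulnerable process first."""
    by_pid = {e.pid: e for e in history}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid].image.rsplit("\\", 1)[-1])
        pid = by_pid[pid].ppid
    return chain[::-1]
```

With the recorded history the chain behind pid 500 is recovered from parent links alone; without it a responder would have to piece the same sequence together from disk and memory artifacts.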
Bit9 + Carbon Black: Security Lifecycle in One Solution
(Lifecycle diagram: Prevent, then Detect & Respond; Prevention, Detection and Response around Visibility.)
1. Reduce Your Attack Surface – New signature-less prevention techniques
2. Rapidly Detect & Respond to Threats – Continuously monitor and record every endpoint/server

Bit9 + Carbon Black: Advanced Threat Prevention + Incident Response in Seconds
• Market leader in Default-Deny
• Technology leader
• Purpose-built by experts
• Proactive prevention mechanisms customizable for different users and systems
• Super lightweight sensor that records and monitors everything and is deployable to every computer

Bit9 + Carbon Black: Understanding the Entire Kill Chain
See the kill chain in seconds
• From vulnerable processes to the persistent malicious service
• Would take days or weeks to re-create using traditional tools

Takeaways
“In 2020, enterprises will be in a state of continuous compromise.”
• Bit9 is much more than application control/application whitelisting
• Reduce your attack surface with prevention
• Prepare for inevitability of compromise
  – Detect in real time without signatures
  – Pre-breach rapid response in seconds with recorded history
• Establish an IR plan
• Understand the need for a security lifecycle
• Deploy security solutions across entire environment

Thank You