TRANSCRIPT
©2014 Bit9. All Rights Reserved
The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain
Chris Berninger, Sr. Solutions Engineer, Bit9
The Malware Problem By the Numbers
66% of malware took months or even years to discover (up 10% from the previous year) [1]
69% of intrusions are discovered by an external party [1]
40% of breaches incorporated malware [1]
155k new malware samples are seen daily [2]
$5.4M is the average total cost of a data breach [3]
Sources: 1. 2013 Verizon Data Breach Investigations Report | 2. McAfee Threats Report: First Quarter 2013 | 3. Ponemon Institute 2013 Cost of a Data Breach Study
Malware: Actors + Actions + Assets = Endpoint
(Diagram: Actors, Actions, Assets; source: 2013 Verizon Data Breach Report)
Why is the Endpoint Under Attack?
1. Host-based security software still relies on AV signatures
– Antivirus vendors follow a routine signature process that takes time and can no longer keep up with the massive malware volume
– Host-based security software's dependency on signatures and scanning engines remains an Achilles heel when addressing modern malware
2. Evasion techniques can easily bypass host-based defenses
– Malware writers use compression and encryption to bypass AV filters
– Malware developers use software polymorphism or metamorphism to change the appearance of malicious code from system to system
3. Cyber adversaries test malware against popular host-based software
– There are criminal web sites where malware authors can submit their exploits for testing against dozens of AV products
Significant Data Breaches in Last Twelve Months
(Timeline figure: January through December)
A New Generation of Security is Coming…
Next-Gen Prevention: "Reduce your attack surface"
Block newly discovered attacks on the fly
Threat Detection & Response: "Respond quickly when under attack"
Pervasive monitoring and centralized recording
(As defined by Gartner)
(Diagram labels: Prevention effective here; Detection effective here)
Reducing Your Attack Surface Across the Kill Chain
Reconnaissance: attacker researches potential victim
Weaponization: attacker creates deliverable payload
Delivery: attacker transmits weapon into the environment
Exploitation: attacker exploits vulnerability
Installation: attacker changes system configuration
C2: attacker establishes control channel
Action: attacker attempts to exfiltrate data
Real-time Visibility & Detection (Bit9) vs. Scan-based (AV)
(Chart labels: Unknown malware; Known malware)
Real-time Visibility & Detection Enables Rapid Response
Next-gen Security Needs:
Visibility & Detection: real-time recorded history of the entire environment; detect known and unknown files as they happen
Know if and when you are under attack
Response: identify, scope, contain and remediate faster
Proactively respond to attacks in motion; simplify and expedite investigations
Non-intrusive and no perceived end user impact
The Six-Step IR Process
Failures Within the IR Process
Preparation
Failure: No IR plan with processes and procedures in place
Identification & Scoping
Failure: No recorded history to fully identify or scope the threat
Containment
Failure: Does not properly identify the threat, so cannot fully contain it
Eradication & Remediation
Failure: After failing to fully scope the threat, remediation is impossible
Recovery
Failure: Organization resumes operations with a false sense of security
Follow Up & Lessons Learned
Failure: No post-incident process in place, or expert recommendations are not implemented
Response Process Simplified
Identify, Scope, Contain, Remediate
Response Process Pre and Post Bit9: Identify
Gather artifacts: file, system and network information
Seek Information: 1. First name 2. Hash, trust 3. Time first seen 4. Group (relation) 5. Connector alert
Review System Changes: 1. Search machine 2. History of changes and events
Malware Analysis: 1. SRS analysis 2. Acquire file remotely 3. Submit to Connector
Response Process Pre and Post Bit9: Scope
Discover all compromised systems: determine attack progression and propagation, and which systems are and have been impacted
Review Attack History: complete history of files (the attack)
Identify All Systems: complete history of machines the files are, and were, on, and where they executed
Find Patient Zero: Patient 0 (initial attack vector)
Response Process Pre and Post Bit9: Contain
Short-term steps to halt the attack: block or ban content
Halt Exfiltration
Disrupt Attack: ban globally, stop further executions
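The Identify, Scope and Contain steps above, as an added example that is not Bit9's code or data: a small Python model of a recorded file history (constructed schema and sample events) that pulls the listed artifacts for a hash, lists the machines the file is or was on and where it executed, picks patient zero as the earliest sighting, and records a global ban.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class FileEvent:
    """One recorded file event from an endpoint agent (constructed schema)."""
    machine: str
    sha256: str
    name: str
    seen: datetime   # when the agent first saw this file on this machine
    executed: bool   # whether the file ran on this machine
    trust: int       # reputation score, 0 (bad) to 10 (good); constructed scale

# Constructed sample history: one unknown file spreading across three hosts.
HISTORY = [
    FileEvent("WS-014", "aa11" * 16, "invoice.pdf.exe", datetime(2014, 3, 3, 9, 12), True, 1),
    FileEvent("WS-014", "bb22" * 16, "notepad.exe", datetime(2014, 1, 5, 8, 0), True, 9),
    FileEvent("WS-027", "aa11" * 16, "svchost32.exe", datetime(2014, 3, 3, 11, 40), True, 1),
    FileEvent("SRV-DB1", "aa11" * 16, "svchost32.exe", datetime(2014, 3, 4, 2, 5), False, 1),
]

def _sightings(history, sha256):
    """All events for one hash, earliest first."""
    return sorted((e for e in history if e.sha256 == sha256), key=lambda e: e.seen)

def identify(history, sha256):
    """Identify step: the artifacts the slide lists (first name, trust, first seen)."""
    hits = _sightings(history, sha256)
    if not hits:
        return None
    return {"first_name": hits[0].name, "names": sorted({e.name for e in hits}),
            "trust": hits[0].trust, "first_seen": hits[0].seen}

def scope(history, sha256):
    """Scope step: every machine the file is or was on, where it ran, patient zero."""
    hits = _sightings(history, sha256)
    return {"machines": [e.machine for e in hits],
            "executed_on": [e.machine for e in hits if e.executed],
            "patient_zero": hits[0].machine if hits else None}

def contain(history, sha256, banned):
    """Contain step: add the hash to the global ban; return hosts where it already ran."""
    banned.add(sha256)
    return sorted({e.machine for e in history if e.sha256 in banned and e.executed})
```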
Response Process Pre and Post Bit9: Remediate
Longer-term changes to prevent & detect attacks; update policies across the organization
Review Posture: review policy for endpoint controls
Update Prevention & Detection: update prevention policies; update detection capabilities
Full Visibility Fuels Full Detection & Response
(Chart labels: Without Bit9 fully deployed; Limited coverage = limited security; With Bit9 fully deployed)
Takeaways
Assume you will get breached. Reduce your attack surface with visibility & detection.
• How to do this?
– Have a real-time recorded history that continuously monitors and records every endpoint/server
– Detect both known and unknown malware without signatures
– Rapidly respond using recorded history
Establish an IR plan.
• Understand security solutions that can simplify and expedite response
Fully deploy security solutions across the entire environment.
• Limited coverage means limited visibility, detection, response and prevention
“In 2020, enterprises will be in a state of continuous compromise.”
Bit9 Benefits
• Always know what's on your endpoints and servers
• Detect and stop advanced threats
• Reduce incident response time
• Reduce remediation time
• Improve compliance
Visibility: Know what's running on every endpoint and server right now
Detection: See and record everything; detect threats in real-time without signatures
Prevention: New proactive, signature-less prevention techniques
Response: A full history of what's happened on every machine; contain and control threats
Integration: Integrate network and endpoint security for real-time response and prevention
Thank you! Q&A