5 habits of highly effective endpoint threat protection
TRANSCRIPT
5 Habits of Highly Effective Endpoint Threat Protection
November 18, 2015
© 2015 Forrester Research, Inc. Reproduction Prohibited 2
Cindy Valladares: tripwire.com/blog, @cindyv
Rick Holland: forrester.com, @rholland
Endpoint security has been in drought conditions for years
But now the rain is finally coming!
Endpoint investment is increasing
Source: Forrester’s Business Technographics® Global Security Survey, 2015
Note: Values may not equal 100% due to omission of “don’t know” responses
5 Habits of Highly Effective Endpoint Threat Protection
1. Buyers must first live off the land
2. Prevention isn’t dead, but you must fall back to detection
3. This adversary isn’t going to hunt itself
4. Small footprint is required
5. Visibility isn’t enough, action is required
#1 Buyers must first live off the land
Expense in Depth
Where do you get diminishing returns on investments?
Living off the land
› Before you invest in any capabilities, maximize all existing capabilities first
› Look to existing vendors before adding new vendors to your portfolio
› Investment in new technologies and vendors is legitimate, once appropriate due diligence is conducted first
#2 Prevention isn’t dead, but you must fall back to detection
Targeted-Attack Hierarchy of Needs
NIST Cybersecurity Framework
#3 The adversary isn’t going to hunt itself
Solutions must possess the ability to hunt
› Need the ability to ingest:
  › Threat intelligence feeds
  › Internally sourced threat intelligence
› Proactively hunt for threat indicators
› Manual hunting is the bare-minimum requirement; the programmatic ability to ingest bulk indicators via API is preferred
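Habit #3 asks for tooling that can ingest bulk indicators and sweep them across endpoints. The following is an added Python example, not from this deck or from Tripwire or Forrester, that parses a constructed CSV indicator feed, merges duplicate indicators reported by several sources, normalises values so feed and telemetry compare equal, and hunts them across constructed endpoint telemetry; the feed names, field names and every value are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample feed (type,value,source). The hash is a made-up placeholder,
# feed-a/feed-b are assumed feed names, "internal" is internally sourced intel.
SAMPLE_HASH = "0123456789abcdef" * 4
FEED_CSV = f"""type,value,source
sha256,{SAMPLE_HASH.upper()},internal
domain,Bad-Updates.Example,feed-a
ipv4,203.0.113.7,feed-a
domain,bad-updates.example,feed-b
"""
# Constructed endpoint telemetry, one record per observed event.
ENDPOINT_EVENTS = [
    {"host": "ws-01", "sha256": SAMPLE_HASH, "path": "C:\\Users\\a\\x.exe"},
    {"host": "ws-02", "domain": "cdn.example"},
    {"host": "ws-03", "domain": "BAD-UPDATES.EXAMPLE."},  # trailing dot, upper case
    {"host": "ws-03", "ip": "203.0.113.7"},
]
FIELD_FOR_TYPE = {"sha256": "sha256", "domain": "domain", "ipv4": "ip"}  # ioc type -> event field

def normalize(ioc_type, value):
    """Canonicalise an indicator so feed values and telemetry compare equal."""
    value = value.strip()
    if ioc_type == "sha256":
        return value.lower()
    if ioc_type == "domain":
        return value.lower().rstrip(".")
    return value

def load_indicators(feed_text):
    """Parse the feed into {(type, value): set(sources)}, merging duplicate rows."""
    indicators = defaultdict(set)
    for row in csv.DictReader(io.StringIO(feed_text)):
        key = (row["type"], normalize(row["type"], row["value"]))
        indicators[key].add(row["source"])
    return indicators

def hunt(indicators, events):
    """Sweep telemetry against the indicator set; one hit per matching event field."""
    hits = []
    for ev in events:
        for ioc_type, field in FIELD_FOR_TYPE.items():
            if field in ev:
                key = (ioc_type, normalize(ioc_type, ev[field]))
                if key in indicators:
                    hits.append({"host": ev["host"], "type": ioc_type,
                                 "value": key[1], "sources": sorted(indicators[key])})
    return hits
```

Each hit carries every feed that reported the indicator, so an analyst can see at a glance whether a match rests on one source or several.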
Hunting at scale, when one Vin Diesel isn’t enough
#4 A small footprint is required
When was the last time you heard anyone say that they have a “large footprint?”
Small footprint required
› Transparent user experience required
› Transparent administration experience required
› Be careful of “yet another agent syndrome”
› Look at the size of the agent and the percentage of CPU utilized
› Kernel or user space? Operating within the kernel can be dangerous
#5 Visibility isn’t enough, action is required
Automate as much as possible
Crawl, walk, run with automation
› Automation doesn’t have to sacrifice legitimate traffic
› Human intervention required for automation until confidence is built
› Enrichment can be automated
› Automation from endpoint, to identity, to network devices
Wrap up – vendor selection
5 Habits of Highly Effective Endpoint Threat Protection
1. Buyers must first live off the land
2. Prevention isn’t dead, but you must fall back to detection
3. This adversary isn’t going to hunt itself
4. Small footprint is required
5. Visibility isn’t enough, action is required
Habit #1: Buyers Must Live Off the Land
Be the Bear Grylls of Infosec
More than 10 Million Endpoints Deployed
The most comprehensive data collection capabilities on the planet
Every change on every asset, including who made the change
Comprehensive asset, application and vulnerability discovery
Secure and reliable log collection
Asset tagging, automated actions, correlation
What Could You Build?
Habit #2: Prevention Isn’t Dead, Fall Back to Detection
Prevention and Detection
Shrink the Attack Surface
Identify Suspicious Changes
Habit #3: This Adversary Isn’t Going to Hunt Itself
Support for Hunting
IoCs
Custom IoCs
Habit #4: Small Footprint is Required
The Smallest Footprint is The Agent You Already Have
9,000+ Customers
10,000,000 Assets
96+ Countries
Tripwire is used by:
› 90% of the Top 10 Utilities
› 80% of the Top 10 Global Retailers
› 70% of the Top 10 Global Telecommunications Firms
› More than 50% of the Fortune 500
Habit #5: Visibility Isn’t Enough, Action is Required
From Visibility to Action
Integrate to Enterprise Workflow
Increase/Decrease Monitoring
Run an Executable
Investigate
Cindy Valladares: tripwire.com/blog, @cindyv
Rick Holland: forrester.com, @rholland