Protection Against Spear Phishing and the Modern Cyber Threats
Notable 2011 Breaches
Advanced Threat Vectors
• Hidden Executables – malware executables delivered within PDFs
• Vulnerabilities – exploitable flaws in browsers and applications that let malware bypass defenses
• Portable Storage Devices – malware delivered on portable flash drives and USB sticks
• Advanced Persistent Threat
By the Numbers
• 1.6M – unique malicious code samples seen daily on average (source: Symantec)
• 55k – new malware signatures distributed daily (source: McAfee)
• 90% – US companies that fell victim to a cyber security breach at least once in the past 12 months (source: Ponemon Institute)
Acceleration of IP Loss
The Advanced Threat Landscape
Criminal Enterprises
• Broad-based and targeted attacks
• Financially motivated
• Getting more sophisticated
Hacktivists
• Targeted and destructive attacks
• Unpredictable motivations
• Generally less sophisticated
Nation-States
• Targeted and multi-stage attacks
• Motivated by information and IP
• Highly sophisticated, endless resources
The Advanced Threat
[Chart: attacker activity plotted against a workday in Beijing; time markers: Lunch, Dinner]
The Advanced Threat… 4 Steps
1. Social engineering (“email”)
2. Malware dropped
3. Malware morphs & moves
4. Data gathered & stolen
Four-part response: Trust, Detect, Protect, Measure
The Solution
A new approach is required.
Trust – Provide a trust rating on all software
Trust is assigned by user/group/organization.
IT-Driven Reputation – automatically trust software “pushed” by IT:
• Trusted Publisher – Microsoft
• Trusted User – [email protected]
• Trusted Directory – E:\sccm\packages
• Trusted Updater – WebEx
Cloud-Driven Reputation – IT sets trust policies for software “pulled” by end users (e.g. Firefox 10, Keylogger 0).
[Diagram: trust ratings on a 0–10 scale per environment (Marketing, Finance, Data Center): Excel.exe 10, Acroread.msi 10, Calc.exe 9, Firefox 10, Java.dll 10, Exchange 10, Sharepoint 10, VMware.exe 8]
Detect – Identify Risk
Real-time endpoint sensors monitor:
• File integrity
• Devices
• Memory locations
• Registry keys
• OS/application tampering
Security Ops Center:
• SIEM
• Event correlation
Forensic IR Team:
• Track every executable
• Find out how software arrives
• Learn how software propagates
• See if a file has executed
• View full audit trail
[Diagram: the same per-environment trust ratings (Marketing, Finance, Data Center), now with a Keylogger appearing in each environment and CFS (forensics) shown alongside]
Protect – Stop the APT
Enforcement policies provide protection for:
• Servers (file, application, SCADA, etc.)
• Virtualized environments
• Domain controllers
• Desktop/laptop endpoints
• Point-of-sale devices
User & context-based trust policies (e.g. Microsoft, Adobe, WebEx):
• Low enforcement – monitor unapproved software
• Medium enforcement – prompt on unapproved software
• High enforcement – block unapproved software
• Ban unauthorized software
• Perform emergency lockdown
[Diagram: per-environment trust ratings as above (Marketing, Finance, Data Center)]
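The Trust slide (IT-driven rules for publisher, user, directory and updater, with cloud reputation as the fallback) and the Protect slide (low/medium/high enforcement plus bans) together describe a decision procedure. The following is an added Python illustration of that procedure and is not Bit9's code: it rates constructed file events against a constructed policy and maps the rating to an action for each enforcement level. The rule ordering, the approval threshold of 7, the process names (ccmexec.exe, atmgr.exe, AcroRd32.exe), the account names and the hashes are assumptions for the example.

```python
"""Trust rating and enforcement decision for a newly arrived file.
Added example modelled on the Trust and Protect slides; not Bit9 code.
All rule values, paths, accounts and hashes below are constructed."""
from dataclasses import dataclass, replace
from enum import Enum
from pathlib import PureWindowsPath
from typing import Optional, Set, Tuple


class Enforcement(Enum):
    LOW = "monitor"     # unapproved software runs but is logged
    MEDIUM = "prompt"   # the user is asked before unapproved software runs
    HIGH = "block"      # unapproved software never runs


@dataclass(frozen=True)
class FileEvent:
    """A file that just arrived on an endpoint, as a sensor would report it."""
    path: str
    sha256: str
    publisher: Optional[str]         # subject of a valid code-signing cert, None if unsigned
    written_by_user: str             # account that wrote the file
    written_by_process: str          # process that wrote the file (the "updater")
    cloud_reputation: Optional[int]  # 0..10 from the reputation service, None if unknown


@dataclass
class TrustPolicy:
    trusted_publishers: Set[str]
    trusted_users: Set[str]
    trusted_directories: Set[str]
    trusted_updaters: Set[str]
    banned_hashes: Set[str]
    approval_threshold: int   # rating at or above this counts as approved
    enforcement: Enforcement


def _in_trusted_directory(path: str, directories: Set[str]) -> bool:
    # PureWindowsPath compares case-insensitively, so E:\SCCM\Packages matches E:\sccm\packages
    p = PureWindowsPath(path)
    return any(p.is_relative_to(PureWindowsPath(d)) for d in directories)


def rate(event: FileEvent, policy: TrustPolicy) -> Tuple[int, str]:
    """Return (rating 0..10, reason). Bans first, then IT-driven rules, then cloud reputation."""
    if event.sha256 in policy.banned_hashes:
        return 0, "banned hash"
    if event.publisher in policy.trusted_publishers:
        return 10, f"trusted publisher {event.publisher}"
    if _in_trusted_directory(event.path, policy.trusted_directories):
        return 10, "trusted directory"
    if event.written_by_user in policy.trusted_users:
        return 10, f"trusted user {event.written_by_user}"
    if event.written_by_process in policy.trusted_updaters:
        return 10, f"trusted updater {event.written_by_process}"
    if event.cloud_reputation is not None:
        return event.cloud_reputation, "cloud reputation"
    return 0, "unknown file, no reputation"


def decide(event: FileEvent, policy: TrustPolicy) -> dict:
    """Map the rating to an action under the policy's enforcement level."""
    rating, reason = rate(event, policy)
    if reason == "banned hash":
        action = "block"                    # a ban applies at every enforcement level
    elif rating >= policy.approval_threshold:
        action = "allow"
    else:
        action = policy.enforcement.value   # monitor / prompt / block
    return {"path": event.path, "rating": rating, "reason": reason, "action": action}


# Constructed policy; "aa"*32 stands in for a banned hash, not a real sample.
POLICY = TrustPolicy(
    trusted_publishers={"Microsoft Corporation", "Adobe Systems Incorporated"},
    trusted_users={"CORP\\sccm-svc"},
    trusted_directories={"E:\\sccm\\packages"},
    trusted_updaters={"atmgr.exe"},      # WebEx meeting manager acting as an updater (assumed name)
    banned_hashes={"aa" * 32},
    approval_threshold=7,
    enforcement=Enforcement.HIGH,
)

# Constructed events: signed Office binary, SCCM package drop, a PDF-dropped
# executable with poor reputation, and a banned driver written by that dropper.
EVENTS = [
    FileEvent(r"C:\Program Files\Microsoft Office\EXCEL.EXE", "11" * 32,
              "Microsoft Corporation", "CORP\\alice", "msiexec.exe", 10),
    FileEvent(r"E:\SCCM\Packages\hr-tool\setup.msi", "22" * 32,
              None, "CORP\\sccm-svc", "ccmexec.exe", None),
    FileEvent(r"C:\Users\bob\AppData\Local\Temp\invoice.pdf.exe", "33" * 32,
              None, "CORP\\bob", "AcroRd32.exe", 1),
    FileEvent(r"C:\Windows\System32\drivers\klog.sys", "aa" * 32,
              None, "CORP\\bob", "invoice.pdf.exe", None),
]


def run_at(level: Enforcement) -> list:
    """Decide every sample event under POLICY with the given enforcement level."""
    return [decide(e, replace(POLICY, enforcement=level)) for e in EVENTS]


if __name__ == "__main__":
    for level in Enforcement:
        print(f"--- {level.name} enforcement ---")
        for d in run_at(level):
            print(f"{d['action']:8} {d['rating']:2}  {d['reason']:32} {d['path']}")
```

Note that Adobe being a trusted publisher does not make AcroRd32.exe a trusted updater: the executable it writes to %TEMP% is unsigned and is judged on its own reputation, which is the point of separating the publisher rule from the updater rule.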
Measure – Actionable Security Intelligence
Reports for ongoing security health:
• Baseline drift
• Health dashboards
• Event categorization
• Live inventory SDK
Analytics to assess, investigate, and fine-tune your security posture:
• Find file
• Prevalence
• Device usage
Alerts for unexpected threats or requests:
• For file propagation
• For integrated helpdesk approval
• Sent to syslog
• Sent to email
Track activity required for: Audit, Governance, Compliance, SOC, Incident Response
[Diagram: per-environment trust ratings as above (Marketing, Finance, Data Center); trusted publishers Microsoft, Adobe, WebEx]
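The Detect slide (file integrity sensors, learning how software arrives and propagates) and the Measure slide (baseline drift reports, prevalence analytics) rest on two mechanics: hashing every executable into a baseline and diffing later snapshots against it, and counting on how many hosts each hash appears. The block below is an added Python illustration of both and is not Bit9's code; the directory layout, host names and file contents are constructed, and the executable-suffix filter is an assumption for the example.

```python
"""Executable baseline, drift detection and fleet prevalence.
Added example modelled on the Detect and Measure slides; not Bit9 code.
Directory contents and the three-host fleet below are constructed."""
import hashlib
import os
import tempfile
from collections import Counter
from typing import Dict, List, Tuple

# Assumed filter: which files count as "executables" for the baseline
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys", ".msi")


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, str]:
    """Baseline: relative path -> sha256 for every executable under root."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(EXECUTABLE_SUFFIXES):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = sha256_of(full)
    return baseline


def drift(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify changes since the baseline: added, modified (hash changed), removed."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
    }


def prevalence(inventories: Dict[str, Dict[str, str]]) -> Counter:
    """hash -> number of hosts on which that hash is present."""
    counts: Counter = Counter()
    for files in inventories.values():
        for h in set(files.values()):       # count each hash once per host
            counts[h] += 1
    return counts


def rare_files(inventories: Dict[str, Dict[str, str]], max_hosts: int = 1) -> List[Tuple[str, str, str]]:
    """(host, path, hash) for files on at most max_hosts hosts: where a freshly
    dropped executable shows up before it has propagated."""
    counts = prevalence(inventories)
    return sorted((host, p, h) for host, files in inventories.items()
                  for p, h in files.items() if counts[h] <= max_hosts)


def demo() -> dict:
    """Baseline a constructed endpoint, tamper with it, report drift and prevalence."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel: str, data: bytes) -> None:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)

        write("Office/EXCEL.EXE", b"MZ excel")
        write("Office/calc.exe", b"MZ calc")
        write("Office/readme.txt", b"not an executable")   # ignored by the filter
        baseline = snapshot(root)

        write("Office/calc.exe", b"MZ calc patched")        # modified in place
        write("Temp/invoice.pdf.exe", b"MZ dropper")         # new, unknown executable
        os.remove(os.path.join(root, "Office/EXCEL.EXE"))    # removed
        current = snapshot(root)

        # Constructed fleet: two clean hosts with the baseline binaries, one host
        # (mkt-02) carrying the tampered state captured above.
        fleet = {
            "mkt-01": dict(baseline),
            "fin-01": dict(baseline),
            "mkt-02": current,
        }
        return {"drift": drift(baseline, current), "rare": rare_files(fleet)}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The drift report answers "what changed on this box", and the prevalence query answers "has it spread": a hash seen on a single host is the propagation alert the Measure slide describes, and it is also the file an incident responder pulls first.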
Global Software Registry At a Glance
• Records indexed: > 7.2 billion
• Number of packages: > 15.3 million
• Unique hashes: > 450 million
• Unique executables: > 13 million
• New files indexed daily: > 8 million (average)
• Archived packages: > 50 TB
Metadata kept per file hash: source, publisher/certificate, first seen/last seen date, product, version, AV scan results, vulnerability information, threat level, trust factor.
Bit9 Global Software Registry pipeline:
• Collect – crawlers, partner feeds, subscriptions
• Extract – 140 un-packers, 300+ variants
• Analyze – AV scanners, PE analysis, correlation
• Derive – normalize data, categorize, determine trust vs. threat
• Publish – Parity knowledge, Forensics (CFS/Analyzer), File Advisor
Advanced Server Protection
Servers under protection:
• Domain controllers
• Web servers
• Application servers
• Database servers
• SharePoint servers
• Internet Security and Acceleration (ISA) servers
• Virtual servers
Server challenges:
• Security – targeted malware and cyber attacks
• Operations – unauthorized configuration changes
• Compliance – lack of demonstrable change controls
Bit9 solution:
• Security – application control, device control, memory and registry protection
• Operations – file integrity monitor and control, baseline drift reports, find unplanned changes
• Compliance – server consistency reports, site integrity validation
New Strategy for the Advanced Threat
[Diagram of the components: Security Information and Event Management (SIEM); Advanced Network Protection; Advanced Endpoint Protection; Traditional Endpoint Protection (EPP); Traditional Network Protection (IDS/IPS, UTM); Incident Response/Forensics]
Benefits
• Protect your core IP by keeping the Advanced Threat off critical servers and users
• Meet compliance requirements such as PCI DSS
• Improve operational efficiency by reducing IT helpdesk calls and time spent reimaging
• Reduce costs by understanding all software being used across the enterprise
• Reduce risk by improving incident response times to quickly and accurately identify high-risk files
Case Study – Federally Funded Research and Development Center
Situation:
• Gov’t-funded facility with ~11,000 machines
• Critical research to the nation’s defense
• Protect intellectual property and trade secrets
• Forensics located APTs on machines
• Client-based attacks identified as the “blind spot”
Bit9 solution:
• Stopped APTs and unauthorized software from executing
• Reduced number of re-images by 92 percent
• Prevented a non-trusted file “hiding” as Google Earth from executing
Case Study – Financial Technology Provider
Situation:
• Struggling to keep up with advances in malware
• Breach in a data center highlighted the urgency of the situation
• Could not stop infection from spreading to thousands of servers
Bit9 solution:
• Mitigated risk on infected or “dirty” machines
• Delivered instant visibility into applications, utilities, and tools running on servers
• Locked down hundreds of servers in less than a day
• Easily scaled to ensure protection across the entire data center
Case Study – Grocery Retailer
Situation:
• Improve performance during PCI DSS audits
• Operating 5,000 machines across 560 stores
• Must perform frequent/controlled software updates
• Found unauthorized software on store systems
Bit9 solution:
• Achieved PCI DSS compliance
• Prevented targeted/insider attacks
• Managed configuration drift
• Monitored activity and provided alerts about unwanted activity
[Architecture diagram: Management Server (Bit9 Server with Microsoft SQL Server, Active Directory Server and Console) and the Software Reputation Service, serving Corporate Endpoints: Laptops, Point of Sale, Kiosks, ATMs, Servers, Desktops, Clients]
Sample Customer List
Industries: Retail, Government, Technology/Services, Finance, Healthcare, Industrial
Bit9 Confidential Information