eGuide: Designing a Continuous Response Architecture
Table of Contents

Overview
The Problem
+ Defining the Threat
+ The Network is Not the Target
+ Incident Response is Ad Hoc
+ Incident Response is Not Forensics
+ Limited Threat Intelligence
The Solution
+ Prioritize Data Collection Over Detection
+ Highlight Instead of Filter Data Collection
+ Apply Aggregated Threat Intelligence
+ Respond in Seconds with a Recorded History
+ Security As a Process
+ Security Platform Over Product
Summary
Overview

Data acquisition, threat discovery, incident response and forensics have become arduous and incomplete—with no insight into the patterns of compromise. We’ve focused on detection techniques that filter out actionable visibility, insight into root cause and lateral movement. We’ve relied on solutions that inundate us with too many alerts to prioritize and investigate. And we’ve blindly reimaged machines by focusing on reactive forensic techniques instead of proactive incident response solutions.

Response solutions have been developed for use post-breach by the IR consultant, instead of created to enable an enterprise to proactively prepare for a breach. Additionally, responders need to focus on security solutions that can integrate with third-party solutions, whether network security products, threat intelligence providers, SIEMs, SOC tools, or other IR products. Businesses need to view security as a process and focus on solutions that can:
+ Proactively automate the tedious and time-consuming data acquisition process at the endpoint before a breach occurs
+ Layer threat intelligence on top of that continuously recorded visibility to highlight advanced threats and expedite investigations
+ Reduce the cost and complexity of incident response by instantly understanding entire attack processes
+ Evolve, adapt and learn from your investigation by using the right solutions to adjust your detection and prevention techniques moving forward

This eGuide will cover how a continuous approach to response can resolve these challenges and put your organization in a better security posture by proactively preparing for a breach.
The Problem

Defining the Threat

There are two types of attackers: opportunistic and advanced. The opportunistic attacker finds value in large-scale attacks. The more hosts the attacker compromises, the quicker a signature is generated, making it easier to identify the attack. The advanced attacker, on the other hand, finds value in small-scale and targeted attacks. By compromising fewer hosts, it takes significantly longer to generate a signature (if at all). As a result, traditional endpoint prevention, detection and response solutions are more likely to miss advanced and targeted attackers who infiltrate the enterprise.

Advanced (or zero-day) attacks can take multiple forms:
+ Unknown attack with no patch
+ Known attack with no patch
+ Known attack with available patch not yet applied
[Figure: hosts compromised versus time. Opportunistic attackers compromise as many endpoints as possible, cross the detection threshold quickly, and a signature becomes available soon after. Advanced attackers compromise as few endpoints as possible, so the detection threshold is crossed much later and a signature becomes available late, if ever.]
A response solution should be prepared for all attack phases, whether opportunistic or advanced, because you cannot know in advance what’s bad. Also, many attackers can “live off of the land” by leveraging built-in tools to reduce the number of new executables introduced into an environment—masking their lateral movement. This also enables an attacker to establish approved user accounts and escalate their privileges so they can come and go as they please. Threats are only as sophisticated as they need to be. Attackers will never waste a $5 million payload if they do not have to. As a result, enterprises need solutions that can identify all attack types—known or unknown—and respond accordingly.
The Network is Not the Target

Sixty-five percent of 2013 data breaches happened on company endpoints.[1] Many enterprises, however, still fail to deploy response solutions that can deliver actionable visibility and intelligence down to the endpoint—opting instead to sink more security dollars into their network.

“Organizations continue to spend a lot of money on network security solutions, but it’s the endpoint that is the ultimate target of advanced threats and attacks.”[2]
— 451 Research

Many enterprise security approaches can be viewed as hard on the outside but soft in the middle, because strong network defenses and weak endpoint security are a common practice. A secure corporate network should be a priority, but not the focus. This is because corporate networks are now unraveling as more employees continue to operate outside of them. These endpoints are connecting to a variety of unknown networks from a diverse set of locations with limited protection from next-generation firewalls.

The endpoint is the target of attackers because this is where the valuable data resides. Enterprises must identify key data, assess the probability of that data being targeted by attackers, estimate the business impact of that data being compromised, and determine where that data is located. The answers to these questions ultimately will bring you back to the endpoint.
[Figure: risk matrix plotting probability (adversary interest: low/unlikely, medium/possible, high/very likely) against impact to the business (low/minor, medium/moderate, high/existential). Assets placed on the matrix include documents, user credentials, web services, key IP, CRM, email content, financial information, physical computers, employee personally identifiable information, critical systems, the public website, customer information, office access and data center access.]
[1] 2014 Verizon Data Breach Investigations Report
[2] “When worlds collide: post-acquisition, Bit9 + Carbon Black emerges as a combined brand” – Javvad Malik and Adrian Sanabria – 2 Sep, 2014
However, when securing the endpoint, many rely on antivirus software as the chief component of their endpoint security strategy—but this hampers the ability of an enterprise to detect, respond to or prevent multiple attack forms as they happen. Organizations ultimately need continuous visibility, customizable detection and rapid response solutions at the endpoint. Not only will this expedite response, but it ultimately will improve and complement your network security as well.

Incident Response is Ad Hoc

Many enterprises may not invest in incident response solutions because they feel they lack the skilled staff needed to perform conclusive and confident investigations. In addition, many organizations may perceive incident response solutions as far too complex for them to leverage effectively. Without a response plan in place, if an organization is breached, reactively deploying an incident response solution can be time-consuming and extremely expensive.

For an enterprise, the goal should be to build out your security maturity framework. This means deploying solutions that enable enterprises to make the best possible decisions. Many organizational approaches to incident response are ad hoc and unpredictable, with no formal security programs. Success is usually predicated on luck—and not much else. The goal for an enterprise should be to build a formal incident response plan as well as deploy solutions that can reduce the cost and complexity of a response. Responders also should look to optimize their enterprise’s security so that any response is reliable, predictable and adaptive to the changing threat landscape.
Security Maturity Framework

Level 1, Ad Hoc (Unpredictable)
+ No formal security program or organization
+ No formal process
+ Success depends on luck

Level 2, Reactive (Not Standardized)
+ Respond to critical alerts only
+ Process is characterized for projects
+ Success depends on individual heroics

Level 3, Proactive (Formative)
+ Formal security organization, basic auditing
+ Process is characterized for the organization
+ Success depends on execution

Level 4, Managed (Measured)
+ Comprehensive security program and oversight
+ Process is measured and controlled
+ Success is demonstrable

Level 5, Optimized (Adaptive)
+ Expand from investigation to hunting
+ Process is continuously improved
+ Success is predictable
Incident Response is Not Forensics

With forensics, a breach has already happened, data has already been lost, and now you are tasked with the clean up. You may have been alerted to the breach by a third party, but now it is your job to understand what went wrong. To add to the problem, your enterprise may not have proactively collected data before the breach, which means you now will spend the next several weeks or months collecting the desperately needed data to fully scope and understand the attack. Because you are now reactively collecting data after the breach, unraveling lateral movement—especially if the attacker cleaned up their tracks by deleting prior payloads—means that understanding the root cause may take months, years—or even longer—to discover.

When responding to an incident and discovering a potential compromise, as a responder it is your job to contain the attack before data is lost. When responding, there is still a chance to stop the bleeding and intervene in an ongoing attack. This means you need to leverage response solutions that can expedite this process to detect, respond, isolate and remediate the problem as quickly as possible.

Limited Threat Intelligence

Many organizations lack the necessary threat intelligence to help them fully detect and classify attacks as they happen. Threat intelligence should be a valuable part of any detection or response solution. Without threat intelligence, enterprises can lose valuable insight into threats as they arrive in their environment.

SOC analysts and IR teams can also suffer from alert fatigue because they receive too many alerts to prioritize and investigate. With no way to sift through the noise, enterprises are finding it difficult to respond efficiently. Organizations need to focus on solutions that can accelerate the discovery of advanced threats as opposed to those that just produce more detection events. Fixing this will exponentially reduce the dwell time of threats in an environment by accelerating investigations to minimize the scope of an attack.

No one provider has a lock on the world’s threat intelligence, but many organizations still deploy security solutions that only integrate with a finite number of providers. Responders need security solutions that offer the ability to integrate with a wide range of threat intelligence feeds, as well as enable organizations to add their own custom feeds. This affords businesses the opportunity to incorporate threat intelligence feeds not initially offered by a security solution.
The Solution

Prioritize Data Collection Over Detection

If you are not prepared for a breach by prioritizing data collection before the moment of compromise, you are likely leveraging forensic tools to collect data during an investigation. Collecting data takes time, money and effort. Not to mention that reactively collecting data usually produces incomplete data sets with no way of scoping the full breadth of an attack. All of this prolongs the dwell time of the attacker and potentially magnifies the number of impacted machines in your organization—extending time to recovery.

Carbon Black enables enterprises to prepare for a breach by proactively automating and continuously recording the critical data before the moment of compromise, so you can instantly leverage that data during an investigation when a threat is discovered. This reduces the dwell time of attackers exponentially by enabling you to dive into your response immediately and recover faster.

[Figure: dwell-time timeline with three milestones: Compromised (attacker present), Breach Discovered (attacker identified) and Recovered (attacker expelled), spanning the Detection, Response and Recovery phases. Proactively collecting data before the compromise is automated and efficient; reactively collecting data after the breach is discovered is time consuming and expensive.]
Highlight Instead of Filter Data Collection

Most detection solutions filter out endpoint visibility when detecting threats in an environment. They typically provide the specific instance of the attack and its compromised host, but by filtering out endpoint visibility, they lose sight of lateral movement, root cause and the entire scope of the attack during an investigation. As a responder, your goal should be to understand the scope and root cause as confidently and quickly as possible.

Instead of filtering out visibility, Carbon Black highlights detected activity over its continuously recorded endpoint data to enable you to instantly “roll back the tape” from the detection event all the way to root cause. By proactively recording and maintaining the relationships of every file execution, file modification, registry modification, network connection and executed binary, Carbon Black delivers conclusive and confident insight into the full scope of an attack—enabling you to respond rapidly.

[Figure: Carbon Black continuously records all file executions, all file modifications, all registry modifications, all network connections and a copy of every executed binary, and highlights detected activity within that visibility to understand root cause and scope. The illustrated attack chain runs: user visits website; is sent malicious Java applet; spawns first stage payload; spawns second stage payload; injects code into Windows Explorer; takes malicious actions. Detection probability increases over time, while investigations seek root cause (goal: understand root cause).]
Apply Aggregated Threat Intelligence

Proactively collecting critical data is a starting point, but it’s not the finish line. It’s what you do with that data that’s important. Many detection and response solutions have either visibility or threat intelligence, but rarely have both. Applying threat intelligence on top of continuous endpoint visibility enables responders to detect attacks in real time and prioritize investigations.

With Carbon Black, not only is the data acquisition process automated and continuously recorded, but comprehensive threat intelligence also is simultaneously applied on top of that visibility. This delivers instant attack classification and reputation of recorded endpoint activity that’s immediately accessible and consumable during an investigation. This enables responders to drive purposeful investigations and inquiries across their entire organization.

Carbon Black applies threat intelligence through the Bit9 + Carbon Black Threat Intelligence Cloud service, which offers a robust set of third-party and proprietary threat feeds and reputation services. Carbon Black integrates with network security providers such as Check Point, Fidelis, FireEye and Palo Alto Networks, and extends to offer you the flexibility to integrate and apply your own custom feeds as well.

The combination of visibility and threat intelligence also enables responders to design and save complex queries as real-time detection alerts within Carbon Black (known as watchlists). This offers the ability to detect based on entire attack processes, network activity, threat intelligence, attack behaviors and more—not just individual events. This powerful combination also enhances your detection capabilities by delivering actionable alerts to reduce alert fatigue. By automating both the data collection and the applied threat intelligence process, responders also gain instant insight when diving into an investigation.

[Figure: the Threat Intelligence Cloud (threat indicators, reputation, attack classification) feeds the console, which sits above the continuous data collection from each endpoint; detected activity is flagged on the endpoints, instantly classifying the collected data with applied threat intelligence.]
Respond in Seconds with a Recorded History

By automating the tedious and time-consuming data acquisition process and layering threat intelligence on top of that visibility, responders can “roll back the tape” in Carbon Black to understand the root cause the instant a compromise is discovered. By understanding the context and relationships within the collected data, Carbon Black also can perform surgical investigations to identify deleted payloads, lateral movement, malicious outbound connections, and more, to identify every step, move and behavior of an attack. This enables responders to see the entire kill chain of an attack in seconds to fully scope the environment and instantly isolate, contain and remediate impacted machines.

By understanding root cause and the entire attack scope during an investigation, Carbon Black can reduce the cost of blind reimaging by only responding to affected endpoints. By leveraging a recorded history, Carbon Black also can help enterprises immediately learn from their investigations to improve their threat prevention, detection and response in the future.

[Figure: the same attack chain seen with a recorded history: user visits website; is sent malicious Java applet; spawns first stage payload (later a deleted payload); lateral movement to a second host; on each host, spawns second stage payload, injects code into Windows Explorer, takes malicious actions. With Carbon Black, instantly “roll back the tape” with a recorded history from the point of discovery to understand the full attack scope.]
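The “roll back the tape” walk described under Highlight Instead of Filter Data Collection and in the section above, as an added example that is not Carbon Black’s code: a toy recorded history keeps every parent/child, host, network and file relationship instead of filtering to the alerted event, and a single detection on one process is walked back to root cause and forward to every process, host, lateral move and deleted payload in scope. The event schema, GUIDs, hosts, paths, hashes and the 203.0.113.10 address are all constructed for illustration.

```python
"""Added example, not Carbon Black's code: a toy continuously recorded endpoint
history and the walk from one detection event back to root cause and forward
to the full attack scope.  Event fields, GUIDs, hosts, paths and hashes are
constructed; 203.0.113.10 is a documentation address."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class ProcessEvent:
    guid: str                   # unique id the sensor assigns to a process
    host: str                   # endpoint the process ran on
    name: str                   # image name
    path: str                   # image path on disk
    md5: str                    # hash of the executed binary (copy retained by the sensor)
    parent: Optional[str]       # guid of the parent process, None for a root
    ts: int                     # seconds since recording started
    netconns: List[str] = field(default_factory=list)             # remote addresses contacted
    filemods: List[Tuple[str, str]] = field(default_factory=list)  # (action, path)


class RecordedHistory:
    """Process tree kept in full; relationships are never dropped at detection time."""

    def __init__(self, events: List[ProcessEvent]):
        self.by_guid: Dict[str, ProcessEvent] = {e.guid: e for e in events}
        self.children: Dict[Optional[str], List[str]] = {}
        for e in sorted(events, key=lambda e: e.ts):
            self.children.setdefault(e.parent, []).append(e.guid)

    def roll_back(self, guid: str) -> List[str]:
        """Follow parent links from a detected process back to its root; root first."""
        chain, seen = [], set()
        while guid is not None and guid in self.by_guid and guid not in seen:
            seen.add(guid)
            chain.append(guid)
            guid = self.by_guid[guid].parent
        return list(reversed(chain))

    def scope(self, root: str) -> List[str]:
        """Every process descended from the root, across hosts, in spawn order."""
        out, stack = [], [root]
        while stack:
            g = stack.pop()
            out.append(g)
            stack.extend(reversed(self.children.get(g, [])))
        return out

    def affected_hosts(self, root: str) -> List[str]:
        return sorted({self.by_guid[g].host for g in self.scope(root)})

    def lateral_moves(self, root: str) -> List[Tuple[str, str]]:
        """(source host, destination host) where a child ran on a different host than its parent."""
        moves = []
        for g in self.scope(root):
            e = self.by_guid[g]
            if e.parent and self.by_guid[e.parent].host != e.host:
                moves.append((self.by_guid[e.parent].host, e.host))
        return moves

    def deleted_payloads(self, root: str) -> List[Tuple[str, str]]:
        """Executed binaries later deleted from disk; the hash survives in the record."""
        deleted = {p for g in self.scope(root)
                   for a, p in self.by_guid[g].filemods if a == "delete"}
        return [(self.by_guid[g].path, self.by_guid[g].md5)
                for g in self.scope(root) if self.by_guid[g].path in deleted]


# Constructed sample history mirroring the chain in the figure above.
STAGE1 = r"C:\Users\alice\AppData\Local\Temp\stage1.exe"
SAMPLE = RecordedHistory([
    ProcessEvent("g1", "WS-01", "java.exe", r"C:\Program Files\Java\bin\java.exe", "a" * 32, None, 0),
    ProcessEvent("g2", "WS-01", "stage1.exe", STAGE1, "b" * 32, "g1", 5),
    ProcessEvent("g3", "WS-01", "stage2.exe", r"C:\Users\alice\AppData\Local\Temp\stage2.exe",
                 "c" * 32, "g2", 9, netconns=["203.0.113.10"], filemods=[("delete", STAGE1)]),
    ProcessEvent("g4", "WS-02", "svchelper.exe", r"C:\Windows\Temp\svchelper.exe", "c" * 32, "g3", 40),
    ProcessEvent("g5", "WS-03", "outlook.exe", r"C:\Program Files\Microsoft Office\outlook.exe",
                 "d" * 32, None, 1),
])


def investigate(history: RecordedHistory, detected_guid: str) -> dict:
    """From one detection event, produce root cause, chain, scope, hosts, moves and payloads."""
    chain = history.roll_back(detected_guid)
    root = chain[0]
    return {
        "root_cause": history.by_guid[root].name,
        "chain": [history.by_guid[g].name for g in chain],
        "scope": history.scope(root),
        "hosts": history.affected_hosts(root),
        "lateral": history.lateral_moves(root),
        "deleted_payloads": history.deleted_payloads(root),
    }


if __name__ == "__main__":
    # The detection event: stage2.exe's outbound connection was flagged.
    for k, v in investigate(SAMPLE, "g3").items():
        print(f"{k}: {v}")
```

The point of the example is what filtering would have lost: an alert on stage2.exe alone says nothing about java.exe as the entry point, the second host, or the first-stage binary that no longer exists on disk. Because the parent link and the deleted file’s hash were recorded before the detection, `investigate` answers all three from the one alert, and the host list it returns is exactly the set of machines worth remediating rather than every machine in the fleet.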
Security As a Process

When developing an incident response plan, security should never be viewed as static. Everything should work as an ongoing process and lifecycle, with the goal of ensuring that any response can evolve, adapt and learn from the investigation after it is concluded. Without continuous endpoint visibility and threat intelligence at the core of your enterprise’s response plan, this can be extremely difficult.
With proactive endpoint visibility as the backbone of Carbon Black, responders can detect, respond and remediate in seconds. However, the goal should be to evolve, adapt and strengthen your prevention and detection solutions moving forward as well. With Carbon Black, any investigation can be saved as a watchlist to detect in real time moving forward. Additionally, Carbon Black and Bit9 now work together to automate Carbon Black’s real-time detection capabilities with Bit9’s leading advanced threat prevention solution. Bit9 can now pull in Carbon Black watchlists and drive prevention policy off of those detection events as they occur—providing the most comprehensive protection against advanced threats.
[Figure: response and prevention working together.]

RESPONSE
+ Visibility: know what’s happening on every computer right now
+ Detection: detect attacks in real time without signatures
+ Use a recorded history to see an attack’s full kill chain

PREVENTION
+ Stop attacks with proactive, customizable techniques

Workflow:
+ Define watchlists in Carbon Black
+ Automate watchlist alerts from Carbon Black in Bit9
+ Leverage Bit9 event rules to automate prevention policy off Carbon Black watchlist alerts
+ Instantly dive back into Carbon Black for deeper analysis and investigations
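Both the aggregated-intelligence watchlists described under Apply Aggregated Threat Intelligence and the watchlist-to-prevention handoff described in this section, as an added example that is not Carbon Black’s or Bit9’s code: several feeds (two vendor feeds and a custom SOC feed) are merged into one indicator index, applied over recorded endpoint events without discarding the unmatched ones, a watchlist is expressed as a saved query over process ancestry plus intelligence hits with a priority derived from how many feeds agree, and the resulting alerts are turned into ban rules for the prevention layer. Feed names, indicators, event fields, the 203.0.113.10 and 198.51.100.7 addresses and the rule format are all constructed for illustration.

```python
"""Added example, not Carbon Black or Bit9 code: aggregate several threat
intelligence feeds, enrich recorded endpoint events with hits, define a
watchlist as a saved query over process ancestry plus hits, and hand the
alerts to prevention as ban rules.  All feeds, indicators, events and the
rule format are constructed for illustration."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed feeds: feed -> indicator type -> indicator -> classification.
FEEDS = {
    "vendor-a":   {"ipv4":   {"203.0.113.10": "c2 infrastructure"}},
    "vendor-b":   {"md5":    {"b" * 32: "dropper"}},
    "custom-soc": {"domain": {"updates.example.test": "suspicious domain"},
                   "ipv4":   {"203.0.113.10": "seen in prior incident"}},
}

Index = Dict[Tuple[str, str], Dict[str, str]]


def aggregate(feeds: Dict) -> Index:
    """Merge every feed into one index keyed by (type, value), keeping each source."""
    index: Index = defaultdict(dict)
    for feed, kinds in feeds.items():
        for kind, entries in kinds.items():
            for value, classification in entries.items():
                index[(kind, value)][feed] = classification
    return dict(index)


# Constructed recorded events, the same chain as in the figures above.
EVENTS = [
    {"guid": "g1", "host": "WS-01", "proc": "java.exe",   "parent": None, "md5": "a" * 32,
     "ipv4": [], "domain": ["www.example.test"]},
    {"guid": "g2", "host": "WS-01", "proc": "stage1.exe", "parent": "g1", "md5": "b" * 32,
     "ipv4": [], "domain": []},
    {"guid": "g3", "host": "WS-01", "proc": "stage2.exe", "parent": "g2", "md5": "c" * 32,
     "ipv4": ["203.0.113.10"], "domain": ["updates.example.test"]},
    {"guid": "g4", "host": "WS-03", "proc": "outlook.exe", "parent": None, "md5": "d" * 32,
     "ipv4": ["198.51.100.7"], "domain": ["mail.example.test"]},
]


def enrich(events: List[dict], index: Index) -> Dict[str, List[Tuple[str, str, Dict[str, str]]]]:
    """Highlight rather than filter: every event keeps its record, hits are attached."""
    hits = {}
    for e in events:
        observed = ([("md5", e["md5"])] + [("ipv4", v) for v in e["ipv4"]]
                    + [("domain", v) for v in e["domain"]])
        hits[e["guid"]] = [(k, v, index[(k, v)]) for k, v in observed if (k, v) in index]
    return hits


def priority(event_hits) -> int:
    """Number of distinct feeds agreeing on an event; more agreement, higher priority."""
    return len({feed for _, _, sources in event_hits for feed in sources})


def ancestors(events: List[dict], guid: str) -> List[str]:
    """Process names up the parent chain, nearest parent first."""
    by_guid = {e["guid"]: e for e in events}
    out, cur = [], by_guid[guid]["parent"]
    while cur is not None:
        out.append(by_guid[cur]["proc"])
        cur = by_guid[cur]["parent"]
    return out


def watchlist_browser_plugin_chain(events: List[dict], hits) -> List[Tuple[str, int]]:
    """Saved query: any process descended from java.exe that carries a threat-intel hit.
    Returns (guid, priority), highest priority first."""
    alerts = [(e["guid"], priority(hits[e["guid"]]))
              for e in events
              if hits[e["guid"]] and "java.exe" in ancestors(events, e["guid"])]
    return sorted(alerts, key=lambda a: -a[1])


def prevention_rules(alerts: List[Tuple[str, int]], events: List[dict]) -> List[dict]:
    """Hand watchlist alerts to the prevention layer as hash-ban rules (constructed format)."""
    by_guid = {e["guid"]: e for e in events}
    return [{"action": "ban", "md5": by_guid[g]["md5"], "reason": f"watchlist hit, priority {p}"}
            for g, p in alerts]


if __name__ == "__main__":
    idx = aggregate(FEEDS)
    h = enrich(EVENTS, idx)
    al = watchlist_browser_plugin_chain(EVENTS, h)
    print(al)
    print(prevention_rules(al, EVENTS))
```

Two design choices carry the section’s argument. First, `aggregate` keeps every source behind an indicator instead of collapsing to one verdict, so the custom SOC feed can corroborate a vendor feed and `priority` can rank the second-stage process above the first; that ranking is what separates an actionable alert from noise. Second, the watchlist matches on ancestry plus intelligence rather than on one event, so the unflagged java.exe that started the chain is still the anchor of the query, and the ban rules go out for the binaries actually involved rather than for every process that touched a flagged address.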
ABOUT BIT9 + CARBON BLACK

The combination of Bit9 + Carbon Black offers the most complete answer to the newer, more advanced threats and targeted attacks intent on breaching an organization’s endpoints. This comprehensive approach makes it easier for organizations to see—and immediately stop—advanced threats. Our solution combines Carbon Black’s lightweight endpoint sensor, which can be rapidly deployed with no configuration to deliver “incident response in seconds,” and Bit9’s industry-leading prevention technologies. Benefits include:
+ Continuous, real-time visibility into what’s happening on every computer
+ Real-time threat detection, without relying on signatures
+ Instant response by seeing the full “kill chain” of any attack
+ Protection that is proactive and customizable

Bit9 + Carbon Black delivers a comprehensive solution for continuous endpoint threat security. This is why thousands of organizations worldwide—from 25 Fortune 100 companies to small businesses—use our proven solution. The result is increased security, reduced operational costs and improved compliance.

266 Second Avenue, Waltham, MA 02451 USA | P 617.393.7400 | F 617.393.7499 | www.bit9.com
© 2014 Bit9 is a registered trademark of Bit9, Inc. All other company or product names may be the trademarks of their respective owners. 20140930
Security Platform Over Product

Most security solutions lock you into their ecosystem. Part of the challenge when leveraging multiple security products is getting them to work together and collaborate to give you the level of protection you desire. This could be integrating your existing endpoint security with network security products, pulling in third-party threat intelligence providers, combining multiple security products, or other challenges.

Carbon Black is a security platform, not a product. We understand that it’s your data to use how you want. By leveraging Carbon Black’s open API, you can easily and seamlessly integrate all endpoint sensor data and threat intelligence with custom, proprietary or third-party security solutions. Also, you can easily pull network providers and custom threat feeds into Carbon Black to tailor your detection and response capabilities for your specific enterprise. IT hires staff to support technology. Security operations buys technology to support staff. Invest in solutions that enable your people to make the best possible decisions.

Summary

Enterprises are in a state of continuous compromise. To combat this, organizations need to prepare for a breach so they can instantly respond at the moment a threat is discovered. This means deploying solutions that can:
+ Automate the tedious and time-consuming data acquisition process
+ Aggregate and apply comprehensive threat intelligence
+ Leverage recorded history to surgically investigate across entire attack processes
+ Evolve and learn from your response to adapt detection and prevention solutions

Unlike scan-based data collection tools that only deliver the current state of your environment, Carbon Black can expand detection beyond the moment of compromise to detect and respond to attacks across the entire kill chain. As a result, Carbon Black makes advanced threats easier to see and faster to contain by empowering SOC and IR teams to arm their endpoints against the most advanced and targeted threats.