esen re advanced security services · 2019. 2. 11. · threat protec on esen re advanced security...
TRANSCRIPT
ac�ve threat protec�on
eSen�re Advanced Security Services The Gartner Con�nuous Advanced Threat Protec�on
Mark Sangster | VP Marke�ng mark.sangster@esen�re.com
Presented to: SecTor 2014
Presented by: eSen�re, Inc.
Date: 22 October 2014
Leaders in Threat Protec�on Services Securing over $2.0 Trillion in Assets
4 November 2014 Slide 2
Founded 2001
450 Clients with Extensive IP in Heavily Regulated
Industries
99.6% Customer Loyalty
Typical Customer A�ributes
» 50-‐25,000 employees
» 1 –20 global offices
» 1-‐25 sensors/customer
» $250M to $160B AuM
High Risk Sensi�vity
Min. in-‐house skills
High value assets
Follow Us @eSen�re Copyright © eSen�re 2014
4 November 2014 Copyright © eSen�re -‐ Confiden�al Slide 3
You Will Be Hacked.
Looking for a New Category
4 November 2014 Slide 4
MSSP EMERGENT TERMINOLOGY
CONVERGENCE INSTABILITITY & JOCKEYING INCUMBENT CATEGORY
Security model is broken
Value dissonance: spend vs. secure
Analyst Defini�ons
Incumbent Vendor
Reposi�oning
New Market Entrants
Device Management
Threat Management
CMaaS/CTP
Opportunity to nudge industry in our direc�on
CONVERGENT POSITIONING
Follow Us @eSen�re Copyright © eSen�re 2014
Gartner Cross-‐silo Architecture
4 November 2014 Slide 5
MSSP EMERGENT TERMINOLOGY
CONVERGENCE INSTABILITITY & JOCKEYING INCUMBENT CATEGORY
Security model is broken
Value dissonance: spend vs. secure
Analyst Defini�ons
Incumbent Vendor
Reposi�oning
New Market Entrants
Device Management
Threat Management
CMaaS/CTP
Opportunity to nudge industry in our direc�on
CONVERGENT POSITIONING
2008-‐2012 2013 2014
MSSP Managed Security Services
CMaaS Con�nuous Monitoring
C-‐ATP Ac�ve Threat Protec�on
Follow Us @eSen�re Copyright © eSen�re 2014
Gartner Architecture: Con�nuous Advanced Threat Protec�on
_2014 Gartner discovers a new security
approach called continuous advanced threat
protection_
4 November 2014 Slide 6 Follow Us @eSen�re Copyright © eSen�re 2014
TARGETS
» Intellectual property (IP)
» Website Brand Damage
» Mergers and acquisi�on (M&A) insider informa�on
» Creden�als to bank accounts
» Industry-‐sensi�ve documents and informa�on
The Risks to Enterprise
4 November 2014 Slide 7
ATTACKS
» Socially engineered emails/calls
» Phishing scams (emails with infected links)
» Infected media
» Stolen mobile devices
THREAT ACTORS
» Hack�vists/Ac�vists
» Terrorists
» Na�on state-‐sponsored
» Organized Criminals
» Smash-‐&-‐Grab Criminals
» Insiders
Follow Us @eSen�re Copyright © eSen�re 2014
14-‐11-‐04 Slide 8
Over the past 12 months, the SOC has iden�fied: -‐ 100% increase in Spear Phishing a�acks -‐ 10% increase in DriveByDownload a�acks -‐ 20% increase in focused Scans/Brute Force a�acks
eSen�re SOC Threat Data and Trends (Q12014, YoY)
SpearPhishing 47%
Focused Scans / BruteForce
29%
DriveByDownload 19%
Other 5%
Follow Us @eSen�re Copyright © eSen�re 2014
A�acks O�en Remain Undetected
4 November 2014 Follow Us @eSen�re Copyright © eSen�re 2014 Slide 9
78% Ini�al Intrusions Rates
as LOW Difficulty
69% Discovered by
EXTERNAL Par�es
66% Took MONTHS or More
to Discover
40% Used Some Form of MALWARE
Security Technology Spend Doubled in 10 Years
4 November 2014 Follow Us @eSen�re Copyright © eSen�re 2014 Slide 10
$0 $5
$10 $15 $20 $25 $30 $35 $40 $45 $50
2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013
$46 Billion Globally in 2013
$86B 2016
$60B 2012
$67B 2013
Tradi�onal Security Approaches
4 November 2014 Follow Us @eSen�re Copyright © eSen�re 2014 Slide 11
ASSETS & DATA
PERIMETER DEFENSE
Tradi�onal Security Approaches
4 November 2014 Follow Us @eSen�re Copyright © eSen�re 2014 Slide 12
Router Firewall
Malware Detec�on User ID and Password
Data
Tradi�onal Security Approaches
4 November 2014 Follow Us @eSen�re Copyright © eSen�re 2014 Slide 13
Data Host Virtualiza�on
IDS Router Firewall
VPN PKI
Malware Detec�on User ID and Password
4 November 2014 Follow Us @eSen�re Copyright © eSen�re 2014 Slide 14
Data SW & HW Cer�ficates
IPS Packet Inspec�on
SSL Host Virtualiza�on
IDS Router Firewall
Hard Tokens Containeriza�on Virtualiza�on
VPN PKI
Malware Detec�on User ID and Password
Gartner Security Findings
Signatures are dead is misguided hyperbole
Detec�on and Response > Blocking and Preven�on
Incident Response is the wrong mindset
Protec�on is integrated service NOT siloed offerings
Monitoring and Analy�cs are at the core of all next-‐genera�on Security pla�orms
4 November 2014 Slide 15 Follow Us @eSen�re Copyright © eSen�re 2014
Legacy Security Is No Match for Targeted A�acks
4 November 2014 Follow Us @eSen�re Copyright © eSen�re 2014 Slide 16
INDISCRIMINATE Malware | SPAM | DoS
Threats are evolving from nuisance to targeted a�acks
TACTICAL Compliance-‐based | Reac�onary
STRATEGIC Intelligence-‐driven | Con�nuous
PHILOSOPHY Perimeter (mul�ple, dislocated) Assume constant compromise
FOCUS Protect all systems Priori�ze high-‐risk assets
DETECTION Signature-‐based technology Behavioral-‐based technology & methods
AWARENESS Headline news Consume real-‐�me threat feeds
RESPONSE Shut down/wipe compromised systems Quaran�ne, gather and preserve forensics
*Architecture a�ributed to IBM
Legacy Security Is No Match for Targeted A�acks
4 November 2014 Follow Us @eSen�re Copyright © eSen�re 2014 Slide 17
INDISCRIMINATE Malware | SPAM | DoS
TARGETED Advanced | Persistent | Organized | Mo�vated
Threats are evolving from nuisance to targeted a�acks
TACTICAL Compliance-‐based | Reac�onary
STRATEGIC Intelligence-‐driven | Con�nuous
PHILOSOPHY Perimeter (mul�ple, dislocated) Assume constant compromise
FOCUS Protect all systems Priori�ze high-‐risk assets
DETECTION Signature-‐based technology Behavioral-‐based technology & methods
AWARENESS Headline news Consume real-‐�me threat feeds
RESPONSE Shut down/wipe compromised systems Quaran�ne, gather and preserve forensics
*Architecture a�ributed to IBM
PREDICT PROACTIVE EXPOSURE ASSESSMENT PREDICT ATTACKS BASELINE SYSTEMS
RESPOND
REMEDIATE/MAKE CHANGES DESIGN/MODEL CHANGE INVESTIGATE/FORENSICS
PREVENT HARDEN AND ISOLATE SYSTEMS
DIVERT ATTACKERS
PREVENT INCIDENTS
DETECT
DETECT INCIDENTS
CONFIRM AND PRIORITIZE
CONTAIN INCIDENTS
Gartner C-‐ATP Architecture
4 November 2014 Slide 18 Follow Us @eSen�re Copyright © eSen�re 2014
CONTINUOUS MONITORING
& ANALYTICS
Gartner C-‐ATP Full Lifecycle Protec�on
4 November 2014 Slide 19 Follow Us @eSen�re Copyright © eSen�re 2014
PREDICT PROACTIVE EXPOSURE ASSESSMENT PREDICT ATTACKS BASELINE SYSTEMS
RESPOND
REMEDIATE/MAKE CHANGES DESIGN/MODEL CHANGE INVESTIGATE/FORENSICS
PREVENT HARDEN AND ISOLATE SYSTEMS
DIVERT ATTACKERS
PREVENT INCIDENTS
DETECT
DETECT INCIDENTS
CONFIRM AND PRIORITIZE
CONTAIN INCIDENTS
CONTINUOUS MONITORING
& ANALYTICS
DURIN
G
Gartner Five Styles of Defense
4 November 2014 Slide 20 Follow Us @eSen�re Copyright © eSen�re 2014
TIME
WHE
RE TO LOOK REAL-‐TIME/NEAR REAL-‐TIME POST COMPROMISE
NETWORK STYLE 01 Network Traffic Analysis
STYLE 02 Network Forensics
PAYLOAD STYLE 03 Payload Analysis
ENDPOINT STYLE 04 Endpoint Behavior Analysis
STYLE 05 Endpoint Forensics
DETECTION RESPONSE
Con�nuous Monitoring at All Layers
4 November 2014 Slide 21 Follow Us @eSen�re Copyright © eSen�re 2014
NETWORK ENDPOINT
APPLICATION FRONT END
APPLICATION BACK END
PEOPLE
INFORMAITON
Paradigm Shi� in Security
4 November 2014 Slide 22 Follow Us @eSen�re Copyright © eSen�re 2014
OLD MINDSET NEW REALITIES
SIGNATURES ALGORITHMS
POINT SOLUTIONS PLATFORMS -‐ CORRELATE
FIXED PERIMETERS ADAPTIVE PERIMETERS
OWNERSHIP = TRUST REPUTATION SERVICES
SECURITY APPLIANCES SECURITY SOFTWARE
SOLUITION SILOS ADAPTIVE SYSTEMS
SECURITY APPLIANCES SECURITY SOFTWARE
MANUAL POLICY CONFIG AUTOMATION
BLOCK/PREVENT DETECT/RESPOND
INCIDENT RESPONSE CONTINUOUS RESPONSE
PROTECT NETWORK/DEVICES PROTECT INFORMATION
Gartner Recommenda�ons
4 November 2014 Slide 23
Spend less on preven�on and more on detec�on and response »
Follow Us @eSen�re Copyright © eSen�re 2014
Use Gartner’s 12 Cri�cal Capabili�es Framework » Shi� from Incident to Con�nuous Response » Develop a SOC to provide con�nuous monitoring » Con�nuous Monitoring at all layers »
The Case for Ac�ve Threat Protec�on
4 November 2014 Slide 24
» Ever changing threat landscape » ‘Set and forget’ is a myth
» Recrui�ng: scarce talent pool » Retaining: highly compe��ve market
» Infrastructure, process dev/adherence » Costly to build and maintain
»
»
»
TECHNOLOGY
PROCESS
PEOPLE
Follow Us @eSen�re Copyright © eSen�re 2014
A Final Thought…
4 November 2014 Follow Us @eSen�re Copyright © eSen�re 2014 Slide 25
Gartner C-‐ATP | PREVENT
4 November 2014 Slide 26
PREDICT
PROACTIVE EXPOSURE ASSESSMENT PREDICT ATTACKS BASELINE SYSTEMS
RESPOND
REMEDIATE/MAKE CHANGES DESIGN/MODEL CHANGE INVESTIGATE/FORENSICS
PREVENT
HARDEN AND ISOLATE SYSTEMS
DIVERT ATTACKERS
PREVENT INCIDENTS
DETECT
DETECT INCIDENTS
CONFIRM AND PRIORITIZE
CONTAIN INCIDENTS
CONTINUOUS MONITORING
& ANALYTICS
PREVENT
HARDEN AND ISOLATE SYSTEMS
DIVERT ATTACKERS
PREVENT INCIDENTS
eSen�re CAPABILITIES
AUTOMATIC BLOCKS BASED ON IOCS
INBOUND PATIENT ZERO PROTECTION
SIGNATURE-‐BASED PREVENTION
DYNAMIC REPUTATION DEFENSE
MANAGED WHITELISTING
Follow Us @eSen�re Copyright © eSen�re 2014
Gartner C-‐ATP | PREVENT
4 November 2014 Slide 27
PREDICT
PROACTIVE EXPOSURE ASSESSMENT PREDICT ATTACKS BASELINE SYSTEMS
RESPOND
REMEDIATE/MAKE CHANGES DESIGN/MODEL CHANGE INVESTIGATE/FORENSICS
PREVENT
HARDEN AND ISOLATE SYSTEMS
DIVERT ATTACKERS
PREVENT INCIDENTS
DETECT
DETECT INCIDENTS
CONFIRM AND PRIORITIZE
CONTAIN INCIDENTS
CONTINUOUS MONITORING
& ANALYTICS
DETECT
DETECT INCIDENTS
CONFIRM AND PRIORITIZE
CONTAIN INCIDENTS
eSen�re CAPABILITIES
SANDBOX/MALWARE DETONATION
BEHAVIOR-‐BASED DETECTION ZERO-‐DAY EVENTS
IMMEDIATE AUTOMATIC &
SOC-‐BASED CONTAINMENT AND REPORTING
BEHAVIOR-‐BASED SIGNATURE
UPDATING
Follow Us @eSen�re Copyright © eSen�re 2014
Gartner C-‐ATP | PREVENT
4 November 2014 Slide 28
PREDICT
PROACTIVE EXPOSURE ASSESSMENT PREDICT ATTACKS BASELINE SYSTEMS
RESPOND
REMEDIATE/MAKE CHANGES DESIGN/MODEL CHANGE INVESTIGATE/FORENSICS
PREVENT
HARDEN AND ISOLATE SYSTEMS
DIVERT ATTACKERS
PREVENT INCIDENTS
DETECT
DETECT INCIDENTS
CONFIRM AND PRIORITIZE
CONTAIN INCIDENTS
CONTINUOUS MONITORING
& ANALYTICS
RESPOND
REMEDIATE/MAKE CHANGES DESIGN/MODEL CHANGE INVESTIGATE/FORENSICS
eSen�re CAPABILITIES
TARGETED RETROSPECTION
RAPID REMEDIATION
EMBEDDED INCIDENT RESPONSE
OPERATIONALIZED FORENSICS
ACTIONABLE ANALYTICS
Follow Us @eSen�re Copyright © eSen�re 2014
TRAP
4 November 2014 Slide 29
T Targeted
R Retrospec�on A Analy�cs P Pla�orm
Follow Us @eSen�re Copyright © eSen�re 2014
Targeted Retrospec�on
4 November 2014 Slide 30
DISCOVERY DISCLOSURE PATCH AVAILABILITY
PATCH DEPLOYMENT
PATCH COMPLETION
NOW INTRO
MIN
MAX
Follow Us @eSen�re Copyright © eSen�re 2014
Gartner C-‐ATP | PREVENT
4 November 2014 Slide 31
PREDICT
PROACTIVE EXPOSURE ASSESSMENT PREDICT ATTACKS BASELINE SYSTEMS
RESPOND
REMEDIATE/MAKE CHANGES DESIGN/MODEL CHANGE INVESTIGATE/FORENSICS
PREVENT
HARDEN AND ISOLATE SYSTEMS
DIVERT ATTACKERS
PREVENT INCIDENTS
DETECT
DETECT INCIDENTS
CONFIRM AND PRIORITIZE
CONTAIN INCIDENTS
CONTINUOUS MONITORING
& ANALYTICS
PREDICT
PROACTIVE EXPOSURE ASSESSMENT PREDICT ATTACKS BASELINE SYSTEMS
eSen�re CAPABILITIES
POLICY RISK PROFILING
THREAT INTELLIGENCE/ REPUTATION FEEDS
EVENT LOG ANOMALIES
CONTINUOUS VULNERABILITY
ASSESSMENTS
Follow Us @eSen�re Copyright © eSen�re 2014