
WHITE PAPER

SECURITY REIMAGINED, PART I: AN ADAPTIVE APPROACH TO CYBER THREATS FOR THE DIGITAL AGE


Security Reimagined: An Adaptive Approach to Cyber Threats for the Digital Age

CONTENTS

A HISTORY OF REIMAGINING
REIMAGINING SECURITY FOR A NEW GENERATION OF ATTACKS
WHAT’S WRONG WITH THE STATUS QUO?
ADOPTING AN ADAPTIVE STRATEGY
INTEGRATING TOOLS AND TECHNOLOGIES
ENABLING BIG-PICTURE VIGILANCE
LEANING FORWARD WITH INTELLIGENCE
RESPONDING NIMBLY WITH A RESPONSIVE ARCHITECTURE
WHEN DEFENSE IN DEPTH IS NEITHER
CONCLUSION AND RECOMMENDATIONS

Figure: the Adaptive Defense cycle: Detect, Prevent, Analyze, Resolve.


EXECUTIVE SUMMARY

Conventional security detects threats too late (if at all), and resolves them too slowly. It gives security teams a fragmented, incomplete view into what’s going on in their network. It’s passive and blind to broader threat trends. And it reacts too slowly to new threats and changing conditions.

Organizations need a flexible, deeply integrated framework that offers a far-reaching view of threats and evolves as quickly as conditions do.

FireEye calls this approach Adaptive Defense™.

Rather than trying (and failing) to prevent every attack, organizations that implement an adaptive model recognize that some attacks will get through. They change their mindset and aim to quickly detect attacks and then respond forcefully to prevent the worst results: stolen data, costly fixes, and tarnished reputations.

To reduce both key metrics, time to detect and time to resolve, organizations must be able to adapt as attackers change their tactics. Their security architecture must be agile. It must be deeply integrated for an end-to-end view of attacks. It must present a full picture of threats by incorporating internal and external intelligence. And it must take an active, “lean-forward” posture that doesn’t just wait for attacks but anticipates them.

This is security reimagined.

IT’S TIME TO REIMAGINE SECURITY.

A HISTORY OF REIMAGINING

SOMETIMES PROGRESS REQUIRES MORE THAN INCREMENTAL CHANGE.

It demands a fundamentally new approach. It entails rethinking old assumptions and revamping tired orthodoxies. It means reworking broken models—or rebuilding them from the ground up. Meaningful progress is all about reinventing, reforming, and refashioning the past. And it’s about reimagining the present.


THROWING BASEBALL A CURVE

In 1863, 14-year-old Arthur Cummings was goofing off on a beach near his Brooklyn home when he noticed that he could throw seashells in curved paths into the water. “All of a sudden, it came to me,” he recalled in a magazine essay years later, “It would be a good joke on the boys if I could make a baseball curve the same way.”1 Over the next four years, his epiphany became an obsession. He perfected the throw during his off time as he rose through baseball’s amateur ranks, finally debuting the throw in an 1867 game against Harvard College. It worked. Harvard’s batters were helpless against his new throwing technique, now known as the curveball. The reimagined pitch allowed the lanky 120-pound, 5-foot-nine pitcher to dominate the game—and changed baseball forever. Today, the curveball remains a key part of every pitcher’s arsenal.

JUMP-STARTING ELECTRIC DISTRIBUTION

About a decade later, George Westinghouse reimagined the way electricity was delivered to homes and businesses. He saw the limits of Thomas Edison’s direct current system, which sent electricity at a constant voltage and lost power along the way. With alternating current, Westinghouse knew, power plants could transmit power at higher voltages less prone to leakage. That enabled power providers to transmit electricity over much longer distances. And because transformers reduced the voltage as needed for each endpoint, the same power infrastructure could serve homes and industry. The upshot: utilities could serve a larger population with fewer power plants, slashing costs—and leading America into the Electric Age.

1 Arthur “Candy” Cummings. “How I Pitched the First Curve.” The Baseball Magazine, August 1908.

Figure: left, Arthur “Candy” Cummings (1863); right, an alternating-current generator pictured in a newspaper ad for The Westinghouse Electric Co. in the late 1880s.


REIMAGINING SECURITY FOR A NEW GENERATION OF ATTACKS

In this generation, the Internet has spurred a new frontier for innovation across the globe. Today’s pioneers have reimagined everything from banking to healthcare to education to entertainment. The Internet has changed the way we stay in touch with friends, track our health, get around town, stay up to date, learn new things, watch TV and movies, and manage our money. The global network—several billion connected devices and counting—has altered countless industries and touched nearly every aspect of civilization.

It has also changed the nature of cyber crime and espionage. As our time, personal information, and money have gone online, cyber attackers have quickly followed. Empowered by the same advances that have transformed countless industries, cyber attackers have evolved. Targeted, well-funded cyber crime rings have replaced the opportunistic hackers of yesterday. State-sponsored spy operations that would have stretched belief in a spy novel just a few years ago have grown routine.

Our defenses have failed to keep pace. Today’s security architecture remains stuck on a signature-based approach first sold in 1987—when IBM launched the first PS/2 computer and Microsoft’s MS-DOS 3.3 ruled the OS market. Most people could not connect to the Internet even if they wanted to; the first commercial dial-up service was still two years away.

During periods of rapid innovation, we often overlook the downsides of these advances. Keeping up with the changes—let alone pondering their drawbacks—is challenging enough. And unfortunately, cyber security has been largely an afterthought in the Digital Age.

With attackers now stealing personal information, intellectual property, and state secrets almost at will, the time has come to rethink our approach to cyber security.

PUTTING AMERICA IN THE DRIVER’S SEAT

By 1910, Henry Ford already had a hit with his Model T. But Ford wanted more than popularity; he wanted ubiquity. To achieve that, he needed to drastically rev up production and bring the Model T’s price within the reach of more buyers without cutting corners. So he reimagined the manufacturing process. For decades, teams of skilled mechanics had painstakingly handcrafted cars.2 Ford took a radically new approach with the first auto assembly line. By breaking down the process into a series of 84 discrete steps and using standard, interchangeable parts, workers could produce on a scale never before seen.3,4 The newfound efficiency allowed Ford to slash the Model T’s price from $825 (about $20,000 in today’s dollars) to $260 ($3,600 today) over the following decade.5 The company sold more than 15 million of the cars, and in the process, transformed the way people live, work, and play.

2 Daniel Gross. “Forbes Greatest Business Stories of All Time.” August 1997.
3 Jennifer L. Gross. “Henry Ford and the Assembly Line.”
4 Ford Motor Company. “Model T Facts.” August 2012.
5 Ford. “The Model T Put the World on Wheels.” 2008.

Figure: workers assemble Model T autos at Ford’s Highland Park, Michigan, plant (1910).


WHAT’S WRONG WITH THE STATUS QUO?

More than two centuries ago, the German poet Johann Wolfgang von Goethe wrote about a sorcerer’s apprentice who tries to use magic to make his chores easier.6 Tasked with filling a basin, the promising young wizard conjures a broom to begin fetching pails of water from a nearby stream. The plan quickly backfires. Soon, the basin (along with every other vessel in sight) is overflowing. The apprentice can’t stop the enchanted sweeper. Growing desperate, he chops it in half—only to see it morph into two brooms, doubling the cascade.

Sound familiar? Organizations invest billions of dollars every year in security tools that promise to protect their IT assets—only to see their workload swell and their IT assets no more secure than they were before. On average, attackers have access to a breached system for 229 days before they are detected.7 And they typically have at least another month or so before they’re fully dislodged from the victim’s network.8 In a recent study of real-world security deployments, more than 97 percent of systems were breached, despite having deployed several layers of security.9

Conventional security architectures create more work. They provide reams of log data, false positives, and alerts with no context. Rather than focusing on true threats, security teams spend too much time on busywork and chasing dead ends. Like the hapless apprentice, organizations are struggling to stay on top of the rising deluge of cost and complexity.

The prevailing model is fundamentally broken. Why must security leaders submit a headcount request along with their purchase order to deploy a new technology?

Security tools should make you more agile, not less. And they should help you save money on routine tasks so you can focus your security investment in higher-value activity that only people can do.

6 Johann Wolfgang von Goethe. “Der Zauberlehrling.” 1797.
7 Mandiant, a FireEye Company. “M-Trends: Beyond the Breach.” April 2014.
8 Ponemon Institute. “2013 Cost of Cyber Crime Study: Global Report.” October 2013.
9 FireEye. “Cybersecurity’s Maginot Line: A Real-world Assessment of the Defense-in-Depth Model.” May 2014.

Figure: illustration from Goethe’s Werke by Ferdinand Barth.


SECURITY REIMAGINED: THE VISION

Reimagining security is about more than just technologies, skills, or processes. While the concept includes all of these, it is above all a mindset—a fundamentally new way of thinking about cyber attacks. A big part of this vision includes implementing what FireEye calls Adaptive Defense™.

Rather than trying (and failing) to prevent every attack, organizations that implement an adaptive model recognize that some attacks will get through. They change their mindset and aim to quickly detect attacks and then respond forcefully to prevent the worst results: stolen data, costly fixes, and tarnished reputations.

In the adaptive model, security teams have the tools, intelligence, and expertise to detect, prevent, analyze, and resolve ever-evolving tactics used by advanced attackers.

The goal is reducing two key metrics:

• Time to detect
• Time to resolve

To reduce both metrics, organizations must be able to adapt as attackers change their tactics. Their security architecture must be agile. It must be deeply integrated for an end-to-end view of attacks. It must present a full picture of threats by incorporating internal and external intelligence. And it must take an active, “lean-forward” posture that doesn’t just wait for attacks but anticipates them—and even helps “hunt” for well-hidden attacks that don’t produce the usual tip-offs.

The following section describes each of these attributes.

TIME TO DETECT

Attackers have access to compromised systems 229 days on average before being discovered (two-thirds of the time, by an outside party such as a law enforcement agency or business partner).10 For truly effective security, security teams need to detect an attack in minutes, not hours or days.

TIME TO RESOLVE

Breaches are inevitable. They don’t have to be devastating. When security teams can quickly contain the attack and fix compromised systems, they avoid becoming another statistic.

Figure: breach timeline running from the initial breach, through the period the threat goes undetected, to remediation (3, 6, 9 months). 229 days: median number of days attackers are present on a victim network before detection. 100% of victims had up-to-date anti-virus signatures. 63% of companies learned they were breached from an external entity.

10 Mandiant. “M-Trends 2014: Beyond the Breach.” May 2014.


CONVENTIONAL SECURITY VS. SECURITY REIMAGINED

The traditional approach and the adaptive approach, attribute by attribute:

DISCONNECTED TOOLS (traditional approach): Most security architectures weld together different tools from a range of vendors that do not work well together. Security teams get a disjointed view of attacks.
INTEGRATED END TO END (adaptive approach): An adaptive approach integrates tools for a full picture.

LOTS OF DATA, LITTLE INSIGHT (traditional approach): Conventional security deployments offer a flood of data. Making sense of it all can be tough.
BIG-PICTURE VIGILANCE (adaptive approach): An adaptive approach provides a bird’s-eye view for actionable insights.

PASSIVE STANCE (traditional approach): Most security architectures react to attacks as they happen. Security teams have little knowledge of attackers, their motives, their tools, or their techniques. They don’t have a broader view of regional or industry trends. And they can’t anticipate or hunt for threats.
LEAN-FORWARD POSTURE (adaptive approach): An adaptive approach uses intelligence (tactical, strategic, and contextual) to identify new, unknown, and even future attacks.

SLOW RESPONSE, RIGID ARCHITECTURES (traditional approach): Conventional architectures, which have long focused on prevention alone, take too long to detect and resolve threats. By the time organizations detect a breach, the damage is done. And they do not adapt to changing customer needs and a shifting threat landscape.
NIMBLE (adaptive approach): An adaptive approach helps customers find and fix breaches quickly.

Figure: the Adaptive Defense cycle: Detect, Prevent, Analyze, Resolve.

INTEGRATING DEFENSES END TO END

Today, most security architectures comprise a mishmash of different tools from a range of vendors, each focused on a single piece of the security puzzle. Because they are not integrated, many security teams miss attacks that unfold over multiple threat vectors, such as email and the web. And they miss attacks that play out over multiple TCP connections, or flows. A single web page typically consists of dozens of these TCP flows; if a security tool cannot see all of them, it misses the attack.

In advanced attacks, the individual pieces of an orchestrated attack can appear benign when viewed in isolation by point products. Even if each tool is working as promised, security teams get a fragmented, kaleidoscope-style view of what’s happening on their network.

An adaptive strategy, by contrast, not only looks across multiple threat vectors and flows but also connects the dots to give security teams a complete picture. Security teams don’t just see clues. They get a complete narrative so they can see the full attack lifecycle at every step—from the initial exploit to downloading malware to reconnaissance to data exfiltration. They can see how traffic at the perimeter relates to OS changes on a network-attached PC. And they can reconstruct weeks of network traffic to trace an attack to its source.
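As an added illustration (not FireEye code), the following Python correlator shows the difference the paragraphs above describe: four sensors each report a low-severity event on the same host, none crossing a point product’s own alert threshold, yet ordered by the lifecycle stages named above they form one narrative. The event fields, sensor names, severity scale and sample events are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Attack lifecycle stages named in the paper, in the order they unfold.
STAGES = ("exploit", "malware_download", "reconnaissance", "exfiltration")
STAGE_RANK = {stage: i for i, stage in enumerate(STAGES)}


@dataclass(frozen=True)
class Event:
    ts: datetime      # when the sensor observed it
    host: str         # internal host the event concerns
    sensor: str       # point product that saw it (constructed names)
    stage: str        # lifecycle stage the sensor assigns to this event
    severity: int     # 0-10, as the single sensor scores it in isolation
    detail: str


def point_product_alerts(events, threshold=7):
    """What each sensor would raise on its own: only events scoring >= threshold."""
    return [e for e in events if e.severity >= threshold]


def correlate(events, window=timedelta(days=7), min_chain=3):
    """Group events by host and look for an ordered lifecycle chain per host.

    A chain is a time-ordered list of events whose stages strictly advance
    through STAGES, all within `window` of the first event. Events from
    different sensors are joined solely on host and time, which is what a
    point product cannot do. Returns {host: chain} for chains >= min_chain.
    """
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev.host].append(ev)

    chains = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)
        best = []
        for i, start in enumerate(evs):       # try every event as chain start
            chain = [start]
            for ev in evs[i + 1:]:
                if ev.ts - start.ts > window:
                    break
                if STAGE_RANK[ev.stage] > STAGE_RANK[chain[-1].stage]:
                    chain.append(ev)          # stage advanced: extend the story
            if len(chain) > len(best):
                best = chain
        if len(best) >= min_chain:
            chains[host] = best
    return chains


def narrative(chain):
    """Render a chain as the complete narrative the paper asks for."""
    return " -> ".join(f"{e.stage} ({e.sensor}: {e.detail})" for e in chain)


# Constructed sample events; none is alarming on its own.
T0 = datetime(2014, 9, 1, 9, 0)
SAMPLE_EVENTS = [
    Event(T0, "ws-17", "email", "exploit", 4, "macro document opened"),
    Event(T0 + timedelta(minutes=20), "ws-17", "web", "malware_download", 5,
          "executable fetched from new domain"),
    Event(T0 + timedelta(days=1), "ws-17", "endpoint", "reconnaissance", 3,
          "directory enumeration by user process"),
    Event(T0 + timedelta(days=2), "ws-17", "netflow", "exfiltration", 5,
          "large outbound transfer to rare destination"),
    # A second host with one download and nothing else: no story.
    Event(T0 + timedelta(hours=3), "ws-22", "web", "malware_download", 5,
          "executable fetched from new domain"),
    # A third host whose events occur in the wrong order: still no story.
    Event(T0, "ws-05", "netflow", "exfiltration", 5, "large outbound transfer"),
    Event(T0 + timedelta(hours=1), "ws-05", "endpoint", "reconnaissance", 3,
          "directory enumeration"),
]

if __name__ == "__main__":
    print("point products alone:", point_product_alerts(SAMPLE_EVENTS))
    for host, chain in correlate(SAMPLE_EVENTS).items():
        print(host, narrative(chain))
```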

ENABLING BIG-PICTURE VIGILANCE

Another hallmark of adaptive strategies is big-picture vigilance, a bird’s-eye view that enables security teams to monitor network activity and gauge how well their defenses are performing.

Conventional security deployments offer all kinds of data: network traces, system logs, security alerts, and the like. But little of it leads to useful insight. Data from various security tools can be ambiguous and contradictory. Keeping up with the deluge, let alone making sense of it all, is difficult for even well-staffed security teams.

Figure: an integrated, end-to-end deployment spanning network, email, endpoint, mobile, analytics, content, and forensics.

Instead of generating more and more data—and more and more questions—an adaptive strategy focuses on creating high-quality, actionable insights. Think of it as a master-control level of visibility into attacker actions against your network. An adaptive approach seeks to provide answers: answers you can use in the business process of resolving incidents to make better decisions.

An adaptive model doesn’t just spit out raw data. Instead, it helps glean meaning from that data. By analyzing unusual network traffic, suspicious files, and threat intelligence, the ideal security system can correlate seemingly unrelated events to detect attacks that might otherwise get lost in the noise.

With an adaptive strategy, users don’t get the usual flood of false alarms, cryptic warnings, and reports. Instead, they get alerts that matter: accurate, high-priority, actionable information they can use to quickly contain and resolve the threat.

Knowing the big picture also means being able to measure those two key metrics: time to detect and time to resolve. An adaptive strategy means being able to replay the timeline of an attack to see how quickly your security deployment detected it, and how well your tools contained and resolved the threat.

Increasingly, security leaders are measured on those two statistics as much as they are on their ability to simply ward off threats.11 Your metrics should do the same.

LEANING FORWARD WITH INTELLIGENCE

According to Gartner, leaning forward means not just reacting to attacks as they come but actively combating them on an ongoing basis.12

Along with tightly integrated tools and a big-picture view of the network, intelligence is key to the lean-forward approach. The right kind of intelligence, delivered at the right time, helps identify new and unknown attacks—and even potential future attacks. Effective intelligence in an adaptive architecture is actionable: it is used directly to adapt security protections in a way that makes them more effective.

The best threat intelligence includes information on specific attackers, including their motives, what they’re after, what tools they use, and how their attacks unfold. Armed with that intelligence, security teams can more closely monitor specific threat vectors, look for telltale markers, and bolster defenses around the assets most at risk.

In an adaptive security strategy, this intelligence comes from a number of sources, all vetted and harmonized to provide a cohesive account of the most urgent threats.

11 Greg Day (FireEye). “The Road to Resilience: How Cybersecurity is Moving from the Back Office to the Boardroom.” April 2014.
12 Jeremy D’Hoinne and Lawrence Orans (Gartner Research). “Strategies for Dealing With Advanced Targeted Attacks.” June 2013.


This intelligence comes in three forms: tactical, contextual, and strategic (see below). Each plays a distinct but vital role.

In the most adaptive architectures, this intelligence is a few clicks away, not something security teams must always dig up, verify, and weave together themselves.

And in all three cases, the intelligence is timely, relevant, and specific enough to act on.

For instance, if an attack is coming from a known threat actor, intelligence from past attacks can spell out the most likely techniques, tactics, and procedures (TTPs). That, in turn, helps security teams determine what malware to look for, what assets are most at risk, and where to focus their attention.

THE POWER OF THREE: How each form of intelligence plays a distinct but vital role in adaptive architectures.

TACTICAL INTELLIGENCE: Tactical intelligence is automatically generated from local deployments. When a system analyzes a suspicious file and discovers a new malware variant, for instance, it can generate and quickly distribute a new indicator of compromise (IOC) to inoculate the entire enterprise.

CONTEXTUAL INTELLIGENCE: Adaptive architectures also incorporate contextual intelligence from research labs and incident responders for a broader view of attack trends and detailed profiles of attackers and their methods.

STRATEGIC INTELLIGENCE: Strategic intelligence—typically from threat bulletins, industry briefings, and the like—gives security leaders information for longer-term planning, management, and budgeting.
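An added example, not FireEye code, of the tactical loop just described: a malicious sandbox verdict (constructed here) is turned into an indicator of compromise, serialized for distribution, and matched against the artefacts each endpoint reports. The report layout, IOC structure and observation tuples are assumptions; the file hash alone is treated as sufficient, while weaker artefacts (dropped file name, DNS query) must co-occur to limit false positives.

```python
import hashlib
import json

# Constructed sandbox verdict for a file that a local analysis system has just
# classified as a new malware variant (hypothetical report layout).
SANDBOX_REPORT = {
    "verdict": "malicious",
    "sha256": hashlib.sha256(b"constructed dropper sample").hexdigest(),
    "dropped_files": [r"C:\Users\Public\svc_update.exe"],
    "dns_queries": ["update-check.example.invalid"],
}


def build_ioc(report, ioc_id):
    """Derive an IOC from a malicious verdict.

    Match logic: the file hash is seen, OR every weaker artefact (dropped
    file path and DNS query) is seen together on the same host. Returns
    None for non-malicious verdicts so nothing is distributed by mistake.
    """
    if report.get("verdict") != "malicious":
        return None
    weak_terms = [{"type": "file_path", "value": p} for p in report["dropped_files"]]
    weak_terms += [{"type": "dns_query", "value": d} for d in report["dns_queries"]]
    return {
        "id": ioc_id,
        "any_of": [
            {"all_of": [{"type": "file_sha256", "value": report["sha256"]}]},
            {"all_of": weak_terms},
        ],
    }


def publish(ioc):
    """Serialize for distribution to every endpoint (plain JSON, vendor-neutral)."""
    return json.dumps(ioc, sort_keys=True)


def match_ioc(ioc_json, observations):
    """Evaluate a received IOC against one endpoint's observations.

    observations: set of (type, value) tuples; values compare case-insensitively.
    """
    ioc = json.loads(ioc_json)
    seen = {(t, v.lower()) for t, v in observations}

    def hit(term):
        return (term["type"], term["value"].lower()) in seen

    return any(all(hit(t) for t in grp["all_of"]) for grp in ioc["any_of"])


def sweep(ioc_json, hosts):
    """Return the sorted host names where the IOC matches."""
    return sorted(h for h, obs in hosts.items() if match_ioc(ioc_json, obs))


# Constructed endpoint telemetry: hostname -> set of (type, value).
HOSTS = {
    "ws-17": {("file_sha256", SANDBOX_REPORT["sha256"])},          # same sample, renamed
    "ws-22": {("file_path", r"c:\users\public\svc_update.exe")},    # file name alone
    "ws-30": {("file_path", r"C:\Users\Public\svc_update.exe"),
              ("dns_query", "UPDATE-CHECK.example.invalid")},        # both weak artefacts
    "ws-41": {("dns_query", "update-check.example.invalid")},       # lookup alone
}

if __name__ == "__main__":
    ioc = build_ioc(SANDBOX_REPORT, "ioc-demo-0001")
    print(sweep(publish(ioc), HOSTS))  # ['ws-17', 'ws-30']
```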


RESPONDING NIMBLY WITH A RESPONSIVE ARCHITECTURE

Unlike conventional security architectures, an adaptive strategy positions you to respond instantly to both known and unknown threats. In this sense, nimbleness involves rapidly detecting, assessing, and containing these threats.

Expecting to stop all attacks at the perimeter is unreasonable. An adaptive approach focuses instead on stopping attackers before they reach their goal. Prevention isn’t as much about averting attacks outright as it is avoiding harmful outcomes.

When we talk about being nimble, we also define it from the vendor perspective. Vendor nimbleness is the ability to adapt quickly to the changing threat landscape and customers’ changing needs.

Here are just a few scenarios that the ideal security architecture should accommodate:

• A growing business adopts a bring-your-own-device policy and needs mobile protection that is integrated into its existing network security.

• A non-profit wants to move its infrastructure to the cloud without losing a security vendor it knows and trusts.

• A government agency is dealing with a particularly complex attack and needs short-term help to resolve it.

In all of these scenarios, a truly adaptive approach can scale hardware deployment up and down, shuffle resources, and provide hands-on support as needed. Customers get the level of protection they want, delivered the way they want it, with an architecture that evolves as quickly as conditions do.

WHEN DEFENSE IN DEPTH IS NEITHER

Security practitioners often talk about their “defense in depth” strategy. But the technology used for each layer uses the same approach (signature matching)—so organizations actually have a single layer of technology that is better described as “defense in shallow.”

REDUNDANT DETECTION: Multiple products use the same signature-based approach to detect attacks.

OUTDATED APPROACH: Signature-based detection assumes you know what an attack looks like before it happens.

LIMITED RESPONSE CAPABILITY: When attackers evade defensive measures, most organizations have little capability to respond.


CONCLUSION AND RECOMMENDATIONS

Conventional security detects threats too late (if at all), and resolves them too slowly. It gives security teams a fragmented, incomplete view into what’s going on in their network. It’s passive and blind to broader threat trends. And it reacts too slowly to new threats and changing conditions.

Today’s advanced attacks call for a more advanced approach. Organizations need a flexible, deeply integrated framework that offers a far-reaching view of threats and evolves as quickly as conditions do.

By adopting an adaptive strategy, organizations get integrated, end-to-end protection from the network ingress to the endpoint. They get a big-picture view of attacker activity across their entire network. They can integrate intelligence to not just respond to threats but also actively anticipate them. And they are nimble. They are not only empowered to quickly detect and resolve threats to avoid the worst outcomes, but they also get the level of protection they want, delivered the way they want it.

Implementing an adaptive strategy doesn’t happen overnight. While many of the essential tools are available now, the shift also requires a new way of thinking. Just as past breakthroughs required reimagining earlier approaches, today’s cyber challenges call for reimagining security.

As a starting point, FireEye recommends the following:

• Change your mindset. Shift away from the “prevent, prevent, prevent” model. Nothing can stop every threat. Responding quickly and effectively to attacks is just as important as blocking them.

• Bolster your forensics capabilities. Get a full picture of threats with a solution that offers end-to-end visibility of malicious activity.

• Integrate internal and external intelligence. Make sure that it is actionable, contextual, and applicable.

• Invest in tools that help detect unknown threats. As an industry, we have “known” threats under control. Don’t keep spending more money on redundant tools based on the same legacy technology. Research technology designed with today’s threats in mind.

• Meet regulation and compliance-based rules, reporting, and procedures, but don’t treat them as the goal. Remember that the adaptive approach is about finding threats, not satisfying a compliance checklist or outside mandates.

• Establish meaningful metrics. Measure how effectively your organization manages incidents and their impact. Evaluate your existing solutions against that regime.

• Consider diverting your security spending. Spend less on ineffective layers and use the savings to invest in integrated solutions that improve time to detection and time to resolution.

Part II of this series examines how an adaptive security approach helps organizations better prevent, detect, analyze, and resolve threats. It also recommends a reimagined security architecture to address today’s evolving threat landscape. Download Part II at fireeye.com.

FireEye, Inc. | 1440 McCarthy Blvd. Milpitas, CA 95035 | 408.321.6300 | 877.FIREEYE (347.3393) | [email protected] | www.fireeye.com

© 2014 FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye, Inc. All other brands, products, or service names are or may be trademarks or service marks of their respective owners. WP.SRI.EN-US.092014