hexis cybersecurity mission possible: taming rogue ghost alerts
TRANSCRIPT
Mission Possible Taming Rogue Ghost Alerts
Ethan Hunt, aka Todd Weller, VP Corporate Development
July 2015
Cyber = The Newer Battlefield
Copyright © 2015, Hexis Cyber Solutions, Inc. All rights reserved. Page 4
Cyber Attacks from All Angles
• Casual Hackers
• Hacktivists
• Cyber criminals
• Corporations
• Nation states
Your Mission: Should you choose to accept it…
…is to increase your ability to detect, verify, and respond to threats efficiently and effectively.
Focusing on Threats vs. Chasing Ghosts
The Problem
Despite significant investment in security, organizations continue to experience challenges detecting, verifying & responding to threats.
• Not enough skilled people to respond fast enough
• AV and network perimeter not blocking threats
• Too many events and false positives to review
Blind to the Breach
Source: Mandiant, Verizon
Spending Shift to Detection and Response
[Chart: security spending shifting from Prevention toward Detection & Response]
• Prevention necessary but not 100% effective
• Nature of attacks is changing
• Response more top of mind
Critical Cyber Defense Elements
1. Detection
2. Verification
3. Automated Response
Verification is the Critical Link
[Diagram: Detection → Verification → Automated Response]
Visibility Is The First Step (Detection)
• Increasing adoption of behavior-based detection
• Initial focus = network-based sandboxing
• Focus shifting to Endpoint Detection & Response
“You got some kinda savior complex?”
“No. I just want to get the bad guys, but if I can't see them I can't shoot them.”
- American Sniper
Visibility is Eye Opening…
…and Overwhelming
Source: Ponemon Institute
The Response Challenge
Security Talent Shortage
Source: Burning Glass Technologies “Job Market Intelligence: Report on the Growth of Cybersecurity Jobs”
“The talent you’re looking for in incident response is absolutely the hardest I’ve seen to find in security in general”
- Christine Gadsby, Manager, BlackBerry Product Security Incident Response Team
Attack Velocity Increasing
Shift to Continuous Response
[Diagram: Velocity → Continuous → Automation]
The Double Whammy (Verification)
• STRATEGIC: Corroboration and threat fusion to improve detection and prioritize investigation and response
• TACTICAL: Solving the false-positive issue related to network security alerts
Cyber Defense Requires an Integrated Approach
[Diagram: Detection, Verification and Automated Response linked by Integration, Orchestration, Automation]
An integrated approach to threat detection, verification, and response that leverages flexible, policy-based responses to remove threats before they do damage.
INTEGRATED DETECTION. AUTOMATED RESPONSE.
HawkEye G = “Defender’s Advantage”
1. DETECT: Integrated platform with real-time endpoint agents, network edge detection, and a 3rd party ecosystem
2. VERIFY: Host and network correlation confirms the threat to pinpoint where you really need to respond
3. RESPOND: Automated and machine-guided response is a force multiplier to remove the threat before breach
HawkEye G Architecture: Detect
[Diagram: HawkEye G Manager; Hexis Threat Feed (19 feeds); HawkEye G Network Sensor; HawkEye G Host Sensor (174 heuristics); Third-Party Integrations: FireEye® NX, PAN NGFW + WildFire®]
Detect: Endpoints + Network
• 174 Heuristics
• 19 Threat Feeds
• 3rd Party Integration
HawkEye G Architecture: Verify
[Diagram: Hexis Threat Feed, Third-Party Integrations (FireEye® NX, PAN NGFW + WildFire®), HawkEye G Network Sensor and Host Sensor all feeding ThreatSync]
Introducing ThreatSync™
• Threat Fusion
• Threat Analytics
• Indicator Scoring
• Device Incident Score
HawkEye G Architecture: Respond
[Diagram: ThreatSync feeds the Policy Manager, which drives countermeasures on the host and network sensors]
Policy Manager Countermeasures: Kill, Quarantine, Block, Expire, Forensics, Future
Respond: Surgical, Machine Guided, Automatic
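As an added illustration of the verify-then-respond flow described on the slides (not HawkEye G's or ThreatSync's code), the toy below fuses network alerts with host-sensor events into a per-device incident score and lets a policy threshold pick the response; all field names, weights, thresholds and sample records are constructed for the example.

```python
"""Fuse network alerts with host telemetry into a per-device incident score.
Added illustration of the slides' verify step; field names, weights,
thresholds and records are constructed, not HawkEye G's or ThreatSync's."""
from collections import defaultdict

# Constructed network-edge alerts (sandbox / threat-feed style).
NETWORK_ALERTS = [
    {"host": "10.0.0.12", "indicator": "sha256:aaa", "severity": 7},
    {"host": "10.0.0.12", "indicator": "c2.example.invalid", "severity": 5},
    {"host": "10.0.0.33", "indicator": "sha256:bbb", "severity": 8},
    {"host": "10.0.0.50", "indicator": "sha256:ccc", "severity": 4},
]
# Constructed host-sensor events: the indicator actually observed on the endpoint.
HOST_EVENTS = [
    {"host": "10.0.0.12", "event": "process_start", "indicator": "sha256:aaa"},
    {"host": "10.0.0.12", "event": "persistence", "indicator": "sha256:aaa"},
    {"host": "10.0.0.50", "event": "file_written", "indicator": "sha256:ccc"},
]
HOST_EVENT_WEIGHT = {"process_start": 3, "persistence": 4, "file_written": 1}
CORROBORATION_BONUS = 5   # network indicator confirmed by the host sensor
AUTO_THRESHOLD = 15       # policy: fully automated response at or above this


def score_devices(alerts, host_events):
    """Return {host: (score, verdict)} with verdict ghost, machine_guided or
    auto_respond.  A host with no corroborating endpoint evidence is a ghost
    whatever the network severity: the payload may never have executed."""
    seen, endpoint_score = defaultdict(set), defaultdict(int)
    for ev in host_events:
        seen[ev["host"]].add(ev["indicator"])
        endpoint_score[ev["host"]] += HOST_EVENT_WEIGHT.get(ev["event"], 0)

    network_score = defaultdict(int)
    for a in alerts:
        network_score[a["host"]] += a["severity"]
        if a["indicator"] in seen[a["host"]]:
            network_score[a["host"]] += CORROBORATION_BONUS

    result = {}
    for host, net in network_score.items():
        total = net + endpoint_score[host]
        if not seen[host]:
            verdict = "ghost"           # network-only: deprioritise, do not act
        elif total >= AUTO_THRESHOLD:
            verdict = "auto_respond"    # policy permits kill / quarantine
        else:
            verdict = "machine_guided"  # analyst approves the countermeasure
        result[host] = (total, verdict)
    return result
```

With the constructed data, the host whose sandbox verdict is never seen by its endpoint sensor is classified as a ghost alert, while the two corroborated hosts are split between automated and analyst-approved response by the policy threshold.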
Detect, Verify, Respond
[Diagram: full HawkEye G architecture: Hexis Threat Feed (19 feeds), Third-Party Integrations (FireEye® NX, PAN NGFW + WildFire®), HawkEye G Network Sensor and Host Sensor (174 heuristics) feeding ThreatSync and the Policy Manager countermeasures (Kill, Quarantine, Block, Expire, Forensics, Future); responses Machine Guided or Automatic]
• Endpoint + network
• Improve detection effectiveness
• Verify endpoint infections
• Enable automated response
Tackling Integration on Multiple Fronts
• Architectures: U.S. Intelligence Community reference architecture (SHORTSTOP), an Integrated Active Cyber Defense (ACD) solution that includes Hexis, Palo Alto, FireEye, and Splunk
• Integrated Platform
• ThreatSync™
HawkEye G Common Use Cases
“How do I stop an active campaign before compromise or breach?”
“I’ve got no clear picture of threat actor activity, malware or infection spread across my enterprise”
“I’m wasting time and resources chasing down network alerts to confirm if my hosts are infected”
“My antivirus isn’t working and I need better visibility into activity on my endpoints”
“How do I respond more effectively and efficiently?”
Real-world Deployment Metrics
Host sensor distribution (initial)
  Customer A: 1,872 host sensors (out of 30,000 total)
  Customer B: 400 host sensors (out of 1,000 total)
  Customer C: 20 host sensors (out of 2,000 total)
Prevention security technologies in place
  Customer A: Cisco ASA, FireEye, McAfee AV, Malwarebytes
  Customer B: Cisco ASA/IPS/SSM, OpenDNS, TrendMicro AV
  Customer C: Palo Alto, FireEye, McAfee AV
Infection %
  Customer A: 637 infected hosts (36% infection)
  Customer B: 50 infected hosts (12% infection)
  Customer C: 20 infected hosts, 89 malicious binaries (100% infection)
Value-add
  Customer A: Automated verification of ghost FireEye alerts
  Customer B: Reduce manual verify and remove by 50%
  Customer C: Machine-guided removal on remote devices
Hexis Key Differentiators
Integrated platform to detect, verify, and respond
Endpoint + network including correlation
Endpoint sensing capabilities – heuristics, real-time eventing
ThreatSync™ analytics fuses Hexis detection with 3rd party indicators
Full arsenal of machine-guided and automated responses that can be flexibly deployed based on policy
Developed using military-grade cyber capabilities and state-of-the-art commercial technologies
Key Takeaways
Cyber defense requirements are driving increased investment in detection & response
Efficient and effective detection & response requires verification
Verification benefits are both strategic and tactical
Integration and automation are critical in your efforts to detect, verify, and respond to threats before they do damage
Questions?
Thank You!