Hexis Cybersecurity Mission Possible: Taming Rogue Ghost Alerts

Post on 26-Jan-2017



Mission Possible Taming Rogue Ghost Alerts

Ethan Hunt aka Todd Weller VP Corporate Development

July 2015

Cyber = The Newer Battlefield

Copyright © 2015, Hexis Cyber Solutions, Inc. All rights reserved. Page 4

Cyber Attacks from All Angles

• Casual Hackers

• Hacktivists

• Cyber criminals

• Corporations

• Nation states


Your Mission: Should you choose to accept it…

…is to increase your ability to detect, verify, and respond to threats efficiently and effectively.

Focusing on Threats vs. Chasing Ghosts

The Problem

Despite significant investment in security, organizations continue to experience challenges detecting, verifying & responding to threats.

1. Not enough skilled people to respond fast enough

2. AV and network perimeter not blocking threats

3. Too many events and false positives to review

Blind to the Breach

Source: Mandiant, Verizon

Spending Shift to Detection and Response

Detection & Response

Prevention

Prevention necessary but not 100% effective

Nature of attacks is changing

Response more top of mind


Critical Cyber Defense Elements

1. Detection

2. Verification

3. Automated Response


Verification is the Critical Link

• Detection

• Verification

• Automated Response


Visibility Is The First Step

Increasing adoption of behavior-based detection

Initial focus = network-based sandboxing

Focus shifting to Endpoint Detection & Response

DETECTION

“You got some kinda savior complex?”

“No. I just want to get the bad guys, but if I can't see them I can't shoot them.”

- American Sniper

Visibility is Eye Opening…

…and Overwhelming

Source: Ponemon Institute

The Response Challenge

Security Talent Shortage

Source: Burning Glass Technologies “Job Market Intelligence: Report on the Growth of Cybersecurity Jobs”

“The talent you’re looking for in incident response is absolutely the hardest I’ve seen to find in security in general”

- Christine Gadsby, Manager, BlackBerry Product Security Incident Response Team

Attack Velocity Increasing

Shift to Continuous Response

Velocity Continuous Automation


The Double Whammy

STRATEGIC: Corroboration and threat fusion to improve detection and prioritize investigation and response

TACTICAL: Solving false positive issue related to network security alerts

VERIFICATION

Cyber Defense Requires an Integrated Approach

• Detection

• Verification

• Automated Response

Integration, Orchestration, Automation

An integrated approach to threat detection, verification, and response that leverages flexible, policy-based responses to remove threats before they do damage.

INTEGRATED DETECTION. AUTOMATED RESPONSE.

HawkEye G = “Defender’s Advantage”

1. DETECT: Integrated platform: • Real-time endpoint agents • Network edge detection • 3rd party ecosystem

2. VERIFY: Host and network correlation confirms the threat to pinpoint where you really need to respond

3. RESPOND: Automation and machine-guided response are a force multiplier to remove the threat before breach


Detect: Endpoints + Network

[Architecture diagram: HawkEye G Manager, Hexis Threat Feed, HawkEye G Network Sensor, HawkEye G Host Sensor, and Third-Party Integrations (FireEye® NX, PAN NGFW + WildFire®)]

• 174 Heuristics

• 19 Threat Feeds

• 3rd Party Integration


Verify: Introducing ThreatSync™

[Architecture diagram: ThreatSync added alongside the Hexis Threat Feed, Third-Party Integrations (FireEye® NX, PAN NGFW + WildFire®), HawkEye G Network Sensor and HawkEye G Host Sensor; 174 heuristics, 19 threat feeds]

• Threat Fusion

• Threat Analytics

• Indicator Scoring

• Device Incident Score
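The verification idea on this slide (a network alert counts only when the host sensor corroborates it, and host plus network indicators are fused into one score per device) as an added Python illustration. This is not Hexis code and not ThreatSync's actual scoring; the alert and event records, field names and weights are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample data (not real telemetry). Network alerts come from a
# sandbox/edge sensor; host events come from an endpoint sensor. Both are keyed
# by the internal IP of the endpoint.
NETWORK_ALERTS = [
    {"alert_id": "n1", "host_ip": "10.0.0.5", "sha256": "aaa111", "dst": "203.0.113.9"},
    {"alert_id": "n2", "host_ip": "10.0.0.7", "sha256": "bbb222", "dst": "198.51.100.4"},
    {"alert_id": "n3", "host_ip": "10.0.0.9", "sha256": "ccc333", "dst": "192.0.2.77"},
]
HOST_EVENTS = [
    {"host_ip": "10.0.0.5", "type": "process_create", "sha256": "aaa111"},
    {"host_ip": "10.0.0.5", "type": "persistence", "sha256": "aaa111"},
    {"host_ip": "10.0.0.7", "type": "outbound_conn", "dst": "198.51.100.4"},
]
# Illustrative indicator weights (assumed, not a vendor scoring model).
WEIGHTS = {"network_alert": 30, "process_create": 40, "persistence": 25, "outbound_conn": 20}


def verify_alerts(alerts, events):
    """Split network alerts into (verified, ghost). An alert is verified when the
    host sensor saw the same binary execute or the same destination contacted;
    otherwise the alert is a 'ghost' that would otherwise be chased by hand."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host_ip"]].append(ev)
    verified, ghost = [], []
    for a in alerts:
        corroborated = any(
            ev.get("sha256") == a["sha256"] or ev.get("dst") == a["dst"]
            for ev in by_host[a["host_ip"]])
        (verified if corroborated else ghost).append(a["alert_id"])
    return verified, ghost


def device_incident_scores(alerts, events):
    """Fuse network and host indicators into one capped 0-100 score per device."""
    scores = defaultdict(int)
    for a in alerts:
        scores[a["host_ip"]] += WEIGHTS["network_alert"]
    for ev in events:
        scores[ev["host_ip"]] += WEIGHTS[ev["type"]]
    return {host: min(score, 100) for host, score in scores.items()}


def prioritize(alerts, events):
    """Order devices for response: corroborated hosts first, then by fused score."""
    verified, _ = verify_alerts(alerts, events)
    vhosts = {a["host_ip"] for a in alerts if a["alert_id"] in verified}
    scores = device_incident_scores(alerts, events)
    return sorted(scores, key=lambda h: (h in vhosts, scores[h]), reverse=True)
```

With the constructed data, alert n3 has no host-side evidence and is classified as a ghost, while 10.0.0.5 ranks first because its network alert is backed by process execution and persistence on the host.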


Respond: Surgical, Machine Guided, Automatic

[Architecture diagram: Policy Manager Countermeasures added alongside ThreatSync, the Hexis Threat Feed, Third-Party Integrations (FireEye® NX, PAN NGFW + WildFire®), HawkEye G Network Sensor and HawkEye G Host Sensor; 174 heuristics, 19 threat feeds]

Policy Manager Countermeasures:

• Kill

• Quarantine

• Block

• Expire

• Forensics

• Future


Detect, Verify, Respond

[Full architecture diagram: Hexis Threat Feed, Third-Party Integrations (FireEye® NX, PAN NGFW + WildFire®), HawkEye G Network Sensor, HawkEye G Host Sensor, ThreatSync, and Policy Manager Countermeasures (Kill, Quarantine, Block, Expire, Forensics, Future) delivering machine-guided and automatic response; 174 heuristics, 19 threat feeds]

• Endpoint + network

• Improve detection effectiveness

• Verify endpoint infections

• Enable automated response

Tackling Integration on Multiple Fronts

Architectures, Integrated Platform, ThreatSync™

U.S. Intelligence Community reference architecture (SHORTSTOP): Integrated Active Cyber Defense (ACD) solution that includes Hexis, Palo Alto, FireEye, and Splunk

HawkEye G Common Use Cases

“How do I stop an active campaign before compromise or breach?”

“I’ve got no clear picture of threat actor activity, malware or infection spread across my enterprise”

“I’m wasting time and resources chasing down network alerts to confirm if my hosts are infected”

“My antivirus isn’t working and I need better visibility into activity on my endpoints”

“How do I respond more effectively and efficiently?”

Real-world Deployment Metrics

| Feature | Customer A | Customer B | Customer C |
|---|---|---|---|
| Host sensor distribution (initial) | 1,872 host sensors (out of 30,000 total) | 400 host sensors (out of 1,000 total) | 20 host sensors (out of 2,000 total) |
| Prevention security technologies in place | Cisco ASA, FireEye, McAfee AV, Malwarebytes | Cisco ASA/IPS/SSM, OpenDNS, TrendMicro AV | Palo Alto, FireEye, McAfee AV |
| Infection % | 637 infected hosts (36% infection) | 50 infected hosts (12% infection) | 20 infected hosts, 89 malicious binaries (100% infection) |
| Value-add | Automated verification of ghost FireEye alerts | Reduce manual verify and remove by 50% | Machine-guided removal on remote devices |

Hexis Key Differentiators

Integrated platform to detect, verify, and respond

Endpoint + network including correlation

Endpoint sensing capabilities – heuristics, real-time eventing

ThreatSync™ analytics fuses Hexis detection with 3rd party indicators

Full arsenal of machine-guided and automated responses that can be flexibly deployed based on policy

Developed using military-grade cyber capabilities and state-of-the-art commercial technologies


Key Takeaways

Cyber defense requirements are driving increased investment in detection & response

Efficient and effective detection & response requires verification

Verification benefits are both strategic and tactical

Integration and automation are critical in your efforts to detect, verify, and respond to threats before they do damage


Questions?

Thank You!