Advanced Threat Protection. Notable 2011 Breaches. Advanced Threat Vectors: Hidden Executables – malware executables delivered within PDFs; Vulnerabilities – backdoors in browsers and applications that malware can bypass; Portable Storage Devices.
Advanced Threat Vectors
• Hidden Executables – Malware executables delivered within PDFs
• Vulnerabilities – Backdoors in browsers and applications that malware can bypass
• Portable Storage Devices – Malware delivered on portable flash drives and USB sticks
Advanced Persistent Threat
By the Numbers
• 1.6M – The number of new malware signatures that are distributed daily (2)
• 55k – The amount of unique malicious code seen daily on average (1)
• 90% – The number of companies in the US who fell victim to a cyber security breach at least once in the past 12 months (3)
Sources: 1. Symantec. 2. McAfee. 3. Ponemon Institute.
The Advanced Threat Landscape
• Criminal Enterprises – Broad-based and targeted attacks; financially motivated; getting more sophisticated
• Hacktivists – Targeted and destructive attacks; unpredictable motivations; generally less sophisticated
• Nation-States – Targeted and multi-stage attacks; motivated by information and IP; highly sophisticated, endless resources
The Advanced Threat … 4 Steps
Social engineering “email” → Malware dropped → Malware morphs & moves → Data gathered & stolen
TRUST – DETECT – PROTECT – MEASURE
Trust – Provide a trust rating on all software
• Cloud-Driven Reputation
• Automatically trust software “pushed” by IT
• IT-Driven Reputation – Trusted Publisher (Microsoft), Trusted User (Hdesk_User@xx.com), Trusted Directory (E:\sccm\packages), Trusted Updater (WebEx)
• IT sets trust policies for software “pulled” by end users
• Trust is assigned by user/group/organization
[Diagram: per-file trust scores by group (Data Center, Finance, Marketing), e.g. Firefox 10, Java.dll 10, Excel.exe 10, Acroread.msi 10, Calc.exe 9, VMware.exe 8, Exchange 10, Sharepoint 10, Keylogger 0]
Detect – Identify risk
• SIEM event correlation
• Real-time endpoint sensors to monitor: file integrity, devices, memory locations, registry keys, OS/application tampering
• Security Ops Center; CFS Forensic IR Team
• Track every executable: find out how software arrives, learn how software propagates, see if a file has executed, view the full audit trail
[Diagram: per-file trust scores by group (Data Center, Finance, Marketing) as on the Trust slide, with Keylogger instances flagged (x) in Finance and Marketing]
Protect – Stop the APT
• Enforcement policies: Low Enforcement (monitor unapproved), Med Enforcement (prompt unapproved), High Enforcement (block unapproved)
• Ban unauthorized software; perform emergency lockdown
• Protection for: servers (file, application, SCADA, etc.), virtualized environments, domain controllers, desktop/laptop endpoints, point-of-sale devices
• User & context-based trust policies
[Diagram: trusted publishers Microsoft, Adobe, WebEx; per-file trust scores by group (Data Center, Finance, Marketing) as on the Trust slide]
Measure – Actionable security intelligence
• Reports for ongoing security health: baseline drift, health dashboards, event categorization, live inventory
• SDK
• Track activity required for audit, governance, compliance, SOC, incident response
• Analytics to assess, investigate, and fine-tune your security posture: find file, prevalence, device usage
• Alerts for unexpected threats or requests: for file propagation, for integrated helpdesk approval, sent to syslog, sent to email
[Diagram: trusted publishers Microsoft, Adobe, WebEx; per-file trust scores by group (Data Center, Finance, Marketing) as on the Trust slide]
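The Trust, Protect and Measure slides above describe one mechanism: every file gets a 0–10 trust rating from cloud reputation or IT-defined rules, an enforcement level decides what happens to unapproved files, and each decision is recorded for reporting. The following toy evaluator is an added example written for this page, not Bit9 code; the rule names, scores, threshold, event schema and sample files are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class FileInfo:
    """Metadata an endpoint sensor would collect for one executable (constructed)."""
    name: str
    publisher: str = ""                 # code-signing publisher, if signed
    path: str = ""                      # directory the file was written to
    updater: str = ""                   # process that wrote the file
    user: str = ""                      # account that introduced the file
    cloud_score: Optional[int] = None   # 0-10 cloud reputation, if known

# IT-driven trust rules in the style of the Trust slide (constructed values).
TRUSTED_PUBLISHERS = {"Microsoft": 10, "Adobe": 9}
TRUSTED_DIRECTORIES = {r"E:\sccm\packages": 10}
TRUSTED_UPDATERS = {"WebEx": 8}
TRUSTED_USERS = {"Hdesk_User@xx.com": 7}
APPROVAL_THRESHOLD = 5                  # rating at or above this is "approved"
ENFORCEMENT = {"low": "monitor", "medium": "prompt", "high": "block"}

def trust_rating(f: FileInfo) -> int:
    """Highest rating granted by any matching rule; unknown files rate 0."""
    candidates = [0, f.cloud_score or 0, TRUSTED_PUBLISHERS.get(f.publisher, 0),
                  TRUSTED_UPDATERS.get(f.updater, 0), TRUSTED_USERS.get(f.user, 0)]
    for directory, score in TRUSTED_DIRECTORIES.items():
        if f.path.lower().startswith(directory.lower()):
            candidates.append(score)
    return max(candidates)

def decide(f: FileInfo, enforcement: str, banned=frozenset()) -> str:
    """Action for one execution attempt under the given enforcement level."""
    if f.name in banned:
        return "block"                  # an explicit ban beats any rating
    if trust_rating(f) >= APPROVAL_THRESHOLD:
        return "allow"
    return ENFORCEMENT[enforcement]     # unapproved: monitor / prompt / block

def audit_event(f: FileInfo, enforcement: str, host: str) -> dict:
    """Syslog-style record for the Measure step (constructed schema)."""
    return {"host": host, "file": f.name, "rating": trust_rating(f),
            "enforcement": enforcement, "action": decide(f, enforcement)}

if __name__ == "__main__":
    samples = [FileInfo("Excel.exe", publisher="Microsoft"),
               FileInfo("Keylogger.exe", cloud_score=0),
               FileInfo("Acroread.msi", path=r"E:\sccm\packages\acro")]
    for s in samples:
        print(audit_event(s, "high", host="finance-ws01"))
```

Under "high" enforcement the signed Excel.exe and the SCCM-delivered Acroread.msi are allowed while the unknown Keylogger.exe is blocked; switching to "low" turns that block into a monitor-only event, which is the trade-off the Protect slide's three levels express.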
Bit9 Global Software Registry
• Collect – Crawlers; partner feeds; subscriptions
• Extract – 140 un-packers; 300+ variants
• Analyze – AV scanners; PE analysis; correlation
• Derive – Normalize data; categorize; determine trust vs. threat
• Publish – File hash metadata: source; publisher/certificate; first seen/last seen date; product, version; AV scan results; vulnerability information; threat level; Trust Factor; Parity knowledge; forensics (CFS/Analyzer); File Advisor
Advanced Server Protection
Server Challenges
• Security – Targeted malware and cyber attacks
• Operations – Unauthorized configuration changes
• Compliance – Lack of demonstrable change controls
Bit9 Solution
• Security – Application control; device control; memory and registry protection
• Operations – File integrity monitor and control; baseline drift reports; find unplanned changes
• Compliance – Server consistency reports; site integrity validation
Servers Under Protection
• Domain controllers
• Web servers
• Application servers
• Database servers
• SharePoint servers
• Internet Security and Acceleration (ISA) servers
• Virtual servers
New Strategy for the Advanced Threat
• Advanced Network Protection
• Advanced Endpoint Protection
• Incident Response/Forensics
• SIEM – APT Event Consolidation
• Traditional Endpoint Protection
• Traditional Network Protection
Benefits
• Protect your core IP by stopping the Advanced Threat from critical servers and users
• Improve operational efficiency by reducing IT helpdesk calls and time spent reimaging
• Reduce costs by understanding all software being used across the enterprise
• Reduce risk by improving incident response times to quickly and accurately identify high-risk files
• Meet compliance requirements such as PCI DSS
Case Study – Federally Funded Research and Development Center
Situation:
• Gov’t funded facility with ~11,000 machines
• Critical research to the nation’s defense
• Protect intellectual property, trade secrets
• Forensics located APTs on machines
• Client-based attacks identified as the “blind spot”
Bit9 Solution:
• Stopped APTs and unauthorized software from executing
• Reduced number of re-images by 92 percent
• Prevented a non-trusted file “hiding” as Google Earth from executing
Case Study – Financial Technology Provider
Situation:
• Struggling to keep up with advances in malware
• Breach in a data center highlighted the urgency of the situation
• Could not stop infection from spreading to thousands of servers
Bit9 Solution:
• Mitigated risk on infected or “dirty” machines
• Delivered instant visibility into applications, utilities, and tools running on servers
• Locked down hundreds of servers in less than a day
• Easily scaled to ensure protection across the entire data center
Case Study – Grocery Retailer
Situation:
• Improve performance during PCI DSS audits
• Operating 5,000 machines across 560 stores
• Must perform frequent/controlled software updates
• Found unauthorized software on store systems
Bit9 Solution:
• Achieved PCI DSS compliance
• Prevented targeted/insider attacks
• Managed configuration drift
• Monitored activity and provided alerts about unwanted activity
[Architecture diagram: Corporate endpoints (laptops, desktops, servers, kiosks, ATMs, point of sale) run clients that report to the management server (Bit9 server with console, Microsoft SQL Server, Active Directory server), which connects to the Software Reputation Service]
Sample Customer List – Technology/Services, Government, Healthcare, Finance, Retail, Industrial
Bit9 Confidential Information