
The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain






Presentation Transcript


  1. The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain. Mary Ann Fitzsimmons, Regional Director

  2. Significant Data Breaches in Last Twelve Months (timeline chart, January through December)

  3. Malware: Actors + Actions + Assets = Endpoint (diagram; source: 2013 Verizon Data Breach Investigations Report)

  4. Why is the Endpoint Under Attack?
  • Host-based security software still relies on AV signatures
  • Antivirus vendors follow a routine signature-creation process: it takes time and can no longer keep up with the massive malware volume
  • Host-based security software's dependency on signatures and scanning engines remains an Achilles heel when addressing modern malware
  • Evasion techniques can easily bypass host-based defenses
  • Malware writers use compression and encryption to bypass AV filters
  • Malware developers use software polymorphism or metamorphism to change the appearance of malicious code from system to system
  • Cyber adversaries test malware against popular host-based software
  • There are criminal web sites where malware authors can submit their samples for testing against dozens of AV products

  5. The Malware Problem By the Numbers
  • 66% of breaches took months or even years to discover (dwell time) [1]
  • 69% of intrusions are discovered by an external party [1]
  • 155k new malware samples are seen daily [2]
  • $5.4M is the average total cost of a data breach [3]
  Sources: 1. 2013 Verizon Data Breach Investigations Report | 2. McAfee Threats Report: First Quarter 2013 | 3. Ponemon Institute 2013 Cost of a Data Breach Study

  6. The State of Information Security (charts; sources: NetDiligence, 2013 Cyber Liability & Data Breach Insurance Claims; 2013 Verizon Data Breach Investigations Report)

  7. The State of Information Security
  • Compromise happens in seconds
  • Data exfiltration starts minutes later
  • It continues undetected for months
  • Remediation takes weeks
  • At $341k per incident in forensics costs
  THIS IS UNSUSTAINABLE

  8. The Kill Chain
  • Reconnaissance: attacker researches potential victim
  • Weaponization: attacker creates deliverable payload
  • Delivery: attacker transmits weapon into the environment
  • Exploitation: attacker exploits a vulnerability
  • Installation: attacker changes system configuration
  • C2: attacker establishes a control channel
  • Action: attacker attempts to exfiltrate data

  9. Protection = Prevention, Detection and Response
  "Security…will shift to rapid detection and response capabilities linked to protection systems to block further spread of the attack." (Gartner, Endpoint Threat Detection and Response Tools and Practices, Sept. 2013)
  "Functions organize basic cybersecurity activities at their highest level. These Functions are: Identify, Protect, Detect, Respond, and Recover." (NIST Cybersecurity Framework for Critical Infrastructure, Feb 2014)

  10. Need a Security Lifecycle to Combat Advanced Threats (lifecycle diagram with four elements, Prevention, Visibility, Detection and Response, grouped under "Prevent" and "Detect & Respond")

  11. Reduce Attack Surface with Default-Deny
  Traditional EPP failure
  • Scan/sweep based
  • Signature-based
  • Block known bad
  Success of emerging endpoint prevention solutions
  • Real time
  • Policy based: tailor policies based on environment
  • Trust based: block all but known good
  Objective of emerging endpoint prevention solutions
  • Lock down endpoint/server
  • Reduce attack surface area
  • Make it as difficult as possible for an advanced attacker
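The contrast slides 4 and 11 draw, block-known-bad versus trust-based default-deny, is easiest to see on a small execution-control engine. The following is an added example written for this page, not Bit9 or Carbon Black code: the file contents, the publisher name "Example Software Vendor Inc.", the host groups and the paths are all constructed. A known malware sample is repacked by changing a single byte, which is enough to defeat a hash signature but changes nothing for a policy that only allows approved hashes and trusted publishers. The policy is also tailored per host group, as slides 18 to 20 suggest: high-risk users and servers are enforced, other users run in audit mode so the event is still recorded.

```python
"""Default-deny execution control vs. block-known-bad, on constructed events (added example)."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass
class ExecEvent:
    host_group: str        # policy is tailored per group: "high_risk", "server", "other"
    path: str
    content: bytes         # constructed bytes standing in for the executable image
    signer: str | None     # publisher from the code-signing certificate, None if unsigned


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class BlockKnownBad:
    """Traditional EPP model: allow unless the file hash matches a known-bad signature."""
    bad_hashes: set[str]

    def decide(self, ev: ExecEvent) -> str:
        return "block" if sha256(ev.content) in self.bad_hashes else "allow"


@dataclass
class DefaultDeny:
    """Trust-based model: allow only code that is explicitly approved, block the rest."""
    approved_hashes: set[str]
    trusted_publishers: set[str]
    enforce_groups: set[str]   # groups under lockdown; other groups run in audit mode for visibility

    def decide(self, ev: ExecEvent) -> tuple[str, str]:
        if sha256(ev.content) in self.approved_hashes:
            return "allow", "approved hash"
        if ev.signer is not None and ev.signer in self.trusted_publishers:
            return "allow", f"signed by trusted publisher {ev.signer}"
        if ev.host_group in self.enforce_groups:
            return "block", "untrusted code (default deny)"
        return "audit", "untrusted code recorded but not blocked (audit mode)"


# Constructed samples: an approved admin tool, a vendor-signed tool, a known malware
# sample, and the same sample with one byte changed (what repacking/polymorphism does).
APPROVED_TOOL = b"MZ constructed approved inventory agent v1"
SIGNED_TOOL = b"MZ constructed vendor build 2.3"
KNOWN_BAD = b"MZ constructed dropper payload"
REPACKED_BAD = KNOWN_BAD[:-1] + b"\x01"

av = BlockKnownBad(bad_hashes={sha256(KNOWN_BAD)})
policy = DefaultDeny(
    approved_hashes={sha256(APPROVED_TOOL)},
    trusted_publishers={"Example Software Vendor Inc."},   # hypothetical publisher name
    enforce_groups={"high_risk", "server"},
)


def verdicts(group: str) -> dict[str, tuple[str, str]]:
    """Run every sample through both models for one host group; returns {sample: (block-known-bad, default-deny)}."""
    samples = {
        "approved_tool": ExecEvent(group, r"C:\Tools\inventory.exe", APPROVED_TOOL, None),
        "signed_tool": ExecEvent(group, r"C:\Program Files\Vendor\tool.exe", SIGNED_TOOL, "Example Software Vendor Inc."),
        "known_bad": ExecEvent(group, r"C:\Users\alice\AppData\Local\Temp\svch0st.exe", KNOWN_BAD, None),
        "repacked_bad": ExecEvent(group, r"C:\Users\alice\AppData\Local\Temp\svch0st.exe", REPACKED_BAD, None),
    }
    return {name: (av.decide(ev), policy.decide(ev)[0]) for name, ev in samples.items()}


if __name__ == "__main__":
    for group in ("high_risk", "other"):
        for name, (av_verdict, dd_verdict) in verdicts(group).items():
            print(f"{group:10} {name:14} block-known-bad={av_verdict:6} default-deny={dd_verdict}")
```

The repacked sample is the interesting row: the signature model allows it because its hash is new, while the default-deny policy blocks it on enforced groups and records it on audited ones. The price of the trust-based model is the approval workflow (hashes and publishers have to be curated, and a compromised trusted publisher certificate is trusted too), which is why the slides stress tailoring policy to the environment rather than a single global lockdown.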

  12. Reduce Attack Surface Across Kill Chain (the kill chain diagram from slide 8, annotated with where prevention is effective)

  13. Detect in Real-time and Without Signatures
  Traditional EPP failure
  • Scan/sweep based
  • Small signature database
  Success of emerging endpoint detection solutions
  • Large global database of threat intelligence
  • Signature-less detection through threat indicators
  • Watchlists
  Objective of emerging endpoint detection solutions
  • Prepare for the inevitability of breach and a continuous state of compromise
  • Cover more of the kill chain than prevention
  • Enable rapid response

  14. Reduce Attack Surface Across Kill Chain (the kill chain diagram from slide 8, annotated with where prevention and where detection are effective)

  15. Rapidly Respond to Attacks in Motion
  Traditional EPP failure
  • Expensive external consultants
  • Relies heavily on disk and memory artifacts for recorded history
  Success of emerging endpoint incident response solutions
  • Real-time continuous recorded history, in a centralized database, delivers IR in seconds
  • Attack process visualization and analytics
  • Better, faster and less expensive
  Objective of emerging endpoint incident response solutions
  • Pre-breach rapid incident response
  • Better prepare prevention moving forward

  16. Current Failures Within the Incident Response Process
  The Six-Step IR Process, and where it fails:
  • Preparation: no IR plan with processes and procedures in place
  • Identification & Scoping: no recorded history to fully identify or scope the threat
  • Containment: the threat is not properly identified, so it cannot be fully contained
  • Eradication & Remediation: after failing to fully scope the threat, remediation is impossible
  • Recovery: the organization resumes operations with a false sense of security
  • Follow Up & Lessons Learned: no post-incident process in place, or expert recommendations are not implemented

  17. Real-time Visibility & Detection Drives Rapid Response
  Visibility & Detection
  • Real-time recorded history of the entire environment
  • Detect known and unknown files as they appear
  • Know if and when you are under attack
  Response
  • Identify, scope, contain and remediate faster
  • Proactively respond to attacks in motion
  • Simplify and expedite investigations
  • Non-intrusive and no perceived end user impact

  18. Advanced Threat Protection for Every Endpoint and Server (diagram of host categories: High-Risk/Targeted Users, All Other Users, Fixed-Function and Critical Infrastructure Devices, Data Center Servers; first build: watch and record)

  19. Advanced Threat Protection for Every Endpoint and Server (second build adds: stop all untrusted software)

  20. Advanced Threat Protection for Every Endpoint and Server (third build adds: detect and block on the fly)

  21. Bit9 + Carbon Black: Security Lifecycle in One Solution (the lifecycle diagram from slide 10: Prevention, Visibility, Detection, Response under "Prevent" and "Detect & Respond")

  22. Bit9 + Carbon Black
  (1) Reduce Your Attack Surface: Advanced Threat Prevention
  • New signature-less prevention techniques
  • Technology leader, purpose-built by experts, market leader in Default-Deny
  • Proactive prevention mechanisms customizable for different users and systems
  (2) Rapidly Detect & Respond to Threats: Incident Response in Seconds
  • Continuously monitor and record every endpoint/server
  • Super lightweight sensor that records and monitors everything and is deployable to every computer

  23. Bit9 + Carbon Black: Understanding the Entire Kill Chain
  • See the kill chain in seconds
  • From vulnerable processes to the persistent malicious service
  • Would take days or weeks to re-create using traditional tools
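Slides 13, 15 and 23 describe three things that a continuously recorded endpoint history makes possible: signature-less detection by matching behaviour against a watchlist, mapping each hit to a kill chain stage, and scoping an incident by walking the process tree and asking which other hosts ran the same binary. The following is an added example for this page, not the vendor's product code: the events are a constructed history for two workstations ("wks-01", "wks-02"), the hashes are labels rather than real digests, and the three watchlist rules (an Office application spawning a script host, a binary in a Temp directory writing an autorun key, and that binary connecting outbound) are illustrative indicators chosen to line up with the Exploitation, Installation and C2 stages of slide 8.

```python
"""Signature-less detection and scoping over a recorded endpoint history (added example)."""
from __future__ import annotations

# Constructed recorded history for two workstations: process starts (with parent pid),
# a file write, a registry autorun write and an outbound connection. Hashes are labels.
EVENTS = [
    {"host": "wks-01", "ts": 1, "type": "proc", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "hash": "h_explorer"},
    {"host": "wks-01", "ts": 2, "type": "proc", "pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE", "hash": "h_word"},
    {"host": "wks-01", "ts": 3, "type": "proc", "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "hash": "h_ps"},
    {"host": "wks-01", "ts": 4, "type": "filemod", "pid": 300, "path": r"C:\Users\alice\AppData\Local\Temp\svch0st.exe", "hash": "h_dropper"},
    {"host": "wks-01", "ts": 5, "type": "proc", "pid": 400, "ppid": 300, "image": r"C:\Users\alice\AppData\Local\Temp\svch0st.exe", "hash": "h_dropper"},
    {"host": "wks-01", "ts": 6, "type": "regmod", "pid": 400, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"host": "wks-01", "ts": 7, "type": "netconn", "pid": 400, "dst": "203.0.113.7:443", "outbound": True},
    {"host": "wks-02", "ts": 8, "type": "proc", "pid": 500, "ppid": 1, "image": r"C:\Users\bob\AppData\Local\Temp\svch0st.exe", "hash": "h_dropper"},
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


class History:
    """Centralised store of recorded events; processes are keyed by (host, pid)."""
    def __init__(self, events):
        self.events = sorted(events, key=lambda e: e["ts"])
        self.procs = {(e["host"], e["pid"]): e for e in self.events if e["type"] == "proc"}

    def proc(self, host, pid):
        return self.procs.get((host, pid))

    def children(self, host, pid):
        return [p for (h, _), p in self.procs.items() if h == host and p["ppid"] == pid]


# Watchlist rules: each describes attacker behaviour, not a file signature, and names the
# kill chain stage it evidences. Each returns (stage, reason) or None.
def office_spawns_script_host(h: History, e: dict):
    if e["type"] != "proc":
        return None
    parent = h.proc(e["host"], e["ppid"])
    if parent and basename(parent["image"]) in OFFICE and basename(e["image"]) in SCRIPT_HOSTS:
        return "Exploitation", f"{basename(parent['image'])} spawned {basename(e['image'])}"
    return None


def temp_binary_sets_autorun(h: History, e: dict):
    if e["type"] != "regmod" or "\\currentversion\\run\\" not in e["key"].lower():
        return None
    p = h.proc(e["host"], e["pid"])
    if p and "\\temp\\" in p["image"].lower():
        return "Installation", f"{basename(p['image'])} from Temp wrote autorun key"
    return None


def temp_binary_connects_out(h: History, e: dict):
    if e["type"] != "netconn" or not e.get("outbound"):
        return None
    p = h.proc(e["host"], e["pid"])
    if p and "\\temp\\" in p["image"].lower():
        return "Command and Control", f"{basename(p['image'])} from Temp connected to {e['dst']}"
    return None


RULES = [office_spawns_script_host, temp_binary_sets_autorun, temp_binary_connects_out]


def detect(h: History) -> list[dict]:
    """Replay the recorded history through the watchlist; hits come back in time order."""
    hits = []
    for e in h.events:
        for rule in RULES:
            res = rule(h, e)
            if res:
                hits.append({"host": e["host"], "ts": e["ts"], "pid": e["pid"], "stage": res[0], "why": res[1]})
    return hits


def scope(h: History, host: str, pid: int) -> dict:
    """From one hit, rebuild the process chain back to its root, collect everything the hit
    process went on to spawn, and find every host where those binaries also executed."""
    chain, p = [], h.proc(host, pid)
    while p:
        chain.insert(0, p)
        p = h.proc(host, p["ppid"])
    descendants, frontier = [], [h.proc(host, pid)]
    while frontier:
        for c in h.children(host, frontier.pop()["pid"]):
            descendants.append(c)
            frontier.append(c)
    suspect = {q["hash"] for q in [h.proc(host, pid)] + descendants}
    affected = {q["host"] for q in h.procs.values() if q["hash"] in suspect}
    return {"chain": [basename(q["image"]) for q in chain],
            "spawned": [basename(q["image"]) for q in descendants],
            "suspect_hashes": suspect, "affected_hosts": affected}


if __name__ == "__main__":
    history = History(EVENTS)
    for hit in detect(history):
        print(f"{hit['host']} t={hit['ts']} {hit['stage']:20} {hit['why']}")
    first = detect(history)[0]
    print(scope(history, first["host"], first["pid"]))
```

Run as written, the watchlist fires three times on wks-01 in kill chain order (Exploitation at the Word-to-PowerShell spawn, Installation at the autorun write, C2 at the outbound connection), and scoping the first hit rebuilds the chain explorer.exe, WINWORD.EXE, powershell.exe, lists the dropped svch0st.exe it spawned, and reports wks-02 as affected because the same dropper hash executed there. None of this required a signature for svch0st.exe; it required the history to have been recorded before anyone knew to look, which is the point slide 15 makes against reconstructing the same picture afterwards from disk and memory artifacts.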

  24. Takeaways
  • Reduce your attack surface with prevention
  • Prepare for the inevitability of compromise
  • Detect in real time without signatures
  • Pre-breach rapid response in seconds with recorded history
  • Establish an IR plan
  • Understand the need for a security lifecycle
  • Fully deploy security solutions across the entire environment
  "In 2020, enterprises will be in a state of continuous compromise."

  25. Thank you! Q&A
