Security without Limits
Spear-Phishing, Watering Holes, Drive-by Downloads
The Need for Rapid Endpoint Security Innovation
Darin Dick
About Invincea

Heritage and Market Presence
• Spun out of a DARPA funded project focusing on advanced malware prevention
• Awarded $21.4 million research and development contract from DARPA to develop a secure Android platform
• Headquartered just outside Washington, D.C.
• Product in market just under 3 years
• Fortune 1,000
• US Federal Government
• Dell OEM to 20+ million machines annually
• Protecting nearly 10,000 organizations around the globe
• Management team with successful start-up track records and national security credentials: DARPA, BAE Systems, Riptech, NetWitness, ArcSight

Recognition
• SINET “Innovator” Award 2010
• Global Security Challenge Eastern Region Winner
• “Most Innovative Company of the Year” – RSA 2011
• SINET “Best in Class” Award 2011
• GOVTek “Top Company to Watch” in 2012
• Governor’s Award 2012 – Best Tech Transfer to Start-up
• GOVTek “Best Security Solution” 2013
• Government Security News “Best Anti-Malware Solution” – 2012 & 2013
• NVTC 3024 “Cyber-Innovators” Award
A Four Letter Word… How does the adversary enter your network? Your New Perimeter
How Breaches Happen…

Targeted Attacks (APTs): zero-days and new malware strains targeting browsers, plug-ins, PDFs and Office docs
• Spear-phishing (95% of all APTs*)
• Links to drive-by downloads
• Weaponized document attachments
• Watering hole attacks
• Hijacked, trusted sites

Incidental Contact
• Poisoned search engine results
• Malicious websites
• Hijacked legitimate sites (30,000 takeovers daily**)
• Social networking worms

* Both Mandiant and Trend Micro 2013 reports
** Sophos, June 2013
A Running Theme…

‘11, ‘12 and ’13 (so far): bloodiest years on record…
• “White House” eCard (spear-phishing)
• HBGary Federal (social engineering)
• Night Dragon (spear-phishing)
• London Stock Exchange website (watering hole)
• French Finance Ministry (spear-phishing)
• DuPont, J&J, GE (spear-phishing)
• Nasdaq (spear-phishing)
• Office of the Australian Prime Minister (spear-phishing)
• RSA (spear-phishing)
• Epsilon (spear-phishing)
• Barracuda Networks (spear-phishing)
• Oak Ridge National Labs (spear-phishing)
• Lockheed Martin (spear-phishing)
• Northrop Grumman (spear-phishing)
• Gannett Military Publications (spear-phishing)
• PNNL (spear-phishing)
• Shady RAT (spear-phishing)
• DIB and IC campaign (spear-phishing)
• ‘Voho’ campaign (watering holes and spear-phishing)
• ‘Mirage’ campaign (spear-phishing)
• ‘Elderwood’ campaign (spear-phishing)
• White House Military Office (spear-phishing)
• Telvent compromise (spear-phishing)
• Council on Foreign Relations (watering hole)
• Capstone Turbine (watering hole)
• Red October (spear-phishing)
• DoE (spear-phishing)
• Federal Reserve (spear-phishing)
• NYT, WSJ, WaPo (spear-phishing)
• South Korea (spear-phishing)
• 11 energy firms (spear-phishing)
• QinetiQ (TBD)
• Apple, Microsoft, Facebook (watering hole)
• Speedtest.net (gill netting)
• National Journal (watering hole)
• FemmeComp (watering hole)
• Department of Labor / DoE (watering hole)
• WTOP and FedNewsRadio (gill netting)
• Retail (spear-phishing)
• Energy (watering holes)
• Microsoft (spear-phishing)

93-95% of all targeted attacks (APTs) involve the user… (amalgam of Mandiant, VBR, Trend Micro)
Results from Invincea Survey ‘Addressing APTs’
[Chart: for each control, percentage of respondents with it In Use versus percentage reporting Confidence in it. Controls surveyed: Firewalls/Web Proxies, Network Controls, Anti-Virus, App Whitelisting, User Training, Forensics and IR]
The Elephant… Stop the insanity! “I’m right there in the room…and no one even acknowledges me.”
Protect the New Perimeter…
“It’s the endpoint, bro…”

Top 3 reasons we avoid the endpoint…
• We don’t realize how bad legacy controls really are…
• We’ve already bogged it down with a bunch of agents… but they AREN’T stopping the threat
• We’re scared of user revolt… but the user DOESN’T want to be your weakest link!

Stop the insanity!
Invincea Use Case: Spear-Phishing…

Attacks targeted at information security professionals (February 2013)
• Took advantage of global media coverage of the Mandiant APT1 report
• Legitimate PDF renamed and weaponized
• Detected in the wild by Invincea – attack stopped at the point of opening the PDF

Attacks against the South Korean banking system (March 2013)
• Widespread attacks on the banking system and broadcast networks
• Appear to have originated in China; North Korea suspected
• Wiper virus similar to Shamoon, which attacked Saudi Aramco and other targets

$200 billion market swing (April 2013)
• Spear-phishing attack against the Associated Press
• Stolen login credentials for the AP Twitter account
• Fake tweet that the White House had been bombed sent markets into a tailspin
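The first case above turns on a weaponized PDF delivered by spear-phishing. As an added example (not from the deck and not Invincea's code), the following static triage pass shows the two checks an analyst would run on such an attachment before anyone opens it: whether the file is actually a PDF (a renamed executable fails this), and whether it carries the object names that let a PDF execute content on open. The watch-list of names, the risk scale and the sample byte strings are constructed for illustration; the hex-escape handling matters because `/J#61vaScript` is the same PDF name as `/JavaScript` and a raw keyword scan would miss it.

```python
"""Static triage of a PDF attachment (added example; constructed rules and data)."""
import re
from typing import Dict

# Object names that give a PDF the ability to act when opened (assumed watch-list).
RISKY_NAMES = {
    b"/JavaScript": "embedded JavaScript",
    b"/JS": "embedded JavaScript (short key)",
    b"/OpenAction": "action triggered on document open",
    b"/AA": "additional actions (page open, form events)",
    b"/Launch": "launches an external program",
    b"/EmbeddedFile": "file attachment carried inside the PDF",
    b"/RichMedia": "Flash / rich media content",
    b"/ObjStm": "object streams that can hide other objects",
}

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Undo PDF name hex escapes: /J#61vaScript is the same name as /JavaScript."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def looks_like_pdf(data: bytes) -> bool:
    """Readers tolerate junk before the header, but only within the first 1024 bytes."""
    return b"%PDF-" in data[:1024]


def count_risky_names(data: bytes) -> Dict[str, int]:
    """Count each watch-listed name after normalising escapes."""
    norm = normalize_names(data)
    counts: Dict[str, int] = {}
    for name in RISKY_NAMES:
        # Require a delimiter after the name so /JS does not match a longer name.
        pattern = re.escape(name) + rb"(?![A-Za-z0-9])"
        n = len(re.findall(pattern, norm))
        if n:
            counts[name.decode()] = n
    return counts


def triage(data: bytes) -> dict:
    """Return a verdict dict; 'risk' is none / medium / high (assumed scale)."""
    findings = count_risky_names(data)
    has_script = "/JavaScript" in findings or "/JS" in findings
    auto_trigger = "/OpenAction" in findings or "/AA" in findings
    if not looks_like_pdf(data):
        risk = "high"          # a .pdf name on something that is not a PDF at all
    elif (has_script and auto_trigger) or "/Launch" in findings:
        risk = "high"          # code or a program runs without further user action
    elif findings:
        risk = "medium"        # capabilities present, trigger not obvious from a scan
    else:
        risk = "none"
    return {"is_pdf": looks_like_pdf(data), "findings": findings, "risk": risk}


# Constructed sample files (minimal, not real documents).
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Count 0 >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n")
WEAPONIZED_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
                  b"3 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj\n%%EOF\n")
RENAMED_EXE = b"MZ\x90\x00" + b"\x00" * 60   # a PE header, not a PDF

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN_PDF), ("weaponized", WEAPONIZED_PDF), ("renamed", RENAMED_EXE)]:
        print(label, triage(blob))
```

A "medium" result is a prompt to open the file only inside a container or sandbox, which is the control the rest of the deck is about; a static scan cannot see what a decoded stream does, so it is a gate, not a verdict.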
Invincea Use Case: Watering Hole Attacks…

Department of Labor website serving DoE nuclear researchers (May 2013)
• Hallmarks of a known APT actor group
• IE 8 zero-day
• Detected in the wild by Invincea – attack stopped within the secure virtual container

Small defense contractor serving the U.S. intel community (March 2013)
• FemmeComp website serving up malware
• Detected in the wild by Invincea – attack stopped within the secure virtual container

Third-party software developer website used as a watering hole (February 2013)
• Software developer site used by three major high-tech companies: Microsoft, Apple, Facebook
Endpoint Security Reborn! Protect the User
Enterprise & Small Business

Endpoint Application: Invincea FreeSpace
• Endpoint application, priced per seat
• Protection options: browser (IE, Firefox, Chrome), PDF, Office suite (PPT, XLS, DOC)
• Recommended system specs: 512 MB RAM, 150 MB free disk space, Intel/AMD x86 chipset
• Supported operating systems: Windows XP, Windows 7 32- and 64-bit

Management Server
• Invincea Management Server
• Threat Data Server
• Optional integration to other technologies
• Config management: track deployments, manage groups, maintain audit trail, schedule software updates
• Reporting
• Multiple deployment options: virtual appliance, physical appliance (1U rack-mounted), cloud hosted
Secure Virtual Container (layered build-up diagram)
Hardware
Operating System
Secure Virtual Container, hosting:
• Web Browser
• Office Applications (Excel, Word, PowerPoint)
• Adobe Acrobat Reader
• Browser Toolbars & Widgets
• Browser Plugins
Also shown: Anti-Virus, Host Security Plug-ins, DLP, Single Sign-on
Secure Virtual Container (components)
• Secure Virtual Container
• Virtual File System
• Behavioral sensors (process, file, network)
• Command and Control
• Forensic data capture
• Invincea Communications Interface
• Virtual Segregation Shim

Secure Virtual Container: Contained Threats
Attacks against the browser, PDF reader and Office suite are air-locked from the host operating system. Detection, kill and forensic capture occur inside the secure virtual container.
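The component list above names process, file and network sensors, a kill decision and forensic capture, but not what the sensors look for. As an added example (constructed, not Invincea's sensor logic), this is the shape of a behavioral detector over events raised by contained applications: a browser, PDF reader or Office process spawning a shell or script host, writing an executable and then running it, or beaconing out after dropping a payload. The event line format, the application and child-process lists, and the sample event streams are all assumptions made for the example; children of a contained process are treated as contained too, which is what "air-locked" has to mean in practice.

```python
"""Behavioral sensor for processes inside a container (added example; constructed events and rules)."""
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Iterable, List, Set

# Applications the container hosts (the deck's protection options), lower-cased image names.
CONTAINED_APPS = {"iexplore.exe", "firefox.exe", "chrome.exe", "acrord32.exe",
                  "winword.exe", "excel.exe", "powerpnt.exe"}
# Children a browser, PDF reader or Office app has no legitimate reason to start (assumed list).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "regsvr32.exe", "rundll32.exe"}
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".bat", ".vbs", ".ps1"}


@dataclass
class Event:
    ts: int
    kind: str      # "process" (child started), "file" (file written), "network" (connection)
    actor: str     # image name of the process that caused the event
    detail: str    # child image path, written file path, or remote endpoint


@dataclass
class Verdict:
    kill: bool = False
    alerts: List[str] = field(default_factory=list)
    forensic_trail: List[Event] = field(default_factory=list)


def parse_event(line: str) -> Event:
    """Constructed line format: ts|kind|actor|detail."""
    ts, kind, actor, detail = line.rstrip("\n").split("|", 3)
    return Event(int(ts), kind, actor.lower(), detail)


def analyze(lines: Iterable[str]) -> Verdict:
    """Run the three sensors over an event stream; kill on the first confirmed chain."""
    v = Verdict()
    contained: Set[str] = set(CONTAINED_APPS)
    dropped: Set[str] = set()          # executables written from inside the container
    for line in lines:
        ev = parse_event(line)
        v.forensic_trail.append(ev)    # capture everything, not only what alerts
        if ev.actor not in contained:
            continue                   # host processes are outside these sensors' scope
        if ev.kind == "process":
            child = PureWindowsPath(ev.detail).name.lower()
            contained.add(child)       # a child of a contained process is contained too
            if child in SUSPICIOUS_CHILDREN:
                v.alerts.append(f"{ev.ts}: {ev.actor} spawned {child}")
                v.kill = True
            elif ev.detail.lower() in dropped:
                v.alerts.append(f"{ev.ts}: {ev.actor} executed dropped file {ev.detail}")
                v.kill = True
        elif ev.kind == "file":
            if PureWindowsPath(ev.detail).suffix.lower() in EXECUTABLE_SUFFIXES:
                dropped.add(ev.detail.lower())
                v.alerts.append(f"{ev.ts}: {ev.actor} wrote executable {ev.detail}")
        elif ev.kind == "network" and dropped:
            # Outbound traffic after a payload was dropped: treat as beaconing.
            v.alerts.append(f"{ev.ts}: {ev.actor} connected to {ev.detail} after dropping a payload")
            v.kill = True
    return v


# Constructed event streams. A drive-by through the PDF reader, then a normal browsing session.
DRIVE_BY_EVENTS = [
    "1|network|acrord32.exe|203.0.113.10:80",
    "2|file|acrord32.exe|C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
    "3|process|acrord32.exe|C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
    "4|network|update.exe|198.51.100.7:443",
    "5|process|explorer.exe|C:\\Windows\\System32\\cmd.exe",   # host process, out of scope
]
NORMAL_EVENTS = [
    "1|network|chrome.exe|203.0.113.20:443",
    "2|file|chrome.exe|C:\\Users\\alice\\Downloads\\report.pdf",
    "3|process|chrome.exe|C:\\Program Files\\Adobe\\Reader\\AcroRd32.exe",
]

if __name__ == "__main__":
    for label, events in [("drive-by", DRIVE_BY_EVENTS), ("normal", NORMAL_EVENTS)]:
        verdict = analyze(events)
        print(label, "kill" if verdict.kill else "allow", verdict.alerts)
```

The first network event in the drive-by stream is deliberately not an alert: a PDF reader fetching something is normal, and the sensor only escalates once the write-then-execute chain or a post-drop connection appears. The forensic trail keeps all five events regardless, which is what lets an analyst reconstruct the sequence after the kill.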
The Power of Invincea FreeSpace: Free the User | Contain the Threat

Protect the mobile workforce left unprotected when they leave the four walls of the network

Deliver exactly what the business needs!
• Unfettered access for the user – even giving things back
• Protect the network from the user and the user from himself

Map the Adversary
• Real-time vs. post-facto forensics
• Intelligence fusing
• Mapping the M.O. and opening the attributional gold mine

Reduce Operational Expenses
• Patching, e.g. old/vulnerable versions of Java that can’t be patched due to legacy app incompatibility
• Incident response
• Endpoint reimaging
• Employee downtime

Prevent the Breach!
• Brand protection
• Mission critical data protection
• Millions in breach related expenses
Blazing the Trail
• IDC forecasts $1.17bn in stand-alone spend on Invincea-type services by 2017 (Specialized Threat Analysis and Prevention market), additive to the $10bn endpoint security market
• SANS 20 Critical Controls, Item 5: Malware Defenses, 5.7 Quick wins: “Deploy…products that provide sandboxing (e.g., run browsers in a VM), and other techniques that prevent malware exploitation.”

“Endpoint security. Don’t just rely upon network security based controls that detect delivery of malicious code. You should also use the new breed of endpoint solutions that detect exploitation of malicious code on the host.” (Rick Holland @ Forrester)

“Traditional defense-in-depth components are still necessary, but are no longer sufficient in protecting against advanced targeted attacks and advanced malware. Today's threats require an updated layered defense model that utilizes ‘lean forward’ technologies at three levels: network, payload and endpoint.” (Lawrence Orans and Jeremy D’Hoinne @ Gartner)

“By year-end 2016, 20% of enterprises will implement Windows containment mechanisms for end users handling untrusted content and code, up from less than 1% in 2013.” (Neil MacDonald @ Gartner)

“In what might be described as a sea change, Dell announced a new security suite for its Precision, Latitude and OptiPlex systems…” (Wendy Nather @ 451 Group)
Let’s Talk More… Let’s get moving today!!!
Darin.dick@invincea.com
http://www.invincea.com/get-protected/request-form/
Stop the insanity!