230 likes | 416 Views
The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain. Brian M. Orr – Systems Engineer May 22, 2014. The Malware Problem By the Numbers. 66%. of malware took months or even years to discover (up 10% from previous year) 1. 69%.
E N D
The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain Brian M. Orr – Systems Engineer May 22, 2014
The Malware Problem By the Numbers 66% • of malware took months or even years to discover (up 10% from previous year)1 69% of intrusions are discovered by an external party1 155k The number of new malware samples that are seen daily2 $5.4M The average total cost of a data breach3 40% The number of breaches that incorporated malware1 1. 2013 Verizon Data Breach Investigations Report | 2. McAfee Threats Report: First Quarter 2013 | 3. Ponemon Institute 2013 Cost of a Data Breach Study
Malware: Actors + Actions + Assets = Endpoint Actors Actions Assets *2013 Verizon Data Breach Report
Why is the Endpoint Under Attack? • Host-based security software still relies on AV signatures • Antivirus vendors find a routine process: Takes time and can no longer keep up with the massive malware volume • Host-based security software’s dependency on signatures and scanning engines remains an Achilles heel when addressing modern malware • Evasion techniques can easily bypass host-based defenses • Malware writers use compression and encryption to bypass AV filters • Malware developers use software polymorphism or metamorphism to change the appearance of malicious code from system to system • Cyber adversaries test malware against popular host-based software • There are criminal web sites where malware authors can submit their exploits for testing against dozens of AV products
Significant Data Breaches in Last Twelve Months Jan Feb July Dec Nov Aug Oct Sept March June May April
A New Generation of Security is Coming… As defined by Gartner • Next-Gen Prevention • “Reduce your attack surface” Block newly discovered attacks on the fly Pervasive monitoring and centralized recording • Threat Detection & Response • “Respond quickly when under attack”
Reducing Your Attack Surface Across the Kill Chain C2 Action Exploitation Installation Prevention effective here Delivery Detection effective here Weaponization Reconnaissance Attacker attempt to exfiltrate data Attacker exploits vulnerability Attacker changes system configuration Attacker establishes control channel Attacker transmits weapon in environment Attacker creates deliverable payload Attacker Researches potential victim
Real-time Visibility & Detection Enables Rapid Response Next-gen Security Needs: Visibility & Detection Real-time recorded history of entire environment Detect known and unknown files as they happen Know if and when you are under attack Response Identify, scope, contain and remediate faster Proactively respond to attacks in motion Simplify and expedite investigations Non-intrusive and no perceived end user impact
Failures Within the IR Process Identification & Scoping Eradication & Remediation Follow Up & Lessons Learned Preparation Containment Recovery The Six-Step IR Process Failure: Does not properly identify threat so cannot fully contain Failure: Organization resumesoperations with false sense of security Failure: No IR plan with processes and procedures in place Failure: After failing to fully scope threat, remediation is is impossible Failure: No post-incident process in place or does not implement expert recommendations Failure: Do not have recorded history to fully identify or scope threat
Response Process Simplified Scope Identify Contain Remediate
Response Process Pre and Post Bit9: Identify Scope Identify Contain Remediate Gather artifacts: File, System and Network Information Seek Information Review System Changes Malware Analysis • First name • Hash, Trust • Time first seen • Group (relation) • Connector alert
Response Process Pre and Post Bit9: Identify Identify Gather artifacts: File, System and Network Information Malware Analysis Seek Information Review System Changes Search machine History of change and events
Response Process Pre and Post Bit9: Identify Identify Gather artifacts: File, System and Network Information Malware Analysis Seek Information Review System Changes • SRS Analysis • Acquire file remotely • Submit to Connector
How Network Security Enhances Endpoint Security Next-Generation Network Security Next-Generation Endpoint and Server Security Incoming files on network Correlate endpoint/server and network data • Prioritize network alerts • Investigate scope of the threat • Remediate endpoints and servers “Detonate / Emulate” files for analysis Transfer alerts ETDR Automatic analysisofall suspicious files On-demand analysis of suspicious files Submit files automaticallySubmit files on-demand Endpoints/servers files
Response Process Pre and Post Bit9: Scope Scope Identify Contain Remediate Discover all compromised systems Determine attack progression, propagate, what systems are and have been impacted Find Patient Zero Review Attack History Identify All Systems Complete history of files (the attack)
Response Process Pre and Post Bit9: Scope Scope Discover all compromised systems Determine attack progression, propagate, what systems are and have been impacted Find Patient Zero Review Attack History Identify All Systems Complete history of machines the files are, and were, on And where executed
Response Process Pre and Post Bit9: Scope Scope Discover all compromised systems Determine attack progression, propagate, what systems are and have been impacted Find Patient Zero Review Attack History Identify All Systems Patient 0 (Initial attack vector)
Response Process Pre and Post Bit9: Contain Scope Identify Contain Remediate Short term steps to halt the attack: Block or ban content Halt Exfiltration Disrupt Attack Ban Globally, stop further executions
Response Process Pre and Post Bit9: Remediate Scope Identify Contain Remediate Longer term changes to prevent & detect attacks Update policies across an organization Review Posture Update Prevention & Detection Review Policy For endpoint controls
Response Process Pre and Post Bit9: Remediate Remediate Longer term changes to prevent & detect attacks Update policies across an organization Review Posture Update Prevention & Detection Update Prevention policies Update detection Capabilities Update Prevention policies Update detection Capabilities
Takeaways • Assume you will get breached • Reduce your attack surface with visibility & detection • How to do this? • Have real-time recorded history that continuous monitors and records every endpoint/server • Detect both known and unknown malware without signatures • Rapidly respond using recorded history • Establish an IR plan • Understand security solutions that can simplify and expedite response • Fully deploy security solutions across entire environment • Limited coverage means limited visibility, detection, response and prevention “In 2020, enterprises will be in a state of continuous compromise.”
ETDR Benefits Visibility Know what’s running on every endpoint and server right now • Always know what’s on your endpoints and servers • Detect and stop advanced threats • Reduce incident response time • Reduce remediation time • Improve compliance Detection See and record everything; detect threats in real-time without signatures Response A full history about what’s happened on every machine; contain and control threats Prevention New proactive, signature-less prevention techniques Integration Integrate network and endpoint security for real-time response and prevention