Fighting Advanced Persistent Threats


Presentation Transcript


  1. Fighting Advanced Persistent Threats
     Samar Deybis, Regional Account Manager
     Robert Zamani, Sr. Sales Engineer

  2. Today’s Security Challenge

  3. Growing Risks of Advanced Threats
     • APT is on the rise…
       • 71% increase in APT attacks over the past 12 months
     • APT targets any industry
       • 83% of US companies have been hit by the APT
     • APT is low profile…
       • 46% say it takes 30 days or more to detect
     • APT is targeted…
       • 97% of the 140M records compromised through customized malware
     • APT is elusive
       • AV databases are 20-50% effective at detecting new or low-volume threats

  4. Evolving Threat Landscape
     • 75% of threats are targeted at 50 computers or less
     • 2/3 of breaches are detected by a 3rd party
     • U.S. Government probed 1.8B times / month
     • Motivation
       • PII / Credit Card Data
       • Intellectual Property
       • Hacktivism

  5. The largest loss of IP in history

  6. Phishing … A Click Away

  7. The Advanced Persistent Threat … 5 Steps …
     1. Phishing Drops Malware
     2. Malware Creates a Back Door
     3. Malware Morphs & Moves Laterally
     4. Data is Gathered
     5. Remote Command & Control Exfiltrates Data

  8. The Compromise to Discovery Gap

  9. Endpoint is a Massive Blind Spot: Lacking in Visibility, Knowledge, Trust
     Detection rate by threat class (from the slide's figure):
     • Known Threats: 90-100% (Stopped)
     • New Macro-Distribution threats: 25-50% (Maybe)
     • New Micro-Distribution threats: 0-5% (Evade Protection)
     [Figure: of 10 new threats, 5 stopped, 2 maybe, 3 evade protection]
     • >11,000,000 total detections per month [1]
     • … 49% of the records compromised were a result of customized malware …
     • Over 31,000 detections / day
     [1] Symantec Internet Security Threat Report, May 2011

  10. Protection Gap Exists At Endpoint
     Existing protection layers (from the slide's diagram):
     • Anti-virus (signatures)
     • HIPS (behavior rules)
     • Network protection (UTM, IDS/IPS)
     • Remove admin rights
     • Patch management
     • Software distribution / delivery
     • Base system image
     Advanced threats that fall into the gap:
     • Rootkits
     • DLL Injection
     • Trojans
     • Infected USB Drive
     • Unpatched Applications
     • Spoof AV
     • Sophisticated Botnets
     • Custom, Targeted Attacks
     Examples: Aurora, Conficker, Zeus, "Here you Have", RSA, <Insert Name Here>

  11. Advanced Persistent Threat Targets … Bit9 Parity Suite
     APT attempts to change critical resources:
     • Registry
     • Memory
     • Config Files
     • Portable Storage Devices
     • Applications
     • Operating System
     Bit9 Parity Suite controls:
     • Ensure Registry Integrity
     • Ensure Memory Protection
     • Ensure File Integrity
     • Prevent Data Leakage
     • Prevent Targeted/Advanced Malware
     • Prevent Rootkits

  12. The New Strategy for Advanced Threats
     • Advanced Network Protection (malware in motion)
     • Advanced Endpoint Protection (malware at rest)
     • Reputation Service
     • SIEM – APT Event Consolidation and Correlation
     • Traditional Network Protection
     • Traditional Endpoint Protection
     • Malware Signature Database

  13. The Power of Correlation
     1. Suspicious Network Traffic Alert on SIEM (142.3.21.2, aurora.exe)
     2. Correlate Network Behavior with Endpoint Events (aurora.exe)
     3. Identify Non-Trusted Software Introduced in Last 24 Hrs (1st Seen)
     4. Advanced Threat Detection (aurora.exe, MD5 hash: 93433579104738557312194765176145217231)
     5. Advanced Threat Protection
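The five-step correlation on this slide (a SIEM alert for a host, joined against the endpoint's "first seen" file events from the last 24 hours, keeping only software the whitelist does not already trust) can be expressed as a small join over two event streams. The following is an added example, not Bit9 code and not taken from the presentation; the record layouts, host names, hashes and timestamps are constructed, and the 24-hour window is the one the slide names. It also reports how many hosts hold the same hash, which is the "who else has the file" question from a later slide.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple


# Constructed record layouts (assumptions, not a vendor schema).
@dataclass(frozen=True)
class NetAlert:
    ts: datetime      # when the SIEM raised the alert
    host: str         # endpoint that originated the suspicious traffic
    dest_ip: str      # remote address the host talked to
    rule: str         # SIEM rule that fired


@dataclass(frozen=True)
class FileEvent:
    ts: datetime      # when the endpoint agent first recorded the file
    host: str
    path: str
    md5: str          # constructed placeholder hashes below, not real ones
    user: str         # account that introduced the file
    approved: bool    # True if whitelist / reputation already trusts the hash


# Constructed sample data.
T0 = datetime(2011, 6, 1, 9, 0)
MD5_PUTTY = "11111111111111111111111111111111"   # placeholder
MD5_READER = "22222222222222222222222222222222"  # placeholder
MD5_AURORA = "33333333333333333333333333333333"  # placeholder
MD5_OTHER = "44444444444444444444444444444444"   # placeholder

NET_ALERTS = [NetAlert(T0, "WS-017", "142.3.21.2", "beaconing-to-unknown-ip")]

FILE_EVENTS = [
    # unapproved but 3 days old: outside the 24-hour window, so not a hit
    FileEvent(T0 - timedelta(days=3), "WS-017", r"C:\Tools\putty.exe", MD5_PUTTY, "tmurphy", False),
    # recent but approved: trusted software is skipped
    FileEvent(T0 - timedelta(hours=5), "WS-017", r"C:\Program Files\Adobe\Reader.exe", MD5_READER, "SYSTEM", True),
    # unapproved, first seen 2 hours before the alert on the alerting host: the hit
    FileEvent(T0 - timedelta(hours=2), "WS-017", r"C:\Users\tmurphy\AppData\Local\Temp\aurora.exe", MD5_AURORA, "tmurphy", False),
    # the same hash shows up later on a second host (prevalence becomes 2)
    FileEvent(T0 - timedelta(hours=1), "WS-042", r"C:\Users\bgates\AppData\Local\Temp\aurora.exe", MD5_AURORA, "bgates", False),
    # recent and unapproved, but no alert exists for this host
    FileEvent(T0 - timedelta(hours=1), "WS-099", r"C:\tmp\x.exe", MD5_OTHER, "alice", False),
]


def first_seen_index(events: List[FileEvent]) -> Dict[Tuple[str, str], FileEvent]:
    """Earliest record per (host, md5): the endpoint's '1st seen' event."""
    index: Dict[Tuple[str, str], FileEvent] = {}
    for e in events:
        key = (e.host, e.md5)
        if key not in index or e.ts < index[key].ts:
            index[key] = e
    return index


def prevalence(events: List[FileEvent]) -> Dict[str, Set[str]]:
    """Hosts that hold each hash ('who else has the file')."""
    hosts: Dict[str, Set[str]] = {}
    for e in events:
        hosts.setdefault(e.md5, set()).add(e.host)
    return hosts


def correlate(alerts: List[NetAlert], events: List[FileEvent],
              window: timedelta = timedelta(hours=24)) -> List[dict]:
    """For each SIEM alert, list non-trusted files first seen on the alerting
    host within `window` before the alert, newest first."""
    seen = first_seen_index(events)
    prev = prevalence(events)
    findings = []
    for a in alerts:
        for (host, md5), e in seen.items():
            if host != a.host or e.approved:
                continue
            if a.ts - window <= e.ts <= a.ts:
                findings.append({
                    "host": host, "dest_ip": a.dest_ip, "rule": a.rule,
                    "path": e.path, "md5": md5, "introduced_by": e.user,
                    "first_seen": e.ts, "age_at_alert": a.ts - e.ts,
                    "prevalence": len(prev[md5]),
                })
    findings.sort(key=lambda f: f["first_seen"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in correlate(NET_ALERTS, FILE_EVENTS):
        print(f"{f['host']} -> {f['dest_ip']} [{f['rule']}]: {f['path']} md5={f['md5']} "
              f"introduced by {f['introduced_by']} {f['age_at_alert']} before the alert, "
              f"present on {f['prevalence']} host(s)")
```

Only the file that is both unapproved and newly introduced on the alerting host survives the join; the old unapproved tool, the approved Adobe binary and the unrelated host's file are all filtered out, which is what keeps this kind of correlation from drowning the analyst in every unsigned binary on the network.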

  14. Advanced Endpoint Protection: Preventing Targeted Cyber Attacks

  15. Bit9 Advanced Threat Protection
     • VISIBILITY: Detect All Critical Changes
     • KNOWLEDGE: Assess Risk & Integrity
     • CONTROL: Confirm or Deny Changes

  16. Bit9 Architecture
     • Clients: laptops, desktops, servers, kiosks, ATMs, point of sale
     • Management Server: Bit9 Parity server, console, MSFT SQL Server, Active Directory server
     • Software Reputation Service: Global Software Registry

  17. Step 1: Live Software Inventory
     • User Laptop: Applications, Active-X, Toolbars, DLLs, …
     • Server Groups
     • Kiosk/POS/ATM
     • Geography

  18. Step 2: Software Reputation Service
     The Bit9 Parity Server sends a file hash to the Global Software Registry and receives metadata for that hash:
     • Trust Factor
     • Multi AV Scan Results
     • Publisher
     • Prevalence
     • Age
     • Categorization

  19. Building the Application Whitelist
     Blacklist policies:
     • Bit9 Software Bans (<MD5 hashes>, Keyloggers, Skype.exe)
     • HIPS Behavioral Rules
     • AV Signatures
     • Remove Admin Rights
     Whitelist policies:
     • Bit9 Trusted Updaters (Adobe, Cisco, Symantec)
     • Bit9 Trusted Directories (E:\wsus\*, S:\sms\distribution, L:\library\*)
     • Bit9 Trusted Publishers (Adobe, Apple, Microsoft)
     • Bit9 Trusted Users (TMurphy, BGates, BObama)
     Confirm the Integrity of Existing Software

  20. Closing the Gap
     From blacklist to whitelist:
     • Default Open / Monitor Policy: allow execution
     • Block and Ask Policy: ask user before execution (user asked for permission)
     • Default Deny / Flexible Lockdown Policy: deny execution
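Slides 19 and 20 together describe an execution-control decision: software bans (blacklist), a set of trust rules that approve software (by hash, publisher, directory, updater or user), and a policy mode that decides what happens to anything left over (monitor, block-and-ask, or lockdown). The following is an added example of that decision logic, written for this page and not Bit9's code; the precedence (bans before any trust rule, trust rules before the mode default), the request fields, the updater process name and the sample hashes are assumptions, while the publisher, directory and user values are the ones shown on slide 19.

```python
from dataclasses import dataclass, field, replace
from enum import Enum
from fnmatch import fnmatchcase
from typing import List, Optional, Set, Tuple


class Mode(Enum):
    MONITOR = "default open / monitor"       # unapproved software runs and is logged
    BLOCK_AND_ASK = "block and ask"          # unapproved software prompts the user
    LOCKDOWN = "default deny / lockdown"     # unapproved software is denied


class Verdict(Enum):
    ALLOW = "allow execution"
    DENY = "deny execution"
    ASK = "ask user before execution"


@dataclass(frozen=True)
class ExecRequest:                  # constructed layout, not a vendor API
    path: str
    md5: str
    user: str
    publisher: Optional[str] = None  # signer name if the file is signed
    parent: Optional[str] = None     # process that wrote/launched the file


@dataclass
class Policy:
    mode: Mode
    banned_hashes: Set[str] = field(default_factory=set)         # Software Bans
    approved_hashes: Set[str] = field(default_factory=set)       # approved by hash
    trusted_publishers: Set[str] = field(default_factory=set)
    trusted_directories: List[str] = field(default_factory=list)  # glob patterns
    trusted_updaters: Set[str] = field(default_factory=set)       # parent process names
    trusted_users: Set[str] = field(default_factory=set)


def _lower(values) -> Set[str]:
    return {v.lower() for v in values}


def evaluate(policy: Policy, req: ExecRequest) -> Tuple[Verdict, str]:
    """Bans beat every trust rule; any trust rule approves; otherwise the
    mode supplies the default (assumed precedence)."""
    md5 = req.md5.lower()
    if md5 in _lower(policy.banned_hashes):
        return Verdict.DENY, "hash is banned"
    if md5 in _lower(policy.approved_hashes):
        return Verdict.ALLOW, "hash is approved"
    if req.publisher and req.publisher.lower() in _lower(policy.trusted_publishers):
        return Verdict.ALLOW, f"trusted publisher {req.publisher}"
    for pattern in policy.trusted_directories:
        if fnmatchcase(req.path.lower(), pattern.lower()):
            return Verdict.ALLOW, f"trusted directory {pattern}"
    if req.parent and req.parent.lower() in _lower(policy.trusted_updaters):
        return Verdict.ALLOW, f"written by trusted updater {req.parent}"
    if req.user.lower() in _lower(policy.trusted_users):
        return Verdict.ALLOW, f"trusted user {req.user}"
    # Unapproved software: the policy mode is the "default" in default-open/default-deny.
    if policy.mode is Mode.MONITOR:
        return Verdict.ALLOW, "unapproved; allowed and logged (monitor mode)"
    if policy.mode is Mode.BLOCK_AND_ASK:
        return Verdict.ASK, "unapproved; user asked for permission"
    return Verdict.DENY, "unapproved; denied (lockdown)"


# Constructed sample policy; list values come from slide 19, hashes are placeholders.
MD5_KEYLOGGER = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
LOCKDOWN = Policy(
    mode=Mode.LOCKDOWN,
    banned_hashes={MD5_KEYLOGGER},
    trusted_publishers={"Adobe", "Apple", "Microsoft"},
    trusted_directories=[r"E:\wsus\*", r"S:\sms\distribution\*", r"L:\library\*"],
    trusted_updaters={"adobe_updater.exe"},          # constructed process name
    trusted_users={"TMurphy", "BGates", "BObama"},
)

# Constructed requests.
REQ_BANNED_IN_TRUSTED_DIR = ExecRequest(r"L:\library\kl.exe", MD5_KEYLOGGER, "alice")
REQ_SIGNED = ExecRequest(r"C:\Program Files\Adobe\Reader.exe", "bb" * 16, "alice", publisher="Adobe")
REQ_WSUS = ExecRequest(r"E:\wsus\kb123456.msi", "cc" * 16, "SYSTEM")
REQ_UPDATER = ExecRequest(r"C:\Temp\plugin.dll", "dd" * 16, "alice", parent="adobe_updater.exe")
REQ_UNKNOWN = ExecRequest(r"C:\Users\alice\AppData\Local\Temp\aurora.exe", "ee" * 16, "alice")
REQ_UNKNOWN_TRUSTED_USER = ExecRequest(r"C:\Users\tmurphy\tool.exe", "ff" * 16, "TMurphy")


def run(policy: Policy, requests: List[ExecRequest]) -> List[Tuple[str, Verdict, str]]:
    return [(r.path, *evaluate(policy, r)) for r in requests]


if __name__ == "__main__":
    for mode in Mode:
        print(f"--- {mode.value} ---")
        for path, verdict, why in run(replace(LOCKDOWN, mode=mode), [REQ_BANNED_IN_TRUSTED_DIR, REQ_UNKNOWN]):
            print(f"{verdict.value:28} {path}  ({why})")
```

Two properties are worth checking against any real whitelist product: a ban must win even when the file sits in a trusted directory or is signed by a trusted publisher, and the policy mode must only ever affect files that no rule has classified. The `run` helper makes it easy to see the same unapproved file move from allow to ask to deny as the mode tightens.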

  21. What Systems Are At Risk?
     Questions to ask about any file that drifts from the baseline of trusted software:
     • When was the file created?
     • Who introduced the file?
     • Was the file ever executed?
     • On what system was it first seen?
     • Who else has the file?
     Examples of drift: Targeted Attack, Conficker, Botnet, Keylogger, P-2-P, iTunes, Skype

  22. Can’t Assume Trust?

  23. About Bit9 Advanced Malware Protection
     • Founded with a $2M NIST Grant
     • Next Generation Endpoint Security
     • Gartner Cool Vendor in Infrastructure Protection
     • InfoWorld 2010 Top Technology of the Year (only "10" ever given)
     • GSN "Best Anti-Malware Solution" 2010
     • Adaptive Whitelisting
     • Cloud-based Software Reputation Service

  24. Product Reviews
     • 9.4/10
     • 5/5 (Highest Rating Ever Given)
     • Perfect Score; Great Value

  25. Take Back Control
     • Reduce Risk
       • Stop Tomorrow's Malware Today
       • Maintain Configuration Integrity
     • Ensure Compliance
       • Audit All Changes
       • Only Allow Trusted Changes
     • Improve Manageability
       • Prevent Configuration Drift
       • Drastic Reduction in Support Calls

  26. Next Steps
     • One-on-one discussion
     • Hosted or Onsite Evaluation and Proof of Concept
     • Regional Bit9 team
       • Samar Deybis, Cell: 949-468-6101, email: Sdeybis@Bit9.com
       • Robert Zamani, Cell: 408-234-1009, email: Rzamani@Bit9.com

  27. QUESTIONS?
