Security Life Cycle for Advanced Threats
EPP (Prevent): • Prevention • Visibility
ETDR (Detect & Respond): • Detection • Response
Once Upon A Time…
You could keep the enemy at the gates.
Technology Has Evolved
• Surface area is ever-increasing
• Perimeters are becoming less relevant
• Everything is connected to something
• Technology is crossing into our physical world
Drivers: Cloud Computing, Mobile Computing, Internet of Things
Threat Actors Have Evolved
Hacktivists
• Targeted and destructive attacks
• Unpredictable motivations
• Generally less sophisticated
Nation-States
• Targeted and multi-stage attacks
• Motivated by information and IP
• Highly sophisticated, endless resources
Criminal Enterprises
• Broad-based and targeted attacks
• Financially motivated
• Getting more sophisticated
The Malware Problem By the Numbers
• 66% of malware took months or even years to discover (dwell time) [1]
• 69% of intrusions are discovered by an external party [1]
• 155k new malware samples are seen daily [2]
• $5.4M is the average total cost of a data breach [3]
Sources: 1. 2013 Verizon Data Breach Investigations Report | 2. McAfee Threats Report: First Quarter 2013 | 3. Ponemon Institute 2013 Cost of a Data Breach Study
The State of Information Security
• Compromise happens in seconds
• Data exfiltration starts minutes later
• It continues undetected for months
• Remediation takes weeks
• At $341k per incident in forensics costs
THIS IS UNSUSTAINABLE
DON’T OVERCOMPLICATE THE THREAT
SIMPLE THREAT MODEL: 1: OPPORTUNISTIC 2: NOT
Opportunistic threats find value in our computers. Goal: breadth of access.
“Advanced” threats find value in our data. Goal: precision of access.
How This Impacts Traditional Security
[Chart: hosts compromised (log scale, 10 to 100k) against time (Week 1 to Week 7), one panel per threat type, each with a THRESHOLD OF DETECTION line]
• Opportunistic: signature available once the curve crosses the threshold of detection. Goal is to maximize slope.
• “Advanced”: signature available? Goal is to minimize slope.
A New Perspective Is Required
• assume you will be breached
• compromise is inevitable
The Assumption of Breach
• how will you know?
• what will you do?
Rethink Your Security Strategy
• prevention is no longer enough
• invest in detection and response
• traditional approaches are ineffective
• move from reactive to proactive
• security cannot be done in isolation
• it is a continuous process
The Adaptive Security Architecture Gartner, “Designing an Adaptive Security Architecture for Protection From Advanced Attacks,” February, 2014
The Adaptive Security Architecture - Capabilities Gartner, “Designing an Adaptive Security Architecture for Protection From Advanced Attacks,” February, 2014
Key Characteristics of “Next Gen” Security
• Forensic quality data collection and analysis
• Threat intelligence to interpret and prioritize data
• At all stages of kill chain, not just point of delivery
• Based on behaviors and context, not just files/IPs
• Real-time, not scan or snapshot based
• Provide full historical context of activity
• Information needed to assess impact and scope
• Remediation and containment
• Proactive signature-less prevention techniques
• Adapt based on detection and response
• Incorporate and correlate data from third party sources
• Export data and alerts to other tools
Columns: Visibility | Detection | Response | Prevention | Integration
Security Life Cycle for Advanced Threats
• Prevention
• Visibility
• Detection
• Response
Reduce Attack Surface with Default-Deny
Traditional EPP failure
• Scan/sweep based
• Signature based
• Block known bad
Success of emerging endpoint prevention solutions
• Real time
• Policy based
  • Tailor policies based on environment
• Trust based
  • Block all but known good
Objective of emerging endpoint prevention solutions
• Lock down endpoint/server
• Reduce attack surface area
• Make it as difficult as possible for advanced attacker
Detect in Real-time and Without Signatures
Traditional EPP failure
• Scan/sweep based
• Small signature database
Success of emerging endpoint detection solutions
• Large global database of threat intelligence
• Signature-less detection through threat indicators
• Watchlists
Objective of emerging endpoint detection solutions
• Prepare for inevitability of breach and continuous state of compromise
• Cover more of the kill chain than prevention
• Enable rapid response
Rapidly Respond to Attacks in Motion
Traditional EPP failure
• Expensive external consultants
• Relies heavily on disk and memory artifacts for recorded history
Success of emerging endpoint incident response solutions
• Real-time continuous recorded history delivers IR in seconds
  • In centralized database
• Attack process visualization and analytics
• Better, faster and less expensive
Objective of emerging endpoint incident response solutions
• Pre-breach rapid incident response
• Better prepare prevention moving forward
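The three slides above (default-deny prevention, signature-less watchlist detection, and response from a centrally recorded history) are shown together as one toy endpoint pipeline. This is an added example, not Bit9's code; the trust lists, the watchlist rule names and the sample events are constructed placeholders.

```python
# Added example (not from the Bit9 deck): a toy endpoint agent running process events
# through prevent / detect / respond. Trust lists, rules and inputs are constructed.
from dataclasses import dataclass

@dataclass
class ProcessEvent:
    host: str
    parent: str     # image name of the parent process
    image: str      # full path of the started process
    sha256: str     # hash of the image (placeholder values in this example)
    publisher: str  # code-signing publisher, "" when unsigned

# Prevention, default-deny: run only what is on the trust list, block all else.
TRUSTED_HASHES = {"sha256-placeholder-known-good"}  # constructed placeholder
TRUSTED_PUBLISHERS = {"Example Software Ltd."}     # constructed

def prevention_decision(ev: ProcessEvent) -> str:
    trusted = ev.sha256 in TRUSTED_HASHES or ev.publisher in TRUSTED_PUBLISHERS
    return "allow" if trusted else "block"

# Detection, signature-less: watchlist rules key on behaviour and context, not a hash.
WATCHLIST = {
    "office-app-spawns-shell": lambda e: e.parent.lower() in {"winword.exe", "excel.exe"}
    and e.image.lower().rsplit("\\", 1)[-1] in {"cmd.exe", "powershell.exe"},
    "unsigned-binary-in-temp": lambda e: e.publisher == "" and "\\temp\\" in e.image.lower(),
}

def detect(ev: ProcessEvent) -> list[str]:
    return [name for name, rule in WATCHLIST.items() if rule(ev)]

# Response: one central recorded history makes scoping a query, not disk forensics.
class Recorder:
    def __init__(self) -> None:
        self.history: list[dict] = []
    def record(self, ev: ProcessEvent, decision: str, hits: list[str]) -> None:
        self.history.append({"host": ev.host, "sha256": ev.sha256,
                             "decision": decision, "hits": hits})
    def hosts_seen(self, sha256: str) -> list[str]:
        return sorted({r["host"] for r in self.history if r["sha256"] == sha256})

def process_events(events: list[ProcessEvent], rec: Recorder) -> dict[str, int]:
    summary = {"allowed": 0, "blocked": 0, "alerts": 0}
    for ev in events:
        decision, hits = prevention_decision(ev), detect(ev)
        rec.record(ev, decision, hits)
        summary["allowed" if decision == "allow" else "blocked"] += 1
        summary["alerts"] += len(hits)
    return summary

SAMPLE_EVENTS = [  # constructed input: one trusted tool, one Word-spawned shell
    ProcessEvent("pc-01", "explorer.exe", r"C:\Tools\good.exe", "sha256-placeholder-known-good", ""),
    ProcessEvent("pc-02", "winword.exe", r"C:\Windows\System32\cmd.exe", "sha256-placeholder-cmd", "Microsoft Windows")]
```

Note that the second event is blocked even though it is signed: under default-deny, a publisher that is not on the policy's trust list is not "known good", and the watchlist alert fires independently of the prevention decision.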
Too Much Data, Not Enough Intelligence
Integrate your tools
• attacks happen on endpoints
• correlate network and endpoint for actionable intelligence
Incorporate threat intelligence
• what happens to someone else can happen to you
• filter, prioritize and alert on third party feeds, reputation and indicators
Summary
• The threat landscape continues to evolve
• The enemy is more advanced, attacks are more targeted
• Rethink your security strategy, traditional security tools are insufficient
• Assume you will be breached
• Invest in the entire lifecycle: detection, response and prevention
• Don’t treat security tools as islands, integrate them
Endpoint Threat Detection, Response and Prevention for DUMMIES
Download the eBook at…
• Bit9.com eBook resources section
• https://www.bit9.com/resources/ebooks/endpoint-threat-detection-response-prevention-dummies/