
Security Life Cycle for Advanced Threats


Presentation Transcript


  1. Security Life Cycle for Advanced Threats
     • EPP (Endpoint Protection Platform): Prevent
       • Prevention
       • Visibility
     • ETDR (Endpoint Threat Detection and Response): Detect & Respond
       • Detection
       • Response

  2. Once Upon A Time… You could keep the enemy at the gates

  3. Technology Has Evolved
     • Surface area is ever-increasing
     • Perimeters are becoming less relevant
     • Everything is connected to something
     • Technology is crossing into our physical world
     [Figure labels: Cloud Computing, Mobile Computing, Internet of Things]

  4. Threat Actors Have Evolved
     • Hacktivists
       • Targeted and destructive attacks
       • Unpredictable motivations
       • Generally less sophisticated
     • Nation-States
       • Targeted and multi-stage attacks
       • Motivated by information and IP
       • Highly sophisticated, endless resources
     • Criminal Enterprises
       • Broad-based and targeted attacks
       • Financially motivated
       • Getting more sophisticated

  5. Endless Stream of News

  6. The Malware Problem By the Numbers
     • 66% of malware took months or even years to discover (dwell time) [1]
     • 69% of intrusions are discovered by an external party [1]
     • 155k new malware samples are seen daily [2]
     • $5.4M average total cost of a data breach [3]
     Sources: 1. 2013 Verizon Data Breach Investigations Report | 2. McAfee Threats Report: First Quarter 2013 | 3. Ponemon Institute 2013 Cost of a Data Breach Study

  7. The State of Information Security
     • Compromise happens in seconds
     • Data exfiltration starts minutes later
     • It continues undetected for months
     • Remediation takes weeks
     • At $341k per incident in forensics costs
     THIS IS UNSUSTAINABLE

  8. DON'T OVERCOMPLICATE THE THREAT
     SIMPLE THREAT MODEL:
     1: OPPORTUNISTIC
     2: NOT

  9. Opportunistic threats find value in our computers. Goal: breadth of access. "Advanced" threats find value in our data. Goal: precision of access.

  10. How This Impacts Traditional Security
     [Two charts of Hosts Compromised (log scale, 10 to 100k) against Time (Week 1 to Week 7), each with a horizontal "threshold of detection" line]
     • Opportunistic: goal is to maximize slope. Signature available.
     • "Advanced": goal is to minimize slope. Signature available?

  11. A New Perspective Is Required
     • assume you will be breached
     • compromise is inevitable

  12. The Assumption of Breach
     • how will you know?
     • what will you do?

  13. Rethink Your Security Strategy
     • prevention is no longer enough: invest in detection and response
     • traditional approaches are ineffective: move from reactive to proactive
     • security cannot be done in isolation: it is a continuous process

  14. The Adaptive Security Architecture Gartner, “Designing an Adaptive Security Architecture for Protection From Advanced Attacks,” February, 2014

  15. The Adaptive Security Architecture Gartner, “Designing an Adaptive Security Architecture for Protection From Advanced Attacks,” February, 2014

  16. The Adaptive Security Architecture - Capabilities Gartner, “Designing an Adaptive Security Architecture for Protection From Advanced Attacks,” February, 2014

  17. Key Characteristics of "Next Gen" Security
     • Forensic quality data collection and analysis
     • Threat intelligence to interpret and prioritize data
     • At all stages of the kill chain, not just the point of delivery
     • Based on behaviors and context, not just files/IPs
     • Real-time, not scan or snapshot based
     • Provide full historical context of activity
     • Information needed to assess impact and scope
     • Remediation and containment
     • Proactive signature-less prevention techniques
     • Adapt based on detection and response
     • Incorporate and correlate data from third party sources
     • Export data and alerts to other tools
     [Characteristics grouped under: Visibility, Detection, Response, Prevention, Integration]

  18. Security Life Cycle for Advanced Threats
     • Prevention
     • Visibility
     • Detection
     • Response

  19. Reduce Attack Surface with Default-Deny
     • Traditional EPP failure
       • Scan/sweep based
       • Signature based
       • Block known bad
     • Success of emerging endpoint prevention solutions
       • Real time
       • Policy based
         • Tailor policies based on environment
       • Trust based
         • Block all but known good
     • Objective of emerging endpoint prevention solutions
       • Lock down endpoint/server
       • Reduce attack surface area
       • Make it as difficult as possible for an advanced attacker
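The "block all but known good" policy on this slide, worked through as an added example. This is illustration code written for this transcript, not code from the presentation or from any Bit9 product: the binaries, hashes, publisher name, directories and host policies are all constructed. It shows the three trust sources a default-deny endpoint policy usually combines (approved file hash, trusted code-signing publisher, trusted install directory), how the policy is tailored per environment (lockdown on servers, monitor-and-alert on workstations), and a path-normalization check that a naive "trusted directory" prefix match gets wrong.

```python
import hashlib
import posixpath
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class ExecRequest:
    path: str                      # absolute path the loader was asked to execute
    content: bytes                 # file bytes (constructed here; read from disk in practice)
    signer: Optional[str] = None   # publisher name from an already-verified code signature


@dataclass
class Policy:
    mode: str                                   # "lockdown" = default-deny, "monitor" = default-allow + alert
    approved_hashes: Set[str] = field(default_factory=set)
    trusted_publishers: Set[str] = field(default_factory=set)
    trusted_dirs: Tuple[str, ...] = ()          # assumption: these are not writable by ordinary users


@dataclass(frozen=True)
class Decision:
    allow: bool
    alert: bool
    reason: str


def in_trusted_dir(path: str, trusted_dirs: Tuple[str, ...]) -> bool:
    # Normalise first so "/usr/bin/../../tmp/x" is judged as /tmp/x, not as /usr/bin.
    norm = posixpath.normpath(path)
    return any(norm.startswith(posixpath.normpath(d) + "/") for d in trusted_dirs)


def evaluate(req: ExecRequest, policy: Policy) -> Decision:
    """Most specific trust rule first; nothing vouching for the file means default-deny."""
    digest = sha256_hex(req.content)
    if digest in policy.approved_hashes:
        return Decision(True, False, f"hash approved ({digest[:12]})")
    if req.signer and req.signer in policy.trusted_publishers:
        return Decision(True, False, f"signed by trusted publisher {req.signer}")
    if in_trusted_dir(req.path, policy.trusted_dirs):
        return Decision(True, False, "located in trusted directory")
    if policy.mode == "lockdown":
        return Decision(False, True, f"unknown binary blocked ({digest[:12]})")
    return Decision(True, True, f"unknown binary allowed in monitor mode ({digest[:12]})")


# Constructed stand-ins for real executables (hypothetical content).
APPROVED_BIN = b"\x7fELF approved build of the monitoring agent"
DROPPER_BIN = b"MZ something a phishing mail dropped into /tmp"
VENDOR_BIN = b"MZ updater signed by a vendor we trust"

APPROVED = {sha256_hex(APPROVED_BIN)}
PUBLISHERS = {"Example Vendor Inc."}          # hypothetical publisher name

# Policies tailored to the environment: servers are locked down, workstations watched.
SERVER_POLICY = Policy("lockdown", APPROVED, PUBLISHERS, ("/usr/bin", "/usr/sbin"))
WORKSTATION_POLICY = Policy("monitor", APPROVED, PUBLISHERS, ("/usr/bin",))

REQUESTS = [
    ExecRequest("/opt/agent/agent", APPROVED_BIN),
    ExecRequest("/tmp/.x/update", DROPPER_BIN),
    ExecRequest("/usr/bin/../../tmp/.x/update", DROPPER_BIN),     # traversal out of a trusted dir
    ExecRequest("/home/bob/updater", VENDOR_BIN, signer="Example Vendor Inc."),
    ExecRequest("/usr/bin/ls", b"\x7fELF ls"),
]


def run(policy: Policy):
    return [evaluate(r, policy) for r in REQUESTS]


if __name__ == "__main__":
    for name, pol in (("server", SERVER_POLICY), ("workstation", WORKSTATION_POLICY)):
        for req, d in zip(REQUESTS, run(pol)):
            verdict = "ALLOW" if d.allow else "DENY "
            flag = "alert" if d.alert else "     "
            print(f"{name:12s} {verdict} {flag} {req.path}: {d.reason}")
```

Two caveats a practitioner would add: a trusted-directory rule is only as strong as the directory's permissions (if users can write into it, it is an allow-anything rule), and the hash must be taken of the bytes that are actually mapped and executed, not of a file that can be swapped between the check and the exec.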

  20. Detect in Real-time and Without Signatures
     • Traditional EPP failure
       • Scan/sweep based
       • Small signature database
     • Success of emerging endpoint detection solutions
       • Large global database of threat intelligence
       • Signature-less detection through threat indicators
       • Watchlists
     • Objective of emerging endpoint detection solutions
       • Prepare for the inevitability of breach and a continuous state of compromise
       • Cover more of the kill chain than prevention
       • Enable rapid response

  21. Rapidly Respond to Attacks in Motion
     • Traditional EPP failure
       • Expensive external consultants
       • Relies heavily on disk and memory artifacts for recorded history
     • Success of emerging endpoint incident response solutions
       • Real-time, continuous recorded history delivers IR in seconds
       • Recorded in a centralized database
       • Attack process visualization and analytics
       • Better, faster and less expensive
     • Objective of emerging endpoint incident response solutions
       • Pre-breach rapid incident response
       • Better prepare prevention moving forward
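Slides 20 and 21 together, as one added example that is not part of the deck and not Bit9's code: a small watchlist of behavioral indicators (no file hashes or signatures) is run over a continuously recorded process history, and for each hit the same history is walked back to the root to reconstruct the attack chain that a responder would otherwise have to dig out of disk and memory artifacts. The hostnames, process events, command lines and rules are all constructed for illustration; the rules are generic indicators (Office spawning a script host, encoded PowerShell, execution from a user temp directory), not a vendor's watchlist.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    ts: int         # seconds since epoch
    host: str
    pid: int
    ppid: int
    name: str       # image name, lower-case
    path: str
    cmdline: str


# Constructed recorded history from two hosts (not real telemetry).
EVENTS: List[ProcEvent] = [
    ProcEvent(1000, "ws-17", 400, 1, "explorer.exe", r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1060, "ws-17", 1220, 400, "winword.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", 'WINWORD.EXE /n "invoice.docx"'),
    ProcEvent(1075, "ws-17", 1304, 1220, "powershell.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"),
    ProcEvent(1081, "ws-17", 1388, 1304, "updater.exe",
              r"C:\Users\alice\AppData\Local\Temp\updater.exe", "updater.exe /s"),
    ProcEvent(1000, "ws-22", 500, 1, "explorer.exe", r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1200, "ws-22", 610, 500, "cmd.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ENCODED_FLAG = re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s")

# A rule sees the event and its recorded parent (None if the parent was never observed).
Rule = Callable[[ProcEvent, Optional[ProcEvent]], bool]


def office_spawns_interpreter(ev: ProcEvent, parent: Optional[ProcEvent]) -> bool:
    return ev.name in INTERPRETERS and parent is not None and parent.name in OFFICE


def encoded_powershell(ev: ProcEvent, parent: Optional[ProcEvent]) -> bool:
    return ev.name == "powershell.exe" and ENCODED_FLAG.search(ev.cmdline) is not None


def exec_from_user_temp(ev: ProcEvent, parent: Optional[ProcEvent]) -> bool:
    return "\\appdata\\local\\temp\\" in ev.path.lower()


WATCHLIST: List[Tuple[str, Rule]] = [
    ("office_spawns_interpreter", office_spawns_interpreter),
    ("encoded_powershell", encoded_powershell),
    ("exec_from_user_temp", exec_from_user_temp),
]


def index_history(events: List[ProcEvent]) -> Dict[Tuple[str, int], ProcEvent]:
    # Keyed by (host, pid). Assumption for this example: pids are not reused within the
    # window; a real sensor needs a unique process GUID because they are.
    return {(e.host, e.pid): e for e in events}


def detect(events: List[ProcEvent]) -> List[Tuple[str, ProcEvent]]:
    """Evaluate every watchlist rule against every recorded event, in arrival order."""
    idx = index_history(events)
    hits = []
    for ev in events:
        parent = idx.get((ev.host, ev.ppid))
        for rule_name, rule in WATCHLIST:
            if rule(ev, parent):
                hits.append((rule_name, ev))
    return hits


def ancestry(ev: ProcEvent, idx: Dict[Tuple[str, int], ProcEvent]) -> List[ProcEvent]:
    """Walk the recorded history from a hit back to its root, oldest ancestor first."""
    chain = [ev]
    seen = {(ev.host, ev.pid)}
    while True:
        parent = idx.get((chain[0].host, chain[0].ppid))
        if parent is None or (parent.host, parent.pid) in seen:
            break   # root reached, or a cycle caused by pid reuse
        seen.add((parent.host, parent.pid))
        chain.insert(0, parent)
    return chain


def render_chain(chain: List[ProcEvent]) -> str:
    return "\n".join("  " * depth + f"{e.name} (pid {e.pid}): {e.cmdline}" for depth, e in enumerate(chain))


def affected_hosts(hits: List[Tuple[str, ProcEvent]]) -> List[str]:
    return sorted({ev.host for _, ev in hits})


if __name__ == "__main__":
    idx = index_history(EVENTS)
    for rule_name, ev in detect(EVENTS):
        print(f"[{rule_name}] {ev.host} pid {ev.pid}\n{render_chain(ancestry(ev, idx))}\n")
    print("hosts with hits:", affected_hosts(detect(EVENTS)))
```

The point of the ancestry walk is scope: the responder sees in one query that the temp-directory binary descends from an encoded PowerShell launched by Word, which turns three isolated alerts into one incident on one host, and the host list is the starting point for the "how far did it spread" question.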

  22. Too Much Data, Not Enough Intelligence
     • Integrate your tools
       • Attacks happen on endpoints
       • Correlate network and endpoint for actionable intelligence
     • Incorporate threat intelligence
       • What happens to someone else can happen to you
       • Filter, prioritize and alert on third-party feeds, reputation and indicators
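The two halves of this slide, as an added example (illustration written for this transcript, not code from the deck or from Bit9): a third-party indicator feed is filtered by confidence and de-duplicated, network connections are joined to the endpoint process that made them, and each match is scored and prioritized using that endpoint context rather than the feed alone. Feed entries, IP addresses (documentation ranges), hostnames and the process map are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class NetConn:
    ts: int
    host: str
    pid: int
    dst_ip: str
    dst_port: int
    domain: Optional[str]    # from DNS correlation when available


@dataclass
class Indicator:
    value: str
    kind: str                # "ipv4" or "domain"
    confidence: int          # 0-100 as published by the feed
    sources: List[str]


# Constructed third-party feed entries (documentation IP ranges, not real intelligence).
RAW_FEED = [
    {"indicator": "198.51.100.23", "type": "ipv4", "confidence": 90, "source": "isac-share"},
    {"indicator": "198.51.100.23", "type": "ipv4", "confidence": 60, "source": "vendor-a"},
    {"indicator": "203.0.113.77", "type": "ipv4", "confidence": 20, "source": "open-feed"},
    {"indicator": "Bad-CDN.example", "type": "domain", "confidence": 75, "source": "vendor-a"},
]

MIN_CONFIDENCE = 50


def normalize_feed(raw: List[dict], min_confidence: int = MIN_CONFIDENCE) -> Dict[str, Indicator]:
    """Drop low-confidence entries; merge duplicates, keeping the highest confidence and all sources."""
    merged: Dict[str, Indicator] = {}
    for e in raw:
        if e["confidence"] < min_confidence:
            continue
        key = e["indicator"].lower()
        ind = merged.get(key)
        if ind is None:
            merged[key] = Indicator(key, e["type"], e["confidence"], [e["source"]])
        else:
            ind.confidence = max(ind.confidence, e["confidence"])
            ind.sources.append(e["source"])
    return merged


# Endpoint context: which process owned the socket, keyed by (host, pid). Constructed.
PROCESS_BY_PID: Dict[Tuple[str, int], str] = {
    ("ws-17", 1304): "powershell.exe",
    ("ws-22", 700): "chrome.exe",
    ("ws-30", 800): "svchost.exe",
}

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

NETCONNS = [
    NetConn(1090, "ws-17", 1304, "198.51.100.23", 443, None),
    NetConn(1300, "ws-22", 700, "192.0.2.45", 443, "bad-cdn.example"),
    NetConn(1310, "ws-22", 700, "203.0.113.77", 80, None),
    NetConn(1400, "ws-30", 800, "192.0.2.10", 443, "update.example"),
]


def score(ind: Indicator, process: str) -> int:
    # Weight feed confidence by endpoint context: a script host talking to known-bad
    # infrastructure is far more suspicious than a browser hitting a flagged CDN.
    if process in INTERPRETERS:
        mult = 1.5
    elif process in BROWSERS:
        mult = 0.6
    else:
        mult = 1.0
    return min(100, round(ind.confidence * mult))


def priority(s: int) -> str:
    return "high" if s >= 80 else "medium" if s >= 50 else "low"


def correlate(netconns: List[NetConn], feed: Dict[str, Indicator],
              process_by_pid: Dict[Tuple[str, int], str]) -> List[dict]:
    """Join each connection to the feed (by IP, then by resolved domain) and to its process."""
    alerts = []
    for c in netconns:
        ind = feed.get(c.dst_ip) or (feed.get(c.domain.lower()) if c.domain else None)
        if ind is None:
            continue
        process = process_by_pid.get((c.host, c.pid), "unknown")
        s = score(ind, process)
        alerts.append({"host": c.host, "process": process, "indicator": ind.value,
                       "sources": ind.sources, "score": s, "priority": priority(s)})
    alerts.sort(key=lambda a: a["score"], reverse=True)
    return alerts


if __name__ == "__main__":
    for a in correlate(NETCONNS, normalize_feed(RAW_FEED), PROCESS_BY_PID):
        print(f"{a['priority']:6s} {a['score']:3d} {a['host']} {a['process']} -> {a['indicator']} "
              f"(sources: {', '.join(a['sources'])})")
```

The confidence threshold and the multipliers are tuning knobs, not fixed values; the design point is that the same indicator produces different priorities depending on what the endpoint telemetry says was behind the connection, which is what makes the feed actionable instead of noisy.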

  23. Summary
     • The threat landscape continues to evolve
     • The enemy is more advanced, attacks are more targeted
     • Rethink your security strategy: traditional security tools are insufficient
     • Assume you will be breached
     • Invest in the entire lifecycle: detection, response and prevention
     • Don't treat security tools as islands; integrate them

  24. Endpoint Threat Detection, Response and Prevention for DUMMIES
     Download the eBook at:
     • Bit9.com eBook resources section
     • https://www.bit9.com/resources/ebooks/endpoint-threat-detection-response-prevention-dummies/

  25. Questions?
