220 likes | 373 Views
The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain. David Flournoy Bit9 Mid-Atlantic Regional Manager. Significant Data Breaches in Last Twelve Months. Jan. Feb. July. Dec. Nov. Aug. Oct. Sept. March. June. May. April.
E N D
The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain David Flournoy Bit9 Mid-Atlantic Regional Manager
Significant Data Breaches in Last Twelve Months Jan Feb July Dec Nov Aug Oct Sept March June May April “In 2020, enterprises will be in a state of continuous compromise.”
Why is the Endpoint Under Attack? • Host-based security software still relies on AV signatures • Antivirus vendors find a routine process: Takes time and can no longer keep up with the massive malware volume • Host-based security software’s dependency on signatures and scanning engines remains an Achilles heel when addressing modern malware • Evasion techniques can easily bypass host-based defenses • Malware writers use compression and encryption to bypass AV filters • Malware developers use software polymorphism or metamorphism to change the appearance of malicious code from system to system • Cyber adversaries test malware against popular host-based software • There are criminal web sites where malware authors can submit their exploits for testing against dozens of AV products
The State of Information Security Compromise happens in seconds Data exfiltration starts minutes later It continues undetected for months Remediation takes weeks At $341k per incident in forensics costs THIS IS UNSUSTAINABLE
The Kill Chain C2 Action Exploitation Installation Delivery Weaponization Reconnaissance Attacker attempt to exfiltrate data Attacker exploits vulnerability Attacker changes system configuration Attacker establishes control channel Attacker transmits weapon in environment Attacker creates deliverable payload Attacker Researches potential victim
Protection = Prevention, Detection and Response “Security…will shift to rapid detection and response capabilities linked to protection systems to block further spread of the attack.” Gartner Endpoint Threat Detection and Response Tools and Practices, Sept. 2013 “Functions organize basic cybersecurity activities at their highest level. These Functions are: Identify, Protect, Detect, Respond, and Recover.” NIST Cybersecurity Framework for Critical Infrastructure, Feb 2014
Need a Security Lifecycle to Combat Advanced Threats • Prevent • Prevention • Visibility • Detection • Response • Detect & • Respond
Reduce Attack Surface with Default-Deny • Traditional EPP failure • Scan/sweep based (strobe light) • Signaturebased • Block known bad • Success of emerging endpoint prevention solutions • Real time • Policy based • Tailor policies based on environment • Trust based • Block all but known good • Objective of emerging endpoint prevention solutions • Lock down endpoint/server • Reduce attack surface area • Make it as difficult as possible for advanced attacker • Prevention • Visibility • Visibility • Detection • Response
Reduce Attack Surface Across Kill Chain C2 Action Exploitation Installation Prevention effective here Delivery Weaponization Reconnaissance Attacker attempt to exfiltrate data Attacker exploits vulnerability Attacker changes system configuration Attacker establishes control channel Attacker transmits weapon in environment Attacker creates deliverable payload Attacker Researches potential victim
Detect in Real-time and Without Signatures • Traditional EPP failure • Scan/sweep based • Small signature database • Success of emerging endpoint detection solutions • Large global database of threat intelligence • Signature-less detection through threat indicators • Watchlists • Objective of emerging endpoint detection solutions • Prepare for inevitability of breach and continuous state of compromise • Cover more of the kill chain than prevention • Enable rapid response • Prevention • Visibility • Visibility • Detection • Response
Reduce Attack Surface Across Kill Chain C2 Action Exploitation Installation Prevention effective here Delivery Detection effective here Weaponization Reconnaissance Attacker attempt to exfiltrate data Attacker exploits vulnerability Attacker changes system configuration Attacker establishes control channel Attacker transmits weapon in environment Attacker creates deliverable payload Attacker Researches potential victim
Rapidly Respond to Attacks in Motion • Traditional EPP failure • Expensive external consultants • Relies heavily on disk and memory artifacts for recorded history • Success of emerging endpoint incident response solutions • Real-time continuous recorded history delivers IR in seconds • In centralized database • Attack process visualization and analytics • Better, faster and less expensive • Objective of emerging endpoint incident response solutions • Pre-breach rapid incident response • Better prepare prevention moving forward • Prevention • Visibility • Visibility • Detection • Response
Current Failures Within the Incident Response Process Identification & Scoping Eradication & Remediation Follow Up & Lessons Learned Preparation Containment Recovery The Six-Step IR Process Failure: Does not properly identify threat so cannot fully contain Failure: Organization resumesoperations with false sense of security Failure: No IR plan with processes and procedures in place Failure: After failing to fully scope threat, remediation is is impossible Failure: No post-incident process in place or does not implement expert recommendations Failure: Do not have recorded history to fully identify or scope threat
Advanced Threat Protection for Every Endpoint and Server Watch and record High-Risk/Targeted Users Fixed-Function and Critical Infrastructure Devices All Other Users Data Center Servers
Advanced Threat Protection for Every Endpoint and Server Watch and record Stop all untrusted software High-Risk/Targeted Users Fixed-Function and Critical Infrastructure Devices All Other Users Data Center Servers
Advanced Threat Protection for Every Endpoint and Server Watch and record Stop all untrusted software Detect and block on the fly High-Risk/Targeted Users Fixed-Function and Critical Infrastructure Devices Data Center Servers All Other Users
Bit9 + Carbon Black: Security Lifecycle in One Solution • Prevent • Prevention • Visibility • Detect & • Respond • Detection • Response
Bit9 + Carbon Black Reduce Your Attack Surface Rapidly Detect & Respond to Threats 1 2 New signature-less prevention techniques Continuously monitor and record every endpoint/server + Incident Response in Seconds Advanced Threat Prevention Technology leader Purpose-built by experts Market leader in Default-Deny Super lightweight sensor that records/and monitors everything and deployable to everycomputer Proactive prevention mechanisms customizable for different users and systems
Bit9 + Carbon Black: Understanding the Entire Kill Chain • See the kill chain in seconds • From vulnerable processes to the persistent malicious service • Would take days or weeks to re-create using traditional tools
Takeaways • Bit9 is much more than application control/application whitelisting • Reduce your attack surface with prevention • Prepare for inevitability of compromise • Detect in real time without signatures • Pre-breach rapid response in seconds with recorded history • Establish an IR plan • Understand the need for a security lifecycle • Deploy security solutions across entire environment “In 2020, enterprises will be in a state of continuous compromise.”