Fidelis Overview. ISC 2 DoD and Industry Forum. Rapid Detection and Automated Incident Response DoD & Commercial Active Defense Use Cases

Transcription

1 Fidelis Overview ISC 2 DoD and Industry Forum Rapid Detection and Automated Incident Response DoD & Commercial Active Defense Use Cases Vince Holtmann-Cyber Subject Matter Expert Vincent.Holtmann@fidelissecurity.com

2 The Challenges PEOPLE Security Skills Shortage TECHNOLOGY Patchwork of Security Solutions PROCESS Manual, Ad-Hoc Processes Not enough security experts for effective defense Overlapping tools create more work and lead to alert fatigue Reviewing alerts is time consuming and critical alerts are missed 2

3 The Threat Timeline Attacker Timeline Time-to- Compromise Milliseconds to Minutes Time-to- Exfiltration Minutes to Days Data Exfiltration Window Months to Years Defender Timeline Time-to- Prevention Milliseconds to Minutes Time-to-Discovery Months to Years Time-to-Containment Days to Weeks Defense Options: 1.Prevent the Initial Compromise 2.Compress or Eliminate the Data Exfiltration Window by reducing the Time-to-Discovery and Time-to-Containment Speed Matters you are in a race with the attacker! 3

4 Not Looking In (All of) the Right Places Existing detection solutions don t dig as deep as attackers hide. WHERE they look WHAT they see WHEN they see it HTTP (port 80) HTTPS (port 443) Mail (port 25) Thousands of ports and protocols & Attachment Most Security Solutions Only Look HERE Archive PDF Malicious Binary But Attackers Live Here ATTACK LIFECYCLE Initial Compromise Establish Foothold Escalate Privileges Lateral Propagation Data Staging & Exfiltration Blind to attackers operating on non-standard ports Can t find malware hidden deep inside content Don t see attackers after the initial compromise Real-time detection/prevention across all ports, protocols and applications. 4

5 Detection at Every Stage of an Attack Attack Lifecycle Overview Initial Compromise Establish Foothold Escalate Privileges Move Laterally Data Theft Attacker Objective Gain Initial Access Strengthen Position Steal Valid User Credentials Access Other Servers & Files Package & Steal Target Data Endpoint Artifacts Malware Recording of command line activity Suspicious Network Traffic/Command & Control Activity Incoming and Outgoing Content Exploits Evidence of Compromise Sample Tools & Tactics W H A T W E F I N D Phishing Watering-hole attack Removable media Malicious download Custom malware Command and control 3 rd party application exploitation Credential theft Pass-the-hash Window & Linux lateral movement techniques Reverse shell access Staging servers & directories Data consolidation Data theft Preventing attackers from achieving their mission requires detection and visibility at every stage of the attack. 5

6 Real-Time Threat Detection Real-Time Threat Detection Merging Endpoint & Network Visibility E N D P O I N T N E T W O R K DEEP ENDPOINT INSPECTION DEEP SESSION INSPECTION Endpoint Threat Monitoring Forensic Data Collection Memory Analysis Historical Data Endpoint Flight Recorder Content Analysis, Malware Detection Deep Content Decoding Protocol and Application Decoding Automated Alert Validation Network Metadata Full Session Reassembly Agent Agent Real-time Threat Intel Sensor Sensor Forensically sound data exchange provides visibility across both network and endpoint 6. All rights reserved.

7 Automating Action Continuous Monitoring ALL 65,535 ports Content Inspection for Applications & Protocols Supports Cyber Compliance, Audits & Network Assessments Not just SIGNATURE Inspection Heuristics, Anomaly, Behavior, Customer Policies, Intelligence (Indicators of Compromise) Monitor Detect Automated Detection Malware, Data Theft, Insider Threat Integration with SIEM (SPLUNK, Arcsight, etc.) Closes Detection Gap Left by NGFW/IPS Automated Response Focuses Workflow for Incident Response Aligns Network & Endpoint Remediation Comprehensive Metadata for Hunting Respond Analyze Automated Analysis Forensic Decode & Evidence Packages Focuses Tier 1 Staff Minimizes Tier 3 Staff Involvement Threat Feed & SOC/CERT Integration Multi-Purpose Cyber Monitoring, Defense, Analysis and Response from SINGLE Solution. 7

8 Defense in Depth Advancing Security Traditional Security Attack Vectors Fully Decoded Forensic Detail-Historical Analysis Features Event Correlation, Data Correlation, Alerting, Dashboard Rich, Content-infused Metadata & Packet Capture Functional Components Security Information and Event Management Network Security Analytics / Forensics Multi-purpose cyber defense solution Single interface and license Delivers entire threat lifecycle visibility Forensic metadata for every session Pivots/interfaces with SIEM of choice Targeted Data Theft and Insider Threat Adv. Targeted Attacks Advanced Malware, RATs Commodity Malware Signature-based CVE Detection - Packetbased Network Application Attacks and Exploits Signature-base CVE Detection - Packetbased Protocol Attacks, Exploits, and Evasions, Access Control, Protocol Misuse Content / Embedded Content Business Applications / Run-time Environment (PDF, Office, JAVA, Flash) Network Applications (HTTP, SMTP, SSL, DNS ) Network Protocols (TCP / UDP) Network DLP / Data Theft Network Malware Detection/Sandbox IPS / IDS (IPS / NGIPS) Firewalls (FW / NGFW) Features Detect, Contain, Investigate, Remediate Antivirus, Network Protocols, Application Security Functional Components Endpoint Detection & Response (EDR) Endpoint Protection Platforms (EPP) 8

9 Migration from PCAP to Metadata Storage Meta Vs. Pcap -90% smaller footprint -Richer data elements -Easier to share Forensically sound metadata for ALL data flows. Proven in expert testimony and prosecution. 9

10 Deep Content Visibility HTTP -Single pane of glass for investigation/hunting. -Downloadable objects for RE & CERT/SOC. -Multi-layered inspection for obfuscated threats. -Directionality for inbound/ outbound vectors. Webmail Most Security Solutions Only Look Here Text MIME PDF ZIP PPT Visibility into Deeply Embedded Network Content (Inbound and Outbound) Text Deflate But Attackers Live Here Text -Evidence package creation w/ single click. -Chain of Custody preservation for incident response. Excel Malicious Inbound Content Malware Sensitive Outbound Content Classified Deep Content inspection DETECTS inbound threats and out bound theft undetectable by Signature defenses. 10

11 Advanced Threats, Data Theft and Incident Response Fidelis-A multipurpose tool for defense and investigation. T H E W O R L D S M O S T VAL U ABLE B R AN D S U S E F I D E L I S * 15 * Forbes Magazine

12 Technology Applied to Mission Requirements Technology Focus DETECT ATTACKS OTHER SOLUTIONS MISS STOP attacks and prevent data theft INVESTIGATE and triage security incidents Fidelis Credentials US Army US Air Force DISA UC APL Navy FIPS Pen Tested NIAP Common Criteria STIG & ACAS Artifacts Government Test Results IPv6 Compliant Customer Benefits All-in-one Cyber Defense Technology Advanced Threats, Data Theft, Automated Forensic Detail, Incident Response Real Time Visiblity DEEP Session Inspection Decodes and Analyzes ALL Content across ALL Port, Protocol and Applications Manpower Reduction through Automation Hunting with Recursive Detection, Reporting and Evidence Package Creation Proven Detection Approach Blends Behavior & Heuristic Analytics, Malware Detection & Detonation, 53 Independent Intelligence Feeds and Customer Policies & Intelligence Customer Requirements Addressed Malware Detection Command & Control Sandbox Detonation Data Theft/Loss Protection Classified Spillage Lateral Propagation SIEM & Endpoint Integration Meta Data Collection Centralized Visibility Remote Management Virtual Machine Software Delivery Continuous Monitoring Proactive Hunting Incident Response Forensic Reporting Evidence Collection Compliance Auditing 12. All rights reserved.

13 Recommendations Multi-layered defenses MUST be expanded into/inside enterprise Provides coverage for inter service data inspection/monitoring Data not leaving DoD service boundaries may go uninspected Focuses on additional threat vectors such as Insider and Data Theft Behavior, heuristic and anomaly detection should be implemented here (e.g. Manning/Snowden) Cyber Defense Focus MUST expand beyond just Malware Monitoring should cover all ports, protocols and applications e.g. not just Mail & Web Use of non-standard ports or obfuscation within other protocols and content is common Insider Threat, Surveillance/Espionage, SQL Injection, Anomalous/Unusual user behavior, Content Staging, Data & Credential Theft, etc these are not Malware... Automation is a NECESSITY not a nice to have Leverage technology where possible to automate detection and speed response Minimize point solutions when possible, Integrate tools to reduce operator workload Utilize solutions that improve and centralize visibility with detailed information Enable Tier 1 analysts to function like Tier 3 staff Automate the HUNT, look into the past to help promote PROACTIVE measures Recursive hunting identifies anomalies, deviations from standard and heuristics 13

14 Fidelis-Protecting the Worlds most critical assets Additional Information, Network Assessments, Technology Pilot, or Government References Please Contact: Jeff Lockheart-US Army/COCOM Director Vince Holtmann-Federal Business Director 14