Application Whitelisting and Active Analysis Nick Levay, Chief Security Officer, Bit9


About Me
Chief Security Officer @ Bit9
Former Director of Technical Operations and Information Security @ Center for American Progress
Former Director of Global Systems and Tools @ NASDAQ:IAWK
Practicing professionally since 1997
Certified Information Systems Security Professional
Educational background in Communications
Areas of focus: Information Warfare, Cyber Counterintelligence, Security Operations, Development Operations, Social Media / Social Network Analysis
Locations: NJ, TN, Silicon Valley, Asia, DC, MA (* frequent movement between the aforementioned locations)

the assumption of breach
the inevitability of compromise

"In 2020, enterprises will be in a state of continuous compromise." -- Gartner
(more like 2010)

Rethink Your Security Strategy
- prevention is no longer enough
- invest in detection and response
- consider your technologies
- move from reactive to proactive
- security is not a solution, it is a process

The attacker has the advantage. The attacker does not have the advantage, unless we cede it to them.

Enterprise Network as a Battlespace

Situational awareness enables real-time, accurate decisions in tactical situations. Most enterprises have no internal or endpoint situational awareness.

prepare the battlefield
win the battle

Prepare for breach. Avoid forensics & expensive consultants.

Defense-in-depth / Layered Controls
- Network security controls: firewalls, DPI, IDS/IPS, DLP, email/web scanning, detonation
- Service security controls: authentication, permissions, naming lookup, lots of logging
- Endpoint security controls: anti-virus, application control, endpoint threat detection and response
If you are depending on one control to stop an attack, you are doing it wrong.

The Attacker's Process & Enterprise Capabilities
The often misunderstood meaning of empathy
The Cyber Kill Chain model, developed by Mike Cloppert, Rohan Amin, and Eric Hutchins at Lockheed Martin
Useful for:
- breaking down the stages of an attacker's process
- formulating a strategy for deploying security controls
- facilitating iterative intelligence gathering
- effective intelligence use
Kill chain stages: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, C2, AoI
Courses of action at each stage: DETECT, DENY, DISRUPT, DEGRADE, DECEIVE

The Endpoint in the Kill Chain
Preventing Exploitation
- Patching matters! (Most basic way to minimize threat surface)
- Enforce ASLR/DEP (Microsoft EMET)
- Inter-process memory controls
- Unfortunately, there's little you can do at this stage
Preventing Installation (dropping of binaries, touching other processes, et cetera)
- Blacklist approaches: Default-Allow
- Sandbox approaches: Default-Allow + Deny-over-there
- Trust based approaches: Default-Deny (Application Whitelisting)
- Hybrid approaches: Detonate-and-Deny, Detect-and-Deny

The Endpoint in Focus: Prevention
Default-Allow: Blacklisting
- Blocking known bad
- Traditional AV, based on signatures
- Ineffective for anything other than nuisance threats
- Local blacklists are still tactically useful

[Charts: Opportunistic vs Advanced Attacks. Two panels plot Hosts Compromised (log scale, 10 to 100k) against Time (Week 1 to Week 7), each with a horizontal Threshold of Detection line. Opportunistic panel: goal is to maximize slope. Advanced panel: goal is to minimize slope.]

The Endpoint in Focus: Prevention
Default-Deny: Whitelisting (trust based, known good)
- Most effective protection
- Easy on servers and fixed function systems
- Can be challenging on dynamic endpoints
- Good application governance is key to successful implementation
- Still not a silver bullet

The Endpoint in Focus: Prevention
Sandboxes
- Mitigation of application compromise, not system protection
- Application specific sandboxes (e.g. Java, Chrome)
- Virtualization based EPP solutions
- Covers only a limited portion of the threat surface
- Can't prevent/detect lateral movement

Challenges stopping attacks at Delivery
- Network detonation solutions are often not in-line
- The Known Bad point comes after delivery, so the control becomes detection only
- Network assets are often not where a bad file is first seen:
  - Encrypted (no SSL MITM inspection)
  - In a container (password protected zip/rar)
  - Removable media (USB stick, DVD/CDs, et cetera)

Actionable intelligence passing (between network detonation and endpoint/server telemetry)
- Network: incoming files on network -> detonate files for analysis -> transfer alerts
- Endpoint and server: endpoint and server files -> submit files automatically (automatic analysis of all suspicious files) or submit files on-demand (on-demand analysis of suspicious files)
- Combined: correlate endpoint/server and network data -> prioritize network alerts -> investigate scope of the threat -> remediate endpoints and servers

Threat Intelligence: Leveraging Indicators to Facilitate Detection
- IP Addresses
- Hostnames
- File Hashes
- Et cetera

Threat Intelligence: Leveraging Intelligence to Determine Trust
- Software Reputation Service (SRS)
- Reputation levels for files
- Thresholds can drive approvals (e.g. Firefox == 10, Keylogger == 0)
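An added example (not Bit9's code) of the trust decision the slides sketch: a default-deny policy fed by a local blacklist, explicit approvals, a trusted publisher and a reputation threshold, using the Firefox (10) and keylogger (0) scores from the slide. The hash strings, the publisher name and the threshold value of 7 are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed policy data (not real hashes or scores). Hash strings stand in
# for SHA-256 digests; REPUTATION imitates a 0..10 software reputation service.
APPROVED_HASHES = {"hash-corp-vpn-client"}          # explicitly approved by admins
LOCAL_BLACKLIST = {"hash-known-dropper"}            # tactically useful local denies
TRUSTED_PUBLISHERS = {"Example Corp Signing CA"}    # constructed publisher name
REPUTATION = {"hash-firefox": 10, "hash-keylogger": 0, "hash-new-tool": 5}
APPROVAL_THRESHOLD = 7   # assumed policy setting: auto-approve at or above this


@dataclass(frozen=True)
class ExecRequest:
    host: str
    path: str
    sha256: str
    publisher: Optional[str] = None


def decide(req: ExecRequest, threshold: int = APPROVAL_THRESHOLD):
    """Return (verdict, reason). Anything not positively trusted is denied."""
    if req.sha256 in LOCAL_BLACKLIST:
        return "deny", "local blacklist"            # blacklist beats every approval
    if req.sha256 in APPROVED_HASHES:
        return "allow", "approved hash"
    if req.publisher in TRUSTED_PUBLISHERS:
        return "allow", "trusted publisher"
    score = REPUTATION.get(req.sha256)
    if score is not None and score >= threshold:
        return "allow", f"reputation {score} >= {threshold}"
    # Default-deny: unknown or low-reputation code never runs; the denial is
    # recorded so the file can be submitted for analysis and approved if benign.
    return "deny", "not trusted (default-deny); queued for analysis"


def evaluate_all(requests, threshold=APPROVAL_THRESHOLD):
    """Decide a batch and return (host, path, verdict, reason) per request."""
    return [(r.host, r.path, *decide(r, threshold)) for r in requests]
```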

Complete Forensic Record of Endpoint Activity
- All file modifications
- All registry modifications
- All file executions
- All network connections
- Copy of every executed binary
All the information you need to respond

[Figure, built up over several slides: a telemetry timeline marked "seconds to minutes" at one end and "weeks to years" at the other, with the "detection focus" label placed at the seconds-to-minutes end; the final build labels it "detection focus?".]

Establishing a Continuous Security Process
Attacks happen on the endpoint.
Visibility: know what's running on every computer right now
- How can you protect your assets if you don't know what's running on them?
- Traditional security tools provide no visibility
- Visibility needs to be live, not poll or scan-based
Prevent: stop threats with proactive, customizable prevention
- Reducing your attack surface
- Symantec saw 240 million unique threats in 2009; we've crossed the billion mark cumulatively
- Apply trust-based policies to allow only known good software to run
Detect: detect threats in real-time without signatures
- See and record everything
- You can't always know what's bad ahead of time
- Apply advanced indicators to detect unknown threats in real-time
Respond: see the full evolution of a threat; contain and control
- Traditional incident response is expensive and time consuming
- With historical recording, you can identify scope and impact in minutes, not weeks
- Use that information to contain, remediate and further reduce attack surface

Endpoint and Server Telemetry/Control
- Monitor & Record: file executions, file modifications, registry modifications, network connections
- Retain: telemetry from periods when the system is offline; copies of all executed binaries
- Control: file executions, inter-process memory access, registry modifications
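An added example (not Bit9's code) of the Detect and Respond steps run over the kind of record described in the Forensic Record and Telemetry/Control slides: a threat-intel indicator (one C2 address) is matched against recorded events, the hit is pivoted to the binary that ran just before the connection, and every host that executed that binary is scoped, yielding its persistence keys, destinations and newly learned indicators. The telemetry rows, hash strings and addresses are constructed; the last-binary-before-connection attribution is a stated simplification of per-process attribution.

```python
from collections import defaultdict

# Constructed telemetry (not real data) of the kind a recording sensor retains:
# file executions, registry modifications and network connections per host.
# Hash values are placeholders, not real SHA-256 digests.
TELEMETRY = [
    {"ts": 1, "host": "ws-101", "type": "file_exec", "sha256": "hash-invoice-dropper"},
    {"ts": 2, "host": "ws-101", "type": "net_conn", "dst": "203.0.113.45"},
    {"ts": 3, "host": "ws-101", "type": "reg_mod", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"},
    {"ts": 4, "host": "ws-102", "type": "file_exec", "sha256": "hash-invoice-dropper"},
    {"ts": 5, "host": "ws-102", "type": "net_conn", "dst": "198.51.100.7"},
    {"ts": 6, "host": "ws-103", "type": "file_exec", "sha256": "hash-firefox"},
    {"ts": 7, "host": "ws-103", "type": "net_conn", "dst": "192.0.2.10"},
]
# Starting point: a single C2 address from a threat-intel feed (constructed).
INDICATORS = {"sha256": set(), "ip": {"203.0.113.45"}}


def match_indicators(events, indicators):
    """Events that hit a known indicator: an executed hash or a destination IP."""
    return [e for e in events
            if (e["type"] == "file_exec" and e["sha256"] in indicators["sha256"])
            or (e["type"] == "net_conn" and e["dst"] in indicators["ip"])]


def scope_incident(events, indicators):
    """Pivot from indicator hits to every host that ran the same binary.
    Returns (hosts in scope, per-host activity, newly learned indicators)."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        by_host[e["host"]].append(e)
    suspect = set(indicators["sha256"])
    for hit in match_indicators(events, indicators):
        if hit["type"] == "net_conn":
            # Attribute the connection to the last binary executed on that host
            # before it (a simplification of real per-process attribution).
            prior = [e for e in by_host[hit["host"]]
                     if e["type"] == "file_exec" and e["ts"] < hit["ts"]]
            if prior:
                suspect.add(prior[-1]["sha256"])
    in_scope, activity, new_ips = set(), {}, set()
    for host, evs in by_host.items():
        first = next((e["ts"] for e in evs
                      if e["type"] == "file_exec" and e["sha256"] in suspect), None)
        if first is None:
            continue                      # binary never ran here: out of scope
        in_scope.add(host)
        later = [e for e in evs if e["ts"] >= first]
        activity[host] = {"dst": {e["dst"] for e in later if e["type"] == "net_conn"},
                          "reg": {e["key"] for e in later if e["type"] == "reg_mod"}}
        new_ips |= activity[host]["dst"] - indicators["ip"]
    return in_scope, activity, {"sha256": suspect - indicators["sha256"], "ip": new_ips}
```

The new indicators returned can be fed back into the next `match_indicators` pass, which is the iterative intelligence gathering the kill chain slide calls for.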

Conclusions
- Compromise is inevitable; you must plan for response
- Proactive defense starts with visibility: you've got to collect telemetry from EVERYTHING
- You can leverage the home-field advantage against adversaries
- Defense tactics are changing: shift from Default-Allow to Default-Deny; not all assets are protected the same way; your endpoints and network must work together
- There are no silver bullets
THERE ARE TWO THINGS YOU NEED TO DO:
- Decrease your threat surface
- Increase your response capabilities

Discussion
- All questions welcome
- Share experiences
- Keep it short & leave room for others

Thank You!