Advanced Endpoint Protection


Advanced Endpoint Protection: Protecting Endpoints and Servers
Nick Levay, Chief Security Officer, Bit9 <nlevay@bit9.com> @rattle1337
2014 Bit9. All Rights Reserved

About Me
- Chief Security Officer, Bit9
- Former Director of Technical Operations and Information Security, Center for American Progress (CAP)
- Former Director of Global Systems and Tools, NASDAQ:IAWK
- Practicing professionally since 1997
- Certified Information Systems Security Professional
- Educational background in Communications
Areas of focus: Information Warfare, Cyber Counter-Intelligence, Security Operations, Web Development & Operations, Social Media / Social Network Analysis
Locations: NJ, TN, Silicon Valley, Asia, DC, MA (frequent movement between these locations)

the assumption of breach
the inevitability of compromise

"In 2020, enterprises will be in a state of continuous compromise." -- Gartner
More like 2010!!!

Rethink Security Strategy
- prevention is no longer enough
- invest in detection and response
- consider your technologies
- move from reactive to proactive
- security is not a solution, it is a process

The attacker has the advantage. The attacker does not have the advantage, unless we cede it to them.

Enterprise Network as a Battlespace

Situational awareness enables real-time, accurate decisions in tactical situations. Most enterprises have no internal or endpoint situational awareness.

prepare the battlefield win the battle

Prepare for breach. Avoid forensics & expensive consultants.

- Compromise happens in seconds
- Data exfiltration starts minutes later
- It continues undetected for months
- Remediation takes weeks
- At $341k per incident in forensics costs
THIS IS UNSUSTAINABLE
Sources: Fig 41, Verizon Data Breach Report, 2013; NetDiligence, Cyberinsurance Claims, 2012

Defense-in-depth / Layered Controls
- Network security controls: Firewalls, DPI, IDS/IPS, DLP, Email/Web Scanning, Detonation
- Service security controls: Authentication, permissions, naming lookup, lots of logging
- Endpoint security controls: Anti-virus, application control, endpoint threat detection and response
If you are depending on one control to stop an attack, you are doing it wrong.

The Attacker's Process & Enterprise Capabilities
The often misunderstood meaning of empathy
The Cyber Kill Chain model, developed by Mike Cloppert, Rohan Amin, and Eric Hutchins at Lockheed Martin. Useful for:
- Breaking down stages of an attacker's process
- Formulating strategy for deploying security controls
- Facilitating iterative intelligence gathering
- Effective intelligence use
Phases: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, C2, AoO (Actions on Objectives)
Courses of action: DETECT, DENY, DISRUPT, DEGRADE, DECEIVE

The Endpoint in Focus (Reconnaissance, Weaponization, Delivery, Exploitation, Installation, C2, AoO)
Preventing Exploitation
- Patching matters!!! (Best way to minimize threat surface)
- ASLR/DEP is great, but only degrades and disrupts
- Very little can be done at this stage
Preventing Installation
- Dropping binaries, touching other processes, et cetera
- Default-Allow == Blacklisting
- Default-Deny == Whitelisting
- Sandboxing
- Hybrid Approaches

The Endpoint in Focus: Prevention (Reconnaissance, Weaponization, Delivery, Exploitation, Installation, C2, AoO)
Default-Allow / Blacklisting / Known Bad
- Traditional AV, based on signatures
- Ineffective for anything other than nuisance threats
- Local blacklists are still tactically useful

[Figure: Opportunistic vs Advanced Attacks. Two charts of Hosts Compromised (log scale, 10 to 100k) against Time (Week 1 to Week 7), each with a horizontal "threshold of detection" line. Opportunistic attacks: goal is to maximize slope. Advanced attacks: goal is to minimize slope.]

The Endpoint in Focus: Prevention (Reconnaissance, Weaponization, Delivery, Exploitation, Installation, C2, AoO)
Default-Deny / Whitelisting / Trust Based / Known Good
- Most effective protection
- Usually easy on servers and fixed function systems
- Can be challenging on dynamic endpoints
- Good application governance is key to successful implementation
- Still not a silver bullet

The Endpoint in Focus: Prevention (Reconnaissance, Weaponization, Delivery, Exploitation, Installation, C2, AoO)
Sandboxes
- Mitigation of application compromise, not system protection
- Application specific sandboxes (e.g. Java, Chrome)
- Virtualization based EPP solutions
- Covers only a limited portion of the threat surface
- Can't prevent/detect lateral movement

Challenges stopping attacks at Delivery (Reconnaissance, Weaponization, Delivery, Exploitation, Installation, C2, AoO)
- Network detection solutions often not in-line
- Known Bad point comes after delivery (2m-10m)
- Network assets often are not the first time a bad file is seen:
  - Encrypted (No SSL MITM inspection)
  - In a container (Password protected zip/rar)
  - Physical media (USB stick, DVD/CDs, et cetera)
- Detonation is so useful, it's becoming commoditized

Actionable intelligence passing (Reconnaissance, Weaponization, Delivery, Exploitation, Installation, C2, AoO)
- Incoming files on network
- Detonate files for analysis
- Transfer alerts
- Correlate endpoint/server and network data
- Prioritize network alerts
- Investigate scope of the threat
- Remediate endpoints and servers
- Endpoint and server files: submit files automatically, submit files on-demand
- Automatic analysis of all suspicious files; on-demand analysis of suspicious files

Focus on Threat Intelligence: Leveraging Indicators to Facilitate Detection (Reconnaissance, Weaponization, Delivery, Exploitation, Installation, C2, AoO)
- IP Addresses
- Hostnames
- File Hashes
- Et cetera

Focus on Threat Intelligence: Leveraging Intelligence to Determine Trust (Reconnaissance, Weaponization, Delivery, Exploitation, Installation, C2, AoO)
- Reputation levels for files, from a Software Reputation Service (SRS)
- Thresholds can drive approvals
- Firefox == 10
- Keylogger == 0

Complete Forensic Record of Endpoint Activity (Reconnaissance, Weaponization, Delivery, Exploitation, Installation, C2, AoO)
- All file modifications
- All registry modifications
- All file executions
- All network connections
- Copy of every executed binary
All the information you need to respond

[Figure: detection focus. A timeline running from "seconds to minutes" at one end to "weeks to years" at the other, asking where detection focus should sit.]

Endpoint and Server Telemetry
Monitor:
- File executions
- File modifications
- Registry modifications
- Network activity
Retain:
- Telemetry from periods when system is offline
- Copies of all executed binaries
Control (at minimum):
- File executions
- Instant Global Ban
- Registry modifications
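As an added example (not Bit9's code or the deck's), the trust-based prevention model from the whitelisting, reputation-threshold and telemetry slides above, applied to a constructed batch of execution events: a global ban wins, then an approved list, then a reputation threshold, with default-deny for the rest, and an indicator match on network connections as a separate detection signal. Hashes, hostnames, paths and the 0-10 reputation scale are assumed placeholders.

```python
"""Added example, not from the Bit9 deck: a default-deny execution policy that
combines an approved list, an instant global ban, a reputation threshold and an
indicator match, run over constructed endpoint telemetry."""
from dataclasses import dataclass

# Constructed sample data. Hashes are placeholder strings, not real digests.
APPROVED = {"sha256:aaaa-firefox", "sha256:bbbb-word"}    # explicitly trusted
GLOBAL_BAN = {"sha256:ffff-keylogger"}                    # instant global ban
REPUTATION = {"sha256:aaaa-firefox": 10, "sha256:bbbb-word": 9,
              "sha256:cccc-newtool": 6, "sha256:ffff-keylogger": 0}
AUTO_APPROVE_AT = 8          # assumed 0-10 scale ("Firefox == 10, Keylogger == 0")
BAD_HOSTS = {"c2.example.invalid"}                        # constructed indicator set

@dataclass
class ExecEvent:
    host: str
    sha256: str
    path: str
    connections: tuple = ()  # hostnames the process connected to

def decide(event: ExecEvent) -> dict:
    """Apply the policy to one event: global ban > approved > reputation > deny."""
    rep = REPUTATION.get(event.sha256, 0)          # unknown software scores 0
    if event.sha256 in GLOBAL_BAN:
        verdict, reason = "block", "globally banned hash"
    elif event.sha256 in APPROVED:
        verdict, reason = "allow", "approved by policy"
    elif rep >= AUTO_APPROVE_AT:
        verdict, reason = "allow", f"reputation {rep} >= {AUTO_APPROVE_AT}"
    else:
        verdict, reason = "block", f"reputation {rep} < {AUTO_APPROVE_AT} (default-deny)"
    # Indicator matching is a detection signal independent of the prevention
    # verdict: an approved binary talking to a known C2 host still needs an alert.
    hits = sorted(set(event.connections) & BAD_HOSTS)
    return {"host": event.host, "path": event.path, "verdict": verdict,
            "reason": reason, "alert": bool(hits), "indicators": hits}

# Constructed telemetry batch that exercises every branch of the policy.
SAMPLE = [
    ExecEvent("ws01", "sha256:aaaa-firefox", r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    ExecEvent("ws02", "sha256:cccc-newtool", r"C:\Users\alice\Downloads\newtool.exe"),
    ExecEvent("ws03", "sha256:ffff-keylogger", r"C:\Users\bob\AppData\Local\Temp\svc.exe"),
    ExecEvent("ws04", "sha256:bbbb-word", r"C:\Program Files\Office\winword.exe",
              ("c2.example.invalid",)),
]

if __name__ == "__main__":
    for d in (decide(e) for e in SAMPLE):
        print(d["host"], d["verdict"], d["reason"], "ALERT" if d["alert"] else "")
```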

A growing consensus
"Security will shift to rapid detection and response capabilities linked to protection systems to block further spread of the attack." -- Gartner, Endpoint Threat Detection and Response Tools and Practices, Sept. 2013
"Functions organize basic cybersecurity activities at their highest level. These Functions are: Identify, Protect, Detect, Respond, and Recover." -- NIST Cybersecurity Framework for Critical Infrastructure, Feb 2014
"Assume the organization is already infected. Change your 'incident response' mindset to a 'continuous detection and response' process." -- Gartner Research Note, Feb 2014

In review...
- Compromise is inevitable; you must plan for response
- Defense tactics are changing
- You can leverage the home-field advantage against adversaries
- Forensics are not part of the defense process
- You've got to collect telemetry from EVERYTHING
- Your endpoints and network must work together
- There are no silver bullets
THERE ARE TWO THINGS YOU NEED TO DO:
- Decrease your threat surface
- Increase your response capabilities

Establishing a Continuous Security Process
Attacks target the endpoint.
Visibility: Know what's running on every computer right now
- How can you protect your assets if you don't know what's running on them?
- Traditional security tools provide no visibility
- Visibility needs to be live, not poll or scan-based
Prevent: Stop threats with proactive, customizable prevention
- Reduce your attack surface
- The number of threats will continue to grow exponentially
- Apply trust-based policies to allow only known good software to run
Detect: Detect threats in real-time without signatures
- See and record everything
- You can't always know what's bad ahead of time
- Apply advanced indicators to detect unknown threats in real-time
Respond: See the full evolution of a threat; contain and control
- Traditional incident response is expensive and time consuming
- With historical recording, you can identify scope and impact in seconds, not weeks
- Use that information to contain, remediate and further reduce attack surface

questions Nick Levay <nlevay@bit9.com> @rattle1337

Thank You! Nick Levay <nlevay@bit9.com> @rattle1337