
The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain


Presentation Transcript


  1. The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain Chris Berninger, Sr. Solutions Engineer, Bit9

  2. The Malware Problem By the Numbers
  • 66% of malware took months or even years to discover (up 10% from previous year) [1]
  • 69% of intrusions are discovered by an external party [1]
  • 155k: the number of new malware samples that are seen daily [2]
  • $5.4M: the average total cost of a data breach [3]
  • 40% of breaches incorporated malware [1]
  Sources: 1. 2013 Verizon Data Breach Investigations Report | 2. McAfee Threats Report: First Quarter 2013 | 3. Ponemon Institute 2013 Cost of a Data Breach Study

  3. Malware: Actors + Actions + Assets = Endpoint (figure with three panels: Actors, Actions, Assets; source: 2013 Verizon Data Breach Report)

  4. Why is the Endpoint Under Attack?
  • Host-based security software still relies on AV signatures
    • Signature creation by antivirus vendors is a routine process: it takes time and can no longer keep up with the massive malware volume
    • Host-based security software’s dependency on signatures and scanning engines remains an Achilles heel when addressing modern malware
  • Evasion techniques can easily bypass host-based defenses
    • Malware writers use compression and encryption to bypass AV filters
    • Malware developers use software polymorphism or metamorphism to change the appearance of malicious code from system to system
  • Cyber adversaries test malware against popular host-based software
    • There are criminal web sites where malware authors can submit their exploits for testing against dozens of AV products

  5. Significant Data Breaches in Last Twelve Months (month-by-month timeline figure, January through December)

  6. A New Generation of Security is Coming… (as defined by Gartner)
  • Next-Gen Prevention: “Reduce your attack surface”; block newly discovered attacks on the fly
  • Pervasive monitoring and centralized recording
  • Threat Detection & Response: “Respond quickly when under attack”

  7. Reducing Your Attack Surface Across the Kill Chain
  • Reconnaissance: attacker researches potential victim
  • Weaponization: attacker creates deliverable payload
  • Delivery: attacker transmits weapon into the environment
  • Exploitation: attacker exploits vulnerability
  • Installation: attacker changes system configuration
  • C2: attacker establishes control channel
  • Action: attacker attempts to exfiltrate data
  Slide annotations: “Detection effective here” is placed beside Delivery; “Prevention effective here” is placed beside Exploitation and Installation.

  8. Real-time Visibility & Detection (Bit9) vs. Scan-based (AV) (comparison figure covering unknown malware and known malware)

  9. Real-time Visibility & Detection Enables Rapid Response
  Next-gen Security Needs:
  • Visibility & Detection
    • Real-time recorded history of entire environment
    • Detect known and unknown files as they happen
    • Know if and when you are under attack
  • Response
    • Identify, scope, contain and remediate faster
    • Proactively respond to attacks in motion
    • Simplify and expedite investigations
    • Non-intrusive and no perceived end user impact

  10. Failures Within the IR Process
  The Six-Step IR Process, with the failure seen at each step:
  • Preparation. Failure: no IR plan with processes and procedures in place
  • Identification & Scoping. Failure: no recorded history to fully identify or scope the threat
  • Containment. Failure: the threat is not properly identified, so it cannot be fully contained
  • Eradication & Remediation. Failure: after failing to fully scope the threat, remediation is impossible
  • Recovery. Failure: the organization resumes operations with a false sense of security
  • Follow Up & Lessons Learned. Failure: no post-incident process in place, or expert recommendations are not implemented

  11. Response Process Simplified: Identify, Scope, Contain, Remediate

  12. Response Process Pre and Post Bit9: Identify
  Identify steps: Gather artifacts (file, system and network information); Seek information; Review system changes; Malware analysis
  File artifacts available from the recorded history:
  • First name
  • Hash, Trust
  • Time first seen
  • Group (relation)
  • Connector alert

  13. Response Process Pre and Post Bit9: Identify
  Identify steps: Gather artifacts (file, system and network information); Malware analysis; Seek information; Review system changes
  • Search machine: history of changes and events

  14. Response Process Pre and Post Bit9: Identify
  Identify steps: Gather artifacts (file, system and network information); Malware analysis; Seek information; Review system changes
  • SRS Analysis
  • Acquire file remotely
  • Submit to Connector

  15. Response Process Pre and Post Bit9: Scope
  Scope steps: Discover all compromised systems; Determine attack progression and propagation, and which systems are and have been impacted; Find Patient Zero; Review attack history; Identify all systems
  • Complete history of files (the attack)

  16. Response Process Pre and Post Bit9: Scope
  Scope steps: Discover all compromised systems; Determine attack progression and propagation, and which systems are and have been impacted; Find Patient Zero; Review attack history; Identify all systems
  • Complete history of the machines the files are, and were, on, and where they executed

  17. Response Process Pre and Post Bit9: Scope
  Scope steps: Discover all compromised systems; Determine attack progression and propagation, and which systems are and have been impacted; Find Patient Zero; Review attack history; Identify all systems
  • Patient 0 (initial attack vector)
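One way to derive the scope artifacts these slides name (patient zero, every machine the file is or was on, and where it executed) from a recorded endpoint history, followed by the global-ban step of the Contain slide. This is an added Python illustration, not Bit9 code; the event schema, host names and hash placeholders are constructed for the example.

```python
# Constructed sample history: one record per endpoint file event.
# Fields: timestamp (ISO 8601, sortable as text), host, file hash, event.
# Hash values are placeholders, not real indicators.
SAMPLE_EVENTS = [
    ("2013-09-02T08:14:00", "ws-017", "HASH_A", "first_seen"),
    ("2013-09-02T08:15:30", "ws-017", "HASH_A", "executed"),
    ("2013-09-02T09:40:00", "ws-042", "HASH_A", "first_seen"),
    ("2013-09-03T11:02:00", "srv-file-01", "HASH_A", "first_seen"),
    ("2013-09-03T11:02:10", "srv-file-01", "HASH_A", "executed"),
    ("2013-09-03T12:00:00", "ws-042", "HASH_A", "deleted"),
    ("2013-09-03T13:00:00", "ws-099", "HASH_B", "first_seen"),  # unrelated file
]


def scope_hash(events, target_hash):
    """Return the scope artifacts for one file hash, or None if never seen."""
    recs = sorted((e for e in events if e[2] == target_hash), key=lambda e: e[0])
    if not recs:
        return None
    on_disk = {}          # host -> True while the file is present on that host
    executed_on = set()   # hosts where the file actually ran
    for _ts, host, _h, event in recs:
        if event == "first_seen":
            on_disk[host] = True
        elif event == "deleted":
            on_disk[host] = False
        elif event == "executed":
            executed_on.add(host)
            on_disk.setdefault(host, True)
    return {
        "patient_zero": recs[0][1],          # earliest host to see the file
        "first_seen": recs[0][0],
        "all_hosts": sorted(on_disk),        # machines the file is or was on
        "present_now": sorted(h for h, p in on_disk.items() if p),
        "executed_on": sorted(executed_on),
        "timeline": [(ts, host, ev) for ts, host, _h, ev in recs],
    }


def containment_plan(scope, target_hash):
    """Short-term containment from the scope: ban the hash globally to stop
    further executions, isolate hosts that ran it, clean hosts that hold it."""
    return {
        "ban_globally": target_hash,
        "isolate_first": scope["executed_on"],
        "clean_up": scope["present_now"],
    }


if __name__ == "__main__":
    s = scope_hash(SAMPLE_EVENTS, "HASH_A")
    print("patient zero:", s["patient_zero"], "at", s["first_seen"])
    print("hosts (now or ever):", s["all_hosts"], "executed on:", s["executed_on"])
    print("containment:", containment_plan(s, "HASH_A"))
```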

  18. Response Process Pre and Post Bit9: Contain
  Contain steps (short-term steps to halt the attack): Block or ban content; Halt exfiltration; Disrupt attack
  • Ban globally, stop further executions

  19. Response Process Pre and Post Bit9: Remediate
  Remediate steps (longer-term changes to prevent & detect attacks): Update policies across the organization; Review posture; Update prevention & detection
  • Review policy for endpoint controls

  20. Response Process Pre and Post Bit9: Remediate
  Remediate steps (longer-term changes to prevent & detect attacks): Update policies across the organization; Review posture; Update prevention & detection
  • Update prevention policies
  • Update detection capabilities

  21. Full Visibility Fuels Full Detection & Response (figure contrasting an environment without Bit9 fully deployed, where limited coverage = limited security, with one with Bit9 fully deployed)

  22. Takeaways
  • Assume you will get breached
  • Reduce your attack surface with visibility & detection
  • How to do this?
    • Have a real-time recorded history that continuously monitors and records every endpoint/server
    • Detect both known and unknown malware without signatures
    • Rapidly respond using recorded history
  • Establish an IR plan
    • Understand security solutions that can simplify and expedite response
  • Fully deploy security solutions across the entire environment
    • Limited coverage means limited visibility, detection, response and prevention
  “In 2020, enterprises will be in a state of continuous compromise.”

  23. Bit9 Benefits
  • Visibility: know what’s running on every endpoint and server right now
  • Detection: see and record everything; detect threats in real-time without signatures
  • Response: a full history of what’s happened on every machine; contain and control threats
  • Prevention: new proactive, signature-less prevention techniques
  • Integration: integrate network and endpoint security for real-time response and prevention
  Benefits:
  • Always know what’s on your endpoints and servers
  • Detect and stop advanced threats
  • Reduce incident response time
  • Reduce remediation time
  • Improve compliance

  24. Thank you! Q&A
