
The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain

David Flournoy, Bit9 Mid-Atlantic Regional Manager.


Presentation Transcript


  1. The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain
     David Flournoy, Bit9 Mid-Atlantic Regional Manager

  2. Significant Data Breaches in Last Twelve Months
     [Figure: timeline by month, January to December]
     “In 2020, enterprises will be in a state of continuous compromise.”

  3. Why is the Endpoint Under Attack?
     • Host-based security software still relies on AV signatures
        • Antivirus vendors find a routine process: Takes time and can no longer keep up with the massive malware volume
        • Host-based security software’s dependency on signatures and scanning engines remains an Achilles heel when addressing modern malware
     • Evasion techniques can easily bypass host-based defenses
        • Malware writers use compression and encryption to bypass AV filters
        • Malware developers use software polymorphism or metamorphism to change the appearance of malicious code from system to system
     • Cyber adversaries test malware against popular host-based software
        • There are criminal web sites where malware authors can submit their exploits for testing against dozens of AV products

  4. The State of Information Security
     • Compromise happens in seconds
     • Data exfiltration starts minutes later
     • It continues undetected for months
     • Remediation takes weeks
     • At $341k per incident in forensics costs
     THIS IS UNSUSTAINABLE

  5. The Kill Chain
     • Reconnaissance: Attacker researches potential victim
     • Weaponization: Attacker creates deliverable payload
     • Delivery: Attacker transmits weapon in environment
     • Exploitation: Attacker exploits vulnerability
     • Installation: Attacker changes system configuration
     • C2: Attacker establishes control channel
     • Action: Attacker attempts to exfiltrate data

  6. Protection = Prevention, Detection and Response
     • “Security…will shift to rapid detection and response capabilities linked to protection systems to block further spread of the attack.” (Gartner, Endpoint Threat Detection and Response Tools and Practices, Sept. 2013)
     • “Functions organize basic cybersecurity activities at their highest level. These Functions are: Identify, Protect, Detect, Respond, and Recover.” (NIST Cybersecurity Framework for Critical Infrastructure, Feb 2014)

  7. Need a Security Lifecycle to Combat Advanced Threats
     [Lifecycle diagram labels: Prevent; Detect & Respond; Prevention, Visibility, Detection, Response]

  8. Reduce Attack Surface with Default-Deny
     • Traditional EPP failure
        • Scan/sweep based (strobe light)
        • Signature based
        • Block known bad
     • Success of emerging endpoint prevention solutions
        • Real time
        • Policy based
        • Tailor policies based on environment
        • Trust based
        • Block all but known good
     • Objective of emerging endpoint prevention solutions
        • Lock down endpoint/server
        • Reduce attack surface area
        • Make it as difficult as possible for advanced attacker
     [Lifecycle diagram labels: Prevention, Visibility, Detection, Response]

  9. Reduce Attack Surface Across Kill Chain
     • Reconnaissance: Attacker researches potential victim
     • Weaponization: Attacker creates deliverable payload
     • Delivery: Attacker transmits weapon in environment
     • Exploitation: Attacker exploits vulnerability
     • Installation: Attacker changes system configuration
     • C2: Attacker establishes control channel
     • Action: Attacker attempts to exfiltrate data
     [Diagram annotation: “Prevention effective here”]

  10. Detect in Real-time and Without Signatures
      • Traditional EPP failure
         • Scan/sweep based
         • Small signature database
      • Success of emerging endpoint detection solutions
         • Large global database of threat intelligence
         • Signature-less detection through threat indicators
         • Watchlists
      • Objective of emerging endpoint detection solutions
         • Prepare for inevitability of breach and continuous state of compromise
         • Cover more of the kill chain than prevention
         • Enable rapid response
      [Lifecycle diagram labels: Prevention, Visibility, Detection, Response]

  11. Reduce Attack Surface Across Kill Chain
      • Reconnaissance: Attacker researches potential victim
      • Weaponization: Attacker creates deliverable payload
      • Delivery: Attacker transmits weapon in environment
      • Exploitation: Attacker exploits vulnerability
      • Installation: Attacker changes system configuration
      • C2: Attacker establishes control channel
      • Action: Attacker attempts to exfiltrate data
      [Diagram annotations: “Prevention effective here”, “Detection effective here”]

  12. Rapidly Respond to Attacks in Motion
      • Traditional EPP failure
         • Expensive external consultants
         • Relies heavily on disk and memory artifacts for recorded history
      • Success of emerging endpoint incident response solutions
         • Real-time continuous recorded history delivers IR in seconds
         • In centralized database
         • Attack process visualization and analytics
         • Better, faster and less expensive
      • Objective of emerging endpoint incident response solutions
         • Pre-breach rapid incident response
         • Better prepare prevention moving forward
      [Lifecycle diagram labels: Prevention, Visibility, Detection, Response]

  13. Current Failures Within the Incident Response Process
      The Six-Step IR Process:
      • Preparation. Failure: No IR plan with processes and procedures in place
      • Identification & Scoping. Failure: Do not have recorded history to fully identify or scope threat
      • Containment. Failure: Does not properly identify threat so cannot fully contain
      • Eradication & Remediation. Failure: After failing to fully scope threat, remediation is impossible
      • Recovery. Failure: Organization resumes operations with false sense of security
      • Follow Up & Lessons Learned. Failure: No post-incident process in place or does not implement expert recommendations

  14. Advanced Threat Protection for Every Endpoint and Server
      • Capabilities shown: Watch and record
      • Endpoint groups: High-Risk/Targeted Users; Fixed-Function and Critical Infrastructure Devices; All Other Users; Data Center Servers

  15. Advanced Threat Protection for Every Endpoint and Server
      • Capabilities shown: Watch and record; Stop all untrusted software
      • Endpoint groups: High-Risk/Targeted Users; Fixed-Function and Critical Infrastructure Devices; All Other Users; Data Center Servers

  16. Advanced Threat Protection for Every Endpoint and Server
      • Capabilities shown: Watch and record; Stop all untrusted software; Detect and block on the fly
      • Endpoint groups: High-Risk/Targeted Users; Fixed-Function and Critical Infrastructure Devices; Data Center Servers; All Other Users

  17. Bit9 + Carbon Black: Security Lifecycle in One Solution
      [Lifecycle diagram labels: Prevent; Detect & Respond; Prevention, Visibility, Detection, Response]

  18. Bit9 + Carbon Black
      1. Reduce Your Attack Surface
      2. Rapidly Detect & Respond to Threats
      • New signature-less prevention techniques
      • Continuously monitor and record every endpoint/server + Incident Response in Seconds
      • Advanced Threat Prevention
      • Technology leader
      • Purpose-built by experts
      • Market leader in Default-Deny
      • Super lightweight sensor that records and monitors everything and is deployable to every computer
      • Proactive prevention mechanisms customizable for different users and systems

  19. Bit9 + Carbon Black: Understanding the Entire Kill Chain
      • See the kill chain in seconds
      • From vulnerable processes to the persistent malicious service
      • Would take days or weeks to re-create using traditional tools

  20. Takeaways
      • Bit9 is much more than application control/application whitelisting
      • Reduce your attack surface with prevention
      • Prepare for inevitability of compromise
      • Detect in real time without signatures
      • Pre-breach rapid response in seconds with recorded history
      • Establish an IR plan
      • Understand the need for a security lifecycle
      • Deploy security solutions across entire environment
      “In 2020, enterprises will be in a state of continuous compromise.”

  21. Thank You
