The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain

David Flournoy, Bit9 Mid-Atlantic Regional Manager


Significant Data Breaches in Last Twelve Months

[Timeline slide: breaches plotted by month, January through December; the individual breach names are not recoverable from the transcript.]

“In 2020, enterprises will be in a state of continuous compromise.”



Why is the Endpoint Under Attack?

  • Host-based security software still relies on AV signatures

    • Writing signatures is a routine process for antivirus vendors, but it takes time and can no longer keep up with the volume of new malware

    • Host-based security software's dependency on signatures and scanning engines remains an Achilles heel against modern malware

  • Evasion techniques easily bypass host-based defenses

    • Malware writers use compression (packing) and encryption so that the bytes on disk no longer match any signature

    • Malware developers use polymorphism or metamorphism to change the appearance of malicious code from system to system

  • Cyber adversaries test malware against popular host-based software

    • Criminal web sites let malware authors submit their samples for testing against dozens of AV products before release
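The packing and polymorphism bullets above describe why exact-match signatures fail. The Python below is an added example written for this page, not Bit9 code: a one-byte XOR wrapper with a constant header (the hypothetical "XORPK" stub) stands in for the compression and encryption layers, and the payload is a constructed, harmless string. Re-wrapping the same body with a fresh key per victim yields a distinct file hash every time, so a hash shipped for one captured variant matches none of the others, while the body recovered by emulating the wrapper hashes identically throughout.

```python
import hashlib

# Constructed, harmless stand-in for a malware body. Nothing here executes.
PAYLOAD = b"SAMPLE-BODY: connect to c2, install service, collect documents"

# Hypothetical packer header; constant across variants, like a real decoder
# stub that an engine could recognise and emulate.
STUB_MAGIC = b"XORPK"


def pack(body: bytes, key: int) -> bytes:
    """Polymorphic wrapper: the same body produces different bytes per key.
    Real packers compress and encrypt; one-byte XOR is the minimal model."""
    if not 0 <= key < 256:
        raise ValueError("key must be a single byte")
    return STUB_MAGIC + bytes([key]) + bytes(b ^ key for b in body)


def unpack(sample: bytes) -> bytes:
    """What an engine must do to see through the layer: emulate the stub."""
    if not sample.startswith(STUB_MAGIC):
        raise ValueError("not a XORPK sample")
    key = sample[len(STUB_MAGIC)]
    return bytes(b ^ key for b in sample[len(STUB_MAGIC) + 1:])


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def file_hash_hits(samples, known_bad_hashes) -> int:
    """Classic AV lookup: exact hash of the bytes on disk."""
    return sum(sha256(s) in known_bad_hashes for s in samples)


def body_hash_hits(samples, known_bad_body_hashes) -> int:
    """The same lookup applied after stripping the packing layer."""
    return sum(sha256(unpack(s)) in known_bad_body_hashes for s in samples)


def demo(n_variants: int = 16) -> dict:
    # The vendor captured one variant (key 0x5A) and shipped its file hash.
    captured = pack(PAYLOAD, key=0x5A)
    known_bad = {sha256(captured)}
    # The attacker re-packs the identical body with a fresh key per victim.
    variants = [pack(PAYLOAD, key=k) for k in range(1, n_variants + 1)]
    return {
        "distinct_file_hashes": len({sha256(v) for v in variants}),
        "file_hash_hits": file_hash_hits(variants, known_bad),
        "body_hash_hits": body_hash_hits(variants, {sha256(PAYLOAD)}),
    }


if __name__ == "__main__":
    print(demo())
```

The constant stub is itself a weak point: a byte pattern on it would catch every variant until the author changes the stub as well (metamorphism), which is why signature upkeep never ends and why the rest of the deck moves the decision to behaviour and trust rather than bytes.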


The State of Information Security

Compromise happens in seconds

Data exfiltration starts minutes later

It continues undetected for months

Remediation takes weeks

At $341k per incident in forensics costs

THIS IS UNSUSTAINABLE


The Kill Chain

Reconnaissance: Attacker researches potential victim

Weaponization: Attacker creates deliverable payload

Delivery: Attacker transmits weapon into the environment

Exploitation: Attacker exploits a vulnerability

Installation: Attacker changes system configuration

C2: Attacker establishes a control channel

Action: Attacker attempts to exfiltrate data


Protection = Prevention, Detection and Response

"Security…will shift to rapid detection and response capabilities linked to protection systems to block further spread of the attack."

Gartner, Endpoint Threat Detection and Response Tools and Practices, Sept. 2013

"Functions organize basic cybersecurity activities at their highest level. These Functions are: Identify, Protect, Detect, Respond, and Recover."

NIST Cybersecurity Framework for Critical Infrastructure, Feb 2014


Need a Security Lifecycle to Combat Advanced Threats

[Lifecycle diagram: a loop of Prevention, Visibility, Detection and Response; Prevention and Visibility sit under "Prevent", Detection and Response under "Detect & Respond".]


Reduce Attack Surface with Default-Deny

• Traditional EPP failure

  • Scan/sweep based: periodic scans see the endpoint only in snapshots (a strobe light)

  • Signature-based: blocks known bad, so anything not yet known is allowed to run

• Success of emerging endpoint prevention solutions

  • Real time: the decision is made at execution, not at the next scan

  • Policy based: tailor policies to the environment

  • Trust based: block all but known good

• Objective of emerging endpoint prevention solutions

  • Lock down endpoint/server

  • Reduce attack surface area: make it as difficult as possible for an advanced attacker


Reduce Attack Surface Across Kill Chain

[Kill chain diagram with the same seven stages and descriptions as above, annotated "Prevention effective here" over the Delivery, Exploitation and Installation stages.]


Detect in Real-time and Without Signatures

• Traditional EPP failure

  • Scan/sweep based

  • Small signature database: only what the vendor has already seen and written a signature for

• Success of emerging endpoint detection solutions

  • Large global database of threat intelligence

  • Signature-less detection through threat indicators: behaviour such as process lineage, command lines, file writes and network connections, rather than file hashes

  • Watchlists: saved indicator queries run continuously against recorded endpoint data

• Objective of emerging endpoint detection solutions

  • Prepare for the inevitability of breach and a continuous state of compromise

  • Cover more of the kill chain than prevention can

  • Enable rapid response


Reduce Attack Surface Across Kill Chain

[The same kill chain diagram, now with two annotations: "Prevention effective here" over the Delivery, Exploitation and Installation stages, and "Detection effective here" spanning a wider range of stages.]


Rapidly Respond to Attacks in Motion

• Traditional EPP failure

  • Expensive external consultants

  • Relies heavily on disk and memory artifacts collected after the fact to reconstruct what happened

• Success of emerging endpoint incident response solutions

  • Real-time, continuously recorded history, held in a centralized database, delivers IR in seconds

  • Attack process visualization and analytics

  • Better, faster and less expensive

• Objective of emerging endpoint incident response solutions

  • Rapid incident response before the intrusion becomes a breach

  • Feed what is learned back into prevention


Current Failures Within the Incident Response Process

The Six-Step IR Process, with the failure commonly seen at each step:

1. Preparation. Failure: no IR plan with processes and procedures in place.

2. Identification & Scoping. Failure: no recorded history with which to fully identify or scope the threat.

3. Containment. Failure: the threat is not properly identified, so it cannot be fully contained.

4. Eradication & Remediation. Failure: after failing to fully scope the threat, remediation is impossible.

5. Recovery. Failure: the organization resumes operations with a false sense of security.

6. Follow Up & Lessons Learned. Failure: no post-incident process in place, or expert recommendations are not implemented.


Advanced Threat Protection for Every Endpoint and Server

[Diagram built up over three slides: three protection modes, "Watch and record", "Stop all untrusted software" and "Detect and block on the fly", applied across four endpoint classes: High-Risk/Targeted Users; All Other Users; Fixed-Function and Critical Infrastructure Devices; Data Center Servers. Which mode the diagram assigns to which class is not recoverable from the transcript.]


Bit9 + Carbon Black: Security Lifecycle in One Solution

[The lifecycle diagram from earlier, Prevent (Prevention, Visibility) and Detect & Respond (Detection, Response), now presented as covered by the combined product.]


Bit9 + Carbon Black

1. Reduce Your Attack Surface (Bit9: Advanced Threat Prevention)

  • New signature-less prevention techniques

  • Market leader in Default-Deny

  • Proactive prevention mechanisms customizable for different users and systems

+

2. Rapidly Detect & Respond to Threats (Carbon Black: Incident Response in Seconds)

  • Continuously monitor and record every endpoint/server

  • Technology leader, purpose-built by experts

  • Super lightweight sensor that records and monitors everything and is deployable to every computer


Bit9 + Carbon Black: Understanding the Entire Kill Chain

• See the kill chain in seconds

• From the vulnerable process to the persistent malicious service

• Would take days or weeks to re-create using traditional tools
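The detection slide (signature-less detection through threat indicators and watchlists), the response slide (continuously recorded history in a central database) and the kill-chain slide just above all rest on the same mechanism, so one added example serves all three. It is illustrative Python written for this page, not Carbon Black code and not a real sensor format: the recorded events, field names, watchlist rules and process tree are constructed. The watchlist judges behaviour (who spawned whom, with what arguments, what was written, what was contacted) and never looks at a file hash; `kill_chain` then walks the recorded tree from one alerting process up to its root ancestor and down to the persistence it installed, which is the "vulnerable process to persistent service" view the slide describes.

```python
from typing import Dict, List

# Constructed recorded history for one endpoint (not a real sensor format).
# type: proc | netconn | regmod; ts: seconds from an arbitrary epoch.
EVENTS: List[dict] = [
    {"ts": 0, "type": "proc", "pid": 100, "ppid": 1,
     "image": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE", "cmdline": "OUTLOOK.EXE"},
    {"ts": 1, "type": "proc", "pid": 200, "ppid": 100,
     "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE", "cmdline": 'WINWORD.EXE "invoice.docm"'},
    {"ts": 5, "type": "proc", "pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA..."},
    {"ts": 6, "type": "netconn", "pid": 300, "remote": "203.0.113.10:443"},
    {"ts": 7, "type": "proc", "pid": 400, "ppid": 300,
     "image": r"C:\Users\alice\AppData\Local\Temp\svc.exe", "cmdline": "svc.exe -install"},
    {"ts": 8, "type": "regmod", "pid": 400,
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\UpdSvc\ImagePath"},
    {"ts": 9, "type": "proc", "pid": 500, "ppid": 1,
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def proc_index(events: List[dict]) -> Dict[int, dict]:
    return {e["pid"]: e for e in events if e["type"] == "proc"}


def parent_image(e: dict, procs: Dict[int, dict]) -> str:
    p = procs.get(e.get("ppid"))
    return image_name(p["image"]) if p else ""


def proc_image(e: dict, procs: Dict[int, dict]) -> str:
    p = procs.get(e["pid"])
    return p["image"].lower() if p else ""


# Watchlist: (rule name, kill-chain stage, predicate over (event, process index)).
# These are behavioural indicators, so each needs tuning for the environment.
WATCHLIST = [
    ("Office application spawned a script host", "Exploitation",
     lambda e, p: e["type"] == "proc" and image_name(e["image"]) in SCRIPT_HOSTS
     and parent_image(e, p) in OFFICE),
    ("PowerShell launched with an encoded command", "Exploitation",
     lambda e, p: e["type"] == "proc" and image_name(e["image"]) == "powershell.exe"
     and " -enc" in e["cmdline"].lower()),
    ("Executable run from a user Temp directory", "Installation",
     lambda e, p: e["type"] == "proc" and "\\appdata\\local\\temp\\" in e["image"].lower()),
    ("Service ImagePath written by a non-Windows binary", "Installation",
     lambda e, p: e["type"] == "regmod" and "\\services\\" in e["key"].lower()
     and e["key"].lower().endswith("\\imagepath") and e["pid"] in p
     and not proc_image(e, p).startswith("c:\\windows\\")),
    ("Outbound connection from a script host", "C2",
     lambda e, p: e["type"] == "netconn" and image_name(proc_image(e, p)) in SCRIPT_HOSTS),
]


def run_watchlist(events: List[dict]) -> List[dict]:
    """Evaluate every rule against every recorded event; no file hashes involved."""
    procs = proc_index(events)
    hits = []
    for e in events:
        for name, stage, pred in WATCHLIST:
            if pred(e, procs):
                hits.append({"ts": e["ts"], "pid": e["pid"], "stage": stage, "rule": name})
    return hits


def kill_chain(events: List[dict], alert_pid: int) -> List[dict]:
    """From one alerting pid, walk the recorded tree up to its root ancestor and
    down through every descendant; return that tree's events in time order."""
    procs = proc_index(events)
    root = alert_pid
    while procs.get(root, {}).get("ppid") in procs:
        root = procs[root]["ppid"]
    tree = {root}
    grew = True
    while grew:  # repeat until no process with a parent in the tree is left out
        grew = False
        for pid, p in procs.items():
            if p["ppid"] in tree and pid not in tree:
                tree.add(pid)
                grew = True
    return sorted((e for e in events if e["pid"] in tree), key=lambda e: e["ts"])


if __name__ == "__main__":
    for h in run_watchlist(EVENTS):
        print(h)
    for e in kill_chain(EVENTS, 400):
        print(e["ts"], e["type"], e["pid"], e.get("image") or e.get("remote") or e.get("key"))
```

Starting from the single alert on `svc.exe`, the history yields the whole chain in one query: Outlook opened the document, Word spawned an encoded PowerShell, PowerShell called out and dropped the binary, and the binary registered a service; the unrelated `svchost.exe` is left out because it is not in the tree. Every rule here will also fire on some legitimate activity (macro-driven automation, admin scripts), which is the "tailor policies to the environment" point from the prevention slide applied to detection.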


Takeaways

• Bit9 is much more than application control/application whitelisting

• Reduce your attack surface with prevention

• Prepare for the inevitability of compromise

  • Detect in real time without signatures

  • Rapid response in seconds, with recorded history, before the intrusion becomes a breach

• Establish an IR plan

• Understand the need for a security lifecycle

• Deploy security solutions across the entire environment

"In 2020, enterprises will be in a state of continuous compromise."


Thank You