
FireEye Overview


Presentation Transcript


  1. FireEye Overview. John Bolger, Manager Channels, US-Central, FireEye

  2. Company Overview
     • The leader in stopping advanced targeted attacks
     • Marquee customers across every industry
     • Top banks, hi-tech, oil and gas, government
     • All major Internet search engines, top social networks, and auction sites
     • One of the fastest growing enterprise technology companies in the world

  3. We Are Only Seeing the Tip of the Iceberg (chart: headline-grabbing attacks above the surface; thousands more below the surface: APT attacks, zero-day attacks, polymorphic attacks, targeted attacks)

  4. Manufacturing Hit Worst

  5. Don’t Take Usual Vacations (Email Attacks)

  6. Chinese Hacking Methodology http://www.thedarkvisitor.com/2008/11/chinese-hacker-attack-flowchart/

  7. Chinese Hacking Methodology - Translated http://www.thedarkvisitor.com/2008/11/chinese-hacker-attack-flowchart/

  8. Characteristics of Malware
     • Stealth level: ranges from high to low
     • Target vulnerability: unpatched machines, plug-ins, browsers
     • Intended victim(s): specific victims, using spear phishing
     • Objectives: theft? disruption? fear?

  9. High Profile APT Attacks Are Increasingly Common

  10. We Are Only Seeing the Tip of the Iceberg (chart: headline-grabbing attacks above the surface; thousands more below the surface: APT attacks, zero-day attacks, polymorphic attacks, targeted attacks)

  11. Defining Advanced Targeted Attacks
     The New Threat Landscape: there is a new breed of attacks that are advanced, zero-day, and targeted (chart: Advanced Targeted Attack positioned against Traditional and Advanced).
     • Utilizes advanced techniques and/or malware: unknown, targeted, polymorphic, dynamic, personalized
     • Uses zero-day exploits, commercial quality toolkits, and social engineering
     • Often targets IP and credentials, and often spreads laterally throughout the network
     • AKA Advanced Persistent Threat (APT)

  12. The Enterprise Security Hole (diagram: attack vectors Web-based Attacks, Spear Phishing Emails and Malicious Files set against the defenses NGFW, FW, IPS, SWG and AV; the gap between them is labelled "Security Hole")

  13. Traditional Defenses Don’t Work
     Networks are being compromised as APTs easily bypass traditional signature-based defenses like NGFW, IPS, AV, and gateways. Advanced attacks bypass both signature- and heuristics-based technologies in existing IT security defenses.

  14. Typical Enterprise Security Architecture
     • Firewalls/NGFW: block IP/port connections, application-level control; no visibility into exploits and ineffective vs. advanced targeted attacks
     • IPS: attack-signature based detection, shallow application analysis, high false positives, no visibility into the advanced attack lifecycle
     • Secure Web Gateways: some analysis of script-based malware, AV, IP/URL filtering; ineffective vs. advanced targeted attacks
     • Anti-Spam Gateways: relies largely on antivirus, signature-based detection (some behavioral); no true spear phishing protection
     • Desktop AV: signature-based detection (some behavioral); ineffective vs. advanced targeted attacks

  15. Attacks Increasingly Sophisticated
     Multi-Vector (dynamic Web attacks, malicious exploits, spear phishing emails)
     • Delivered via Web or email
     • Blended attacks with email containing malicious URLs
     • Uses application/OS exploits
     Multi-Stage
     • Initial exploit stage followed by malware executable download, callbacks and exfiltration
     • Lateral movement to infect other network assets

  16. The Attack Lifecycle – Multiple Stages (diagram: a compromised Web server or Web 2.0 site, a callback server, an IPS, and internal File Share 1 and File Share 2)
     Stage 1: Exploitation of system
     Stage 2: Malware executable download
     Stage 3: Callbacks and control established
     Stage 4: Data exfiltration
     Stage 5: Malware spreads laterally (to the file shares)

  17. FireEye Malware-VM™ Filter (diagram: Fast Path real-time blocking in the appliance; a global loop sharing into MAX Cloud Intelligence; Phase 3 raises XML/SNMP alerts on infections as well as C&C destinations)
     • Phase 1: Aggressive capture heuristics
       - Deploys out-of-band/passive or inline
       - Multi-protocol capture of HTML, files (e.g. PDF), & EXEs
       - Maximizes capture of potential zero-day attacks
     • Phase 2: Virtual machine analysis
       - Confirmation of malicious attacks
       - Removal of false positives
     • Phase 3: Block call back
       - Stop data/asset theft

  18. The FireEye Difference: Multi-Stage, Multi-Vector
     Multi-Vector Protection
     • Protection against Web attacks
     • Protection against email attacks
     • Protection against file-based attacks
     Multi-Stage Protection
     • Inbound zero-day exploit detection
     • Outbound malware callback blocking
     • Malware binary payload analysis
     • Latent malware quarantine

  19. Multi-Vector Protection (diagram: Email MPS, Web MPS and File MPS reporting to the CMS; covers blended Web/email threats, Web threats, email threats, and internal lateral movement of threats)

  20. Multi-Staged Attack Pieces Connected (diagram: point products each see one isolated piece: Web exploit, callback, lateral movement, malware executable download, data exfiltration; the connected view links Web or email exploit, callback, lateral spread, malware executable download and data exfiltration into one attack)

  21. Web Malware Protection System
     • Inline, real-time, signature-less malware protection at near-zero false positives
     • Analyzes all web objects, e.g., web pages, Flash, PDF, Office docs and executables
     • Blocks malicious callbacks, terminating data exfiltration across protocols
     • Dynamically generates zero-day malware and malicious URL security content and shares it through the Malware Protection Cloud network
     • Integration with Email and File MPS and MAS for real-time callback channel blocking
     Features
     • Inline blocking both inbound and outbound
     • Advanced content analysis (PDF, JavaScript, URLs)
     • Models up to 1 Gbps at microseconds latency

  22. Multi-Protocol, Real-Time VX Engine
     Phase 1: Multi-Protocol Object Capture
     • Web MPS: aggressive capture, Web object filter
     Phase 2: Virtual Execution Environments (map to target OS and applications)
     • Dynamic, real-time analysis: exploit detection, malware executable analysis, cross-matrix of OS/apps
     • Originating URL, subsequent URLs, OS modification report, C&C protocol descriptors

  23. Email Malware Protection System
     • Protection against spear phishing and blended attacks
     • Analyzes all emails for malicious attachments and URLs
     • In-line MTA active security, or SPAN/BCC for monitoring
     • Brute-force analysis of all email attachments in the VX Engine
     • Web MPS integration for malicious URL analysis/blocking
     • Web MPS integration for blocking of newly discovered callback channels
     Features
     • Supports a large range of file types (PDF, Office formats, ZIP, etc.)
     • Attachment analysis
     • URL analysis
     • Correlation of malicious URLs to emails at the CMS

  24. Multi-Protocol, Real-Time VX Engine
     Phase 1: Multi-Protocol Object Capture
     • Web MPS: aggressive capture, Web object filter
     • Email MPS: email attachments, URL analysis
     Phase 2: Virtual Execution Environments (map to target OS and applications)
     • Dynamic, real-time analysis: exploit detection, malware executable analysis, cross-matrix of OS/apps
     • Originating URL, subsequent URLs, OS modification report, C&C protocol descriptors

  25. Protecting Against Blended Threats (diagram: Web MPS and Email MPS connected through the Central Management System)
     Secures against attacks using URLs in email
     • High priority URL analysis through the Web MPS VX engine
     • Web MPS integration for correlation of a malicious URL with the spear-phished email message
     • Web MPS integration for blocking of newly discovered callback channels

  26. File Malware Protection System
     • Protects file sharing servers from latent malware
     • Addresses malware brought into the network via web, email or file sharing, as well as other manual means
     • Detects the lateral spread of malware through network file shares
     • Continuous and incremental network file share analysis
     • Web MPS integration for blocking of newly discovered callback channels
     Features
     • Supports a large range of file types (PDF, Office, ZIP, etc.)
     • CIFS support
     • Malicious file quarantine
     • Integration via CMS

  27. Multi-Protocol, Real-Time VX Engine
     Phase 1: Multi-Protocol Object Capture
     • Web MPS: aggressive capture, Web object filter
     • Email MPS: email attachments, URL analysis
     • File MPS: network file shares
     Phase 2: Virtual Execution Environments (map to target OS and applications)
     • Dynamic, real-time analysis: exploit detection, malware executable analysis, cross-matrix of OS/apps
     • Originating URL, subsequent URLs, OS modification report, C&C protocol descriptors

  28. Multi-Layered Threat Intelligence Sharing (diagram)
     • Local sharing: internal feedback loop between the Web MPS and the Central Management System, within seconds
     • Cross-enterprise sharing: cross-enterprise Web MPS deployment
     • Global sharing: many 3rd-party feeds, validated by FireEye technology
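The lifecycle stages of slide 16, the URL-to-email correlation of slide 25 and the local sharing loop of slide 28 describe one detection idea: stitch single events seen from the email, web and outbound-connection vantage points into a per-host chain, and let a callback destination confirmed on one host protect every other host without re-analysis. The Python below is an added illustration of that idea for this transcript; it is not FireEye code and says nothing about how the MPS products are actually implemented. The event format, the `EXECUTABLE_MIMES` list, the three-connection `BEACON_THRESHOLD`, the function names and the sample telemetry are all constructed for the example.

```python
from collections import defaultdict

# Assumed, for the example: MIME types that count as an executable download.
EXECUTABLE_MIMES = {"application/x-msdownload", "application/x-dosexec"}
# Assumed threshold: this many connections from one host to one destination,
# after a malware download, is treated as a confirmed callback channel.
BEACON_THRESHOLD = 3

# Constructed sample telemetry (not real data). Times are seconds.
SAMPLE_EVENTS = [
    {"t": 100, "type": "email_url", "msg_id": "<m1@example.test>",
     "rcpt": "alice@corp.test", "url": "http://news-updates.example.test/report.html"},
    {"t": 160, "type": "web_fetch", "host": "10.0.0.5",
     "url": "http://news-updates.example.test/report.html", "mime": "text/html"},
    {"t": 165, "type": "web_fetch", "host": "10.0.0.5",
     "url": "http://news-updates.example.test/update.exe",
     "mime": "application/x-msdownload"},
    {"t": 400, "type": "outbound", "host": "10.0.0.5", "dst": "203.0.113.9:443"},
    {"t": 460, "type": "outbound", "host": "10.0.0.5", "dst": "203.0.113.9:443"},
    {"t": 520, "type": "outbound", "host": "10.0.0.5", "dst": "203.0.113.9:443"},
    {"t": 530, "type": "web_fetch", "host": "10.0.0.7",
     "url": "http://intranet.corp.test/index.html", "mime": "text/html"},
    {"t": 900, "type": "outbound", "host": "10.0.0.7", "dst": "203.0.113.9:443"},
    {"t": 910, "type": "outbound", "host": "10.0.0.8", "dst": "198.51.100.20:443"},
]


def correlate(events):
    """Replay events in time order and build one lifecycle chain per host.

    Returns (chains, blocklist): chains maps host -> {"msg_id", "stages"},
    blocklist is the set of destinations confirmed as callback channels.
    """
    emailed_urls = {}            # url -> message id that delivered it
    chains = {}                  # host -> lifecycle state
    beacons = defaultdict(int)   # (host, dst) -> connection count
    blocklist = set()

    def chain_for(host):
        return chains.setdefault(host, {"msg_id": None, "stages": []})

    for e in sorted(events, key=lambda ev: ev["t"]):
        kind = e["type"]
        if kind == "email_url":
            emailed_urls[e["url"]] = e["msg_id"]
        elif kind == "web_fetch":
            host = e["host"]
            if e["url"] in emailed_urls:
                # Stage 1: a host opened a URL that arrived by email.
                chain = chain_for(host)
                chain["msg_id"] = emailed_urls[e["url"]]
                if "exploit_url_from_email" not in chain["stages"]:
                    chain["stages"].append("exploit_url_from_email")
            elif (host in chains
                  and "exploit_url_from_email" in chains[host]["stages"]
                  and e.get("mime") in EXECUTABLE_MIMES
                  and "malware_download" not in chains[host]["stages"]):
                # Stage 2: the same host then pulled an executable.
                chains[host]["stages"].append("malware_download")
        elif kind == "outbound":
            host, dst = e["host"], e["dst"]
            if dst in blocklist:
                # Local sharing: a destination confirmed on one host is
                # blocked for every other host without re-analysis.
                chain = chain_for(host)
                if "blocked_known_callback" not in chain["stages"]:
                    chain["stages"].append("blocked_known_callback")
                continue
            chain = chains.get(host)
            if chain and "malware_download" in chain["stages"]:
                beacons[(host, dst)] += 1
                if (beacons[(host, dst)] >= BEACON_THRESHOLD
                        and "callback" not in chain["stages"]):
                    # Stage 3: repeated post-download connections = callback.
                    chain["stages"].append("callback")
                    blocklist.add(dst)
    return chains, blocklist


def alerts(events):
    """One human-readable alert line per host that reached any stage."""
    chains, blocklist = correlate(events)
    lines = []
    for host, chain in sorted(chains.items()):
        lines.append("%s: %s (email %s)" % (
            host, " -> ".join(chain["stages"]), chain["msg_id"] or "n/a"))
    for dst in sorted(blocklist):
        lines.append("blocked callback destination: %s" % dst)
    return lines


if __name__ == "__main__":
    for line in alerts(SAMPLE_EVENTS):
        print(line)
```

Run stand-alone, the script reports host 10.0.0.5 reaching the exploit, download and callback stages traced back to message `<m1@example.test>`, and host 10.0.0.7 being blocked on its first connection to the destination 10.0.0.5 had already confirmed. A host that only talks to unknown destinations (10.0.0.8) produces nothing, which is the point of requiring the earlier stages before treating repeated connections as a callback.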

  29. Summary
     • Pace of advanced targeted attacks is accelerating, affecting all verticals and all segments
     • Traditional defenses (NGFW, IPS, AV, and gateways) no longer stop these attacks
     • Real-time, integrated signature-less solution is required across Web, email and file attack vectors
     • FireEye has engineered the most advanced threat protection to supplement traditional defenses and stop advanced targeted attacks
     Complete Protection Against Advanced Targeted Attacks (diagram: Malware Protection Cloud, Central Management System, Malware Analysis System, Web Malware Protection System, Email Malware Protection System, File Malware Protection System)

  30. Enjoy the rest of the show! Thank You!
