Tim Davidson System Engineer - PowerPoint PPT Presentation
Malware Pandemic? Sometimes getting a shot only treats the symptoms and not the cause…. Tim Davidson System Engineer. Agenda. Changing Threat Landscape. Changing Threat Landscape – Advanced Persistent Threats (APTs). The New Threat Landscape

    Presentation Transcript
    1. Malware Pandemic? Sometimes getting a shot only treats the symptoms and not the cause… Tim Davidson System Engineer

    2. Agenda

    3. Changing Threat Landscape

    4. Changing Threat Landscape – Advanced Persistent Threats (APTs)
       The New Threat Landscape: there is a new breed of attacks that are advanced, zero-day, and targeted. (Diagram: legacy attacks vs. modern Advanced Persistent Threats.)

    5. High Profile Targeted Attacks
       • 3 minutes: on average, malware activities take place once every 3 minutes
       • 184 countries, 41%: over the past year, FireEye captured callbacks to 184 countries, a 41% rise
       • 46%: Asia (China, Korea, India, Japan, Hong Kong) accounts for 24% of callbacks; Eastern Europe (Russia, Poland, Romania, Ukraine, Kazakhstan, Latvia) accounts for 22%
       • Technology companies experienced the highest rate of callback activity
       • 89% of callback activities are linked with APT tools made in China or Chinese hacker groups
       Source: FireEye Advanced Threat Report, March 2013

    6. Significant Compromise Still Exists!
       (Chart: percent of deployments vs. incidents*/week at a normalized bandwidth of 1 Gbps, log scale from 10 to 100,000.)
       • 98.5% of deployments see at least 10 incidents*/week/Gbps
       • Average is about 221 net new incidents*/week at only 1 Gbps
       • 20% of deployments have thousands of incidents*/week
       * An incident is beyond inbound malware – it includes an exploit and callback
       Source: FireEye Advanced Threat Report, March 2013

    7. Why Traditional Defenses Fail

    8. What’s causing the compromise? The new threat landscape:
       • Dynamic, polymorphic malware
       • Coordinated, persistent threat actors
       • Multi-vector attacks
       • Multi-staged attacks

    9. The Attack Life Cycle – Multiple Stages
       1. Exploitation of system (via a compromised web server or Web 2.0 site)
       2. Malware executable download
       3. Callbacks and control established (to a callback server)
       4. Data exfiltration
       5. Malware spreads laterally (to file shares)
       Exploit detection is critical: all subsequent stages can be hidden or obfuscated. (Diagram also shows an IPS in the path and two file shares.)

    10. Traditional Defenses Don’t Work
        The new breed of attacks evades signature-based defenses: firewalls/NGFW, anti-spam gateways, IPS, secure web gateways, desktop AV.

    11. The Enterprise Security Hole
        (Diagram: attack vectors – web-based attacks, spear phishing emails, malicious files – passing through NGFW, FW, IPS, SWG and AV, leaving a security hole.)

    12. A New Model is Required
        Legacy pattern-matching detection model:
        • Signature-based
        • Reactive
        • Only known threats
        • Many false negatives
        New virtual execution model:
        • Signature-less
        • Dynamic, real-time
        • Known/unknown threats
        • Minimal false positives

    13. Introducing the FireEye Platform

    14. FireEye Platform: Next Generation Threat Protection
        (Diagram: Multi-Vector Virtual Execution engine, Dynamic Threat Intelligence (cloud and enterprise), technology interoperability, ecosystem partners.)

    15. FireEye Platform: Multi-Vector Virtual Execution (MVX)
        Multi-vector blended attack (diagram: Email MPS, Web MPS, CMS, MVX, SMTP inbound, HTTP outbound, callback server):
        1 – Email with weaponized PDF
        2 – Executed in MVX (Email MPS) – phish suspected
        3 – Web MPS notified via CMS
        4 – Callback over HTTP to C&C server
        5 – Callback detected by Web MPS and blocked
        6 – End user defended from multi-vector attack

    16. FireEye Platform: Multi-Flow Virtual Execution
        • File-oriented sandboxing can be easily evaded by malware
        • Lack of virtually executing flows vs. file-based approach
        • Lack of capturing and analyzing flows across multiple vectors
        • FireEye uses multi-vector, multi-flow analysis to understand the full context of today’s cyber attacks
        • Stateful attack analysis shows the entire attack life cycle
        • Enables FireEye to disrupt each stage and neutralize the attack
        (Diagram: infection server → exploit → malware executable downloads → callbacks to callback server → data exfiltration.)
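    The multi-vector hand-off on slide 15 and the stateful multi-flow idea on slide 16, as an added, constructed simulation (not FireEye code and not any product API): stages seen on separate flows are chained per endpoint, and a callback host learned by the email-vector sandbox is shared so the web vector can block it. The class, endpoint names and the host c2.example.invalid are all constructed.

```python
from collections import defaultdict

# Attack stages in life-cycle order (labels constructed from slide 9).
STAGES = ("exploit", "download", "callback", "lateral", "exfil")
CHAIN = {"exploit", "download", "callback"}   # stages that must link up

class MultiFlowCorrelator:
    """Constructed model: judge an endpoint by the chain of stages seen across
    separate flows and vectors, not by one file in isolation."""

    def __init__(self):
        self.stages = defaultdict(set)   # endpoint -> set of stages observed
        self.callback_hosts = set()      # indicators shared between vectors

    def add_sandbox_verdict(self, callback_host):
        """Email-vector sandbox saw a detonated attachment call home;
        share the host so the web vector can block it (slide 15, step 3)."""
        self.callback_hosts.add(callback_host.lower())

    def observe(self, endpoint, stage, dst_host=None):
        """Record one flow-level event and return the action for that flow."""
        if stage not in STAGES:
            raise ValueError(f"unknown stage {stage!r}")
        self.stages[endpoint].add(stage)
        if stage == "callback" and dst_host and dst_host.lower() in self.callback_hosts:
            return "block"   # slide 15, step 5: callback detected and blocked
        return "allow"

    def verdict(self, endpoint):
        """'compromised' once exploit, download and callback have all been
        seen for the endpoint, 'suspicious' for a partial chain, else 'clean'."""
        seen = self.stages[endpoint]
        if CHAIN <= seen:
            return "compromised"
        return "suspicious" if seen else "clean"

def run_scenario():
    """Constructed events: one workstation seen across three web flows, then an
    email verdict protecting a second workstation from the same callback host."""
    c = MultiFlowCorrelator()
    c.observe("ws-17", "exploit")
    c.observe("ws-17", "download")
    partial = c.verdict("ws-17")                       # chain incomplete so far
    c.observe("ws-17", "callback", dst_host="c2.example.invalid")
    full = c.verdict("ws-17")                          # whole life cycle seen
    c.add_sandbox_verdict("c2.example.invalid")        # weaponized pdf detonated
    action = c.observe("ws-42", "callback", dst_host="C2.example.invalid")
    return partial, full, action   # ("suspicious", "compromised", "block")
```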

    17. FireEye Platform: Dynamic Threat Intelligence
        (Diagram: each enterprise’s DTI Enterprise appliance and the ecosystem partners exchange anonymized malware metadata with the DTI Cloud.)

    18. FireEye Advantage

    19. FireEye Platform Advantage
        1. Thousands of permutations (files, OS, browser, apps)
        2. Multi-flow analysis
        3. Multi-vector analysis
        4. Correlation of information
        5. Cloud sharing
        6. Time to protection
        (Diagram: MVX local loop within a single enterprise; Dynamic Threat Intelligence (DTI) threat protection fabric across enterprises.)

    20. Sandbox Approach (Cloud) – file-oriented sandbox, evasion
        Rated against: 1. thousands of permutations (files, OS, browser, apps); 2. multi-flow analysis; 3. multi-vector analysis; 4. correlation of information; 5. cloud sharing; 6. time to protection. Ratings shown: single file, single vector, partial, hours or days.
        • Sandbox in the cloud
        • Privacy violation
        • Compliance and regulation violation
        • Latency issues

    21. Sandbox Approach (On-Premises) – file-oriented sandbox
        Rated against: 1. thousands of permutations (files, OS, browser, apps); 2. multi-flow analysis; 3. multi-vector analysis; 4. correlation of information; 5. cloud sharing; 6. time to protection. Ratings shown: single file, single vector, hashes of limited value, non-real-time.
        • Sandbox (on-premises)
        • Malware can easily circumvent a generic sandbox
        • File-based sandbox misses the exploit detection phase
        • No flow causes lack of stateful malware analysis

    22. Key Takeaways

    23. Thank You