The Evolution of Endpoint Security: Detecting and Responding to Malware Across the Kill Chain

David Flournoy Bit9 Mid-Atlantic Regional Manager

Significant Data Breaches in Last Twelve Months

[Timeline graphic: breaches plotted by month, January through December]

“In 2020, enterprises will be in a state of continuous compromise.”

Why is the Endpoint Under Attack?
  • Host-based security software still relies on AV signatures
      • Writing signatures is a routine process for antivirus vendors, but it takes time and can no longer keep up with the massive volume of new malware
      • Host-based security software’s dependency on signatures and scanning engines remains an Achilles heel when addressing modern malware
  • Evasion techniques can easily bypass host-based defenses
      • Malware writers use compression (packing) and encryption to bypass AV filters
      • Malware developers use polymorphism or metamorphism to change the appearance of malicious code from system to system, so a signature written for one copy does not match the next
  • Cyber adversaries test malware against popular host-based software
      • Criminal web sites let malware authors submit their samples for testing against dozens of AV products before release
The State of Information Security

Compromise happens in seconds

Data exfiltration starts minutes later

It continues undetected for months

Remediation takes weeks

At $341k per incident in forensics costs

THIS IS UNSUSTAINABLE

The Kill Chain
  • Reconnaissance: attacker researches potential victim
  • Weaponization: attacker creates deliverable payload
  • Delivery: attacker transmits weapon into the environment
  • Exploitation: attacker exploits vulnerability
  • Installation: attacker changes system configuration
  • C2: attacker establishes control channel
  • Action: attacker attempts to exfiltrate data

Protection = Prevention, Detection and Response

“Security…will shift to rapid detection and response capabilities linked to protection systems to block further spread of the attack.”

Gartner Endpoint Threat Detection and Response Tools and Practices, Sept. 2013

“Functions organize basic cybersecurity activities at their highest level. These Functions are: Identify, Protect, Detect, Respond, and Recover.”

NIST Cybersecurity Framework for Critical Infrastructure, Feb 2014

Need a Security Lifecycle to Combat Advanced Threats

[Lifecycle diagram: four linked stages, Prevention, Visibility, Detection and Response, grouped into Prevent and Detect & Respond]
Reduce Attack Surface with Default-Deny
  • Traditional EPP failure
    • Scan/sweep based (strobe light: the endpoint is only inspected at scan time)
    • Signature based
      • Block known bad
  • Success of emerging endpoint prevention solutions
    • Real time
    • Policy based
      • Tailor policies based on environment
    • Trust based
      • Block all but known good
  • Objective of emerging endpoint prevention solutions
    • Lock down endpoint/server
    • Reduce attack surface area
      • Make it as difficult as possible for the advanced attacker
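To make the “block known bad” versus “block all but known good” distinction concrete, here is an added example (not Bit9 code and not from the presentation): a toy signature blocklist and a toy default-deny allowlist are evaluated against constructed byte strings standing in for executables. The `pub=` field is a stand-in for a verified code signature; the vendor name, file contents and rule set are assumptions.

```python
"""Block-known-bad (signature blocklist) vs. block-all-but-known-good
(default-deny allowlist).  Added example, not Bit9 code; the 'executables'
below are constructed byte strings and the 'pub=' tag is a stand-in for a
cryptographically verified code signature."""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def publisher(data: bytes) -> str:
    """Extract the constructed 'pub=' field.  A real policy engine verifies
    the Authenticode/code signature instead of trusting a string in the file,
    because a string like this is trivially spoofable."""
    for field in data.split(b"|"):
        if field.startswith(b"pub="):
            return field[4:].decode()
    return ""


# Constructed samples (assumed vendor name, assumed contents).
EDITOR_V1 = b"MZ|pub=ExampleSoft Inc.|editor 1.0"
EDITOR_V2 = b"MZ|pub=ExampleSoft Inc.|editor 1.1"      # routine vendor update
DROPPER = b"MZ|dropper: fetch stage2, add service"       # unsigned malware
DROPPER_VARIANT = DROPPER + b"\x90"  # repacked/polymorphic build: same behaviour, new hash


class Blocklist:
    """Traditional AV model: block whatever matches a known-bad signature
    (here the signature is simply a SHA-256 of a sample already seen)."""

    def __init__(self, bad_hashes):
        self.bad = set(bad_hashes)

    def decide(self, data: bytes) -> str:
        return "BLOCK" if sha256(data) in self.bad else "ALLOW"


class DefaultDeny:
    """Trust-based model: run only approved hashes (and, when the policy is
    tailored for the environment, files from trusted publishers); everything
    else is blocked without needing to be recognised first."""

    def __init__(self, good_hashes, trusted_publishers=()):
        self.good = set(good_hashes)
        self.trusted = set(trusted_publishers)

    def decide(self, data: bytes) -> str:
        if sha256(data) in self.good:
            return "ALLOW"
        if publisher(data) in self.trusted:
            return "ALLOW"
        return "BLOCK"


def evaluate():
    """Return (blocklist, strict allowlist, tailored allowlist) decisions per sample."""
    av = Blocklist([sha256(DROPPER)])                      # knows only the original dropper
    strict = DefaultDeny([sha256(EDITOR_V1)])              # hash-only allowlist
    tailored = DefaultDeny([sha256(EDITOR_V1)], trusted_publishers={"ExampleSoft Inc."})
    samples = {
        "editor_v1": EDITOR_V1,
        "editor_v2": EDITOR_V2,
        "dropper": DROPPER,
        "dropper_variant": DROPPER_VARIANT,
    }
    return {name: (av.decide(d), strict.decide(d), tailored.decide(d))
            for name, d in samples.items()}


if __name__ == "__main__":
    for name, decisions in evaluate().items():
        print(f"{name:16} blocklist={decisions[0]:5} strict={decisions[1]:5} tailored={decisions[2]}")
```

The repacked variant sails past the blocklist (its hash was never seen) but is still stopped by both allowlists, which is the point of default-deny. The strict hash-only policy also blocks the vendor’s routine update, which is the operational cost that “tailor policies based on environment” (trusted publishers or updaters) is meant to pay down; the check a practitioner must add is that publisher trust is anchored in a verified signature, not in a string the malware author can copy.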
Reduce Attack Surface Across Kill Chain
  • Reconnaissance: attacker researches potential victim
  • Weaponization: attacker creates deliverable payload
  • Delivery: attacker transmits weapon into the environment
  • Exploitation: attacker exploits vulnerability
  • Installation: attacker changes system configuration
  • C2: attacker establishes control channel
  • Action: attacker attempts to exfiltrate data

[Diagram annotation: “Prevention effective here”]

Detect in Real-time and Without Signatures
  • Traditional EPP failure
    • Scan/sweep based
    • Small signature database
  • Success of emerging endpoint detection solutions
    • Large global database of threat intelligence
    • Signature-less detection through threat indicators (behaviour, not byte patterns)
    • Watchlists
  • Objective of emerging endpoint detection solutions
    • Prepare for the inevitability of breach and a continuous state of compromise
    • Cover more of the kill chain than prevention can
    • Enable rapid response
Reduce Attack Surface Across Kill Chain
  • Reconnaissance: attacker researches potential victim
  • Weaponization: attacker creates deliverable payload
  • Delivery: attacker transmits weapon into the environment
  • Exploitation: attacker exploits vulnerability
  • Installation: attacker changes system configuration
  • C2: attacker establishes control channel
  • Action: attacker attempts to exfiltrate data

[Diagram annotations: “Prevention effective here”; “Detection effective here”]

Rapidly Respond to Attacks in Motion
  • Traditional EPP failure
    • Expensive external consultants
    • Relies heavily on disk and memory artifacts as the only recorded history
  • Success of emerging endpoint incident response solutions
    • Real-time, continuously recorded history, held in a centralized database, delivers IR in seconds
    • Attack process visualization and analytics
    • Better, faster and less expensive
  • Objective of emerging endpoint incident response solutions
    • Pre-breach rapid incident response
    • Better prepare prevention moving forward
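Added example, not Carbon Black code, serving both the “Detect in Real-time and Without Signatures” slide and this one: constructed sensor records (process starts, file writes, network connections, registry writes) are run through three behavioural watchlist rules that use no hash or byte signature, and a hit is then scoped from the recorded history by walking the process tree back to its root and forward to everything it spawned. The event schema, rule names, paths, vendor directories and addresses are assumptions.

```python
"""Signature-less detection over recorded endpoint history, then scoping the
attack chain from a hit.  Added example, not Carbon Black code: the sensor
records below are constructed and the watchlist rules are illustrative."""
from collections import defaultdict

# Constructed sensor records, in time order: a normal desktop session plus a
# phishing chain (Outlook -> Word -> cmd -> PowerShell -> dropped binary ->
# new service).  Remote addresses are RFC 5737 documentation ranges.
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 4,   "image": r"C:\Windows\explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\outlook.exe"},
    {"type": "process", "pid": 700, "ppid": 100, "image": r"C:\Program Files\Google\Chrome\chrome.exe"},
    {"type": "netconn", "pid": 700, "remote": "198.51.100.9:443"},
    {"type": "process", "pid": 300, "ppid": 200, "image": r"C:\Program Files\Microsoft Office\winword.exe"},
    {"type": "process", "pid": 400, "ppid": 300, "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "process", "pid": 500, "ppid": 400,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "filemod", "pid": 500, "path": r"C:\Users\alice\AppData\Local\Temp\upd.exe"},
    {"type": "process", "pid": 600, "ppid": 500, "image": r"C:\Users\alice\AppData\Local\Temp\upd.exe"},
    {"type": "netconn", "pid": 600, "remote": "203.0.113.7:443"},
    {"type": "regmod",  "pid": 600, "key": r"HKLM\SYSTEM\CurrentControlSet\Services\UpdSvc\ImagePath"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def index(events):
    """Process records keyed by pid, plus every other record grouped by pid."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    activity = defaultdict(list)
    for e in events:
        if e["type"] != "process":
            activity[e["pid"]].append(e)
    return procs, activity


def watchlist_hits(events):
    """Behavioural indicators: each fires on what a process did, never on
    what its bytes look like, so a repacked sample still trips them."""
    procs, activity = index(events)
    hits = []
    for pid, p in procs.items():
        name = basename(p["image"])
        parent = procs.get(p["ppid"])
        parent_name = basename(parent["image"]) if parent else ""
        # 1. An Office application spawning a shell or script host.
        if parent_name in OFFICE_APPS and name in SCRIPT_HOSTS:
            hits.append((pid, "office_spawns_script_host"))
        # 2. A binary running from a user-writable directory that talks to the network.
        image = p["image"].lower()
        if any(d in image for d in USER_WRITABLE) and any(
                a["type"] == "netconn" for a in activity[pid]):
            hits.append((pid, "user_writable_binary_netconn"))
        # 3. Service persistence written by something other than the SCM itself.
        if name != "services.exe" and any(
                a["type"] == "regmod" and "\\services\\" in a["key"].lower()
                for a in activity[pid]):
            hits.append((pid, "service_persistence"))
    return hits


def attack_chain(events, pid):
    """Scope an incident from one hit using the recorded history: walk the
    process tree back to its root and forward to every descendant, gathering
    the files dropped, network peers and persistence keys touched on the way."""
    procs, activity = index(events)
    ancestry, cur = [], pid
    while cur in procs:                 # stops at an unrecorded parent (pid 4)
        ancestry.append(cur)
        cur = procs[cur]["ppid"]
    ancestry.reverse()
    children = defaultdict(list)
    for p in procs.values():
        children[p["ppid"]].append(p["pid"])
    scope, stack = [], [pid]
    while stack:
        c = stack.pop()
        scope.append(c)
        stack.extend(children[c])

    def gather(kind, field):
        return sorted(a[field] for p in scope for a in activity[p] if a["type"] == kind)

    return {
        "path": [basename(procs[p]["image"]) for p in ancestry],
        "descendants": sorted(scope),
        "dropped": gather("filemod", "path"),
        "netconns": gather("netconn", "remote"),
        "persistence": gather("regmod", "key"),
    }


if __name__ == "__main__":
    hits = watchlist_hits(EVENTS)
    print("watchlist hits:", hits)
    for k, v in attack_chain(EVENTS, hits[0][0]).items():
        print(f"{k}: {v}")
```

The first hit fires on cmd.exe under winword.exe, and scoping from it yields the path explorer.exe > outlook.exe > winword.exe > cmd.exe, the PowerShell and dropped binary below it, the outbound connection and the service key, which is what the slides describe as seeing the kill chain from the vulnerable process to the persistent malicious service in seconds. The caveat a practitioner should note: this only works because the history was recorded before anyone knew to look, so the sensor has to be on every endpoint ahead of the incident, not deployed after the alert.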
Current Failures Within the Incident Response Process

The Six-Step IR Process, and where it fails:
  • Preparation. Failure: no IR plan with processes and procedures in place.
  • Identification & Scoping. Failure: no recorded history with which to fully identify or scope the threat.
  • Containment. Failure: the threat is not properly identified, so it cannot be fully contained.
  • Eradication & Remediation. Failure: after failing to fully scope the threat, remediation is impossible.
  • Recovery. Failure: the organization resumes operations with a false sense of security.
  • Follow Up & Lessons Learned. Failure: no post-incident process in place, or expert recommendations are not implemented.

Advanced Threat Protection for Every Endpoint and Server

Endpoint and server classes covered:
  • High-Risk/Targeted Users
  • Fixed-Function and Critical Infrastructure Devices
  • Data Center Servers
  • All Other Users

Protection layers, built up across three slides:
  • Watch and record
  • Stop all untrusted software
  • Detect and block on the fly
Bit9 + Carbon Black: Security Lifecycle in One Solution

[Lifecycle diagram: Prevent (Prevention, Visibility) + Detect & Respond (Detection, Response)]

Bit9 + Carbon Black

1. Reduce Your Attack Surface: Advanced Threat Prevention
  • New signature-less prevention techniques
  • Market leader in Default-Deny
  • Proactive prevention mechanisms customizable for different users and systems

2. Rapidly Detect & Respond to Threats: Incident Response in Seconds
  • Continuously monitor and record every endpoint/server
  • Technology leader, purpose-built by experts
  • Super lightweight sensor that records and monitors everything and is deployable to every computer
Bit9 + Carbon Black: Understanding the Entire Kill Chain
  • See the kill chain in seconds
  • From vulnerable processes to the persistent malicious service
  • Would take days or weeks to re-create using traditional tools
Takeaways
  • Bit9 is much more than application control/application whitelisting
  • Reduce your attack surface with prevention
  • Prepare for inevitability of compromise
    • Detect in real time without signatures
    • Pre-breach rapid response in seconds with recorded history
  • Establish an IR plan
  • Understand the need for a security lifecycle
  • Deploy security solutions across entire environment

“In 2020, enterprises will be in a state of continuous compromise.”