Post on 15-Jan-2015
Threat and Response: Combatting Advanced Attacks and Cyber Espionage
Dave Merkel, CTO
August 2014
Reimagined Security
Insecurity By the Numbers
Around the Enterprise in 229 Days
[Timeline figure: Initial Breach → Threat Undetected → Remediation, with marks at 3, 6 and 9 months]
229 days: median number of days attackers are present on a victim network before detection.
… of companies learned they were breached from an external entity.
Source: M-Trends Report 2014
Broad Sector Targeting
• Extremely broad targeting
• IP-intensive businesses continually a focus
• International business dealings
• Increase in Finance and Media/Entertainment is notable
The Malware Lifespan: Two Hours
[Chart: malware samples (0 to 350,000) by hours since first seen (0 to 7), 2012 vs. 2013]
Source: FireEye Labs
• … of malware only exists once
• … of malware disappears after one hour
Ghost Hunting with Antivirus
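The "ghost hunting" point, as an added illustration that is not part of the original deck and not FireEye code: when every build of a payload carries a different file hash, a hash blocklist (the classic antivirus signature) only ever catches the one build the vendor already saw, while something the operator has to keep stable, here a C2 hostname string, still identifies every build. The payload bytes, the `repack` function and the `.invalid` hostname are constructed for this example; a real packer rewrites far more than an appended overlay, which only strengthens the point about hashes.

```python
import hashlib
from collections import Counter
from typing import Iterable, Set

# Constructed stand-in for a malware payload (not a real sample): a header,
# a string the operator keeps stable across builds (the C2 hostname, using a
# reserved .invalid name) and some padding.
STABLE_MARKER = b"c2.example.invalid"
BASE_PAYLOAD = b"MZ\x90\x00" + b"\x00" * 48 + STABLE_MARKER + b"\x00" * 48


def repack(payload: bytes, build: int) -> bytes:
    """Simulate a per-victim build: same payload, different overlay bytes.

    A build-specific blob appended to the file is already enough to give
    every build a unique SHA-256, so each one "exists only once" in a feed.
    """
    overlay = hashlib.sha256(b"build-%d" % build).digest()
    return payload + overlay


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_blocklist_hits(samples: Iterable[bytes], blocklist: Set[str]) -> int:
    """Count samples a hash-based blocklist would catch."""
    return sum(1 for s in samples if sha256_hex(s) in blocklist)


def marker_hits(samples: Iterable[bytes], marker: bytes) -> int:
    """Count samples caught by a content signature on the stable artefact."""
    return sum(1 for s in samples if marker in s)


def singleton_fraction(samples: Iterable[bytes]) -> float:
    """Fraction of distinct hashes in the feed that were seen exactly once."""
    counts = Counter(sha256_hex(s) for s in samples)
    return sum(1 for c in counts.values() if c == 1) / len(counts)


def demo(n_builds: int = 10) -> dict:
    """Feed of n_builds distinct builds plus a second sighting of build 0."""
    samples = [repack(BASE_PAYLOAD, b) for b in range(n_builds)]
    samples.append(repack(BASE_PAYLOAD, 0))
    # The vendor only ever saw build 0, so that is the only hash it can ship.
    blocklist = {sha256_hex(samples[0])}
    return {
        "samples": len(samples),
        "hash_hits": hash_blocklist_hits(samples, blocklist),
        "marker_hits": marker_hits(samples, STABLE_MARKER),
        "singleton_fraction": singleton_fraction(samples),
    }


if __name__ == "__main__":
    print(demo())
```

With ten builds and one repeat, the hash blocklist catches two of eleven files, the marker catches all eleven, and nine of the ten distinct hashes were seen exactly once. The same pattern is why a defender wants behavioural or structural indicators (what the code does, where it connects) rather than a list of hashes the attacker can invalidate for free.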
Maginot Line Report
• 1,216 organizations reviewed from October 2013 to March 2014
• Sectors included: Government, Financial Services, Chemicals and Manufacturing, High-tech, Consulting, Energy, Retail, and Healthcare
• 97% of organizations breached
• 27% of attacks consistent with APT tools and tactics
• An average of over 120 malware payloads bypassed other defenses
A Global Threat…
1. United States
2. South Korea
3. Canada
4. Japan
5. United Kingdom
6. Germany
7. Switzerland
8. Taiwan
9. Saudi Arabia
1 Year After APT1…
[Report cover: the Mandiant report providing evidence linking a China-based cyber threat group to the People's Republic of China (PRC)]
• APT1 and APT12 threat groups paused operations following the public release of Mandiant's report
• Both groups changed operational infrastructure, replacing what had been exposed in the APT1 report
• Despite specific warnings by the Obama administration, China-based APT activity indicates that the PRC has no intention of abandoning its cyber campaign
Anything Working?
Wartime vs. Peacetime Mindsets
Defense in Depth A military strategy; it seeks to delay rather than prevent the advance of an attacker…Rather than defeating an attacker with a single, strong defensive line, [it] relies on the tendency of an attack to lose momentum over a period of time…Once an attacker has lost momentum…defensive counter-attacks can be mounted on the attacker's weak points [to] drive the attacker back to its original starting position.
Presumes the defensive measure limits or reduces momentum.
Defense in Depth – IT Translation An information assurance (IA) concept in which multiple layers of security controls (defense) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited that can cover aspects of personnel, procedural, technical and physical for the duration of the system's life cycle.
Presumes the defensive measure was effective in the first place.
Defense in Depth
[Build: FW, then FW + IDS, then FW + IDS + SIEM, then FW + IDS + SIEM + AV, one layer added per slide]
Same Model, No Momentum Reduction
Defense in Shallow
[AV, FW, IDS, SIEM stacked as a single row of controls]
Defense in Depth
[AV, FW, IDS, SIEM stacked as before, with a further layer added]
Expertise and Forensics? Analytics? Behavior?
The Continuous Threat Prevention Process (real time)
• Detect: multiple approaches to identify attacks at the earliest stage
• Prevent: prevent what you can prevent… it will never be 100%
• Analyze: containment, forensic investigation and kill chain reconstruction
• Resolve: remediation support and threat intelligence to recover and improve risk posture
Make sure executives understand it's not just "Detect and Prevent"
Make sure executives understand you're dealing with humans attacking you… not malware
Make sure executives understand this is continuous… it's not going away… and may never go away
So What's Working?
• Wartime Mindset: Acceptance of the New Normal
• Beyond Compliance: Look at Efficacy vs. Real Threats and Aligning Budget
• Resilience: Ability to Operate Through the Breach
Why FireEye?
Virtual Machine-Based Model of Detection
• Purpose-built for security
• Hardened hypervisor
• Scalable
• Portable
Security needs to be reimagined to address the new threat landscape
Finds known/unknown cyber-attacks in real time across all vectors
The FireEye MVX Architecture
• Threat Prevention Platforms powered by MVX Technology: Network, Email, Endpoint, Mobile, Content, Analytics, Forensics
• Dynamic Threat Intelligence
• FireEye Managed Defense
Copyright © 2014, FireEye, Inc. All rights reserved.
Thank You