©2014 Bit9. All Rights Reserved. Prevent, Detect & Respond: Prevention, Visibility, Detection, Response. Security Life Cycle for Advanced Threats (EPP, ETDR)

Transcript

Slide 1

©2014 Bit9. All Rights Reserved.

Slide 2: Prevent, Detect & Respond
Prevention, Visibility, Detection, Response. Security Life Cycle for Advanced Threats (EPP, ETDR).

Slide 3: Once Upon a Time
You could keep the enemy at the gates.

Slide 4: Technology Has Evolved
Cloud computing, mobile computing, Internet of Things.
- Surface area is ever-increasing.
- Perimeters are becoming less relevant.
- Everything is connected to something.
- Technology is crossing into our physical world.

Slide 5: Threat Actors Have Evolved
- Criminal enterprises: broad-based and targeted attacks; financially motivated; getting more sophisticated.
- Hacktivists: targeted and destructive attacks; unpredictable motivations; generally less sophisticated.
- Nation-states: targeted and multi-stage attacks; motivated by information and IP; highly sophisticated, endless resources.

Slide 6: Endless Stream of News

Slide 7: The Malware Problem by the Numbers
- 66% of malware took months or even years to discover (dwell time). [1]
- 69% of intrusions are discovered by an external party. [1]
- 155k: the number of new malware samples that are seen daily. [2]
- $5.4M: the average total cost of a data breach. [3]
Sources: 1. 2013 Verizon Data Breach Investigations Report | 2. McAfee Threats Report: First Quarter 2013 | 3. Ponemon Institute 2013 Cost of a Data Breach Study

Slide 8: The State of Information Security
Compromise happens in seconds. Data exfiltration starts minutes later. It continues undetected for months. Remediation takes weeks, at $341k per incident in forensics costs. THIS IS UNSUSTAINABLE.

Slide 9: Don't Overcomplicate the Threat
Simple threat model: 1: opportunistic; 2: not.

Slide 10
Opportunistic threats find value in our computers. Goal: breadth of access.
Advanced threats find value in our data. Goal: precision of access.

Slide 11: How This Impacts Traditional Security
[Two charts, "Hosts Compromised" (10 to 100k, log scale) against "Time" (Week 1 to Week 7), one for opportunistic and one for advanced threats, each with a "Threshold of Detection" line.]
- Opportunistic: the attacker's goal is to maximize slope. Signature available.
- Advanced: the attacker's goal is to minimize slope. Signature available?

Slide 12: A New Perspective Is Required
Assume you will be breached. Compromise is inevitable.

Slide 13
"In 2020, enterprises will be in a state of continuous compromise."
Gartner, Prevention Is Futile in 2020: Protect Information Via Pervasive Monitoring and Collective Intelligence, Neil MacDonald, May 30, 2013.

Slide 14: The Assumption of Breach
How will you know? What will you do?

Slide 15: Rethink Your Security Strategy
- Security cannot be done in isolation; it is a continuous process.
- Prevention is no longer enough; invest in detection and response.
- Traditional approaches are ineffective; move from reactive to proactive.

Slides 16 and 17: The Adaptive Security Architecture
Gartner, Designing an Adaptive Security Architecture for Protection From Advanced Attacks, February 2014.

Slide 18: The Adaptive Security Architecture - Capabilities
Gartner, Designing an Adaptive Security Architecture for Protection From Advanced Attacks, February 2014.

Slide 19: Key Characteristics of Next Gen Security
(Grouped under Detection, Visibility, Response, Integration and Prevention.)
- Forensic-quality data collection and analysis.
- Threat intelligence to interpret and prioritize data.
- At all stages of the kill chain, not just the point of delivery.
- Based on behaviors and context, not just files/IPs.
- Real-time, not scan or snapshot based.
- Provide full historical context of activity.
- Information needed to assess impact and scope.
- Remediation and containment.
- Proactive signature-less prevention techniques.
- Adapt based on detection and response.
- Incorporate and correlate data from third-party sources.
- Export data and alerts to other tools.

Slide 20: Visibility, Detection, Response
Security Life Cycle for Advanced Threats.

Slide 21: Reduce Attack Surface with Default-Deny (Prevention)
- Traditional EPP failure: scan/sweep based; signature based; block known bad.
- Success of emerging endpoint prevention solutions: real time; policy based; tailor policies based on environment; trust based; block all but known good.
- Objective of emerging endpoint prevention solutions: lock down endpoint/server; reduce attack surface area; make it as difficult as possible for the advanced attacker.

Slide 22: Detect in Real Time and Without Signatures (Detection)
- Traditional EPP failure: scan/sweep based; small signature database.
- Success of emerging endpoint detection solutions: large global database of threat intelligence; signature-less detection through threat indicators; watchlists.
- Objective of emerging endpoint detection solutions: prepare for the inevitability of breach and a continuous state of compromise; cover more of the kill chain than prevention; enable rapid response.

Slide 23: Rapidly Respond to Attacks in Motion (Response)
- Traditional EPP failure: expensive external consultants; relies heavily on disk and memory artifacts for recorded history.
- Success of emerging endpoint incident response solutions: real-time continuous recorded history, in a centralized database, delivers IR in seconds; attack process visualization and analytics; better, faster and less expensive.
- Objective of emerging endpoint incident response solutions: pre-breach rapid incident response; better prepare prevention moving forward.

Slide 24: Too Much Data, Not Enough Intelligence
- Incorporate threat intelligence: what happens to someone else can happen to you; filter, prioritize and alert on third-party feeds, reputation and indicators.
- Integrate your tools: attacks happen on endpoints; correlate network and endpoint for actionable intelligence.

Slide 25: Summary
- The threat landscape continues to evolve; the enemy is more advanced, attacks are more targeted.
- Rethink your security strategy; traditional security tools are insufficient.
- Assume you will be breached.
- Invest in the entire lifecycle: detection, response and prevention.
- Don't treat security tools as islands; integrate them.

Slide 26: Endpoint Threat Detection, Response and Prevention for Dummies
Download the eBook from the Bit9.com eBook resources section: https://www.bit9.com/resources/ebooks/endpoint-threat-detection-response-prevention-dummies/

Slide 27: Questions

Slide 28
©2014 Bit9. All Rights Reserved.