2016 virus bulletin
Page 1
The beginning of the end(point): where we are now and where we’ll be in five years
Adrian Sanabria, Senior Security Analyst, 451 Research

Page 2
Adrian Sanabria (@sawaba)
Industry Analyst: 3 years
Red Team: 4 years
Blue Team: 5 years
IT: 4 years
Opinionated. Goofball. Compulsive researcher. Embraces awkwardness.
Page 3
Agenda
• TL;DL: The Big Picture
• Industry: The Market View
• Industry: The Buyer’s View
• Analysis: Trends and the Future

Page 4
Why are we here?
• Disruption in the endpoint security market
• Confused buyers
• Confused sellers
• Current and future opportunities
Page 5
TL;DL, or before I lose you in my rant...
• IT and consumer technology has changed
• Attacker TTMs have changed
• Defenses stayed the same... Sorry, no, they got worse

Page 6
Industry missteps
• Products that only work at corporate HQ
• Products that break the user
• Assuming any one layer must achieve 100% efficacy
• Products that bury the customer in data
• Making consumers a secondary priority
Page 7
Agenda
• TL;DL: The Big Picture
• Industry: The Market View
• Industry: The Buyer’s View
• Analysis: Trends and the Future

Page 8
The evolution of endpoint security
• 2002: Endpoint Security = AV
• 2005: Endpoint Security = AV, VPN client, NAC client, host-based FW, HIPS, FDE, patching, device/port control, FIM... aaaaaaa, this is so confusing!
• 2006: Heavy consolidation
• 2008: Endpoint Security = EPP (AV ‘suites’)

Page 9
The evolution of endpoint security (continued)
• 2010: Rise of the advanced, sophisticated, moderately well-read adversary
• 2015: Endpoint Security = AV, NGAV, EDR, Threat Hunting, Isolation, Exploit Prev... aaaaaaaaaaaaa, this is so confusing!
• 2016+: Heavy consolidation
• 2018: Endpoint Security = NGEPP? (please, no)
Page 10
The only time I want to hear “Next Generation”
(Star Trek: The Next Generation image captions:) “See, captain? They stole the term from us!” “I don’t think AI means what they think it means.”

Page 11
The Attacker Landscape has changed, permanently

Page 12
Is antivirus dead?
“Nobody wants to say antivirus is dead, but let’s just say they’re planning ahead for the wake and eyeing the stereo.”
Wendy Nather, 451 Research (2013)

Page 13
Is antivirus dead?

Page 14
Is antivirus dead? What’s dead, if anything, then?
The traditional process of addressing endpoint threats is fundamentally broken, and is in the process of being replaced.

Page 15
There’s no Advanced, just the new Normal.
Page 16
The First Great Endpoint Security Consolidation (acquirer / acquired company; timeline 2003, 2006, 2010)
• Check Point / ZoneAlarm
• CA / PestPatrol
• Symantec / Sygate
• Check Point / Pointsec
• Trend Micro / HijackThis
• Lumension / SecureWave
• McAfee / SafeBoot
• Trend Micro / Third Brigade
• McAfee / Solidcore
• Symantec / PGP
~30 acquisitions

Page 17
Events that helped kickstart the Second Great Endpoint Security Consolidation
Before 2010 (2003-2009)
• Mostly adjacent endpoint security/management technologies
• Took our eyes ‘off the ball’
• Got waaaay too excited about whitelisting
• Laptops instead of Desktops
After 2010
• 2010: Stuxnet (whaaat?!): state-sponsored malware
• 2013: APT1 (uh-oh): more state-sponsored malware
• 2013: Snowden (oh crap): domestic malware, threats and attack tools
• 2014: Ransomware (HALP!)
Page 18
The Second Great Endpoint Security Consolidation (acquirer / acquired company; timeline 2010, 2014, 2016+)
• Webroot / Prevx
• Sourcefire / Immunet
• ManTech / HBGary
• Google / VirusTotal
• Lumension / CoreTrace
• FireEye / Mandiant
• Bit9 / Carbon Black
• Palo Alto / Cyvera
• Fidelis / Resolution1
• Digital Guardian / Savant
• Sophos / SurfRight
• Avast / AVG
26 acquisitions (so far)

Page 19
Stats and Facts!
• 13% run one endpoint security product
• 26.9% run two
• 59% run three or more concurrently
Why?
Page 20
Stats and Facts!
• 67% using endpoint config mgmt
• 65% using HIDS/HIPS
• 59% using FDE
• 56% using NAC
• 49% using FIM
• 47% using Whitelisting

Page 21
December, 2015: 62 vendors, five categories

Page 22
The market now, 10 months later
• Prevention (pre-execution)
• Detection (post-execution)
• Data collection
77 vendors; 50/50 split complementary/primary

Page 23
Prevention: Primary

| Subcategory | Examples |
|---|---|
| AV Suites, aka ‘EPP’ | Symantec, McAfee, Trend, Malwarebytes, BitDefender, Kaspersky, Sophos, etc. |
| Newcomers, aka “Next-Gen” AV | Cylance, Invincea, Sentinel One, CrowdStrike |
Page 24
NGAV? MY definition (not Gartner’s): the ability to stop threats without prior knowledge of them.
What is prior knowledge?
• Signatures
• IoCs
• Malware analysis sandbox
• Blacklisting

Page 25
Prevention: Detection
• Behavioral analysis: Software
• Behavioral analysis: Users
• Kernel shims
• Deception
• In-memory scanning
Prevention vs Detection: a question of cost

Page 26
Endpoint Data Collection
• Many use cases: detection, forensics, incident response
• No more blind spot

Page 27
What about remediation and response? Who is gonna clean this up?
• Remediation vs Containment
• Automated Endpoint Remediation
Page 28
Understanding the startup cycle
Idea → Founded → Seed Funding → GA/MVP → Growth & funding → Exit (Founders leave)
Along the way: Acquisition? Acquisition? Acquisition? Founders leave?
3-5 year cycle in security

Page 29
Adrian’s Endpoint Security Roadmap
1. Better malware mousetrap
2. AV Certification (newer vendors)
3. Non-malware attacks
4. EPP features (newer vendors)
5. Data visibility
6. More robust and resilient platforms

Page 30
Do enterprises even need better AV?
Hardening Windows
• CIS benchmarks (hardening)
• Ad-blocking
• Remove unnecessary software/features
• Least privilege: Flash click-to-run, disable/restrict Java plugin, selective whitelisting
Free/OSS Tools
• Microsoft EMET
• Microsoft AppLocker
• Artillery (Binary Defense)
• OSSEC (Trend Micro)
• El Jefe (Immunity)
• Cylance Detect
• Sandboxie (Invincea)
• AIDE (FIM)
• ROMAD
• 0Patch
Page 31
Agenda
• TL;DL: The Big Picture
• Industry: The Market View
• Industry: The Buyer’s View
• Analysis: Trends and the Future

Page 32
I have data: Voice of the Enterprise
451 Research has a panel of highly accredited senior IT executives who participate in surveys focused on enterprise IT trends. This proprietary panel consists of 30,000+ IT decision-makers in North America and Europe. Respondents of this Information Security survey are members of the panel who were qualified based on their expertise in their organization’s IT deployment.
The Voice of the Enterprise: Information Security survey wave was completed during the months of June and July 2016. The survey represents more than 930 completes from pre-qualified IT decision-makers primarily based in North America and Europe. In addition to regular quarterly topics, this survey focuses on organizational dynamics around the information security function within enterprises.

Page 33
What’s happening in the enterprise?
• Endpoint sec is ubiquitous
• Endpoint sec is mature
• It is the #1 change Enterprises are planning to make in 2016
Why?
Page 34
INFORMATION SECURITY: ORGANIZATIONAL DYNAMICS 2016
Source: 451 Research, Voice of the Enterprise: Information Security, Organizational Dynamics 2016
Q4. What do you consider your top internal information security pain point within your organization for the previous 90 days?

| Top Security Pain Point | Q2 2016 (n=843) | Q1 2016 (n=829) |
|---|---|---|
| Malicious Software (Malware) | 17.9% | 17.1% |
| Data Loss/Theft | 9.0% | 10.2% |
| User Behavior | 8.4% | 9.4% |
| Staffing Information Security | 7.6% | 6.6% |
| Organizational Politics/Lack of Attention to Information Security | 7.2% | 6.4% |
| Application Security | 5.7% | 6.2% |
| Security Awareness Training | 4.1% | 5.8% |
| Accurate, Timely Monitoring of Security Events | 6.3% | 5.8% |
| Endpoint Security | 5.4% | 5.2% |
| Firewall/Edge Network Security | 3.1% | 5.0% |
| Mobile Device Security | 3.9% | 3.4% |
| Cloud Security | 3.5% | 3.2% |
| Third-Party/Supplier Security | 2.1% | 2.8% |
| Lack of Budget | 3.9% | 2.5% |
| Malicious Insider Activity | 1.4% | 2.3% |
| Vulnerability Management | 3.7% | 2.3% |
| New Traffic Patterns via Virtualization | 1.1% | 1.8% |
| Keeping Up with New Technology | 3.1% | 1.7% |
| Overwhelming Threat Information/Intelligence | 1.3% | 1.3% |
| Supply Chain Attacks | 1.1% | 0.8% |
| Counterfeit Parts | 0.1% | 0.2% |

Callout: Malware and Endpoint Security, 23.3% collectively
Page 35
“How would you rate your current suite of Endpoint Security tools against...”

| Use Case | % effective or very effective |
|---|---|
| Detecting Known Malware | 75% |
| Preventing Known Malware | 68% |
| Detecting Unknown Malware | 29% |
| Preventing Unknown Malware | 25% |
| Detecting and/or preventing non-malware attacks | 40% |

Page 36
What are your organization’s top three Infosec projects over the next 12 months?
• #1: Endpoint Security, 21.7%
• #22: Network-based Anti-Malware, 6.2%

Page 37
Agenda
• TL;DL: The Big Picture
• Industry: The Market View
• Industry: The Buyer’s View
• Analysis: Trends and the Future

Page 38
What are the big problems?
• We no longer have one perimeter: we have many
• Sloppy defense in depth
• Information asymmetry
• Market currently unstable (still consolidating)
• Blind Spots
• Blaming the user (aka “stop clicking links”)
• Discarding useful tech because it wasn’t a silver bullet
• Ending the leapfrogging
• and so much more!
Page 39
Where else do we find IT?
• Traditional Data Center
• Mobile
• SaaS
• Cloud

Page 40
Where else do we find IT? (with the controls overlaid)
• Traditional Data Center
• Mobile: MDM
• SaaS: CASB
• Cloud: Host FW, SDN/VPC

Page 41
Why are we still investing so heavily in the perimeter?
90%+ of the security budget*
* - I made this number up. We have the number, I just didn’t look it up.

Page 42
Why are we still investing so heavily in the perimeter?

Page 43
Because this is where your employees actually work.
Conclusion? Security controls MUST travel with the asset.

Page 44
Story time! Advanced Malware Detection, Day 1:
ZEUS seen on the NETWORK and on the ENDPOINT

Page 45
Story time! Advanced Malware Detection, Day 2:
ZEUS inside a JAR File (“You can’t see me”) on the NETWORK and on the ENDPOINT

Page 46
Story time! The bad guys will find a way to evade preventative controls.
Page 47
~~Defense~~ Expense in depth has failed

| Attack | Defence | Failures |
|---|---|---|
| Phishing Email | Email Security; Security Awareness | User clicks |
| Malware Link | URL/IP reputation; Malware Sandbox | Malicious link not detected |
| C2 Comms | Endpoint Security; IDS/IPS | AV misses malware, Network Security misses C2 |
| Pivoting | East/West Security Visibility | Enterprise blind spot |
| Exfiltration | Data Loss Prevention | Alert doesn’t trigger, or is missed |

Conclusion? Thorough testing and configuration of defenses.
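The kill chain above as a small coverage model, added here as an example and not part of the talk: each stage carries the controls the slide pairs with it, with constructed, illustrative miss rates (not measurements), and the model shows why no single layer needs 100% efficacy, what an uncovered stage (the Pivoting blind spot) costs, and how alerts nobody acts on erode the whole stack.

```python
"""Defence-in-depth model for the slide's phishing kill chain.

Added example, not from the talk. Miss rates are constructed numbers,
controls are assumed independent, and a stage with no control is
always missed (probability 1.0).
"""
from __future__ import annotations
from dataclasses import dataclass, field
import math


@dataclass
class Stage:
    name: str
    # control name -> probability the control misses the activity (constructed)
    controls: dict = field(default_factory=dict)


def control_miss(miss: float, alert_handling: float) -> float:
    """A control only helps if it fires AND someone acts on the alert
    (the slide's 'alert doesn't trigger, or is missed')."""
    return 1.0 - (1.0 - miss) * alert_handling


def stage_miss(stage: Stage, alert_handling: float = 1.0) -> float:
    """Probability nothing at this stage stops or flags the attacker."""
    return math.prod(control_miss(m, alert_handling) for m in stage.controls.values())


def campaign_miss(chain: list, alert_handling: float = 1.0) -> float:
    """Probability the campaign passes every layer unseen: product of stage misses."""
    return math.prod(stage_miss(s, alert_handling) for s in chain)


def blind_spots(chain: list) -> list:
    """Stages with no control at all: the slide's 'enterprise blind spot'."""
    return [s.name for s in chain if not s.controls]


def with_control(chain: list, stage_name: str, control: str, miss: float) -> list:
    """Return a copy of the chain with one more independent control on a stage."""
    out = []
    for s in chain:
        ctl = dict(s.controls)
        if s.name == stage_name:
            ctl[control] = miss
        out.append(Stage(s.name, ctl))
    return out


# The deck's attack stages and the defences it lists against each one.
KILL_CHAIN = [
    Stage("Phishing Email", {"Email Security": 0.30, "Security Awareness": 0.50}),
    Stage("Malware Link", {"URL/IP reputation": 0.40, "Malware Sandbox": 0.35}),
    Stage("C2 Comms", {"Endpoint Security": 0.45, "IDS/IPS": 0.60}),
    Stage("Pivoting", {}),  # failure mode on the slide is 'enterprise blind spot'
    Stage("Exfiltration", {"Data Loss Prevention": 0.70}),
]

if __name__ == "__main__":
    print("blind spots:", blind_spots(KILL_CHAIN))
    print(f"missed by every layer: {campaign_miss(KILL_CHAIN):.2%}")
    print(f"...if only half of alerts are acted on: {campaign_miss(KILL_CHAIN, 0.5):.2%}")
    fixed = with_control(KILL_CHAIN, "Pivoting", "East/West Visibility", 0.50)
    print(f"with a 50%-effective East/West control: {campaign_miss(fixed):.2%}")
```

Swap the constructed rates for your own test results (the slide's conclusion is exactly that testing) and the model tells you which layer to fund next.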
Page 48
Design for the real world
“Customers never enable the more effective functionality in our product!”
--Engineer, at a large incumbent AV vendor
Conclusion? Products need to adapt to different users.

Page 49
Information Asymmetry
AV isn’t just protecting against ‘known threats’. It is a known threat. To the bad guys!
Conclusion? A detection engine will never stop determined adversaries.

Page 50
Blind spots: the traditional enterprise has five
• Endpoint
• East-West Traffic
• Cloud/SaaS
• Data

Page 51
PEBKAC: PWNED vs NOT PWNED

Page 52
If you already know what can and will go wrong... DESIGN FOR IT!

Page 53
Don’t punish the user

Page 54
Discarding useful tech because it wasn’t a silver bullet
2011: “By 2015, more than 50% of enterprises will have instituted 'default deny' policies that restrict the applications users can install.”
Page 55
Myth: Solving the malware problem changes everything!
How big a part of the breach problem is malware? 15% in 2012, 24% in 2013, 33% in 2014
[Chart: series Error, Hacking, Malware, Misuse, Social; years 2012, 2013, 2014; y-axis 0% to 40%]
Source: Verizon Enterprise Solutions

Page 56
Stop playing leapfrog and start playing chess

Page 57
The solution isn’t simple.
We can’t get rid of AV
1. R&D work done by AV firms is irreplaceable
2. Signatures still necessary to track and communicate existing threats
3. Compliance
4. AV Certification
New entrants can’t yet replace AV
1. Remediation isn’t there yet
2. Prevention isn’t complete without detection
3. Malware isn’t the only issue
4. Curse of complementing
Conclusion? Customers will continue using multiple products until consolidation completes.

Page 58
The answer? Layers.

| | Known Threats | Unknown Threats |
|---|---|---|
| Prevention | Blacklists, reputation filtering, threat intel, signature-based network and endpoint tech | Exploit prevention, malware analysis sandboxes, isolation security, app whitelisting |
| Detection | Anti-Virus, IDS/IPS, WAF, threat intel | Behavioral analytics, anomaly detection, red flags, binary analysis |

Response/Remediation: Anti-virus, automated incident response/remediation tools, automated endpoint remediation, reimaging PCs

Page 59
Thanks!
Adrian Sanabria - @sawaba