Defending Against Known & Unknown Threats
Jack Walsh, New Initiatives & Mobility Programs Manager
Copyright © 2016 ICSA Labs
About ICSA Labs
We're known for
• Providing independent 3rd-party assurance
• Security-focused certification testing
• Stakeholder consortia
Founded in 1989; 25 years of testing
• Anti-malware products, network firewalls, etc.
ISO accredited
• ISO 9001:2008
• ISO/IEC 17025:2005
• ISO/IEC 17065:2012
Recent initiatives
Security product testing
• Advanced threat defense (ATD)
• Internet of Things devices & sensors
Mobile testing
• Mobile device platform security
Healthcare testing
• ONC EHR, HIMSS ConCert, IHE USA
Our seal of approval
The value of certification testing Buyers need an objective way to confirm that security products introduced into their organization will function as advertised, interoperate and conform to privacy & security requirements.
Vendors need a cost effective way to credibly demonstrate that their products will satisfy buyers’ needs.
Ongoing certification testing by a credible, independent third party like ICSA Labs helps satisfy the needs of both.
Enterprises are being attacked
2005 – 2010
source: www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
To defend against threats, organizations protected and secured themselves with all the traditional standards:
• anti-malware, network firewalls, intrusion prevention systems, web application firewalls, etc.
Enterprises still being breached!
2010 – 2016
Things did not improve
source: www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Growth in security spend
• Up 294% since 2006, to $21B in 2014 (source: Gartner)
What resulted?
• Data breach explosion!
• 614 breaches reported in North America in 2013
• Over 91M records disclosed
Breaches put another way
• AOL
• TK / TJ Maxx
• Sony PSN
• Heartland
• eBay
• Target
• LexisNexis
• Michael's
• Home Depot
• NASDAQ
• American Express
• Citigroup
• Neiman Marcus
• Snapchat
• Washington Post
• AT&T
• TD Ameritrade
• RBS Worldpay
source: https://blogs.bromium.com/2014/08/14/the-rise-and-fall-of-enterprise-security/
Known malicious threat testing
• ICSA Labs "AV" Testing Program (25 years)
• Key characteristics
  • Wild List based testing: threats known "in the wild"
  • On access
  • On demand
ICSA Labs anti-malware testing: Enhanced & Reloaded for 2017
More comprehensive testing
• From: Static Signatures
• To: Static Signatures, URL Blocking, Anomaly Detection, Behavior-Based
More malicious sample sources
• From: Wild List
• To: Wild List (Delta), Enterprise Samples, Real Time Threat List, Microsoft Prevalence, ATD Program, The "Collection"
Testing unknown malicious threats
• ICSA Labs began ATD certification testing in fall 2015
• ICSA Labs added ATD-Email testing in Q4 2016
Advanced threat defense (ATD)
What does ATD mean anyhow?
a. Protect from ADVANCED Threats?
b. Protect from PERSISTENT Threats?
c. Protect from UNKNOWN Threats?
Where does ATD occur?
a. The Endpoint
b. Network perimeter
c. Local Sandbox
d. Sandbox in Cloud
e. Cloud Analysis Cluster
A: Any or All of These!
Basis for ATD & ATD-Email testing
• Threat vectors leading to breaches
• Source: Verizon Data Breach Investigations Report (DBIR)
Malware threat vectors (bar chart values, paired with labels in slide order):
Direct Install ........... 3706
Email Attachment ......... 869
Web Download ............. 588
Web Drive-By ............. 551
Email Link ............... 453
Download by Malware ...... 230
Network Propagation ...... 138
Remote Injection ......... 72
Removable Media .......... 16
Other .................... 13
ATD & ATD-Email testing programs
• Does it detect 100s of new threats?
• Does it have minimal FPs?
• Quarterly test cycles
• Continuous testing for 3 to 5 weeks
• Test cycles begin mid-month
• FREE reports available at quarter end
Testing focus
• Test cycles last 3-5 weeks
• Detecting unknown and little-known threats
• While having minimal false positives
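The two questions a cycle has to answer (does the product block unknown and little-known threats, and does it do so with minimal false positives) come down to how the run log is scored. The Python below is an added example, not ICSA Labs' test harness: the CSV run log is constructed, and the sample classes, the thresholds MIN_DETECTION and MAX_FALSE_POSITIVE, and the first-sight rule are assumptions made for illustration, since the page states no numeric pass criteria.

```python
import csv
import io
from collections import defaultdict

# Hypothetical pass criteria (assumed, not ICSA Labs' published thresholds).
MIN_DETECTION = 0.80        # share of malicious samples blocked at first sight
MAX_FALSE_POSITIVE = 0.05   # share of benign samples wrongly blocked
MALICIOUS_CLASSES = ("unknown", "little-known")

# Constructed run log for one cycle, two products tested against the same
# samples. Columns: run (day of cycle), product, sample, class, verdict.
RUN_LOG = """\
run,product,sample,class,verdict
1,productA,s001,unknown,blocked
1,productA,s002,unknown,allowed
1,productA,s003,little-known,blocked
1,productA,s004,little-known,blocked
1,productA,s005,benign,allowed
1,productA,s006,benign,allowed
2,productA,s007,unknown,blocked
2,productA,s008,little-known,blocked
2,productA,s009,benign,allowed
2,productA,s010,benign,allowed
5,productA,s002,unknown,blocked
1,productB,s001,unknown,blocked
1,productB,s002,unknown,blocked
1,productB,s003,little-known,blocked
1,productB,s004,little-known,blocked
1,productB,s005,benign,blocked
1,productB,s006,benign,allowed
2,productB,s007,unknown,blocked
2,productB,s008,little-known,blocked
2,productB,s009,benign,allowed
2,productB,s010,benign,allowed
"""


def first_sight_verdicts(log_text):
    """Return {product: {sample: (class, verdict)}} using each sample's
    earliest run. A later re-test that blocks a sample missed on day 1
    does not change the score (assumed policy): an unknown-threat test
    measures the first exposure, not what the vendor fixed afterwards."""
    rows = sorted(csv.DictReader(io.StringIO(log_text)),
                  key=lambda r: int(r["run"]))   # stable sort keeps file order within a run
    first = {}
    for row in rows:
        key = (row["product"], row["sample"])
        if key not in first:
            first[key] = row
    per_product = defaultdict(dict)
    for (product, sample), row in first.items():
        per_product[product][sample] = (row["class"], row["verdict"])
    return dict(per_product)


def score_product(verdicts):
    """Per-class detection counts, overall effectiveness, FP rate, pass/fail."""
    detected = defaultdict(int)
    total = defaultdict(int)
    for cls, verdict in verdicts.values():
        total[cls] += 1
        if verdict == "blocked":
            detected[cls] += 1
    mal_total = sum(total[c] for c in MALICIOUS_CLASSES)
    mal_detected = sum(detected[c] for c in MALICIOUS_CLASSES)
    benign_total = total["benign"]
    effectiveness = mal_detected / mal_total if mal_total else 0.0
    fp_rate = detected["benign"] / benign_total if benign_total else 0.0
    return {
        "per_class": {c: (detected[c], total[c]) for c in MALICIOUS_CLASSES},
        "effectiveness": effectiveness,
        "false_positive_rate": fp_rate,
        # Both criteria must hold: blocking everything is not a pass.
        "passed": effectiveness >= MIN_DETECTION and fp_rate <= MAX_FALSE_POSITIVE,
    }


def score_cycle(log_text):
    """Score every product that appears in the cycle's run log."""
    return {p: score_product(v) for p, v in first_sight_verdicts(log_text).items()}


if __name__ == "__main__":
    for product, result in score_cycle(RUN_LOG).items():
        print(product, result)
```

Running the module prints one result per product. productA misses s002 on day 1 and blocks it on day 5; under the first-sight rule that re-test does not raise its score, which is why it lands at 5 of 6 malicious samples. productB blocks every malicious sample but also blocks a benign one, so it fails on the false-positive criterion: the two questions on the slide are only meaningful together.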
How you benefit
• Recurring testing with the latest threats: keep informed with quarterly testing results; know how ATD solutions perform against the latest threats; observe over time how products fare against the norm.
• No cost to enterprises: only participating vendors register and pay; includes free reports on our website
https://www.icsalabs.com/products?tid[]=5352
Statistics from 3 ATD test cycles
• Vendors currently registered for ATD testing: 11
• Vendors with an ICSA Labs Certified ATD Solution: 5
• Average test cycle length: 30.75 days
• Average number of test runs per test cycle: 610
• Average detection effectiveness of certified ATD solutions vs. failing ATD solutions
• Approximate number of ATD developers: ~30
About Jack Walsh Jack has worked eighteen years at ICSA Labs. Currently driving development of programs that test the security of IoT devices, advanced threat defense solutions and all things mobile, his prior roles included network intrusion prevention systems program manager, anti-spam program manager and firewall lab technical lead. Prior to joining ICSA Labs, Jack tested commercial products at the National Security Agency. While there he co-authored the first firewall protection profile. Jack earned his B.S. in Electrical Engineering from Penn State and later earned an M.S. in Computer Science from Johns Hopkins.
Jack Walsh New Initiatives & Mobility Programs Manager [email protected] 717.790.8126