201408 fire eye korea user event press roundtable

Threat and Response: Combatting Advanced Attacks and Cyber Espionage. Dave Merkel, CTO, August 2014. Reimagined Security

Upload: junseok-seo, posted 15-Jan-2015



TRANSCRIPT

Page 1: Threat and Response: Combatting Advanced Attacks and Cyber Espionage. Dave Merkel, CTO, August 2014. Reimagined Security

Page 2: Insecurity By the Numbers

Page 3: Around the Enterprise in 229 Days

[Timeline figure: Initial Breach, Threat Undetected, Remediation; axis ticks at 3 Months, 6 Months, 9 Months]

229 Days: median number of days attackers are present on a victim network before detection.

[value not captured] of companies learned they were breached from an external entity.

Source: M-Trends Report 2014

Page 4: Broad Sector Targeting

• Extremely broad targeting
• IP-intensive businesses continually a focus
• International business dealings
• Increase in Finance and Media/Entertainment is notable

Page 5: The Malware Lifespan: Two Hours

[Chart: Malware Samples (0 to 350,000) plotted against lifespan in Hours (0 to 7), with 2012 and 2013 series]

Source: FireEye Labs

Page 6: Ghost Hunting with Antivirus

[value not captured] of malware only exists once.

[value not captured] of malware disappears after one hour.

Page 7: Maginot Line Report

• 1,216 Organizations Reviewed from October 2013 – March 2014
• Sectors Included: Government, Financial Services, Chemicals and Manufacturing, High-tech, Consulting, Energy, Retail, and Healthcare

Page 8: Maginot Line Report

• 97% of Organizations Breached
• 27% of Attacks Consistent with APT Tools and Tactics
• An Average of Over 120 Malware Payloads Bypassed Other Defenses

Page 9: A Global Threat…

1. United States
2. South Korea
3. Canada
4. Japan
5. United Kingdom
6. Germany
7. Switzerland
8. Taiwan
9. Saudi Arabia

Page 10: 1 Year After APT1…

• APT1 and APT12 threat groups paused operations following the public release of Mandiant’s report
• Both groups changed operational infrastructure, replacing what had been exposed in the APT1 report.
• Despite specific warnings by the Obama administration, China-based APT activity indicates that the PRC has no intention of abandoning its cyber campaign.

[Image caption: Mandiant report, providing evidence linking China-based cyber threat group to the People’s Republic of China (PRC)]

Page 11: 1 Year After APT1…

Page 12: Anything Working?

Page 13: Wartime vs. Peacetime Mindsets

Page 14: Defense in Depth

A military strategy; it seeks to delay rather than prevent the advance of an attacker… Rather than defeating an attacker with a single, strong defensive line, [it] relies on the tendency of an attack to lose momentum over a period of time… Once an attacker has lost momentum… defensive counter-attacks can be mounted on the attacker's weak points [to] drive the attacker back to its original starting position.

Page 15: Defense in Depth

Presumes the defensive measure limits or reduces momentum.

Page 16: Defense in Depth – IT Translation

An information assurance (IA) concept in which multiple layers of security controls (defense) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited, covering personnel, procedural, technical and physical aspects for the duration of the system's life cycle.

Page 17: Defense in Depth – IT Translation

Presumes the defensive measure was effective in the first place.

Pages 18 to 22: Defense in Depth (progressive build)

FW, then FW + IDS, then FW + IDS + SIEM, then FW + IDS + SIEM + AV

Same Model, No Momentum Reduction

Page 23: Defense in Shallow

AV, FW, IDS, SIEM

Page 24: Defense in Depth

AV, FW, IDS, SIEM

Expertise and Forensics? Analytics? Behavior?

Page 25: The Continuous Threat Prevention Process (Real Time)

• Detect: Multiple approaches to identify attacks at earliest stage
• Prevent: Prevent what you can prevent… it will never be 100%
• Analyze: Containment, forensic investigation and kill chain reconstruction
• Resolve: Remediation support and threat intelligence to recover and improve risk posture

Page 26: The Continuous Threat Prevention Process (Real Time)

• Make sure executives understand it’s not just “Detect and Prevent”
• Make sure executives understand you’re dealing with humans attacking you… not malware
• Make sure executives understand this is continuous… it’s not going away… and may never go away

Page 27: So What’s Working?

• War-time Mindset: Acceptance of the New Normal
• Beyond Compliance: Look at Efficacy vs. Real Threats and Aligning Budget
• Resilience: Ability to Operate Through the Breach

Page 28: Why FireEye?

Page 29: Virtual Machine-Based Model of Detection

Purpose-Built for Security, Hardened Hypervisor, Scalable, Portable

SECURITY Needs To Be [word not captured] To Address The New Threat Landscape

FINDS KNOWN/UNKNOWN CYBER-ATTACKS IN REAL TIME ACROSS ALL VECTORS

Page 30: FireEye Managed Defense

The FireEye MVX Architecture: NETWORK, EMAIL, ENDPOINT, MOBILE, CONTENT, ANALYTICS, FORENSICS

Dynamic Threat Intelligence

Threat Prevention Platforms Powered by MVX Technology

Page 31: The Continuous Threat Prevention Process (Real Time; repeat of Page 25)

Page 32: Thank You

Copyright © 2014, FireEye, Inc. All rights reserved. Reimagined Security