Post on 15-May-2018

220 views

Category:

Documents


2 download

TRANSCRIPT

1 Copyright © 2015, FireEye, Inc. All rights reserved. CONFIDENTIAL

Defending Against Advanced Threats

Technology, Intelligence, and Expertise working together

Jason Taylor

Solutions Architect, FireEye


Agenda

Current threat landscape

What we’ve learned

The failure of legacy security, and what is working

How FireEye can help

Q&A


CURRENT THREAT LANDSCAPE


$3.5M AVERAGE COST OF A BREACH

32 DAYS TO RESPOND TO A BREACH

205 DAYS MEDIAN NUMBER OF DAYS BEFORE DETECTION

67% OF COMPANIES LEARNED THEY WERE BREACHED FROM AN EXTERNAL ENTITY

97% OF VICTIMS HAD FIREWALLS OR UP-TO-DATE ANTI-VIRUS SIGNATURES

SOURCE: MANDIANT M-TRENDS REPORT, PONEMON COST OF DATA BREACH STUDY

[Timeline graphic: INITIAL BREACH to detection] 8 months is a LONG time…


ABOUT THE ADVERSARY

IT’S A “WHO,” NOT A “WHAT”

THERE’S A HUMAN AT A KEYBOARD

HIGHLY TAILORED AND CUSTOMIZED ATTACKS TARGETED SPECIFICALLY AT YOU

THEY ARE PROFESSIONAL, ORGANIZED AND WELL FUNDED

NATION-STATE SPONSORED

ESCALATE SOPHISTICATION OF TACTICS AS NEEDED

RELENTLESSLY FOCUSED ON THEIR OBJECTIVE

IF YOU KICK THEM OUT THEY WILL RETURN

THEY HAVE SPECIFIC OBJECTIVES

THEIR GOAL IS LONG-TERM OCCUPATION

PERSISTENCE TOOLS ENSURE ONGOING ACCESS


The Number of Industries Targeted by Advanced Attackers Continues to Expand and Evolve

Industries Where Mandiant Investigated Intrusions

In 2014 we noted changes in the number of engagements at companies in several key industries including:

Retail – Increase from 4% to 14%

Media & Entertainment – Decrease from 13% to 8%

Several industries that previously represented a minor portion of our investigations emerged as notable targets:

Business & Professional Services

Government & International Organizations

Healthcare

Source: Mandiant M-Trends 2015


While Organizations Are Detecting Attackers Sooner, the Typical Incident Saw Attackers Present for 6+ Months

[Chart: median number of days attackers were present before detection, by year]

2011: 416

2012: 243

2013: 229

2014: 205

Source: Mandiant M-Trends 2015

The longest time we detected attackers had been present in the victim’s environment was 2,982 days (over 8 years).


Spear Phishing Emails—Often Impersonating the IT Department—Remain a Popular Attack Vector

Compared to last year, attackers sent a larger portion of their emails during the weekend.

Source: Mandiant M-Trends 2015


The Evolving Attack Lifecycle

Advanced threat actors continue to evolve their tools and tactics to reduce the forensic footprint of their activities and evade detection.


Blurred Lines

Cyber criminals are stealing a page from the playbook of APT actors, while APT actors are using tools widely deployed by cyber criminals.

Tactic | Examples of Overlapping Usage

Social Engineering | This year we saw financial threat groups use spearphishing emails both as the initial infection vector and in their repeated attempts to regain access to the victim after remediation using victim-specific phishes.

Custom Malware & Tools | In one case, cyber criminals deployed more than 60 variants of malware and utilities that they created over the course of the several years they were in the victim’s environment.

Crimeware | One suspected Russia-based APT group used zero-day exploits to install variants of BlackEnergy, a toolkit widely used by cyber criminals for years.

Maintaining Persistence | Maintaining persistence has long been a hallmark of APT actors, who work to stay in an environment until they’ve completed their mission. But we have seen financial actors increasingly show their ability to maintain a low profile.

Scope of Data Theft | The array of attackers interested in PII has broadened to include APT actors with their own unique objectives, wholly unrelated to financial gain.


Other Advanced Threat Trend Constants

Initial attack vector tends to be e-mail; minimal spearphishing protection in place

Attackers have stolen certificates

Attackers obtain domain administrator credentials quickly

Partner networks are often compromised

VPN is compromised

Attackers are able to freely move within environments undetected


WHAT WE’VE LEARNED


If your network can be compromised,

IT WILL BE COMPROMISED


Cyberspace is an ASYMMETRICAL theater


Counter asymmetry by focusing on detection and response

[Chart: Percent Effective (y-axis) against $ spent (x-axis), comparing two curves: Prevention and Detection & Response]


ATTRIBUTION and THREAT INTELLIGENCE is more important


Disclosure is MORE PROBABLE and not on your terms


Enterprise VISIBILITY matters most


Your RESPONSE must be paced


Your level of PREPAREDNESS makes a difference


Smart organizations can eliminate the CONSEQUENCES of breaches


THE FAILURE OF LEGACY SECURITY… AND WHAT IS WORKING


What is working?

Network & data segmentation

Ubiquitous two factor authentication

Privileged identity management

Whitelisting for critical servers

Incident preparedness with pre-deployed forensic capability

Advanced Threat Protection

Renewed focus on phishing prevention

Vuln Assessments / Breach Assessment

Log Management / Threat Analytics

Reactive / Proactive Hunting


HOW FIREEYE CAN HELP


HOW SECURE DO YOU WANT TO BE?

[Chart: SECURITY CAPABILITY (x-axis: TOOLS-BASED, INTEGRATED FRAMEWORK, DYNAMIC DEFENSE, RESILIENT) against SOPHISTICATION OF THE THREAT (y-axis: CONVENTIONAL THREATS, CYBER CRIME, NATION STATE ATTACKS); reference levels marked COMPLIANT and WITHSTAND 3RD PARTY INSPECTION]


FIREEYE CONTINUOUS THREAT PREVENTION PROCESS

DETECT: SIGNATURE-LESS AND MULTI FLOW VIRTUAL MACHINE BASED APPROACH THAT LEVERAGES SUPERIOR THREAT INTELLIGENCE

RESPOND: REMEDIATION SUPPORT AND THREAT INTELLIGENCE TO RECOVER AND IMPROVE RISK POSTURE

PREVENT: MULTI-VECTOR INLINE KNOWN AND UNKNOWN THREAT PREVENTION

ANALYZE: CONTAINMENT, FORENSICS INVESTIGATION AND KILL CHAIN RECONSTRUCTION


FIREEYE ADAPTIVE DEFENSE

TECHNOLOGY

IDENTIFIES KNOWN, UNKNOWN, AND NON MALWARE BASED THREATS

INTEGRATED TO PROTECT ACROSS ALL MAJOR ATTACK VECTORS

PATENTED VIRTUAL MACHINE TECHNOLOGY

EXPERTISE

“GO-TO” RESPONDERS FOR SECURITY INCIDENTS

HUNDREDS OF CONSULTANTS AND ANALYSTS

UNMATCHED EXPERIENCE WITH ADVANCED ATTACKERS

INTELLIGENCE

50 BILLION+ OBJECTS ANALYZED PER DAY

FRONT LINE INTEL FROM HUNDREDS OF INCIDENTS

MILLIONS OF NETWORK & ENDPOINT SENSORS

HUNDREDS OF INTEL AND MALWARE EXPERTS

HUNDREDS OF THREAT ACTOR PROFILES

DISCOVERED 16 OF THE LAST 22 ZERO-DAYS


DEFINING AN ADAPTIVE DEFENSE STRATEGY

WHAT VECTORS DO YOU NEED TO PROTECT?

WHAT DO YOU WANT TO KNOW ABOUT THE ATTACKER?

HOW DO YOU WANT TO MANAGE AND RESPOND?

HOW DO YOU WANT TO ACCOUNT FOR IT?


QUESTIONS?

[email protected]

IT IS TIME TO REIMAGINE SECURITY