Post on 16-Dec-2015
Copyright (c) 2012, FireEye, Inc. All rights reserved. | CONFIDENTIAL 1
FireEye Overview
John Bolger
Manager Channels, US-Central
FireEye
Company Overview
• The leader in stopping advanced targeted attacks
• Marquee customers across every industry
  – Top banks, hi-tech, oil and gas, government
  – All major Internet search engines, top social networks, and auction sites
• One of the fastest growing enterprise technology companies in the world
We Are Only Seeing the Tip of the Iceberg
[Figure: iceberg. Above the surface: HEADLINE GRABBING ATTACKS. Below the surface: THOUSANDS MORE, made up of APT attacks, zero-day attacks, polymorphic attacks and targeted attacks.]
Manufacturing Hit Worst
Don’t Take Usual Vacations (Email Attacks)
Chinese Hacking Methodology
http://www.thedarkvisitor.com/2008/11/chinese-hacker-attack-flowchart/
Chinese Hacking Methodology - Translated
http://www.thedarkvisitor.com/2008/11/chinese-hacker-attack-flowchart/
Characteristics of Malware
• Stealth level
  – Ranges from high to low
• Target vulnerability
  – Unpatched machines, plug-ins, browsers
• Intended victim(s)
  – Specific victims, reached by spearphishing
• Objectives
  – Theft? Disruption? Fear?
High Profile APT Attacks Are Increasingly Common
Defining Advanced Targeted Attacks
• Utilizes advanced techniques and/or malware
  – Unknown, targeted, polymorphic, dynamic, personalized
• Uses zero-day exploits, commercial quality toolkits, and social engineering
• Often targets IP and credentials, and often spreads laterally throughout the network
• AKA Advanced Persistent Threat (APT)
[Figure: ADVANCED vs. TRADITIONAL attacks. Advanced targeted attack: stealthy, unknown and zero-day, targeted, persistent. Traditional: open, known and patchable, broad, one-time.]
The New Threat Landscape: there is a new breed of attacks that are advanced, zero-day, and targeted.
The Enterprise Security Hole
[Figure: attack vectors (Web-based attacks, malicious files, spear phishing emails) drawn against the existing controls (NGFW, FW, IPS, SWG, AV), with the gap between them labelled SECURITY HOLE.]
Traditional Defenses Don’t Work
Advanced attacks bypass both signature-based and heuristics-based technologies in existing IT security defenses.
Networks are being compromised as APTs easily bypass traditional signature-based defenses such as NGFW, IPS, AV, and gateways.
Typical Enterprise Security Architecture
• Firewalls/NGFW: block IP/port connections, application-level control; no visibility into exploits and ineffective vs. advanced targeted attacks
• IPS: attack-signature based detection, shallow application analysis, high false positives; no visibility into the advanced attack lifecycle
• Secure Web Gateways: some analysis of script-based malware, AV, IP/URL filtering; ineffective vs. advanced targeted attacks
• Anti-Spam Gateways: relies largely on antivirus, signature-based detection (some behavioral); no true spear phishing protection
• Desktop AV: signature-based detection (some behavioral); ineffective vs. advanced targeted attacks
Attacks Increasingly Sophisticated
Dynamic Web attacks, malicious exploits, spear phishing emails
Multi-Vector
• Delivered via Web or email
• Blended attacks with email containing malicious URLs
• Uses application/OS exploits
Multi-Stage
• Initial exploit stage followed by malware executable download, callbacks and exfiltration
• Lateral movement to infect other network assets
The Attack Lifecycle – Multiple Stages
1. Exploitation of system, via a compromised Web server or Web 2.0 site
2. Malware executable download
3. Callbacks and control established with the callback server
4. Malware spreads laterally (File Share 1, File Share 2)
5. Data exfiltration
[Figure: the victim host sits behind an IPS; the compromised Web server and the callback server are outside, the two file shares inside, with the numbered stages drawn between them.]
FireEye Malware-VM™ Filter
Phase 1: Aggressive capture heuristics
• Deploys out-of-band/passive or inline
• Multi-protocol capture of HTML, files (e.g. PDF), and EXEs
• Maximizes capture of potential zero-day attacks
Phase 2: Virtual machine analysis
• Confirmation of malicious attacks
• Removal of false positives
Phase 3: Block callback
• Stop data/asset theft
• XML/SNMP alerts on infections as well as C&C destinations
• Global loop sharing into MAX Cloud Intelligence
• Fast path: real-time blocking in the appliance
The FireEye Difference
Multi-Vector Protection
• Protection against Web attacks
• Protection against email attacks
• Protection against file-based attacks
Multi-Stage Protection
• Inbound zero-day exploit detection
• Outbound malware callback blocking
• Malware binary payload analysis
• Latent malware quarantine
Multi-Vector Protection
[Figure: Web threats, email threats and blended Web/email threats entering the network, internal lateral movement of threats, and the appliances managed through the CMS.]
Multi-Staged Attack Pieces Connected
[Figure: on the point-products side the stages appear as separate pieces: WEB EXPLOIT, MALWARE EXECUTABLE DOWNLOAD, CALLBACK, LATERAL SPREAD, DATA EXFILTRATION. On the connected side the same stages form one chain: WEB OR EMAIL EXPLOIT, MALWARE EXECUTABLE DOWNLOAD, CALLBACK, LATERAL MOVEMENT, DATA EXFILTRATION.]
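The lifecycle on the "Attack Lifecycle" slide and the "pieces connected" idea on this one come down to one detection-engineering step: join the per-stage alerts by host, in lifecycle order, and act on the furthest stage reached. The script below is an added example, not FireEye code. The event tuples, hostnames and RFC 5737 addresses are constructed, and the stage names, the ordering rule and the "block the callback destination once a host reaches the callback stage" policy are assumptions of the example.

```python
from collections import defaultdict

# Lifecycle order from the attack-lifecycle slide (assumed stage names).
STAGES = ["exploit", "download", "callback", "lateral", "exfil"]

# Constructed sample alerts: (timestamp_s, host, stage, destination).
# RFC 5737 addresses; nothing here is real telemetry.
EVENTS = [
    (100, "ws-17", "exploit",  "203.0.113.7"),      # drive-by from compromised web server
    (104, "ws-17", "download", "203.0.113.7"),      # PE binary fetched from the same site
    (170, "ws-17", "callback", "198.51.100.9"),     # first beacon to the callback server
    (200, "ws-04", "download", "mail-attachment"),  # EXE from email; no exploit observed
    (410, "ws-17", "lateral",  "file-share-1"),     # SMB write of the binary to a share
    (500, "ws-17", "exfil",    "198.51.100.9"),     # bulk POST to the same server
    (510, "ws-09", "exploit",  "203.0.113.7"),      # malicious PDF opened
    (530, "ws-09", "callback", "198.51.100.23"),    # beacon, but no download was logged
]


def connect_stages(events):
    """Return {host: [(stage, first_seen_ts), ...]} in lifecycle order.

    A stage is linked only if its first sighting is not earlier than the
    previously linked stage, so alerts that arrive out of order do not
    fabricate a chain."""
    first_seen = defaultdict(dict)
    for ts, host, stage, _dst in events:
        if stage not in STAGES:
            raise ValueError(f"unknown stage {stage!r}")
        if stage not in first_seen[host] or ts < first_seen[host][stage]:
            first_seen[host][stage] = ts
    chains = {}
    for host, stamps in first_seen.items():
        chain = []
        for stage in STAGES:
            if stage in stamps and (not chain or stamps[stage] >= chain[-1][1]):
                chain.append((stage, stamps[stage]))
        chains[host] = chain
    return chains


def verdict(chain):
    """Severity from the furthest lifecycle stage a host reached."""
    furthest = STAGES.index(chain[-1][0])
    if furthest >= STAGES.index("exfil"):
        return "breach"
    if furthest >= STAGES.index("callback"):
        return "compromised"
    return "exposed"


def dwell_time(chain):
    """Seconds between the first and last linked stage."""
    return chain[-1][1] - chain[0][1]


def callback_destinations(events, chains):
    """Destinations used for callback or exfiltration by hosts whose chain
    reached the callback stage: the set an inline device would block."""
    confirmed = {h for h, c in chains.items() if verdict(c) != "exposed"}
    return sorted({dst for _ts, host, stage, dst in events
                   if host in confirmed and stage in ("callback", "exfil")})


def report(events=EVENTS):
    """Per-host chain, verdict and dwell time, plus the destinations to block."""
    chains = connect_stages(events)
    return {
        "hosts": {h: {"chain": [s for s, _ in c], "verdict": verdict(c),
                      "dwell_s": dwell_time(c)} for h, c in chains.items()},
        "block": callback_destinations(events, chains),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(report(), indent=2))
```

ws-04 only ever shows a download, so it stays "exposed" and its destination is not blocked; ws-09 reaches the callback stage without a logged download and is still treated as compromised, since the chain is about the furthest stage seen, not about every stage being present.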
Web Malware Protection System
• Inline, real-time, signature-less malware protection at near-zero false positives
• Analyzes all web objects, e.g. web pages, Flash, PDF, Office docs and executables
• Blocks malicious callbacks, terminating data exfiltration across protocols
• Dynamically generates zero-day malware and malicious URL security content and shares it through the Malware Protection Cloud network
• Integration with Email and File MPS and MAS for real-time callback channel blocking
FEATURES
• Inline blocking both inbound and outbound
• Advanced content analysis (PDF, JavaScript, URLs)
• Models up to 1 Gbps at microseconds latency
Multi-Protocol, Real-Time VX Engine
PHASE 1: Multi-protocol object capture
• Web MPS: aggressive capture, Web object filter
PHASE 2: Virtual execution environments, mapped to the target OS and applications
Dynamic, real-time analysis:
• Exploit detection
• Malware executable analysis
• Cross-matrix of OS/apps
• Originating URL
• Subsequent URLs
• OS modification report
• C&C protocol descriptors
Email Malware Protection System
• Protection against spear phishing and blended attacks
• Analyzes all emails for malicious attachments and URLs
• In-line MTA active security, or SPAN/BCC for monitoring
• Brute-force analysis of all email attachments in the VX Engine
• Web MPS integration for malicious URL analysis/blocking
• Web MPS integration for blocking of newly discovered callback channels
FEATURES
• Supports large range of file types (PDF, Office formats, ZIP, etc.)
• Attachment analysis
• URL analysis
• Correlation of malicious URLs to emails at the CMS
VX Engine, PHASE 1 capture for the Email MPS: email attachments, URL analysis
Protecting Against Blended Threats
Secures against attacks using URLs in email:
• High priority URL analysis through the Web MPS VX engine
• Web MPS integration for correlation of the malicious URL with the spear-phished email message
• Web MPS integration for blocking of newly discovered callback channels
[Figure: Web MPS and Email MPS connected through the Central Management System.]
File Malware Protection System
• Protects file sharing servers from latent malware
• Addresses malware brought into the network via web, email or file sharing, as well as other manual means
• Detects the lateral spread of malware through network file shares
• Continuous and incremental network file share analysis
• Web MPS integration for blocking of newly discovered callback channels
FEATURES
• Supports large range of file types (PDF, Office, ZIP, etc.)
• CIFS support
• Malicious file quarantine
• Integration via CMS
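"Continuous and incremental network file share analysis" together with "malicious file quarantine" is a loop a practitioner can sketch directly: walk the share, skip what has not changed since the last pass, analyze only new or modified content, and move anything flagged out of reach. The script below is an added example, not the File MPS implementation. The analyzer is a stand-in heuristic (a document extension over a PE "MZ" header) where the product would execute the file in the VX Engine, the share contents are constructed in a temporary directory, and the state layout and quarantine naming are assumptions of the example.

```python
import hashlib
import os
import shutil
import tempfile

DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def header_mismatch(path):
    """Stand-in for VX Engine analysis (assumption of this example): flag a
    file with a document extension whose content begins with a PE 'MZ' header."""
    if os.path.splitext(path)[1].lower() not in DOC_EXT:
        return False
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def scan_share(share, state, quarantine, analyze=header_mismatch):
    """One incremental pass over the share.

    'state' maps share-relative path -> {size, mtime, sha256} from earlier
    passes (persist it between runs, e.g. as JSON). Files whose size and
    mtime are unchanged are skipped without reading; files whose hash is
    unchanged are skipped after reading; only new or modified content reaches
    the analyzer. Flagged files are moved into the quarantine directory, which
    must lie outside the share. Returns sorted (analyzed, quarantined) lists."""
    analyzed, quarantined, current = [], [], {}
    for root, _dirs, files in os.walk(share):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, share).replace(os.sep, "/")
            st = os.stat(path)
            prev = state.get(rel)
            if prev and prev["size"] == st.st_size and prev["mtime"] == st.st_mtime:
                current[rel] = prev                   # unchanged: no read, no hash
                continue
            digest = sha256_file(path)
            entry = {"size": st.st_size, "mtime": st.st_mtime, "sha256": digest}
            if prev and prev["sha256"] == digest:     # touched, content identical
                current[rel] = entry
                continue
            analyzed.append(rel)
            if analyze(path):
                os.makedirs(quarantine, exist_ok=True)
                shutil.move(path, os.path.join(quarantine, rel.replace("/", "__")))
                quarantined.append(rel)               # gone from the share: not recorded
                continue
            current[rel] = entry
    state.clear()
    state.update(current)
    return sorted(analyzed), sorted(quarantined)


def demo():
    """Constructed share: a benign PDF, a 'PDF' carrying a PE header, a text
    file. Pass 1 analyzes all three and quarantines one; pass 2 with nothing
    changed analyzes none; pass 3 after an edit analyzes only the edited file."""
    base = tempfile.mkdtemp()
    share = os.path.join(base, "share")
    quarantine = os.path.join(base, "quarantine")
    os.makedirs(os.path.join(share, "finance"))
    with open(os.path.join(share, "finance", "report.pdf"), "wb") as f:
        f.write(b"%PDF-1.4 constructed benign sample")
    with open(os.path.join(share, "finance", "invoice.pdf"), "wb") as f:
        f.write(b"MZ\x90\x00 constructed PE disguised as a PDF")
    with open(os.path.join(share, "notes.txt"), "w") as f:
        f.write("meeting notes")
    state, results = {}, []
    for edit in (False, False, True):
        if edit:
            with open(os.path.join(share, "notes.txt"), "w") as f:
                f.write("meeting notes, revised after the previous scan")
        results.append(scan_share(share, state, quarantine))
    shutil.rmtree(base)
    return results


if __name__ == "__main__":
    for i, (analyzed, quarantined) in enumerate(demo(), 1):
        print(f"pass {i}: analyzed={analyzed} quarantined={quarantined}")
```

The size-and-mtime shortcut is what keeps a continuous scan cheap on a large share; the hash comparison behind it catches files that were re-saved with identical content, and anything that passes both checks is new content that has to be analyzed before it can spread further over the share.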
VX Engine, PHASE 1 capture for the File MPS: network file shares
Multi-Layered Threat Intelligence Sharing
• Local sharing (seconds): internal feedback loop within a Web MPS
• Cross-enterprise sharing: via the Central Management System across a cross-enterprise Web MPS deployment
• Global sharing: many 3rd-party feeds, validated by FireEye technology
Summary
• The pace of advanced targeted attacks is accelerating, affecting all verticals and all segments
• Traditional defenses (NGFW, IPS, AV, and gateways) no longer stop these attacks
• A real-time, integrated, signature-less solution is required across the Web, email and file attack vectors
• FireEye has engineered the most advanced threat protection to supplement traditional defenses and stop advanced targeted attacks
Complete Protection Against Advanced Targeted Attacks: Web Malware Protection System, Email Malware Protection System, File Malware Protection System
Enjoy the rest of the show!
Thank You!