Copyright © 2015, FireEye, Inc. All rights reserved. CONFIDENTIAL
Defending Against Advanced Threats
Technology, Intelligence, and Expertise working together
Jason Taylor
Solutions Architect, FireEye
Agenda
Current threat landscape
What we’ve learned
The failure of legacy security, and what is working
How FireEye can help
Q&A
CURRENT THREAT LANDSCAPE
$3.5M average cost of a breach
32 days to respond to a breach
205 days median number of days before detection
67% of companies learned they were breached from an external entity
97% of victims had firewalls or up-to-date anti-virus signatures
Source: Mandiant M-Trends Report, Ponemon Cost of Data Breach Study
Almost 7 months is a LONG time…
ABOUT THE ADVERSARY
IT’S A “WHO,” NOT A “WHAT”
There’s a human at a keyboard: highly tailored and customized attacks, targeted specifically at you.
They are professional, organized and well funded: nation-state sponsored; they escalate the sophistication of their tactics as needed.
They have specific objectives: relentlessly focused on their objective; if you kick them out they will return.
Their goal is long-term occupation: persistence tools ensure ongoing access.
The Number of Industries Targeted by Advanced Attackers Continues to Expand and Evolve
(Chart: Industries Where Mandiant Investigated Intrusions)
In 2014 we noted changes in the number of engagements at companies in several key industries, including:
Retail – increase from 4% to 14%
Media & Entertainment – decrease from 13% to 8%
Several industries that previously represented a minor portion of our investigations emerged as notable targets:
Business & Professional Services
Government & International Organizations
Healthcare
Source: Mandiant M-Trends 2015
While Organizations Are Detecting Attackers Sooner, the Typical Incident Saw Attackers Present for 6+ Months
Median number of days attackers were present before detection: 2011: 416; 2012: 243; 2013: 229; 2014: 205
The longest time we detected attackers had been present in the victim’s environment was 2,982 days (over 8 years).
Source: Mandiant M-Trends 2015
Spear Phishing Emails—Often Impersonating the IT Department—Remain a Popular Attack Vector
Compared to last year, attackers sent a larger portion of their emails during the weekend.
Source: Mandiant M-Trends 2015
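The IT-impersonation pattern described above turned into hunting logic over mail-gateway logs, as an added example that is not FireEye's code or part of any FireEye product. The log line format, the organisation domain example.com, the IT keyword list, the scoring weights and the five sample messages are all constructed for this example; the lookalike-domain check is a crude substring heuristic that a real deployment would replace with a proper domain-similarity test.

```python
# Added example (not FireEye's code): hunting mail-gateway logs for spear
# phishing that poses as the IT department, with weekend delivery as a
# supporting signal. Log format, domains, weights and samples are constructed.
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

INTERNAL_DOMAINS = {"example.com"}   # assumed: the organisation's own mail domain(s)

# Words an attacker uses in the display name or subject when posing as IT.
IT_TERMS = re.compile(
    r"\b(it|it support|helpdesk|help desk|sysadmin|administrator|"
    r"security team|webmail)\b", re.I)

# One message per line, in a constructed gateway log format.
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) from="(?P<name>[^"]*)" <(?P<addr>[^>]+)> to=(?P<to>\S+) '
    r'subject="(?P<subj>[^"]*)"(?: url=(?P<url>\S+))?$')

@dataclass
class Finding:
    ts: datetime
    sender: str
    score: int
    reasons: List[str] = field(default_factory=list)

def parse_line(line: str) -> Optional[dict]:
    """Parse one gateway log line; return None for lines we do not understand."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec

def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def is_lookalike(domain: str) -> bool:
    """Crude check: an external domain that reuses our first label (example-com-support.net)."""
    if domain in INTERNAL_DOMAINS:
        return False
    return any(d.split(".")[0] in domain for d in INTERNAL_DOMAINS)

def score_message(rec: dict):
    """Return (score, reasons). Each signal is weak alone; the sum is what gets triaged."""
    reasons, score = [], 0
    dom = sender_domain(rec["addr"])
    external = dom not in INTERNAL_DOMAINS
    claims_it = bool(IT_TERMS.search(rec["name"]) or IT_TERMS.search(rec["subj"]))
    if external and claims_it:          # the core M-Trends pattern
        reasons.append("external sender posing as IT"); score += 3
    if is_lookalike(dom):
        reasons.append(f"lookalike domain {dom}"); score += 2
    if rec["ts"].weekday() >= 5:        # Saturday=5, Sunday=6
        reasons.append("sent on weekend"); score += 1
    if external and rec.get("url"):
        reasons.append("external sender with link"); score += 1
    return score, reasons

def hunt(lines, threshold: int = 3) -> List[Finding]:
    """Score every parseable line and return the ones worth an analyst's time, highest first."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        score, reasons = score_message(rec)
        if score >= threshold:
            findings.append(Finding(rec["ts"], rec["addr"], score, reasons))
    return sorted(findings, key=lambda f: -f.score)

# Constructed sample log: two phishes (one on a Saturday, one on a Sunday),
# a genuine internal helpdesk notice, and ordinary mail.
SAMPLE_LOG = """\
2015-03-14T09:12:03Z from="IT Helpdesk" <helpdesk@example-com-support.net> to=jdoe@example.com subject="Password expires today - verify your account" url=http://example-com-support.net/owa
2015-03-11T14:05:41Z from="Jane Doe" <jane.doe@example.com> to=jdoe@example.com subject="Lunch?"
2015-03-15T22:41:19Z from="Mail Administrator" <admin@mail-quota-alerts.com> to=asmith@example.com subject="Webmail quota exceeded" url=http://mail-quota-alerts.com/login
2015-03-12T10:30:00Z from="Helpdesk" <helpdesk@example.com> to=all@example.com subject="Scheduled maintenance Saturday"
2015-03-13T16:20:12Z from="Acme Newsletter" <news@acme-newsletters.net> to=jdoe@example.com subject="March offers" url=http://acme-newsletters.net/march
"""

def hunt_sample() -> List[Finding]:
    return hunt(SAMPLE_LOG.splitlines())

if __name__ == "__main__":
    for f in hunt_sample():
        print(f"{f.ts:%Y-%m-%d %a} score={f.score} {f.sender}: {', '.join(f.reasons)}")
```

Run as a script it lists the two phishes and nothing else: the internal helpdesk notice scores zero because the sender domain is ours, and the newsletter only earns the weak "external link" point. The weekend signal is deliberately a small additive weight rather than a filter, since most phishing still arrives on weekdays.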
The Evolving Attack Lifecycle
Advanced threat actors continue to evolve their tools and tactics to
reduce the forensic footprint of their activities and evade detection.
Blurred Lines
Cyber criminals are stealing a page from the playbook of APT actors, while APT actors are using tools widely deployed by cyber criminals.
Tactic and examples of overlapping usage:
Social Engineering: This year we saw financial threat groups use spearphishing emails both as the initial infection vector and in their repeated attempts to regain access to the victim after remediation, using victim-specific phishes.
Custom Malware & Tools: In one case, cyber criminals deployed more than 60 variants of malware and utilities that they created over the course of the several years they were in the victim’s environment.
Crimeware: One suspected Russia-based APT group used zero-day exploits to install variants of BlackEnergy, a toolkit widely used by cyber criminals for years.
Maintaining Persistence: Maintaining persistence has long been a hallmark of APT actors, who work to stay in an environment until they’ve completed their mission. But we have seen financial actors increasingly show their ability to maintain a low profile.
Scope of Data Theft: The array of attackers interested in PII has broadened to include APT actors with their own unique objectives, wholly unrelated to financial gain.
Other Advanced Threat Trend Constants
Initial attack vector tends to be e-mail; minimal spearphishing protection in place
Attackers have stolen certificates
Attackers obtain domain administrator credentials quickly
Partner networks are often compromised
VPN is compromised
Attackers are able to freely move within environments undetected
WHAT WE’VE LEARNED
If your network can be compromised, IT WILL BE COMPROMISED
Cyberspace is an ASYMMETRICAL theater
Counter asymmetry by focusing on detection and response (chart: percent effective against dollars spent, prevention versus detection & response)
ATTRIBUTION and THREAT INTELLIGENCE are more important
Disclosure is MORE PROBABLE, and not on your terms
Enterprise VISIBILITY matters most
Your RESPONSE must be paced
Your level of PREPAREDNESS makes a difference
Smart organizations can eliminate the CONSEQUENCES of breaches
THE FAILURE OF LEGACY SECURITY… AND WHAT IS WORKING
What is working?
Network & data segmentation
Ubiquitous two-factor authentication
Privileged identity management
Whitelisting for critical servers
Incident preparedness with pre-deployed forensic capability
Advanced threat protection
Renewed focus on phishing prevention
Moving from reactive to proactive: vulnerability assessments to breach assessments, log management to threat analytics, and hunting
HOW FIREEYE CAN HELP
HOW SECURE DO YOU WANT TO BE?
(Chart: sophistication of the threat plotted against security capability)
Sophistication of the threat, lowest to highest: conventional threats, cyber crime, nation state attacks
Security capability, lowest to highest: compliant, tools-based, integrated framework, dynamic defense, resilient
Marker on the capability axis: withstand 3rd party inspection
FIREEYE CONTINUOUS THREAT PREVENTION PROCESS
DETECT: signature-less and multi-flow virtual machine based approach that leverages superior threat intelligence
RESPOND: remediation support and threat intelligence to recover and improve risk posture
PREVENT: multi-vector inline known and unknown threat prevention
ANALYZE: containment, forensics investigation and kill chain reconstruction
FIREEYE ADAPTIVE DEFENSE
TECHNOLOGY: identifies known, unknown, and non-malware based threats; integrated to protect across all major attack vectors; patented virtual machine technology
EXPERTISE: “go-to” responders for security incidents; hundreds of consultants and analysts; unmatched experience with advanced attackers
INTELLIGENCE: 50 billion+ objects analyzed per day; front line intel from hundreds of incidents; millions of network & endpoint sensors; hundreds of intel and malware experts; hundreds of threat actor profiles; discovered 16 of the last 22 zero-days
DEFINING AN ADAPTIVE DEFENSE STRATEGY
What vectors do you need to protect?
What do you want to know about the attacker?
How do you want to manage and respond?
How do you want to account for it?
QUESTIONS?
IT IS TIME TO REIMAGINE SECURITY