fireeye use cases — fireeye solution deployment experience


Upload: valery-yelanin

Posted on 18-Jan-2017


TRANSCRIPT

Page 1: FireEye Use Cases — FireEye Solution Deployment Experience

FireEye Use Cases
FireEye Solution Deployment Experience
Valery Elanin, ITBiz

Security Reimagined

Speaker notes:
View the recording of the corporate FireEye presentation: https://www.brighttalk.com/webcast/7451/99551

Page 2

Agenda

FIREEYE PLATFORM OVERVIEW
REAL WORLD TESTS, REAL WORLD RESULTS
CASE STUDY

Page 3

Virtual Machine-Based Model of Detection
Purpose-built for security
Hardened hypervisor
Scalable
Portable

Security needs to be reimagined to address the new threat landscape

Finds known and unknown cyber-attacks in real time across all vectors

Speaker notes:
The underlying architecture that allows FireEye to detect, in near real time, today's new breed of constantly morphing threats is the MVX (Multi-Vector Virtual Execution) engine. MVX is purpose-built for security, with a homegrown hardened hypervisor that is designed and constantly evolved to catch evasion techniques, and the MVX architecture is highly scalable and portable across different deployments and threat vectors.

Page 4

FireEye's Technology: State of the Art Detection

Detonate (500,000 objects/hour) within VMs; analyze across VMs; correlate cross-enterprise

Vectors: Network, Email, Mobile, Files
Attack stages: Exploit, Callback, Malware Download, Lateral Transfer, Exfiltration

Speaker notes:
Today's advanced threats have multiple stages. The first stage is the exploit, usually a very small piece of code that lets the attacker establish a foothold in your organization. As discussed earlier, a detection system must understand the various stages of an attack and the activity that occurs in each stage. The FireEye MVX technology has been purpose-built, over 9 years, to decipher each of these stages, including the evasion techniques attackers may use.

This architecture lends itself to being productized for multiple threat vectors: network (to detect web-borne attacks and multi-protocol callbacks) and email (91% of advanced threats start with a spear-phishing attack, but may subsequently migrate to web-based threats via URLs, so when you cover multiple vectors it is critical to correlate across them). More recently we launched this architecture for mobile threat prevention (a new and evolving class of threats, especially on the Android platform), and we also offer it for file systems, for latent malware that may be residing on your content management systems.

In Q4 we were working with one of the largest organizations, which has multiple businesses; one of them creates drawings that are handed off to suppliers to build from. The purpose of the malware was to infect the suppliers and learn the manufacturing costs, thereby infecting the entire value chain.

Page 5

FireEye Product Portfolio

Traditional controls shown alongside: SEG, IPS, SWG, MDM, host anti-virus
FireEye components: MVX, Dynamic Threat Intelligence, Threat Analytics Platform, Network Threat Prevention, Content Threat Prevention, Mobile Threat Prevention, Endpoint Threat Prevention, Email Threat Prevention

Speaker notes:
Threats at the perimeter: the Network Threat Prevention Platform. Data center: the Content Threat Prevention Platform, for latent malware. Many people are now bringing in mobile devices; with Mobile Threat Prevention we are able to leverage MVX to analyze the new class of threats that arrive via mobile apps, e.g. apps stealing contacts, which gives the attacker email addresses (from legitimate sources) for the next stage of the attack. On the endpoint, Mandiant brings us the MSO product, which will be rebranded into the FireEye platform as the Endpoint Threat Prevention Platform. Finally, the Email Threat Prevention Platform addresses the spear-phishing attacks that attackers use to penetrate organizations. The Threat Analytics Platform is a new product for analyzing advanced threats using a combination of event logs and security device logs with homegrown threat intelligence from FireEye.

Page 6

Why Trust FireEye?

11 of 13 zero-days from 2013 discovered by FireEye
First to detect malware over 80% of the time (compared to traditional AV engines)
55: industry-leading customer Net Promoter Score

Speaker notes:
Note: we are not talking about identifying a zero-day vulnerability for which we then need to write a signature; these are zero-day vulnerabilities with an attack manifestation. The two we did not identify: the Java 0-day targeting Apple (the Twitter hack), and Microsoft Office for Mac (caught by Google): http://blogs.technet.com/b/srd/archive/2013/06/11/ms13-051-get-out-of-my-office.aspx. Traditional AV engines means the ~45 engines used by VirusTotal. An NPS of 55 is industry best; technology company benchmarks are 23-52 with a 35 midpoint. NPS methodology: on a scale of 0-10, how likely are you to recommend FireEye to a colleague or friend? 0-6 = detractor, 7-8 = neutral, 9-10 = promoter; % promoters minus % detractors = NPS. Consistent themes: the product works; it catches threats no other technologies detect; support is very strong.

Page 7

Real World Tests, Real World Results: Data Collection Methodologies

Dynamic Threat Intelligence; Email Threat Prevention; Network Threat Prevention

1,614 NX and EX PoV appliances with a 2-way sharing license, October 2013 to March 2014
348 customer surveys of deployment topology at the time of the PoV

Speaker notes:
1,259 web (NX) appliances and 355 email (EX) appliances

Page 8

Real World Tests, Real World Results, by the Numbers: What Was Discovered During FireEye PoV

1,216* PoV customers
20+ industries
63 countries
97% of customers compromised
27% had APT

* 1,217 PoVs executed (one customer conducted two PoVs)

Speaker notes:
1,182 customers compromised; 331 customers with APT

Page 9

FireEye PoV Customers by Region

Region       PoV customers   % of PoV
N. America   528             43%
EMEA         351             29%
APAC         242             20%
Japan         54              4%
LATAM         38              3%
ROW            3             <1%

Page 10

FireEye PoV Customers by Industry

Financial 18%
Government 16%
High-Tech 7%
Chemical & Manufacturing 7%
Consulting 7%
Energy 6%
Retail 5%
Healthcare 4%
Others (12+) 30%

Page 11

Traditional Defense Fails to Stop Today's Threats

Exploit, then Malware Download, then Command and Control

97% of PoV customers were compromised (attacks went through the customers' defenses)
75% of PoV customers had CnC communication

Speaker notes:
The 97% (compromised) figure is the percentage of PoVs in which FireEye detected any web infection, malware object, callback, or signature-match event (test, URL and DNS events excluded).
The 75% (active CnC) figure is the percentage of PoVs in which FireEye detected callback events (test, URL and DNS events excluded).
1,116: total number of web-only PoVs. 843: web-only PoVs with callback. The 75% (843/1,116) is computed over the web PoVs only, because the email appliance does not catch callbacks.

Page 12

Today's Malware is Highly Targeted

75% of all the unique malware detected was seen only once
208,184 malware downloads
124,289 unique malware samples
93,755 malware samples seen once

Page 13

Traditional Security Solutions in the PoV

Firewall (212): Cisco, Check Point, PAN, Juniper, Fortinet, Others
Proxy (119): Blue Coat, WebSense, Cisco, McAfee, Fortinet, Others
IDS/IPS (138): McAfee, Cisco, HP, SourceFire, Check Point, Others
Network AV (75): McAfee, Symantec, Trend, Microsoft, Kaspersky, Others
Desktop AV (169): McAfee, Symantec, Trend, Microsoft, Sophos, Others

Speaker notes:
The number in parentheses (the donut hole on the slide) is the number of customers who responded that FireEye sits behind that security device. Desktop AV is the exception: that is the number of customers who responded that they have AV deployed on the endpoint. Another data point: ~75% of web PoVs had callbacks, meaning the malware successfully installed itself on the victim PC and is beaconing out, and AV is not able to detect it.

Page 14

AV Ineffective for Today's Threats

124,289 unique malware MD5s during PoVs
63,035 MD5s known to the top 6 AV vendors in the PoV
25% of malware undetected by any of the top 6 AVs
62% of malware undetected by at least 4 of the top 6 AVs

Speaker notes:
Top 6 AV: McAfee, Symantec, Trend, Microsoft, Sophos, Kaspersky

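The four figures the deck builds its case on (the compromised and active-CnC rates with their exclusions on page 11, the share of malware seen once on page 12, and the top-6 AV coverage on page 14) are straightforward to recompute once the appliance event log is in hand. The Python below is an added example, not code from the deck or from FireEye; the event schema, the PoV identifiers, the sample events and the AV scan results are constructed for illustration, and only the metric definitions are taken from the speaker notes.

```python
"""Recompute the PoV metrics defined on the preceding slides from an event log.

Added example, not code from the FireEye deck or from FireEye. The event
schema, the sample events and the AV scan results are constructed; only the
metric definitions come from the slides' speaker notes.
"""
from collections import Counter

# Event categories the slides' definitions use. Test, URL and DNS events are
# excluded from both the "compromised" and the "active CnC" figures.
COMPROMISE_EVENTS = {"web-infection", "malware-object", "callback", "signature-match"}
EXCLUDED_EVENTS = {"test", "url-match", "dns-match"}
# The six vendors named in the speaker notes for the "AV ineffective" slide.
TOP6_AV = {"McAfee", "Symantec", "Trend", "Microsoft", "Sophos", "Kaspersky"}

# Constructed sample event log: (pov_id, appliance vector, event type, md5 of
# the downloaded object or None). "web" stands for an NX appliance, "email" for EX.
EVENTS = [
    ("pov-001", "web",   "malware-object",  "md5-a"),
    ("pov-001", "web",   "callback",        None),
    ("pov-002", "web",   "web-infection",   None),
    ("pov-002", "web",   "malware-object",  "md5-b"),
    ("pov-003", "web",   "url-match",       None),   # excluded: URL events do not count
    ("pov-003", "web",   "dns-match",       None),   # excluded: DNS events do not count
    ("pov-004", "email", "malware-object",  "md5-a"),
    ("pov-004", "email", "malware-object",  "md5-c"),
    ("pov-005", "web",   "test",            None),   # excluded: test traffic
    ("pov-006", "web",   "signature-match", None),
    ("pov-006", "web",   "callback",        None),
    ("pov-007", "web",   "malware-object",  "md5-d"),
    ("pov-007", "web",   "malware-object",  "md5-e"),
]

# Constructed AV scan results: for each MD5, the top-6 vendors that flagged it.
# md5-e has no scan result at all, so it is not "known" to the vendors.
AV_SCANS = {
    "md5-a": {"McAfee", "Symantec", "Trend", "Microsoft", "Sophos", "Kaspersky"},
    "md5-b": set(),                             # missed by all six
    "md5-c": {"Kaspersky"},                     # missed by five
    "md5-d": {"McAfee", "Symantec", "Trend"},   # missed by three
}


def _pct(num, den):
    """Percentage rounded to one decimal; 0.0 on an empty denominator."""
    return round(100.0 * num / den, 1) if den else 0.0


def compromise_rate(events):
    """The '97%' definition: PoVs with at least one web infection, malware
    object, callback or signature-match event, over all PoVs."""
    all_povs = {pov for pov, _, _, _ in events}
    hit = {pov for pov, _, kind, _ in events
           if kind not in EXCLUDED_EVENTS and kind in COMPROMISE_EVENTS}
    return {"compromised": len(hit), "povs": len(all_povs),
            "pct": _pct(len(hit), len(all_povs))}


def callback_rate(events):
    """The '75%' definition: PoVs with a callback event, over web PoVs only,
    because the email appliance never sees callbacks."""
    web_povs = {pov for pov, vector, _, _ in events if vector == "web"}
    with_callback = {pov for pov, vector, kind, _ in events
                     if vector == "web" and kind == "callback"}
    return {"callbacks": len(with_callback), "web_povs": len(web_povs),
            "pct": _pct(len(with_callback), len(web_povs))}


def malware_stats(events):
    """Downloads, unique MD5s and the share of MD5s seen exactly once."""
    per_md5 = Counter(md5 for _, _, kind, md5 in events
                      if kind == "malware-object" and md5)
    seen_once = sum(1 for n in per_md5.values() if n == 1)
    return {"downloads": sum(per_md5.values()), "unique": len(per_md5),
            "seen_once": seen_once, "pct_seen_once": _pct(seen_once, len(per_md5))}


def av_coverage(events, scans, vendors=TOP6_AV, miss_threshold=4):
    """Of the unique MD5s that have a scan result, how many no vendor flagged
    and how many at least `miss_threshold` of the vendors missed."""
    md5s = {md5 for _, _, kind, md5 in events if kind == "malware-object" and md5}
    known = [md5 for md5 in md5s if md5 in scans]
    undetected_by_any = sum(1 for md5 in known if not (scans[md5] & vendors))
    missed_by_many = sum(1 for md5 in known
                         if len(vendors - scans[md5]) >= miss_threshold)
    return {"unique": len(md5s), "known": len(known),
            "undetected_by_any": undetected_by_any,
            "pct_undetected_by_any": _pct(undetected_by_any, len(known)),
            "missed_by_4_plus": missed_by_many,
            "pct_missed_by_4_plus": _pct(missed_by_many, len(known))}


if __name__ == "__main__":
    for name, fn in (("compromise", compromise_rate), ("callback", callback_rate),
                     ("malware", malware_stats)):
        print(name, fn(EVENTS))
    print("av", av_coverage(EVENTS, AV_SCANS))
```

Running it prints the four result dictionaries. The points worth noticing are the ones the notes spell out: test, URL and DNS events never count toward compromise, and the callback rate is taken over web PoVs only, so the two headline percentages have different denominators and should not be compared directly. The AV figures are likewise computed only over samples that have a scan result, which is why the "known to the top 6 vendors" count on the slide matters.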
Page 15

File-based Sandbox Also Insufficient for Today's Threats

18 PoV customers reported having a file-based sandbox
15 of them had compromised endpoints with active callback
They were protected by (shares as shown on the slide, in slide order): 32%, 32%, 11%, 11%, 5%, 5%, 5%

Speaker notes:
15 out of 18 have active callback (which indicates the machine is compromised). Sandboxes in place: PAN WildFire, WebSense TRITON, SourceFire AMP, Blue Coat ATP, Check Point Threat Emulation, Fidelis XPS, Fortinet FortiSandbox.

Page 16

Risk Exposure (1 = low, 5 = high)

1. Ignorant of its environment; fixed behavior; no data-theft capability. Risk: nuisance infection, loss of productivity, cost of cleaning up the device and restoring it.
2. Noisy; sends spam or DDoS; consumes system-wide resources; able to send and receive instructions. Risk: disruption and potential embarrassment as the source of illegal activity.
3. Steals personal data: identity theft, banking information, credit cards, social security numbers; resilient communication system; modular, with incremental payloads. Risk: reputation risk; targets sensitive and controlled data; disclosure can reduce the morale and confidence of victims; grievances and regulatory controls may lead to legal action.
4. Remotely controlled asset; highly functional; able to hide; aware of its environment; sells access and steals data to make money. Risk: financial risk; steals corporate credentials for network access, email, etc.; will leak or sell confidential information; provides exposure to all other threat levels.
5. Highly targeted; the preferred tool of nation-state actors; stealthy campaigns. Risk: major business risk; espionage; steals competitive advantage, intellectual property, trade secrets, R&D, commercial and political data.

Detections by category: APT 1, Trojan 17, Backdoor 1, Bot 5, Virus 1, Infostealer 2, Worm 1

Page 17

National PoV Results

5+ PoV customers
500+ users
3 industries
100% of customers compromised
40% had APT
Detected: zero-day (1), infostealers (300+), trojans (1000+)

Page 18

Example: Council on Foreign Relations (CFR) Attack

Lateral spread, infecting more machines

About CFR:
• Independent, nonpartisan organization, think tank, and publisher
• Influential among US policy makers
• Members include preeminent personalities and corporations

Speaker notes:
Let's take a real-life example of how the FireEye technology can help you. This example illustrates an attack targeted at US foreign relations personnel, using the Council on Foreign Relations website, which dignitaries and foreign policy makers often visit to consume information. On this day (in December 2012), the website was used to download an exploit to the client machine, take it over, and infiltrate other machines in the environment. It followed the classic attack life cycle explained earlier: initial exploit, malware download, lateral spread, exfiltration. Interestingly, in this attack the attackers also used object-level encryption for the malware download, which could only be detected by detecting the exploit phase. While this was targeted at a nation-state audience, the same mechanism has also been used by attackers against other entities, such as the Google attack (Operation Aurora) and the well-known RSA attack. In this case FireEye was deployed in front of some of the dignitaries' client machines and was able to detect and prevent the attack in progress.

Page 19

FireEye Platform: Workflow

1. FireEye network platforms (MVX) monitor flows for events: signature-less virtual execution technology; monitors for targeted and zero-day attacks; multi-vector threat defense; real-time threat protection
2. FireEye network platforms alert FireEye HX on an event (+ OS change report)

Page 20

FireEye Platform: Workflow

3. FireEye HX validates endpoints for compromise
Agent Anywhere™ automatically investigates endpoints no matter where they are (corporate headquarters, home office, hotel, airplane, coffee shop): reach endpoints anywhere; understand what happened without forensics; detect events in the past

Speaker notes:
Reference: Agent Anywhere is done through the presence of a DMZ device.

Page 21

FireEye Platform: Workflow

4. Contain and isolate compromised devices
Deny attackers access to systems with a single mouse click while still allowing remote investigation, wherever the endpoint is (corporate headquarters, home office, hotel, airplane, coffee shop).

Speaker notes:
Reference: Contain is done using device drivers on the endpoint to cut off communication with the network, while still allowing communication with the internal endpoint appliance (and selected destinations) for forensics and remediation.

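A model of the containment policy the note above describes, as an added example and not FireEye's driver or code: the appliance address, the selected destinations, the sample connections and the rendered nftables syntax are all assumptions of this example. The point it shows is that containment is a default-deny egress rule with a short allow-list, and that the allow-list must be narrow enough that a callback, DNS included, has nowhere to go while the appliance stays reachable.

```python
"""Model of an endpoint 'contain' policy: drop all egress except to the endpoint
appliance and a few selected destinations.

Added example, not FireEye's driver or code. HX_APPLIANCE, SELECTED_DESTINATIONS,
SAMPLE_CONNECTIONS and the nftables rendering are assumptions for illustration.
"""
import ipaddress

# Assumed internal endpoint (HX) appliance and selected extra destinations.
HX_APPLIANCE = "10.10.5.20"
SELECTED_DESTINATIONS = [
    ("10.10.5.0/24", 443),   # e.g. an internal forensics collector over HTTPS
    ("10.10.9.7", 445),      # e.g. a remediation file share
]

# Constructed connection attempts from a contained host: (dst_ip, dst_port).
SAMPLE_CONNECTIONS = [
    ("10.10.5.20", 443),     # endpoint appliance: allowed on any port
    ("10.10.5.20", 8443),
    ("10.10.5.77", 443),     # selected subnet on its allowed port
    ("10.10.5.77", 22),      # same subnet, wrong port: dropped
    ("10.10.9.7", 445),      # selected host and port: allowed
    ("8.8.8.8", 53),         # DNS to the internet: dropped, no resolving out
    ("203.0.113.9", 443),    # would-be C2 callback: dropped
    ("127.0.0.1", 8080),     # loopback: allowed
]


class ContainmentPolicy:
    """Default-deny egress filter: a connection is allowed only if it matches an
    allow rule (network, optional port). Loopback is allowed by default so local
    agent components keep working."""

    def __init__(self, appliance, selected=(), allow_loopback=True):
        # Each rule is (ip_network, port or None); the appliance is allowed on any port.
        self.rules = [(ipaddress.ip_network(appliance), None)]
        self.rules += [(ipaddress.ip_network(net), port) for net, port in selected]
        if allow_loopback:
            self.rules += [(ipaddress.ip_network("127.0.0.0/8"), None),
                           (ipaddress.ip_network("::1/128"), None)]

    def allows(self, dst_ip, dst_port):
        ip = ipaddress.ip_address(dst_ip)
        for net, port in self.rules:
            if ip.version == net.version and ip in net and port in (None, dst_port):
                return True
        return False   # default deny: anything not explicitly listed is dropped

    def evaluate(self, connections):
        """Return [(dst_ip, dst_port, allowed)] for a batch of attempted connections."""
        return [(ip, port, self.allows(ip, port)) for ip, port in connections]

    def nftables(self):
        """Render the equivalent nftables output chain, a Linux analogue of the
        endpoint driver the notes describe (assumed syntax, for illustration)."""
        lines = ["table inet contain {", "  chain output {",
                 "    type filter hook output priority 0; policy drop;",
                 "    oif lo accept"]
        for net, port in self.rules:
            if net.is_loopback:
                continue   # covered by the 'oif lo' rule above
            family = "ip" if net.version == 4 else "ip6"
            target = str(net.network_address) if net.num_addresses == 1 else str(net)
            rule = f"    {family} daddr {target}"
            if port is not None:
                rule += f" tcp dport {port}"
            lines.append(rule + " accept")
        lines += ["  }", "}"]
        return "\n".join(lines)


if __name__ == "__main__":
    policy = ContainmentPolicy(HX_APPLIANCE, SELECTED_DESTINATIONS)
    for ip, port, ok in policy.evaluate(SAMPLE_CONNECTIONS):
        print(f"{ip}:{port} -> {'allow' if ok else 'drop'}")
    print(policy.nftables())
```

Two design points carry over to any real containment control: the rule set is a positive allow-list with a drop default, never a block-list of known C2 addresses, and DNS is not exempted, because a beacon that can still resolve names can still exfiltrate through them. The `allow_loopback` switch is there because some agents need local IPC; turning it off is the stricter choice if the agent does not.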
Page 22

Large and Growing Base of Customers

Small, medium and enterprise customers across government, infrastructure, high tech, healthcare, financial services and insurance, and retail

Speaker notes:
Note: advanced threats are not just going after large organizations; they also go down to smaller and mid-market enterprises. The purposes may differ: an attacker might penetrate a larger organization for its IP, while a smaller organization might be a springboard into the larger one (and many small organizations themselves hold plenty of intellectual property and customer records, but are usually starved for resources to devote to security).

Page 23

Key Takeaways: FireEye by the Numbers

54M malware events detected in customer networks in 2013
45M callbacks to 184 countries detected in 2013
248 APT campaigns detailed in the APT Encyclopedia
4M purpose-built VMs and endpoint agents deployed at points of attack
1000s of incidents addressed by FireEye security experts
1500+ customers across various verticals actively contributing to threat intelligence

Speaker notes:
Note: 4M means 2M virtual machines running around the world plus 2M endpoint agents providing worldwide intelligence. 248 is the number of APT campaigns observed and detailed in the APT encyclopedia, which feeds our intelligence and powers the MVX engines and their evolution.

Page 24

Security Reimagined

Thank You