FireEye Use Cases
FireEye Solution Deployment Experience
Valery Elanin, ITBiz
Security Reimagined
Speaker
Presentation notes
View the recording of the corporate FireEye presentation: https://www.brighttalk.com/webcast/7451/99551
FIREEYE PLATFORM OVERVIEW
REAL WORLD TESTS — REAL WORLD RESULTS
CASE STUDY
Virtual Machine-Based Model of Detection
Purpose-Built for Security
Hardened Hypervisor
Scalable
Portable
SECURITY Needs To Be
To Address The New Threat Landscape
FINDS KNOWN/UNKNOWN CYBER-ATTACKS IN REAL TIME ACROSS ALL VECTORS
Speaker
Presentation notes
The underlying architecture that allows FireEye to detect in near real-time today's new breed of constantly morphing threats is the MVX (Multi-Vector Virtual Execution) Engine. The MVX is purpose-built for security, with a homegrown hardened hypervisor that is designed and constantly evolved to catch evasion techniques, while the MVX architecture lends itself to being highly scalable and portable for different deployments and threat vectors.
FireEye's Technology: State of the Art Detection
DETONATE, ANALYZE, CORRELATE (500,000 objects/hour)
Within VMs, Across VMs, Cross-enterprise
Vectors: Network, Email, Mobile, Files
Attack stages: Exploit, Callback, Malware Download, Lateral Transfer, Exfiltration
Speaker
Presentation notes
The advanced threats today have multiple stages, the first stage being the exploit (usually a very small piece of code that allows the attacker to make a home in your organization). Of course, as discussed earlier, a detection system must be able to understand the various stages of an attack and the activities occurring in each stage. The FireEye MVX technology has been purpose-built, over 9 years, to decipher each of these stages, including potential evasion techniques used by attackers. This architecture easily lends itself to being productized for multiple threat vectors: network (to detect web-borne attacks and multi-protocol callbacks) and email (91% of advanced threats start with a spear-phishing attack, but could subsequently migrate to web-based threats via URLs, and hence when you do multiple vectors it is critical to correlate across those vectors). More recently we launched this architecture for mobile threat prevention (the new and evolving class of threats, especially on the Android platform). And we also offer this for file systems, for latent malware that may be residing on your content management systems. In Q4 we were working with one of the largest organizations, which has multiple businesses; one of these creates drawings that are handed off to suppliers to build from. The purpose of this malware is to infect the suppliers and understand the costing for the manufacturing, thereby infecting the entire value chain.
FireEye Product Portfolio
Traditional products: SEG, IPS, SWG, MDM, Host Anti-virus
FireEye platform: MVX, Threat Analytics Platform, Dynamic Threat Intelligence
FireEye products: Network Threat Prevention, Email Threat Prevention, Content Threat Prevention, Mobile Threat Prevention, Endpoint Threat Prevention
Speaker
Presentation notes
Note: Threats at the perimeter: Network Threat Prevention Platform. Data center: Content Threat Prevention Platform for latent malware. Obviously many people are now bringing in mobile devices; with Mobile Threat Prevention, we are able to leverage MVX to analyze the new class of threats, threats via mobile apps (e.g. apps stealing contacts, which provides the attacker the email information, and legally valid sources, for the next stage of attack). On the endpoint, Mandiant brings us the MSO product, which will be rebranded into the FireEye platform as the Endpoint Threat Prevention Platform. Finally, we have the Email Threat Prevention Platform for the spear-phishing attacks that attackers use to penetrate organizations. The Threat Analytics Platform is a new product for analyzing advanced threats using a combination of event logs and security device logs with homegrown threat intelligence from FireEye.
Why Trust FireEye?
11 of 13 zero-days from 2013 discovered by FireEye
First to detect malware over 80% of the time (compared to traditional AV engines)
55 Customer Net Promoter Score, industry-leading
Speaker
Presentation notes
Note: We're not talking about identifying a zero-day vulnerability for which we need to write a signature; these are zero-day vulnerabilities that have an attack manifestation. Two that we didn't identify: Java 0-day targeting Apple (Twitter hack); Microsoft Office for Mac (caught by Google), see http://blogs.technet.com/b/srd/archive/2013/06/11/ms13-051-get-out-of-my-office.aspx. Traditional AV engines (~45 engines) used by VirusTotal. 55 NPS is industry best; technology company benchmarks are 23-52 with a 35 midpoint. NPS methodology: on a scale of 1-10, how likely are you to recommend FE to a colleague or friend? 0-6 = Detractor, 7-8 = Neutral, 9-10 = Promoter. % Promoters - % Detractors = NPS. Consistent themes: the product works; it catches threats no other technologies detect; support is very strong.
Real World Tests, Real World Results: Data Collection Methodologies
Dynamic Threat Intelligence, Email Threat Prevention, Network Threat Prevention
1,614 NX and EX PoV appliances with 2-way sharing license from October 2013 to March 2014
348-customer survey of deployment topology at time of PoV
Speaker
Presentation notes
1259 Web appliances and 355 email appliances
Real World Tests, Real World Results By the Numbers: What Was Discovered During FireEye PoV
1216* PoV customers
20+ industries
63 countries
97% customers compromised
27% had APT
* 1217 PoV executed (one customer conducted two PoV)
Speaker
Presentation notes
1182 customers compromised; 331 APT customers
FireEye PoV Customers By Region
Region: number of PoV customers (% of PoV)
N. America: 528 (43%)
EMEA: 351 (29%)
APAC: 242 (20%)
Japan: 54 (4%)
LATAM: 38 (3%)
ROW: 3 (<1%)
Speaker
Presentation notes
FireEye PoV Customers By Industry
Financial: 18%
Government: 16%
High-Tech: 7%
Chemical & Manufacturing: 7%
Consulting: 7%
Energy: 6%
Retail: 5%
Healthcare: 4%
Others (12+ industries): 30%
Traditional Defense Fails to Stop Today's Threats
Exploit, Malware Download, Command and Control
97% of PoV customers were compromised (attacks went through customers' defense)
75% of PoV customers had CnC communication
Speaker
Presentation notes
The 97% number (compromised) means the % of PoV in which FireEye detects any web infection, malware object, callback, or signature match event (excluding test, URL, and DNS events). The 75% number (active CnC) means the % of PoV in which FireEye detects callback events (excluding test, URL, and DNS events). 1116: total number of PoV (Web only). 843: total number of PoV (Web only) with callback. The 75% (843/1116) number is from the Web PoV only because Email does not catch callback.
Today's Malware is Highly Targeted
75% of all the unique malware detected was seen ONCE
208,184 malware downloads
124,289 unique malware
93,755 malware seen ONCE
Traditional Security Solution in PoV
Firewall (212): Cisco, Check Point, PAN, Juniper, Fortinet, Others
Proxy (119): Blue Coat, WebSense, Cisco, McAfee, Fortinet, Others
IDS/IPS (138): McAfee, Cisco, HP, SourceFire, Check Point, Others
Network AV (75): McAfee, Symantec, Trend, Microsoft, Kaspersky, Others
Desktop AV (169): McAfee, Symantec, Trend, Microsoft, Sophos, Others
Speaker
Presentation notes
The number inside the donut hole is the number of customers who responded that FireEye is behind the security device. Desktop AV is the exception, as that is the number of customers who responded that they have AV deployed on the endpoint. Another data point is that ~75% of Web PoV had callback. This means that the malware successfully installs itself onto the victim PC and is beaconing out, and AV is not able to detect it.
AV Ineffective for Today's Threat
124,289 unique malware MD5s during PoVs
63,035 MD5s known to top 6 AV vendors in PoV
25% malware undetected by any of the top 6 AVs
62% malware undetected by at least 4 of the top 6 AVs
Speaker
Presentation notes
Top 6 AV – McAfee, Symantec, Trend, Microsoft, Sophos, Kaspersky
File-based Sandbox Also Insufficient for Today's Threat
18 PoV customers reported having a file-based sandbox
15 PoV customers had compromised endpoints with active callback
They were protected by (vendor shares as charted): 32%, 32%, 11%, 11%, 5%, 5%, 5%
Speaker
Presentation notes
15 out of 18 have active callback (indicating the machine is compromised). Sandbox products: PAN WildFire, WebSense TRITON, SourceFire AMP, Blue Coat ATP, Check Point Threat Emulation, Fidelis XPS, Fortinet FortiSandbox.
Risk Exposure by threat level (1 = Low to 5 = High)
Level 1. Threat: ignorant of environment, fixed behavior, no data theft capacity. Risk exposure: nuisance infection, loss of productivity, cost of cleaning up device and restoring.
Level 2. Threat: noisy, sends spam or DDoS, consumes system-wide resources, is able to send and receive instructions. Risk exposure: leads to disruption and potential for embarrassment as source of illegal activity.
Level 3. Threat: steals personal data (identity theft, banking information, credit cards, social security numbers), resilient communication system, modular system, incremental payloads. Risk exposure: reputation risk; targets sensitive and controlled data; disclosure has potential for reduced morale/confidence from victims; grievances and regulatory controls may lead to possible legal action.
Level 4. Threat: remotely controlled asset, highly functional, is able to hide, is aware of its environment, sells access and steals data to make money. Risk exposure: financial risk; steals corporate credentials for network access, email, etc.; will leak or sell confidential information; provides exposure to all other threat levels.
Level 5. Threat: highly targeted, preferred tool of nation state actors, stealthy campaigns. Risk exposure: major business risk; espionage; steals competitive advantage, intellectual property, trade secrets, R&D, commercial and political data.
Count by malware class: APT 1, Trojan 17, Backdoor 1, Bot 5, Virus 1, Infostealer 2, Worm 1
National PoV Results
5+ PoV customers
500+ users
3 industries
100% customers compromised
Zero-day (1), Infostealer (300+), Trojans (1000+)
40% had APT
Example: Council on Foreign Relations (CFR) Attack
Lateral spread infecting more machines
About CFR:
• Independent, nonpartisan organization, think tank, and publisher
• Influential among US policy makers
• Members include preeminent personalities and corporations
Speaker
Presentation notes
Let's take a real-life example of how the FireEye technology can help you. This example illustrates an attack that was targeted towards US foreign relations personnel, using the Council on Foreign Relations website. CFR is often visited by various dignitaries and foreign policy makers to consume information. On this day (in Dec 2012), this website was used to download an exploit to the client machine and take it over to infiltrate other machines in the environment. It followed the classic attack life cycle we explained earlier, from initial exploit to malware download to lateral spread to exfiltration. Interestingly, in this exploit the attackers also used object-level encryption for the malware download (which could only be detected if you detected the exploit phase!). While this was targeted towards a nation state, the same mechanism has also been used by attackers against other entities, such as the Google attack (Operation Aurora), the famous RSA attack, etc. In this case FireEye was deployed in front of some of the client machines at the dignitaries and was able to detect and prevent the attack in progress.
FireEye Platform: Workflow
1. FireEye Network Platforms monitor flows for events (MVX):
Signature-less virtual execution technology
Monitors for targeted and zero-day attacks
Multi-vector threat defense
Real-time threat protection
2. FireEye Network Platforms alert FireEye HX on event (+ OS change report)
FireEye Platform: Workflow
3. FireEye HX validates endpoints for compromise
Agent Anywhere™ automatically investigates endpoints no matter where they are:
Reach endpoints anywhere
Understand what happened without forensics
Detect events in the past
Endpoint locations: Airplane, Hotel, Corporate Headquarters, Home Office, Coffee Shop
Speaker
Presentation notes
Reference: Agent Anywhere is done through the presence of a DMZ device
FireEye Platform: Workflow
4. Contain & Isolate Compromised Devices
Deny attackers access to systems with a single mouse click while still allowing remote investigation.
Endpoint locations: Airplane, Hotel, Corporate Headquarters, Home Office, Coffee Shop
Speaker
Presentation notes
Reference: Contain is done using device drivers on the endpoint to cut off communication with the network, but can still allow communications with the internal Endpoint appliance (and selected destinations) for forensics and remediation.
Large and Growing Base of Customers
Small, Medium, Enterprise
Government, Infrastructure, High Tech, Healthcare, Financial Services, Insurance, Retail
Speaker
Presentation notes
Note: Advanced threats aren't just going after large organizations. They also go down to the smaller and mid-market enterprises. Purposes might be different: while I might penetrate larger organizations for IP, a smaller organization might be a springboard for the larger organization (and several small organizations themselves hold tons of intellectual property and customer records, but are usually starved for resources to devote to security).
Key Takeaways: FireEye by the Numbers
54M malware events detected in customer networks in 2013
45M callbacks to 184 countries detected in 2013
248 APT campaigns detailed in the APT Encyclopedia
4M purpose-built VMs and endpoint agents deployed at points of attack
1000s of incidents addressed by FireEye security experts
1500+ customers across various verticals actively contributing to threat intelligence
Speaker
Presentation notes
Note: 4M: 2M virtual machines running around the world and 2M endpoint agents providing worldwide intelligence. 248: APT campaigns observed and detailed in the APT Encyclopedia, which helps feed our intelligence and power the MVX engines and their evolution.