©2019 FireEye
Heros Deidda
Hackers have always worked remotely
Our History
Timeline (figure): 2004: Signatureless Detection; 2004: Incident Response; 2006: Attacker Intelligence; 2014; 2016
EXPERT HUMAN CAPITAL AND INTELLIGENCE AS COMPETITIVE ADVANTAGES
Our real-time knowledge of the threat landscape ensures that FireEye solutions are built to directly address today’s threat actors and the techniques they employ.
The FireEye Ecosystem
Endpoint Security: Overview
Provides comprehensive endpoint defense, protecting from threats, detecting attacks, and empowering response.
§ Unified endpoint protection and endpoint detection and response
§ Protection against known threats with signatures
§ Protection against advanced threats with MalwareGuard
§ Protection against exploits and scripts with ExploitGuard
§ Detection of anomalous behavior with real-time IOC engine
§ Advanced forensics and hunting tools used by Mandiant
§ Deployable on premise, virtual, and cloud
§ Covering Windows, MacOS, and Linux
FireEye Endpoint Security at a Glance
§ Ultimate endpoint security: unified EDR + EPP
§ Protects against known threats with malware protection
§ Protects against unknown threats with MalwareGuard
§ Protects against malware and exploits with ExploitGuard
§ Detects anomalous behavior with real-time IOC engine
§ Provides advanced forensics and hunting tools
§ Deployable on premise, virtual, and cloud
How We Do It
Protect
§ Malware Protection
§ MalwareGuard
§ ProcessGuard
§ ExploitGuard
Detect
§ Indicators of Compromise
§ Enterprise Search
§ Investigative Data Acquisition
Respond
§ Auto Containment
§ On or off network response
§ Respond at scale
FireEye Endpoint Security in Action
Attack lifecycle (figure): Initial Reconnaissance, Initial Compromise, Establish Foothold, Escalate Privileges, Internal Reconnaissance, Maintain Presence, Move Laterally, Complete Mission
Controls mapped onto the lifecycle: MP (Malware Protection), MG (MalwareGuard), EG (ExploitGuard), RT (Real Time IoC); outcomes: Automatic Block & Quarantine, Advanced Detection, Containment
Email Security: Overview
Technology: Detects and blocks unknown malicious threats. Defends against phishing sites with Advanced URL inspection and re-write.
Intelligence: Identifies impersonation techniques with Smart DNS. Prioritizes critical threats using event context from frontline investigations.
Analytics: Connects threats and attacks across the security environment. Uses email-specific threat intelligence to stop hard-to-detect threats.
Secure Email Gateway
Stops threats with first-hand knowledge of attacks and attackers (figure: Smart DNS combination, MVX, FAUDE; attachments, URLs, impersonation, multi-stage; 40M+ mailboxes)
Threats identified and blocked:
§ New Phishing Sites (credential theft)
§ Impersonation (CEO fraud, sender spoofing)
§ Unknown Malware (attachments, zero day)
Capabilities:
§ Advanced URL Defense
§ Smart DNS* (deep relationship analysis)
§ MVX Engine (attachment & URL detonation)
§ Intelligence (frontline investigation)
Impersonation Detection
Techniques Used to Stop Evolving Inline Attacks
§ Newly Existing Domains
§ Looks-Like & Sounds-Like Domains
§ Reply-to Address & Message Header Analysis
§ Friendly Display Name & Username Matching
§ CEO Fraud Algorithms
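The slide only names the impersonation checks; as an added illustration (not FireEye's code) this Python detector implements three of them on constructed headers: looks-like domains (homoglyph folding plus a similarity ratio), friendly display-name matching against an executive list, and Reply-To divergence from the sender domain. The protected domain, the executive list and the sample headers are all assumptions made up for the example.

```python
import re
from difflib import SequenceMatcher

# Constructed configuration for the example (not FireEye's): domain to protect, executives whose names get borrowed.
PROTECTED_DOMAINS = {"example.com"}
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}

def normalize(domain):
    """Fold characters that visually resemble others (rn->m, vv->w, 0->o, 1->l, 3->e, 5->s, 7->t)."""
    folded = domain.lower().replace("rn", "m").replace("vv", "w")
    return folded.translate(str.maketrans("01357", "olest"))

def lookalike(domain, protected=PROTECTED_DOMAINS):
    """Return the protected domain that `domain` imitates, or None (exact matches are not flagged)."""
    label = normalize(domain).split(".")[0]
    for good in protected - {domain}:
        close = SequenceMatcher(None, label, good.split(".")[0]).ratio() >= 0.85
        if normalize(domain) == good or close:
            return good
    return None

def parse_address(header):
    """Split 'Display Name <user@host>' into (name, lowercase address); bare addresses get an empty name."""
    m = re.match(r'\s*"?([^"<]*?)"?\s*<([^>]+)>', header)
    if m:
        return m.group(1).strip(), m.group(2).strip().lower()
    return "", header.strip().lower()

def check_message(msg):
    """Return the impersonation signals found in a message's From / Reply-To headers."""
    findings = []
    name, addr = parse_address(msg["from"])
    domain = addr.rsplit("@", 1)[-1]
    if hit := lookalike(domain):
        findings.append(f"looks-like domain {domain} imitates {hit}")
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        findings.append(f"display name '{name}' used from unexpected address {addr}")
    if "reply-to" in msg:
        reply_domain = parse_address(msg["reply-to"])[1].rsplit("@", 1)[-1]
        if reply_domain != domain:
            findings.append(f"reply-to domain {reply_domain} diverges from {domain}")
    return findings

# Constructed sample headers: one legitimate, one CEO-fraud style, one look-alike domain.
SAMPLES = [
    {"from": '"Jane Doe" <jane.doe@example.com>'},
    {"from": "Jane Doe <ceo.office@webmail.example>", "reply-to": "pay@other.example"},
    {"from": "it-helpdesk@exarnple.com"},
]
```

Running `check_message` over each entry in `SAMPLES` yields no findings for the first, two for the second (display name and Reply-To) and one for the third (looks-like domain).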
Auto Remediate for Office 365 Actions
Auto Remediate: Email becomes weaponized post-delivery (retroactively). Policy action quarantines, moves or deletes the malicious message from the inbox.
Move: Moves malicious email from the inbox to any administrator-defined folder.
Quarantine: Removes malicious email from the inbox and places it in quarantine within Cloud Edition for review.
Delete: Permanently deletes malicious email from the inbox.
FireEye Network Security Business Value
§ Reduce Breach Impact by empowering expert decisions with frontline intelligence
§ Improve Security Efficiencies by eliminating noise and providing the alerts that matter
§ Prevent Malicious Attacks by catching threats that other solutions miss
The Benefits of FireEye Network Security
Detect the Undetectable; Gain Additive Protection via FireEye’s Global Footprint; Make Investments More Efficient
§ ATTACKER INSIGHT: Deep insight of attacker tactics, techniques and procedures
§ DYNAMIC THREAT INTEL: Automated protection gained from threats detected worldwide
§ BREACH EXPERTISE: Applied intelligence gained from the frontline
§ SMARTVISION: Detect suspicious lateral network traffic
§ INTELLIGENCE DRIVEN: Infused intelligence with advanced technologies
§ MULTI-OS SUPPORT: Stopping threats that target Macs and PCs
§ HIGH FIDELITY ALERTS: Low false positives to target alerts that matter
§ ORCHESTRATION: Pivot to Helix Platform to automate tasks
§ FLEXIBILITY: Multiple deployment options (inline, out of band) and form factors
Greater Functionality
FireEye Network Security: more than just a “sandbox”
§ IPS
§ Riskware
§ SSL Intercept
§ Call back detection
§ Metadata generation
§ Smart Vision for Lateral Movement
§ Smart Grid and Cloud MVX
Industry Leading Analysis
Industry-leading Malware Analysis: adding a multitude of heuristics, deep code and content analysis, including:
– Code Analysis, which includes function analysis and similarity analysis;
– Statistical Analysis, which includes N-gram analysis and entropy analysis;
– Embedded URL analysis capability;
– Emulation Analysis, which includes object emulation; and
– Global cloud-based analysis of known and unknown objects.
MVX pipeline (figure): De-obfuscate, Decompile, Decompress, Extract Payload, Emulation, Code Analysis, Statistical Analysis
Business Value
§ Detect advanced threats by correlating data from multiple tools
§ Gain visibility by centralizing security data and infrastructure
§ Minimize the impact of an incident by accelerating response with orchestration and automation
FireEye Helix
Technology: Next-Gen SIEM to surface unseen threats; Cloud Visibility to detect threats outside your network; Behavior Analytics to spot malicious activities
Processes: Automation of time-consuming steps; Guided investigation and hunting capabilities to accelerate response; Compliance Reporting
Expertise: Expertise on Demand to leverage Mandiant Analysts; Risk Prioritization; Integrated threat intelligence for contextual awareness
SIEM
§ Real-time threat intelligence
§ Codified expertise from FireEye
§ Sub-second search
§ Single log source
§ Guided investigations
§ Compliance reporting
Architecture (figure): SIEM layers (Intelligence, Rules, Analytics, Event index); Evidence Collector; FireEye and Third Party Data Sources (Intelligence, Endpoints, Firewalls, Operating Systems)
Security Orchestration
Workflow (figure): Hash/MD5 Analysis, Domain Analysis, URL Analysis, IP Analysis, Email Address Analysis; FireEye Validation; Analyst Decision Point; higher-priority incidents are pulled out and automatically escalated (endpoint containment); other events remain in the SIEM for reference
§ 150+ pre-defined integration plug-ins
§ 400+ supported devices, actions and playbooks
§ Expertise codified by Mandiant
§ Built-in playbook builder
§ Role-based actions
Cloud Security
Cloud Intelligence (figure): VPN Account Monitoring, Geo-Infeasibility Detection, Credential Misuse, Misconfiguration Detection, Cloud Threat Analytics; Corporate Network, FireEye Network Security, FireEye Helix
§ Guard against credential abuse
§ Single pane visibility across your enterprise
§ Prevent accidental misconfigurations that lead to attacker compromise
Helix Contextual Intelligence
Intel Matches can leverage FireEye threat intel to provide you with contextual information and improve your incident management prioritization.
Remote Access Security Assessment (RASA): Service Description (Service Overview, Our Approach, Values, Differentiators)
Service Overview
Mandiant’s RASA helps clients identify existing weaknesses and security risks around their remote users’ infrastructure.
This Service is designed to give organizations a view of their remote access-based infrastructure, collaboration tools, security controls, and policies. Organizations can leverage this assessment to validate the security posture of their remote access solutions and collaboration platforms, while also ensuring that security best practices are followed when securing access and data across these platforms.
Values
§ Identify missing processes
§ Identify missing security controls
§ Identify security gaps and opportunities to improve security operations
§ Identify security architecture and configuration weaknesses
§ Facilitate future enhancements
Our Approach
§ Strategic Phase: Gather information around infrastructure, practices and policies and compare these against Mandiant best practice
§ Proactive Phase: Active and passive reconnaissance methods against internet-facing remote access systems
§ Report on the strategic element alongside the outcomes of the proactive element to provide a series of actionable recommendations.
Thank You