TRANSCRIPT (posted 06-Jul-2020)

Page 1

Why Are We Still Being Breached? Are 1st Generation and NexGen solutions working?

Rick Pither, Director of Cybersecurity, SparkCognition

©SparkCognition, Inc. 2018. All rights reserved.

Page 2

Session Agenda

01 SparkCognition Introduction
02 Why Are We Still Being Breached? (EPP, EDR, 1st Gen AV, NexGen?)
03 Differences in AI/ML (Tesla vs legacy auto manufacturers)
04 DeepArmor Enterprise (built from AI)

Page 3

SparkCognition Portfolio

Data inputs (structured and unstructured):
• Industrial and operational data
• SIEM, IT logs, threat intelligence
• 1M+ pages/documents, 10-Ks, research reports, contracts
• JSON, CSV, XML
• Historical and real-time sensor data
• Security operations: billions of alerts
• Files, documents, scripts, macros
• Support tickets, incident reports

Platforms or services (patented algorithms):
• Automated model building
• Document classification, workflow automation
• Cognitive query, structure text into tables
• Best algorithm for customer data set

Solutions:
• Malware prediction
• Industrial IoT performance prediction
• Client churn, firewall rule sets
• Malicious bot detection, PII data leakage
• Threat prioritization, network anomalies
• Air quality/weather patterns, inventory requirements
• Employee attrition, home credit default risk
• Financial/insurance fraud, solar output/weather patterns
• Prevent pre-execution, prevent unknown
• Asset maintenance failure prediction

Page 4

Why are we still being breached? The evolution of tools and tactics

• Polymorphism: attacks that automatically mutate to evade signatures and IoCs
• Trusted application attacks: attacks that leverage trusted applications like documents, macros and scripts to deliver a payload
• Weaponized AI: leveraging machine learning to generate adversarial malware
• In-memory attacks: direct injection of code into memory space to evade file monitoring
• Single-use malware: highly targeted, single-use attacks with no two variants being the same
• Hacking as a service: open source tools and online services that lower the technical barrier to entry for attackers

69% of organizations don't believe their antivirus can stop the threats they're seeing (Ponemon Institute)

Page 5

Quick History of the Endpoint Market

[Chart: effectiveness of solution (vertical axis) against time and adversary strength (horizontal axis). 1st Gen: reverse engineered. 2nd Gen: FUD marketing, rush to add AI/ML capabilities, EDR tilt, 85+ vendors, reverse engineered.]

• Broken; not as effective
• AI/ML is everywhere
• FUD around file-less and in-memory
• EDR is now 'the answer'
• Too many attacks/alerts/data
• Zero day still a struggle

Page 6

Defense in Depth

[Chart: control layers from perimeter to response (Firewall, Cloud Email Gateway, Network IDS/IPS, EPP, EDR, Forensics/IR) plotted against effectiveness and IR cost.]

Page 7

Why EPP?

[Diagram of endpoint defense layers]
• Pre-execution, static detection: file-based; in-memory/file-less
• Post-execution (infected), dynamic: behavioral; file-less
• Network anomaly detection
• Advanced malware detection, sandboxing
• EDR: Endpoint Detection and Remediation
• EPP: Endpoint Prevention Platform
• Attack origin: outside 73%, insider 27%

Page 8

Impact of the Evolving Attack Model: endpoint protection must evolve to keep pace

• 77% of successful cyber attacks include new or unknown threats (malware, exploit, file-less); 350,000 new variants are created each day [1]
• 53% of organizations believe their current endpoint protection solutions do not provide adequate protection against the newest attacks [1]
• 35% of cyber attacks were fileless exploits, including macros, scripts and in-memory [1]
• 97% of malware infections employ polymorphic techniques [3]
• $5M: average cost of a successful endpoint security attack in 2017 [1]; 42% of organizations reported an endpoint breach in the last year [2]
• 99% of malware is seen for less than one minute before a new sample takes its place [4]

Page 9

Security Market Whiteboard

[Whiteboard analogy: CISO = DEA. Smuggling vectors: plane, boat, drug mule, sub, catapult, tunnels, drone, disguised. Distances: 3,000 miles, 5,000 miles. Already here: east/west, state/state.]

Threat volume: 244 new threats per minute; up 22% in 2017; 32M samples; 46% malware, 30% zero day, 33% LOTL.

Detect, Prevent, Watch, Remediate

SparkCognition Recommendations

1. Change the definition of winning
2. Start really changing methodology
3. Reduce reliance on products/humans
4. Get out of the detection/alert business. Ex: SIEMs on average have only 12 YARA rules, and they generate 10,000-50,000 alerts/day

• Help IT practice good hygiene: patching, privilege escalation management, 2 factor authentication, network segmentation, leverage REAL AI/ML
• Still need tripwires along the kill chain
• Reduce incident response times; F/W, IDS and AV are easily bypassed
• Start to reduce the number of security vendors

Page 10

DeepArmor: Endpoint Protection. The Future of Endpoint Protection, Built from AI

Multi-Vector Protection, Built from AI: DeepArmor leverages ground breaking algorithms and patented model building tools to predict and prevent across every attack vector, including file-based, file-less and in-memory attacks.

Pre-Execution Prevention: DeepArmor intercepts and prevents attacks before they can execute, eliminating the need for post-infection behavioral analysis, ineffective system rollbacks and time-intensive reimaging.

No Heuristics, No Signatures, No Control Features: DeepArmor leverages the power of AI to prevent unknown zero-day attacks with no need for rigid heuristics, out of date signatures or rudimentary "on/off" control features.

Page 11

Threat Detection Architecture: Lightweight, Cognitive Agent

• File reputation
• Application control (whitelist, blacklist)
• Machine learning file analysis
• Block known and zero-day unknown malware and exploits: executable malware, weaponized documents, in-memory script/macro
• Kernel level, real-time
• Windows, Mac, Linux desktops/servers

Page 12

Prevention technique by product:
• Traditional Antivirus: signatures, heuristics, control features
• Next-Generation Antivirus: basic ML and behavioral analysis
• DeepArmor Endpoint Protection: pre-execution machine learning

Coverage (check marks as shown on the slide, across the three products):
• Known file-based malware: ✔ ✔ ✔ (all three)
• Unknown file-based malware: ✔ ✔
• Unknown document attacks
• Unknown script-based attacks
• Unknown macro attacks: ✔
• Unknown in-memory attacks

DeepArmor's Endpoint Protection platform delivers the strongest protection against zero-day malware, weaponized scripts, macros and in-memory attacks.

Replace Legacy Antivirus: how DeepArmor replaces antivirus with algorithms
• No out-of-date signatures
• No rudimentary control features
• No post-infection behavioral analysis
• No rigid heuristics (e.g., YARA)

Page 13

The DeepArmor Efficacy Difference: Commitment to Innovation, Differentiated Protection

[Bar chart: Near Zero-Day (<24 hrs) Malware Detection %, pre-execution. DeepArmor 99.6%; Next Generation average 77.1%; 1st Generation average 64.4%.]

[Bar chart: Near Zero-Day (<24 hrs) Malware Detection %, pre-execution, by vendor. DeepArmor 99.6%; Symantec 88.4%; CrowdStrike 83.5%; Cylance 77%; BitDefender 75%.]

Page 14

Near Zero Day Testing (how well does your product correctly prevent something never seen before)

• Download a random set daily
• No file reputation
• Data set query: less than 24 hours old; Microsoft executable; malicious; detected by at least 20 vendors
• Static file pre-execution
• Compare all AI/ML models
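As an added illustration of the sample-selection and scoring steps above (not SparkCognition's test code), the following Python applies the slide's data-set query to constructed metadata records and scores two hypothetical static models on the qualifying set. The record fields, model names and verdicts are assumptions made up for the example.

```python
# Added example: harness for the near-zero-day test described on the slide.
# Selection criteria: <24h old, Microsoft (PE) executable, malicious verdict,
# flagged by at least 20 vendors; then score each static model on that set.
from datetime import datetime, timedelta, timezone

# Fixed reference time so the example is reproducible offline.
NOW = datetime(2018, 6, 1, 12, 0, tzinfo=timezone.utc)

# Constructed sample metadata (not a real feed's schema); ids are placeholders.
SAMPLES = [
    {"id": "sample-A", "first_seen": NOW - timedelta(hours=3), "type": "PE", "verdict": "malicious", "vendor_detections": 35},
    {"id": "sample-B", "first_seen": NOW - timedelta(hours=30), "type": "PE", "verdict": "malicious", "vendor_detections": 40},  # too old
    {"id": "sample-C", "first_seen": NOW - timedelta(hours=5), "type": "ELF", "verdict": "malicious", "vendor_detections": 25},  # not a PE
    {"id": "sample-D", "first_seen": NOW - timedelta(hours=1), "type": "PE", "verdict": "malicious", "vendor_detections": 12},  # weak consensus
    {"id": "sample-E", "first_seen": NOW - timedelta(hours=20), "type": "PE", "verdict": "malicious", "vendor_detections": 21},
    {"id": "sample-F", "first_seen": NOW - timedelta(hours=2), "type": "PE", "verdict": "clean", "vendor_detections": 0},  # not malicious
]

# Constructed block/no-block verdicts from two hypothetical static models.
MODEL_VERDICTS = {
    "model-x": {"sample-A": True, "sample-B": True, "sample-D": True, "sample-E": False},
    "model-y": {"sample-A": True, "sample-E": True},
}


def qualifies(sample, now=NOW, max_age=timedelta(hours=24), min_vendors=20):
    """Apply the slide's data-set query to one metadata record."""
    return (now - sample["first_seen"] < max_age
            and sample["type"] == "PE"
            and sample["verdict"] == "malicious"
            and sample["vendor_detections"] >= min_vendors)


def select_near_zero_day(samples, **kw):
    """Return only the samples that meet every selection criterion."""
    return [s for s in samples if qualifies(s, **kw)]


def detection_rate(model_verdicts, selected):
    """Share of selected samples the model blocked pre-execution.
    A sample the model never scored counts as a miss (no block happened)."""
    if not selected:
        return 0.0
    hits = sum(1 for s in selected if model_verdicts.get(s["id"], False))
    return hits / len(selected)


def compare_models(samples=SAMPLES, models=MODEL_VERDICTS):
    """Score every model on the same qualifying set so results are comparable."""
    selected = select_near_zero_day(samples)
    return {name: detection_rate(verdicts, selected) for name, verdicts in models.items()}
```

Note that samples B and D, which model-x blocked, do not count toward its score because they fail the selection query; only the qualifying set is scored.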
