F-Secure Rapid Detection Service: Service description


F-Secure Rapid Detection Service
Service description
F-SECURE LABS Technology whitepaper

Contents
Overview
The case for a new approach to cyber security
Cyber security is a process
Why choose F-Secure?
What is F-Secure Rapid Detection Service?
Summary

Advanced, targeted attacks, performed by highly organized entities, have become commonplace over the last few years. These attacks are perpetrated by sophisticated threat actors who use advanced tactics, techniques and procedures to breach security infrastructure and maintain persistence within an organization. Attacks such as these easily circumvent traditional defensive perimeters. To protect your organization against these modern threats, you need to adapt your approach to cyber security quickly. F-Secure Rapid Detection Service is designed to quickly catch advanced, targeted attacks aimed at your organization's network. Using a combination of threat intelligence, big data analytics, machine learning and security experts, our fully managed service delivers accurate, actionable data directly to you whenever a relevant, verified alert is triggered. This approach allows us to identify early-breach scenarios in your network accurately and quickly, significantly limiting an intruder's dwell time and ability to act.

Overview

This document introduces the F-Secure Rapid Detection Service (RDS), a next-generation managed intrusion detection and incident response service. In a nutshell, RDS is designed to quickly detect and remediate breaches that occur within the defensive perimeter of your organization's network. This document explains how RDS works and illustrates how it can be used as part of a multi-layer approach in your own organization's cyber security strategy.

How does F-Secure Rapid Detection work?

The F-Secure Rapid Detection Service operating model is based on the following three key principles:

1. Security experts working out of our Rapid Detection Center provide incident response and forensics services within thirty minutes of a relevant, verified anomaly being detected in your organization.
2. By using a complex process of data enrichment, big data analytics and threat intelligence, we are able to accurately detect breaches, anomalies and signs of intrusion with minimal false positives.
3. We collect relevant event data from the right places using lightweight, discreet, easily deployable sensors on both endpoints and network segments, and store that data for forensic evidence purposes. Our combination of endpoint sensors and honeypots is unique in the industry.

Why choose F-Secure Rapid Detection Service?

F-Secure Rapid Detection Service provides customers with the following differentiating benefits:

1. F-Secure is an experienced player in the information security industry. We know how threat actors work. We've also been building backend automation and deploying system-level protection components onto millions of customer endpoints for decades.
2. As a European vendor, based in Finland, we are subject to some of the strictest privacy laws in the world. We take information security seriously and we apply those same principles to the way we handle your data.
3. We provide cutting-edge threat intelligence sourced from advanced big data analytics, machine learning, and security experts. Our experts have both high-level knowledge of the global threat landscape and in-depth technical knowledge of the tactics, techniques and procedures employed by attackers.

DISCLAIMERS

The purpose of this document is to help customers better understand how F-Secure products function, and the benefits F-Secure Rapid Detection Service provides. This document is not designed to be a legally binding agreement that defines the content of products and services provided by F-Secure Corporation. F-Secure Rapid Detection Service, as with any of our other products and services, is a constantly evolving set of software, systems and processes. This document may become partly inaccurate as this evolution takes place. F-Secure Corporation will update this document every time major changes are made to our products, systems or processes. The latest version will always be available on F-Secure's website. Any metrics or diagrams presented in this document are valid at the time of publication. Metrics or diagrams may change over time. Presented metrics should therefore be interpreted as approximate figures.

The case for a new approach to cyber security

Over the past few years, the world has encountered a rapidly changing security landscape in which the commoditization of attack tools and processes has given organized groups the ability to focus cyber attacks on individual organizations. These organized groups can include cyber criminals, nation states, and providers of cyber espionage and sabotage. Their motives can include financial gain, theft of data, disruption of operations, and destruction of reputation. The sophisticated tactics, techniques and procedures (TTPs) developed by nation states and other well-funded organizations, once public, rapidly fall into the hands of common cyber criminals, who use them for their own purposes. Threats to organizations may also originate from internal actors, such as employees, contractors, customers, and supply chain employees. In all of the above cases, breaches can and do occur as the result of defensive security measures being circumvented.

During the last few years, not only have more corporate security breaches become public knowledge than ever before, but the origin and motives of these attacks have been more diverse than at any time in history. Disruptive attacks, such as those that destroy data and systems, hold data for ransom, or modify business data or source code in malicious ways, have been on the rise.

Advanced Persistent Threats (APTs) are classified as attacks originating from highly organized and resourced threat actors. Advanced refers to the tactics, techniques and procedures (TTPs) used by these actors. Persistent refers both to their attempts to gain access to an environment and to their mechanisms for maintaining compromise. Attackers such as these will often perform lengthy reconnaissance on a target, execute sophisticated pinpoint attacks to gain entry to an organization, and then use stealthy techniques to move throughout the network, obtaining and exfiltrating sensitive data or sabotaging systems. Attacks from such actors can target any part of the organization's infrastructure, from servers to network infrastructure, to end users, to external collaborators. Advanced persistent threat actors often use multiple methods to breach an organization's defensive perimeter. These methods can include exploitation of software vulnerabilities on both servers and endpoints, and social engineering tactics such as phishing, spear phishing, watering holes, or man-in-the-middle attacks.

Once an attacker has a foothold inside an organization's infrastructure, they will often live off the land, using common tools and scripts to hide their presence and maintain persistence. Intruders will exploit resources normally used by legitimate users or system administrators in order to access assets and move laterally within the organization. Built-in software and commonly available tools, such as those available from Windows Sysinternals, are frequently used by actors wishing to maintain persistence while keeping a low profile. In this modus operandi, no malicious files are dropped and no obviously malicious operations are performed, so the attacker remains hard to distinguish from every other user. Detecting such behavior requires deep analysis of organization-wide system accesses, file changes and network behavior.

The value of a well-executed cyber security strategy is always most apparent in hindsight. It is all too common for infrastructure breaches to go unnoticed for extended periods of time. Often, an external party will be the first to observe a problem. Once a breach has been detected, determining the repercussions can be a lengthy, expensive, and difficult process at best. One must have access to the sequence of events that occurred before, during, and after the breach, across all components within the organization. This sequence is then used to identify a timeline of the steps the adversary took, including initial breach, securing a foothold, lateral movement, tampering with data or systems, theft of data, and destruction of systems or data. Such a timeline requires persistent storage of network events, file system events, access and identity management activity, changes to the configuration of operating systems and applications, and application activity. In order to trust the timeline of events, the stored data must be inaccessible to the attacker. Putting such an event collection and storage strategy in place is complicated and can create strain on both staff and systems.

F-Secure's Rapid Detection Service is designed to collect and store relevant event data from your organization's endpoints and network segments. This collected data is then correlated with threat intelligence and processed by advanced data analytics algorithms for signs of intrusion or anomalous behavior. If such behavior is detected, an expert at our Rapid Detection Center will immediately investigate the incident. By using historically collected event data, our analysts are able to determine and verify the cause of the alert before contacting your organization. In our experience, this is the most reliable way to detect the subtle behavior employed by skilled intruders as they lie low in a corporate network. By using a combination of human experts and complex analytics, both new and historical event data collected from sources across your entire network are processed in order to quickly and accurately pinpoint the minute anomalies associated with an intruder living off the land. When responding to an alert, our experts have all the tools and data needed to trace a breach back to the moment of ingress and provide your organization with actionable data to respond to the incident.

Cyber security is a process

Figure 1: The four phases of an iterative approach to securing an organization's infrastructure. Predict: understand your risk, know your attack surface, uncover weak spots. Prevent: minimize the attack surface, prevent incidents. Detect: recognize incidents and threats, isolate and contain them. Respond: react to breaches, mitigate the damage, analyze and learn.

Many organizations still follow an outdated approach to cyber security, wherein they rely almost solely on a defensive perimeter to protect their infrastructure. They also assume that attacks cannot penetrate their defensive measures. By building and staffing a security operations center (SOC), deploying a security information and event management (SIEM) system, adding an off-the-shelf intrusion detection system (IDS), and sourcing commercially available threat intelligence feeds, security professionals have been attempting to build additional situational awareness into their security infrastructure. We recommend a more robust, iterative approach to securing an organization's infrastructure, which can be broken down into four phases: Predict, Prevent, Detect, and Respond.

In the Predict phase, a corporate exposure analysis is performed in order to assess the attack surface of the organization's infrastructure. In this phase, threat assessments and penetration tests are often employed. The findings of these analyses are used to plan the construction of a solid defensive perimeter for the organization.

In the Prevent phase, these plans are put into action. Defensive solutions are deployed to harden infrastructure and reduce its attack surface, security software is deployed, vulnerabilities are patched, employees are trained, and the security culture of an organization is generally improved.

Persistent threat actors will eventually circumvent even the best defense perimeters. This is where the third phase, the Detect phase, comes into play. In this phase, infrastructure is carefully monitored for signs of intrusion or other suspicious behavior. By monitoring events generated within an organization's infrastructure, both on endpoints and on the network, and by enriching that collected data with threat intelligence and forensics knowledge, breaches can be pinpointed quickly and accurately. Threat intelligence, in the form of an extensive, constantly updated database of samples, reputation verdicts, prevalence information, and indicators of compromise, coupled with knowledge of the tactics, techniques and procedures employed by advanced attackers, forms the backbone of this process.

Once a breach has been detected, the cycle moves to the Respond phase. During this phase, forensic evidence is examined in order to determine how the breach happened and what impact it had on systems, data and infrastructure. Based on the findings of the forensic examination, an incident response process is initiated in order to restore the environment to a known-good state and to fix any security problems found. The findings of this phase are, in turn, fed back into the next Predict phase, and the cycle continues.

Figure 2: The cyber security solution implemented by F-Secure RDS. Layers shown, from the bottom up: Preventive (endpoint protection and firewalls); Internal Network Detection (IDS); Situational awareness (SOC/SIEM); Threat Intelligence (relevant feeds (IOC), ground-zero knowledge (IR), attacker intel (TTP/vertical)); and F-Secure Rapid Detection Service, which offers detection to response in under 30 minutes, detections for old data (a "time machine"), protection on the internal network as well, 24/7 expert coverage (monitoring/IR), a role as trusted forensics/IR storage, and easy APIs for SIEM integration. Immediate ROI: critical capabilities are gained within weeks of deployment rather than years. Abbreviations: API, application programming interface; IDS, intrusion detection system; IOC, indicator of compromise; IR, incident response; ROI, return on investment; SIEM, security information and event management; SOC, security operations center; TTP, tactics, techniques, and procedures.

From a cost-benefit point of view, purchasing a managed cyber security service makes sense. An organization would ordinarily need to hire a sizeable staff of cyber security experts and analysts, build and maintain its own monitoring infrastructure and source its own threat intelligence data, all of which can be costly. Implementing a complete end-to-end cyber security solution can take from three to five years. Finding and retaining good cyber security experts and sourcing good threat intelligence data and expertise is extremely difficult and expensive. Even if an organization goes to these lengths, an in-house solution requires constant maintenance and improvement, and can be prone to a large number of false alerts.

Why choose F-Secure?

F-Secure Rapid Detection Service is designed to address an organization's cyber security needs in one turnkey solution and to provide an immediate, tangible return on investment. We provide infrastructure, threat intelligence, and security experts as part of that service. Here at F-Secure, we know how threat actors operate and we have in-depth technical knowledge of the tactics, techniques and procedures employed by attackers. When one of our analysts notices an anomaly, they will contact your own security experts directly and discuss their findings, the severity of the situation, and how it might be remediated. With F-Secure Rapid Detection Service deployed in your organization, you'll invest far less time and money running expensive internal security projects and hiring and training personnel to handle complex incident response cases. For organizations that have invested in infrastructure such as a SOC, SIEM, or IDS, our Rapid Detection Service provides an additional layer of security that integrates easily into (via processes and APIs) and enhances any existing ecosystem. F-Secure Rapid Detection Service provides your organization with our own expert approach to cyber security. RDS turns your data into intelligence. We then use that intelligence to quickly and accurately detect and respond to breaches, and provide your organization with exposure analysis data that can be used to further reduce the attack surface of your infrastructure.

Figure 3: F-Secure RDS turns data into intelligence, which is used to quickly detect and respond to breaches. (Dashboard screenshot showing an attack view, a top-10 source countries panel, and a heartbeats-per-hour histogram.)

We differentiate ourselves from other cyber security providers in the following ways:

1. We have performed the largest number of real crime scene investigations (via Incident Response and forensics services) in Europe. We frequently collaborate with EU law enforcement officials on malware investigations and campaign takedowns. We are treated as a trusted and reliable partner by those agencies.
2. F-Secure is based in Finland, a country with very low corruption, strict and fair rules for warrants, and no legal obligation to include backdoors.
3. We use a constant feed of global malware usage data from millions of customers in both the consumer and corporate spaces.
4. In order to protect the privacy and security of our customers, we have chosen not to disclose details, or even statistics, from any law enforcement investigations we have participated in.
5. We actively mimic targeted attacks in customer environments. We are experts in threat assessment and penetration testing. Our investigative experience translates into real threat intelligence on how security incidents actually occur. In effect, we have created a solution that can even catch our own attacks.
6. We focus on investigating all aspects of the threat, from the way it gets into the system to the tools that it uses once it gets in. Instead of studying each threat independently, we identify relationships between threats, allowing us to understand the capabilities and motives of an adversary. We focus on the puzzle and not just on the individual pieces.
7. F-Secure has been in the security business for over 25 years. We have massive historical sample collections that allow us to find other relevant threats from currently active threat actors that had previously gone undiscovered.
8. Due to our long history as an anti-malware player, we've already spent years building automation, and we continue to put great emphasis on improving and adding to it. Our infrastructure is already highly scalable. We also source multiple valuable threat intelligence feeds directly from this automation.
9. Our researchers do both threat intelligence investigations and reverse engineering. This gives us both high-level knowledge of the global threat landscape and in-depth technical knowledge of the threats themselves.
10. If you are breached, we will communicate information about the incident to you alone. You won't learn you were a victim by hearing about it from the media.
11. We're constantly improving F-Secure Rapid Detection Service by collaborating with our customers. By iteratively improving and transforming the solution to meet your needs and to address the rapidly evolving global threat landscape, we are able to maintain maximum effectiveness. We also strive to maintain compliance with regulations such as the Payment Card Industry Data Security Standard (PCI-DSS).

What is F-Secure Rapid Detection Service?

F-Secure Rapid Detection Service is a managed service that combines technology, threat intelligence, and cyber security experts to provide an all-in-one intrusion detection and response solution. At the heart of this solution is our Rapid Detection Center, which is staffed by actual people tasked with monitoring and analyzing threat intelligence data on a 24/7 basis. When an anomaly is detected in your infrastructure, our experts will contact your experts with immediate incident response and forensics services. By putting our people in charge of monitoring your threat intelligence data, we are able to immediately open a dialogue with your organization when a relevant, verified alert is triggered. This approach not only minimizes the chances of encountering false positives, it provides your organization with actionable data during the early-breach phase of an intrusion.

F-Secure Rapid Detection Service consists of a combination of easily deployable on-site components and a set of F-Secure hosted services. The on-site portion of the deployment includes endpoint monitoring software that is installed onto workstations, network sensors that are placed in various network segments, and locally installed backend services and detonation boxes (a detonation box is a place where suspicious samples can be detonated in a safe environment). Network sensors can be provided in a number of forms, including small Advanced RISC Machine (ARM) devices, virtual machine (VM) images, or rack-mount servers. F-Secure hosts the Detection and Forensics Platform, which includes event storage, rules engines, hosted analytics and, of course, our own Rapid Detection Center. The key components that make up F-Secure Rapid Detection Service are described in the following sections.
Rapid Detection Center

F-Secure Rapid Detection Service combines man and machine to provide a service that uses advanced data analytics, machine learning, and cyber security experts. The analysts at our Rapid Detection Center use world-class analytical tools, most of which have been custom-developed in-house, to interpret and evaluate incoming threat data. Our Rapid Detection Center is powered by the vast expertise of F-Secure Labs (our malware analysis, threat intelligence, backend systems development, and endpoint protection development department) and F-Secure Cyber Security Services (our security consulting arm). The response time, from initial detection to customer-visible alert, is guaranteed to be less than 30 minutes. This minimizes the time an attacker has to do damage or gain access to business-critical data.

To accurately identify security anomalies, F-Secure has chosen to use both automation and human analysts to process forensic data. Through the use of automation, a balance can be achieved between expectations of privacy, accuracy of analysis, and speed of detection. Automated analysis follows three usage scenarios:

1. Near-Real-Time Analytics matches the incoming flow of data against detection rules and identifies known security threats.
2. Stored Data Analytics matches historical data against newly acquired, mission-specific information about specific threats.
3. Big Data Analytics is performed on anonymized data sets. Through big data, F-Secure is able to identify evolving threats, maintain baseline metrics, and detect macro-level anomalies.
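The first two scenarios, and the living-off-the-land problem described earlier, are easier to reason about with a concrete rule in front of you. The following is an added illustration, not F-Secure's rule engine or data model: it assumes a hypothetical normalized event schema (process, logon and network-connection events with a few attributes), a constructed six-event stream, and a single temporal-correlation rule for remote execution with PsExec (the tool's service-side process name, psexesvc.exe, is the well-known artifact; a production rule set would cover more tools). The near-real-time path evaluates the stream as it arrives; the stored-data path replays the same archive against a domain indicator that only became known afterwards.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Event:
    """One normalized sensor event (hypothetical schema, not the RDS data model)."""
    ts: datetime
    host: str
    kind: str                     # "process", "logon" or "netconn"
    attrs: dict = field(default_factory=dict)


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample stream: an intruder on ws-17 uses a Sysinternals-style remote
# execution tool (no malware dropped) to open a shell on fs-02, then the workstation
# contacts a domain that becomes a known indicator only later.
SAMPLE_EVENTS = [
    Event(_t("2016-03-01T09:00:00"), "ws-17", "logon", {"user": "alice", "type": "interactive"}),
    Event(_t("2016-03-01T09:05:10"), "ws-17", "process", {"image": "psexec.exe", "user": "alice", "target": "fs-02"}),
    Event(_t("2016-03-01T09:05:12"), "fs-02", "logon", {"user": "alice", "type": "network", "src": "ws-17"}),
    Event(_t("2016-03-01T09:05:13"), "fs-02", "process", {"image": "cmd.exe", "user": "alice", "parent": "psexesvc.exe"}),
    Event(_t("2016-03-01T09:40:00"), "ws-17", "netconn", {"dst": "update-check.example.net", "port": 443}),
    Event(_t("2016-03-01T10:15:00"), "ws-03", "process", {"image": "cmd.exe", "user": "bob", "parent": "explorer.exe"}),
]


class RemoteExecRule:
    """Near-real-time rule with temporal correlation. Fires when, within `window`:
    (1) a remote-execution tool is launched on host A against host B by user U,
    (2) B then records a network logon for U coming from A, and
    (3) a process starts on B under the remote service's parent.
    Each step on its own is ordinary admin activity; the sequence is the signal."""

    REMOTE_TOOLS = {"psexec.exe"}
    SERVICE_PARENTS = {"psexesvc.exe"}

    def __init__(self, window=timedelta(seconds=60)):
        self.window = window
        self.pending = {}   # (src_host, dst_host, user) -> [launch_ts, logon_seen]

    def _expire(self, now):
        for key, (t0, _) in list(self.pending.items()):
            if now - t0 > self.window:
                del self.pending[key]

    def feed(self, ev):
        """Consume one event in time order; return an alert dict or None."""
        self._expire(ev.ts)
        a = ev.attrs
        if ev.kind == "process" and a.get("image", "").lower() in self.REMOTE_TOOLS:
            if a.get("target") and a.get("user"):
                self.pending[(ev.host, a["target"], a["user"])] = [ev.ts, False]
        elif ev.kind == "logon" and a.get("type") == "network":
            state = self.pending.get((a.get("src"), ev.host, a.get("user")))
            if state:
                state[1] = True
        elif ev.kind == "process" and a.get("parent", "").lower() in self.SERVICE_PARENTS:
            for (src, dst, user), (t0, logon_seen) in list(self.pending.items()):
                if dst == ev.host and user == a.get("user") and logon_seen:
                    del self.pending[(src, dst, user)]
                    return {"rule": "remote_exec_lateral_movement", "src": src, "dst": dst,
                            "user": user, "first_seen": t0, "last_seen": ev.ts}
        return None


def near_real_time(events, rule):
    """Scenario 1: match the incoming stream against the rule as it arrives."""
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        alert = rule.feed(ev)
        if alert:
            alerts.append(alert)
    return alerts


def stored_data_hunt(archive, new_domain_iocs):
    """Scenario 2: replay the archive against indicators learned after the fact.
    Returns the archived events that now match."""
    bad = {d.lower() for d in new_domain_iocs}
    return [ev for ev in archive
            if ev.kind == "netconn" and ev.attrs.get("dst", "").lower() in bad]


if __name__ == "__main__":
    for alert in near_real_time(SAMPLE_EVENTS, RemoteExecRule()):
        print("near-real-time:", alert)
    for ev in stored_data_hunt(SAMPLE_EVENTS, ["update-check.example.net"]):
        print("retro-hunt hit:", ev.host, ev.ts, ev.attrs["dst"])
```

The point of the window is the trade-off the text alludes to: too short and a slow but legitimate-looking sequence slips through; too long and the pending table grows and the rule starts pairing unrelated admin activity. The retro-hunt is only possible because the netconn event was archived before anyone knew the domain was bad, which is the "time machine" capability of Figure 2.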

Figure 4: A diagram describing how F-Secure RDS works. Endpoint sensors and network decoy sensors in your company (and across the wider network of customer companies) submit data to the anomaly detection and forensics platform, which applies F-Secure Threat Intelligence and behavioral analytics; the F-Secure Rapid Detection Center raises an alert in under 30 minutes.

The purpose of manual processing is to examine an already identified security incident and establish enough evidence to support the customer's remediation activities. By allowing F-Secure to combine your organization's data with data and findings from other organizations, you help us better protect our whole customer base. The more organizations that contribute to security analytics, the better F-Secure can identify emerging attack vectors. This, in turn, allows us to provide better protection to each individual organization.

F-Secure Rapid Detection Center provides customers with both alert escalation and periodical reporting. Ad-hoc alerts are produced whenever a critical incident occurs. These alerts, which are always delivered by one of our security experts, feature actionable information that helps the customer determine the source and cause of the anomaly. Customers can also use F-Secure's Incident Response and Forensic Services, either on-site or remotely. We deliver periodical reports, as part of this service, which feature a summary of incident alerts and leads on potential problems worth investigating. Customers will also receive benchmark data in which their own data is compared with data from the same vertical and region (subject to availability). These reports are also enriched with information about trending threats.

Figure 5: Periodical reports featuring a summary of incident alerts are delivered to customers as part of the RDS service.

Data Collection and Enrichment

Data collected by endpoint and network sensors is relayed to the F-Secure Detection and Forensics Platform, which is hosted by F-Secure. In the Detection and Forensics Platform, incoming data is normalized and then enriched in near-real-time using threat intelligence from both F-Secure's Security Cloud and from third-party cloud services. Data is correlated with information collected over our whole customer base. By combining F-Secure Labs' extensive malware repository with insights acquired through our own threat intelligence research, we are able to flag anomalies, such as signs of lateral movement and use of stolen credentials, in ways not possible with other security solutions.

Collected data is stored for an extended period of time in order to preserve a historical timeline of security events. In the aftermath of a breach, evidence is critical. With F-Secure Rapid Detection Service in place, incident responders and forensic investigators have access to a wealth of historical data collected before, during, and after the breach occurred. Often, threat actors will attempt to wipe evidence after a successful breach has taken place. Data collected in our Detection and Forensics Platform is held outside the monitored environment and protected against tampering, and thus provides an accurate timeline of the events that have taken place.

All data collected from customer deployments is sent through secure, encrypted channels and stored on controlled, secured servers. Access to data is carefully restricted to authorized users and for authorized purposes only. All data is physically stored in Europe. We respect our users' privacy and our customers' need to protect sensitive data and corporate secrets. Collected data from one customer is never shared with other customers. You can find more information on our privacy and confidentiality policies, especially with regard to data handling, on the F-Secure website.
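"Protected against tampering" is the property a forensic timeline lives or dies by, so it is worth showing what the property does and does not buy. The following is an added illustration, not a description of how the Detection and Forensics Platform stores data: it assumes a hypothetical hash-chained, append-only record format, a constructed three-event log, and an attacker who controls the host where the log is written. The chain makes in-place edits detectable by anyone, but an attacker who can rewrite the whole store can drop a record and recompute every digest; only a copy of the chain head held somewhere the attacker cannot write (here, the "anchor") exposes that.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # chain start marker, hypothetical convention


def _canonical(obj):
    """Deterministic encoding so the same record always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class ChainedLog:
    """Append-only event store where each record commits to its predecessor."""

    def __init__(self):
        self.entries = []

    def append(self, event):
        prev = self.head()
        body = {"seq": len(self.entries), "prev": prev, "event": event}
        digest = hashlib.sha256(_canonical(body)).hexdigest()
        self.entries.append({**body, "digest": digest})
        return digest

    def head(self):
        return self.entries[-1]["digest"] if self.entries else GENESIS


def verify(entries, anchored_head=None):
    """Recompute the chain. Returns (ok, first_bad_seq). `anchored_head` is the
    head digest as last reported to a store the monitored host cannot write to."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {"seq": e["seq"], "prev": e["prev"], "event": e["event"]}
        if (e["seq"] != i or e["prev"] != prev
                or hashlib.sha256(_canonical(body)).hexdigest() != e["digest"]):
            return False, i
        prev = e["digest"]
    if anchored_head is not None and prev != anchored_head:
        return False, len(entries)
    return True, None


# Constructed events: the second one is the trace an intruder would want gone.
SAMPLE_EVENTS = [
    {"ts": "2016-03-01T09:00:00", "host": "ws-17", "kind": "logon", "user": "alice"},
    {"ts": "2016-03-01T09:05:10", "host": "ws-17", "kind": "process", "image": "psexec.exe"},
    {"ts": "2016-03-01T09:40:00", "host": "ws-17", "kind": "netconn", "dst": "update-check.example.net"},
]


def build_log(events):
    log = ChainedLog()
    for ev in events:
        log.append(ev)
    return log


def attacker_rewrites_without(entries, seq):
    """What an intruder with write access to the on-host store can do: drop one
    record and recompute every later digest so the chain is internally consistent."""
    return build_log([e["event"] for e in entries if e["seq"] != seq]).entries


def attacker_edits_in_place(entries, seq, **changes):
    """Cruder tampering: alter a record body without recomputing digests."""
    tampered = copy.deepcopy(entries)
    tampered[seq]["event"].update(changes)
    return tampered


if __name__ == "__main__":
    log = build_log(SAMPLE_EVENTS)
    anchor = log.head()   # shipped off-host at append time
    print("intact, anchored:", verify(log.entries, anchor))
    print("edited in place:", verify(attacker_edits_in_place(log.entries, 1, image="notepad.exe")))
    rewritten = attacker_rewrites_without(log.entries, 1)
    print("rewritten, local check only:", verify(rewritten))
    print("rewritten, against anchor:", verify(rewritten, anchor))
```

The practical consequence is the one the text draws: evidence the attacker can reach is not evidence. Records have to leave the endpoint as they are produced, and the reference the verifier trusts has to live on the collecting side, not on the host being monitored.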

Threat Intelligence

In order to detect anomalies occurring in an organization's infrastructure, the vast amount of data being collected by F-Secure's Detection and Forensics Platform is continually processed. Incoming event data is processed in near-real-time using optimized, complex rule engines with temporal correlation support. This upfront processing delivers first-level anomaly detections and new indicators of compromise (IoCs). Since all incoming data is archived, as new IoCs and TTPs are discovered (from event data processing on any of our customer streams, from third-party IoC feeds, or from our own threat intelligence sources), this historical data is processed offline, against new rules, using big data analytics services. This step provides second-level anomaly detections. F-Secure Rapid Detection Service combines a variety of proprietary data sources to provide its subscribers with early warning information and highly actionable incident detections that are necessary to successfully counter advanced cyber threats. In the event of an incident, F-Secure Rapid Detection Service helps the customer preserve any evidence that is essential in subsequent incident response actions.

Endpoint Sensors

F-Secure's Endpoint Sensors are lightweight, discreet monitoring tools designed to be deployed on all relevant Windows and Linux computers within an organization. These components are custom-configured for each organization and are easily deployed using standard IT administrator tools. Endpoint Sensors collect behavioral data from endpoint devices using well-documented mechanisms, and are specifically designed to withstand attacks from threat actors. Endpoint Sensors are also able to function in Payment Card Industry Data Security Standard (PCI-DSS) compliant environments. Due to the way our sensors monitor endpoint activity, content that might jeopardize cardholder data is not collected or transferred from those endpoints. However, metadata associated with the activity of the endpoint is collected. An analogy would be that we collect the names of files and not the content of the files themselves. This metadata can be used, if needed, for forensic analyses. This metadata is communicated exclusively from the sensor to the F-Secure Detection and Forensics Platform; at no point will a human operator interact directly with a sensor itself.

Network Decoy Sensors

F-Secure Rapid Detection Service uses active decoys, or honeypots, instead of a direct network scanning approach. We find that this reduces both the noise and the false alerts associated with the latter. Attackers typically perform a reconnaissance phase once they've gained access to a network in order to identify easy targets for lateral movement and privilege escalation. Network Decoy Sensors will catch the scans associated with this sort of reconnaissance and provide easy targets for the attacker to focus on. Any action the attacker performs on the active decoy will be detected and logged by our solution. Our Network Decoy Sensors keep the attacker busy and grant us visibility into the tools they're using, while allowing us to build a detailed base of forensic evidence. Network Decoy Sensors are capable of monitoring popular services including SSH, HTTP, SMB, MSSQL, SIP, and FTP. All connection attempts to and from the network sensor are recorded, and any files that arrive on the system are automatically sent to F-Secure Security Cloud for analysis. You can read more about F-Secure Security Cloud in this whitepaper.
All Network Decoy Sensors deployed within your organization will communicate recorded events to a local server that we also provide. From there, the data is relayed to our Detection and Forensics Platform.
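A minimal TCP decoy in the spirit of the Network Decoy Sensors described above, as an added illustration that is not F-Secure's sensor. It answers every connection with a plausible service banner, swallows whatever the peer sends, and turns the connection into an event record; because a decoy has no legitimate clients, no rule or threshold is needed, every connection is reportable. Received bytes are hashed and written to a capture directory, standing in for the "files sent to Security Cloud" step. The banner, the event fields, the capture layout and the port are assumptions.

```python
"""A minimal TCP decoy ('honeypot') sensor. Added illustration, not F-Secure's
Network Decoy Sensor: the banner, the event format, the capture directory and
the listening port are assumptions."""
import hashlib
import json
import os
import socketserver
import tempfile
from datetime import datetime, timezone

MAX_PAYLOAD = 1_000_000  # cap what a single connection can make the decoy buffer


def new_capture_dir():
    """Directory for payloads the decoy receives (stand-in for shipping them to analysis)."""
    return tempfile.mkdtemp(prefix="decoy-capture-")


def build_event(decoy_port, peer, payload, capture_dir=None):
    """Turn one connection into a detection record.

    A decoy has no legitimate users, so any connection is reported as-is.
    Whatever bytes arrive are hashed and, if a capture directory is given,
    stored under their SHA-256 so the sample can be analysed later.
    """
    event = {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "sensor": "network_decoy",
        "dst_port": decoy_port,
        "src_ip": peer[0],
        "src_port": peer[1],
        "bytes": len(payload),
    }
    if payload:
        digest = hashlib.sha256(payload).hexdigest()
        event["payload_sha256"] = digest
        event["payload_preview"] = payload[:32].decode("ascii", "replace")
        if capture_dir:
            os.makedirs(capture_dir, exist_ok=True)
            with open(os.path.join(capture_dir, digest), "wb") as f:
                f.write(payload)
    return event


def captured_files(capture_dir):
    """Names (SHA-256 digests) of the payloads stored so far."""
    return sorted(os.listdir(capture_dir)) if os.path.isdir(capture_dir) else []


class DecoyHandler(socketserver.BaseRequestHandler):
    """One connection: send the fake banner, read everything the peer sends, log it."""

    def handle(self):
        self.request.settimeout(5)
        chunks, total = [], 0
        try:
            self.request.sendall(self.server.banner)
            while total < MAX_PAYLOAD:
                data = self.request.recv(4096)
                if not data:  # peer closed the connection
                    break
                chunks.append(data)
                total += len(data)
        except OSError:  # timeout or reset: the attempt is still worth recording
            pass
        event = build_event(self.server.server_address[1], self.client_address,
                            b"".join(chunks), self.server.capture_dir)
        self.server.events.append(event)
        print(json.dumps(event))


class Decoy(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address, banner, capture_dir=None):
        super().__init__(address, DecoyHandler)
        self.banner = banner
        self.capture_dir = capture_dir
        self.events = []  # in a real deployment these would be relayed to a collector


if __name__ == "__main__":
    # Unprivileged port with an SSH-looking banner (constructed, not a real host's).
    decoy = Decoy(("0.0.0.0", 2222), b"SSH-2.0-OpenSSH_7.2p2 Ubuntu-4\r\n", new_capture_dir())
    print("decoy listening on", decoy.server_address, "captures in", decoy.capture_dir)
    decoy.serve_forever()
```

Run it and connect from another host with a port scanner or `nc host 2222`: each connection prints one JSON event, and anything sent after the banner lands in the capture directory under its hash. A scanner's own identification string (for SSH, its client banner) ends up in the payload preview, which is the kind of tool visibility the section above refers to.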

System Architecture

[Figure 6: A diagram of F-Secure RDS's system architecture. Components shown: within the organization, RDS Endpoint Sensors and RDS Network Honeypots submitting data, the honeypots via the local RDS Honeypot Backend; in the F-Secure Cloud, RDS Backend Services (Real-Time Analysis and Big Data Analytics, which adjust each other) storing events and detections in the RDS Data store; the F-Secure Rapid Detection Center (RDC) monitoring system status and detections, investigating and watching 24/7; and alerts and incident response flowing from the RDC to the organization's IT admin.]

Summary

The robust and advanced technologies behind F-Secure Rapid Detection Service provide several benefits that can be summarized as follows:

1. A full end-to-end solution that addresses current and future advanced persistent threats. F-Secure Rapid Detection Service provides a cost-effective way of managing your organization's cyber security requirements. It functions as an important part of a robust, modern cyber security strategy and delivers on its promise to protect against a rapidly evolving, complex threat landscape.

2. A scalable, secure, managed cyber security service run by industry professionals. By choosing to deploy F-Secure Rapid Detection Service, your organization will benefit from the expertise of a company with more than 25 years of industry experience in the field. Here at F-Secure, we know how threat actors operate and we have in-depth technical knowledge of the tactics, techniques and procedures employed by attackers. We take information security seriously and apply those same principles to the way we handle your data. As a European vendor, based in Finland, we are subject to some of the strictest privacy laws in the world.

3. A combination of advanced big data analytics, machine learning and security experts. Because F-Secure Rapid Detection Service combines big data analytics, machine learning and security experts, it delivers not only accurate data but also fast response times. The F-Secure Detection and Forensics Platform keeps important evidence safe and out of the reach of attackers. We provide forensics and incident response services when a breach is detected. In fact, F-Secure can provide services and solutions to cover your entire cyber security strategy, should you need them.

SEE ALSO

F-Secure privacy principles

Contact information

If you have any further questions about F-Secure Advanced Threat Protection, please contact:

F-Secure Corporation
Tammasaarenkatu 7
PL Helsinki
Finland

F-Secure has been defending tens of millions of people around the globe from digital threats for over 25 years. Our award-winning products protect people and companies against everything from crimeware to corporate cyberattacks, and are available from over 6000 resellers and 200 operators in more than 40 countries. We're on a mission to help people connect safely with the world around them, so join the movement and switch on freedom! Founded in 1988, F-Secure is listed on NASDAQ OMX Helsinki Ltd.

F-Secure Corporation. All rights reserved.


More information

Threat Center. Real-time multi-level threat detection, analysis, and automated remediation

Threat Center. Real-time multi-level threat detection, analysis, and automated remediation Threat Center Real-time multi-level threat detection, analysis, and automated remediation Description Advanced targeted and persistent threats can easily evade standard security, software vulnerabilities

More information

with Managing RSA the Lifecycle of Key Manager RSA Streamlining Security Operations Data Loss Prevention Solutions RSA Solution Brief

with Managing RSA the Lifecycle of Key Manager RSA Streamlining Security Operations Data Loss Prevention Solutions RSA Solution Brief RSA Solution Brief Streamlining Security Operations with Managing RSA the Lifecycle of Data Loss Prevention and Encryption RSA envision Keys with Solutions RSA Key Manager RSA Solution Brief 1 Who is asking

More information

Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence

Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence Chris Poulin Security Strategist, IBM Reboot Privacy & Security Conference 2013 1 2012 IBM Corporation Securing

More information

How To Protect Your Network From Attack From A Network Security Threat

How To Protect Your Network From Attack From A Network Security Threat Cisco Security Services Cisco Security Services help you defend your business from evolving security threats, enhance the efficiency of your internal staff and processes, and increase the return on your

More information

THE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS

THE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS THE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS Download the entire guide and follow the conversation at SecurityRoundtable.org Detection, analysis, and understanding of threat

More information

Cyber4sight TM Threat. Anticipatory and Actionable Intelligence to Fight Advanced Cyber Threats

Cyber4sight TM Threat. Anticipatory and Actionable Intelligence to Fight Advanced Cyber Threats Cyber4sight TM Threat Intelligence Services Anticipatory and Actionable Intelligence to Fight Advanced Cyber Threats Preparing for Advanced Cyber Threats Cyber attacks are evolving faster than organizations

More information

Anatomy of a Breach: A case study in how to protect your organization. Presented By Greg Sparrow

Anatomy of a Breach: A case study in how to protect your organization. Presented By Greg Sparrow Anatomy of a Breach: A case study in how to protect your organization Presented By Greg Sparrow Agenda Background & Threat landscape Breach: A Case Study Incident Response Best Practices Lessons Learned

More information

Cyber Watch. Written by Peter Buxbaum

Cyber Watch. Written by Peter Buxbaum Cyber Watch Written by Peter Buxbaum Security is a challenge for every agency, said Stanley Tyliszczak, vice president for technology integration at General Dynamics Information Technology. There needs

More information

Q1 Labs Corporate Overview

Q1 Labs Corporate Overview Q1 Labs Corporate Overview The Security Intelligence Leader Who we are: Innovative Security Intelligence software company One of the largest and most successful SIEM vendors Leader in Gartner 2011, 2010,

More information

Advanced Persistent Threats

Advanced Persistent Threats White Paper INTRODUCTION Although most business leaders and IT managers believe their security technologies adequately defend against low-level threats, instances of (APTs) have increased. APTs, which

More information

SPEAR PHISHING UNDERSTANDING THE THREAT

SPEAR PHISHING UNDERSTANDING THE THREAT SPEAR PHISHING UNDERSTANDING THE THREAT SEPTEMBER 2013 Due to an organisation s reliance on email and internet connectivity, there is no guaranteed way to stop a determined intruder from accessing a business

More information

What is Security Intelligence?

What is Security Intelligence? 2 What is Security Intelligence? Security Intelligence --noun 1. the real-time collection, normalization, and analytics of the data generated by users, applications and infrastructure that impacts the

More information

WHITE PAPER Cloud-Based, Automated Breach Detection. The Seculert Platform

WHITE PAPER Cloud-Based, Automated Breach Detection. The Seculert Platform WHITE PAPER Cloud-Based, Automated Breach Detection The Seculert Platform Table of Contents Introduction 3 Automatic Traffic Log Analysis 4 Elastic Sandbox 5 Botnet Interception 7 Speed and Precision 9

More information

DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER

DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND Introduction > New security threats are emerging all the time, from new forms of malware and web application exploits that target

More information

How Your Current IT Security System Might Be Leaving You Exposed TAKEAWAYS CHALLENGES WHITE PAPER

How Your Current IT Security System Might Be Leaving You Exposed TAKEAWAYS CHALLENGES WHITE PAPER WHITE PAPER CHALLENGES Protecting company systems and data from costly hacker intrusions Finding tools and training to affordably and effectively enhance IT security Building More Secure Companies (and

More information

File Integrity Monitoring: A Critical Piece in the Security Puzzle. Challenges and Solutions

File Integrity Monitoring: A Critical Piece in the Security Puzzle. Challenges and Solutions File Integrity Monitoring Challenges and Solutions Introduction (TOC page) A key component to any information security program is awareness of data breaches, and yet every day, hackers are using malware

More information