An New Approach to Security. Chris Ellis McAfee Senior System Engineer

Transcription

1 An New Approach to Security Chris Ellis McAfee Senior System Engineer

2 Advanced Targeted Attack Challenges Criminal Theft Sabotage Espionage After the Fact Expensive Public Uncertainty COMPROMISE CONTAINMENT ATTACK DISCOVERY High Value Data Key Systems Exploit Weakness Stealthy Replacement Process Preparation Sadder but Wiser 2

3 Challenges Faced by Security Professionals 20% False Positives 22% Protection 11% Timely Response 35% Discovery 3% Other 9% Damage Repair 3 Source: McAfee Survey at Black Hat USA 2013

4 Advanced Targeted Attacks The Reality ADVANCED TARGETED ATTACKS COMPROMISE TO DISCOVERY DISCOVERY TO CONTAINMENT CONTAINMENT 9% Hours 4% 12% Months Years 19% Hours 2% Minutes 23% Months DISCOVERY COMPROMISE 11% Days 14% Weeks ATTACK 64% Weeks 42% Days $8,769 / Incident $3,840,988 / Year 1.2 incidents / Day 4 Sources: Verizon 2013 Data Breach Investigations Report. Securosis Malware Analysis Quant Metrics Model

5 Security-Related TCO Is Skyrocketing Multiple products operate in separate functional silos Constantly rising costs of operational security No efficiency, no effectiveness Stale defenses lack adaptive, contextaware capabilities 5 Increasingly complex to manage

6 Advanced Targeted Attacks The Reality Downtime Brand Impact Data Loss Priceless INTELLECTUAL PROPERTY LEAKAGE 6

7 Let s look at our current arsenal.

8 The Current Arsenal Reputation Intelligence Server Protection Virtualization Optimization DB Protection Firewall / More Needs To Be Done! DLP Network IPS Compliance Management ATMs Mobile Devices Desktop Protection Mail Web Mobile Protection Endpoint Protection Security Management Network Protection

9 Targeted Attack Protection Examples Meeting the Needs of Different Operational Environments File Is New Execution Location Low Prevalence Packed Suspiciously Low Prevalence Revoked Certificate 9

10 Recent Notable Advanced Targeted Attacks Targeted attacks against Point-of-Sale (POS) systems Memory parsing/scraping malware Extracts full magnetic stripe data out of memory Not detected by traditional A/V Not detected for a significant amount of time Substantial damage 40 million credit cards where ex-filtrated in the TARGET compromise Estimated $652 million loss in market cap after Target breach Containment took long (VISA) 10

11 Dissecting the Target Breach Suspicions of initial intrusion through HVAC supplier credentials Initiated through phishing attack, Citadel password stealing bot Off-the-shelf Malware BlackPOS Memory scraping of credit card data on the POS Data accumulated on compromised internal share Best1_user password BackupU$r Malware events ignored on Nov 30, Dec 2, breach public Dec 15 Numerous other retailers are now under similar attacks

12 Targeted Attack Protection Examples Meeting the Needs of Different Operational Environments File Is New Execution Location Low Prevalence Packed Suspiciously Low Prevalence Revoked Certificate 12

13 CSIS Economic Impact Analysis > Study Key Findings Annual loss to global economy is likely more $445 billion Globally the loss from cybercrime is between 0.5% and 0.8% of global economy G20 Countries lost about $200 billion Annual loss to U.S. economy could be more than $100 billion Annual loss of U.S. jobs estimated at more than 200,000 EU Job loss of more than 150,000 Cybercrime would rank 27th if it were a nation ahead Singapore, Austria, Thailand, Denmark and South Africa

14 Economic Impact Analysis - CSIS McAfee Took a Unique Approach Builds economic model to scope the direct losses from cybercrime and cyberespionage CSIS enlisted economists, intellectual property experts, security researchers to develop report Surveys not effective because: Not all companies willing to state their losses Those that are willing often can t estimate what s been taken Intellectual property losses difficult to value Self-selection process of surveys can distort results CSIS (csis.org) 50-year old bipartisan nonprofit headquartered in Washington, D.C. Source: Net Losses: Estimating the Global Cost of Cybercrime Center for Strategic and International Studies

15 Economic Impact Analysis - Canada Source: Net Losses: Estimating the Global Cost of Cybercrime Center for Strategic and International Studies

16 Source: Verizon 2014 Data Breach Investigations Report 16

17 Source: Verizon 2014 Data Breach Investigations Report POINT-OF-SALE INTRUSIONS WEB APP ATTACKS INSIDER AND PRIVILEGE MISUSE PHYSICAL THEFT AND LOSS MISCELLANEOUS ERRORS CRIMEWARE PAYMENT CARD SKIMMERS DENIAL OF SERVICE CYBER-ESPIONAGE 17

18 The Challenge - Hackers are getting more sophisticated - Zero day malware is getting through - Computing environments are getting more sophisticated. Think Cloud - Users continue to click web links - Budgets are not increasing - Finding and maintaining training security professionals is difficult. 18

19 What Can We Do? Leverage Cyber Threat Intelligence Introduce Local Malware Analysis Increase Situational Awareness 19

20 Leverage Cyber Threat Intelligence

21 Threat Intelligence Sources Organizational Intelligence Reputation Data File, IP / Domain, Mail Digest Administrator Organizational Knowledge Centralized Repository Vendor Reputation Feeds 3 rd Party Feeds Local Threat Intelligence Threat Intelligence Mail Gateway IPS Assemble, override, augment and tune the intelligence source information Firewall Sandboxing Endpoint Agents Web Gateway

22 Cyber Threat Intelligence And Analysis Adapt and Immunize From Encounter to Containment in Milliseconds Malicious Code Security Management Local Threat Intelligence Reputation Intelligence Local Threat Intelligence - Consolidates threat information across the enterprise - Provides malware administrators appropriate context to make decisions - Enables more effective malware policy

23 New Levers for Security Admins Local Context Execute Tunable Policy Classification Decision Prevent and Remediate Prevent and Quarantine Site Specific Threat Intelligence Variable Degrees of Risk Tolerance Submit to Application Sandboxing

24 Targeted Attack Protection Examples Watch and Act Upon Usual Events! File Is New Execution Location Low Prevalence Packed Suspiciously Low Prevalence Revoked Certificate

25 Local Threat Intelligence Adapt and Immunize From Encounter to Containment in Milliseconds Reputation Intelligence YES NO OTHER FILE CHARACTERISTICS Malicious Code Security Management Local Threat Intelligence File Reputation Certificate Reputation 3rd Party File Reputation 3rd Party Cert. Reputation Enterprise Prevalence (Occurrence) Enterprise Age (First Contact) Enterprise File Reputation Enterprise Cert. Reputation Endpoint Context Endpoint Detection Info. ATD Detection Info. Administrator Classifications Existing Files & Certificates New Files & Certificates

26 Advanced Threat Analysis Reputation Intelligence Malicious Code Security Management Local Threat Intelligence Advanced Threat Analysis

27 Advanced Threat Analysis Centralized Malware Analysis and Action Reputation Intelligence DYNAMIC ANALYSIS Observe Registry Modifications Observe Network Communications Observe Process Activities Observe File System Changes YES NO YES NO STATIC ANALYSIS Unpacking Malicious Code Security Management Local Threat Intelligence Advanced Threat Analysis Static Analysis of Disassembled Code Discovery of Latent Code Hidden Logic Paths

28 Extending to the Network The network device can utilize the sandbox to evaluate malware! Reputation Intelligence Network IPS YES NO IPS device evaluates malware inline against AV and reputation. Malicious Code Security Management Local Threat Intelligence Advanced Threat Analysis File moved to the sandbox for analysis Convicted hash populated in malware cache. All future occurrences are thwarted

29 Extending to the Network Reputation Intelligence Protection Across the Network! Network IPS NGFW Mail Web Malicious Code Security Management Local Threat Intelligence Advanced Threat Analysis All network devices could be updated.

30 Value of Security Connected Point Products Layered Tools Integrated Tools Security Connected Architecture TCO CapEx + OpEx Security Posture Parity Security Optimization Advancement 30

31 . Questions

32