STRATEGIC ADVANTAGE: CONSULTING & ISIGHT INTELLIGENCE

Transcription

1 ANALYST DAY STRATEGIC ADVANTAGE: CONSULTING & ISIGHT INTELLIGENCE TRAVIS REESE, PRESIDENT, MANDIANT CONSULTING AND ISIGHT INTELLIGENCE COPYRIGHT 2016, FIREEYE, INC. ALL RIGHTS RESERVED.

2 INTELLIGENCE- LED SECURITY: THREAT INTELLIGENCE AND EXPERISE: DIFFERENTIATE OUR SOLUTIONS AND REPRESENT A SUSTAINABLE STRATEGIC ADVANTAGE DRIVE STRATEGIC CUSTOMER RELATIONSHIPS AND PRODUCT PULL-THROUGH SCALABLE THROUGH OUR TECHNOLOGY AND AUTOMATION

3 GLOBAL NATION STATE GRADE INTELLIGENCE

4 INTELLIGENCE DRIVES EVERYTHING

5 TRIPLE THREAT ECOSYSTEM FIREEYE GLOBAL THREAT MANAGEMENT PLATFORM

6 THE MOST COMPREHENSIVE INTELLIGENCE IN THE WORLD MACHINE INTELLIGENCE + HUMAN INTELLIGENCE = ACTIONABLE INTELLIGENCE

7 Threat Intelligence Video

8 FIREEYE THREAT INTELLIGENCE ENGINE ACQUIRE APPLY INCIDENT RESPONSE Over 100,000 incident response hours /year Hundreds of subject matter experts across 16 countries SENSORS 11 million sensors around the world Deployed across 60 countries 24x7x365 visibility through 6 worldwide SOCs ADVERSARY INTELLIGENCE 300+ experts, 18 countries, 29 languages EXPERTS across security, analytics, and geo-political domains 115+ MILLION node graph-based analytics engine 340 MILLION correlation relationships defined 212 PETABYTES sensor traffic analyzed each month 45 BILLION URLS analyzed each month ANTICIPATE Stay a step ahead of the attacker DETECT Identify threats that other solutions miss RESPOND Answer key questions and prioritize threats SHARE Collaborate to drive community defenses ANALYZE

9 INTELLIGENCE PORTFOLIO FIREEYE PRODUCTS & AS-A-SERVICE OFFERINGS FIREEYE FORWARD DEPLOYED ANALYST INTELLIGENCE PORTAL FIREEYE CLOUD ENDPOINT ORCHESTRATION (INTEGRATE 3 RD PARTY PRODUCTS) ADVANCE THREAT INTELLIGENCE DYNAMIC THREAT INTELLIGENCE VERTICALIZED THREAT INTELLIGENCE NETWORK INTELLIGNCE MANDIANT SERVICES (+NEW INTEL LED) PORTAL VERTICAL PARTNER PORTALS

10 INTELLIGENCE PORTFOLIO TACTICAL: Detect & Prevent DTI Best-of-breed detection with MVX codification of attacker intent isight s intelligence network extends visibility into new attacker motivations across 16,000 threat actors. CONTEXTUAL: Analyze & Respond ATI Alert context for FireEye alerts enhanced with derivative intelligence from isight IOCs STRATEGIC Assess & Prepare ATI+ Foundational strategic intelligence through the FIC portal 24/7/465 critical alert and detection efficacy monitoring ThreatScape APIs ThreatScape APIs Enhance existing security infrastructure with IOCs derived from earlier visibility into threats via over-the-horizon visibility Context for the alerts across the infrastructure; enhanced with FireEye s victim-based context from incident responders and deployed sensors Mandiant Response Combined FireEye and isight intelligence will inform incident response engagements Customer reports informed through isight threat intelligence ThreatScape MySIGHT Subscription Deep dive on specific motivations that present a higher level of risk to an organization Consultative intelligence engagements (e.g. client inquiries, engagement manager)

11 FURTHER EXTENDING THE PORTFOLIO VISIBILITY ACROSS THE ATTACK LIFECYCLE MAGNIFY CONTEXT AND ATTRIBUTION TO ACCELERATE RISK REDUCTION EXPAND PATHWAYS TO OPERATIONALIZE THREAT INTELLIGENCE ENHANCE FAAS & INCIDENT RESPONSE CAPABILITIES

12 NOT ALL THREAT DATA IS CREATED EQUAL COMMODITY FEEDS: RAW DATA Misses the threats that matter Becomes part of the problem The race to free THREAT INTELLIGENCE Curated data sources create highfidelity, precise alerts Right-sizes problem with context and attribution required to prioritize response

13 IMPACT OF THREAT INTELLIGENCE 1. Be Proactive 2. Shrink the Problem 3. Improve Prioritization 4. Enhance Executive Communications 5. Connect Security With Business Strategic Planning Assumption: By 2018, 60% of large enterprises globally will utilize commercial threat intelligence services to help inform their security strategies. Rob McMillan & Khushbu Pratap Market Guide for Security Threat Intelligence Services

14 MANDIANT PORTFOLIO AM I AT RISK? AM I PREPARED? Red Teaming and Penetration Testing Security Program Assessment Response Readiness Assessment ICS Security Assessment Compromise Assessment AM I COMPROMISED? I AM BREACHED! Incident Response PREPARE FOR FUTURE EVENTS Cyber Defense Center Development SOC/CIRT transformation Education Deployment & Integration

15 WHY SERVICES TRUSTED ADVISOR / STRATEGIC PARTNER INTELLIGENCE FROM THE FRONT LINES PRODUCT PULL THROUGH

16 HOW WE SCALE

17 SHRINK THE PROBLEM ATTACK SURFACE ATTACK ALERTS VICTIMS SIDE CORRELATED EVENTS INCIDENT INDICATORS NOISE TO SIGNAL INTELLIGENCE FROM isight VERIFIED THREAT INDICATORS PRE-PROCESSED ANALYSIS NEW OBSERVATION THREAT SOURCES

18 INTELLIGENCE AT THE CORE

19 GIVING THE ADVANTAGE BACK TO THE DEFENDERS

20 ANALYST DAY 2016 FIREEYE TECHNOLOGY & PRODUCT ROADMAP GRADY SUMMERS CHIEF TECHNOLOGY OFFICER COPYRIGHT 2016, FIREEYE, INC. ALL RIGHTS RESERVED.

21 TECHNOLOGY UPDATE MVX Line Rate Intelligent Capture MVX Core POWER OF THE PLATFORM EVOLVING MVX PRODUCT INNOVATION

22 THIS IS NOT A PLATFORM 22 COPYRIGHT 2016, FIREEYE, INC. ALL RIGHTS RESERVED.

23 FIREEYE PLATFORM 23 COPYRIGHT 2016, FIREEYE, INC. ALL RIGHTS RESERVED.

24 ALERT TO FIX IN MINUTES ALERTS INDICATORS AND TTPs DTI HIGH FIDELITY ALERTS MVX / Analytics AUTOMATE WITH INVOTAS THREAT INTELLIGENCE CONTEXT isight & Mandiant FIX

25 PLATFORM CYCLE 1. Immediately block callbacks with FireEye NX 5. Analyst (in-house or FaaS) briefly reviews case summary, approves Invotas to initiate remediation process 2. Send data to FireEye TAP for indexing and correlation EX Alert 3. Open incident in Invotas Results sent to Invotas 4. Request HX triage package from potentially impacted computers Invotas workflow 1. Search TAP for prior evidence (or ArcSight/Qradar/Splunk) 2. Send suspect attachment to VirusTotal and Symantec for corroboration 3. Query DomainTools for reverse DNS and historical registration information 4. Review HX triage packages to verify extent of compromise 5. Determination: high severity alert that needs escalation 6. Block C2 using Blue Coat proxy 7. Update Cisco Sourcefire IDS with new signatures 8. Send sample to Symantec for AV updates 9. Add isight summary of threat actor to case and forward to Level 3 analyst

26 FIREYE PRODUCT & TECHNOLOGY HIGHLIGHTS MVX Re-Architecture Product Segmentation Endpoint Protection Orchestration Cloud FireEye as a Service 26 COPYRIGHT 2016, FIREEYE, INC. ALL RIGHTS RESERVED.

27 NOT ALL DETECTION IS THE SAME

28 MVX ENGINE MVX Purpose-Built for Security Hardened Hypervisor Finds known/ unknown cyber-attacks in real time across all attack vectors Line Rate Intelligent Capture MVX Core (Detonation) Multi-flow Multi-vector Reduce False Negatives Reduce False Positives Scalable Extensible 28

29 FIREEYE PLATFORM ADVANTAGES MVX Thousands of Permutations (files, OS, browser, apps) Multi-Flow Analysis Multi-Vector Analysis Correlation of Information Bi-directional Cloud Sharing Time to Protection 29

30 FIREEYE PLATFORM ADVANTAGES MVX Thousands of Permutations (files, OS, browser, apps) Multi-Flow Analysis Multi-Vector Analysis Correlation of Information Bi-directional Cloud Sharing Time to Protection 30

31 FIREEYE PLATFORM ADVANTAGES MVX Web File Mobile Thousands of Permutations (files, OS, browser, apps) Multi-Flow Analysis Multi-Vector Analysis Correlation of Information Bi-directional Cloud Sharing Time to Protection 31

32 FIREEYE PLATFORM ADVANTAGES MVX Web File CMS Cross-enterprise Mobile Thousands of Permutations (files, OS, browser, apps) Multi-Flow Analysis Multi-Vector Analysis Crosscorrelated Intelligence Bi-directional Cloud Sharing Time to Protection 32

33 FIREEYE PLATFORM ADVANTAGES MVX Web Dynamic Threat Intelligence Cloud File CMS Cross-enterprise Mobile Thousands of Permutations (files, OS, browser, apps) Multi-Flow Analysis Multi-Vector Analysis Cross-correlated Intelligence Bi-directional Cloud Sharing Time to Protection 33

34 FIREEYE PLATFORM ADVANTAGES Web MVX Dynamic Threat Intelligence Cloud Real Time Private Scalable Cross-Enterprise File CMS Cross-enterprise Mobile Thousands of Permutations (files, OS, browser, apps) Multi-Flow Analysis Multi-Vector Analysis Cross-correlated Intelligence Bi-directional Cloud Sharing Time to Protection 34

35 FIREEYE PLATFORM ADVANTAGES Web MVX Dynamic Threat Intelligence Cloud Real Time Private Scalable Cross-Enterprise File CMS Cross-enterprise Mobile Thousands of Permutations (files, OS, browser, apps) Multi-Flow Analysis Multi-Vector Analysis Crosscorrelated Intelligence Bi-directional Cloud Sharing Time to Protection 35

36 TRUE POSITIVES: ACCURACY MATTERS 99% 37% 36% 37% 29% 26% 4% Cisco Trend Micro Palo Alto Networks AhnLab Check Point Intel Security 20 COPYRIGHT 2016 FIREEYE, INC. ALL RIGHTS RESERVED

37 FALSE POSITIVES: CHASE AND WASTE On average, an organization wastes $1.3 million annually on unreliable alerts 2/3 of the time spent by security staff responding to malware attacks is wasted because of faulty intelligence." Ponemon, The Cost of Malware Containment, January x 4.3x 8.9x 23.9x 74.8x 246x Cisco AhnLab Check Point Palo Alto Networks Trend Micro Intel Security 21 COPYRIGHT 2016 FIREEYE, INC. ALL RIGHTS RESERVED

38 MVX RE- ARCHITECTURE Q4 15 Q3 16 Q4 16 Q1 17 MVX 2.0 Re-architect MVX 2.0 Distributed MVX 2.0 Hybrid/ Subscription MVX 2.0 Pure Cloud MVX Line Rate Intelligent Analysis Hardware & Virtual Hardware & Virtual MVX Core Line Rate Intelligent Analysis MVX Core MVX Core MVX Core FireEye Data Center FireEye Data Center MVX Core Customer Data Center 38 COPYRIGHT 2016, FIREEYE, INC. ALL RIGHTS RESERVED.

39 NETWORK SECURITY SOLUTIONS FOR ALL ORGANIZATIONS AFFORDABLE ADVANCED THREAT PROTECTION COMPREHENSIVE ADVANCED THREAT PROTECTION Network Security Essentials Network Security Power MVX IPS + Riskware DTI MVX IPS IPS + Riskware MTP TAP ATI Network Security Essentials High detection efficacy Simple inline deployment Low TCO Expanded visibility Workflow integration Alert context Multi-vector correlation Orchestration / integration Cloud analytics

40 ENDPOINT ROADMAP 1H H H 2016 DETECT & PREVENT DTI-based detection NX Integration IoC validation (any source) Internationalization Exploit Detection FIPS/CC compliance ANALYZE & RESPOND Endpoint forensics One-click containment Internationalization Enterprise Search 2H 2016 Exploit Prevention Mac (OSX) support Q4 15 Enterprise Search 1H 16 Exploit Detection 2H 16 Exploit Prevention

41 ORCHESTRATION: A FORCE MULTIPLIER STREAMLINE REPEATABLE TASKS ELIMINATE SWIVEL CHAIR INVESTIGATIONS Automate repeatable tasks of a limited security staff Remove friction from managing hundreds of point solutions HUNTING VALIDATION ACCELERATE RESPONSE CREATE TIME FOR HIGHER ORDER TASKS Reduce risk by minimizing the risk exposure window and persistence of an attack Increase efficiency and performance of security staff to do more with less

42 INTELLIGENT SECURITY ORCHESTRATION AND AUTOMATION 1H 16 2H 16 Invotas On the FireEye Platform Orchestrating FireEye platform + isight Multi-vendor platform Integration Playbook Mandiant processes 42

43 FIREEYE FOR THE CLOUD THREAT PROTECTION Threat Protection Anti-Virus / Anti Spam Advanced Threat Detection Contextual Intelligence 43

44 FIREEYE FOR THE CLOUD: THREAT ANALYTICS PLATFORM Amazon Cloudtrail Threat Analytics Platform Advanced Detection Indicators Rules Analytics 44

45 FIREEYE AS A SERVICE 45

46 FireEye as a Service Video

47 FIREEYE AS A SERVICE SEGMENTATION PRODUCTS ALERTS SERVICES DETECT INVESTIGATE FaaS Today NX EX HX ETP PX HX APT ONLY CONTINUOUS MONITORING (ATI+) CONTINUOUS PROTECTION CONTINUOUS VIGILANCE FaaS vnext NX EX HX ETP PX HX +TAP APT ONLY OR HIGH PRIORITY ALERTS ACROSS ALL PRODUCTS (VIA FIREEYE TAP) CONTINUOUS MONITORING (ATI+) CONTINUOUS PROTECTION CONTINUOUS VIGILANCE FaaS Essentials NO PRODUCT VULNERABILITY REPORTING & CALLBACKS REMOTE MONITORING

48 IT' S TIME TO REIMAGINE SECURITY

49 LUNCH BREAK