Advanced Endpoint Protection: CONTAIN, IDENTIFY, CONTROL
Nick Keller, Director, Federal Civilian Sales

Duncker Candle Problem
Solution: creativity, change the paradigm
Why listen to me? Connect these 3 companies:
- Cullinet Software (1st software company on the NYSE)
- Netscape
- ArcSight
The Problem
- 95% of known breaches initiate at Windows endpoints
- Users WILL be tricked into accessing malicious content
[Chart: vulnerable applications (Oracle Java, Adobe Reader, Adobe Flash Player, Browsers, Android OS, Microsoft Office) with values 45%, 42%, 5%, 4%, 3%, 1%; label-to-value mapping not recoverable; source: Kaspersky Labs]
Cyber Kill Chain: Invincea STOPS the Attack Early
- Stage 1: Reconnaissance: research the target
- Stage 2: Attack Delivery: spear-phish with malicious link and/or attachment
- Stage 3: Client Exploit & Compromise: vulnerability exploited or user tricked into running executable
- Stage 4: Command & Control (C2): remote command and control
- Stage 5: Internal Recon: scan network for targets
- Stage 6: Lateral Movement: spread throughout network
- Stage 7: Establish Persistence: root presence to re-infect as machines are remediated
- Stage 8: Stage Data & Exfil: archive/encrypt, leak to drop sites
- Stage 9: Incident Response: analysis, remediation, public relations, damage control
Your Security Challenge by the Numbers
[Figures: 77%, 205 days, 1%-3%; their labels are not recoverable]
Sophistication Evolution of Malware: 2015 Changing Threat Curve
[Chart: sophistication (Low to High) against time (circa 1990s, circa 2000, 2010-2015) and targeting (mass targeting to pinpoint targeting); actors: Script Kiddies, Lone Wolves, Hacktivists, Organized Crime, Nation States (Tier 2), Nation States (Tier 1); defenses: Anti-Virus, Network Sandboxing and Whitelisting; Threat Curve (today)]
Takeaway: less advanced adversaries now have access to very sophisticated malware
Most Prevalent Threats for 2015*
1. Just In Time (JIT) Malware Assembly
- All malware families now use JIT for delivery (e.g. Malvertising, Dridex, Dyreza, Pony, CryptoWall)
- Completely bypasses perimeter controls such as EXE blocking appliances
2. Macro-based Scripting via weaponized docs
- Entire process can be scripted; no file is written
- Containerization is the only way to stop these attacks
- Completely bypasses endpoint protection solutions such as Cylance, PAN TRAPS, HIPS, AV, etc.
* Supporting data in Invincea First Half 2015 Threat Report
JIT Malware Scripting
- Just in Time malware assembly is used in Malvertising, Dridex, Dyreza, Pony, CryptoWall
- Malware is assembled piece by piece on the endpoint instead of downloaded as a complete binary
- This bypasses perimeter controls such as EXE blocking appliances
- All malware families now use JIT for delivery
- Built-in utilities used in the assembly: wscript, chcp, netsh, echo, winrshost, cscript, extract32, expand, ipconfig, ping, svchost, powershell, vssadmin
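The JIT assembly pattern above leaves a visible trace in process-creation telemetry: a document or browser process that spawns one of the listed utilities. The following detection sketch is an added example, not Invincea's code or anything from the deck; the parent application names, the event field layout and the sample events are constructed assumptions.

```python
"""Flag JIT-assembly chains: a content-handling app (Office, PDF reader,
browser) with one of the slide's utilities somewhere beneath it in the
process tree. Events are constructed for this example."""
import os

# Assumed user-facing apps that open untrusted content (not from the deck).
CONTENT_APPS = {"winword", "excel", "powerpnt", "outlook", "acrord32",
                "iexplore", "chrome", "firefox"}
# Utilities named on the slide as used to assemble malware on the endpoint
# (cmd added as the host of the 'echo' and 'chcp' builtins; extrac32 is the
# real executable name behind the slide's 'extract32').
JIT_TOOLS = {"wscript", "cscript", "powershell", "cmd", "chcp", "netsh",
             "expand", "extrac32", "ipconfig", "ping", "vssadmin", "winrshost"}


def basename(image):
    """Lower-case image name without directory or extension."""
    return os.path.splitext(os.path.basename(image.replace("\\", "/")))[0].lower()


def find_jit_chains(events, max_depth=4):
    """Return 'child <- parent <- ...' strings for every JIT tool process whose
    ancestry (up to max_depth hops) reaches a content-handling application."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if basename(e["image"]) not in JIT_TOOLS:
            continue
        chain, cur = [basename(e["image"])], e
        for _ in range(max_depth):
            cur = by_pid.get(cur["ppid"])
            if cur is None:          # parent not in telemetry; stop walking
                break
            chain.append(basename(cur["image"]))
            if chain[-1] in CONTENT_APPS:
                findings.append(" <- ".join(chain))
                break
    return findings


# Constructed process-creation events (pid, parent pid, image path).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\ipconfig.exe"},  # launched by the user, not flagged
    {"pid": 600, "ppid": 1,   "image": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for finding in find_jit_chains(SAMPLE_EVENTS):
        print("JIT chain:", finding)
```

Each tool process rooted in a content app is reported with its ancestry, so a multi-stage chain (script host spawning PowerShell) produces one line per stage.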
How has the industry tried to solve this problem? Prevent, Detect, Respond
Invincea's Advanced Endpoint Protection Strategy
- Contain: prevent network breach by containing all threats, known and unknown
- Identify: identify existing threats that evaded conventional defenses
- Control: regain control over the network by quarantining and eradicating threats across the enterprise
Contain the Attack (Contain)
- Isolate endpoint attack surface with a secure container
- Protect 95% of endpoint attack surface (vulnerable apps)
- Protect against: spear-phishing, web-based drive-bys, watering hole attacks, malvertising, ransomware, 0-day exploits
Secure Virtual Container
- Patented isolation: not (just) a sandbox! (containment, behavioral detection, and automated response)
- Virtualization of process control, file system, and registry
- Protection against zero-day and known exploits
- One-way mirror design: malware thinks it's attacking the host environment
- Behavioral detection engine: no need for signatures or constant definition updates; based on finite known-good application behavior (not searching for IOCs)
- Automated response: ability to automatically terminate the threat upon detection (why let malware run?)
- Small footprint / low overhead: <100 MB of RAM even under extreme load, <1% average CPU utilization
- Forensic intelligence: capture IOCs and threat intelligence via controlled explosions of malware
Identify the Compromise (Identify)
- Identify compromises that evaded traditional network and endpoint security
- Identify anomalous processes via OS monitoring
- Vet process with local knowledge; escalate to cloud as needed
- Analyze suspicious programs with DARPA-funded Cyber Genome analysis technology
Endpoint Threat Identification
- Risk Evaluation Framework: automated metadata analysis eliminates noise and identifies the riskiest files; analysis of all executed binaries, loaded DLLs, and downloaded files via the SVC
- Open, vendor-agnostic intelligence and analysis ingestion: ability to integrate any threat intelligence, whitelist/blacklist, or static/dynamic analysis engine
- Cynomix integration: advanced static analysis engine built from the DARPA Cyber Genome project; corpus of millions of unique binary samples; identifies similar strains of malware via clustering (based on machine learning algorithms); reports functional capabilities in plain English (e.g., Logs Keystrokes)
- Small footprint / low overhead: one agent/installer seamlessly integrated with the SVC; analysis is performed by the server, eliminating any impact to the user/endpoint; trivial network usage (metadata transmitted to the server is smaller than a DNS query)
Risk Evaluation Framework (Identify)
[Diagram: Invincea Management Framework feeding]
- Known Good: Reversing Labs, Kaspersky?
- Known Bad: VirusTotal, MetaScan
- Similar to known (static analysis): Cynomix
- Malicious indicators (static analysis): Cylance?
- Malicious indicators (dynamic analysis): LastLine?, FireEye?, MATD?
- Monitoring
Unique Invincea Advantages
- Prevention + Detection & Response
- One Agent, One Price, One Vendor
- Small Footprint
- Zero-Day Threat Protection

Architecture: CONTAINMENT, DETECTION, PREVENTION, INTELLIGENCE
Architecture: Contain, Identify, Control
Invincea Endpoint (endpoint application for employees)
- Protection options: Browser, PDF, Office Suite, Browser Plug-ins
- Recommended system specs: 1 GB RAM, 150 MB free disk space, Intel Pentium or better
- Supported operating systems: Windows XP; Windows 7 32- and 64-bit; Windows 8.1 32- and 64-bit; Windows 10 32- and 64-bit
Invincea Management
- Threat data; optional integration to other technologies
- Config management: track deployments, manage groups, maintain audit trail, schedule software updates
- Reporting
- Multiple deployment options: virtual appliance, cloud hosted
11/18/2015 Confidential & Proprietary
Contain the Attack (Contain)
- Isolate endpoint attack surface with a secure container
- Protect 90-95% of endpoint attack surface (vulnerable apps)
- Protects against: spear phishing, web drive-bys, watering hole attacks, malvertising, ransomware, 0-days
Container: How it Works (Contain)
- Containment: place the web browser and plug-ins, PDF reader, and Office suite in a PATENTED secure virtual container
- Detection: detect malware without signatures, including zero-days and APTs
- Prevention: protect every user and the network from their error
- Intelligence: feed actionable forensic intelligence without the breach
Secure Virtual Container (Contain)
[Diagram: host security plug-ins: Anti-Virus, DLP, Single Sign-on]
Invincea Endpoint (Contain)
Invincea Secure Virtual Container
- Single container with all untrusted content
- Isolates all user areas of the host filesystem
- Copy-on-write filesystem and registry
- Low overhead: <100 MB RAM; does not increase in resource usage with additional browser tabs
- One-way mirror design for interoperation
- Completely configurable isolation
- Completely configurable detection engine
Invincea Management
- Maintains all enterprise clients
- Pushes policy changes and product updates
Invincea Endpoint Client
- Talks securely to server
- Direct access to host resources
- Monitors client health
Real-time Intelligence (Contain)
Invincea Management Architecture (Identify)
[Diagram]
- Invincea Management: Sensor UI Module, Threat Data Module, Configuration Module, Risk Evaluation Framework
- Cloud services: Cynomix, VirusTotal, Metascan, ReversingLabs, Lastline, any binary or hash analysis
- On-premise: process metadata and binaries flow from Invincea clients to management
- Endpoint clients: prevention + detection, activity monitoring, remediation, IOC searching
Cynomix: Cyber Genome Analysis Tool (Identify)
[Diagram: Invincea Management with Cynomix plug-in sends unknown files to the cloud Cynomix server; the server performs code similarity analysis against known malware and capability discovery, returning malware identification and capability discovery results]
Control the Threat (Control)
- Automatically eradicate threats enterprise-wide
- Execute granular escalating controls by policy or human in the loop: quarantine suspicious processes, kill indicted threats, quarantine compromised devices, eradicate threats enterprise-wide, publish and share with community
- Contain compromise to a single endpoint, and reduce dwell time from days to minutes
Advanced Endpoint Protection: CONTAIN, IDENTIFY, CONTROL
Spear-phish me at: nick.keller@invincea.com