©2014 Bit9. All Rights Reserved Building a Continuous Response Architecture.

  • Slide 1
  • ©2014 Bit9. All Rights Reserved. Building a Continuous Response Architecture
  • Slide 2
  • Carbon Black: Industry's Best ETDR Solution. Continuous recording: continuous endpoint recorder; instant, aggregated threat intel; complete kill chain analysis; customized detection. Live response: immediate endpoint threat isolation; live endpoint investigation; real-time attack termination; comprehensive threat remediation. First and only solution with continuous endpoint recording and live response.
  • Slide 3
  • The Problem: Advanced Threats = $$$. "There are two kinds of companies: those that have been breached and those that don't know it yet." (CIO, Fortune 100 company). Days to discover*: 243. Discovered externally*: 69%. Average cost*: $5.4 million. "In 2020, enterprises will be in a state of continuous compromise." *Sources: Mandiant, Verizon.
  • Slide 4
  • The Network is Not the Target. "Organizations continue to spend a lot of money on network security solutions, but it's the endpoint that is the ultimate target of advanced threats and attacks." (July 2014). "Firewalls [are] becoming less and less effective in a perimeter-less world." (Dec. 2014). "When the perimeter disappears, we certainly would argue that the endpoint is the perimeter." (Dec. 2014).
  • Slide 5
  • Traditional Defenses Were Designed for Opportunistic Attacks. Opportunistic: the attacker's goal is to compromise as many endpoints as possible. Advanced: the attacker's goal is to compromise as few endpoints as possible. [Two charts of hosts compromised over time against a detection threshold: for opportunistic attacks a signature becomes available once the threshold is crossed; for advanced attacks the count stays below the threshold and a signature is available only "if ever".]
  • Slide 6
  • Reduce Dwell Time by Prioritizing Data Collection. [Timeline across Detection, Response and Recovery: Compromised (attacker present) → Breach Discovered (attacker identified) → Recovered (attacker expelled), with dwell time marked across it.] Proactively collecting data before the breach is discovered is automated, efficient and conclusive; reactively collecting data after discovery is time consuming, expensive and incomplete. Benefits: eliminate the expensive data collection process; optimize the security team; instant answers to complex IR questions; avoid blind reimaging; zero end-user/endpoint impact; reduce dwell time.
  • Slide 7
  • Expand Detection Beyond the Moment of Compromise. Traditional focus: only the individual detection event is seen. Missed without continuous data collection: abnormal behavior, lateral movement and user accounts, exfiltration and data gathering, unfolding over weeks to months (or years). You can't know what's bad ahead of time.
  • Slide 8
  • Highlight As Opposed to Filter Endpoint Visibility. Java exploitation chain: user visits website → is sent malicious Java applet → spawns first stage payload → spawns second stage payload → injects code into Windows Explorer → takes malicious actions (DETECTED). Goal: understand root cause. Detection probability increases over time, and investigations seek root cause. Traditional detection filters out endpoint visibility, missing the full context of the attack. Highlighting detected activity within the continuous recording instead lets you understand root cause and scope faster, and proactive data collection also enables detection of entire attack processes.
  • Slide 9
  • IT and Company Culture: Is Your Environment Like This?
  • Slide 10
  • Or This?
  • Slide 11
  • Prioritize Alerts with Data Collection and Threat Intelligence. Alert fatigue: too many alerts to manage and prioritize. Actionable alerts: accelerate threat discovery; customize detection for the organization; detect every threat vector; narrow focus by understanding data. [Detection → Discovery → Threat Intelligence]
  • Slide 12
  • Respond at the Moment of Discovery. Prioritize investigations with applied threat intelligence. DISCOVERED: the detection shows only the tail of the chain (spawns second stage payload → injects code into Windows Explorer → takes malicious actions). Instantly roll back the tape with a recorded history to understand scope: the recording reveals the full chain (user visits website → is sent malicious Java applet → spawns first stage payload → spawns second stage payload → injects code into Windows Explorer → takes malicious actions), a second chain whose payload was deleted (user visits website → downloads PDF → deleted payload → spawns second stage payload → injects code into Windows Explorer → takes malicious actions), and the lateral movement between them. Learn from the investigation to build detection moving forward.
  • Slide 13
  • Drive Action on Endpoints with Live Response. Attack chain: user visits website → is sent malicious Java applet → spawns first stage payload → spawns second stage payload → injects code into Windows Explorer → takes malicious actions (deleted payload). Actions: block network communication; kill attack process; identify root cause and remediate machine. Isolated view: responders manage multiple tools for continuous recording and live response. Modern view: one comprehensive IR solution. Use one IR solution without dropping admin credentials; built by responders for responders; customize on-sensor actions by executing third-party tools; remove IT from the SecOps equation.
  • Slide 14
  • Security as a process versus as a solution
  • Slide 15
  • Carbon Black: Industry's Best ETDR Solution. Continuous recording: continuous endpoint recorder; instant, aggregated threat intel; complete kill chain analysis; customized detection. Live response: immediate endpoint threat isolation; live endpoint investigation; real-time attack termination; comprehensive threat remediation. First and only solution with continuous endpoint recording and live response.
  • Slide 16
  • Bit9 + Carbon Black: Arm Your Endpoints. The most comprehensive endpoint threat protection solution, for IT and security teams managing desktops, servers, and fixed-function devices: + world's most widely deployed application control/whitelisting solution; + single agent for visibility, detection, response, prevention; + trust-based and policy-driven. The leading endpoint threat detection and response solution, for security operations center and incident response teams: + only solution with continuous recording, live response, threat isolation, termination and remediation; + real-time customizable detection; + complete kill chain analysis based on recorded history and attack visualization. Open API and integrations: Threat Intelligence Cloud (reputation, threat indicators, attack attribution); supported operating systems; network security, analytics and SIEM, in-house and custom tools.
  • Slide 17
  • Questions?
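Slides 8 and 12 describe tracing a detected event back to its root cause and rolling the recording forward to establish scope. The example below is added here and is not Bit9's or Carbon Black's code: it walks a constructed process recording (hypothetical pids, image names and timestamps) and shows why a parent-only walk stops at the injected-into explorer.exe, while following the recorded injection edge continues through the payload stages to the browser that visited the website.

```python
from collections import defaultdict
# Constructed endpoint recording (hypothetical data, not Carbon Black output): process starts and injections.
RECORDING = [
    {"ts": 0, "kind": "start", "pid": 500, "ppid": 1, "image": "explorer.exe"},
    {"ts": 1, "kind": "start", "pid": 100, "ppid": 500, "image": "iexplore.exe"},  # user visits website
    {"ts": 1, "kind": "start", "pid": 700, "ppid": 500, "image": "outlook.exe"},   # unrelated activity
    {"ts": 2, "kind": "start", "pid": 200, "ppid": 100, "image": "java.exe"},      # malicious Java applet
    {"ts": 3, "kind": "start", "pid": 300, "ppid": 200, "image": "stage1.exe"},    # first stage payload
    {"ts": 4, "kind": "start", "pid": 400, "ppid": 300, "image": "stage2.exe"},    # second stage payload
    {"ts": 5, "kind": "inject", "pid": 400, "target": 500},                        # injects into Explorer
    {"ts": 6, "kind": "start", "pid": 600, "ppid": 500, "image": "net.exe"},       # lateral movement: DETECTED
]

def _index(recording):
    """Lookup tables: process start by pid, children by ppid, injections by target and by source."""
    start = {e["pid"]: e for e in recording if e["kind"] == "start"}
    children, injected_into, injected_by = defaultdict(list), defaultdict(list), defaultdict(list)
    for e in recording:
        if e["kind"] == "start":
            children[e["ppid"]].append(e)
        else:
            injected_into[e["target"]].append(e)
            injected_by[e["pid"]].append(e)
    return start, children, injected_into, injected_by

def root_cause(recording, detected_pid, follow_injections=True):
    """Walk backwards from the detected process to the origin; injection edges are followed if asked."""
    start, _, injected_into, _ = _index(recording)
    chain, seen, pid, before = [], set(), detected_pid, start[detected_pid]["ts"]
    while pid in start and pid not in seen:
        seen.add(pid)
        chain.append(start[pid]["image"])
        earlier = [e for e in injected_into[pid] if e["ts"] < before]
        if follow_injections and earlier:  # most recent injection before the step we came from
            e = max(earlier, key=lambda x: x["ts"])
            pid, before = e["pid"], e["ts"]
        else:  # plain parent edge; stops at pid 1 (not in the recording) or at a cycle
            pid, before = start[pid]["ppid"], start[pid]["ts"]
    return chain

def scope(recording, origin_pid):
    """Replay forward: every process spawned or injected by a tainted process after it was tainted."""
    start, children, _, injected_by = _index(recording)
    tainted, todo = {origin_pid: start[origin_pid]["ts"]}, [origin_pid]
    while todo:
        p = todo.pop()
        for e in children[p] + injected_by[p]:
            q = e["pid"] if e["kind"] == "start" else e["target"]
            if e["ts"] >= tainted[p] and q not in tainted:
                tainted[q] = e["ts"]
                todo.append(q)
    return sorted(tainted)
```

root_cause(RECORDING, 600) returns the chain from net.exe back to iexplore.exe, whereas follow_injections=False stops at explorer.exe; scope(RECORDING, 200) returns [200, 300, 400, 500, 600], excluding outlook.exe because it started before Explorer was injected.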