Page 1 (source: vox.veritas.com/legacyfs/online/veritasdata/9am_1487...)

Proactively Discovering Malicious Activity On Your Network

Mark Guntrip Product Marketing, Symantec

1487 - Proactively Discovering Malicious Activity on Your Network

Mark Feeney Manager, IT Security, AMETEK

Page 2

SYMANTEC VISION 2014

Agenda


1. The Best Place to Detect Malicious Behavior
2. Different Viewpoints
3. AMETEK Real-World Case Study

Page 3

The big question…

“Where is the best place to detect malicious behavior?”


Page 5

The big question…

[Bar chart, values not recoverable: audience responses to “At what point do you believe advanced threats are stopped or identified?”; categories Server, Cloud, Network, Endpoint, Gateway; axis 0 to 25]

Page 6

What does this question mean to different people?

• Where my core data resides
• What I think malicious activity is
• Where I believe I might be vulnerable
• Within the bounds of my control
• I’m blocking threats before they get in

Page 7

What does this question mean to different people?


Page 8

Shortened URLs


Page 9

Real Time Link Following


Page 10

Active Content


Page 11

Disarm Technology

• Problem: attacks using malicious, attached email documents
  – Primarily used in spear phishing emails – Advanced Persistent Threat (APT)
  – Contain malicious active content, or exploit payloads targeting parser vulnerabilities
• Solution: reconstruct attachment documents from scratch before presenting to the user
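The reconstruction idea on this slide, worked through as an added example (this is not Symantec's Disarm code and makes no claim about how that product works internally): a simplified content-disarm step for an OOXML (.docx/.docm) attachment. It rebuilds the zip container from scratch, keeps only parts under an assumed directory allow-list, drops the VBA project, ActiveX and embedded-OLE parts, and then rewrites the content-type and relationship entries so the rebuilt package stays consistent. The sample document, the part-name patterns and the allow-list are constructed assumptions.

```python
"""Simplified content disarm and reconstruction (CDR) for OOXML attachments.
Added example, not Symantec's Disarm implementation: the .docx container is
rebuilt from scratch, keeping only parts under an assumed directory allow-list,
dropping active-content carriers (VBA project, ActiveX, embedded OLE), and
removing the content-type and relationship entries that referenced them."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
MACRO_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
# Assumed allow-list of package directories and deny-list of active-content parts.
ALLOWED_PREFIXES = ("[Content_Types].xml", "_rels/", "word/", "docProps/")
ACTIVE_PART_PATTERNS = tuple(re.compile(p, re.I) for p in (
    r"^word/vbaProject\.bin$", r"^word/vbaData\.xml$", r"^word/activeX/", r"^word/embeddings/"))

def is_active_part(name):
    return any(p.search(name) for p in ACTIVE_PART_PATTERNS)

def serialize(root, default_ns):
    """Serialize with default_ns as the unprefixed namespace (no ns0: prefixes)."""
    ET.register_namespace("", default_ns)
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)

def rewrite_content_types(xml_bytes):
    """Drop entries for removed parts; downgrade a macro-enabled main part to plain."""
    root = ET.fromstring(xml_bytes)
    for el in list(root):
        part = el.get("PartName", "").lstrip("/")
        ctype = el.get("ContentType", "")
        if (part and is_active_part(part)) or "vbaProject" in ctype:
            root.remove(el)
        elif ctype == MACRO_MAIN_CT:
            el.set("ContentType", PLAIN_MAIN_CT)
    return serialize(root, CT_NS)

def strip_dangling_relationships(rels_xml, base_dir, kept):
    """Remove <Relationship> entries whose Target is no longer in the package."""
    root = ET.fromstring(rels_xml)
    for rel in list(root):
        if rel.get("TargetMode") == "External":
            continue  # hyperlinks point outside the package; nothing to resolve
        target = rel.get("Target", "")
        resolved = target[1:] if target.startswith("/") else base_dir + target
        if resolved not in kept:
            root.remove(rel)
    return serialize(root, RELS_NS)

def disarm(docx_bytes):
    """Rebuild the container and return the disarmed document bytes."""
    src = zipfile.ZipFile(io.BytesIO(docx_bytes))
    names = [n for n in src.namelist() if not n.endswith("/")]
    kept = {n for n in names if n.startswith(ALLOWED_PREFIXES) and not is_active_part(n)}
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in sorted(kept):  # [Content_Types].xml sorts first
            data = src.read(name)
            if name == "[Content_Types].xml":
                data = rewrite_content_types(data)
            elif name.endswith(".rels"):
                data = strip_dangling_relationships(data, name.split("_rels/")[0], kept)
            dst.writestr(name, data)
    return out.getvalue()

def part_names(docx_bytes):
    return sorted(zipfile.ZipFile(io.BytesIO(docx_bytes)).namelist())

def read_part(docx_bytes, name):
    return zipfile.ZipFile(io.BytesIO(docx_bytes)).read(name)

def build_sample_macro_docx():
    """Constructed input: a minimal macro-enabled document (no real malware)."""
    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    parts = {
        "[Content_Types].xml": f'<Types xmlns="{CT_NS}">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            f'<Override PartName="/word/document.xml" ContentType="{MACRO_MAIN_CT}"/>'
            '<Override PartName="/word/vbaData.xml" ContentType="application/vnd.ms-word.vbaData+xml"/></Types>',
        "_rels/.rels": f'<Relationships xmlns="{RELS_NS}"><Relationship Id="rId1" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" '
            'Target="word/document.xml"/></Relationships>',
        "word/document.xml": f'<w:document xmlns:w="{w_ns}"><w:body><w:p><w:r>'
            "<w:t>Invoice attached.</w:t></w:r></w:p></w:body></w:document>",
        "word/_rels/document.xml.rels": f'<Relationships xmlns="{RELS_NS}">'
            '<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
            '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
            "</Relationships>",
        "word/styles.xml": f'<w:styles xmlns:w="{w_ns}"/>',
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0" + b"\x00" * 12,  # stand-in for a VBA OLE stream
        "word/vbaData.xml": '<vbaSuppData xmlns="http://schemas.microsoft.com/office/word/2006/wordml"/>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in parts.items():
            z.writestr(name, data)
    return buf.getvalue()
```

`disarm(build_sample_macro_docx())` returns a package in which `word/vbaProject.bin` and `word/vbaData.xml` are gone, the main part's content type is the plain (non-macro) one, and the relationship that pointed at the VBA project has been removed while the one to `styles.xml` survives. Real CDR goes further than this container-level rebuild (it re-renders the document content itself), which is why the slide says "from scratch".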

Page 12

Content Download


Page 13

Symantec Insight

• 6.3 billion files
• 300 million machines
• 2 million URLs

Insight makes decisions based on who downloads what from where, not just how many times a file is downloaded. When one machine downloads a file, all reputations must be re-calculated! That’s over 100 billion associations that must be refreshed every few hours!

Page 14

Drive-by Download


Page 15

Network Threat Protection

• Threat protection efficacy against drive-by downloads
• Prevent browser exploitation
• Blocks attacks where endpoint protection may not be in place, such as BYOD support
• Detect internal malware proliferation

64% of Symantec malware blocks due to network threat detection

Page 16

Devices Outside The Network


Page 17

Cloud Security


Page 18

Unmanaged Devices


Page 19

Protect Technologies

• Gateway/cloud
  – Email Security – on-premise and cloud – strip active content, follow links
  – Web Security – on-premise and cloud – detect botnet activity, protect remote devices when they are off-network
  – Protect unmanaged devices
• Server/Endpoint
  – Prevent malicious content from installing
  – Detect malware post-infection

Page 20

Shift in viewpoint

Realization: Breach is Inevitable
Customer Needs Shift: From Protection Only To Protection + Detection and Response

Identify: Understanding Where Important Data Is
Protect: Stopping Incoming Attacks
Detect: Finding Incursions
Respond: Containing & Remediating Problems
Recover: Restoring Operations

Page 21

Detecting and stopping malware activity


Page 22

Gateway

• Command & Control Communications

• Botnet activity

• Inactive botnets

[Diagram, reconstructed from spilled labels: Symantec Web Gateway, deployed for web client systems, inspects packets, IPs, URLs, files, active content, applications and behavior. Detection layers shown: Botnet Detection, Infected Client Detection, Application Control, Malware Content Scanning, URL Filtering, Malware Domains & IPs.]
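To make the gateway-side detections on this slide concrete, here is an added example (not Symantec Web Gateway code): a beacon detector that reads constructed proxy log lines and flags a client that calls one host repeatedly at near-constant intervals, the call-home rhythm behind the “Command & Control Communications” and “Botnet activity” bullets. The log format, the thresholds (at least five requests, mean gap of at least 10 s, coefficient of variation of the gaps at most 0.15) and the `.invalid` host names are all assumptions.

```python
"""Beacon detection over web proxy logs: flag a client that calls one host at
near-constant intervals, the call-home pattern of botnet C&C traffic.
Added example, not Symantec Web Gateway code; thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev
from urllib.parse import urlsplit

MIN_REQUESTS = 5           # fewer requests than this cannot establish a rhythm
MIN_MEAN_INTERVAL = 10.0   # seconds; ignores bursts such as a page load fetching many objects
MAX_CV = 0.15              # coefficient of variation of the gaps; lower means more regular

# Constructed sample log (assumed format: timestamp client method URL status bytes).
# 10.20.5.42 calls one host roughly every 60 s; 10.20.5.17 browses normally.
SAMPLE_LOG = """\
2014-06-03T09:00:00Z 10.20.5.17 GET http://cdn.vendor-site.invalid/app.js 200 48213
2014-06-03T09:00:00Z 10.20.5.42 GET http://update.c2-placeholder.invalid/gate.php 200 87
2014-06-03T09:00:07Z 10.20.5.17 GET http://cdn.vendor-site.invalid/style.css 200 9120
2014-06-03T09:01:01Z 10.20.5.42 GET http://update.c2-placeholder.invalid/gate.php 200 87
2014-06-03T09:01:58Z 10.20.5.17 GET http://news.vendor-site.invalid/ 200 62001
2014-06-03T09:02:00Z 10.20.5.42 GET http://update.c2-placeholder.invalid/gate.php 200 87
2014-06-03T09:02:59Z 10.20.5.42 GET http://update.c2-placeholder.invalid/gate.php 200 87
2014-06-03T09:04:01Z 10.20.5.42 GET http://update.c2-placeholder.invalid/gate.php 200 87
2014-06-03T09:05:00Z 10.20.5.42 GET http://update.c2-placeholder.invalid/gate.php 200 87
2014-06-03T09:15:33Z 10.20.5.17 GET http://news.vendor-site.invalid/story/1 200 40112
2014-06-03T09:16:02Z 10.20.5.17 GET http://cdn.vendor-site.invalid/app.js 304 0
2014-06-03T09:31:10Z 10.20.5.17 GET http://news.vendor-site.invalid/story/2 200 39870
"""


def parse_line(line):
    """Return (timestamp, client, host, status, size), or None for a malformed line."""
    fields = line.split()
    if len(fields) != 6:
        return None
    ts = datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    host = urlsplit(fields[3]).hostname or ""
    return ts, fields[1], host, int(fields[4]), int(fields[5])


def detect_beacons(log_text):
    """Return [(client, host, request_count, mean_gap_seconds, cv)] sorted by regularity."""
    by_pair = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ts, client, host, _status, _size = rec
            by_pair[(client, host)].append(ts)
    hits = []
    for (client, host), times in by_pair.items():
        if len(times) < MIN_REQUESTS:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg < MIN_MEAN_INTERVAL:
            continue
        cv = pstdev(gaps) / avg
        if cv <= MAX_CV:
            hits.append((client, host, len(times), avg, cv))
    return sorted(hits, key=lambda h: h[4])


if __name__ == "__main__":
    for client, host, n, avg, cv in detect_beacons(SAMPLE_LOG):
        print(f"{client} -> {host}: {n} requests, every {avg:.1f}s (cv={cv:.3f})")
```

On the sample, only the 10.20.5.42 to update.c2-placeholder.invalid pair is reported (six requests, mean gap 60 s, cv about 0.02); the browsing client never reaches five requests to one host. In practice this timing signal is combined with the other layers the diagram lists (URL filtering, malware domain and IP reputation, content scanning), since some legitimate software also polls on a fixed schedule.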

Page 23

Detecting and stopping malware activity

• Managed Security Services

[Diagram: Symantec MSS, with desktops and the following inputs: Network, Server, Endpoint, Data, Compliance Restriction; Organization, Asset Value, System Function; Threats, Vulnerabilities, Malcode, File & Site Reputation]

Page 24

Shift in viewpoint (repeat of the slide on page 20)

Page 25

How AMETEK Found, Watched & Beat a Malware Campaign

Mark Feeney Manager, IT Security - AMETEK


Page 26

• $3.6B global manufacturer of electronic instruments and electro-mechanical devices
• AMETEK is a component of the S&P 500 Index (AME)
• Over 120 manufacturing and 80 sales and service locations
• 30 countries
• 4 data centers: Boston MA, Horsham PA, Leicester UK, Singapore
• 14,000 employees worldwide

Page 27

Timeline

• Sept 2013: FBI, San Diego
• June 2013: Just a little “noise”
• Oct 2013: Aahh. There it is!
• FBI, Boston
• Nov 2013: Ongoing process begins

Page 28

Key Takeaways

• If the FBI wants to talk to you, talk to them

• Don’t be afraid to ask your vendors for help

• If you haven’t already, upgrade to SEP 12.1

• Reduce lateral movement

• Eliminate password reuse

• Look to gateway security measures to maximize visibility

• Devices outside your control are still critical

• Plan to Protect, Detect, Respond, Recover


Page 29

For more information on Symantec’s future plans for malware and targeted attack detection, see the session “Gateway, Cloud and Targeted Attacks: Symantec’s Vision, Strategy and Roadmap”, 10.15 – 11.15 AM, Augustus Ballroom 2.

Page 30

Thank you!


YOUR FEEDBACK IS VALUABLE TO US!

Please take a few minutes to fill out the short session survey available on the mobile app—the survey will be available shortly after the session ends. Watch for and complete the more extensive post-event survey that will arrive via email a few days after the conference.

To download the app, go to https://vision2014.quickmobile.com or search for Vision 2014 in the iTunes or Android stores.
