New Generation Security for Advanced Threats

UBM Tech, September 2013. Sponsored by Bit9.
©2013, UBM Tech, a division of United Business Media LLC. All Rights Reserved.

Inside:
2 Second Generation Security Threats: Targeted, Elusive, Persistent
4 Anatomy of an Attack
5 5 Ways Second Generation Solutions Succeed Where the First Generation Fails
9 Next-Generation Endpoint and Network Security Tools Integrate to Remove Endpoint Blind Spots


Second Generation Security Threats: Targeted, Elusive, Persistent


The enterprise security landscape has shifted dramatically in the past decade. It wasn’t so long ago that enterprises were mostly fighting off widespread, highly visible malware attacks perpetrated by young hackers seeking notoriety.

The impact of these attacks typically included lost business productivity and temporary reputational damage. Because the threats were so visible and widespread, it was fairly easy for security vendors to crank out software updates to address them. And, because many of these attacks exploited Windows vulnerabilities, most organizations woke up to the need for a viable Windows OS patching strategy.

In recent years, enterprises have been plagued with a rapid rise in much more damaging advanced threats, which target specific enterprises or government agencies, contractors or critical infrastructure. Rather than teenagers out for fun and notoriety, perpetrators of advanced threats are more likely to be nefarious elements of organized crime, foreign governments, or others motivated by financial reward, terrorism or the sponsor’s enhanced competitive position (see Figure 1, p.3). Now that they have gained an enterprise foothold, Macintosh OS X and common applications such as Adobe Acrobat and Mozilla Firefox are attack targets.

[Figure 1. Variety of external actors. Overall: organized crime 55%, state-affiliated 21%, unknown 13%, unaffiliated 8%, former employee 2%, activist 1%. The chart also breaks these actors out by victim organization size (small, large) and by motive (financial, espionage, other). Source: Verizon Data Breach Investigation Report 2013, Figure 12: Variety of External Actors.]

Unlike the highly visible attacks of yore, advanced threats aim to be invisible, which makes them much more problematic to detect and address. These exploits can remain on a network undetected for months or years, only addressed after much of the damage has been done. Sometimes they are never detected.

The relentless stream of highly publicized and damaging targeted advanced threats illustrates the stakes. Through these attacks, criminals and nation states have stolen huge volumes of sensitive customer credit card information, valuable intellectual property, and even state and defense secrets. Victims have included security-conscious organizations such as RSA, Sony, Microsoft, T.J. Maxx, large financial organizations, defense contractors, various branches of the U.S. military, and The New York Times.

As a result of these never-ending and very successful attacks, many organizations are rethinking their security strategies — and acknowledging that they have probably already been attacked.

For an eye-opening look at how widespread these attacks are and how many millions of records are involved in the biggest attacks, check out this interactive infographic.


Anatomy of an Attack

Advanced threats typically involve these stages:

1. Research. Before launching the attack, perpetrators usually spend a lot of time learning as much as they can about an organization and its senior management via social media, company blogs, websites and any other means.

2. Spear phishing. They then harness the information collected to craft targeted, highly effective spear-phishing exploits via emails or phone calls that appear to be coming from the organization’s senior management. Because they are so targeted and relevant, such exploits cannot easily be stopped with current spam solutions. For example, a highly publicized attack used an email header and Microsoft Excel attachment called “2011 Recruitment Plan.”

3. Zero-day malware. Even people with significant training in security best practices can be fooled into opening a malware-infected attachment, clicking on a Web link that downloads malware into their system, or giving their credentials to someone who appears to be calling from IT or senior management. This malware typically uses zero-day exploits that are not detected by traditional, signature-based antimalware and intrusion-prevention solutions. Many of these attacks take advantage of Macintosh OS X and application vulnerabilities and files, because the perpetrators know that many IT organizations lack effective application management and patching strategies.

4. Control channel. Once the malware downloads or credential theft is successful, the perpetrators gain access to the network and set up a secret, remotely accessible control channel.

5. Gradual spread. The attacker then uses the control channel to gain access gradually to other systems and parts of the network over weeks, months or even years.

6. Data exfiltration. Once the desired information is identified and located, the perpetrator uploads it to a remote site, typically via an encrypted channel.


5 Ways Second Generation Solutions Succeed Where the First Generation Fails

Why have advanced threats succeeded so dramatically when most organizations have architected sophisticated defense-in-depth strategies? Because most of the tools and strategies organizations possess were built for the last generation of security threats. Here are some reasons why first-generation security solutions fail and a new crop of next-generation solutions succeeds.

1. Visibility

The first requirement of a viable security strategy should be clear, comprehensive visibility into all the operating systems, applications, files and other resources running on the network. How else could IT detect suspicious applications, files, registry changes, and other behavior typical of first- and second-generation security threats? Remarkably, however, few first-generation security solutions focus on endpoint and network visibility. Instead, their main focus is on specific, known vulnerabilities and attack signatures.


Many of today’s second-generation security solutions focus on visibility as an essential feature of their approach to security, tracking the actions of every operating system, application, system and file in order to discover suspicious behavior that may indicate an attack. If an attack is discovered, many provide comprehensive forensic information to help IT address all aspects of the attack and trace it back to its source.

2. Signatures

Most of the traditional security tools enterprises have deployed across servers and endpoints — such as antimalware and intrusion-prevention solutions — use threat signatures as the primary technique for detecting and addressing security threats.

Signatures worked pretty well when attacks were highly visible and widespread. However, the goal of today’s more sophisticated perpetrators is stealth, and the tactics mainly involve zero-day and polymorphic threats. By definition, zero-day attacks have no existing signatures. And, because they are hidden as well, signature-based solutions struggle to address them. Even if they are detected, the blinding pace and volume of new threats makes it nearly impossible to keep up with all the signatures involved.

According to the AV-Test Institute, approximately six million new pieces of malware were detected in June 2013 alone. The research and effort required to create signatures to address this malware flood is resource intensive. And, as anyone who uses a traditional antimalware solution knows, the real impact is the ever-increasing requirement for processing power and storage to support them. Security updates and scans consume more and more resources on the average endpoint PCs, notebooks and mobile devices over time, limiting user productivity and increasing frustration.

Second-generation solutions focus on malware-like behavior instead of on signatures. These advanced solutions harness global and local intelligence to baseline normal, trusted behavior, then use that information to detect anomalies, changes and untrusted behavior that indicates an attack in progress. When they detect new suspicious files, many of these solutions use advanced techniques to activate and test them for malware-like behavior in a sandboxed, protected environment.

3. Bulky Malware Scans

Aside from updates, first-generation security solutions rely largely on periodic system scans to detect and address any threats that make it through their other defenses. The scans are comprehensive, but with the increasing size of system storage and pace of new signatures, they suck up system resources even more dramatically than signature updates, frustrating users and squashing productivity even further. Server scans are so bulky that they’re almost unusable in systems running mission-critical applications.

System scans are intermittent, which means they can miss malware changes and activity that occur between scans. If a threat is discovered by some other means, system scans are a poor means of gathering forensic information, as they often take hours or days to run — valuable time that could have been used to analyze the new threat and limit its impact before it does more harm. Instead of system scans, many second-generation solutions monitor systems on a continuous basis, detecting and logging all changes and additions to the environment, including registry and memory changes, and new applications and files. Although this approach might seem more intrusive than a periodic system scan, these solutions actually tend to be lightweight and less obtrusive than their first-generation cousins because they don’t have to scan the entire storage media and constantly update and take into account thousands of new signatures per day.

When a successful breach is discovered, the comprehensive forensic information second-generation security solutions have collected is immediately available, so IT doesn’t have to wait until a bulky, lengthy scan is complete. The forensic information they provide is also much more comprehensive than the information provided by an occasional scan.
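The baseline-then-record idea behind points 2 and 3 above (baseline what is on the endpoint, log every addition, modification and removal as it is observed, and answer forensic questions from that log rather than from a fresh full scan), as an added example. This is hypothetical code written for this page, not Bit9’s sensor or any product’s code: it re-hashes a directory tree on each monitoring tick, where a real sensor would subscribe to file-system and registry change notifications, and the files and scenario in demo() are constructed.

```python
"""Continuous change recording for an endpoint directory tree (added example).

Not Bit9's sensor or any product's code. It keeps a baseline of file hashes,
records every addition, modification and removal seen on each monitoring tick,
and answers "what happened to this path, and when?" from the append-only log
instead of from a fresh full scan. A real sensor would subscribe to
file-system/registry change notifications rather than re-hashing the tree;
the files and scenario in demo() are constructed for the example."""
import hashlib
import os
import tempfile
import time
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class FileState:
    sha256: str
    size: int


@dataclass(frozen=True)
class ChangeEvent:
    ts: float                   # when the change was observed
    kind: str                   # "added", "modified" or "removed"
    path: str                   # relative to the monitored root, '/'-separated
    before: Optional[FileState]
    after: Optional[FileState]


def snapshot(root: str) -> Dict[str, FileState]:
    """Hash every regular file under root: the baseline, or the current state."""
    state: Dict[str, FileState] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                data = fh.read()
            state[rel] = FileState(hashlib.sha256(data).hexdigest(), len(data))
    return state


def diff_snapshots(old: Dict[str, FileState], new: Dict[str, FileState],
                   ts: Optional[float] = None) -> List[ChangeEvent]:
    """Turn two snapshots into change events; unchanged files produce nothing."""
    ts = time.time() if ts is None else ts
    events: List[ChangeEvent] = []
    for path in sorted(set(old) | set(new)):
        before, after = old.get(path), new.get(path)
        if before is None:
            events.append(ChangeEvent(ts, "added", path, None, after))
        elif after is None:
            events.append(ChangeEvent(ts, "removed", path, before, None))
        elif before != after:
            events.append(ChangeEvent(ts, "modified", path, before, after))
    return events


class ChangeRecorder:
    """Baseline plus an append-only event log. observe() runs on each tick."""

    def __init__(self, root: str):
        self.root = root
        self.baseline = snapshot(root)
        self.log: List[ChangeEvent] = []

    def observe(self, ts: Optional[float] = None) -> List[ChangeEvent]:
        current = snapshot(self.root)
        events = diff_snapshots(self.baseline, current, ts)
        self.log.extend(events)      # never overwritten: this is the forensic record
        self.baseline = current
        return events

    def history(self, path: str) -> List[ChangeEvent]:
        """Forensic query: every recorded change to one path, oldest first."""
        return [e for e in self.log if e.path == path]


def demo():
    """Constructed scenario: after the baseline, one file is altered in place,
    a new file is dropped and another is deleted, all before the next tick."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "tool.exe"), "wb") as fh:
            fh.write(b"original tool")
        with open(os.path.join(root, "notes.txt"), "wb") as fh:
            fh.write(b"keep me")
        recorder = ChangeRecorder(root)          # baseline taken here

        with open(os.path.join(root, "bin", "tool.exe"), "wb") as fh:
            fh.write(b"trojanised tool")         # modified in place, same path
        with open(os.path.join(root, "bin", "dropper.dll"), "wb") as fh:
            fh.write(b"new payload")             # newly dropped file
        os.remove(os.path.join(root, "notes.txt"))  # deleted

        events = recorder.observe(ts=1000.0)
        return events, recorder


if __name__ == "__main__":
    for event in demo()[0]:
        print(f"{event.ts:.0f} {event.kind:<8} {event.path}")
```

The point of keeping the log append-only is the forensic one made above: when a breach is found later, history("bin/tool.exe") returns the recorded change with its timestamp and both hashes, with no scan to wait for.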

4. Untrusted Applications

Aside from antimalware solutions, enterprise security strategies have focused on centralized management and distribution of operating system security patches, which can be effective for addressing zero-day attacks that target operating system vulnerabilities. Unfortunately today’s malware increasingly takes advantage of vulnerabilities in a variety of commonly used applications, such as Adobe Acrobat Reader and Flash Player and Mozilla Firefox, including the JPEG, PDF and other files they produce (see Figure 2). With more users bringing their Macintosh notebooks from home, malware increasingly targets OS X as well. Enterprises and application and security vendors are playing catch-up when it comes to devising strategies and solutions that target and patch all application and Macintosh vulnerabilities. Organizations have attempted to deploy a variety of management tools to control the downloading of applications on user endpoints. However, with the explosion of bring your own device (BYOD) programs, the flood of new devices and software has been very difficult to stem.

[Figure 2. Top security threats. “Which of the following possible sources of breaches or espionage pose the greatest threat to your organization in 2012?”
Authorized users/employees: 52%
Cybercriminals: 52%
Application vulnerabilities: 44%
Public interest groups/hacktivists: 24%
Contracted service providers/consultants/auditors: 21%
External users: 18%
Competitors: 15%
Foreign governments: 13%
Customers: 12%
Other: 1%
Unknown: 4%
Source: InformationWeek 2012 Strategic Security Survey of 946 business technology and security professionals at organizations with 100 or more employees, March 2012.]

New-generation security solutions harness sophisticated, continuously updated global intelligence to discover and track potentially malicious applications and files. Some also offer sandbox testing that isolates and activates newly discovered files and applications in order to analyze them for malware behavior. These solutions can then assign a trust rating to each app and file, allowing organizations to set policy for allowing or blocking them.

5. Siloed Security Strategies

Perhaps the most successful strategy used in advanced threats takes advantage of the silos typical of IT organizations by deploying a variety of techniques that cross network and endpoint boundaries. Many security solutions are designed to monitor a single or discrete number of attack paths and vectors. A single security solution may detect and eradicate a single exploit, providing the illusion that an attack has been prevented or stopped successfully, when in fact it has only addressed the tip of the iceberg. The siloed nature of tools makes it almost impossible for IT to achieve a holistic view of an advanced attack in progress or provide adequate forensics to trace all the steps and paths of the attack, assess all the damage and address it comprehensively.

New-generation security tools employ an integrated approach that spans the network and its thousands of server, desktop and mobile device endpoints to track and analyze the entire scope of the attack and its impact. Instead of a deluge of disjointed, disconnected information from multiple displays, logs and consoles, IT gets a single view of the advanced threat and its entire impact, allowing it to coordinate a strategy to address all of its parts early in the game — before the devastating damage is done.

Next-Generation Endpoint and Network Security Tools Integrate to Remove Endpoint Blind Spots

Bit9 employs all the strategies of new-generation security solutions, yielding a comprehensive, effective tool for detecting, analyzing, tracking and eradicating today’s most intractable advanced threats. Bit9 extends its security capabilities by integrating with next-generation network security solutions such as FireEye and Palo Alto Networks. With this integration, IT gets comprehensive visibility into the full scope of advanced threat activity, and the means to coordinate an effective forensics and remediation strategy to block or eradicate advanced threats effectively.

Real-Time Visibility and Monitoring

The Bit9 Security Platform installs a lightweight, real-time sensor and recorder on all enterprise endpoints, servers and fixed-function devices, providing continuous visibility across all devices and their installed files. It then tracks all changes to files, system registries and processes over time. All that endpoint monitoring information is uploaded to a centralized Bit9 server for comprehensive forensic analysis at any time (see Figure 3, p. 11). With Bit9, IT achieves not only holistic, real-time visibility into its endpoint and server security posture, but also instant, comprehensive forensics in the event of advanced threat discovery. No burdensome, lengthy scans and bulky updates are needed.

Behavior and Reputation Count

Bit9’s new-generation threat detection goes beyond signatures to analyze behavior: trusted behaviors are whitelisted, and untrusted, typical advanced threat behavior generates alerts. Untrusted behaviors may include suspicious file and registry changes and memory and process violations. This approach is extremely effective for detecting the zero-day threats that traditional signatures miss.

The Bit9 Security platform also integrates information from Bit9’s Global Software Reputation and Threat Indicator cloud services, which crawl the global Internet continuously to provide comprehensive, up-to-date intelligence on current and past software threats and threat behaviors. Based on this continuous information flow, Bit9 assigns trust ratings to all the software it discovers on endpoints. Bit9 then enables IT to set up what it considers acceptable trust ratings, as well as granular policies and rules for handling untrusted software and behavior.

Just a few dozen policies are sufficient to detect and stop most attacks, often before they start. For example, when an unacceptable registry change is attempted or an untrusted executable tries to activate, Bit9 can block the action based on preconfigured rules, rather than reacting to it after the fact.
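How a trust rating, an IT-set acceptable threshold and a handful of local rules combine into a block-or-allow decision at the moment an action is attempted, as an added example. This is hypothetical code written for this page, not Bit9’s policy engine or any product’s code, and the rating scale, the reputation feed, the file hashes (repeated-letter placeholders), the registry key list and the sample actions are all constructed; it generalizes the registry-change and untrusted-executable cases in the paragraph above to one evaluator with local approvals, local bans and a monitor-only mode.

```python
"""Trust-rating policy evaluation at the moment an action is attempted (added example).

Not Bit9's policy engine or any product's code. A reputation feed supplies a
0-10 trust rating per file hash, IT sets the acceptable rating plus local
approvals and bans, and the engine decides allow/block (or alert in monitor
mode) when an executable tries to start or a process writes a protected
registry key. Feed, hashes, keys and sample actions are constructed."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Constructed reputation feed: sha256 -> trust rating, 0 (known bad) to 10 (widely trusted).
REPUTATION = {
    "a" * 64: 10,   # stands in for a widely distributed, vendor-signed binary
    "b" * 64: 6,    # little-known internal tool: not malicious, but below the bar
    "c" * 64: 1,    # flagged as malicious by the feed
}

# Keys whose modification by an untrusted process counts as a violation
# (persistence locations; matched case-insensitively, as the registry is).
PROTECTED_KEY_PREFIXES = tuple(p.upper() for p in (
    r"HKLM\SYSTEM\CurrentControlSet\Services",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
))


@dataclass(frozen=True)
class Action:
    kind: str            # "execute" or "registry_write"
    actor_sha256: str    # hash of the file being launched / the process writing
    target: str          # file path or registry key


@dataclass(frozen=True)
class Decision:
    verdict: str         # "allow", "block" or "alert"
    reason: str


@dataclass
class Policy:
    min_trust_to_execute: int = 7                    # ratings below this are untrusted
    local_approvals: FrozenSet[str] = frozenset()    # IT-approved regardless of rating
    local_bans: FrozenSet[str] = frozenset()         # IT-banned regardless of rating
    alert_only: bool = False                         # monitor mode: alert, don't block

    def rating(self, sha256: str) -> int:
        # Software the feed has never seen gets the lowest rating: default deny.
        return REPUTATION.get(sha256, 0)

    def is_trusted(self, sha256: str) -> bool:
        if sha256 in self.local_bans:          # a local ban wins over everything
            return False
        if sha256 in self.local_approvals:     # then a local approval
            return True
        return self.rating(sha256) >= self.min_trust_to_execute

    def evaluate(self, action: Action) -> Decision:
        trusted = self.is_trusted(action.actor_sha256)
        rating = self.rating(action.actor_sha256)
        if action.kind == "execute":
            if trusted:
                return Decision("allow", f"rating {rating} accepted for {action.target}")
            return self._deny(f"untrusted executable (rating {rating}) tried to start: {action.target}")
        if action.kind == "registry_write":
            protected = action.target.upper().startswith(PROTECTED_KEY_PREFIXES)
            if not protected:
                return Decision("allow", f"unprotected key {action.target}")
            if trusted:
                return Decision("allow", f"trusted writer (rating {rating}) to {action.target}")
            return self._deny(f"untrusted process (rating {rating}) wrote protected key {action.target}")
        return self._deny(f"unknown action kind {action.kind!r}")

    def _deny(self, reason: str) -> Decision:
        return Decision("alert" if self.alert_only else "block", reason)


def run_sample() -> List[Tuple[str, str, Decision]]:
    """Constructed sequence of endpoint actions evaluated under one policy."""
    policy = Policy(local_approvals=frozenset({"b" * 64}))   # IT approved the internal tool
    actions = [
        Action("execute", "a" * 64, r"C:\Windows\System32\notepad.exe"),
        Action("execute", "b" * 64, r"C:\Tools\internal-app.exe"),
        Action("execute", "d" * 64, r"C:\Users\u\AppData\Local\Temp\update.exe"),
        Action("registry_write", "d" * 64, r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
        Action("registry_write", "a" * 64, r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync"),
        Action("registry_write", "d" * 64, r"HKCU\Software\Vendor\Prefs"),
    ]
    return [(a.kind, a.target, policy.evaluate(a)) for a in actions]


if __name__ == "__main__":
    for kind, target, decision in run_sample():
        print(f"{decision.verdict:<5} {kind:<14} {target}  [{decision.reason}]")
```

Two design choices carry the weight: an unknown hash is rated 0 rather than being passed through, so new software is untrusted until the feed or IT says otherwise, and alert_only lets the same rules run in monitor mode first so that IT can tune the threshold and approvals on real events before turning on blocking.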

Next-Generation Network Security Solutions

Bit9 extends its endpoint and server capabilities via integration with next-generation network security solutions such as FireEye and Palo Alto Networks. When either of these second-generation solutions detects malware-like behavior, Bit9 combines the information across platforms to analyze the location, scope and severity of the threat across the network and all endpoints and servers. The same is true in reverse when new actions and files are discovered on endpoints — they can automatically or manually be sent to network security devices for analysis. All information is displayed on a single Bit9 console, allowing IT security to filter out nonactionable events and prioritize high-impact alerts for fast incident response and remediation. IT can then use automated granular security policy updates to prevent future attacks.

This integration also allows IT to set up granular rules to take advantage of network security solutions for sandboxing, detonating and analyzing newly discovered files for malware-like behavior. IT can set up granular policies for determining which files to send to the network security solutions.

The resulting solution provides comprehensive visibility, analysis, policy and remediation of advanced threats across the network and endpoints.

Bit9 for FireEye (video): Bit9 for FireEye delivers a first-of-its-kind integration between network security and endpoint and server security.

Bit9 for Palo Alto Networks (video): Bit9 for Palo Alto Networks delivers a first-of-its-kind integration between network security and endpoint and server security.

Figure 3. Bit9 security platform diagram.


The End of Blind Spots

First-generation security solutions are far too siloed, signature based and resource intensive to protect today’s enterprises from second-generation advanced threats. Second-generation threats require lightweight, intelligent, next-generation security solutions that span network and endpoint silos to coordinate detection, protection, forensics and eradication of today’s multipronged, stealthy targeted advanced threats. Bit9’s Connector for FireEye and Palo Alto offers all the best aspects of next-generation security solutions, providing the most-effective advanced threat defense in the enterprise security arsenal.

Resources:

Webcast on demand: Overcoming Security Blind Spots in Network, Endpoint and Server Security
https://www.bit9.com/resources/webinars/overcoming-security-blind-spots-in-network-endpoint-and-server-security/

Bit9 eBook: Detecting and Stopping Advanced Attacks
https://www.bit9.com/resources/ebooks/bit9-ebook-detecting-and-stopping-advanced-attacks/

Figure 4. How network security enhances endpoint security.