Building a Continuous Response Architecture
2014 Bit9. All Rights Reserved
Slide 2
Carbon Black: Industry's Best ETDR Solution
First & only solution with continuous endpoint recording and live response
CONTINUOUS RECORDING: continuous endpoint recorder; instant, aggregated threat intel; complete kill chain analysis; customized detection
LIVE RESPONSE: immediate endpoint threat isolation; live endpoint investigation; real-time attack termination; comprehensive threat remediation
Slide 3
The Problem: Advanced Threats = $$$
"There are two kinds of companies: those that have been breached and those that don't know it yet." (CIO, Fortune 100 company)
Days to discover*: 243
Discovered externally*: 69%
Average cost*: $5.4 million
"In 2020, enterprises will be in a state of continuous compromise."
*Sources: Mandiant, Verizon
Slide 4
July 2014 The Network is Not the Target Organizations continue
to spend a lot of money on network security solutions, but its the
endpoint that is the ultimate target of advanced threats and
attacks. Firewalls [are] becoming less and less effective in a
perimeter-less world Dec. 2014 When the perimeter disappears, we
certainly would argue that the endpoint is the perimeter. Dec.
2014
Slide 5
Traditional Defenses Were Designed for Opportunistic Attacks
OPPORTUNISTIC: goal for attacker is to compromise as many endpoints as possible. [Chart: hosts compromised over time; DETECTION THRESHOLD; signature available]
ADVANCED: goal for attacker is to compromise as few endpoints as possible. [Chart: hosts compromised over time; signature available (if ever)?]
Slide 6
DETECTION RESPONSE RECOVERY Reduce Dwell Time By Prioritizing
Data Collection Compromised (attacker present) Recovered (attacker
expelled) Breach Discovered (attacker identified) DWELL TIME
Proactively collecting data here is automated, efficient &
conclusive Reactively collecting data here is time consuming,
expensive & incomplete DETECTION RESPONSE RECOVERY Compromised
(attacker present) Recovered (attacker expelled) Breach Discovered
(attacker identified) DWELL TIME Eliminate expensive data
collection process Optimize security team Instant answers to
complex IR questions Avoid blind reimaging Zero end-user/endpoint
impact Reduce dwell time
Slide 7
Expand Detection Beyond the Moment of Compromise
[Timeline spanning weeks to months (years): Abnormal Behavior -> Lateral Movement & User Accounts -> Exfiltration & Data Gathering]
Traditional focus: only see the individual detection event.
The rest of the attack lifecycle is missed without continuous data collection.
You can't know what's bad ahead of time.
Slide 8
Highlight As Opposed to Filter Endpoint Visibility
Java exploitation chain: User visits website -> Is sent malicious Java applet -> Spawns first stage payload -> Spawns second stage payload -> Injects code into Windows Explorer -> Takes malicious actions (DETECTED)
Goal: understand root cause. Detection probability increases over time, and investigations seek root cause.
Traditional detection filters out endpoint visibility, missing the full context of the attack.
Highlight detected activity within continuous recording to understand root cause and scope faster.
Proactive data collection also enables the ability to detect entire attack processes.
Slide 9
IT and Company Culture: Is Your Environment Like This?
Slide 10
Or This?
Slide 11
Prioritize Alerts with Data Collection & Threat Intelligence
ALERT FATIGUE: too many alerts to manage & prioritize
ACTIONABLE ALERTS: accelerate threat discovery; customize detection for organization; detect every threat vector; narrow focus by understanding data
[Diagram labels: Detection, Discovery, Threat Intelligence]
Slide 12
Respond at the Moment of Discovery
Instantly roll back the tape with a recorded history to understand scope.
Prioritize investigations with applied threat intelligence.
Learn from investigation to build detection moving forward.
Recorded attack chains (DISCOVERED at "Takes malicious actions"):
Java applet: User visits website -> Is sent malicious Java applet -> Spawns first stage payload -> Spawns second stage payload -> Injects code into Windows Explorer -> Takes malicious actions -> Deleted payload -> Lateral movement
PDF: User visits website -> Downloads PDF -> Deleted payload -> Spawns second stage payload -> Injects code into Windows Explorer -> Takes malicious actions
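The "roll back the tape" idea on Slides 8 and 12, as an added example that is not Bit9/Carbon Black code: a constructed endpoint recording (hypothetical event schema) in which a single detection (code injection into Windows Explorer) is walked back through recorded parent processes to its root cause, and forward to the processes in scope, while explorer's earlier, unrelated children stay out of scope.

```python
from collections import defaultdict
# Constructed recording (hypothetical event schema, not Carbon Black's real format), in recorded order.
EVENTS = [
    {"t": 1, "type": "procstart", "pid": 100, "ppid": 1,   "image": "explorer.exe"},
    {"t": 2, "type": "procstart", "pid": 150, "ppid": 100, "image": "notepad.exe"},   # normal user activity
    {"t": 3, "type": "procstart", "pid": 200, "ppid": 100, "image": "iexplore.exe"},  # user visits website
    {"t": 4, "type": "procstart", "pid": 300, "ppid": 200, "image": "java.exe"},      # malicious applet
    {"t": 5, "type": "procstart", "pid": 400, "ppid": 300, "image": "stage1.exe"},    # first stage payload
    {"t": 6, "type": "procstart", "pid": 500, "ppid": 400, "image": "stage2.exe"},    # second stage payload
    {"t": 7, "type": "inject",    "pid": 500, "target": 100},                         # the one detected event
    {"t": 8, "type": "procstart", "pid": 600, "ppid": 100, "image": "cmd.exe"},       # spawned by injected explorer
]

def index_recording(events):
    """Process table (pid -> start event) and parent -> children map."""
    procs = {e["pid"]: e for e in events if e["type"] == "procstart"}
    children = defaultdict(list)
    for p in procs.values():
        children[p["ppid"]].append(p["pid"])
    return procs, children

def detect_injections(events, watched=("explorer.exe",)):
    """Detection rule: cross-process code injection into a watched process."""
    procs, _ = index_recording(events)
    return [e for e in events if e["type"] == "inject" and procs[e["target"]]["image"] in watched]

def root_cause_chain(events, pid):
    """Roll the tape back: image names from the earliest recorded ancestor down to pid."""
    procs, _ = index_recording(events)
    chain = []
    while pid in procs:
        chain.append(procs[pid]["image"])
        pid = procs[pid]["ppid"]
    return chain[::-1]

def descendants(children, pid):
    """pid plus everything it (transitively) spawned."""
    out = {pid}
    for c in children[pid]:
        out |= descendants(children, c)
    return out

def attack_scope(events, injection):
    """Scope: injecting process + its descendants + what the target spawned after injection."""
    procs, children = index_recording(events)
    scope = descendants(children, injection["pid"])
    for c in children[injection["target"]]:
        if procs[c]["t"] > injection["t"]:
            scope |= descendants(children, c)
    return scope
```

Without the recording, the responder would see only the injection event; with it, the same event resolves to the browser-to-applet chain and to the post-injection cmd.exe.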
Slide 13
Drive Action on Endpoints with Live Response
Recorded chain: User visits website -> Is sent malicious Java applet -> Spawns first stage payload -> Spawns second stage payload -> Injects code into Windows Explorer -> Takes malicious actions -> Deleted payload
Live response actions: BLOCK NETWORK COMMUNICATION; KILL ATTACK PROCESS; IDENTIFY ROOT CAUSE & REMEDIATE MACHINE
ISOLATED: responders manage multiple tools for continuous recording & live response
MODERN VIEW: one comprehensive IR solution
Use one IR solution without dropping admin. credentials
Built by responders for responders
Customize on-sensor actions by executing third-party tools
Remove IT from the SecOps equation
Slide 14
Security as a process versus as a solution
Slide 15
Carbon Black: Industry's Best ETDR Solution
Slide 16
Bit9 + Carbon Black: Arm Your Endpoints
Bit9, The Most Comprehensive Endpoint Threat Protection Solution, for IT and Security Teams managing desktops, servers, and fixed-function devices:
+World's most widely deployed application control/whitelisting solution
+Single agent for visibility, detection, response, prevention
+Trust-based and policy-driven
Carbon Black, The Leading Endpoint Threat Detection and Response Solution, for Security Operations Center and Incident Response Teams:
+Only solution with continuous recording; live response; threat isolation, termination and remediation
+Real-time customizable detection
+Complete kill chain analysis based on recorded history and attack visualization
Open API and Integrations: Network Security, Analytics and SIEM, In-House & Custom Tools
Threat Intelligence Cloud: Reputation, Threat Indicators, Attack Attribution
Supported Operating Systems