Advanced Endpoint Protection

CONTAIN | IDENTIFY | CONTROL

Nick Keller, Director Federal Civilian Sales

Presented to ISSA Central MD (slides: issa-balt.org/ISSA_AEP_Slides.pdf)

Duncker Candle Problem

Solution – Creativity, Change the Paradigm

Why listen to me?

• Connect these 3 companies
  – Cullinet Software
    • 1st software company on NYSE
  – Netscape
  – ArcSight

The Problem

95% of known breaches initiate at Windows endpoints

Users WILL be tricked into accessing malicious content

Chart (© Kaspersky Labs), by application/platform: Oracle Java 45%, Browsers 42%, Adobe Reader 5%, Android OS 4%, Adobe Flash Player 3%, Microsoft Office 1%

Cyber Kill Chain: Invincea STOPS the Attack Early

Stage 1 – Reconnaissance: Research the target
Stage 2 – Attack Delivery: Spear-phish with malicious link and/or attachment
Stage 3 – Client Exploit & Compromise: Vulnerability exploited or user tricked into running executable
Stage 4 – Command & Control (C2): Remote command & control
Stage 5 – Internal Recon: Scan network for targets
Stage 6 – Lateral Movement: Spread throughout network
Stage 7 – Establish Persistence: Root presence to re-infect as machines are remediated
Stage 8 – Stage Data & Exfil: Archive/encrypt, leak to drop sites
Stage 9 – Incident Response: Analysis, remediation, public relations, damage control

Your Security Challenge by the Numbers

77% | 1%-3% | 205 days

Evolution of Malware

Chart: 2015 Changing Threat Curve. Horizontal axis: Mass Targeting to Pinpoint Targeting. Vertical axis: Sophistication, Low to High. Actors plotted from low to high sophistication: Script Kiddies, Lone Wolves, Organized Crime, “Hacktivists”, Nation States (Tier 2), Nation States (Tier 1). Defense lines plotted over time: Anti-Virus defenses (circa 1990’s), Network Sandboxing and Whitelisting (circa 2000), Threat Curve (today, 2010-2015).

Takeaway: Less advanced adversaries now have access to very sophisticated malware

Most Prevalent Threats for 2015*

1. Just In Time (JIT) Malware Assembly
   • All malware families now use JIT for delivery (e.g. Malvertising, Dridex, Dyreza, Pony, CryptoWall)
   • Completely bypasses perimeter controls such as EXE blocking appliances

2. Macro-based Scripting via weaponized docs
   • Entire process can be scripted - no file is written
   • Containerization is the only way to stop these attacks
   • Completely bypasses endpoint protection solutions such as Cylance, PAN TRAPS, HIPS, AV, etc.

* Supporting data in Invincea First Half 2015 Threat Report

JIT Malware Scripting

• Just in Time Malware assembly is used in Malvertising, Dridex, Dyreza, Pony, CryptoWall
• Malware is assembled piece by piece on the endpoint instead of downloaded as a complete binary
• This bypasses perimeter controls such as EXE blocking appliances
• All malware families now use JIT for delivery

Built-in Windows programs shown on the slide: wscript, chcp, netsh, echo, winrshost, cscript, extract32, expand, ipconfig, ping, svchost, powershell, vssadmin

How has the industry tried to solve this problem?

Prevent | Detect | Respond

Invincea’s Advanced Endpoint Protection Strategy

Contain | Identify | Control

Contain: Prevent network breach by containing all threats – known and unknown

Identify: Identify existing threats that evaded conventional defenses

Control: Re-gain control over network by quarantining and eradicating threats across the enterprise

Contain the Attack

Protect 95% of endpoint attack surface (vulnerable apps). Protect against:
• Spear-phishing
• Web-based drive-by’s
• Watering hole attacks
• Malvertising
• Ransomware
• 0-day exploits

Isolate endpoint attack surface with a secure container

Secure Virtual Container

Patented isolation
– Not (just) a sandbox! (Containment, behavioral detection, and automated response)
– Virtualization of process control, file system, and registry
– Protection against zero-day and known exploits
– One-way mirror design
– Malware “thinks” it’s attacking the host environment

Behavioral detection engine
– No need for signatures or constant definition updates
– Based on finite known good application behavior (not searching for IOC’s)

Automated response
– Ability to automatically terminate threat upon detection (why let malware run?)

Small footprint / low overhead
– <100 MB of RAM even under extreme load
– <1% average CPU utilization

Forensic intelligence
– Capture IOC and threat intelligence via controlled explosions of malware
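The behavioral engine above works from a finite model of what each protected application normally does, and the JIT Malware Scripting slide earlier lists the built-in Windows programs (wscript, cscript, powershell, netsh, expand and so on) that staged delivery chains lean on. The following is an added example, not Invincea's code: a small known-good baseline per application, applied to constructed process-creation events, that flags any child process outside the baseline and any of the listed utilities appearing anywhere beneath a protected application, so a staged chain is reported as a chain rather than as isolated events. The baseline table, the event record format and the sample events are assumptions made for the example.

```python
# Added example (not Invincea's code): a "known good" behavioural baseline
# applied to constructed process-creation events. Protected applications
# are allowed a finite set of child processes; anything else is a
# deviation, and the built-in Windows utilities listed on the JIT
# assembly slide are flagged wherever they appear beneath a protected
# application, so a staged chain shows up as a chain, not as one event.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Assumption for the example: expected child processes of each contained
# application. A real baseline would be learned by observing the
# application under normal use.
KNOWN_GOOD_CHILDREN: Dict[str, Set[str]] = {
    "winword.exe": {"splwow64.exe"},      # 64-bit print spooler helper
    "acrord32.exe": {"acrord32.exe"},     # Reader spawns a sandboxed copy of itself
    "iexplore.exe": {"iexplore.exe"},     # one process per tab/window
}

# Programs named on the JIT Malware Scripting slide ("extract32" on the
# slide is the Windows tool extrac32.exe). Seen below a contained
# application, each is treated as a staging step worth an alert on its own.
STAGING_UTILITIES: Set[str] = {
    "wscript.exe", "cscript.exe", "powershell.exe", "netsh.exe", "chcp.com",
    "expand.exe", "extrac32.exe", "ipconfig.exe", "ping.exe",
    "winrshost.exe", "vssadmin.exe",
}


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (constructed format for the example)."""
    pid: int
    ppid: int
    image: str       # lower-cased image file name
    cmdline: str


def lineage(by_pid: Dict[int, ProcessEvent], pid: int) -> List[str]:
    """Image names from the oldest known ancestor down to pid."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return list(reversed(chain))


def detect_deviations(events: List[ProcessEvent]) -> List[Tuple[str, str]]:
    """Return (alert_type, process chain) for every event outside the baseline."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for event in events:
        parent = by_pid.get(event.ppid)
        if parent is None:
            continue
        chain = lineage(by_pid, event.pid)
        # Only activity descending from a contained application is judged
        # against the baseline; unrelated system activity is ignored.
        if not any(img in KNOWN_GOOD_CHILDREN for img in chain[:-1]):
            continue
        if parent.image in KNOWN_GOOD_CHILDREN and \
                event.image not in KNOWN_GOOD_CHILDREN[parent.image]:
            alerts.append(("deviation", " -> ".join(chain)))
        elif event.image in STAGING_UTILITIES:
            alerts.append(("staging-utility", " -> ".join(chain)))
    return alerts


# Constructed sample: a macro document spawning a script host that pulls
# in further built-in tools, next to legitimate activity from the same
# applications. Command lines are illustrative only.
SAMPLE_EVENTS = [
    ProcessEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcessEvent(200, 100, "winword.exe", 'winword.exe "invoice.docm"'),
    ProcessEvent(201, 200, "splwow64.exe", "splwow64.exe 12288"),
    ProcessEvent(300, 200, "wscript.exe", "wscript.exe stage1.vbs"),
    ProcessEvent(301, 300, "powershell.exe", "powershell.exe -File stage2.ps1"),
    ProcessEvent(302, 301, "expand.exe", "expand.exe payload.cab -F:* ."),
    ProcessEvent(400, 100, "acrord32.exe", "acrord32.exe report.pdf"),
    ProcessEvent(401, 400, "acrord32.exe", "acrord32.exe --type=renderer"),
]

if __name__ == "__main__":
    for kind, chain in detect_deviations(SAMPLE_EVENTS):
        print(f"{kind:16} {chain}")
```

Run as a script it prints one line per alert: the wscript launch under Word is a baseline deviation, and each further utility in the chain is reported with the full ancestry back to the document reader, while Reader's own renderer process and Word's print helper produce nothing.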

Identify the Compromise

Identify compromises that evaded traditional network and endpoint security
• Identify anomalous processes via OS monitoring
• Vet process with local knowledge; escalate to cloud as needed
• Analyze suspicious programs with DARPA-funded Cyber Genome analysis technology

Endpoint Threat Identification

Risk Evaluation Framework
– Automated metadata analysis eliminates noise and identifies riskiest files
– Analysis of all executed binaries, loaded DLLs, and downloaded files via the SVC

Open, vendor-agnostic intelligence & analysis ingestion
– Ability to integrate any threat intelligence, whitelist/blacklist, or static/dynamic analysis engine

Cynomix integration
– Advanced static analysis engine built from DARPA Cyber Genome project
– Corpus of millions of unique binary samples
– Identifies similar strains of malware via clustering (based on machine learning algorithms)
– Reports functional capabilities in plain English (e.g., Logs Keystrokes)

Small footprint / low overhead
– One agent/installer – seamlessly integrated with the SVC
– Analysis is performed by server, eliminating any impact to the user / endpoint
– Trivial network usage: Metadata transmitted to server is smaller than a DNS query

Risk Evaluation Framework

Known Good
• (Reversing Labs, Kaspersky?)

Known Bad
• VirusTotal, MetaScan

Similar to known (Static Analysis)
• Cynomix

Malicious Indicators (Static Analysis)
• Cylance?, …

Malicious Indicators (Dynamic Analysis)
• LastLine?, FireEye?, MATD?, …

(Diagram labels: Invincea Management Framework, Monitoring, CYNOMIX)
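As a worked illustration of the framework (added here, not Invincea's code), the following vets each file's metadata against local known-good and known-bad knowledge first and only escalates unresolved files to lookups that stand in for the cloud sources named on the slide (known-bad, known-good, similar-to-known), then ranks the results so the riskiest files surface first. The lookup tables, scoring weights, hashes and sample files are all constructed for the example.

```python
# Added example (not Invincea's code): a metadata-driven risk evaluation
# pipeline. Local knowledge (signer allowlist, local hash lists) resolves
# the bulk of files; only the remainder is escalated to external lookups,
# which here are in-memory stand-ins for the services named on the slide.
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple


def fake_sha256(label: str) -> str:
    """Constructed hash for the example: SHA-256 of a label, not of a real file."""
    return hashlib.sha256(label.encode()).hexdigest()


@dataclass(frozen=True)
class FileMeta:
    sha256: str
    path: str
    signer: Optional[str]   # Authenticode signer, if any
    prevalence: int         # endpoints in the enterprise that have seen this hash


@dataclass(frozen=True)
class Verdict:
    meta: FileMeta
    verdict: str            # known_good / known_bad / similar_to_known / unknown
    risk: int               # 0 (benign) .. 100 (confirmed malicious)
    source: str             # which knowledge produced the verdict


# ---- local knowledge: answered on the endpoint, no network ----------------
TRUSTED_SIGNERS = {"Microsoft Windows", "Adobe Systems Incorporated"}
LOCAL_KNOWN_GOOD = {fake_sha256("corp-vpn-client")}
LOCAL_KNOWN_BAD = {fake_sha256("blocked-last-week")}

# ---- cloud stand-ins (constructed), keyed by hash ------------------------
CLOUD_KNOWN_BAD = {fake_sha256("dropper"): 41}                  # e.g. detection count
CLOUD_KNOWN_GOOD = {fake_sha256("vendor-updater")}              # e.g. vendor allowlist
CLOUD_SIMILARITY = {fake_sha256("repacked"): ("Dridex", 0.91)}  # nearest family, score


def vet_locally(meta: FileMeta) -> Optional[Verdict]:
    if meta.sha256 in LOCAL_KNOWN_BAD:
        return Verdict(meta, "known_bad", 100, "local blocklist")
    if meta.sha256 in LOCAL_KNOWN_GOOD or meta.signer in TRUSTED_SIGNERS:
        return Verdict(meta, "known_good", 0, "local allowlist")
    return None


def escalate(meta: FileMeta) -> Verdict:
    """Cloud escalation for files that local knowledge could not resolve."""
    if meta.sha256 in CLOUD_KNOWN_BAD:
        return Verdict(meta, "known_bad", 100, "cloud known-bad")
    if meta.sha256 in CLOUD_KNOWN_GOOD:
        return Verdict(meta, "known_good", 0, "cloud known-good")
    if meta.sha256 in CLOUD_SIMILARITY:
        family, score = CLOUD_SIMILARITY[meta.sha256]
        # Assumed weighting: similarity scales into the 0..90 band.
        return Verdict(meta, "similar_to_known", int(score * 90), f"similar to {family}")
    # Nothing known anywhere: rarity and a missing signature raise the score.
    risk = 40 + (20 if meta.prevalence == 1 else 0) + (10 if meta.signer is None else 0)
    return Verdict(meta, "unknown", risk, "no match")


def evaluate(files: List[FileMeta]) -> Tuple[List[Verdict], int]:
    """Vet locally, escalate the rest, return verdicts riskiest-first plus lookup count."""
    verdicts, escalations = [], 0
    for meta in files:
        v = vet_locally(meta)
        if v is None:
            escalations += 1
            v = escalate(meta)
        verdicts.append(v)
    verdicts.sort(key=lambda v: v.risk, reverse=True)
    return verdicts, escalations


# Constructed inventory from one endpoint.
SAMPLE_FILES = [
    FileMeta(fake_sha256("notepad"), r"C:\Windows\notepad.exe", "Microsoft Windows", 5000),
    FileMeta(fake_sha256("corp-vpn-client"), r"C:\Program Files\VPN\vpn.exe", "Example Corp", 4200),
    FileMeta(fake_sha256("vendor-updater"), r"C:\Program Files\Tool\update.exe", "Tool Vendor", 300),
    FileMeta(fake_sha256("dropper"), r"C:\Users\alice\AppData\Local\Temp\inv.exe", None, 1),
    FileMeta(fake_sha256("repacked"), r"C:\Users\alice\Downloads\setup.exe", None, 2),
    FileMeta(fake_sha256("new-tool"), r"C:\Users\alice\Downloads\tool.exe", None, 1),
]

if __name__ == "__main__":
    ranked, lookups = evaluate(SAMPLE_FILES)
    print(f"{lookups} of {len(SAMPLE_FILES)} files escalated")
    for v in ranked:
        print(f"{v.risk:3d} {v.verdict:17} {v.source:22} {v.meta.path}")
```

Two of the six files never leave the endpoint (trusted signer, local allowlist); the other four are escalated, and the ranking puts the cloud-confirmed bad file first, the file that resembles a known family second, and the never-seen unsigned singleton third, which is the "eliminate noise, surface the riskiest" behaviour the slide describes.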

Unique Invincea Advantages

• Prevention + Detection & Response
• Small Footprint
• Zero-Day Threat Protection
• One Agent, One Price, One Vendor

Architecture

CONTAINMENT | DETECTION | PREVENTION | INTELLIGENCE

Architecture: Contain, Identify, Control

Recommended System Specs: 1 GB RAM, 150 MB free disk space, Intel Pentium or better

Supported Operating Systems: Windows XP; Windows 7 32 and 64-bit; Windows 8.1 32 and 64-bit; Windows 10 32 and 64-bit

Invincea Management
• Threat Data
• Optional integration to other technologies
• Config Management
• Track deployments
• Manage groups
• Maintain audit trail
• Schedule software updates
• Reporting
• Multiple deployment options: Virtual appliance, Cloud hosted

Invincea Endpoint
• Endpoint application for employees
• Protection options: Browser, PDF, Office Suite, Browser Plug-ins

11/18/2015 Confidential & Proprietary

Contain the Attack

• Protect 90-95% of endpoint attack surface (vulnerable apps)
• Protects against:
  – Spear phishing
  – Web drive-by’s
  – Watering hole attacks
  – Malvertising
  – Ransomware
  – 0-days

Isolate endpoint attack surface with a secure container

Container - How it Works

Containment: Place the web browser and plug-ins, PDF reader, Office suite in a PATENTED secure virtual container

Detection: Detect malware without signatures…including zero-days and APTs

Prevention: Protect every user and the network from their error

Intelligence: Feed actionable forensic intelligence without the breach

Secure Virtual Container

(Diagram: the Secure Virtual Container alongside Host Security Plug-ins: Single Sign-on, DLP, Anti-Virus, …)

Invincea Management
- Maintains all Enterprise clients
- Pushes policy changes and product updates

Invincea Endpoint Client
- Talks securely to server
- Direct access to host resources
- Monitors client health

Invincea Secure Virtual Container
- Single container with all untrusted content
- Isolates all user areas of the host filesystem
- Copy on Write filesystem and registry
- Low overhead <100MB RAM
- Does not increase in resource usage with additional browser tabs
- “One way mirror” design for interoperation
- Completely configurable isolation
- Completely configurable detection engine

Real-time Intelligence


Invincea Management Architecture

Diagram labels:
• Invincea Endpoint clients
• Invincea Management (on-premise): process metadata, binaries, activity monitoring, remediation, IOC searching
• Cloud services: CYNOMIX; Risk Evaluation Framework (VirusTotal, ReversingLabs, Cynomix, Metascan, Lastline, any binary or hash analysis)

Prevention + Detection

Modules: Sensor UI Module, Threat Data Module, Configuration Module

Cynomix: Cyber Genome Analysis Tool

Diagram labels: Invincea Management with Cynomix Plug-in; Cynomix Server (cloud) performing Code Similarity Analysis and Capability Discovery; known malware and unknown files feed Malware Identification & Capability Discovery
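The two Cynomix functions on these slides, code-similarity clustering against known samples and plain-English capability reporting (the earlier slide gives "Logs Keystrokes" as the example), can be shown on a toy feature set. The following is an added example, not Cynomix or any Invincea code: each sample is reduced to the set of Windows API names it imports (constructed for the example), samples are grouped by Jaccard similarity, unknown files inherit the family of the known members of their group, and capability sentences come from small API rules that are assumptions, not Cynomix's actual rule set or features.

```python
# Added example (not Cynomix or Invincea code): code-similarity clustering
# over imported-API sets plus rule-based capability discovery. Real static
# analysis uses far richer features (code n-grams, control flow, strings);
# the mechanism shown here is the same.
from typing import Dict, List, Set

# Constructed samples: imported Windows API names per file.
FEATURES: Dict[str, Set[str]] = {
    "banker_b_1": {"InternetOpenA", "InternetConnectA", "HttpSendRequestA",
                   "RegCreateKeyExA", "RegSetValueExA", "VirtualAllocEx",
                   "WriteProcessMemory", "CreateRemoteThread", "CreateFileA", "ReadFile"},
    "banker_b_2": {"InternetOpenA", "InternetConnectA", "HttpSendRequestA",
                   "RegCreateKeyExA", "RegSetValueExA", "VirtualAllocEx",
                   "WriteProcessMemory", "CreateRemoteThread", "CreateFileA", "WriteFile"},
    "keylog_a_1": {"SetWindowsHookExA", "GetAsyncKeyState", "CreateFileA", "WriteFile",
                   "InternetOpenA", "HttpSendRequestA"},
    "unknown_1": {"InternetOpenA", "InternetConnectA", "HttpSendRequestA",
                  "RegCreateKeyExA", "RegSetValueExA", "VirtualAllocEx",
                  "WriteProcessMemory", "CreateRemoteThread", "CreateFileA",
                  "Sleep", "GetTickCount"},
    "unknown_2": {"CryptGenKey", "CryptEncrypt", "FindFirstFileA", "FindNextFileA",
                  "CreateFileA", "ReadFile", "WriteFile", "DeleteFileA"},
}
# Constructed family labels for the samples that are already known.
KNOWN_FAMILY = {"banker_b_1": "Banker-B", "banker_b_2": "Banker-B", "keylog_a_1": "Keylogger-A"}

# Assumed capability rules: a sentence is reported when every API in the
# rule is imported. Cynomix's real rules are not on the slides.
CAPABILITY_RULES: Dict[str, Set[str]] = {
    "Logs keystrokes": {"SetWindowsHookExA", "GetAsyncKeyState"},
    "Communicates over HTTP": {"InternetOpenA", "InternetConnectA", "HttpSendRequestA"},
    "Writes registry keys": {"RegCreateKeyExA", "RegSetValueExA"},
    "Injects code into other processes": {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"},
    "Encrypts files": {"CryptGenKey", "CryptEncrypt", "FindFirstFileA"},
}


def jaccard(a: Set[str], b: Set[str]) -> float:
    return len(a & b) / len(a | b) if (a or b) else 0.0


def cluster(names: List[str], threshold: float = 0.5) -> List[List[str]]:
    """Greedy single-linkage clustering: join the cluster holding the most
    similar member if that similarity reaches the threshold, else start a
    new cluster."""
    clusters: List[List[str]] = []
    for name in names:
        best, best_sim = None, 0.0
        for group in clusters:
            sim = max(jaccard(FEATURES[name], FEATURES[m]) for m in group)
            if sim > best_sim:
                best, best_sim = group, sim
        if best is not None and best_sim >= threshold:
            best.append(name)
        else:
            clusters.append([name])
    return clusters


def capabilities(name: str) -> List[str]:
    return [text for text, apis in CAPABILITY_RULES.items() if apis <= FEATURES[name]]


def identify(names: List[str], threshold: float = 0.5) -> Dict[str, dict]:
    """Family label (inherited from known cluster members) and capabilities per sample."""
    report = {}
    for group in cluster(names, threshold):
        families = sorted({KNOWN_FAMILY[m] for m in group if m in KNOWN_FAMILY})
        label = "/".join(families) if families else "no similar known family"
        for name in group:
            report[name] = {"family": KNOWN_FAMILY.get(name, label),
                            "capabilities": capabilities(name)}
    return report


if __name__ == "__main__":
    for name, info in identify(list(FEATURES)).items():
        print(f"{name:12} {info['family']:25} {'; '.join(info['capabilities'])}")
```

`unknown_1` lands in the Banker-B cluster (Jaccard 0.75 to its nearest known member) and is reported as communicating over HTTP, writing registry keys and injecting into other processes; `unknown_2` resembles nothing known, so the similarity stage says so, but capability discovery still reports that it encrypts files, which is the value of reporting capabilities independently of family matches.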

Control the Threat

Execute granular escalating controls – by policy or human in the loop:
• Quarantine suspicious processes
• Kill indicted threats
• Quarantine compromised devices
• Eradicate threats enterprise-wide
• Publish & Share with community

Automatically eradicate threats enterprise-wide

Contain compromise to a single endpoint, and reduce dwell time from days to minutes
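The controls above form a ladder, and the slide says they are executed by policy or with a human in the loop. The following is an added example, not Invincea's code: each verdict gets an automatic ceiling on the ladder, the situation (persistence on the host, the same hash seen on other endpoints) decides how high the response should go, and rungs above the ceiling are queued for approval rather than run. The ladder, the ceilings, the verdict names and the endpoint inventory are assumptions constructed for the example.

```python
# Added example (not Invincea's code): a policy ladder for the escalating
# controls listed on the slide. Each verdict has an automatic ceiling;
# rungs above it are proposed but wait for a human in the loop.
from dataclasses import dataclass, field
from typing import Dict, List, Set

# The ladder is cumulative: a higher rung implies all lower ones.
LADDER = ["quarantine_process", "kill_process", "quarantine_device", "eradicate_enterprise"]

# Assumed policy: highest rung each verdict may reach without a human.
AUTO_CEILING = {
    "suspicious": "quarantine_process",   # behavioural anomaly, not yet indicted
    "indicted": "kill_process",           # detection engine has indicted the process
    "confirmed": "eradicate_enterprise",  # analyst or cloud analysis confirmed malicious
}


@dataclass(frozen=True)
class Alert:
    endpoint: str
    pid: int
    sha256: str       # constructed placeholder hashes below, not real file hashes
    verdict: str
    persisted: bool   # persistence mechanism found on the host?


@dataclass
class ResponsePlan:
    automatic: List[str] = field(default_factory=list)
    pending_approval: List[str] = field(default_factory=list)
    endpoints: Set[str] = field(default_factory=set)


def plan_response(alert: Alert, inventory: Dict[str, Set[str]],
                  human_approved: bool = False) -> ResponsePlan:
    """inventory maps endpoint name -> set of hashes seen executing there."""
    # 1. What the situation warrants.
    wanted = 0 if alert.verdict == "suspicious" else 1
    if alert.verdict != "suspicious" and alert.persisted:
        wanted = max(wanted, 2)                 # persistence: isolate the device
    spread = {ep for ep, hashes in inventory.items() if alert.sha256 in hashes}
    if alert.verdict != "suspicious" and len(spread) > 1:
        wanted = max(wanted, 3)                 # same hash elsewhere: go enterprise-wide
    # 2. What policy allows unattended; the rest waits for a human.
    ceiling = LADDER.index(AUTO_CEILING[alert.verdict])
    auto_top = wanted if human_approved else min(wanted, ceiling)
    plan = ResponsePlan(
        automatic=LADDER[:auto_top + 1],
        pending_approval=LADDER[auto_top + 1:wanted + 1],
    )
    if "eradicate_enterprise" in plan.automatic:
        plan.endpoints = spread | {alert.endpoint}
    else:
        plan.endpoints = {alert.endpoint}       # compromise stays on one endpoint
    return plan


# Constructed enterprise inventory (placeholder hash labels).
INVENTORY = {
    "ws-001": {"h-dropper", "h-notepad"},
    "ws-002": {"h-notepad"},
    "ws-003": {"h-dropper"},
    "ws-004": {"h-dropper", "h-notepad"},
}

if __name__ == "__main__":
    alert = Alert("ws-001", 4242, "h-dropper", "indicted", persisted=False)
    auto = plan_response(alert, INVENTORY)
    print("automatic:", auto.automatic, "pending:", auto.pending_approval,
          "endpoints:", sorted(auto.endpoints))
    approved = plan_response(alert, INVENTORY, human_approved=True)
    print("after approval:", approved.automatic, "endpoints:", sorted(approved.endpoints))
```

For an indicted process whose hash is also present on two other workstations, the unattended plan stops at killing the process on the one endpoint and queues device quarantine and enterprise-wide eradication for approval; once approved (or when the verdict is already confirmed), the plan covers all three endpoints.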

Advanced Endpoint Protection

CONTAIN | IDENTIFY | CONTROL

Spear-phish me at: [email protected]