Derek Carver, Sr. Solutions Architect

Derek Carver, Sr. Solutions Architect - ISACA South Florida (isacasfl.org/.../2015/02/Derek_Carver_FireEye_ISACA...)



The Objective: “Continuous Threat Protection”

(Timeline diagram: Prevent → Time to Detect → Time to Fix, with the goal of detecting and fixing in real time. The costs of a breach are shown alongside: theft of assets & IP, cost of response, disruption to business, reputation risk.)


“Defense-in-Depth” is Ineffective

Layers of the defense-in-depth model:
  • Firewalls / NGFW / UTM
  • Secure Web Gateways
  • IPS
  • Email Gateways
  • Desktop AV

The New Breed of Attacks Evade Signature-Based Defenses

>95% of organizations compromised*

* Based on data from customer evaluations conducted by FireEye


Result of Relying Solely on the Defense in Depth Model

(Timeline diagram on a 3 / 6 / 9 month scale: Initial Breach → Threat Undetected → Remediation.)

229 days: median number of days attackers are present on a victim network before detection.

Share of companies that learned they were breached from an external entity.

Share of victims that had up-to-date anti-virus signatures.

Source: M-Trends Report


Latest Breaches Substantiate Sophistication of Attackers


Reimagined Security

How Does FireEye Address Today’s Threats?


Virtual Machine-Based Model of Detection

To address the new threat landscape, security needs to be purpose-built for security (a hardened hypervisor), scalable and portable. The model finds known and unknown cyber-attacks in real time across all vectors.


FireEye’s Technology: State of the Art Detection

  • DETONATE (within VMs)
  • CORRELATE (across VMs)
  • ANALYZE (cross-enterprise)

(500,000 objects/hour)

Vectors: Network, Email, Mobile, Files

Attack stages tracked: Exploit, Callback, Malware Download, Lateral Transfer, Exfiltration


Exploit Detection is Critical

  • Malware exploits take a similar form:
    –  Write data to memory
    –  Trick the system into executing that code in memory
    –  Apply obfuscation to avoid detection
  • Exploitation of the system is the first stage
    –  Subsequent stages can be hidden
    –  You will miss attacks if relying on object/file analysis
  • FireEye detects the exploit stage
    –  Captures the resulting stages
    –  Shares globally


FireEye Detection - Multi-Flow Analysis of APT Attacks

MVX exploit phase detection:
  • Analyzes the malware’s malicious behavior
  • Logs malicious behavior and IOCs
  • A threat rule is created in real time and automatically to block the threat
  • MVX takes in the encrypted malware object for analysis
  • Runs it within the MVX, logging all activity that happens when the malware executes
  • Confirms the malicious behavior irrefutably and avoids false positives/false negatives

(Attack-chain diagram: exploit in a compromised Web page; the embedded exploit alters the endpoint; callback to the command and control server; encrypted malware downloads; callback and data exfiltration.)


FireEye Detection - Multi-Flow Analysis of APT Attacks

MVX detects the callback phase:
  • Can identify malicious transmissions to known or unknown malicious destinations
  • If command and control communication is observed, a C&C threat rule is created in real time and automatically blocks the communication
  • Outbound callback tracking and blocking of unauthorized communications across protocols

(Same attack-chain diagram: exploit in a compromised Web page; the embedded exploit alters the endpoint; callback to the command and control server; encrypted malware downloads; callback and data exfiltration.)
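The two multi-flow slides above make one point: the exploit, callback and encrypted download of a single endpoint are judged together, and the confirmed C&C destination becomes a block rule that later catches callbacks from hosts whose exploit stage was never seen. The Python below is an added example written for this page, not FireEye code; the flow-record layout, the host names, the 203.0.113.9 destination and the one-hour window are all constructed.

```python
from collections import defaultdict

# Stage names follow the slide's attack-chain diagram; the record layout,
# hosts, destinations and the one-hour window are assumptions of this example.
WINDOW = 3600  # seconds of activity correlated per endpoint

# Constructed sample flows: (timestamp, host, stage, destination).
# ws-17 goes through the full chain; its download is encrypted, so file
# analysis of that one object alone would return no verdict.
FLOWS = [
    (100, "ws-17", "exploit", "cdn.news-site.test"),
    (160, "ws-17", "callback", "203.0.113.9:443"),
    (190, "ws-17", "malware_download", "203.0.113.9:443"),
    (900, "ws-17", "exfiltration", "203.0.113.9:443"),
    (200, "ws-22", "malware_download", "files.corp.test"),  # lone download, no exploit
    (5000, "ws-31", "callback", "203.0.113.9:443"),  # later callback from another host
]

def correlate(flows, window=WINDOW):
    """Group flows per host inside the window and keep hosts whose flows show
    an exploit followed by a callback: multi-flow evidence no single-object
    verdict provides. Returns {host: {"stages": [...], "c2": {...}}}."""
    by_host = defaultdict(list)
    for ts, host, stage, dst in sorted(flows):
        by_host[host].append((ts, stage, dst))
    chains = {}
    for host, recs in by_host.items():
        t0 = recs[0][0]
        inwin = [(t, s, d) for t, s, d in recs if t - t0 <= window]
        stages = [s for _, s, _ in inwin]
        if "exploit" in stages and "callback" in stages:
            chains[host] = {"stages": stages,
                            "c2": {d for _, s, d in inwin if s == "callback"}}
    return chains

def build_block_rules(chains):
    """One outbound block rule per C&C destination confirmed by a correlated chain."""
    return {dst for chain in chains.values() for dst in chain["c2"]}

def match_callbacks(flows, rules):
    """Hosts whose callbacks hit a block rule, including hosts that never
    showed the exploit stage themselves (the 'known destination' case)."""
    return sorted({host for _, host, stage, dst in flows
                   if stage == "callback" and dst in rules})
```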


Reimagined Security

Product Overview


(Network diagram: Internet → Firewall → Anti-Spam gateway and Mail Servers, IPS, Web Security Gateway, LAN, File Share 1 and File Share 2, with the NX, EX, FX, AX, CM and HX Series appliances placed alongside and fed by Dynamic Threat Intelligence.)

Network Threat Prevention Platforms
  • Core technology: MVX (Multi-Vector Virtual Execution)
  • NX: Web MPS
  • EX: Email MPS, on premise or cloud
  • FX: File MPS (file share scanning, online portal scanning)
  • AX: Forensics
  • CM: Central Management
  • HX: Host Endpoint
  • DTI: Dynamic Threat Intelligence


FireEye Platform: Magic of MVX

1. FireEye Hardened Hypervisor
  • Custom hypervisor with built-in countermeasures
  • Designed for threat analysis
2. Multi-modal Virtual Execution
  • Multiple operating systems
  • Multiple service packs
  • Multiple applications
  • Multiple file types
3. Threat Protection at Scale
  • Over 2,000 simultaneous executions
  • Multi-stage analysis

(Stack diagram: Hardware → FireEye Hardened Hypervisor → Multi-modal Virtual Execution (parallel execution environments, over 10 micro-tasks, multiple versions v1–v3) → MVX Core, connected to DTI Enterprise and DTI Cloud.)


Web MPS Technology Overview

(Pipeline diagram: Web traffic → Aggressive packet capture → Fast path blocking of known threats → Virtual Execution Environment analysis (initial analysis, then “play” the malware attack across Windows XP Base / SP2 / SP3 and Windows 7 Base / SP1) → Exfiltration & C&C prevention (callback engine watching outbound traffic on ports 0–65k, fed by DTI zero-day malware profiles).)

Analysis output:
  • Exploit detection
  • Executable analysis
  • Cross-matrix of OS/apps
  • Originating URL
  • Subsequent URLs
  • C&C protocol descriptors
  • OS modification report


Deployment Modes
  • SPAN/TAP
    –  Used to monitor and alert
  • Inline
    –  Used to monitor, alert and block


SPAN/TAP Deployment

(Diagram: Internet → Firewall → Proxy, Gateway, IPS/IDS → Desktops/Laptops (Users). The Web MPS receives a copy of the traffic from a SPAN port or TAP and sends alerts to the Administrator, who manages it over SSH/HTTPS.)


Inline Deployment

(Diagram: Internet → Firewall → Proxy, Gateway, IPS/IDS → Web MPS (in the traffic path) → Desktops/Laptops (Users). Alerts go to the Administrator, who manages the appliance over SSH/HTTPS.)


Extended/Integrated Deployments

(Diagram: the Web MPS on the web traffic path and the Email MPS on the email traffic path both report to the CMS, which correlates web and email traffic; URLs extracted from email are grey-listed on the Web MPS.)


Threat Prevention Platform

(Price/performance chart from small business to large enterprise: NX 900 for remote office / branch office; NX 1400; NX 4310, 4320; NX 7300, 7320; NX 10000 at the top end.)


Email MPS Technology Overview

The 8300 supports 96 Virtual Execution Environments (VXE).

(Pipeline diagram: Email capture → Object breakdown → Virtual Execution Environment (VXE) analysis, “playing” the malware attack across Windows XP base / SP2 / SP3 and Windows 7 Base / SP1 → Reporting, alerting and quarantining. URLs are passed to the Web MPS via the CMS for gray listing.)

Analysis output:
  • Exploit detection
  • Executable analysis
  • Cross-matrix of OS/apps
  • Originating URL
  • C&C protocol descriptors


Deployment Modes
  • SPAN/TAP
    –  Used to monitor and alert
  • Bcc
    –  Used to monitor and alert
  • MTA
    –  Used to monitor, alert and block


SPAN/TAP Deployment

(Diagram: Internet → Firewall → AntiSpam Gateway or MTA → Mail Servers (Exchange, etc.) → Users. The Email MPS receives a copy of the mail traffic from a SPAN port or TAP, holds a quarantine, and sends alerts to the Administrator, who manages it over SSH/HTTPS.)


Bcc Deployment

(Diagram: Internet → Firewall → AntiSpam Gateway or MTA → Mail Servers (Exchange, etc.) → Users. The gateway Bcc’s a copy of each message to the Email MPS, which holds a quarantine and sends alerts to the Administrator, who manages it over SSH/HTTPS.)


MTA (Inline) Deployment

(Diagram: Internet → Firewall → AntiSpam Gateway or MTA → Email MPS (in the mail path, with quarantine) → Mail Servers (Exchange, etc.) → Users. Alerts go to the Administrator, who manages the appliance over SSH/HTTPS.)


Extended/Integrated Deployments

(Diagram: the Email MPS on the mail path and the Web MPS on the web traffic path both report to the CMS, which correlates web and email traffic and passes URLs from email to the Web MPS.)


Email Threat Prevention

§ Open email attachment(s) in a virtual machine (MVX) to detect hidden malware
§ 30+ file types supported
§ Leverage threat intelligence from FireEye DTI and the NX platform to detect malicious URL(s) in email

Cloud-based solution that detects and stops spear phishing attacks.


Endpoint Security (FireEye HX Series)


  • Integrated network and endpoint security
  • Validates network alerts by finding matching activity on the endpoint
  • Continuously monitors all hosts for current threats seen at the perimeter
  • Agent Anywhere™ technology provides uninterrupted coverage for assets outside the corporate network
  • Contain compromised endpoints immediately to interrupt attacks in progress

Endpoint Threat Prevention Platform

(Network diagram: the NX, EX and CM Series network platforms and the HX Series endpoint platform, all fed by Dynamic Threat Intelligence, deployed alongside the Anti-Spam gateway, Mail Servers, IPS, Firewall, Web Security Gateway and LAN, with HX agents on the endpoints.)


Endpoint Threat Prevention Platform: Workflow

(Same network diagram; IOCs flow from the CMS to the HX Series.)

1.  FireEye Network Platforms monitor flows for advanced threats
2.  A threat is detected by the MVX
3.  FireEye Network Platforms alert FireEye HX on IOCs (IOCs from CMS)


4.  Sweeps endpoints for compromise
5.  Quickly validates the initially infected endpoints
6.  Identifies other endpoints that are compromised
7.  Tells the security analyst who is compromised
8.  Then a triage package is collected from the hosts for the security analyst to review and confirm the infection

(Same network diagram: Network Threat Prevention Platforms, with IOCs from the CMS pushed to the HX Series on the LAN.)


FireEye Platform: Workflow

9.  Contain & isolate compromised devices

Deny attackers access to systems with a single mouse click while still allowing remote investigation.

(Diagram: endpoints on an airplane, in a hotel, at corporate headquarters, in a home office and at a coffee shop. Agent Anywhere™ automatically investigates endpoints no matter where they are.)
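Steps 3 to 9 of the workflow above amount to one loop: IOCs from the network side are swept across every endpoint, the alerted host is validated, other hosts carrying the same artifacts are found, a triage bundle is built for the analyst, and confirmed hosts are isolated while staying reachable for investigation. The Python below is an added example written for this page, not FireEye or HX code; the IOC set, the endpoint telemetry, the host names and the management address 198.51.100.4 are all constructed placeholders.

```python
# Added example for the HX workflow steps above (not FireEye code). The IOC
# set, the endpoint telemetry, the host names and the management address
# 198.51.100.4 are all constructed placeholders.
IOCS_FROM_CMS = {
    "c2_hosts": {"203.0.113.9"},
    "file_hashes": {"HASH-PLACEHOLDER-DROPPER"},
    "persistence_paths": {r"C:\ProgramData\updater\svc.exe"},
}

# Constructed endpoint telemetry, one record per host.
ENDPOINTS = {
    "ws-17": {"hashes": {"HASH-PLACEHOLDER-DROPPER", "HASH-OK-1"},
              "connections": {"203.0.113.9", "198.51.100.4"},
              "files": {r"C:\ProgramData\updater\svc.exe"}},
    "ws-22": {"hashes": {"HASH-OK-2"}, "connections": {"198.51.100.4"},
              "files": set()},
    "lt-05": {"hashes": {"HASH-OK-3"}, "connections": {"203.0.113.9"},  # off-network laptop
              "files": {r"C:\ProgramData\updater\svc.exe"}},
}

def sweep(endpoints, iocs):
    """Steps 4 and 6: check every host against the IOC set and return the
    matching evidence per host, so hosts that raised no network alert are found too."""
    hits = {}
    for host, t in endpoints.items():
        evidence = {
            "c2_connection": t["connections"] & iocs["c2_hosts"],
            "known_hash": t["hashes"] & iocs["file_hashes"],
            "persistence": t["files"] & iocs["persistence_paths"],
        }
        evidence = {k: v for k, v in evidence.items() if v}
        if evidence:
            hits[host] = evidence
    return hits

def validate_alert(hits, alerted_host):
    """Step 5: a network alert is confirmed only by matching endpoint activity."""
    return alerted_host in hits

def triage_package(hits, host):
    """Step 8: the evidence bundle the analyst reviews to confirm the infection."""
    return {"host": host, "indicators": sorted(hits[host]),
            "artifacts": sorted(a for vals in hits[host].values() for a in vals)}

def containment_policy(host, mgmt_server="198.51.100.4"):
    """Step 9: isolate the host but keep the management channel open so it
    can still be investigated remotely."""
    return {"host": host, "allow_only": {mgmt_server}, "default": "deny"}
```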
