Derek Carver, Sr. Solutions Architect
The Objective: “Continuous Threat Protection”
Slide graphic: a real-time timeline running from Prevent through Time to Detect to Time to Fix. Business impacts shown: theft of assets & IP, cost of response, disruption to business, reputation risk.
“Defense-in-Depth” is Ineffective
Layers shown: Firewalls/NGFW, UTM, Secure Web Gateways, IPS, Email Gateways, Desktop AV.
The New Breed of Attacks Evade Signature-Based Defenses
>95% organizations compromised*
* Based on data from customer evaluations conducted by FireEye
Result of Relying Solely on the Defense in Depth Model
Timeline graphic: 3 months, 6 months, 9 months, running from Threat Undetected to Remediation.
229 Days: median number of days attackers are present on a victim network before detection.
Initial breach: [figure missing] of companies learned they were breached from an external entity.
[figure missing] of victims had up-to-date anti-virus signatures.
Source: M-Trends Report
Latest Breaches Substantiate Sophistication of Attackers
Reimagined Security
How Does FireEye Address Today’s Threats
Security Needs To Be
– Virtual machine-based model of detection
– Purpose-built for security
– Hardened hypervisor
– Scalable
– Portable
To Address The New Threat Landscape
Finds known/unknown cyber-attacks in real time across all vectors
FireEye’s Technology: State of the Art Detection
Pipeline: CORRELATE, ANALYZE (500,000 objects/hour), DETONATE
Scope: within VMs, across VMs, cross-enterprise
Vectors: Network, Mobile, Files
Attack stages tracked: Exploit, Callback, Malware Download, Lateral Transfer, Exfiltration
Exploit Detection is Critical
Malware exploits take a similar form:
– Write data to memory
– Trick the system into executing that code in memory
– Apply obfuscation to avoid detection
Exploitation of the system is the first stage:
– Subsequent stages can be hidden
– You will miss attacks if relying on object/file analysis
FireEye detects the exploit stage:
– Captures resulting stages
– Shares globally
FireEye Detection - Multi-Flow Analysis of APT Attacks
MVX exploit phase detection:
– Analyzes the malware’s malicious behavior
– Logs malicious behavior and IOCs
– A threat rule is created in real time and automatically to block the threat
MVX takes in the encrypted malware object for analysis:
– Runs it within the MVX, logging all activity that happens when the malware executes
– Confirms the malicious behavior irrefutably and avoids false positives/false negatives
Diagram of the attack flow: exploit in compromised Web page; embedded exploit alters endpoint; encrypted malware downloads; callback to Command and Control Server; callback and data exfiltration.
FireEye Detection - Multi-Flow Analysis of APT Attacks
MVX detects the callback phase:
– Can identify malicious transmissions to known or unknown malicious destinations
– If command and control communication is observed, a C&C threat rule is created in real time and automatically blocks the communication
– Outbound callback tracking and blocking of unauthorized communications across protocols
Reimagined Security
Product Overview
Network Threat Prevention Platforms
Core Technology: Multi Vector Virtual Execution (MVX)
– NX Series – NX: Web MPS
– EX Series – EX: Email MPS, on premise or cloud
– FX Series – FX: File MPS, file share scanning and online portal scanning
– AX Series – AX: Forensics
– CM Series – CM: Central Management
– HX Series – HX: Host Endpoint
– DTI: Dynamic Threat Intelligence, delivered over the Internet
Diagram context: Anti-Spam, Mail Servers, LAN, IPS, Firewall, Web Sec GTWY, File Share 1, File Share 2.
FireEye Platform: Magic of MVX
1 FireEye Hardened Hypervisor – custom hypervisor with built-in countermeasures, designed for threat analysis
2 Multi-modal Virtual Execution – multiple operating systems, multiple service packs, multiple applications, multiple file types
3 Threat Protection at Scale – over 2,000 simultaneous executions, multi-stage analysis
Diagram: Hardware, then the FireEye Hardened Hypervisor, then Multi-modal Virtual Execution (parallel execution environments, over 10 micro-tasks, v1/v2/v3), forming the MVX Core, fed by DTI Enterprise and DTI Cloud.
Web MPS Technology Overview
Processing stages for web traffic:
– Aggressive packet capture
– Fast path blocking of known threats
– Initial analysis
– Virtual execution environment analysis: play the malware attack across Windows XP (Base, SP2, SP3) and Windows 7 (Base, SP1)
– Exfiltration & C&C prevention: callback engine covering outbound ports 0–65k, with DTI zero-day malware profiles
Results: exploit detection, executable analysis, cross-matrix of OS/apps, originating URL, subsequent URLs, C&C protocol descriptors, OS modification report
Deployment Modes
SPAN/TAP – Used to monitor and alert
Inline – Used to monitor, alert and block
SPAN/TAP Deployment
Diagram: Internet, Firewall, Proxy/Gateway/IPS/IDS, Desktops/Laptops (Users); Web MPS attached via SPAN/TAP; Administrator access via SSH/HTTPS; Alerts.
Inline Deployment
Diagram: Internet, Firewall, Proxy/Gateway/IPS/IDS, Desktops/Laptops (Users); Web MPS placed inline in the traffic path; Administrator access via SSH/HTTPS; Alerts.
Extended/Integrated Deployments
Diagram: Internet, Firewall, Proxy/Gateway/IPS/IDS, Desktops/Laptops (Users); Web MPS (web traffic) and Email MPS (email traffic) both report to CMS, which correlates web & email traffic and passes grey-list URLs to the Web MPS.
Threat Prevention Platform: Price/Performance
Chart positioning the NX models from remote office/branch office and small business up to large enterprise: NX 900, 1400, 4310, 4320, 7300, 7320, 10000.
Email MPS Technology Overview
8300 supports 96 Virtual Execution Environments (VXE)
Processing stages:
– Email capture
– Object breakdown
– Virtual Execution Environment (VXE) analysis: play the malware attack across Windows XP (base, SP2, SP3) and Windows 7 (Base, SP1)
– Reporting, alerting and quarantining
– URLs passed to Web MPS via CMS for gray listing
Results: exploit detection, executable analysis, cross-matrix of OS/apps, originating URL, C&C protocol descriptors
Deployment Modes
SPAN/TAP – Used to monitor and alert
Bcc – Used to monitor and alert
MTA – Used to monitor, alert and block
SPAN/TAP Deployment
Diagram: Internet, Firewall, AntiSpam Gateway or MTA, Mail Servers (Exchange, etc.), Users; Email MPS attached via SPAN/TAP, with Quarantine; Administrator access via SSH/HTTPS; Alerts.
Bcc Deployment
Diagram: Internet, Firewall, AntiSpam Gateway or MTA, Mail Servers (Exchange, etc.), Users; a Bcc copy of mail goes to the Email MPS, with Quarantine; Administrator access via SSH/HTTPS; Alerts.
MTA (Inline) Deployment
Diagram: Internet, Firewall, AntiSpam Gateway or MTA, Email MPS inline ahead of the Mail Servers (Exchange, etc.), Users; Quarantine; Administrator access via SSH/HTTPS; Alerts.
Extended/Integrated Deployments
Diagram: Internet, Firewall, AntiSpam Gateway or MTA, Mail Servers (Exchange, etc.), Users; Email MPS (email traffic) and Web MPS (web traffic) both report to CMS, which correlates web & email traffic and passes URLs between them.
Email Threat Prevention
§ Open email attachment(s) in a virtual machine (MVX) to detect hidden malware
§ 30+ file types supported
§ Leverage threat intelligence from FireEye DTI and the NX platform to detect malicious URL(s) in email
Cloud based solution that detects and stops spear phishing attacks
Endpoint Security (FireEye HX Series)
Integrated network and endpoint security
– Validates network alerts by finding matching activity on the endpoint
– Continuously monitors all hosts for current threats seen at the perimeter
– Agent Anywhere™ technology provides uninterrupted coverage for assets outside the corporate network
– Contain compromised endpoints immediately to interrupt attacks in progress
Endpoint Threat Prevention Platform
Diagram: Anti-Spam, Mail Servers, LAN, IPS, NX Series, EX Series, CM Series, Firewall, Web Sec GTWY, Dynamic Threat Intelligence, HX Series (on the network and on the endpoints).
Endpoint Threat Prevention Platform: Workflow
1. FireEye Network Platforms Monitor Flows for Advanced Threats
2. A Threat is detected by the MVX
3. FireEye Network Platforms Alert FireEye HX On IOCs (IOCs From CMS)
Diagram: Anti-Spam, Mail Servers, LAN, IPS, NX Series, EX Series, HX Series, CM Series, Firewall, Web Sec GTWY, Dynamic Threat Intelligence.
4. Sweeps Endpoints for Compromise
5. Quickly Validates initially infected endpoints
6. Identifies other endpoints that are compromised
7. Tells Security Analyst who is compromised
8. Then a triage package is collected from the hosts for the security analyst to review and confirm the infection
Diagram: Network Threat Prevention Platforms (Anti-Spam, Mail Servers, LAN, IPS, NX Series, EX Series, HX Series, CM Series, Firewall, Web Sec GTWY, Dynamic Threat Intelligence), IOCs From CMS.
FireEye Platform: Workflow
9. Contain & Isolate Compromised Devices
Deny attackers access to systems with a single mouse click while still allowing remote investigation.
Agent Anywhere™ Automatically Investigates Endpoints No Matter Where They Are
Diagram locations: Airplane, Hotel, Corporate Headquarters, Home Office, Coffee Shop.
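The nine-step workflow above (a network platform logs IOCs from an MVX detection, CMS hands them to HX, HX sweeps the endpoints, validates the alerted host, finds other compromised hosts, tells the analyst and collects a triage package) is shown below as a small, self-contained sweep. This is an added example, not FireEye code and not how the HX agent is implemented: the telemetry record layout, the IOC fields, the host names and every sample value are constructed assumptions. It also covers the edge case the slides leave implicit: when the host named in the network alert shows no matching activity, the alert is reported as unvalidated rather than silently treated as confirmed.

```python
"""Added example (not FireEye code): network-to-endpoint IOC sweep.
Record layout, IOC fields, host names and all sample values are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class NetworkAlert:
    """IOCs a network platform publishes via CMS after an MVX detection (step 3).
    All values used with this class below are constructed placeholders."""
    alerted_host: str
    sha256: str
    callback_domain: str
    dropped_path: str


@dataclass
class SweepResult:
    validated: list = field(default_factory=list)    # step 5: alerted host confirmed
    newly_found: list = field(default_factory=list)  # step 6: other compromised hosts
    triage: dict = field(default_factory=dict)       # step 8: matching records per host


# Constructed placeholder hash (64 hex chars), reused so two hosts share the dropper.
SAMPLE_HASH = "c0ffee" * 10 + "1234"

# Constructed telemetry in an assumed agent-style layout: one record list per host.
ENDPOINT_TELEMETRY = {
    "ws-0412": [  # the host named in the network alert
        {"type": "file", "path": r"C:\Users\Public\update.exe", "sha256": SAMPLE_HASH},
        {"type": "dns", "query": "callback.example.test"},
    ],
    "srv-fs02": [  # only the callback is visible here; note the different letter case
        {"type": "dns", "query": "CALLBACK.EXAMPLE.TEST"},
    ],
    "ws-0777": [  # clean host
        {"type": "file", "path": r"C:\Program Files\Vendor\tool.exe", "sha256": "ab" * 32},
        {"type": "dns", "query": "updates.example.test"},
    ],
    "lap-remote-09": [  # off-network laptop, reachable the way Agent Anywhere describes
        {"type": "file", "path": r"C:\Temp\inv0ice.exe", "sha256": SAMPLE_HASH},
    ],
}

SAMPLE_ALERT = NetworkAlert(  # constructed alert for the walkthrough
    alerted_host="ws-0412",
    sha256=SAMPLE_HASH,
    callback_domain="callback.example.test",
    dropped_path=r"C:\Users\Public\update.exe",
)


def indicators(alert: NetworkAlert) -> set[tuple[str, str]]:
    """Normalise the alert into (kind, value) pairs; hashes, names and paths
    are compared case-insensitively so agent formatting differences do not hide hits."""
    return {
        ("sha256", alert.sha256.lower()),
        ("dns", alert.callback_domain.lower()),
        ("path", alert.dropped_path.lower()),
    }


def record_matches(record: dict, iocs: set[tuple[str, str]]) -> bool:
    """True when one telemetry record hits any IOC (hash or path for files, name for DNS)."""
    if record["type"] == "file":
        return (("sha256", record["sha256"].lower()) in iocs
                or ("path", record["path"].lower()) in iocs)
    if record["type"] == "dns":
        return ("dns", record["query"].lower()) in iocs
    return False  # unknown record types never match


def sweep(alert: NetworkAlert, telemetry: dict) -> SweepResult:
    """Steps 4-8: sweep every host, separate validated from newly found hosts,
    and keep the matching records as the triage package for the analyst."""
    iocs = indicators(alert)
    result = SweepResult()
    for host in sorted(telemetry):
        hits = [r for r in telemetry[host] if record_matches(r, iocs)]
        if not hits:
            continue
        result.triage[host] = hits
        if host == alert.alerted_host:
            result.validated.append(host)
        else:
            result.newly_found.append(host)
    return result


def analyst_summary(alert: NetworkAlert, result: SweepResult) -> dict:
    """Step 7: what the analyst is told. 'validated' is False when the alerted host
    has no matching activity, which marks the network alert as unconfirmed (possible
    false positive, or the host has not checked in) before any step-9 containment."""
    return {
        "validated": alert.alerted_host in result.validated,
        "compromised": sorted(result.triage),
        "records_to_review": sum(len(v) for v in result.triage.values()),
    }


if __name__ == "__main__":
    print(analyst_summary(SAMPLE_ALERT, sweep(SAMPLE_ALERT, ENDPOINT_TELEMETRY)))
```

Running the module prints the summary for the constructed alert: the alerted workstation is validated, a file server and an off-network laptop are newly found, and four records make up the triage package. Swapping the alerted host for the clean one in the same alert yields `validated: False`, which is the signal to hold containment and investigate the discrepancy first.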