WHITE PAPER

SECURITY REIMAGINED, PART II: BUILDING OUT AN ADAPTIVE INFRASTRUCTURE


CONTENTS

A VISION IS JUST THE BEGINNING
A HISTORY OF REIMAGINING: THE REST OF THE STORY
DETECTION: MINUTES, NOT MONTHS
HUNTING AND GATHERING
PREVENTION: BLOCK WHAT YOU CAN, STOP WHAT YOU CAN’T
ANALYSIS: FULL CONTEXT FOR A FULL PICTURE
TELLING A STORY WITH THE NARRATIVE MODEL
INTELLIGENCE AT THE CORE
RESOLUTION: FOCUSED ON CONTINUITY
CONCLUSION AND RECOMMENDATIONS


EXECUTIVE SUMMARY

Reimagining security takes more than a breakthrough vision. It takes the right tools and follow-through. This paper explains how to put Adaptive Defense™ into practice, outlining the capabilities needed to prevent, detect, analyze, and resolve today’s threats.

PREVENT

In an adaptive architecture, prevention comes in two forms: preventing many attacks outright, and preventing the worst outcomes of attacks that slip through. Tightly integrated defenses instantly block malicious callbacks. At the same time, endpoint defenses can locate compromised systems and quarantine them.

DETECT

With an adaptive strategy, security teams detect threats in minutes, not months. This requires tools that go beyond signature-based technologies such as anti-virus (AV) software and even next-generation firewalls. These tools must cover multiple threat vectors, such as web and email. And they must see the entire lifecycle of an attack.

ANALYZE

For analysis, adaptive architectures must provide full context to give security teams the full picture. This means providing a narrative of the attack, not reams of data. To fill the gaps left by security information and event management (SIEM) products, adaptive architectures incorporate enterprise forensics systems and endpoint tools.

RESOLVE

Resolving threats still requires human insight and action. But an adaptive posture can speed the process with tools that collect, curate, and correlate data in real time.

Though an adaptive approach may require new tools, it isn’t about spending more. It’s about getting the best return on your security investment by directing spending where it makes the most sense.


A VISION IS JUST THE BEGINNING

The first part of this series detailed three pivotal advances that hinged on someone reimagining a domain: Arthur Cummings’ curveball pitch, George Westinghouse’s push to deliver electricity via alternating current, and Henry Ford’s assembly line.

[Photo: Henry Ford stands next to a Model T car.]


A HISTORY OF REIMAGINING: THE REST OF THE STORY

In each of these cases, a breakthrough vision was only a starting point. Reimagining the status quo also required having the necessary tools and following through on the idea.

Arthur Cummings needed a catcher who could work with the curveball and prevent it from rolling to the backstop.[1] He found one in Nat Hicks, one of only a few players at the time to crouch directly behind the batter during a pitch.[2] Hicks’ position, along with a willingness to indulge “Cummings’ crazy curve,” enabled Cummings to wield his new throw, and made the pair a force on the baseball diamond.[3] As baseball historian Peter Morris puts it: “…the most lethal pitch had no value without a skilled catcher.”[4]

George Westinghouse knew that alternating current would slash the cost of delivering electricity. But the changeover from the prevailing direct-current standard depended on key innovations from others. Nikola Tesla’s two-phase induction motor and transformer designs,[5] Ottó Bláthy’s improved transformer and electric meter,[6] and William Stanley’s parallel-connected transformer[7] were just a few of the advances that enabled Westinghouse’s vision.

And when Henry Ford wanted to build the Model T faster and less expensively, someone had already invented the conveyor belt (widely used in grain warehouses) and the assembly line (common in Chicago slaughterhouses).[8] Industrial efficiency pioneer Frederick Taylor’s theory of scientific management[9] was taking root when Ford transformed the complex, specialized work of making cars into a series of discrete steps that required far less craftsmanship.[10]

Like these historical examples, reimagining security also requires the right tools and follow-through.

Part I of this series outlined what FireEye calls Adaptive Defense. This approach integrates tools end to end. It enables big-picture vigilance. It adopts a lean-forward posture with intelligence. And it responds nimbly with a responsive architecture.

This installment examines how to put this strategy into practice. It describes the tools and expertise organizations need to adopt an adaptive posture. And it prescribes a framework that will enable them to continuously prevent, detect, analyze, and resolve today’s threats.

[1] Peter Morris. “Catcher: The Evolution of an American Folk Hero.” 2009.
[2], [3], [4] Ibid.
[5] John W. Klooster. “Icons of Invention: The Makers of the Modern World from Gutenberg to Gates.” 2009.
[6] Quentin R. “George Westinghouse: Gentle Genius.” 2007.
[7] IEEE Global History Network. “Milestones: Alternating Current Electrification, 1886.” October 2004.
[8] Ford Motor Company archives. “The Reminiscences of Mr. W. C. Klann.” Recorded September 1955; transcribed November 2011.
[9] Frederick Taylor. “The Principles of Scientific Management.” 1911.
[10] The History Channel website. “Ford’s assembly line starts rolling.” Accessed September 2014.


[Figure: the adaptive cycle of Detect, Prevent, Analyze, and Resolve]


DETECTION: MINUTES, NOT MONTHS

In breaches that Mandiant, a FireEye company, helped resolve in 2013, attackers had free rein inside a victim’s network for a median of 229 days before being discovered.[11] With an adaptive strategy, security teams can detect threats in minutes, not months.

You must detect attacks early to avert their worst effects. By the time most organizations detect a breach, the damage is done.

DETECTION DOES NOT LIVE ON SIGNATURES ALONE

Much of the problem stems from conventional signature-based defenses. Evasion techniques such as code morphing and binary packing can generate a barrage of unique binary samples from the same malware family. Each has a unique signature. And many targeted attackers tailor code for each victim.

Anti-virus vendors cannot keep up with new binaries. In many cases, they never get the chance to create a signature. Of 124,289 unique malware variants that slipped past conventional “defense-in-depth” security deployments in a recent FireEye study, 75 percent appeared only once.[12]

[11] Mandiant, a FireEye Company. “M-Trends: Beyond the Breach.” April 2014.
[12] FireEye and Mandiant, a FireEye Company. “Cybersecurity’s Maginot Line: A Real-World Assessment of the Defense-in-Depth Model.” May 2014.

Like signatures, reputation-based defenses such as URL blacklisting detect only known, confirmed threats. Relying solely on this approach is like preventing the FBI’s most wanted criminals from entering your house—but leaving the doors open to everyone else.

Rather than relying on signature- or reputation-based detection alone, an adaptive security architecture analyzes suspicious files, web objects, and traffic in real time to detect new, unknown threats. Dynamic analysis technology observes malware and exploit behavior inside virtual machines (VMs). These walled-off, instrumented environments allow files to execute without doing any real damage.

By watching the files in VMs, automated analysis can flag telltale behavior, such as changes to the operating system or calls to the attacker’s command-and-control (CnC) servers.

Just as today’s advanced attacks unfold across multiple threat vectors and multiple connection flows, dynamic analysis tools must analyze suspicious code in the context of other system and network activity. Most VM-based analysis tools, more commonly known as sandboxes, analyze files and objects in isolation. They never see the full picture. The most effective solutions at this layer analyze exploits, malware, and associated behaviors as a series of flows, and they can group those flows into more complete pictures of attack activity.


Signature-based defenses still have a place in an adaptive strategy. For instance, AV software and intrusion prevention systems (IPS) can instantly block known commodity malware so adaptive methods can focus on unknown, targeted attacks that present a higher risk.

Even so-called “signature-less” detection technologies (such as VM-based analysis) spawn and circulate signatures for newly discovered threats to quickly inoculate the whole enterprise. When shared within a broader defense community, these new signatures can also help shield other networks.

Firewalls, albeit smarter versions of them, remain a key component of an adaptive security architecture. Applying an adaptive strategy doesn’t mean ripping out and replacing current security investments. Instead, it blends these legacy tools with dynamic analysis for fast, efficient detection.

Applying intelligence with indicators of compromise

Indicators of compromise (IOCs), those digital breadcrumbs so essential to incident response and forensics efforts, are also vital to detection.

In the simplest terms, IOCs are forensic artifacts of a breach, evidence created in the wake of an intrusion. This evidence can be anything from a new registry key to the name of a mutex inside a malicious process running on an infected machine.[13]

Security teams use IOCs to describe, catalog, and share threat data. Think of it as a criminal mug book that depicts traits such as the malware used, attackers’ methods, and other telltale signs. IOCs gathered from previous attacks help security teams know what to look for when detecting future attacks.

In an adaptive architecture, security teams can define IOC rules that meet all of the following conditions:

• Actionable. The IOC leads to the threat, or at least to the trail of the threat.

• Contextual. The IOC carries detail that describes the severity, the risk, and sometimes the confidence of the threat.

• Applicable. An IOC is useless if it does not work with your detection tools.

To get the full benefit from IOCs, adaptive security infrastructures define them in industry-standard formats. Having standards allows security teams to share, incorporate, and combine threat intelligence from internal, third-party, shared, and open-source sources.

While some emerging IOC formats cover the gamut of artifacts, many are not well defined and require specialized tools and expertise. Choose one that does not depend on any specific technology or setup, and that converts easily into other IOC formats.
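To make the three conditions concrete, here is an added example (not code from this paper or from FireEye) that evaluates one compound IOC across a small fleet of endpoints. The indicator model is a simplified OpenIOC-style AND/OR tree, which is my assumption rather than any vendor’s schema, and the per-host artifacts are constructed sample data. The file path and MD5 checksum are the ones quoted in the endpoint-visibility section later in this paper; the mutex name and registry key are placeholders. The tree keeps the indicator actionable (it names exactly what to look for), the severity field carries context, and because the evaluator works on plain attribute/value pairs it applies to any telemetry that can be flattened into that shape.

```python
"""Evaluate a tool-neutral, compound IOC across a fleet of endpoints.

Added example, not code from the white paper or from FireEye. The IOC model
is a simplified OpenIOC-style AND/OR tree (an assumption, not any vendor
schema), and every endpoint artifact below is constructed sample data. The
file path and MD5 come from the endpoint query quoted later in the paper;
the mutex name and registry key are placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Union

Artifacts = dict[str, list[dict[str, str]]]   # artifact kind -> observed objects


@dataclass(frozen=True)
class Term:
    """One observable. All attrs must match on the SAME artifact, so a path
    seen on one file and an MD5 seen on another file do not combine."""
    kind: str                               # "file", "registry", "mutex"
    attrs: tuple[tuple[str, str], ...]      # ((attribute, expected value), ...)

    def matches(self, artifacts: Artifacts) -> bool:
        for obj in artifacts.get(self.kind, []):
            # Windows paths, registry keys and mutex names are case-insensitive.
            if all(obj.get(a, "").lower() == v.lower() for a, v in self.attrs):
                return True
        return False


@dataclass
class Indicator:
    """Boolean combination of Terms and nested Indicators."""
    op: str                                  # "AND" or "OR"
    items: list[Union["Indicator", Term]] = field(default_factory=list)
    name: str = ""
    severity: str = "medium"                 # context the resulting alert carries

    def evaluate(self, artifacts: Artifacts) -> tuple[bool, list[Term]]:
        """Return (matched?, terms that matched). Partial hits are returned
        even on a non-match; that is what a hunter wants to see."""
        hits: list[Term] = []
        results: list[bool] = []
        for item in self.items:
            if isinstance(item, Term):
                ok = item.matches(artifacts)
                if ok:
                    hits.append(item)
            else:
                ok, sub = item.evaluate(artifacts)
                hits.extend(sub)
            results.append(ok)
        if self.op == "AND":
            return all(results), hits
        if self.op == "OR":
            return any(results), hits
        raise ValueError(f"unknown operator {self.op!r}")


def sweep(ioc: Indicator, fleet: dict[str, Artifacts]) -> dict[str, list[str]]:
    """Apply one IOC to every endpoint; return {hostname: [matched terms]}."""
    findings: dict[str, list[str]] = {}
    for host, artifacts in fleet.items():
        matched, hits = ioc.evaluate(artifacts)
        if matched:
            findings[host] = [f"{t.kind}:" + ",".join(f"{a}={v}" for a, v in t.attrs)
                              for t in hits]
    return findings


# Indicator: the dropped file (path AND hash on one object) OR its runtime traces.
HELP_EXE = Term("file", (("path", r"C:\help\help.exe"),
                         ("md5", "329e73bd3c7036b28c6ca041867afd2b")))
RUNTIME = Indicator("AND", [
    Term("mutex", (("name", "Global\\ExampleMutex-1"),)),            # placeholder
    Term("registry", (("key", r"HKCU\Software\ExamplePersist"),)),  # placeholder
])
IOC = Indicator("OR", [HELP_EXE, RUNTIME], name="example-dropper", severity="high")

# Constructed fleet telemetry (not real hosts).
FLEET: dict[str, Artifacts] = {
    "ws-01": {"file": [{"path": r"C:\Help\help.exe",
                        "md5": "329e73bd3c7036b28c6ca041867afd2b"}]},
    "ws-02": {"file": [{"path": r"C:\help\help.exe",            # right name, wrong binary
                        "md5": "d41d8cd98f00b204e9800998ecf8427e"},
                       {"path": r"C:\tmp\x.bin",                # right hash, wrong path
                        "md5": "329e73bd3c7036b28c6ca041867afd2b"}]},
    "ws-03": {"mutex": [{"name": "Global\\ExampleMutex-1"}],
              "registry": [{"key": r"HKCU\Software\ExamplePersist"}]},
    "ws-04": {"mutex": [{"name": "Global\\ExampleMutex-1"}]},   # only half the AND branch
}

if __name__ == "__main__":
    for host, why in sweep(IOC, FLEET).items():
        print(f"[{IOC.severity}] {IOC.name} on {host}: {why}")
```

The path and hash must match on the same file object: ws-02 carries the right name on one file and the right hash on another and is correctly left out, while ws-01 matches despite the different capitalization of its path. ws-04 shows only the mutex, so the AND branch does not fire and the host is not reported; with a real IOC, the hunter would still want to look at that partial hit, which is why evaluate() returns it.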

Seeing the forest, not just the trees

In a recent survey by the SANS Institute, correlating information from multiple sources ranked as the second-biggest challenge for security professionals, just behind distinguishing key events from normal background behavior.[14]

That correlation is possible only when the security architecture is tightly integrated for an end-to-end view. Point products see only part of the picture, so security teams usually get a disjointed account of the attack. By implementing an adaptive strategy, they get the whole story. It’s the difference between a photograph and a Picasso painting.

Think of how a preschooler might view F. Scott Fitzgerald’s The Great Gatsby. The child might understand most of the individual letters but none of the words. Fast-forward a few years, and a first grader might know some words but miss the flow of the sentences and their meaning. A fifth grader will likely understand many sentences and perhaps even full paragraphs. But that child will likely miss much of the subtext, innuendo, and poetry of Fitzgerald’s prose. Finally, a high-school freshman might understand all of these, and still not have enough life experience to appreciate the deeper themes of the classic work.

[13] Will Gragido (RSA). “Understanding Indicators of Compromise (IOC), Part I.” October 2012.
[14] Jerry Shenk (SANS Institute). “Sorting Through the Noise.” May 2012.

In the same way, your security architecture must be mature enough to not only detect individual events, but to piece them together in a meaningful way. Just as a great novel requires more than knowing your ABCs, an adaptive security architecture hinges on a deeper grasp of how attacks play out. This insight usually draws on outside experience in the form of threat intelligence.

Having a cohesive view of an attack allows for meaningful, correlated alerts. Today’s security teams are overwhelmed with an ever-growing flood of alerts from their point products. They waste time chasing down false alarms and lose important alerts in the noise.[15]

Let’s face it: most alerts generated by conventional security tools are glorified event logs. What organizations really want is answers to the questions that matter. They need information they can do something about.

Because adaptive, integrated defenses have an end-to-end view of the attack, they can correlate activity among different tools to consolidate related alerts and prioritize the most urgent. Although security teams get fewer alerts, they can be confident that those alerts are worth following up.

Adaptive approaches provide crucial context to ascertain what happened, when it happened, and where it happened (in other words, what systems are affected).
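As an added example (not code from this paper or from FireEye), the following groups alerts from several point products by asset and time window, scores each group by how many distinct attack stages and how many independent tools corroborate it, and returns the incidents in priority order. The source names, stage labels, thirty-minute window, and weights are my assumptions, and the alert feed is constructed.

```python
"""Consolidate point-product alerts into correlated, prioritized incidents.

Added example; this is not code from the white paper or from FireEye. The
alert sources, attack-stage names, time window and scoring weights are my
own assumptions, and the alert feed is constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    ts: datetime
    source: str      # point product that raised it (web sandbox, endpoint agent, sensor, AV)
    host: str        # asset the alert concerns; the join key across tools
    stage: str       # lifecycle position: delivery, exploit, execution, callback, lateral
    detail: str


# Assumed weights: later lifecycle stages matter more, and a chain spanning
# several stages outranks many alerts that all say the same thing.
STAGE_WEIGHT = {"delivery": 1, "exploit": 3, "execution": 3, "callback": 5, "lateral": 5}
WINDOW = timedelta(minutes=30)   # assumption: alerts on one host within 30 min belong together


@dataclass
class Incident:
    host: str
    alerts: list[Alert]

    @property
    def stages(self) -> set[str]:
        return {a.stage for a in self.alerts}

    @property
    def sources(self) -> set[str]:
        return {a.source for a in self.alerts}

    @property
    def score(self) -> int:
        """Distinct stages and distinct corroborating tools raise the score;
        repeated alerts from one tool do not."""
        return sum(STAGE_WEIGHT[s] for s in self.stages) + 2 * (len(self.sources) - 1)

    def summary(self) -> str:
        first, last = self.alerts[0].ts, self.alerts[-1].ts
        chain = " -> ".join(sorted(self.stages, key=lambda s: (STAGE_WEIGHT[s], s)))
        return (f"score={self.score:2d} host={self.host} alerts={len(self.alerts)} "
                f"tools={len(self.sources)} chain={chain} "
                f"window={first:%H:%M}-{last:%H:%M}")


def correlate(alerts: list[Alert]) -> list[Incident]:
    """Group alerts by host into time-windowed incidents, highest score first."""
    open_by_host: dict[str, Incident] = {}
    closed: list[Incident] = []
    for a in sorted(alerts, key=lambda x: x.ts):
        cur = open_by_host.get(a.host)
        if cur is not None and a.ts - cur.alerts[-1].ts <= WINDOW:
            cur.alerts.append(a)
            continue
        if cur is not None:
            closed.append(cur)          # gap too large: the earlier incident is complete
        open_by_host[a.host] = Incident(a.host, [a])
    closed.extend(open_by_host.values())
    return sorted(closed, key=lambda i: (-i.score, i.alerts[0].ts))


def _t(hhmm: str) -> datetime:
    return datetime(2014, 9, 1, int(hhmm[:2]), int(hhmm[3:]))


# Constructed feed: one multi-stage intrusion on ws-07 seen by three tools,
# three identical AV notices on ws-19, and an unrelated later event on ws-07.
ALERTS = [
    Alert(_t("09:00"), "web-sandbox", "ws-07", "exploit", "drive-by exploit in browser traffic"),
    Alert(_t("09:02"), "endpoint", "ws-07", "execution", "browser spawned unsigned binary"),
    Alert(_t("09:05"), "network", "ws-07", "callback", "beacon to known CnC address"),
    Alert(_t("09:01"), "av", "ws-19", "delivery", "commodity trojan quarantined"),
    Alert(_t("09:01"), "av", "ws-19", "delivery", "commodity trojan quarantined"),
    Alert(_t("09:01"), "av", "ws-19", "delivery", "commodity trojan quarantined"),
    Alert(_t("11:00"), "endpoint", "ws-07", "execution", "scheduled task created"),
]

if __name__ == "__main__":
    for inc in correlate(ALERTS):
        print(inc.summary())
```

Seven alerts become three incidents. The three-stage chain on ws-07 scores 15 and goes to the top of the queue; the three identical AV notices on ws-19 collapse into one low-priority incident, because repetition from a single tool adds nothing the first alert did not already say. The 11:00 event on ws-07 falls outside the window and is kept separate rather than silently folded into the morning intrusion.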

HUNTING AND GATHERING

Detecting threats can take the form of “hunting” and “gathering.” In conventional security, gathering, that is, collecting the alerts generated by IOC rules, is the most common approach.

For example, security teams might want gathering-style alerts for the following situations:

• Five failed logins occur on a privileged account

• Someone runs the at.exe command on a Windows system

With an adaptive strategy, you’ll also be hunting—actively looking for hidden threats based on fresh intelligence—with powerful, data-driven IOC rules that security teams can easily fine-tune. These IOCs use the latest specific intelligence, so you’ll get high-fidelity alerts with few false positives.

In hunting mode, security teams would likely want more free-form queries such as:

• Show all Windows processes executed across the enterprise in the past year, then show the rarest five percent for investigation.

• Query all endpoints for the behavioral indicators of compromise used by the top threats targeting the enterprise’s industry.

• Find unusual VPN activity and show trends by geography, user, and time.

• Analyze questionable Windows processes such as AT, PSEXEC and NET.

Hunting requires a higher level of expertise. Like a skilled detective, the hunter sifts through reams of information to find that all-important clue, the tiniest detail that seems odd or out of place. Depending on your budget and in-house resources, this expertise can be nurtured internally or delivered by an outside service provider.
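The following added example (not code from this paper or from FireEye) implements the two gathering-style rules above and one of the hunting-style queries over a handful of Windows Security-log records. Records are reduced to the fields used here from event IDs 4625 (failed logon) and 4688 (process creation); the privileged-account list, thresholds, suspect-process list, and every event record are constructed assumptions. The hunting query stacks process names by how many hosts ran them and returns the rarest slice, which is the cheapest way to find the one binary that exists on a single machine.

```python
"""Gathering-style alert rules and a hunting-style stacking query over
Windows Security-log records.

Added example, not code from the white paper or from FireEye. Records mirror
event IDs 4625 (failed logon) and 4688 (process creation), reduced to the
fields used here; the privileged-account list, thresholds, suspect-process
list and every event below are constructed assumptions.
"""
from __future__ import annotations

import math
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED = {"CORP\\da-backup", "CORP\\administrator"}            # assumption
SUSPECT_PROCS = {"at.exe", "psexec.exe", "psexesvc.exe", "net.exe", "net1.exe"}
FAILED_LOGON_THRESHOLD = 5
FAILED_LOGON_WINDOW = timedelta(minutes=10)


def ev(ts: str, host: str, event_id: int, **fields) -> dict:
    """Build one reduced log record from an ISO timestamp and free-form fields."""
    return {"ts": datetime.fromisoformat(ts), "host": host, "event_id": event_id, **fields}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_failed_privileged_logons(events: list[dict]) -> list[dict]:
    """Gathering rule 1: N failed logons on one privileged account inside the window."""
    by_user: dict[str, list[datetime]] = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e["target_user"] in PRIVILEGED:
            by_user[e["target_user"]].append(e["ts"])
    alerts = []
    for user, times in by_user.items():
        times.sort()
        # Sliding window over the sorted timestamps; alert once per user.
        for i in range(len(times) - FAILED_LOGON_THRESHOLD + 1):
            if times[i + FAILED_LOGON_THRESHOLD - 1] - times[i] <= FAILED_LOGON_WINDOW:
                alerts.append({"rule": "failed-privileged-logons", "user": user,
                               "count": FAILED_LOGON_THRESHOLD, "first": times[i]})
                break
    return alerts


def rule_suspect_process(events: list[dict]) -> list[dict]:
    """Gathering rule 2: execution of at.exe, PsExec, net and friends."""
    alerts = []
    for e in events:
        if e["event_id"] == 4688 and _basename(e["process"]) in SUSPECT_PROCS:
            alerts.append({"rule": "suspect-process", "host": e["host"],
                           "process": _basename(e["process"]), "cmdline": e.get("cmdline", "")})
    return alerts


def rare_processes(events: list[dict], fraction: float = 0.05) -> list[tuple[str, int]]:
    """Hunting query: stack process names by the number of hosts that ran them
    and return the rarest `fraction` (rounded up to at least one entry)."""
    hosts_per_proc: dict[str, set[str]] = defaultdict(set)
    for e in events:
        if e["event_id"] == 4688:
            hosts_per_proc[_basename(e["process"])].add(e["host"])
    ranked = sorted(((p, len(h)) for p, h in hosts_per_proc.items()),
                    key=lambda x: (x[1], x[0]))
    return ranked[:max(1, math.ceil(len(ranked) * fraction))]


# Constructed event feed (no real hosts or accounts).
EVENTS: list[dict] = []
# Five failures on a privileged account inside 20 seconds: should alert.
for s in range(0, 25, 5):
    EVENTS.append(ev(f"2014-09-01T08:00:{s:02d}", "dc-01", 4625, target_user="CORP\\da-backup"))
# Five failures on another admin account spread over two hours: outside the window.
for h, m in [(8, 0), (8, 30), (9, 0), (9, 30), (10, 0)]:
    EVENTS.append(ev(f"2014-09-01T{h:02d}:{m:02d}:00", "dc-01", 4625,
                     target_user="CORP\\administrator"))
# Ordinary failures on a non-privileged account: ignored by rule 1.
EVENTS += [ev("2014-09-01T08:05:00", "dc-01", 4625, target_user="CORP\\jsmith")] * 3
# Process creation on eight workstations: common processes plus a few outliers.
for i in range(1, 9):
    EVENTS.append(ev("2014-09-01T09:00:00", f"ws-{i:02d}", 4688, process=r"C:\Windows\explorer.exe"))
    EVENTS.append(ev("2014-09-01T09:01:00", f"ws-{i:02d}", 4688,
                     process=r"C:\Program Files\Google\Chrome\chrome.exe"))
EVENTS += [
    ev("2014-09-01T09:10:00", "ws-03", 4688, process=r"C:\Windows\System32\at.exe",
       cmdline="at 23:00 cmd /c c:\\temp\\u.bat"),
    ev("2014-09-01T09:12:00", "ws-05", 4688, process=r"C:\Users\bob\Desktop\PsExec.exe",
       cmdline="PsExec.exe \\\\ws-07 cmd"),
    ev("2014-09-01T09:13:00", "ws-07", 4688, process=r"C:\Windows\System32\net.exe",
       cmdline="net use \\\\fs-01\\c$"),
    ev("2014-09-01T09:20:00", "ws-02", 4688, process=r"C:\temp\update.exe"),
]

if __name__ == "__main__":
    for a in rule_failed_privileged_logons(EVENTS) + rule_suspect_process(EVENTS):
        print("ALERT", a)
    print("rarest:", rare_processes(EVENTS))
```

The failed-logon rule fires for the account attacked five times in twenty seconds but not for the one that failed five times over two hours, because the count is checked inside a sliding window rather than over the whole day. The rarest-process query surfaces at.exe first; with a larger fraction it also returns the other singletons, including update.exe, which no signature or fixed rule would have flagged.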


[15] FireEye. “The SIEM Who Cried Wolf: Focusing Your Cybersecurity Efforts on the Alerts that Matter.” August 2014.





PREVENTION: BLOCK WHAT YOU CAN, STOP WHAT YOU CAN’T

Conventional security lets too many attacks go undetected and unchallenged for far too long.

In an adaptive architecture, prevention comes in two forms: preventing many attacks outright, and preventing the worst outcomes of attacks that slip through.

Today’s best tools can stop many threats automatically. Legacy signature-based tools block known commodity threats. And dynamic analysis can catch many attacks that signature-based tools miss.

For attacks that slip through your perimeter defenses, the name of the game is preventing lasting harm. An adaptive approach enables security teams to contain attacks quickly by reducing two important metrics: time to detection and time to resolution.

Tightly integrated defenses instantly block malicious callbacks to attackers’ CnC servers. At the same time, endpoint defenses can locate compromised systems and quarantine them.

With an adaptive strategy, all of this occurs without badly disrupting operations. Used effectively, dynamic analysis tools do not weigh down the network or hinder users. And by pinpointing affected systems, security teams do not have to take major systems offline to remediate.




ANALYSIS: FULL CONTEXT FOR A FULL PICTURE

Analysis is one of the most important aspects of security, the very basis for detection, prevention, and resolution efforts. It is also one of the most difficult to get right.

Adaptive strategies automate much of the analysis process to detect and resolve incidents faster. Dynamic analysis tools find threats by analyzing the behavior of suspicious files, for example. And endpoint defenses inspect OS changes for signs of a breach.

Forensics and related activities still require human judgment. But automation can make the process faster and more accessible. Forensics should not have to be a manual, specialized chore.

ASKING THE RIGHT QUESTIONS, GETTING USEFUL ANSWERS

In the midst of a breach, security teams want answers, not data. The difference might seem pedantic; information, after all, is essential to finding answers. But reams of data are a poor substitute for knowledge.

A series of funny television ads that ran a few years ago for an Internet search site illustrates the point. In the commercials, someone asks a basic question, such as “Did you pick up a cell phone?” Instead of answering the question, others nearby begin reciting random facts about cellular membranes, telephone poles, and so on. Those facts may be accurate, even helpful in another context. But they didn’t help our hapless protagonist. Many of today’s security tools take a similar “everything and the kitchen sink” approach.

An adaptive strategy not only gives you answers, but helps you ask the right questions. By giving security teams information they need when threats are detected, an adaptive security strategy gives you a running start as you analyze the breach so you can prevent further damage and resolve the attack.

By asking and answering the right questions, an adaptive approach can reduce the expertise needed to deploy, maintain, and operate your security tools. More important, an adaptive approach makes these tools more powerful.


TELLING A STORY: THE NARRATIVE MODEL

All aspects of the adaptive approach, real-time analysis, useful IOCs, context about attacks, and the right answers to the right questions, become even more potent as part of a connected narrative.

By fitting all the pieces together, an adaptive strategy helps security teams respond to and resolve incidents faster. It also provides operating metrics that are critical to gauging the depth of the security architecture.

Enterprise forensics

Enterprise forensics solutions (EFS) are a big part of this narrative. By fusing network and endpoint telemetry into a single interface, or single “pane of glass,” an EFS gives incident responders complete, reliable access to the data they need to stop and resolve attacks.

With an adaptive strategy, incident responders can pull in data from any tool using the same, simple-to-use interface, query syntax, and reporting format. With an easy, familiar way of interacting with the security architecture, even non-specialists can harness powerful capabilities.

An EFS should not be confused with SIEM or log-management products. SIEMs collect and correlate logs. EFS, in contrast, combines forensic artifacts and events into a single interface to find threats.

While they have their place in an adaptive strategy, legacy SIEM platforms are not well suited to EFS tasks. They are far too slow and limited to process the torrent of data needed to analyze events completely for continuous monitoring and response.

SIEM products also lack high-quality threat intelligence feeds. Some products do incorporate open source threat intel. But this approach typically results in a deluge of false positives and lacks key attribution details that help identify the attacker.

And most SIEM offerings cannot update rules quickly to detect new threats. Instead, security engineers must manually research threats and build any new alert rules themselves.

As the SANS Institute recently put it: “Reviewing SIEM data is like reviewing a phone bill and seeing who talked to whom at what time, but not having the actual conversation.”[16]

As part of an adaptive approach, an EFS enables security teams to easily see activity from the perimeter, internal network streams, and endpoint activity for an end-to-end narrative. Network telemetry captures, monitors, and stores network traffic throughout the network, not just ingress and egress points. Attackers’ lateral movement, largely invisible to legacy tools, comes into full view. This movement can be reconstructed after the fact to retrace every step of the breach.

Endpoint visibility

No narrative would be complete without a view into endpoints. An adaptive strategy enables security teams to quickly pinpoint, isolate, and fix compromised endpoints.

For full endpoint visibility, your tools must do the following:

• Retrieve data from specific endpoints. Organizations can query any endpoint in the network to find IOCs and fill out the forensic narrative. Security teams can pose complex questions such as “Show me all endpoints that have the file C:\help\help.exe matching the MD5 checksum 329e73bd3c7036b28c6ca041867afd2b.” Such queries are difficult, if not impossible, in conventional architectures.

[16] Dave Shackleford (SANS Institute). “When Breaches Happen: Top Five Questions to Prepare For.” June 2012.


• Get live responses to queries. If security teams find a compromised system, they can expand the narrative by getting a live response from the endpoint. This response can be a full forensics snapshot of the endpoint including files, memory space, registry, connection state, and more. The incident responder can analyze the live response remotely or transfer it to their console.

• Have a full, bit-by-bit record of endpoint activity. Just as an adaptive architecture captures every data packet on the network for a full picture of activity, adaptive endpoint security technologies have evolved similar functionality. With packet capture and look-back recording, an endpoint can track, store, and index changes to key markers such as registries, settings, started and stopped processes, and inbound and outbound network connections. When requested in targeted acquisition (“hunting”) mode, this record is sent to the security team to help responders pinpoint what endpoints the attacker hit and gauge the impact.

• Contain and remediate anywhere. When security tools detect a breach, teams must quickly isolate and fix breached endpoints to contain the damage. This process often takes place remotely, when the endpoint is not wired directly to the organization’s main network. If an endpoint is located, say, inside a coffee shop, incident responders must still be able to “reach into” the machine to analyze forensic artifacts and contain the threat.

An adaptive approach combines intelligence gathered from remote and local endpoints, network forensics, and cloud-based intel-sharing networks to form a complete narrative.

INTELLIGENCE AT THE CORE

Intelligence is the lifeblood of analysis, giving security teams a wider-angle view of potential threats inside and outside their network.

Tactical intelligence—both internal auto-generated signatures and data shared among a global defense community—enables security tools to instantly block known threats. Contextual intelligence helps guide analysis efforts, spotlighting threat trends and tactics so security teams know where to focus their efforts. And strategic intelligence gives security leaders the tools for macro-level analysis and long-term strategy.

[Figure: components of an adaptive architecture: Advanced Threat Protection, Signature/Rule-Based Blocking, Threat Intelligence, Endpoint Forensics, Network Forensics, Mobile, Cloud]


RESOLUTION: FOCUSED ON CONTINUITY


For now, resolving threats still requires human insight and action. But an adaptive posture can speed the process to contain the threat, fix any damage, and re-secure your network, all without severely disrupting business.

Today, most resolution efforts fall into a matrix. One axis indicates whether they are static (requiring security teams to take systems offline) or dynamic (fixed while the system is still online and running). The other axis indicates whether they are disruptive (interrupting normal operations) or non-disruptive.

This matrix leaves incident responders with four choices:

DYNAMIC, NON-DISRUPTIVE CHANGE. This is ideal, keeping every system up and running and business humming along as normal. A typical example is killing a malicious process and removing its files from an infected system while it is still running.

DYNAMIC, DISRUPTIVE CHANGE. With this choice, systems continue running, but resolution may briefly interrupt work. An example is requiring an enterprise-wide password reset.

STATIC, NON-DISRUPTIVE CHANGE. With this choice, some systems are taken offline, but operations continue. Taking an infected system offline and reimaging it is one example.

STATIC, DISRUPTIVE CHANGE. Most organizations avoid this choice if they can. It amounts to taking the whole organization offline and reimaging the entire IT infrastructure. Entire systems are down, irritating customers, grinding business to a halt, and ravaging the bottom line.

The goal of an adaptive strategy is dynamic, non-disruptive resolution. With the wealth of information curated for detection, prevention, and analysis, security teams have data from networks, content repositories, and endpoints at their fingertips for a pinpoint response. An adaptive approach cannot automate the response itself. But it can automate the requisite information gathering, help direct the process to stop attacks sooner, and avoid the most severe damage and disruption.

The benefit is reciprocal: information gathered while resolving an issue can, in turn, bolster detection, prevention, and analysis with newly gleaned intelligence.


CONCLUSION AND RECOMMENDATIONS

We’ve described a new model to transform the way you prevent, detect, analyze, and resolve new threats. But as Cummings, Westinghouse, Ford, and so many others knew, reimagining the status quo is only a starting point. Now we’ll describe what an adaptive approach looks like in practical terms, and how to begin building one.

An adaptive approach incorporates several layers of defense. Unlike most defense-in-depth deployments today (which, as explained in Part I, are really “defense in shallow”), an adaptive posture uses multiple layers of defenses that complement but don’t duplicate each other.

In other words, each layer should slow an attacker’s momentum, equip security teams to more quickly contain and resolve attacks, or ideally, both. Conventional defense-in-depth deployments use similar signature-based detection at every layer. An attacker who can get past one layer of signature-based defense (because no signature yet exists for the tools used in that attack) has a good chance of getting past all of them.

In an adaptive architecture, one layer of defense might fail, but the others remain intact.

BUILDING AN ADAPTIVE APPROACH, LAYER BY LAYER

For a true multi-layered defense, FireEye recommends the following:

• A signature layer. This tier handles commodity malware and known patterns of attack. This layer frees up your advanced layers to focus on new and unknown threats.

• A layer with advanced threat detection technology. This layer might use virtual-machine analysis and heuristic techniques to detect and sometimes automatically block attacks that signature-based tools miss.

• A layer with network forensics and advanced endpoint capabilities. Network forensics products should provide a “single pane of glass” to easily see activity from the perimeter, internal network streams, and endpoint activity. The idea isn’t to spawn more useless data, but to get an end-to-end narrative. Security teams should be able to retrieve data from specific endpoints and get a live response to queries. They should have a full, bit-by-bit record of endpoint activity when needed. And they should be able to contain and fix problems wherever the endpoint is.

• An intelligence layer that provides information on specific attackers. This layer should reveal attackers’ motives, what they’re after, what tools they use, and how their attacks unfold. Armed with those details, security teams can more closely monitor specific threat vectors. They can look for telltale markers and bolster defenses around the assets most at risk.


The more tightly integrated these tools are, the more powerful they become. A solution that can monitor email and web traffic together, for instance, can see multi-vector attacks that individual tools might miss. And a full picture of endpoint activity helps security teams detect threats faster, and quickly isolate and fix breached systems to prevent lasting harm.

INVESTING WISELY FOR THE FUTURE

By definition, every budget has limits. A truly adaptive strategy recognizes those spending constraints and works within them. Though an adaptive approach may require new tools, it isn’t about spending more. It’s about getting the best return on your security investment by directing spending where it makes the most sense.

By reducing spending on ineffective or redundant technology, organizations can free up money for capabilities that make them more nimble and effective.

To that end, FireEye recommends the following:

• Minimize investment in compliance-oriented event management tools. For many organizations, these are must-haves. But complying with industry or government guidelines isn’t the same thing as truly securing your IT assets. Once you have met the basic requirements, use what you’ve saved to invest in capabilities that can apply intelligence, analytics, or both to the security events these tools generate.

• Trim anti-virus and other signature-based technology spending to the bare minimum. Consider free or low cost solutions from Microsoft and others. Invest the savings in advanced threat detection and response capabilities on the endpoint.

• Reevaluate your managed security services provider (MSSP) if you have one. Spend less on ineffective or limited services. Reinvest the savings in a strategic partner that owns all aspects of the solution—technology, expertise, and intelligence. Make sure that provider is a recognized leader in all three domains.

• Identify metrics to measure the efficacy of your cyber security plan over time. Response and resolution times are two key measures. The effort your team expends to prevent, detect, analyze, and resolve threats is another. Map these benchmarks to your investments in technology, intelligence, and expertise. And gauge them over time to assess your architecture. Are your tools helping reimagine your security strategy—or rehashing old approaches? Consider your answer a good starting point.

[Figure: The tightly integrated layers of an adaptive architecture. Detect and Prevent: Signature-Based Detection; Advanced Threat Protection (Signature-Less). Analyze and Respond: Network Forensics and Endpoint Live Response; Threat Intel (Strategic, Tactical). Across all layers: Narrative-Based Response.]


FireEye, Inc. | 1440 McCarthy Blvd. Milpitas, CA 95035 | 408.321.6300 | 877.FIREEYE (347.3393) | [email protected] | www.fireeye.com

© 2014 FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye, Inc. All other brands, products, or service names are or may be trademarks or service marks of their respective owners. WP.SRII.EN-US.092014