Cyber Security protection by MultiPoint Ltd.
How to defend your company from Cyber attacks

Published in: Technology
  • SOURCE #1: 66% - Verizon “2013 Data Breach Investigations Report”
    SOURCE #2: 69% - Verizon “2013 Data Breach Investigations Report”
    SOURCE #3: 5% - New York Times, January 2013
  • Rapidly Respond:
    Customer (Raymond James) reports 93% accuracy in our findings (the other 7% may also be correct, as they couldn’t prove us wrong). Other customers (Warner Brothers) report a near-100% true positive rate.
    This means customers have confidence in our findings to automate mitigation (things like blocking and quarantine).
    Without Damballa, they are dealing with tons of disparate one-time alerts from other security products, each of which requires significant manual analysis. Most of these alerts are false positives, so they can’t automatically respond to them. They must first spend hours validating whether the alert is real or false.
    If they automatically responded to alerts by taking action like re-imaging a machine or blocking communications, they would be imposing on their business – stopping legitimate communications and causing significant loss of productivity.
    With Damballa, our determination that a device is infected is not based on a single event. Instead it is based on multiple events from different detection techniques that are all corroborated to determine that there is a true infection. Thus when Damballa says a device is infected, there is certainty behind the verdict. This confidence allows organizations to automate the response actions (automatically blocking communications, quarantining a device, triggering re-imaging, etc.).

    Optimize Resources:
    Without Damballa, organizations are forced to use personnel to manually hunt through logs and alerts to try to find evidence that a device is compromised. Reports from customers are that a single alert from a traditional security product can take 1 to 3 hours to research.
    (Comment from current prospect Labcorp: estimated it would take an FTE 1 day’s work to discover a single infection.)
    Without Damballa, organizations are trying to hire a record number of security professionals in a field where talent is sparse. Manual effort isn’t scaling for them. Throwing bodies at the problem doesn’t work.
    With Damballa, security teams stop the manual hunt and focus on true infections. This allows them to spend their time on things like managing their portfolio, adapting their posture, and dealing with risky incidents.
    With Damballa, security teams are able to dedicate their time not to being reactive but to proactively improving their security posture (new techniques and policies for prevention) – see Adapt Posture below.
    With Damballa, security teams have fewer “noisy infections” and can put those very skilled ‘hunters’ toward tracking down truly targeted and advanced threats (which we help with too).

    Manage Portfolio:
    We detect what preventative measures miss.
    Without detective controls like Damballa, enterprises don’t know whether their preventative controls are working or not. There is no way to measure.
    Example: Disney indicated that 75% of Damballa detections were not seen by their AV engines.
    We allow customers to determine which preventative controls are working and where the gaps are.
    Ultimately this may lead to being able to retire solutions or consolidate.

    Adapt Posture:
    By studying how a threat actor attacked them, what they did in their environment and what they are after, security teams can adapt their security posture by changing policies (e.g. proof that they need to take away admin rights) or modifying prevention solutions so threats can’t be successful going forward.
    Without Damballa, organizations are focused on individual incidents and are inherently reactive. It is like plugging holes in a dam: new holes keep popping up (some they see, others they don’t, causing floods), and they are never able to keep up.
    With Damballa, Damballa identifies the holes, gathers the evidence that led to each hole, and allows the customer both to address the holes and, more importantly, to learn from them and spend time addressing the “structure” of the dam to keep holes from happening in the future.
  • Two main points.

    As a security industry, solutions have typically been focused on first seeing the malware and then building a signature for it. Similarly, enterprises have approached security as though you must first find the file and then respond. If that is the approach we continue to take, we have lost and will continue to lose the battle. You aren’t always going to see the file coming in through the front door, as there are other places you can get infected. Also, there are often infected devices on which even the best host forensics companies can’t find the malware file – the malware is that evasive.

    So you have to focus on rapidly identifying the “infection” rather than focusing only on the file first. Why? Because the business risk is too high to have hidden active infections within your network.
  • The Kill Chain is a well-known model that explains the thought process and approach of threat actors. At Damballa we constantly consider the mental approach of the attacker in everything we design. Today we will think about the kill chain from the corporate risk perspective.

    Recon: The threat actor identifies his target, whether it be a specific company, person, or industry.
    Weaponization: They then either build, or hire someone to build, the malware, targeted emails, etc.
    Delivery: This is the campaign that gets launched to try to infiltrate the target.
    Exploitation: This is the act of the “attack”, where, if successful, an infection occurs.

    Let’s stop here and ask yourself, from the corporate RISK perspective, prior to a successful infection: what is the corporate risk? It is simply the risk of getting infected. At this point an infection hasn’t occurred, no one has control of a device within the corporate network, and damage is not imminent.

    But once an infection gets past all your security prevention measures, the game changes. Now you have an active hidden infection and your adversary has control of a device inside your network – and you don’t know about it. Now you have a true business risk. The threat actor has command and control of a device in your network and can carry out “damage” such as data exfiltration, damage to your brand, or damage to your network infrastructure.

  • We could spend all day on the many infection vectors used to infect an asset. And with:
    the eroding borders of your network,
    the consumerization of IT,
    and the influx of mobile devices, it’s only getting worse; and
    in the end… users will be users and do things they should not do. Phishing attacks and poisoned SEO results are some of the leading causes of the initial infection.

    Whatever the vulnerability or exploit used, the first step in the crimeware infection process is for a dropper to be installed. Once on the asset, the shellcode executes or the user clicks, and the dropper unpacks itself, disabling local security and quickly learning more about the actual machine – the CPU speed, extent of internet access, network activity, IP/MAC address, etc.

    It then reaches out to an updater site, confirms that installation was performed, makes sure it has infected a real machine, and identifies whether the machine has been seen before (confirming for the cyber broker that they can pay the Pay Per Installer). The cyber broker may already have a threat actor ready for the infection, or can shop around to find a threat actor who wants an infection inside the organization. The updater will then pass back the location of the downloader site where the real malware agent can be selected and deployed.

    The next step is for the dropper to reach out to the downloader site and pull down the first-tier malware agent. It could be one or many, and there is likely a selection of which agents come down, using whitelists, filters for certain IP blocks, etc. Typically a new, unique malware sample will be issued based on who you are and what the bad guys want downloaded. This is where things can get very targeted: if the infected asset is within an IP block of significant interest to the criminals behind the operators, things could get very interesting. Either way, there is now some intelligence being applied to this attack based on what is already known.

    The agent comes down from the downloader site – typically as an encrypted payload which won’t be detected by any sandbox solution. The dropper has the key and decrypts the payload, allowing the new malware to install. The new malware may or may not delete the dropper – it can remove all evidence, or leave something behind to throw off investigators, leaving disposable components so they think they cleaned it up… but the asset is still infected. The first-tier malware agent now performs a bigger and better cataloguing of the victim machine, in this case looking at the data available on the device.

    Once collected, there is a quick blast to a repository, letting the operator know the infection was successful and sending with it stolen data: any passwords, login credentials, interesting files, anything of value on that particular asset.

    The malware agent then begins communicating with a front-line array of C&C proxy servers / control servers. Often, in this cycle, malware and domains are being updated not less than every 22 hours, because the AV signature process is typically a 24-hour update.

    So, as you can see, this is a highly sophisticated and resilient installation and communication cycle.
    In many cases the companies that are making headlines today were originally breached by the same botnets and cyber campaigns that have breached hundreds of other companies. While the resulting activity is, or appears, targeted, the successful infection is a rather automated and agnostic event. What makes it dangerous is the threat actor’s command and control over the assets in a network.
  • Damballa harvests over 22B unique DNS records a day from our enterprise and ISP/telco customers into our Hadoop clusters for use by our machine learning systems. Other information (Threat Discovery), such as the network and host behaviors of files, pcaps, and URL information, is also captured. The machine learning systems generate new threat updates for the Damballa Failsafe Profiler Platform, which include new threat intelligence, behavioral classifiers, and threat attribution information. Trace reports, which include AV results, host and network behaviors, malicious traits and other information resulting from sandbox analysis of suspicious files, are delivered back to Damballa Failsafe.
  • Damballa Failsafe uses a hub-and-spoke distributed computing system architecture. Sensors are placed in key locations within the network to observe all ports of traffic in both directions (egress, proxy, and DNS). The sensors and their Deep Packet Inspection engines listen to traffic passively off a tap or SPAN port. The sensors all talk to each other so they can track a device’s activity over time. Suspicious evidence is brought back to the management console (MC) to be examined by the Case Analyzer, and then a verdict is passed. All evidence is presented through the MC.

  • Because of our formula. Damballa has unique access to a very large data set of unfiltered, unstructured and unbiased internet and enterprise network data.

    While most security companies’ “labs” are filled with reverse malware engineers, ours is filled with PhDs, research scientists and machine learning experts who apply mathematical algorithms that reveal the techniques and infrastructure being used by threat actors… and we’ve been doing this for seven years.

    No other security company has the unique big data that Damballa has, much less one that has been applying leading-edge security research and related machine learning for as long as Damballa.

    Big Data
    -8 trillion records per year
    -200GB-300GB of internet and enterprise network data each day
    -Malware Samples Analyzed: 100K/day; 36.5M/yr
    -Unique DNS Records: 22B/day; 8T/yr
    -7 Years of Machine Learning Refinement

    Machine Learning/Data Science
    -7 years
    -13 Patents Filed, 2 already granted
    -8 Detection Profilers & Expanding
    -9 Risk Profilers & Expanding
    -Partnerships pivoting from Damballa Discoveries

    Engines Leverage Big Data
    -Fortune 2000 Enterprises
    -Global ISPs & Telcos
    -Academic and Industry Partnerships
    -Future Proof
    -Example: Domain Fluxing (DGA)
    -Example: Peer-To-Peer
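    A defender-side sketch of the corroboration idea in the Rapidly Respond notes and the sensor description above: a device is only called infected, and only then queued for automated quarantine, when several independent detection techniques (DNS, egress, sandbox) fire on it within a time window, so repeated noise from one source never triggers a disruptive action. This is an added example, not Damballa’s or MultiPoint’s code; the log line format, technique names, sample alerts, window and threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (not real data) in an assumed
# "<ISO timestamp> <device> <technique> <detail>" line format.
SAMPLE_EVENTS = """\
2014-03-01T09:00:00 host-17 dns dga-like-domain
2014-03-01T09:02:00 host-17 egress known-cc-proxy
2014-03-01T09:05:00 host-17 sandbox dropper-behaviour
2014-03-01T09:10:00 host-42 dns dga-like-domain
2014-03-01T09:11:00 host-42 dns dga-like-domain
2014-03-01T09:12:00 host-42 dns dga-like-domain
2014-03-01T10:00:00 host-99 dns dga-like-domain
2014-03-03T10:00:00 host-99 egress known-cc-proxy
"""


def parse_events(text):
    """Turn log lines into dicts with a real datetime; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue
        ts, device, technique, detail = parts
        events.append({"time": datetime.fromisoformat(ts), "device": device,
                       "technique": technique, "detail": detail})
    return events


def corroborate(events, window_hours=24, min_techniques=2):
    """Per device, confirm an infection only when at least `min_techniques`
    distinct detection techniques fire within `window_hours` of each other.
    Repeated alerts from a single technique never confirm on their own."""
    window = timedelta(hours=window_hours)
    by_device = defaultdict(list)
    for ev in events:
        by_device[ev["device"]].append(ev)
    verdicts = {}
    for device, evs in by_device.items():
        evs.sort(key=lambda e: e["time"])
        verdict = {"verdict": "unconfirmed", "techniques": [], "evidence": []}
        for i, end in enumerate(evs):
            # evidence still inside the window when this alert arrived
            recent = [e for e in evs[:i + 1] if end["time"] - e["time"] <= window]
            techniques = sorted({e["technique"] for e in recent})
            if len(techniques) >= min_techniques:
                verdict = {"verdict": "infected",
                           "verdict_at": end["time"].isoformat(),
                           "techniques": techniques,
                           "evidence": [f'{e["technique"]}:{e["detail"]}' for e in recent]}
                break  # earliest moment at which the evidence corroborates
        verdicts[device] = verdict
    return verdicts


def plan_response(verdicts):
    """Only corroborated verdicts get an automated action; everything else
    stays in the analyst queue instead of triggering a disruptive block."""
    return [(d, "quarantine") for d, v in sorted(verdicts.items())
            if v["verdict"] == "infected"]
```

    Running `plan_response(corroborate(parse_events(SAMPLE_EVENTS)))` quarantines only host-17; host-42 (three alerts, one technique) and host-99 (two techniques, but 48 hours apart) stay unconfirmed with the default 24-hour window.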

  • Transcript

    • 1. Cyber Security by MultiPoint Ltd.
    • 2. About MultiPoint
      • MultiPoint was founded in April 2009
      • Managed by Arie Wolman and Ricardo Resnik
      • A Distributor of Security & Networking Software
      • Main exclusive product lines: GFI Software, Damballa, Accellion, SpectorSoft, Centrify, IronKey, NovaStor, GFI MAX, LiebSoft, DataMotion, Netwrix, etc.
      • Certified, Qualified and Credible Technical team
      • Value Added for the Channel and the End-Users alike
    • 3. Main Vendors
    • 4. Some of our customers
    • 5. Attack Lifecycle (diagram: time vs. impact; labels Resource Validation, Preventative Controls, SOC / CIRT, Incident Response, Analysis, Professional Services, Marketing / PR, Brand, Loss of Intellectual Property)
    • 6. Because prevention’s not enough!
      69% of breaches: Malware was involved in 69% of all breaches, and 95% of all stolen data. “Prevention is crucial…but detection/response represents an extremely critical line of defense. Let’s stop treating it like a backup plan and start making it a core part of THE plan.” (2013 Verizon Data Breach Investigation Report)
      210 days: The average time from breach to detection was 210 days. (Trustwave 2013 Global Security Report)
      5% detection rate: 82 new malware samples were put up against more than 40 antivirus products... the initial detection rate was less than 5 percent. “Signature-based methods of detecting malware is not keeping up.” (New York Times, January 1, 2013)
    • 7. Why do these threats go undetected? (diagram: Endpoint Security and Network Security Systems around Enterprise Assets; AV, HIPS, Firewall, IDS/IPS, WSG/Proxy, VM/Sandbox and DNS each produce Alerts, Blocks, Blacklists/Signatures and Logs; Infections Identified vs. Unknown Threats)
      87% of victims of data theft had evidence in their log files but failed to identify it. (2011 Data Breach Report, Verizon RISK team)
      All this noise, how do I identify real infections?
    • 8. Automation needed to accelerate & improve Detection
      66% of breaches remain undiscovered for months or more
      69% of breaches are discovered by parties external to the victim
      5% detection rate of 82 new malware samples by traditional signature-based products
      Sources: Verizon, New York Times
    • 9. MultiPoint empowers end users to…
      Adapt Posture: enable improvements to security policies and controls
      Optimize Resources: focus teams & tools on high-value activities vs. noisy alerts
      Manage Portfolio: measure performance of preventative solutions
      Rapidly Respond: automate discovery, verification & prioritization of true infections
    • 10. The Kill Chain and Risk (diagram, two panels: Reconnaissance, Weaponization, Delivery, Exploitation, Command & Control, Data Exfiltration/Disruption/Damage; Infection Risk up to the point of Infection, Business Risk after it). After Infection Takes Place, the Game Changes.
    • 11. Looking at the Threat After It Bypasses Prevention (diagram: Initial Infection; Update & Repurpose; Initial C&C and 2nd Repurpose; Evasion Cycle Continues…; actors Malware Author, Cyber Brokers, Pay Per Installer, Threat Actors; components Victim, Dropper, Updater, Downloader, Repository, C&C Portals, C&C Proxies; captions “Dropper unpacks on the Victim machine and runs” and “Malware is updated/customized”)
    • 12. Prevention features you need for 2014
      Patch automation / Vulnerability assessment / Integration / Powerful
      » Microsoft®, Mac OS® and major Linux operating systems
      » Microsoft and other popular third-party applications
      » Security and non-security updates
      » More than 4000 critical security applications
      » Interactive dashboard
      » Workstations, laptops, servers, mobile devices and a wide range of network devices such as printers, switches and routers
      » Now checking for up to 50,000 vulnerabilities
      Dedicated reports » For PCI DSS, HIPAA, PSN CoCo and other regulations
      Improved scan and remediation performance » Through usage of agents and relay agents
    • 13. Secunia VIM Overview – Key Facts and Benefits
      A proactive approach to vulnerability management
      Leader in the field of Vulnerability Intelligence
      Pioneer and industry leader in the research and disclosure of vulnerabilities
      The market’s largest verified vulnerability database, 45,000+ products
      The only vendor that guarantees coverage of your commercially available environment
      Award-winning solution
      Straightforward and simple to set up, maintain and use regardless of the size of an organization
      Customized asset lists mean targeted information based on your exact environment
      Filter information based on the asset location or criticality, useful for business-critical technology which receives less press coverage, e.g. Lotus Notes
      Dynamic, customized, historic, and automated reporting
      Track and document remediation strategies
      Eliminate information overload from sifting through other sources, emails, and bulk RSS feeds
      Prioritize patch management based on verified real-time information
    • 14. Sandbox technology helps ThreatTrack Security
      “Sandbox customization is the only way to adequately detect and stop targeted attacks”
      Dynamic Malware Analysis: As a fully customizable platform, ThreatAnalyzer enables you to recreate your entire application stack (including virtual and native environments) in which you can detonate malicious code to see exactly how malware will behave across all your network and systems configurations. Moreover, custom malware determination rules help you fine tune ThreatAnalyzer to be on the alert for suspicious behavior and activity that concern you most, such as anomalous access to sensitive systems, data exfiltration to foreign domains, queries made to custom applications and more.
      Know Your Exposure to Cyber Threats: ThreatAnalyzer is the industry’s only malware analysis solution that enables you to completely and accurately quantify the risk and exposure your organization faces from any malware threat. Within minutes of detonating a malware sample, you will know exactly which system configurations on your network are vulnerable to any threat, enabling you to instantly respond by isolating systems and implementing defenses to prevent infections.
    • 15. Threat Updates: Includes Intel, Classifiers & Attribution (diagram labels: MultiPoint vendors’ Labs; Threat Updates & Discovery Services; Enterprise Assets; ISPs; Enterprises; MultiPoint Vendors; Domains; Threat Discovery; Files; Trace Reports)
    • 16. Why is GFI LanGuard so effective?
      Scan / Analyze / Remediate / Install
      Takes only a few minutes to be up and running
      Agent-less or agent-based
      Identify assets (including mobile devices), find vulnerabilities, missing patches, open ports, services, hardware and software, etc.
      Vulnerability level assigned to each computer
      Reports, results filtering, network changes history
      Check external references
      Deploy missing updates, uninstall applications, deploy custom scripts, open remote desktop connections, etc.
      Definitions for vulnerabilities and patches are continuously updated from GFI® servers to report and remediate the latest threats
      Deploy agents (agent-less)
      Powerful interactive dashboard
    • 17. Damballa Failsafe Architecture: Hub & Spoke | 1U Appliances | Out of Band
    • 18. Our Formula – Delivering Predictive Security Analytics
    • 19. Security 2.0: The New Security Stack (diagram labels: Prevention, Detection, Response (Forensics); Infection Risk vs. Business Risk; Attack, Infection, Damage; legacy IPS & Host AV/IPS/FW, NGFW, Sandboxing, NBAD, Email Gateway, Advanced Threat Protection, Predictive Security Analytics, Endpoint Containment, Alerts & Logs, SIEM (Single Pane of Glass), SOC, Network DVR, Forensics Client)
    • 20. Increasing customer value thru integrations & alliances
      Damballa discovers with certainty & delivers evidence so customers can pivot to…
      Enrich, Correlate via SIEM & Forensics
      Block & Inform from Network to Endpoint
      Accelerate & Prioritize Response