SOURCE #1: 66% - Verizon “2013 Data Breach Investigations Report” SOURCE #2: 69% - Verizon “2013 Data Breach Investigations Report” SOURCE #3: 5% - New York Times, January 2013
Rapidly Respond: Customer (Raymond James) report 93% accuracy in our findings (other 7% may also be correct, as they couldn’t prove us wrong). Other customers (Warner Brothers – reports near 100% True Positive rate) This means customers have confidence in our findings to automate mitigation (things like blocking and quarantine). Without Damballa, they are dealing with tons of disparate 1-time alerts from other security products each which requires significant manual analysis. Most of these alerts are false positives, so they can’t automatically respond to these alerts. They must first spend hours validating if the alert is real or false. If they automatically responded to alerts by taking action like re-imaging a machine or blocking communications, they would be imposing on their business – stopping legitimate communications and causing significant loss or productivity With Damballa, our determination that a device is infected is not based on a single event. Instead it is based on multiple events from different detection techniques that are all corroborated to determine there is a true infection. Thus when damballa says a device is infected, there is certainty behind the verdict. This confidence allows organizations to automate the response actions (like automatically blocking communications, quarantining a device, triggering re-imaging, etc…)
Optimize Resources: Without Damballa, organizations are forced to use personnel to manually hunt through logs and alerts to try to find evidence that a device is compromised. Reports from customers are that a single alert from a traditional security product can take 1 to 3 hours to research. Comment from current prospect Labcorp – estimated it would take an FTE 1 days work to discover a single infection) Without Damballa, organizations are trying to hire a record number of security professionals in a field where talent is sparse. Manual effort isn’t scaling for them. Throwing bodies doesn’t work. With Damballa, security teams stop the manual hunt, and focus on true infections. Allows them to spend their time on things like Managing their Portfolio, Adapting their Posture, and dealing with risky incidents. With Damballa, security teams are able to dedicate their time to not being reactive, but instead proactively improving their security posture (new techniques and policies for prevention) – See ADAPT below With Damballa, security teams have less “noisy infections” and can put those very skilled ‘hunters’ toward tracking down truly targeted and advanced threats (which we help with too).
Manage Portfolio: We detect what preventative measures miss. Without detective controls like damballa, enterprises don’t know if their preventative controls are working or not. No way to measure. Examples: Disney indicated that of 75% of Damballa detections were not seen by their AV engines. We allow customers to determine which preventative controls are working and where gaps are. Ultimately may lead to being able to retire solutions or consolidate.
Adapt: By studying how a threat actor attacked them, what they did in their environment and what they are after – security teams can adapt their security posture by changing policies (e.g. – proof they need to take away admin rights) or modify prevention solutions so threats can’t be successful going forward. Without Damballa – organizations are focuses on individual incidents and inherently reactive. It is like plugging holes in a damn. New holes keep popping up (some they see, others they don’t see – causing floods). Never able to keep up. With Damballa – Damballa identifies the holes, gathers the evidence that lead to the hole, and allows the customer to both address the holes, but more importantly learn from the holes and spend time addressing the “structure” of the damn to keep holes from happening in the future.
Two main points.
As a security industry, solutions have typically been focused on first seeing the malware and then building a signature for it. Similarly, enterprises have also approached security that you must first find the file and then respond. If that is the approach we continue to take, we have and will continue to lose the battle. You aren’t always going to see the file coming in through the front door as there are other places you can get infected. Also, often there are infected devices that even the best host forensics companies can’t find the malware file – the malware is that evasive.
So you have to focus on rapidly identifying the “infection” rather than first focusing on only the file. Why? Because the business risk is too high to have hidden active infections within your network.
The Kill Chain is a well known model that explains the thought process and approach of the threat actors. At Damballa we constantly consider the mental approach of the attacker in everything we design. Today we will think about the kill chain from the corporate risk perspective.
Recon: The threat actor is identifying his target whether it be a specific company, person, or industry. Weaponization: They then either build or hire someone to build the malware, targeted emails, etc.. Delivery: This is the campaign that gets launched to try to infiltrate the target Exploitation: This is the act of the “Attack” where if successful and infection occurs.
Let’s stop here and Ask yourself from the corporate RISK perspective, prior to a successful infection – what is the corporate risk? It is simply the risk of getting infected. At this point an infection hasn’t occurred, no one has control of a device within the corporate network and damage is not immanent.
[click] But once an infection gets past all your security prevention measures, the game changes. Now you have an active hidden infection and your adversary has control of a device inside your network – and you don’t know about it. Now you have a true business risk. Now the threat actor has command and control of a device in your network and can carry out “Damage” such as data exfiltration or damage your brand or damage your network infrastructure.
We could spend all day on the many infection vectors used to infect an asset. And with: the eroding borders of your network the consumerization of IT and influx of mobile devices its only getting worse, and in the end…… users will be users and do things they should not do… phishing attacks and poisoned SEO results are some of the leading causes of the initial infection.
Whatever the vulnerability or exploit used…, the first step in the crimeware infection process is for a dropper to be installed. Once on the asset, the shell code executes or the user clicks, and the dropper unpacks itself, disabling local security and quickly learning more about the actual machine – the cpu speed, extent of internet access, network activity, ip/mac address, etc.
It then reaches out to an updater site, confirms installation is performed, makes sure it has infected a real machine, and identifies if the machine has been seen before (confirming for the cyber broker they can pay the Pay Per Installer). The cyber broker may already have a threat actor ready for the infection, or can shop around to see if they can find a threat actor who wants an infection inside the organization. The updater will then pass back the location of the downloader site where the real malware agent can be selected and deployed.
The next step is for the dropper to reach out to the downloader site and pulls down the first tier malware agent, could be one or many, and there is likely a selection of what agents are coming down, using whitelists, filters for certain IP blocks, etc. Typically a new, unique malware sample will be issued based on who you are and what the bad guys want downloaded. This is where things can get very targeted…if the infected asset is within an IP Block of significant interest to the criminals behind the operators… things could get very interesting…. Either way, there is now some intelligence being applied to this attack based on what is already known.
The agent comes down from the downloader site – typically as an encrypted payload which won’t be detected by andy sandbox solution. The dropper has the key and decrypts the payload allowing the new malware to install. The new malware may or may not delete the dropper – it can remove all evidence, or leave something behind to throw off investigators, leaving disposable components so they think they cleaned it up…but the asset is still infected. The first tier malware agent now performs a bigger and better cataloguing of the victim machine, in this case looking at the data available on the device.
Once collected, there is a quick blast to a repository, letting the operator know the infection was successful, sending with it stolen data, with any passwords, login credentials, interesting files, anything of value on that particular asset…
The malware agent then begins communicating to a front line array of c&c proxy servers / control servers. Often, in this cycle, malware and domains are being updated not less than every 22 hours, because the AV signature process is typically a 24 hour update.
SO, as you can see, this is a highly sophisticated and resilient installation and communication cycle. In many cases the companies that are making headlines today were originally breached by the same botnets and cyber campaigns that have breached hundreds of other companies. While the resulting activity is, or appears targeted, the successful infection is, a rather automated and agnostic event. But what makes it dangerous is the threat actors command-and-control over the assets in a network.
Damballa harvest over 22B unique DNS records a day from our Enterprise and ISP/Telco customers in to our hadoop clusters for use by our machine learning systems. Other information (Threat Discovery) such as the network and host behaviors of files, pcaps, and URL information is also captured. The machine learning systems generate new threat updates for Damballa Failsafe Profiler Platform which include new threat intelligence, behavioral classifiers, and threat attribution information. Trace reports that include AV results, host and network behaviors, malicious traits and other information from the result of performing sandbox analysis of suspicious files are delivered back to Damballa Failsafe.
Damballa Failsafe uses a hub and spoke distributed computing system architecture. Sensors are placed in key locations within the network to observe all ports of traffic in both directions (Egress, Proxy, and DNS). The Sensors and their Deep Packet Inspections engines listen to traffic passively off a tap or span. The sensors all talk to each other so they can track a devices activity over time. Suspicious evidence is brought back to the management console to be examined by the Case Analyzer and then a verdict is passed. All evidence is presented through the MC.
Because of Our Formula. Damballa has unique access to a very large data set of unfiltered, unstructured and unbiased internet and enterprise network data.
While most security company’s “Labs” are filled with Reverse Malware Engineers, ours is filled with PhD’s, research scientist and Machine Learning experts that apply mathematical algorithms that reveal techniques and infrastructure being used by threat actors…and we’ve been doing this for seven years.
No other security company that has the unique, Big Data that Damballa has…much less that has been applying leading-edge security research and related machine learning for as long as Damballa.
Big Data -8 trillion records per year -200GB-300GB of internet and enterprise network data each day -Malware Samples Analyzed: 100K/day; / 36.5M yr. -Unique DNS Records: 22B/day; 8T/yr. -7 Years of Machine Learning Refinement
Engines Leverage Big Data -Fortune 2000 Enterprises -Global ISPs & Telcos -Academic and Industry Partnerships -Future Proof -Behavioral -Example: Domain Fluxing (DGA) -Example: Peer-To-Peer
1. Cyber security
2. About MultiPoint
• MultiPoint was founded in April 2009
• Managed by Arie Wolman and Ricardo Resnik
• A Distributor of Security & Networking Software
• Main exclusive product lines:
– GFI Software, Damballa, Accellion, SpectorSoft,
Centrify, IronKey, NovaStor, GFI MAX, LiebSoft,
DataMotion, Netwrix, etc.
• Certified, Qualified and Credible Technical team
• Value Added for the Channel and the End-Users alike
3. Main Vendors
4. Some of our customers
5. Attack Lifecycle
SOC / CIRT
Marketing / PR
Loss of Intellectual
6. Because prevention’s not enough!
Malware was involved in 69% of
all breaches, and
95% of all stolen data.
“Prevention is crucial…but
detection/response represents an
extremely critical line of defense.
Let’s stop treating it like a backup
plan and start making it a core part
of THE plan."
2013 Verizon Data Breach Investigation Report
The average time from
breach to detection was 210
Trustwave 2013 Global Security Report
New York Times, January 1, 2013
82 new malware samples were put up
against more than 40 antivirus
products... the initial detection rate was
less than 5 percent.
“Signature-based methods of detecting
malware is not keeping up.”
7. Endpoint Security Network Security Systems
? ? ? ? ?? ? ?Infections Identified
AV HIPS Firewall Firewall IDS/IPS WSG/Proxy VM/SandboxDNS
Alerts Alerts Alerts AlertsAlerts AlertsBlockBlacklist/Signatures
LogsUnknown Threats Logs Logs
Why do these threats go undetected?
87% of victims of data theft had evidence
in their log files but failed to identify it.
2011 Data Breach Report
Verizon RISK team
All this noise, how do I identify real infections?
8. Automation needed to accelerate & improve
of breaches remain
undiscovered for months or
of breaches are discovered by
parties external to the victim
detection rate of 82 new malware
samples by traditional
Sources: Verizon, New York Times
9. MultiPoint empowers end users to…
enable improvements to
security policies and controls
focus teams & tools on high-value
activities vs. noisy alerts
measure performance of
automate discovery, verification &
prioritization of true infections
10. The Kill Chain and Risk
Reconnaissance Weaponization Delivery Exploitation Command & Control
After Infection Takes Place, the Game Changes
Reconnaissance Weaponization Delivery Exploitation Command & Control
11. Looking at the Threat After It Bypasses
Initial Infection Update & Repurpose Initial C&C and 2nd Repurpose Evasion Cycle Continues…
Repository C&C Portals
Downloader Repository C&C Portals
Pay Per Installer
Dropper unpacks on the
Victim machine and runs
12. Prevention features you need for 2014
» Microsoft®, Mac OS® and major Linux operating systems
» Microsoft and other popular third-party applications
» Security and non-security updates
» More than 4000 critical security applications
» Interactive dashboard
» Workstations, laptops, servers, mobile devices and a wide range of
network devices such as printers, switches and routers
» Now checking for up to 50,000 vulnerabilities
Dedicated reports » For PCI DSS, HIPAA, PSN CoCo and other regulations
» Through usage of agents and relay agents
13. Secunia VIM Overview – Key Facts and Benefits
A proactive approach to vulnerability management
Leader in the field of Vulnerability Intelligence
Pioneer and industry leader in the research and disclosure of vulnerabilities
The market’s largest verified vulnerability database, 45,000+ products.
The only vendor that guarantees coverage of your commercially available environment
Straight forward and simple to set up, maintain and use regardless of the size of an organization
Customized asset lists mean targeted information based on your exact environment
Filter information based on the asset location or critically, useful for business critical technology
which receives less press coverage, e.g.. Lotus Notes
Dynamic, customized, historic, and automated reporting.
Track and document remediation strategies
Eliminated information overload sifting through other sources, emails, and bulk RSS feeds
Prioritize patch management based on verified real time information
14. Sandbox technology helps
customization is the
only way to adequately
and stop targeted
As a fully customizable platform,
ThreatAnalyzer enables you to recreate your
entire application stack (including virtual and
native environments) in which you can
detonate malicious code to see exactly how
malware will behave across all your network
and systems configurations. Moreover,
custom malware determination rules help
Dynamic Malware Analysis
Know Your Exposure to Cyber Threats
ThreatAnalyzer is the industry's only malware analysis solution that enables you to completely and accurately quantify the risk and exposure
your organization faces from any malware threat.
you fine tune ThreatAnalyzer to be on the alert for suspicious behavior and activity that concern you most, such as anomalous access to
sensitive systems, data exfiltration to foreign domains, queries made to custom applications and more.
Within minutes of detonating a malware sample, you will know exactly which system configurations on your network are vulnerable to any
threat, enabling you to instantly respond by isolating systems and implementing defenses to prevent infections.
16. Why GFI LanGuard is so effective?
Takes only a few
minutes to be up
patches, open ports,
and software, etc.
level assigned to
Deploy missing updates,
deploy custom scripts,
open remote desktop
Definitions for vulnerabilities
and patches are
continuously updated from
GFI® servers to report and
remediate latest threats
17. Damballa Failsafe Architecture
Hub & Spoke | 1 U Appliances | Out of Band
18. Our Formula – Delivering Predictive