
FireEye: Seamless Visibility and Detection for the Cloud


Organizations need to apply security analytics to obtain seamless visibility and monitoring across both their on-premises and cloud environments. The challenges of doing so can be addressed with comprehensive detection rules and behavioral analytics that ensure potential threats are detected.

Join FireEye and AWS to learn how Threat Analytics Platform (TAP) helped unify a major U.S. financial company’s on-premises and cloud-based Security Operations Centers (SOCs) by providing a single, cloud-based solution for monitoring their hybrid IT environment. FireEye’s TAP provides seamless visibility, detection and investigation across your on-premises and AWS Cloud environments ensuring actionable insight into threats targeting your company.

Join us to learn:

• How TAP ingests and analyzes AWS CloudTrail log files, providing visibility into both your AWS environment and the applications running on it
• TAP's best practices workflow to guide and inform your threat investigation
• How a major U.S. financial company unified their on-premises and cloud-based SOCs into a single, cloud-based security operation

Who should attend: Directors and Managers of Security, IT Administrators, IT Architects, and IT Security Engineers

Published in: Technology


  1. Securing your Data on AWS
  2. Presenters
     • Patrick McDowell - Solutions Architect, AWS
     • Josh Goldfarb - VP, CTO - Emerging Technologies, FireEye
     • Paul Lee - Senior Deployment Engineer - TAP, FireEye
  3. Your Data and IP are your Most Valuable Assets
     • $6.53M: average cost of a data breach
     • 56%: increase in theft of hard intellectual property
     • 70%: of consumers indicated they'd avoid businesses following a security breach
     Sources: https://www.csid.com/resources/stats/data-breaches/ , http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey.html
  4. AWS Can Be More Secure than your Existing Environment
     In June 2015, IDC released a report which found that most customers can be more secure in AWS than in their on-premises environment. How?
     • Automating logging and monitoring
     • Simplifying resource access
     • Making it easy to encrypt properly
     • Enforcing strong authentication
  5. AWS and you share responsibility for security
     • AWS takes care of the security OF the Cloud: AWS Foundation Services (Compute, Storage, Database, Networking) and AWS Global Infrastructure (Regions, Availability Zones, Edge Locations)
     • You get to define your controls ON the Cloud: Customer applications & content, Identity & Access Control, Network Security, Inventory & Config, Data Encryption
  6. Constantly monitored
     The AWS infrastructure is protected by extensive network and security monitoring systems:
     • Network access is monitored by AWS security managers daily
     • AWS CloudTrail lets you monitor and record all API calls
     • Amazon Inspector automatically assesses applications for vulnerabilities
  7. Highly available
     The AWS infrastructure footprint protects your data from costly downtime:
     • 35 Availability Zones in 13 regions for multi-synchronous geographic redundancy
     • Retain control of where your data resides for compliance with regulatory requirements
     • Mitigate the risk of DDoS attacks using services like Auto Scaling and Amazon Route 53
  8. Integrated with your existing resources
     AWS enables you to improve your security using many of your existing tools and practices:
     • Integrate your existing Active Directory
     • Use dedicated connections as a secure, low-latency extension of your data center
     • Provide and manage your own encryption keys if you choose
  9. Key AWS certifications and assurance programs
  10. Threat Analytics Platform Overview: Cloud-based Threat Detection and Incident Investigation
     Presented by: Josh Goldfarb, VP, CTO - Emerging Technologies; Paul Lee, Senior Deployment Engineer - TAP
  11. What's at Risk?
     • 97% of organizations were breached
     • 3/4 had active command and control communications
     • 146 days: median number of days before detection
     • 32 days to respond to a breach
     • 53% of companies learned they were breached from an external entity
     Sources: Mandiant M-Trends Report; Ponemon Cost of Data Breach Study; Cyber Security's Maginot Line: A Real-World Assessment of the Defense-in-Depth Model
  12. Traditional Detection Strategies Aren't Working
     SIEM
     • Built for compliance, not security
     • "'Newly found' analytics love is really old SIEM hatred" (Anton Chuvakin, Jan 2015)
     • Average 15.2 months to fully implement (Ponemon 2015)
     • Implementation costs 3-5x software expenditure (Ponemon 2015, FireEye customer)
     MSSP
     • Built for operational efficiency, not security
     • One size fits all: they don't know your environment
     • No custom rules
     • Onboarding can be complex and slow
     • Present alerts but don't tell you how to respond
  13. Moving from Compliance to Proactive Security
     Cyber security program maturity; where do you fall? Capability over time: Compliance, Adaptive detection, Proactive hunting, Investigation & response. Organization over time: Security operations center, Cyber incident response team, Cyber defense center.
  14. What's Holding you Back?
     Threat detection
     • Overwhelmed by alert noise; alerts lack context
     • Inability to proactively hunt for covert, non-malware activity
     • Lack of visibility
     Analyst enablement
     • Hard to find, train and retain security talent
     • Investigation tools are expensive, complex and don't easily scale
  15. FireEye's Threat Analytics Platform: Cloud-based threat detection and investigation
     Visibility
     • Real-time, enterprise-wide visibility
     • Ingest AWS logs including AWS CloudTrail and VPC Flow Logs
     • Customizable views
     • Threat intel sharing portal
     Investigation
     • Alerts enriched with supporting data
     • Threat intelligence and point-in-time context about users affected, actions taken and hosts involved
     • Guided Investigation leads you through industry-leading investigative strategies
     Detection
     • Dedicated rules team evolves detection to respond to new threats
     • Continuous application of threat insight to identify attacks and provide context
     • Intel and rules evaluated against every event
     Time to value
     • Cloud-based infrastructure
     • Simplified deployment and management
     • Focus on managing incidents, not your tools
  16. Real-time, Enterprise-wide Visibility
     Unified: single pane of glass
     • Single interface gives analysts visibility into both cloud and datacenter resources
     • One tool for hunting, alerting, investigating, and responding
     Dashboards: customizable views
     • Customizable views ensure analysts can quickly see what's most important
     • Pivot directly from dashboard into investigation to detect and respond to incidents more quickly
     Sharing: threat intel sharing portal
     • Control what you share and with whom you share it, either openly or anonymously
     • Auto-extract IOCs from documents and export them in multiple standard formats
  17. Detection that Evolves with Your Attackers
     Rules: codifies 20+ years of security expertise
     • Detects non-malware attacker methodology as well as malware family behavior
     • Dedicated team of data scientists and security researchers continually refine the detection ruleset
     Analytics: detects non-malware based activity
     • Heuristic-based detection identifies previously unknown attacker behavior
     • Focused on non-malware activity such as lateral movement and exfiltration
     Indicators: tactical, strategic, and operational intelligence
     • Threat intelligence gleaned from the front lines
     • Domains, IP addresses, email addresses, MD5 hashes
  18. Where Does Our Intel Come From?
     • FireEye Sensors: 3,400+ customers, 250+ of the Fortune 500, 67 countries
     • Mandiant: 1,200+ customers, 200+ of the Fortune 500, 46 countries with customers
     • iSIGHT: 20 locations worldwide, 18 countries, 100+ experts
     • FaaS: 7 security operations centers, 200+ clients, 26+ million hits reviewed in 2015
  19. Agile, Guided Investigation
     Actionable threat insight: create breach storylines to plan your defense
     • Alerts enriched with detailed attacker context
     • Point-in-time context regarding users impacted, actions taken and hosts involved
     • Quickly validate and scope the incident
     Agile investigation: identify details around the intrusion
     • Easily pivot around indicators of compromise
     • Perform frequency analysis to spot anomalies
     • Scheduled search automates analysis activities
     Guided investigation: inform and accelerate investigation efforts
     • Industry-leading investigative strategies
     • Sets of queries based on different attack scenarios
     • Scenarios provide pre-populated questions and answers to help guide investigation efforts
  20. Cloud-based Threat Detection and Incident Investigation
     Quick time to value
     • Up and running in hours, not months
     • Virtual log collection ensures minimal onsite configuration
     • Fee-based jumpstart support available if required
     Easily scalable
     • Elastic, cloud-based deployment model
     • Metered by volume of event data consumed and how long data is retained for search
     • Scale seamlessly during activity bursts
     Predictable cost
     • Cloud-based subscription model provides predictable operating expense
     • Includes software, support, infrastructure, threat intelligence and codified security expertise
     • Eliminates costly professional services engagements
  21. Security for the Cloud, from the Cloud
     Detect malicious activity in AWS environments by providing increased simplicity, accessibility, and actionability to the data and information provided by Amazon's cloud.
  22. Simplicity
     • Move naturally from alerting to searching to incident response
     • Easy onboarding of logs from AWS services as well as Amazon EC2 instance and application logs: CloudTrail, CloudWatch (including VPC Flow Logs), Elastic Load Balancing (ELB), and more
  23. Accessibility
     • Flexible deployment models to suit virtually any cloud-based or hybrid-cloud infrastructure
     • Provides a "single pane of glass" for monitoring cloud activity as well as traditional datacenter logs
     • Extensive signature sets curated by FireEye in response to emerging threats
     • RESTful API available for integration and automation
  24. Flexible Deployment Model
     (Architecture diagram: CloudTrail and CloudWatch from the cloud, plus database, security and network logs from the data center, feed TAP collectors (TAP CB) into a dedicated VPC in the FireEye cloud holding the event index, rules, analytics and intelligence; the analyst works through the user interface with alerts, reports and search.)
  25. Actionability
     • Quickly search through billions of events with sub-second response
     • Deliver rich insight into threat actor profiles to provide context to threats targeting your organization
     • Alerting and incident response (IR) workflow
     • Prebuilt rule packs and custom rule capabilities
  26. Customer Use Case - Problem Statement
     The customer decided to make a substantial investment in AWS but lacked the tooling to effectively monitor both their cloud infrastructure and their traditional datacenters. Existing security tools, while adequate for their legacy systems, were not well suited to the elastic nature of the cloud. The customer needed a solution that could provide the visibility to monitor both environments and give analysts the tools necessary to build an effective cyber defense center.
  27. Customer Use Case - Solution
     1. FireEye implemented the Threat Analytics Platform (TAP) to provide enterprise-wide visibility across both the cloud and legacy environments.
     2. TAP's scalable ingestion and cloud-based back end eliminated many traditional hurdles such as host-based agents and licensing counts.
     3. TAP's rapid search and real-time alerting gave analysts the ability to move from compromised instances to compromised accounts and track attackers' activities.
  28. Why FireEye?
     Built by practitioners for practitioners
     • Designed by incident responders on the front lines of the world's largest breaches
     • Sub-second search across billions of events
     • Inline integration with strategic threat intel for attack and attacker context
     • Integrated case management
     Simplified deployment and management
     • Immediate time-to-value with minimal onsite configuration
     • Reduced management and tuning costs
     • Scale seamlessly during activity bursts
     Intelligence and expertise to detect the unknown
     • Discovered 25 of the last 40 zero days
     • Intelligence-informed detection leverages FireEye threat insight
     • Detection rules codify incident response front-line expertise
     • Heuristic-based detection to identify anomalous activity
  29. Live Demo
     Copyright © 2016, FireEye, Inc. All rights reserved. For more information, visit: www.fireeye.com/go/tap
  30. Q & A
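The deck repeatedly refers to ingesting CloudTrail log files and performing frequency analysis over them to spot anomalies, without showing what that looks like at the record level. The following is an added example written for this page, not FireEye or TAP code: it parses a CloudTrail-style JSON file (the sample records and the chosen thresholds are constructed assumptions, and only the fields the script reads are included), builds a per-principal, per-API-call frequency table, and raises findings for three defender-relevant patterns: repeated console-login failures from one source address, a burst of `AccessDenied` errors by one principal, and any call from a short list of logging-impairing API names (that list is an assumption, not a TAP rule pack).

```python
"""Frequency analysis over AWS CloudTrail records.

Added example, not FireEye/TAP code. The sample log below is constructed; a real
CloudTrail file is a JSON object with a "Records" array, and only the fields this
script reads are included here.
"""
import json
from collections import Counter

# API calls a defender usually wants to review individually because they reduce
# logging or monitoring coverage. The selection is an assumption for this example.
SENSITIVE_CALLS = {"StopLogging", "DeleteTrail", "UpdateTrail", "DeleteFlowLogs"}


def _rec(time, source, name, user, ip, **extra):
    """Build one constructed CloudTrail-style record."""
    r = {"eventTime": time, "eventSource": source, "eventName": name,
         "sourceIPAddress": ip, "userIdentity": {"type": "IAMUser", "userName": user}}
    r.update(extra)
    return r


# Constructed sample log: 11 records in total.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    # four failed console logins for alice from one address, then a success
    *[_rec("2016-05-10T12:00:0%dZ" % i, "signin.amazonaws.com", "ConsoleLogin",
           "alice", "198.51.100.7", responseElements={"ConsoleLogin": "Failure"})
      for i in range(4)],
    _rec("2016-05-10T12:00:09Z", "signin.amazonaws.com", "ConsoleLogin",
         "alice", "198.51.100.7", responseElements={"ConsoleLogin": "Success"}),
    # bob: one normal call, three AccessDenied errors, then a call that stops a trail
    _rec("2016-05-10T12:01:00Z", "ec2.amazonaws.com", "DescribeInstances", "bob", "203.0.113.5"),
    _rec("2016-05-10T12:01:05Z", "s3.amazonaws.com", "ListBuckets", "bob", "203.0.113.5",
         errorCode="AccessDenied"),
    _rec("2016-05-10T12:01:06Z", "s3.amazonaws.com", "GetObject", "bob", "203.0.113.5",
         errorCode="AccessDenied"),
    _rec("2016-05-10T12:01:07Z", "iam.amazonaws.com", "ListUsers", "bob", "203.0.113.5",
         errorCode="AccessDenied"),
    _rec("2016-05-10T12:02:00Z", "cloudtrail.amazonaws.com", "StopLogging", "bob", "203.0.113.5"),
    # carol: a single routine call, nothing to flag
    _rec("2016-05-10T12:03:00Z", "ec2.amazonaws.com", "DescribeInstances", "carol", "192.0.2.10"),
]})


def parse_cloudtrail(text):
    """Return the list of records from the body of a CloudTrail log file."""
    return json.loads(text)["Records"]


def principal(record):
    """Name the acting identity: IAM user name, else ARN, else the identity type."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def event_frequencies(records):
    """Count (principal, eventName) pairs: the baseline table for frequency analysis."""
    return Counter((principal(r), r.get("eventName")) for r in records)


def flag_anomalies(records, login_failure_threshold=3, denied_threshold=3):
    """Return findings from three checks: repeated console-login failures from one
    address, bursts of AccessDenied errors by one principal, and any sensitive call."""
    failures, denied, findings = Counter(), Counter(), []
    for r in records:
        p = principal(r)
        if (r.get("eventName") == "ConsoleLogin"
                and r.get("responseElements", {}).get("ConsoleLogin") == "Failure"):
            failures[(p, r.get("sourceIPAddress"))] += 1
        if r.get("errorCode") == "AccessDenied":
            denied[p] += 1
        if r.get("eventName") in SENSITIVE_CALLS:
            findings.append({"type": "sensitive_api_call", "principal": p,
                             "eventName": r["eventName"], "eventTime": r.get("eventTime")})
    for (p, ip), n in failures.items():
        if n >= login_failure_threshold:
            findings.append({"type": "login_failure_burst", "principal": p,
                             "sourceIPAddress": ip, "count": n})
    for p, n in denied.items():
        if n >= denied_threshold:
            findings.append({"type": "access_denied_burst", "principal": p, "count": n})
    return findings


if __name__ == "__main__":
    recs = parse_cloudtrail(SAMPLE_CLOUDTRAIL)
    for (p, name), n in event_frequencies(recs).most_common():
        print(f"{n:3d}  {p:8s} {name}")
    for f in flag_anomalies(recs):
        print("FINDING", f)
```

The frequency table is the part an analyst pivots on: once a principal's normal mix of API calls is known, a new call name or a sudden count change stands out before any rule fires. The thresholds are deliberately low so the constructed sample trips them; in production they would be set from the baseline the table provides, and the finding dicts would be written to whatever alerting path the SOC uses.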
