View the webinar on demand now! https://goo.gl/Mvv4Hw
Defensive security technologies increasingly fail to prevent advanced attackers from gaining access to enterprise networks. Sophisticated attackers can only be stopped by proactive security measures that harness skilled analysts and advanced technology.
Join Morphick and Endgame for a webinar to learn effective strategies to detect and eliminate advanced threats in your Enterprise. This webinar will highlight:
- Today’s security landscape
- How to close the protection gap
- Three strategic considerations to stop advanced threats
Three Considerations To Amplify Your Detection and Response Program
1. Three Considerations To Amplify Your Detection and Response Program
with Mark Dufresne and David Lavinder
Confidential and Proprietary
2. Who Are We?
Mark Dufresne (@mark_dufresne)
Endgame - Director of Threat
Research and Adversary Prevention
David Lavinder (@dllavinder)
Morphick - Vice President,
Threat Intelligence
Prior: 13 years at NSA, Operations Chief
for Offensive and Defensive Cyber Ops
Prior: 7 years as Air Force Digital Network
Intelligence Principal Intelligence Analyst
3. Topics
§ 3 Key Challenges to a Detection and Response Program
– Advanced TTPs
– Analytical Tradecraft
– Detection Methodologies
§ The Morphick / Endgame Approach
– Beyond IOC/Signature Detection
– Uncovering the Full Story
– Integrated Prevention, Detection, and Response
4. Advanced TTPs
§ New Attacks > Existing Defenses
– Paradigm Shift – Attackers are People
§ Designed to defeat off-the-shelf defense
– Advanced Evasion Techniques
– Custom rolled malware
§ In-memory Attacks
– DLL side-loading
– Malware-less attacks
§ Malicious use of Admin Tools
– PowerShell
– WMI
6. The Detection Problem
The technology problem:
§ Limited enterprise-wide visibility
§ Complex tools that don’t work well together
§ Static defenses that do not adapt
§ Difficult to deploy and maintain solutions
The people problem:
§ SOC analyst talent shortage
§ Alert fatigue
§ Fighting an asymmetric battle
§ Unprepared for an incident
7. So What Do I Need?
The right tradecraft
armed with
The right technology
8. The Right Technology
§ Detection
– Beyond IOC/Signature-based detection
§ Visibility
– Enabling visibility and rapid detection of unknown advanced attackers
§ Prevention
– Automatically protecting against the vast majority of malicious activity
9. Beyond IOC/Signature-Based Detection
§ Signatures (IOCs) aren’t enough
§ Attackers adjust tools and tradecraft
§ Attackers cycle infrastructure
§ Attackers live off the land
Good for pivoting.
Bad foundation for protection.
WHAT ABOUT THE UNKNOWN?
10. So What Should I Do Instead?
You need a different method of detection
§ Focused on behaviors/techniques
§ At each stage of the attacker lifecycle
§ Layered and working together
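As an added illustration of the point above (example code, not part of the Morphick/Endgame deck), the following Python runs a signature-style IOC check and a behavior-style check side by side over constructed process telemetry; every host, hash, domain and command line is made up, and the Office-spawns-admin-tool rule is one hypothetical behavior rule, not a description of either vendor's product.

```python
# Added illustration (not from the deck): why hash/domain IOCs miss an attacker
# who re-rolls tooling, while a rule keyed on the technique still fires.
# All hosts, hashes, domains and command lines below are constructed sample data.
from dataclasses import dataclass
from typing import Optional

@dataclass
class ProcessEvent:
    host: str
    parent: str       # parent process image name
    image: str        # process image name
    cmdline: str
    sha256: str
    dest_domain: str  # outbound connection by this process, "" if none

# Intel from a prior incident: one binary hash and one C2 domain (constructed).
KNOWN_HASHES = {"aaaa1111" * 8}
KNOWN_DOMAINS = {"update-check.example.invalid"}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
ADMIN_TOOLS = {"powershell.exe", "wmic.exe", "mshta.exe", "regsvr32.exe"}
ENCODED_FLAGS = ("-enc", "-encodedcommand", "-w hidden", "downloadstring")

def ioc_match(ev: ProcessEvent) -> bool:
    """Signature-style check: fires only on artifacts seen before."""
    return ev.sha256 in KNOWN_HASHES or ev.dest_domain in KNOWN_DOMAINS

def behavior_match(ev: ProcessEvent) -> Optional[str]:
    """Technique-style check: an Office app launching an admin tool with an
    encoded or hidden command line is the behavior, whatever the hash or domain."""
    if ev.parent.lower() in OFFICE_APPS and ev.image.lower() in ADMIN_TOOLS:
        if any(flag in ev.cmdline.lower() for flag in ENCODED_FLAGS):
            return "execution: office app spawned admin tool with encoded command"
    return None

EVENTS = [  # constructed telemetry; ws02 is the same technique with re-rolled hash and domain
    ProcessEvent("ws01", "winword.exe", "powershell.exe", "powershell -w hidden -enc QUJD",
                 "aaaa1111" * 8, "update-check.example.invalid"),
    ProcessEvent("ws02", "excel.exe", "powershell.exe", "powershell -nop -w hidden -EncodedCommand QUJD",
                 "bbbb2222" * 8, "cdn-sync.example.invalid"),
    ProcessEvent("ws03", "explorer.exe", "powershell.exe", "powershell Get-Process", "cccc3333" * 8, ""),
]

def triage(events):
    """Map host -> (ioc_hit, behavior_label); the gap between the two is the 'unknown'."""
    return {ev.host: (ioc_match(ev), behavior_match(ev)) for ev in events}

if __name__ == "__main__":
    for host, (ioc, beh) in triage(EVENTS).items():
        print(f"{host}: ioc={ioc} behavior={beh}")
```

ws02 carries an unseen hash and a fresh domain, so the IOC check is silent, but the behavior rule still labels it; ws03 is an ordinary interactive PowerShell session and trips neither.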
11. But EVERYONE is Saying “Behavior”
§ NGAV – malware and exploit prevention
§ But what about bypass and file-less attacks? Only part of the problem
§ Both EDR and NGAV are adding detection of behaviors
§ Capturing process actions and writing rules (IOAs)
§ Still a signature. Still brittle. Vulnerable to bypass.
§ Experts needed for configuration
This is still not the right mix
12. Gather Visibility – Endpoints and Network
§ You need full visibility on system events and other data
– Persistence
– Processes
– Network
– Users
– More
§ A mountain of data doesn’t do you much good without analytics
– Endgame provides sophisticated analytics to guide the hunt
– Chatbot guides users through the hunt
– Robust API allows for flexible and powerful access and enrichment
13. Gather Visibility - Memory
§ Memory is a permissive environment for attackers. Why?
– Memory analysis doesn’t scale
– Need to know what you are looking for (search based)
– Until now…
§ Endgame technology
– Patent-pending technology detects stealthy adversaries in memory in seconds, at scale
– Detects process hollowing, thread hijacking, module hiding, and much more
§ Precise identification of suspicious memory and remediation
§ Follow on analytic actions such as extraction of IOCs
14. Behavioral Preventions
§ Exploits – Hardware and Software approaches
§ Macros – Detecting malicious execution of macros
§ Malware – Machine learning (Malwarescore™)
§ Kernel-level technique preventions
– Atomic-level system state in the presence of malicious behaviors
– More than streaming rules. Simple configuration, inline and hardened.
§ Ransomware
Layered prevention minimizes adversary’s capability to entrench
Much more than traditional AV
15. The Right Tradecraft
§ Analytical Pivoting
– Discovering unknowns from knowns, across the kill chain
§ Generate Threat Intelligence
– Extract as much intel from a positive detection event as possible
§ Harden Defenses
– Update defenses with new intelligence
16. Visibility Across the Kill Chain
§ A security analyst’s job doesn’t END at detection, it BEGINS there
§ Take that single detection event and explore the kill chain
– How did it get here?
– What was it going to do next?
18. The Power of a Security Analyst
§ Discovering unknowns from knowns
– Identifying missed detection opportunities
§ Telling the whole story
– Tracing an event to earlier kill chain steps
§ Then BUILD IT BACK IN
§ The analysis tradecraft is getting lost amongst all the tools
§ Visibility is key, but good tradecraft unlocks the power of that visibility
19. SOLUTION
§ Combination of Technology and Tradecraft
Technology provides layered behavioral prevention
Technology provides visibility and access
Tradecraft finds the remaining adversary
Tradecraft hardens defenses
20. Managed Endpoint Detection and Response (MEDR)
§ Continuous Endpoint Threat Monitoring & Advanced Prevention
§ Full Attack Cycle Threat Detection
§ Proactive, scalable Threat Hunting
§ Detailed Forensic Investigation and Threat Validation
§ NSA-CIRA Accredited Incident Response Services
Best in-class Tech, Wrapped in Best in-class Service
21. Interested in learning more?
Come see us at RSA
§ Endgame Booth, South Hall #1739
§ Morphick Booth, North Hall #5004
Schedule a Demo
§ Endgame
– Ashwini Almad
– AAlmad@Endgame.com
§ Morphick
– Tom Doepker
– Tom.Doepker@Morphick.com