Tripwire Adaptive Threat Protection
•Download as PPTX, PDF•
3 likes•1,252 views
Learn how Tripwire helps you to discover the assets on your network and quickly identify and tag the vulnerable assets while applying the appropriate policies and remediation to improve your security posture and efficiencies while reducing the overall cost to your organization. In this presentation, Tripwire’s CTO, Dwayne Melançon, discusses how vulnerability scanning can produce vulnerability intelligence, and how that intelligence can be integrated with other sources of context from within information security to produce more effective and efficient detection, response and prevention.
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to Tripwire Adaptive Threat Protection
Similar to Tripwire Adaptive Threat Protection (20)
More from Tripwire
More from Tripwire (20)
Recently uploaded
Recently uploaded (20)
Tripwire Adaptive Threat Protection
- 2. Percentage of breaches that could be prevented by remediating known vulnerabilities Average time to detect an advanced persistent threat on a corporate network Percentage of unauthorized data access was through compromised servers Days the average malicious data breach took to resolve
- 4. Response Gap Time between discovery to remediation to limit damage Detection Gap Time between actual breach and discovery Prevention Gap Time to put preventative measures in place to avoid future attacks Have we been breached? Can we prevent this from happening again? How bad is it? DETECTION GAP RESPONSE GAP PREVENTION GAP
- 5. Advanced attacks—harder to detect and faster compromises Limited resources/time – need better prioritization, what is at risk? what do I fix first? Limited context from fragmented tools — need high- confidence actionable information
- 12. Accelerated Threat Response by automatically applying Tripwire Enterprise policies and actions based on vulnerability intelligence. Faster Threat Detection by automatically delivering prioritized vulnerability intelligence to Tripwire Enterprise. Effective Threat Prevention by automatically correlating vulnerability intelligence to business context DETECTION GAP RESPONSE GAP PREVENTION GAP
- 14. Identify all changes to high value systems Investigate each change, determine if it is suspicious Kick-off an incident response workflow
- 15. Investigate each change, determine if it is suspicious
- 16. Malware Identification – Identify known malware on assets with a Tripwire Enteprise agent through integration with threat intelligence partners Identify Zero-Days and Unknown Threats – Identify zero days and previously unknown threats by ‘detonating’ executable files in partner sandboxes for analysis. Monitoring for Peer, Community and Commercial IoCs – Automate the forensics investigation and proactive monitoring on high risk assets of indicators of compromise sourced from threat intelligence services
- 17. Identify files on critical assets Send file hashes to partner for analysis Update controls based on identified malware 54781923 79834875 29475927 34975249 33215151 !54781923 79834875 29475927 34975249 31241542
- 18. Identify suspicious files on critical assets Send whole file for ‘detonation’ and analysis Update controls based on identified threats !
- 19. Obtain IoCs from Threat Intelligence vendor(s) Import IoCs into Tripwire Enterprise for monitoring Update controls based on identified indicators IoCs !
Editor's Notes
- We see a lot of these kinds of numbers, and they change over time, so I don’t want you to focus on the specific statistics here, but on the picture they present overall. It’s a picture that I find most customers agree with, even if we debate the individual numbers. The data shows us that most breaches don’t use the latest 0day, but start with known, patchable vulnerabilities. The data shows us that we lose our data from compromised servers, but despite these trends, we’re taking longer to detect and resolve breaches. That’s the threat landscape; there’s a corresponding infosec landscape to consider as well.
- The typical enterprise has a wealth of information security data, coming from a plethora of tools. Over the last few years, we’ve aimed to solve this problem of too much data with colossal, centralized data warehouses and complex analytics. It’s a great solution to one set of problems, but the results, while valuable, are not timely or contextually relevant to specific tasks. What’s left is a gap….we’ll call it the cyberthreat gap.
- Actually, we’re talking about three distinct gaps; detection, response and prevention. Vendors and customers alike often miss the prevention gap. While we focus on faster, more accurate detection and response, circling back to prevent the same type of attack from succeeding is an important part of the process. Our goal at Tripwire is to help customers close these gaps.
- There are challenges to overcome and address here, however. [walk through them]. The limited context is the primary challenge I’m discussing here. With feedback from our customers, we’ve increasingly realized that Tripwire tools can provide context in specific situations that directly benefit customers, without the need to pour through a data warehouse or create complex analytics.
- We call this solution, a collection of capabilities really, Adaptive Threat Protection. The idea is that we combine ‘pieces of context’ from multiple tools, Tripwire’s and partners, at specific points where they enable customers to make better decisions or automate specific actions. [walk through context bits and outcomes]. While adaptive threat protection is broad in concept, I want to make it concrete with two specific use cases: Vulnerability Intelligence from IP360 and Threat Intelligence from our partners.
- You’re familiar with Tripwire Enterprise and the data it collects. IP360 also collects data like [blah blah blah].
- Our goal with this use case is to combine these two data sets in a way that delivers value to customers. Specifically, we want to combine IP360’s information about the attack surface with the automation that Tripwire Enterprise can provide. In order to understand how this works, we started with how it’s not working for customers.
- In talking to customers who have Tripwire Enterprise, we found a common theme for how they might use vulnerability management tools. [Click] First, you scan your environment, find some assets, and find some vulnerabilities. Your results may be limited in terms of what assets are scanned if you don’t have an adequate way of filtering and prioritizing the data created—many organizations only scan portions of their network since they’re unable to manage and act upon the amount of data created. [Click] Next, somebody creates a report. The report might include some basic prioritization, but manual effort is still required to prioritize the results in terms of what’s most important to your business. This report also needs hand-off to other roles and groups in your organization, and that’s usually a manual effort as well. [Click] Then comes the real challenge: combining the results from your vulnerability tool with what you have in your security configuration management tool, requiring even more manual effort, slowing down your ability to respond and adapt to the changing environment. At this point, by the time the data is manually integrated, it’s already an outdated threat landscape. [ talk about assets tagging, business context] [Click] Finally, your response through Security Configuration Management may be ineffective and inefficient since manual work often results in errors and stale information. This cycle that you have today with standalone solutions results in a lot of manual effort, spending time exchanging reports and PDFs, and manually prioritizing results to take action. Without automation and integration of the process you’re already behind the curve in closing the enterprise cyberthreat gap.
- With the addition of IP360, you magically fill in that missing puzzle piece. Here’s how the process differs: [Click] With Tripwire, instead of scanning, you profile the environment to comprehensively identify the assets in your environment, the applications installed on those assets, and the vulnerabilities on those assets. [Click] Tripwire IP360 provides a host of useful factors and metadata about the vulnerabilities on your network, including a granular vulnerability risk score that you can use to prioritize remediation. [Click] Built-in integration allows transferring of these priorities into your Security Configuration Management solution, Tripwire Enterprise, automating a step that was heavily manual in the previous example. [Click] At that point, with integrated data, you’re automatically keeping your Security Configuration Management solution up to date with continuous threat and risk information. This means you can now dynamically adapt what you’re doing in Security Configuration Management by monitoring the threat landscape in an automated way, responding more effectively, reducing manual effort and saving time.
- The end result brings us back to the ultimate goal of reducing the Enterprise Cyberthreat Gap. [Click] In terms of detection, you achieve faster threat detection by automatically delivering prioritized vulnerability intelligence into your security configuration management tool. [Click] The integrated view, and automated flow, of up to date vulnerability intelligence allows you to respond faster to threats with a continuous view of network security posture. [Click] Finally, your organization becomes more effective at threat prevention through increased visibility.
- To detect an advanced threat on a critical system, you can break this down into 3 fundamental steps: First you must identify every change that is happening to that system. If you build a system into an initial trusted state, and nothing ever changes to it, it is still in a trusted state. When a change occurs, it indicates the potential for something malicious to have happened. We all know this at Tripwire, because this is fundamentally WHY Tripwire Enterprise is the most important fundamental security control that exists. This is why Tripwire Enterprise has been a compliance requirement for so long – because if you can’t detect the changes, It doesn’t matter what else you do after that. Once we know about every change, now we have to narrow that down to figure out was any change suspicious? We can eliminate many changes by identifying them as part of the normal Business operations, by integrating to change management and workflow processes. We then get down to a small number of unidentifiable changes where a tripwire enterprise user may go take some manual investigative actions to figure out what was the source of this change and what happened. At the end of this, we may have found that yes there was actually a very suspicious or provably malicious change that happened on a system. This is where we now transition away from just detecting an advanced threat and onto kicking off the incident response process for the organization. Tripwire Enterprise does ALL of these things today. Our customers use our products to detect advanced threats TODAY. In many ways, we are the best product in the market already for doing this. But we can get even better…
- So let’s dig into that second step a little more. Identifying if a change is suspicious can be an onerous process. How can I tell if a change was suspicious? Even if it was unidentified, I may have hundreds or thousands of unidentified changes happening every day on my systems. How can I figure out which of those changes I really need to pay attention to RIGHT NOW? That is where threat intelligence comes into play. By being able to automate looking at any change and seeing in the context of all this other sources of information and analysis I have at my disposal, does this look suspicious, I can make this investigation phase much easier. If this change is matching an indicator of compromise that malicious threat actors are using in the wild right now in active threat campaigns, that is a change that should stand-out immediately. If this change is actually a binary file and this binary contains suspicious behavior in it that is indicative of the kind of advanced malware threats being used today, that should stand-out immediately. If one of my peers detected an advanced threat against their network this morning, and I see the same kind of changes this afternoon they just shared with me they saw as a result of that attack this morning, that should stand-out immediately. These are the things that threat context can add to Tripwire Enterprise.
- We have been out talking to our customers about how they are approaching security in this modern breach environment. These are companies that have invested a lot into deploying Tripwire onto their high value assets, and not just going and putting that agent on those systems, but really tightly integrating the deep change detection capability of Tripwire into their operational workflows, so that they can identify suspicious changes, prioritize them, investigate, and then escalate them to a remediation effort. The overriding theme of what we have heard is that these companies are also making investments into other types of services around advanced threats to give them a better capability to identify new and unknown threats, and get specifically tailored information about the threat environment specific to their organization. We are definitely seeing more of this taking place at the very high-end of the market right now in the largest and most sophisticated organizations, but we are starting to see this move towards the broader market as well. We have developed new technology over the last 6 months to address this for our customers - giving them new capabilities to leverage their existing Tripwire deployments to add the capability to identify when suspicious changes that we already detect are specifically indicators of advanced threats. I’d like to show you 3 of these use cases for what we have built - this is operational today, working with 7 different partners that offer capabilities in this area, and we’ve been piloting this with some early customers for the last 60 days. The first is an advanced malware identification use case - finding when we see binaries that change if they behave in suspicious ways - bringing the same kind of network-based malware analytics that we have seen grow in the market to high value targets. The second is giving customers the ability to take in peer and community sourced indicators of compromise - the threat intelligence sharing we are seeing grow today around the STIX and TAXII standards, and letting our customers not just see that from a human analyst perspective, but directly integrate it into Tripwire so they can see if they have ever before, or ever in the future see those indicators on their critical systems. The third is integration to commercial threat intelligence services - these high-end services that today are producing comprehensive threat briefings that a CISO may be reading, we are now able to take the indicators of compromise coming as part of those reports and start automatically monitoring for those indicators on high risk assets, so at the same time the CISO may be reading a PDF document, Tripwire is providing data to the analysts. Let me walk you through how each of these 3 use cases work...
- Again and again customers are telling us that protecting business critical data from cyber attacks is a top priority. They don’t want business critical endpoints to be compromised and become the next data breach in the news. This can be really challenging because cyber attacks are becoming faster and more sophisticated each day with cyber criminals frequently changing their approach and tactics. Zero-day malware can slip by network perimeter defenses because network security prevention and detection solutions working alone are not effective as they lack endpoint visibility and intelligence. Tripwire Adaptive Threat Protection helps quickly identify potential threats on high-risk assets by continuously monitoring for all file system changes as well as automatically detecting which suspicious changes are indeed malware. Let me explain how this works. Tripwire Enterprise monitors files on your critical systems for changes as well as introduction of new files to your systems. When Tripwire identifies a suspicious file it is sent to a malware analysis service. This malware analysis service reports back to Tripwire Enterprise letting you know if it is a benign file of if it is a known threat.
- Again and again customers are telling us that protecting business critical data from cyber attacks is a top priority. They don’t want business critical endpoints to be compromised and become the next data breach in the news. This can be really challenging because cyber attacks are becoming faster and more sophisticated each day with cyber criminals frequently changing their approach and tactics. Zero-day malware can slip by network perimeter defenses because network security prevention and detection solutions working alone are not effective as they lack endpoint visibility and intelligence. Tripwire Adaptive Threat Protection helps quickly identify potential threats on high-risk assets by continuously monitoring for all file system changes as well as automatically detecting which suspicious changes are indeed malware. Let me explain how this works. Tripwire Enterprise monitors files on your critical systems for changes as well as introduction of new files to your systems. When Tripwire identifies a suspicious file it is sent to a malware analysis service. This malware analysis service reports back to Tripwire Enterprise letting you know if it is a benign file of if it is a known threat.
- Again and again customers are telling us that protecting business critical data from cyber attacks is a top priority. They don’t want business critical endpoints to be compromised and become the next data breach in the news. This can be really challenging because cyber attacks are becoming faster and more sophisticated each day with cyber criminals frequently changing their approach and tactics. Zero-day malware can slip by network perimeter defenses because network security prevention and detection solutions working alone are not effective as they lack endpoint visibility and intelligence. Tripwire Adaptive Threat Protection helps quickly identify potential threats on high-risk assets by continuously monitoring for all file system changes as well as automatically detecting which suspicious changes are indeed malware. Let me explain how this works. Tripwire Enterprise monitors files on your critical systems for changes as well as introduction of new files to your systems. When Tripwire identifies a suspicious file it is sent to a malware analysis service. This malware analysis service reports back to Tripwire Enterprise letting you know if it is a benign file of if it is a known threat.
- Companies are investing a great deal into how they are approaching security in this modern breach environment. They are not just putting agents on their high value assets, but tightly integrating the deep change detection capability of Tripwire into their operational workflows so that they can identify suspicious changes, prioritize them, investigate, and then escalate them to a remediation effort. Organizations are also making investments into other types of services around advanced threats to give them a better capability to identify new and unknown threats, and get specifically tailored information about the threat environment specific to their organization. The convergence of security controls depends on two important capabilities—the ability to integrate and the ability to automate. Integration allows sharing of important data between controls, and automation acts upon that shared data. We’ve created these partnerships to bring together the best information to make the best and most timely decisions. You have the flexibility to select the custom, open source, regional feeds that best meet your needs with access to a global network of leading technologies across the security community. <click> Tripwire continuously monitors and captures real-time, reliable data on endpoint systems. It integrates with threat intelligence to discover and identify new and zero-day threats. System binary changes are automatically reviewed for known and advanced threats ensuring malicious changes are rapidly detected. Once malware is identified, Tripwire determines which systems were compromised pre-zero-day and for how long. <click> With Tripwire Enterprise workflow automation, prioritize action for changes on systems with threats identified by threat intelligence provider over benign changes, reducing the time to remediate threats. <click> Turn attacks on endpoints into known threats, within minutes. Now a binary detected by Tripwire Enterprise is blocked within minutes from further infection at the network level. Control, monitor and adjust configurations based on new identified threats and new IOCs. Together, these combined solutions integrate network and endpoint security together to improve the accuracy and time to detect and protect against advanced threats. Let me share with you a few of these use cases.
- For more information, visit Tripwire.com to download the Vulnerability Intelligence Solution Brief, request a demonstration of adaptive threat protection, and learn more about Tripwire Enterprise and Tripwire IP360