Addressing the cyber kill chain
2. Agenda
1 Current Threat Landscape Challenges
2 The Cyber Kill Chain
3 How Symantec can help
4 Q&A
Copyright © 2015 Symantec Corporation
4. Enterprise Threat Landscape
Attackers Moving Faster: 5 of 6 large companies attacked; 317M new malware created; 1M new threats daily; 60% of attacks targeted SMEs
Digital extortion on the rise: 113% increase in ransomware; 45X more devices held hostage
Malware gets smarter: 28% of malware was Virtual Machine Aware
Zero-Day Threats: 24 (all-time high); top 5 unpatched for 295 days
Many Sectors Under Attack: Healthcare +37%, Retail +11%, Education +10%, Government +8%, Financial +6%
Source: Symantec Internet Security Threat Report 2015
5. Key Trends Reshaping the Enterprise Security Market
RESURGENCE OF ENDPOINT: Rapid shift to mobile and IoT
DISAPPEARING PERIMETER: Decreasingly relevant with a "fuzzy" perimeter
RAPID CLOUD ADOPTION: Enterprise data and applications moving to the cloud
SERVICES: Security as a Service; box fatigue
CYBERSECURITY: Governments and regulators playing an ever larger role
10. Top Breaches in 2015 (so far...)
13. The Cyber Kill Chain
• Military concept, now applied to cyber security
• Developed by Lockheed Martin in 2011
• Describes the phases an adversary will follow to target an organization
• It has 7 well-defined phases
• An attack is considered successful only if/when all phases have been accomplished
15. Addressing the Cyber Kill Chain
Columns for each phase: Detect | Deny or Contain | Disrupt, Eradicate or Deceive | Recover

Reconnaissance
  Detect: web analytics, Internet scanning reports, vulnerability scanning, pen testing, SIEM, DAST/SAST, threat intelligence, TIP
  Deny or Contain: firewall ACL, system and service hardening, network obfuscation, logical segmentation
  Disrupt, Eradicate or Deceive: honeypot
  Recover: SAST/DAST

Weaponization
  Detect: sentiment analysis, vulnerability announcements, vulnerability assessment
  Deny or Contain: NIPS, NGFW, patch management, configuration hardening, application remediation
  Disrupt, Eradicate or Deceive: SEG, SWG
  Recover: (none listed)

Delivery
  Detect: user training, security analytics, network behavior analysis, threat intelligence, NIPS, NGFW, WAF, DDoS, SSL inspection, TIP
  Deny or Contain: SWG, NGIPS, ATD, TIP
  Disrupt, Eradicate or Deceive: EPP
  Recover: backup or EPP cleanup

Exploitation
  Detect: EPP, NIPS, SIEM, WAF
  Deny or Contain: EPP, NGIPS, ATD, WAF
  Disrupt, Eradicate or Deceive: NIPS, NGFW, EPP, ATD
  Recover: data restoration from backups

Installation
  Detect: EPP, endpoint forensics or ETDR, sandboxing, FIM
  Deny or Contain: EPP, MDM, IAM, endpoint containerization/app wrapping
  Disrupt, Eradicate or Deceive: EPP, HIPS, incident forensic tools
  Recover: incident response, ETDR

Command and Control
  Detect: NIPS, NBA, network forensics, SIEM, DNS security, TIP
  Deny or Contain: IP/DNS reputation blocking, DLP, ATA
  Disrupt, Eradicate or Deceive: DNS redirect, threat intelligence on DNS, egress filtering, NIPS
  Recover: incident response, system restore

Action on Targets
  Detect: logging, SIEM, DLP, honeypot, TIP, DAP
  Deny or Contain: egress filtering, SWG, trust zones, DLP
  Disrupt, Eradicate or Deceive: QoS, DNS, DLP, ATA
  Recover: incident response

Source: Gartner (August 2014) – G00263765
17. Symantec Enterprise Security | STRONG FRANCHISES
Endpoint Security: #1 share; AAA rating 12 quarters in a row
Email Security: #1 share; 100% uptime with <0.0003% FPs 5 years in a row
Data Protection: #1 DLP share; 100% of Fortune 100
Trust Services: #1 share; 6B certificate lookups/day
Authentication & Authorization: 13B validations every day; 100% uptime last 5 years
Managed Security Services: 12 yrs Gartner MQ leader; 30B logs analyzed/day
18. Symantec Enterprise Security | UNIQUE VISIBILITY
57M attack sensors in 157 countries
175M endpoints
182M web attacks blocked last year
3.7T rows of telemetry; 100 billion more/month
9 threat response centers
500+ rapid security response team
30% of the world's enterprise email traffic scanned/day
1.8 billion web requests
20. Addressing the Cyber Kill Chain with Symantec
Columns for each phase: Detect | Deny or Contain | Disrupt, Eradicate or Deceive | Recover

Reconnaissance
  Detect: Deepsight Threat Intelligence, Managed Security Services (MSS), Control Compliance Suite
  Deny or Contain: Control Compliance Suite, Datacenter Security
  Disrupt, Eradicate or Deceive: N/A
  Recover: N/A

Weaponization
  Detect: Deepsight Managed Adversary Threat Intelligence (MATI)
  Deny or Contain: Control Compliance Suite, Altiris ITMS
  Disrupt, Eradicate or Deceive: Messaging Gateway, Symantec.cloud (email/web)
  Recover: N/A

Delivery
  Detect: MSS, Deepsight Threat Intelligence, Blackfin acquisition (user training, phishing tests)
  Deny or Contain: ATP Suite, Deepsight Threat Intelligence
  Disrupt, Eradicate or Deceive: Endpoint Protection
  Recover: Endpoint Protection (Power Eraser), Veritas

Exploitation
  Detect: Endpoint Protection, Datacenter Security, MSS
  Deny or Contain: Endpoint Protection, Datacenter Security, ATP Suite, Deepsight Threat Intelligence
  Disrupt, Eradicate or Deceive: Endpoint Protection, ATP Suite, Datacenter Security
  Recover: Veritas

Installation
  Detect: Endpoint Protection, Advanced Threat Protection Suite (ATP Suite), Datacenter Security
  Deny or Contain: Endpoint Protection, Mobility Suite, Authentication Manager, VIP, Managed PKI
  Disrupt, Eradicate or Deceive: Endpoint Protection, ATP Suite, Datacenter Security
  Recover: Incident Response Retainer Services

Command and Control
  Detect: MSS, Deepsight Threat Intelligence
  Deny or Contain: Deepsight Threat Intelligence, DLP, ATP Suite
  Disrupt, Eradicate or Deceive: Deepsight Threat Intelligence
  Recover: Incident Response Retainer Services

Action on Targets
  Detect: MSS, Data Loss Prevention (DLP), Deepsight Threat Intelligence
  Deny or Contain: Data Loss Prevention
  Disrupt, Eradicate or Deceive: DLP, ATP Suite
  Recover: Incident Response Retainer Services

Source: Gartner (August 2014) – G00263765
21. Recommendations
Reconnaissance
• Regular external scans / pentests
• Deepsight MATI: monitor the underground Internet
• DCS:SA: enforce the least-privilege concept on Internet-facing servers
• MSS: analytics to detect indicators of unwanted activity against Internet-facing servers
• Employ an SDLC to guarantee applications process untrusted input correctly
Weaponization
• Deepsight Intelligence: keep informed of recently discovered vulnerabilities and of the weaponized exploits available to adversaries
• Deepsight MATI: monitor possible/future activities planned against your organization and track adversaries
22. Recommendations
Delivery
• Keep using your traditional controls (NGFW, NGIPS, SWG, DDoS, WAF) to provide visibility and prevent compromise attempts
• ATP Suite: inspect suspicious files through sandboxing analysis
• Analyze DNS resolution to unwanted or malicious hosts
Exploitation
• MSS: collect and correlate logs from various control points to provide better visibility of malicious behavior
• Email Security.cloud, Endpoint Protection: these can help stop most attack attempts
• Deepsight Datafeeds: provide intelligence on malicious IPs/domains to your SIEM
• ATP Suite: inspect suspicious files through sandboxing analysis
23. Recommendations
Installation
• Endpoint Protection: greater protection against advanced malware and browser attacks, plus application white/blacklisting
• SAM/VIP/MPKI: employ strong authentication to reduce the likelihood of installation and data access
• Incident Response Retainer: helps with incident response practices and containment
Command and Control
• Deepsight Datafeeds: provide intelligence on malicious IPs/domains to your SIEM. They can also be used to create a "DNS sinkhole" to divert malicious connections
• MSS: collect and correlate logs from various control points to provide better visibility of malicious behavior, including C&C connections
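The two DNS recommendations above (analyze DNS resolution to malicious hosts in the Delivery phase, and feed IP/domain intelligence into the SIEM and a DNS sinkhole in the Command and Control phase) come down to one mechanism: match resolver query logs against a domain feed, and turn the feed into a resolver policy that redirects those names. The following is an added example written for this page, not Symantec, Gartner or Deepsight code. The IOC feed, the BIND-style query-log lines and the sinkhole address 10.0.0.1 are constructed for illustration; a real deployment loads the feed from a threat-intelligence datafeed and points the zone at an internal sinkhole host whose connection logs the SIEM collects.

```python
"""Match DNS query logs against a domain threat-intelligence feed and emit a
BIND Response Policy Zone (RPZ) that sinkholes the matched domains.

Added example, not Symantec, Gartner or Deepsight code. IOC_DOMAINS,
SAMPLE_LOG and the sinkhole address 10.0.0.1 are constructed for illustration.
"""
import re
from typing import Iterable, List, Optional, Tuple

# Constructed feed: apex domains reported as command-and-control infrastructure.
IOC_DOMAINS = {"evil-c2.example", "update-srv.test"}

# Constructed BIND-style query log. The last line is a look-alike that must NOT
# match: evil-c2.example.org is a different registered domain.
SAMPLE_LOG = """\
12-Jun-2015 09:15:02.123 client 10.1.4.22#51234: query: www.symantec.com IN A +
12-Jun-2015 09:15:07.456 client 10.1.4.22#51240: query: cdn.evil-c2.example IN A +
12-Jun-2015 09:15:09.789 client 10.1.7.90#40001: query: update-srv.test IN TXT +
12-Jun-2015 09:16:30.001 client 10.1.4.22#51301: query: evil-c2.example.org IN A +
"""

QUERY_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so feed and log names compare equal."""
    return name.rstrip(".").lower()


def matched_ioc(qname: str, iocs: Iterable[str]) -> Optional[str]:
    """Return the feed entry that qname equals or is a subdomain of, else None.

    Matching on DNS labels (exact name or a '.<ioc>' suffix) rather than on a
    plain substring is what keeps 'evil-c2.example.org' from being a false positive.
    """
    qname = normalize(qname)
    for ioc in iocs:
        ioc = normalize(ioc)
        if qname == ioc or qname.endswith("." + ioc):
            return ioc
    return None


def find_c2_lookups(log_text: str, iocs: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client, queried name, matched IOC) for every query hitting the feed."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line; ignore
        ioc = matched_ioc(m["qname"], iocs)
        if ioc is not None:
            hits.append((m["client"], normalize(m["qname"]), ioc))
    return hits


def rpz_zone(iocs: Iterable[str], sinkhole_ip: str = "10.0.0.1",
             origin: str = "rpz.local") -> str:
    """Render a minimal RPZ zone for BIND.

    Each IOC gets an exact record and a wildcard record so subdomains are caught
    too; an A record pointing at the sinkhole is the RPZ 'Local Data' action.
    The zone is activated with a 'response-policy { zone "rpz.local"; };'
    statement in named.conf (zone name is an assumption of this example).
    """
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 60",
        "@  IN SOA localhost. hostmaster.localhost. (1 3600 600 86400 60)",
        "@  IN NS  localhost.",
    ]
    for ioc in sorted(normalize(i) for i in iocs):
        lines.append(f"{ioc}  IN A {sinkhole_ip}")
        lines.append(f"*.{ioc}  IN A {sinkhole_ip}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for client, qname, ioc in find_c2_lookups(SAMPLE_LOG, IOC_DOMAINS):
        print(f"ALERT {client} resolved {qname} (feed entry {ioc})")
    print(rpz_zone(IOC_DOMAINS))
```

Run as written it reports the two internal clients that resolved feed domains and prints the zone; the sinkholed clients then show up as connections to 10.0.0.1, which is the list of hosts the incident response step starts from.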
24. Recommendations
Action on Targets
• Data Loss Prevention: perform continuous monitoring of user behavior/data access
• Employ database monitoring tools to detect/block suspicious data access (excess in volume, abnormal times, locations, etc.)
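The three signals the database-monitoring bullet names (volume, time, location) are each a comparison of an audit record against a per-account baseline. The following is an added example written for this page, not Symantec code and not any DLP or database-monitoring product. The baseline, the audit records and the volume threshold are constructed; in practice the baseline is learned from weeks of audit history and the records come from the database's native audit log.

```python
"""Flag suspicious database access from audit records using the three checks
the slide names: excess volume, abnormal time, abnormal location.

Added example, not Symantec code. BASELINE, AUDIT_RECORDS and the
volume_factor threshold are constructed for illustration.
"""
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import median
from typing import Dict, List, Tuple

# Constructed baseline per account: typical result sizes, working-hour window
# [start, end) in local time, and source networks previously seen.
BASELINE: Dict[str, dict] = {
    "analyst1": {"rows": [120, 95, 140, 110, 130], "hours": (8, 19), "nets": ["10.1.0.0/16"]},
    "svc_report": {"rows": [5000, 5200, 4900], "hours": (0, 24), "nets": ["10.9.0.0/24"]},
}

# Constructed audit records: timestamp, account, source IP, statement, rows returned.
AUDIT_RECORDS = [
    {"ts": "2015-06-12T10:05:00", "user": "analyst1", "src": "10.1.4.22",
     "stmt": "SELECT name FROM customers WHERE id = ?", "rows": 1},
    {"ts": "2015-06-12T23:40:00", "user": "analyst1", "src": "10.1.4.22",
     "stmt": "SELECT * FROM customers", "rows": 250000},
    {"ts": "2015-06-13T02:00:00", "user": "svc_report", "src": "10.9.0.15",
     "stmt": "SELECT * FROM daily_sales", "rows": 5100},
    {"ts": "2015-06-13T11:00:00", "user": "analyst1", "src": "203.0.113.7",
     "stmt": "SELECT name FROM customers WHERE region = ?", "rows": 90},
]


def analyze(record: dict, baseline: Dict[str, dict], volume_factor: int = 10) -> List[str]:
    """Return the names of the rules the record violates (empty list if none).

    An account with no baseline is reported on its own: a never-seen login
    touching data is exactly what the Action-on-Targets phase looks like.
    """
    profile = baseline.get(record["user"])
    if profile is None:
        return ["unknown_account"]
    reasons = []

    # Volume: result set far above the account's historical median.
    if record["rows"] > volume_factor * median(profile["rows"]):
        reasons.append("volume")

    # Time: access outside the account's working window.
    hour = datetime.fromisoformat(record["ts"]).hour
    start, end = profile["hours"]
    if not (start <= hour < end):
        reasons.append("off_hours")

    # Location: source address outside every network seen for the account.
    src = ip_address(record["src"])
    if not any(src in ip_network(n) for n in profile["nets"]):
        reasons.append("location")
    return reasons


def flag_suspicious(records, baseline) -> List[Tuple[str, str, List[str]]]:
    """Return (timestamp, account, reasons) for each record that trips a rule."""
    flagged = []
    for r in records:
        reasons = analyze(r, baseline)
        if reasons:
            flagged.append((r["ts"], r["user"], reasons))
    return flagged


if __name__ == "__main__":
    for ts, user, reasons in flag_suspicious(AUDIT_RECORDS, BASELINE):
        print(f"{ts} {user}: {', '.join(reasons)}")
```

The full-table dump at 23:40 trips both the volume and off-hours rules, while the small daytime query from an external address trips only the location rule; the overnight service-account job is within its own baseline and is not reported, which is why the baseline has to be per account rather than global.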
26. Thank you!
Copyright © 2015 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its
affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or
implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
André Carraretto, CISSP
andre_carraretto@symantec.com
@andrecarraretto
https://br.linkedin.com/in/andrecarraretto