With malware accounting for at least 40% of all breaches, knowing how malware works can be an extremely valuable asset in your threat detection toolkit, especially for the incident responder. According to Verizon’s 2013 Data Breach Investigations Report, “Malware and hacking still rank as the most common [threat] actions”. In general, malware ranges from simple annoyances like pop-up advertising to serious damage like stealing passwords and data or infecting other machines on the network.
Malware is as old as software itself and although there are new types of malware constantly under development, they generally fall into a few broad categories. Check out this SlideShare to learn how malware works, and what we believe are the most common types of malware you should be prepared for.
By learning how malware works and recognizing its different types, you’ll understand:
- How they find their way into your network
- How attackers control them remotely
- How they use your systems for nefarious purposes
- And most importantly, the security controls you need to effectively defend against and detect malware infections. (Hint: you need more than antivirus!)
3. Agenda
• What is malware?
• Malware variants
• How does it get in?
• Tips for mitigating risk
• Detecting malware with USM
4. What is Malware?
Malware is a portmanteau that refers to malicious software and encompasses a large variety of computer programs designed to steal sensitive data, gain unauthorized access, or just wreak havoc.
6. Top Threats seen by SpiceHeads
We asked SpiceHeads what kind of malware they are seeing and
these seem to be the most prevalent:
• Ransomware
• Potentially Unwanted Programs (PUPs)
• Misc phishing emails
• Malicious email attachments disguised as PDFs, Excel docs, etc.
Most popular “funny” answer?
Users… :p
7. How does it get in?
Users
• Blindly clicking links in email, social media, etc.
• Downloading and running email attachments
• Disgruntled/generally malicious users
• Using company assets outside of corporate perimeter
Social Engineering
• Phishing/Spearphishing
• Drive-by downloads
• Malicious executables
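The attachment route above (files disguised as PDFs or Excel docs, double extensions like invoice.pdf.exe) can be checked mechanically before a user ever double-clicks. The following is an added example and is not code from the webinar or from AlienVault USM: it compares a file's claimed extension against its magic bytes, flags double and right-to-left-override extension tricks, and looks inside OOXML documents for a VBA macro project. The magic-byte table, the extension lists and the constructed sample attachments (which contain only headers, not real malware) are assumptions made for illustration; a production tool would lean on libmagic and a real Office parser.

```python
import io
import zipfile

# Magic bytes for file types attackers commonly deliver or impersonate
# (assumed table for illustration; a real tool would use libmagic).
MAGIC = {
    b"%PDF-": "pdf",
    b"MZ": "exe",                                   # Windows PE: .exe, .dll, .scr
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",    # legacy .doc / .xls
    b"PK\x03\x04": "zip",                           # .zip, and OOXML .docx / .xlsx
    b"\x7fELF": "elf",
}

# What the claimed extension says the content should be.
EXPECTED_TYPE = {
    ".pdf": "pdf",
    ".exe": "exe", ".dll": "exe", ".scr": "exe",
    ".doc": "ole2", ".xls": "ole2",
    ".docx": "zip", ".docm": "zip", ".xlsx": "zip", ".xlsm": "zip", ".zip": "zip",
}

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".vbs", ".ps1", ".hta", ".jar"}


def detect_type(data: bytes) -> str:
    """Identify the real content type from its leading bytes."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def has_vba_macro(data: bytes) -> bool:
    """OOXML documents carry macros in a vbaProject.bin part inside the zip."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename: str, data: bytes) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    exts = ["." + part for part in filename.lower().split(".")[1:]]
    final_ext = exts[-1] if exts else ""

    if "\u202e" in filename:
        findings.append("right-to-left override character in filename")
    if len(exts) >= 2 and final_ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"double extension: presented as {exts[-2]} but runs as {final_ext}")
    elif final_ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"executable attachment ({final_ext})")

    kind = detect_type(data)
    expected = EXPECTED_TYPE.get(final_ext)
    if expected is not None and kind != expected:
        findings.append(f"content is {kind}, not the {expected} that {final_ext} implies")
    if kind == "zip" and has_vba_macro(data):
        findings.append("Office document contains a VBA macro project")
    return findings


def build_docx(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-style zip used only as sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder macro project")
    return buf.getvalue()


# Constructed samples: only the headers that matter here, not real malware.
SAMPLES = [
    ("Invoice_2015.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
    ("Invoice_2015.pdf.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("statement.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("Q1 report.docx", build_docx(with_macro=True)),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(f"{name:24s} -> {triage_attachment(name, data) or ['ok']}")
```

Run as a script it prints one line per constructed sample; the only attachment that comes back clean is the genuine PDF. The check is deliberately cheap so it can sit in a mail gateway or a USM asset script rather than a sandbox.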
8. But, wait… I have Endpoint Protection!
While anti-malware scanners will spot the majority of known malicious files, there are several ways to get past them:
• Polymorphic code
- Over the lifespan of the malware (each release looks different to existing signatures)
- In real time (every copy that is generated looks different)
• Encryption/packing (the payload is unreadable on disk and only decrypts itself in memory)
• Stealth
- Monitoring system resource utilization so the infection stays quiet or spots an analysis sandbox
- Hiding malware inside legitimate applications
- Sometimes even blocking anti-virus updates and/or system messages that might alert a user to the malware’s presence
• Some legacy firewalls may not have the technology to detect it
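To make the polymorphism and packing points concrete, here is an added example in Python (it is not code from the webinar or from AlienVault). A constructed, harmless placeholder payload is encrypted with a fresh key for each copy, so every copy has a different hash and no plaintext string signature matches it, which is exactly why a signature-only scanner misses it. The same block then shows the kind of alternative signal a defender can use: a Shannon-entropy check that flags the packed copies regardless of their key. The payload text, the SHA-256 counter-mode keystream used as a stand-in for a packer's cipher, the signature string and the 7.0 bits-per-byte threshold are all assumptions for illustration.

```python
import hashlib
import math
import os
from collections import Counter
from typing import Optional

# Constructed stand-in for a malicious payload (harmless text). In a real sample this
# would be the unpacked code that a string signature was written against.
PAYLOAD = b"# stage two: enumerate hosts on the LAN, then phone home to the C2\n" * 64

# A naive "signature" of the kind a scanner might match on the unpacked payload.
SIGNATURE = b"phone home"

# Rule-of-thumb threshold (assumed): encrypted or compressed data runs close to
# 8 bits/byte, while plain code and text sit well below it.
PACKED_ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode: a deterministic pseudo-random stream derived from `key`."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def pack_sample(payload: bytes, key: Optional[bytes] = None) -> bytes:
    """Simulate a packer: [key length][key][payload XOR keystream].

    A fresh random key per copy means every copy differs byte for byte even
    though all of them unpack to the same payload (polymorphism "in real time").
    """
    key = key or os.urandom(16)
    body = bytes(p ^ k for p, k in zip(payload, keystream(key, len(payload))))
    return bytes([len(key)]) + key + body


def unpack_sample(sample: bytes) -> bytes:
    """The stub's job at run time: recover the payload from a packed copy."""
    klen = sample[0]
    key, body = sample[1:1 + klen], sample[1 + klen:]
    return bytes(b ^ k for b, k in zip(body, keystream(key, len(body))))


def triage(data: bytes) -> dict:
    """What a defender can observe on disk without unpacking: hash, signature, entropy."""
    entropy = shannon_entropy(data)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "signature_hit": SIGNATURE in data,
        "entropy": round(entropy, 3),
        "looks_packed": entropy >= PACKED_ENTROPY_THRESHOLD,
    }


if __name__ == "__main__":
    copies = [pack_sample(PAYLOAD) for _ in range(3)]
    print("plain :", triage(PAYLOAD))
    for i, copy in enumerate(copies):
        print(f"copy {i}:", triage(copy), "unpacks OK:", unpack_sample(copy) == PAYLOAD)
    # Three different hashes and zero signature hits, yet all three are flagged as packed.
```

The hash and signature columns are what a file-based scanner sees, and they change with every copy; the entropy column does not, which is why a second, independent detection method (high-entropy files in unusual places, the process behaviour after the stub unpacks, the network beacon) catches what the first one misses.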
9. Risk Mitigation
Education
• Ongoing training
- New, different malware variants
- Delivery mechanisms
• Institute a policy
- What you can and cannot download on the corporate network
- What to do if your users get hit
Containment
• Network segmentation
10. Risk Mitigation
Continuous Monitoring
• Operate under the assumption that you will get breached
- If prevention doesn’t work for these folks, why do you think it would
work for you?
• Multiple detection methods
- Don’t put all of your eggs in one basket
11. AlienVault Vision
Accelerating and simplifying threat detection and incident response for IT teams with limited resources, on day one.
Enable organizations of all sizes to benefit from the power of crowd-sourced threat intelligence & unified security.
13. Unified Security Management Platform
Accelerates and simplifies threat detection and incident response for IT teams with limited resources, on day one.
AlienVault Labs Threat Intelligence: identifies the most significant threats targeting your network and provides context-specific remediation guidance.
Open Threat Exchange: the world’s largest repository of crowd-sourced threat data, provides a continuous view of real-time threats.
AlienVault Approach: Unified Security Management
17. 888.613.6023 | ALIENVAULT.COM | CONTACT US: HELLO@ALIENVAULT.COM
Now for some questions.
Questions? Hello@AlienVault.com
Twitter : @alienvault
Test Drive AlienVault USM
Download a Free 30-Day Trial
http://www.alienvault.com/free-trial
Check out our 15-Day Trial of USM for AWS
https://www.alienvault.com/free-trial/usm-for-aws
Try our Interactive Demo Site
http://www.alienvault.com/live-demo-site
Editor's Notes
We are dedicated to providing a simplified security solution that, when coupled with affordable pricing, is the perfect fit for organizations with limited budgets and few in-house resources.
AlienVault gives smaller IT organizations the ability to accelerate and simplify their threat detection and remediation efforts, as well as regulatory compliance.
With our unified, simplified approach, you can go from deployment to insight in less than one day
Predictability of USM platform and security data: Ownership of the built-in data sources and management platform, coupled with unmatched security expertise delivered by the AlienVault Labs team of security experts, provides effective security controls and seamlessly integrated threat intelligence for any environment
AlienVault Labs threat research team spends countless hours mapping out the different types of attacks, the latest threats, suspicious behavior, vulnerabilities and exploits they uncover across the entire threat landscape. They leverage the power of OTX, the world’s largest crowd-sourced repository of threat data to provide global insight into attack trends and bad actors. This eliminates the need for IT teams to conduct their own research on each threat.
They provide specific, relevant, and actionable threat intelligence, such as over 2,000 predefined correlation directives, which eliminates the need for customers to create their own, one of the primary sources of frustration with other SIEM products. Besides correlation directives, AlienVault Labs Threat Intelligence regularly publishes threat intelligence updates to the USM platform in the form of IDS signatures, vulnerability audits, asset discovery signatures, IP reputation data, data source plugins, and report templates.
----- Meeting Notes (4/17/15 15:31) -----
These 5 essential capabilities are the strength of the platform
Rename Threat Detection "Intrusion Detection"