Transcript of "Why Are We Still Being Breached?" (Data Connectors)
©SparkCognition, Inc. 2018. All rights reserved.
Rick Pither, Director of Cybersecurity
Why Are We Still Being Breached? Are 1st Generation and NexGen solutions working?
Session Agenda
01 SparkCognition Introduction
02 Why Are We Still Being Breached? (EPP, EDR, 1st Gen AV, NexGen?)
03 Differences in AI/ML (Tesla vs Legacy Auto Manufacturers)
04 DeepArmor Enterprise (Built from AI)
SparkCognition Portfolio (slide diagram)
Inputs, structured: industrial and operational data; SIEM and IT logs; threat intelligence; JSON, CSV, XML; historical and real-time sensor data.
Inputs, unstructured: 1M+ pages/documents, 10-Ks, research reports, contracts; files, documents, scripts, macros; support tickets, incident reports; security operations (billions of alerts).
Patented algorithms: automated model building; document classification; workflow automation; cognitive query; structuring text into tables; best algorithm for the customer data set.
Solutions (delivered as platforms or services): malware prediction; industrial IoT performance prediction; client churn; firewall rule sets; malicious bot detection; PII data leakage; threat prioritization; network anomalies; air quality/weather patterns; inventory requirements; employee attrition; home credit default risk; financial/insurance fraud; solar output/weather patterns; prevent pre-execution; prevent unknown; asset maintenance; failure prediction.
Why are we still being breached? The evolution of tools and tactics
• Polymorphism: attacks that can automatically mutate to evade signatures and IoCs
• Trusted Application Attacks: attacks that leverage trusted applications like documents, macros and scripts to deliver the payload
• Weaponized AI: leveraging machine learning to generate adversarial malware
• In-Memory Attacks: direct injection of code into memory space to evade file monitoring
• Single Use Malware: highly targeted, single-use attacks with no two variants being the same
• Hacking as a Service: open source tools and online services that lower the technical barrier to entry for attackers
69% of organizations don't believe their antivirus can stop the threats they're seeing (Ponemon Institute)
Quick History of the Endpoint Market (slide chart: effectiveness of solution over time, as time and adversary strength grow)
1st Gen: reverse engineered
2nd Gen: reverse engineered; FUD marketing; rush to add AI/ML capabilities; EDR tilt; 85+ vendors
• Broken; not as effective
• AI/ML is everywhere
• FUD around file-less and in-memory
• EDR is now "the answer"
• Too many attacks/alerts/data
• Zero day still a struggle
Defense in Depth (slide chart: effectiveness and IR cost across the layers Firewall, Cloud Email Gateway, Network IDS/IPS, EPP, EDR, Forensics, IR)
Why EPP? (slide diagram)
Pre-execution, static detection: file-based; in-memory/file-less
Post-execution (infected), dynamic: behavioral; file-less
Network anomaly detection; advanced malware detection; sandboxing
EDR: Endpoint Detection and Remediation
EPP: Endpoint Prevention Platform
Attack origin: outside 73%, insider 27%
Impact of the Evolving Attack Model: Endpoint Protection must evolve to keep pace
• 77% of successful cyber attacks include new or unknown threats (malware, exploit, file-less); 350,000 new variants are created each day [1]
• 53% of organizations believe their current endpoint protection solutions do not provide adequate protection against the newest attacks [1]
• 35% of cyber attacks were fileless exploits, including macros, scripts and in-memory [1]
• 97% of malware infections employ polymorphic techniques [3]
• $5M: average cost of a successful endpoint security attack in 2017 [1]; 42% of organizations reported an endpoint breach in the last year [2]
• 99% of malware is seen for less than one minute before a new sample takes its place [4]
Security Market Whiteboard (slide sketch using a border-smuggling analogy: CISO = DEA; vectors: plane, boat, drug mule, sub, catapult, tunnels, drone, disguised; 3,000 miles and 5,000 miles of border; threats already here, moving east/west and state to state)
1. CHANGE THE DEFINITION OF WINNING
2. START REALLY CHANGING METHODOLOGY
3. REDUCE RELIANCE ON PRODUCTS/HUMANS
Detect, Prevent, Watch, Remediate
SparkCognition Recommendations
Help IT practice good hygiene:
• patching
• privilege escalation management
• 2-factor authentication
• network segmentation
• leverage REAL AI/ML
Still need tripwires along the kill chain
Reduce incident response times; F/W, IDS and AV are easily bypassed
244 new threats per minute, up 22% in 2017 (32M samples): 46% malware, 30% zero day, 33% LOTL
4. GET OUT OF DETECTION/ALERT BUSINESS. Example: SIEMs on average have only 12 YARA rules, and they generate 10,000-50,000 alerts/day
Start to reduce the number of security vendors
DeepArmor: Endpoint Protection. The Future of Endpoint Protection, Built from AI
Multi-Vector Protection, Built from AI: DeepArmor leverages ground-breaking algorithms and patented model building tools to predict and prevent across every attack vector, including file-based, file-less and in-memory attacks
Pre-Execution Prevention: DeepArmor intercepts and prevents attacks before they can execute, eliminating the need for post-infection behavioral analysis, ineffective system rollbacks and time-intensive reimaging
No Heuristics, No Signatures, No Control Features: DeepArmor leverages the power of AI to prevent unknown zero-day attacks with no need for rigid heuristics, out-of-date signatures or rudimentary "on/off" control features
Threat Detection Architecture: Lightweight, Cognitive Agent (slide diagram)
• File reputation; application control (whitelist, blacklist)
• Machine learning file analysis
• Blocks known and zero-day unknown malware and exploits
• Kernel level, real-time: executable malware; weaponized documents; in-memory script/macro
• Windows, Mac, Linux desktops/servers
Prevention technique coverage by product generation:

Attack type                   | Traditional Antivirus         | Next-Generation Antivirus      | DeepArmor Endpoint Protection
                              | (Signatures, Heuristics,      | (Basic ML & Behavioral         | (Pre-Execution Machine
                              |  Control Features)            |  Analysis)                     |  Learning)
Known File-Based Malware      | ✔                             | ✔                              | ✔
Unknown File-Based Malware    |                               | ✔                              | ✔
Unknown Document Attacks      |                               |                                | ✔
Unknown Script-Based Attacks  |                               |                                | ✔
Unknown Macro Attacks         |                               |                                | ✔
Unknown In-Memory Attacks     |                               |                                | ✔

DeepArmor's Endpoint Protection platform delivers the strongest protection against zero-day malware, weaponized scripts, macros and in-memory attacks.
Replace Legacy Antivirus: How DeepArmor Replaces Antivirus with Algorithms
• No out-of-date signatures
• No rudimentary control features
• No post-infection behavioral analysis
• No rigid heuristics (e.g., YARA)
The DeepArmor Efficacy Difference: Commitment to Innovation, Differentiated Protection
Chart: Near Zero-Day (<24 hrs.) Malware Detection % (Pre-Execution), 50%-100% scale. DeepArmor 99.6%; Next Generation average 77.1%; 1st Generation average 64.4%
Chart: same metric per vendor, values listed in the order they appear on the slide. DeepArmor 99.6%; Symantec 88.4%; CrowdStrike 83.5%; Cylance 77%; BitDefender 75%
Near Zero Day Testing (how well does your product correctly prevent something never seen before)
• Download a random set daily
• No file reputation
• Data set query: less than 24 hours old; Microsoft executable; malicious; detected by at least 20 vendors
• Static file pre-execution
• Compare all AI/ML models
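The selection and scoring steps of that test methodology, written out as an added example (not SparkCognition's harness or code). It assumes a constructed feed-record schema (first_seen, header bytes, vendor_detections, static_verdicts) and two hypothetical models, model_a and model_b; the daily download itself is out of scope.

```python
from datetime import datetime, timedelta, timezone

# Selection thresholds taken from the slide's "Data Set Query".
MIN_VENDORS = 20               # detected by at least 20 vendors
MAX_AGE = timedelta(hours=24)  # less than 24 hours old

def is_pe_executable(header: bytes) -> bool:
    """Microsoft (PE) executables begin with the 'MZ' DOS-stub magic."""
    return header[:2] == b"MZ"

def is_eligible(sample: dict, now: datetime) -> bool:
    """Apply the slide's selection criteria to one feed record. The record
    schema used here is an assumption of this example, not a real feed format."""
    age = now - sample["first_seen"]
    return (timedelta(0) <= age < MAX_AGE
            and is_pe_executable(sample["header"])
            and sample["vendor_detections"] >= MIN_VENDORS)

def eligible_samples(samples: list, now: datetime) -> list:
    return [s for s in samples if is_eligible(s, now)]

def detection_rate(samples: list, model: str, now: datetime) -> float:
    """Percent of eligible samples flagged by the model's stored static,
    pre-execution verdict. No reputation lookup is consulted ("No File Reputation")."""
    chosen = eligible_samples(samples, now)
    if not chosen:
        return 0.0
    hits = sum(1 for s in chosen if s["static_verdicts"].get(model) == "malicious")
    return round(100.0 * hits / len(chosen), 1)

def compare_models(samples: list, models: list, now: datetime) -> dict:
    # Every model is scored on the same eligible set so the numbers are comparable.
    return {m: detection_rate(samples, m, now) for m in models}

# Constructed records for one day's pull; NOW is fixed so the run is reproducible.
NOW = datetime(2018, 6, 1, 12, 0, tzinfo=timezone.utc)
def rec(hours_ago: int, header: bytes, vendors: int, a: str, b: str) -> dict:
    return {"first_seen": NOW - timedelta(hours=hours_ago), "header": header,
            "vendor_detections": vendors, "static_verdicts": {"model_a": a, "model_b": b}}

SAMPLES = [
    rec(2, b"MZ\x90\x00", 35, "malicious", "malicious"),
    rec(20, b"MZ\x90\x00", 22, "malicious", "benign"),
    rec(30, b"MZ\x90\x00", 40, "benign", "malicious"),    # older than 24 h: excluded
    rec(1, b"%PDF-1.4", 30, "malicious", "malicious"),    # not a PE file: excluded
    rec(5, b"MZ\x90\x00", 12, "malicious", "malicious"),  # fewer than 20 vendors: excluded
    rec(10, b"MZ\x90\x00", 20, "benign", "benign"),
]

if __name__ == "__main__":
    print(compare_models(SAMPLES, ["model_a", "model_b"], NOW))
```

Because the three excluded records never reach the scorer, a model that only looks good on old, widely-signatured or non-PE samples gets no credit for them.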