You Can't Stop The Breach Without Prevention And Detection
2016 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
YOU CAN’T STOP THE BREACH WITHOUT PREVENTION AND DETECTION
CHRIS SHERMAN, SENIOR ANALYST, FORRESTER
ROD MURCHISON, VP, PRODUCT MANAGEMENT, CROWDSTRIKE
Mastering the Endpoint: Leverage Forrester's Targeted Attack Hierarchy Of Needs
Chris Sherman, Senior Analyst
October 20th, 2016
© 2016 Forrester Research, Inc. Reproduction Prohibited
The 90's called, they want their endpoint security strategy back
Despite 42% of breaches involving a software exploit over the past year, and a 19% year-over-year increase in costs associated with cyberattacks, many organizations still rely heavily on antivirus. A new approach is needed!
[Chart: share of organizations relying on each endpoint control (Anti-Virus, Application patching, Application control, Endpoint Visibility & Control); values shown on the slide: 80%, 63%, 48%, 55%, 53%, 48%]
Base: 671 IT and IT security practitioners. Source: Ponemon 2013 State of the Endpoint Survey
Base: 881 IT Security Decision Makers. Source: Forrester BT Security Survey, Q3 2015
Organizations Must Refocus Their Endpoint Security Strategies
The Targeted-Attack Hierarchy Of Needs
Targeted-Attack Hierarchy Of Needs
Need No. 1: An Actual Security Strategy
Expense in Depth
Return on Expense in Depth?
Components of a sound strategy
› Adopt the principles of the Zero Trust model
› Data-driven security, not alert-driven security
› Data-driven security is really business-driven security, which is supported by executives
Targeted-Attack Hierarchy Of Needs
Need No. 2: A Dedication To Recruiting And Retaining Staff
Double down on higher education
› There is intense competition between the emerging cyber programs
› Make them more competitive; join an advisory board and drive a curriculum that produces capable graduates
Targeted-Attack Hierarchy Of Needs
Need No. 3: A Focus On The Fundamentals
A Focus On The Fundamentals
Targeted-Attack Hierarchy Of Needs
Need No. 4: An Integrated Portfolio That Enables Orchestration
Friction?
› "Create friction for the attacker. Slow them down and make their job more difficult."
› What about all the friction we create for ourselves?
› Most orgs don't have the resources to automate their InfoSec processes.
What can you do?
› Invest in software development staff
› Prioritize vendors that integrate and automate between the endpoint and network layers
› Pay attention to vendors who see the need and are developing solutions.
Targeted-Attack Hierarchy Of Needs
Need No. 5: Prevention
Prevention is shifting
› Traditional approaches to prevention will continue
› If you can prevent an action, why not?
› Prevention with threat intelligence
  • Command and Control indicators should be used to prevent communications
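The last bullet is the one that turns threat intelligence into a preventive control: a C2 indicator feed is only useful if it is actually matched against outbound connections before they complete. The block below is an added example written for this page, not CrowdStrike or Forrester code. The indicator values, the event format and the connection records are all constructed for the example (they use RFC 5737 documentation ranges and `.test` names, not real infrastructure). It shows the two checks a practitioner usually wants and the edge cases each one has: domain matching must catch subdomains of a listed C2 name without matching look-alike names that merely contain it, and IP matching must handle both single addresses and whole netblocks.

```python
"""Added example: apply command-and-control (C2) indicators to outbound
connection events and decide which to block. Illustrative code for this
page, not vendor code. Indicators, event format and records are constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed indicator feed (hypothetical values, not real C2 infrastructure).
C2_DOMAINS = {"update-check.example-bad.test", "cdn.example-bad.test"}
C2_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]   # TEST-NET-2 range
C2_IPS = {ipaddress.ip_address("203.0.113.7")}           # TEST-NET-3 address


@dataclass(frozen=True)
class Conn:
    host: str          # endpoint that initiated the connection
    dst_ip: str
    dst_name: str      # resolved name, "" if the connection was made by raw IP
    dst_port: int


def domain_matches(name: str) -> bool:
    """True if name equals an indicator or is a subdomain of one.
    Walks the labels from the left so 'a.cdn.example-bad.test' matches, while
    'example-bad.test.lookalike.test' (indicator embedded, not a suffix) does not."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in C2_DOMAINS for i in range(len(labels)))


def ip_matches(ip: str) -> bool:
    """True if the destination IP is a listed address or inside a listed network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr in C2_IPS or any(addr in net for net in C2_NETWORKS)


def decide(conn: Conn) -> tuple[str, str]:
    """Return (verdict, reason). Name indicators are checked first because a
    C2 domain may resolve to a different IP tomorrow; the IP check then catches
    connections made directly by address."""
    if conn.dst_name and domain_matches(conn.dst_name):
        return "block", f"domain indicator: {conn.dst_name}"
    if ip_matches(conn.dst_ip):
        return "block", f"ip indicator: {conn.dst_ip}"
    return "allow", "no indicator match"


# Constructed sample connection events.
SAMPLE = [
    Conn("ws-0142", "203.0.113.7", "", 443),
    Conn("ws-0142", "192.0.2.10", "a.cdn.example-bad.test", 443),
    Conn("ws-0303", "192.0.2.55", "example-bad.test.lookalike.test", 80),
    Conn("ws-0303", "198.51.100.77", "", 8080),
    Conn("ws-0777", "192.0.2.99", "intranet.example.test", 443),
]


def evaluate(conns=SAMPLE):
    """Run every event through decide(); returns (host, destination, verdict, reason)."""
    return [(c.host, c.dst_name or c.dst_ip, *decide(c)) for c in conns]


if __name__ == "__main__":
    for row in evaluate():
        print(row)
```

In practice the indicator sets are refreshed from the intelligence feed, and the same `decide` logic sits wherever the connection can still be stopped (host firewall, DNS resolver, proxy); the point of the example is that suffix matching and CIDR containment are what make a feed usable as prevention rather than just as a search term.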
Prevention begins and ends with attack surface reduction
Photo credit: Jan Stromme, Bloomberg Business
Targeted-Attack Hierarchy Of Needs
Need No. 6: Detection & Response
Detection
› Detection is the only option when dealing with higher tier adversaries
› No single control is your breach detection system
› Your aggregate controls and your people are your breach detection system
Response
› Once you have identified malicious activity, how do you respond?
› Is your remediation a reimage?
› Time to containment and remediation will never improve without automated response
To be successful, an endpoint security strategy must balance prevention with detection
Endpoint Security Requires A Balanced Approach
Prevention
• Addresses attack surface
• Limits time spent on detection/response
• Doesn't require frequent updates
Detection
• Endpoint visibility and integration
• Catches what gets through
• Threat intelligence required
Control / Remediation
• Automated/assisted remediation reduces friction
• Ensures policy compliance
• Operationalizes threat intelligence
Recommendations
› Choose prevention technologies based on your risk appetite and impact to user experience.
› Look to expand your detection capabilities beyond malicious process identification and IOC identification
› Reduce your attack surface through a balance of prevention, detection, and remediation proficiency.
THE YIN & YANG OF ENDPOINT PROTECTION
§ You need to see Prevention & Detection in a holistic way
§ There needs to be a virtuous approach - one feeds the other and vice-versa
§ You need to have a vision, from the outset to build this, you can’t just make this up as you go along
PREVENTION / DETECTION
Cloud Delivered Endpoint Protection
MANAGEDHUNTING
ENDPOINT DETECTION AND RESPONSE
NEXT-GEN ANTIVIRUS
CrowdStrike is the only security technology provider to unify next-gen AV and EDR into a single agent, backed by 24/7 proactive threat hunting – all delivered via the cloud
PREVENTION
BENEFITS
PREVENTS ALL TYPES OF ATTACKS
Protect against Known/Unknown Malware
Protect Against Zero-Day Attacks
Eliminate Ransomware
No Signature Updates
No User Impact—Less than 1% CPU overhead
Reduce re-imaging time and costs
BUSINESS VALUE
Machine Learning
IOA Behavioral Blocking
Block Known Bad
Exploit Mitigation
CLASSIC EDR JUSTIFICATION: THERE IS NO SUCH THING AS 100% PREVENTION
§ Attacks will always get through
§ Even with 99% efficacy you still need something to deal with the 1%
§ So, you need EDR to deal with this and solve the ‘silent failure’ problem
[Chart: 99% stopped, 1% missed]
WHAT 99% CAN MEAN…
[Chart: chance of at least one success for the adversary vs. number of attempts; with a 1% miss rate per attempt the chance exceeds 99% by 500 attempts]
Bottom line: change the binary 500 times and with 99% detection efficacy you will get one file through
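The chart's point is easy to check and worth being able to reproduce, because the same arithmetic tells you how many retries a 99.9% or 99.99% control buys you, and what the earlier "no single control is your breach detection system" slide means numerically. The block below is an added example written for this page, not code from the deck. It assumes the slide's implicit model: every attempt is an independent trial with the same per-attempt miss rate, and, for the layering function, that separate controls fail independently of one another (an optimistic assumption that is explicitly noted in the code).

```python
"""Added example: the arithmetic behind 'what 99% can mean'. Illustrative code
for this page, not vendor code. Assumes independent, identically distributed
attempts, which is the slide's implicit model."""
import math


def p_at_least_one_success(miss_rate: float, attempts: int) -> float:
    """Chance the adversary gets at least one file through in `attempts` tries,
    when each try is missed with probability `miss_rate`: 1 - (1 - m)^n."""
    return 1.0 - (1.0 - miss_rate) ** attempts


def attempts_to_reach(miss_rate: float, confidence: float) -> int:
    """Smallest number of attempts at which the adversary's chance of at least
    one success reaches `confidence`. Solves (1 - m)^n <= 1 - c for n."""
    if not 0.0 < miss_rate < 1.0 or not 0.0 < confidence < 1.0:
        raise ValueError("miss_rate and confidence must be strictly between 0 and 1")
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - miss_rate))


def layered_miss_rate(miss_rates) -> float:
    """Miss rate of several controls that must ALL miss for the attack to get
    through. Assumes the controls fail independently; two products driven by
    the same signature feed are not independent, so treat this as a best case."""
    return math.prod(miss_rates)


if __name__ == "__main__":
    # The slide's scenario: 99% efficacy, adversary re-packs the binary 500 times.
    print(f"1% miss, 500 attempts: {p_at_least_one_success(0.01, 500):.4f}")
    for m in (0.01, 0.001, 0.0001):
        print(f"miss {m:.4%}: {attempts_to_reach(m, 0.99)} attempts to reach 99%")
    # Two independent controls at 1% and 5% miss each.
    print(f"layered miss rate: {layered_miss_rate([0.01, 0.05]):.6f}")
```

Two things fall out of this that the slide states only in words: the 500-attempt figure is conservative (a 1% miss rate passes 99% adversary success at 459 attempts), and adding an independent 95%-effective second control to a 99% first control moves the per-attempt miss rate from 1% to 0.05%, which is why aggregate controls, not any single one, are the breach detection system.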
PREVENT AGAINST SILENT FAILURE
DVR FOR ENDPOINT
BUSINESS VALUE
5 Second Enterprise Search
No Hardware or Storage Costs
Full Spectrum Visibility
Reduced Time to Remediation
BENEFITS
DETECTION AND RESPONSE
FINDING THE ADVERSARY
So You Don't Have To
BREACH PREVENTION SERVICES
Team of Hunters Working for You
24 x 7
BUSINESS VALUE
Force Multiplier
Community Immunity
BENEFITS
Reduce Alert Fatigue: Focus on What Matters!
Stop the “Mega” Breach
MANAGED HUNTING
SO YOU GOT DETECTION AND PREVENTION, WHY ARE YOU STILL DISAPPOINTED?
§ You can't just slam two things together: detection and prevention
§ You can't just tick off a list of features
§ This is tough stuff, you need to be thoughtful and considered in how you architect a prevention and detection solution
§ You can’t see prevention and EDR as two separate things
SO, WHERE DOES PREVENTION END & DETECTION START?
PREVENTION / DETECTION
OVERVIEW OF WHAT’S REQUIRED TO PROPERLY UNIFY NEXT-GEN AV AND EDR
1. Complete and accurate visibility
2. Analysis capacity
3. Ability to turn data into information and insight
COMPLETE AND ACCURATE VISIBILITY
§ Data: Need lots of it
§ Scalability: In the Cloud
§ Power: Storage, throughput and compute power
§ Integrity: High fidelity
§ Usefulness: Insightful
§ Flexible Capture: distributed/mobile/BYOD and or on/off network
ANALYSIS CAPACITY
§ Organize and analyze big data
§ You need to analyze this at massive scale
§ You need to ‘glue’ all this data together
§ That’s why a ‘Graph’ is the answer
ABILITY TO TURN DATA INTO INFORMATION AND INSIGHT
§ Piecing data together and establishing the relationships between the pieces drives 'context'; the more data you have, the richer the context
§ Understanding context lets you understand behavior, and that is what allows you to get to an IOA
THREAT GRAPH
Indicators of Attack
EDR
WHICH IN TURN MAKES BOTH PREVENTION AND EDR BETTER
§ IOAs = better 'prevention'
§ IOAs = defeat attackers who are 'living off the land'
§ Traditional malware and security approaches are inadequate
§ IOAs = better EDR, and better EDR = better IOAs
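The three slides above describe the pipeline in the abstract: collect process telemetry, link the records into a graph, and read the indicator of attack off the relationships rather than off any file. The block below is an added example written for this page to make that concrete; it is not CrowdStrike's Threat Graph or any vendor's detection logic, and the event format, the process names and the IOA rule are constructed assumptions. It builds a process tree from raw start events and flags the living-off-the-land pattern of a script interpreter descended from an Office application. No single node in that chain is malicious on its own, which is exactly why a hash-based approach cannot see it and a relationship-based one can. It also handles two data-quality problems real telemetry has: a parent that was never observed (the process becomes a root instead of crashing the walk) and parent-pid cycles caused by pid reuse.

```python
"""Added example: turning raw process-start events into context (a process
tree) and deriving an indicator of attack (IOA) from relationships rather than
from a file hash. Illustrative code for this page, not vendor code. The event
format, process names, command lines and the IOA rule are constructed."""
from dataclasses import dataclass, field


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str                       # executable basename, lower case
    cmdline: str
    children: list = field(default_factory=list)


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ENCODED_FLAGS = {"-enc", "-encodedcommand", "-e"}


def build_tree(events):
    """Index events by pid and link each process to its parent. A parent that
    is missing from telemetry simply leaves the process as a root."""
    procs = {e["pid"]: Proc(e["pid"], e["ppid"], e["image"].lower(), e["cmdline"])
             for e in events}
    for p in procs.values():
        parent = procs.get(p.ppid)
        if parent is not None:
            parent.children.append(p)
    return procs


def ancestry(procs, pid):
    """Walk parent links from pid towards the root. chain[0] is the process
    itself. Guards against ppid cycles, which pid reuse can produce."""
    chain, seen = [], set()
    p = procs.get(pid)
    while p is not None and p.pid not in seen:
        seen.add(p.pid)
        chain.append(p)
        p = procs.get(p.ppid)
    return chain


def find_ioas(procs):
    """IOA: a script interpreter whose ancestry includes an Office application.
    Each hop alone (Office open, cmd running, PowerShell running) is routine;
    the relationship is the behaviour. Encoded PowerShell is noted because that
    is what living-off-the-land payloads commonly look like."""
    findings = []
    for p in procs.values():
        if p.image not in INTERPRETERS:
            continue
        chain = ancestry(procs, p.pid)
        if not any(a.image in OFFICE_APPS for a in chain[1:]):
            continue
        notes = []
        if p.image == "powershell.exe" and \
                any(t.lower() in ENCODED_FLAGS for t in p.cmdline.split()):
            notes.append("encoded command line")
        findings.append({
            "pid": p.pid,
            "path": " -> ".join(a.image for a in reversed(chain)),
            "notes": notes,
        })
    return findings


# Constructed telemetry: one malicious chain (macro document spawning an
# encoded PowerShell via cmd) and one benign admin PowerShell session.
EVENTS = [
    {"pid": 400, "ppid": 1,     "image": "explorer.exe",   "cmdline": "explorer.exe"},
    {"pid": 512, "ppid": 400,   "image": "WINWORD.EXE",    "cmdline": '"WINWORD.EXE" /n invoice.docm'},
    {"pid": 640, "ppid": 512,   "image": "cmd.exe",        "cmdline": "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA"},
    {"pid": 700, "ppid": 640,   "image": "powershell.exe", "cmdline": "powershell -nop -w hidden -enc SQBFAFgA"},
    {"pid": 800, "ppid": 400,   "image": "powershell.exe", "cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1"},
    {"pid": 900, "ppid": 31337, "image": "wscript.exe",    "cmdline": "wscript.exe logon.vbs"},   # parent never observed
]


def run(events=EVENTS):
    """Build the tree for the given events and return the IOA findings."""
    return find_ioas(build_tree(events))


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

The benign PowerShell launched from Explorer (pid 800) produces nothing, and the orphaned wscript (pid 900) is tolerated rather than misattributed. The same tree, extended with network, file and registry events hanging off each node, is what lets the detection side feed the prevention side: once the Office-to-interpreter relationship is a known IOA, it can be blocked at process creation rather than merely alerted on afterwards.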
SUMMARY
§ You need to see Prevention & Detection in a holistic way
§ There needs to be a virtuous approach - one feeds the other and vice-versa
§ You need to have a vision, from the outset to build this, you can’t just make this up as you go along
NEW FORRESTER WAVE
The Forrester Wave™: Endpoint Security, Q4 2016 The 15 Providers That Matter Most And How They Stack Up
§ CrowdStrike will be sending a copy to ALL webcast registrants
Q&A