SECURITY REIMAGINED, PART II: BUILDING OUT AN ADAPTIVE INFRASTRUCTURE
Security Reimagined, Part II: Building out an Adaptive Infrastructure WHITEPAPER
CONTENTS
A VISION IS JUST THE BEGINNING (4)
A HISTORY OF REIMAGINING: THE REST OF THE STORY (5)
DETECTION: MINUTES, NOT MONTHS (6)
HUNTING AND GATHERING (9)
PREVENTION: BLOCK WHAT YOU CAN, STOP WHAT YOU CAN’T (11)
ANALYSIS: FULL CONTEXT FOR A FULL PICTURE (13)
TELLING A STORY WITH THE NARRATIVE MODEL (14)
INTELLIGENCE AT THE CORE (15)
RESOLUTION: FOCUSED ON CONTINUITY (16)
CONCLUSION AND RECOMMENDATIONS (18)
EXECUTIVE SUMMARY
A VISION IS JUST THE BEGINNING
The first part of this series detailed three pivotal advances that hinged on someone reimagining a domain: Arthur Cummings’ curveball pitch, George Westinghouse’s push to deliver electricity via alternating current, and Henry Ford’s assembly line.
A HISTORY OF REIMAGINING: THE REST OF THE STORY
In each of these cases, a breakthrough vision was only a starting point. Reimagining the status quo also required having the necessary tools and following through on the idea.

Arthur Cummings needed a catcher who could work with the curveball and prevent it from rolling into the backstop.1 He found that in Nat Hicks, one of only a few players at the time to crouch directly behind the batter during a pitch.2 Hicks’ position, along with a willingness to indulge “Cummings’ crazy curve,” enabled Cummings to wield his new throw—and made the pair a force on the baseball diamond.3 As baseball historian Pete Morris puts it: “…the most lethal pitch had no value without a skilled catcher.”4

George Westinghouse knew that alternating current would slash the costs of delivering electricity. But the changeover from the prevailing direct current standard depended on key innovations from others. Nikola Tesla’s dual-phase induction motor and transformer designs,5 Ottó Bláthy’s improved transformer and electric meter,6 and William Stanley’s parallel connected transformer7 were just a few of the advances that enabled Westinghouse’s vision.

And when Henry Ford wanted to build the Model T faster and less expensively, someone had already invented the conveyor belt (widely used in grain warehouses) and assembly lines (common in Chicago slaughterhouses).8 And industrial efficiency pioneer Frederick Taylor’s scientific management theory9 was taking root when Ford transformed the complex, specialized work of making cars into a series of discrete steps that required far less craftsmanship.10

Like these historical examples, reimagining security also requires the right tools and follow-through.

Part I of this series outlined what FireEye calls Adaptive Defense. This approach integrates tools end to end. It enables big-picture vigilance. It adopts a lean-forward posture with intelligence. And it responds nimbly with a responsive architecture.

This installment examines how to put this strategy into practice. It describes the tools and expertise organizations need to adopt an adaptive posture. And it prescribes a framework that will enable them to continuously prevent, detect, analyze, and resolve today’s threats.
1. Peter Morris. “Catcher: The Evolution of an American Folk Hero.” 2009.
2–4. Ibid.
5. John W. Klooster. “Icons of Invention: The Makers of the Modern World from Gutenberg to Gates.” 2009.
6. Quentin R. “George Westinghouse: Gentle Genius.” 2007.
7. IEEE Global History Network. “Milestones: Alternating Current Electrification, 1886.” October 2004.
8. Ford Motor Company archives. “The Reminiscences of Mr. W. C. Klann.” Recorded September 1955; transcribed November 2011.
9. Frederick Taylor. “The Principles of Scientific Management.” 1911.
10. The History Channel website. “Ford’s assembly line starts rolling.” Accessed September 2014.
[Figure: the adaptive defense cycle (Prevent, Detect, Analyze, Resolve)]
DETECTION: MINUTES, NOT MONTHS
In breaches that Mandiant, a FireEye company, helped resolve in 2013, attackers had free rein inside a victim’s networks for 229 days before being discovered.11 With an adaptive strategy, security teams can detect threats in minutes—not months.

You must detect attacks early to avert their worst effects. By the time most organizations detect a breach, the damage is done.

DETECTION DOES NOT LIVE ON SIGNATURES ALONE
Much of the problem stems from conventional signature-based defenses. Anti-detection techniques, such as code-morphing and binary packing, can generate a barrage of unique binary samples from the same malware family. Each has a unique binary signature. And many targeted attackers tailor code for each of their victims.

Anti-virus software vendors can’t keep up with new binaries. In many cases, they don’t even get the chance to create a signature. Out of 124,289 unique malware variants that slipped past conventional “defense-in-depth” security deployments in a recent FireEye study, 75 percent appeared only once.12

Like signatures, reputation-based defenses such as URL blacklisting detect only known, confirmed threats. Relying solely on this approach is like preventing the FBI’s most wanted criminals from entering your house—but leaving the doors open to everyone else.

Instead of signature- or reputation-based detection, an adaptive security architecture analyzes suspicious files, web objects and traffic in real time to detect new, unknown threats. Dynamic analysis technology observes malware and exploit behavior using virtual machines (VMs). These walled-off, simulated environments allow files to execute without doing any real damage.

By watching the files in VMs, automated analysis can flag telltale behavior, such as changes to the operating system or calls to the attacker’s command-and-control (CnC) servers.

Just as today’s advanced attacks unfold across multiple threat vectors and multiple connection flows, dynamic analysis tools must analyze suspicious code in the context of other system and network activity. Most VM-based analysis tools, more commonly known as sandboxes, analyze files and objects in isolation. They never see the full picture. The most effective solutions at this layer analyze exploits, malware, and associated behaviors as a series of flows. And they can group those flows into more complete pictures of attack activity.
11. Mandiant, a FireEye Company. “M-Trends: Beyond the Breach.” April 2014.
12. FireEye and Mandiant, a FireEye Company. “Cybersecurity’s Maginot Line: A Real-World Assessment of the Defense-in-Depth Model.” May 2014.
Signature-based defenses still have a place in an adaptive strategy. For instance, AV software and intrusion prevention systems (IPS) can instantly block known commodity malware so adaptive methods can focus on unknown, targeted attacks that present a higher risk.

Even so-called “signature-less” detection technologies (such as VM-based analysis) spawn and circulate signatures for newly discovered threats to quickly inoculate the whole enterprise. When shared within a broader defense community, these new signatures can also help shield other networks.

Firewalls, albeit smarter versions of them, remain a key component of adaptive security architecture. Applying an adaptive strategy doesn’t mean ripping up and replacing current security investments. Instead, it blends these legacy tools with dynamic analysis for fast, efficient detection.

Applying intelligence with indicators of compromise
Indicators of compromise (IOCs), those digital breadcrumbs so essential to incident response and forensics efforts, are also vital to detection.

In the simplest terms, IOCs are forensic artifacts of a breach, evidence created in the wake of an intrusion. This evidence can be anything from a new registry key to the name of a mutex inside a malicious process running on an infected machine.13

Security teams use IOCs to describe, catalog, and share threat data. Think of it as a criminal mug book that depicts traits such as the malware used, attackers’ methods, and other telltale signs. IOCs gathered from previous attacks help security teams know what to look for when detecting future attacks.

In an adaptive architecture, security teams can define IOC rules that meet all of the following conditions:
• It is actionable. IOCs lead to the threat, or at least to the trail of the threat.
• It is contextual. IOCs reveal detail that describes the severity, risk, and sometimes, the confidence of the threat.
• It is applicable. IOCs are useless if they don’t work with your detection tools.

To get the full benefit from IOCs, adaptive security infrastructures define them in industry-standard formats. Having standards allows security teams to share, incorporate, and combine threat intelligence from internal, third-party, shared, and open-source sources.

While some emerging IOC formats cover the gamut, many are not well defined and require specialized tools and expertise. Consider one that does not rely on any specific technology or setup. IOCs should also easily convert into other IOC formats.

Seeing the forest, not just the trees
In a recent survey by the SANS Institute, correlating information from multiple sources ranked as the second-biggest challenge of security professionals, just behind distinguishing key events from normal background behavior.14

That correlation is possible only when the security architecture is tightly integrated for an end-to-end view. Point products see only part of the picture, so security teams usually get a disjointed account of the attack. By implementing an adaptive strategy, they get the whole story. It’s the difference between a photograph and a Picasso painting.

Think of how a preschooler might view F. Scott Fitzgerald’s The Great Gatsby. The child might understand most of the individual letters but none of the words. Fast-forward a few years, and a first grader might know some words but miss the flow of the sentences and their meaning. A fifth grader will likely understand many sentences and perhaps even full paragraphs. But that child will likely miss much of the subtext, innuendo, and poetry of Fitzgerald’s prose. Finally, a high-school freshman might understand all of these—and still not have enough life experience to appreciate the deeper themes of the classic work.

In the same way, your security architecture must be mature enough to not only detect individual events, but to piece them together in a meaningful way. Just as a great novel requires more than knowing your ABCs, an adaptive security architecture hinges on a deeper grasp of how attacks play out. This insight usually draws on outside experience in the form of threat intelligence.

Having a cohesive view of an attack allows for meaningful, correlated alerts. Today’s security teams are overwhelmed with an ever-growing flood of alerts from their point products. They waste time chasing down false alarms and lose important alerts in the noise.15

Let’s face it: most alerts generated by conventional security tools are glorified event logs. What organizations really want is answers to the questions that matter. They need information they can do something about.

Because adaptive, integrated defenses have an end-to-end view of the attack, they can correlate activity among different tools to consolidate related alerts and prioritize the most urgent. Although security teams get fewer alerts, they can be confident that those alerts are worth following up.

Adaptive approaches provide crucial context to ascertain what happened, when it happened, and where it happened (in other words, what systems are affected).

13. Will Gragido (RSA). “Understanding Indicators of Compromise (IOC), Part I.” October 2012.
14. Jerry Shenk (SANS Institute). “Sorting Through the Noise.” May 2012.
15. FireEye. “The SIEM Who Cried Wolf: Focusing Your Cybersecurity Efforts on the Alerts that Matter.” August 2014.
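The correlation step described above (consolidating alerts from separate point products into one incident that says what happened, when, and where, then prioritizing it) as an added example; this is not code from the whitepaper or from any FireEye product, and the tool names, severities, weights, time window, and sample alerts are constructed assumptions:

```python
"""Correlate alerts from separate point products into one prioritized incident.

Added example for this whitepaper; not code from FireEye or any product.
Tool names, severities, weights, the time window and the sample alerts are
constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed alerts from four point products watching the same attack:
# a VM-based file analyzer, a signature IDS, a network sensor that sees CnC
# callbacks, and an endpoint agent. Severity runs from 1 (low) to 4 (critical).
SAMPLE_ALERTS = [
    {"tool": "sandbox", "ts": "2014-09-01T10:00:05", "host": "ws-17",
     "detail": "attachment invoice.exe drops a file and alters autorun", "sev": 3},
    {"tool": "ids", "ts": "2014-09-01T10:00:09", "host": "ws-17",
     "detail": "signature hit: generic downloader", "sev": 1},
    {"tool": "netflow", "ts": "2014-09-01T10:03:40", "host": "ws-17",
     "detail": "beacon to known CnC domain", "sev": 4},
    {"tool": "endpoint", "ts": "2014-09-01T10:04:02", "host": "ws-17",
     "detail": "new Run registry key written", "sev": 2},
    {"tool": "ids", "ts": "2014-09-01T11:30:00", "host": "ws-22",
     "detail": "signature hit: port scan", "sev": 1},
]

WINDOW = timedelta(minutes=15)  # alerts on one host this close together are one story
# A confirmed CnC callback weighs more than a lone IDS signature hit.
TOOL_WEIGHT = {"sandbox": 2, "netflow": 3, "endpoint": 2, "ids": 1}


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def correlate(alerts, window=WINDOW):
    """Group alerts by host and time proximity into incidents, highest priority first.

    Each incident records what happened (the alerts and the tools that fired),
    when (first and last seen) and where (the host). Priority is the weighted
    severity sum multiplied by the number of independent tools that agree, so
    corroborated activity outranks a single noisy signature hit.
    """
    by_host = defaultdict(list)
    for alert in sorted(alerts, key=lambda a: _parse(a["ts"])):
        by_host[alert["host"]].append(alert)

    incidents = []
    for host, host_alerts in by_host.items():
        current = None
        for alert in host_alerts:
            seen = _parse(alert["ts"])
            # A gap longer than the window on the same host starts a new incident.
            if current is None or seen - current["last_seen"] > window:
                current = {"host": host, "first_seen": seen, "last_seen": seen,
                           "alerts": [], "tools": set(), "priority": 0}
                incidents.append(current)
            current["last_seen"] = seen
            current["alerts"].append(alert)
            current["tools"].add(alert["tool"])
            current["priority"] += alert["sev"] * TOOL_WEIGHT.get(alert["tool"], 1)

    for incident in incidents:
        incident["priority"] *= len(incident["tools"])  # corroboration bonus
    incidents.sort(key=lambda i: i["priority"], reverse=True)
    return incidents


if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALERTS):
        print(inc["host"], inc["priority"], sorted(inc["tools"]),
              inc["first_seen"].time(), inc["last_seen"].time())
```

Five raw alerts become two incidents; the four corroborating alerts on ws-17 rank far above the lone IDS hit on ws-22.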
PREVENTION: BLOCK WHAT YOU CAN, STOP WHAT YOU CAN’T
Conventional security lets too many attacks go undetected and unchallenged for far too long.

In an adaptive architecture, prevention comes in two forms: preventing many attacks outright, and preventing the worst outcomes of attacks that slip through.

Today’s best tools can stop many threats automatically. Legacy signature-based tools block known commodity threats. And dynamic analysis can catch many attacks that signature-based tools miss.

Tightly integrated defenses instantly block malicious callbacks to attackers’ CnC servers. At the same time, endpoint defenses can locate compromised systems and quarantine them.

With an adaptive strategy, all of this occurs without badly disrupting operations. Used effectively, dynamic analysis tools do not weigh down the network or hinder users. And by pinpointing affected systems, security teams do not have to take major systems offline to remediate.
ANALYSIS: FULL CONTEXT FOR A FULL PICTURE

Analysis is one of the most important aspects of security—the very basis for detection, prevention, and resolution efforts. It is also one of the most difficult to get right.

Adaptive strategies automate much of the analysis process to detect and resolve incidents faster. Dynamic analysis tools find threats by analyzing the behavior of suspicious files, for example. And endpoint defenses inspect OS changes for signs of a breach.

Forensics and related activities still require human judgment. But automation can improve the process by making it faster and more accessible. Forensics shouldn’t have to be a manual, specialized chore.

ASKING THE RIGHT QUESTIONS, GETTING USEFUL ANSWERS
In the midst of a breach, security teams want answers, not data. The difference might seem pedantic—information, after all, is essential to finding answers. But reams of data are a poor substitute for knowledge.

A series of funny television ads that ran a few years ago for an Internet search site illustrates the point. In the commercials, someone asks a basic question, such as “Did you pick up a cell phone?” Instead of answering the question, others nearby begin reciting random facts about cellular membranes, telephone poles, and so on. Those facts may be accurate, even helpful in another context. But they didn’t help our hapless protagonist. Many of today’s security tools take a similar “everything and the kitchen sink” approach.

An adaptive strategy not only gives you answers, but helps you ask the right questions. By giving security teams the information they need when threats are detected, an adaptive security strategy gives you a running start as you analyze the breach so you can prevent further damage and resolve the attack.

By asking and answering the right questions, an adaptive approach can reduce the expertise needed to deploy, maintain, and operate your security tools. And more important, an adaptive approach makes these tools more powerful.
16. Dave Shackleford (SANS Institute). “When Breaches Happen: Top Five Questions to Prepare For.” June 2012.
• Get live responses to queries. If security teams find a compromised system, they can expand the narrative by getting a live response from the endpoint. This response can be a full forensics snapshot of the endpoint including files, memory space, registry, connection state, and more. The incident responder can analyze the live response remotely or transfer it to their console.
• Have a full, bit-by-bit record of endpoint activity. Just as an adaptive architecture captures every data packet on the network for a full picture of activity, adaptive endpoint security technologies have evolved similar functionality. With packet capture and look-back recording, an endpoint can track, store, and index changes to key markers such as registries, settings, started and stopped processes, and inbound and outbound network connections. When requested in targeted acquisition (“hunting”) mode, this record is sent to the security team to help responders pinpoint what endpoints the attacker hit and gauge the impact.
• Contain and remediate anywhere. When security tools detect a breach, teams must quickly isolate and fix breached endpoints to contain the damage. This process often takes place remotely, when the endpoint is not wired directly to the organization’s main network. If an endpoint is located, say, inside of a coffee shop, incident responders must still be able to “reach into” the machine to analyze forensic artifacts and contain the threat.

INTELLIGENCE AT THE CORE
Intelligence is the lifeblood of analysis, giving security teams a wider-angle view of potential threats inside and outside their network.

Tactical intelligence—both internal auto-generated signatures and data shared among a global defense community—enables security tools to instantly block known threats. Contextual intelligence helps guide analysis efforts, spotlighting threat trends and tactics so security teams know where to focus their efforts. And strategic intelligence gives security leaders the tools for macro-level analysis and long-term strategy.

[Figure: Endpoint Forensics, Cloud, Threat Intelligence]
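One way to tie the IOC conditions from the detection section (actionable, contextual, applicable) to the endpoint look-back record and hunting mode described above, as an added example; this is not code from the whitepaper, from any FireEye product, or in any vendor’s IOC format, and the IOC layout, the per-endpoint record layout, and the sample indicators and hosts are constructed assumptions:

```python
"""Hunt endpoint look-back records with IOCs held in a tool-neutral form.

Added example for this whitepaper; not code from FireEye, any product, or any
standard IOC format. The IOC fields, the endpoint record layout and every
sample value are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IOC:
    """One indicator plus the context the whitepaper asks for."""
    kind: str          # "registry_key", "mutex", "process" or "connection"
    value: str
    severity: str      # contextual: how bad a hit is ("high", "medium", "low")
    confidence: float  # contextual: how sure the source is, 0..1
    source: str        # internal, shared, third-party or open-source feed


# Kinds of marker the (assumed) endpoint agent records and indexes; an IOC of
# any other kind is not applicable because no tool here can evaluate it.
SUPPORTED_KINDS = {"registry_key", "mutex", "process", "connection"}

# Constructed look-back records: indexed changes per endpoint. Addresses are
# from documentation ranges (198.51.100.0/24, 203.0.113.0/24).
LOOKBACK = {
    "ws-17": {"registry_key": {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost32"},
              "mutex": {"Global\\x7k9-updater"},
              "process": {"svchost32.exe", "explorer.exe"},
              "connection": {"198.51.100.23:443"}},
    "ws-22": {"registry_key": set(), "mutex": {"Global\\officeupd"},
              "process": {"explorer.exe"}, "connection": {"203.0.113.5:80"}},
    "srv-01": {"registry_key": set(), "mutex": set(),
               "process": {"sqlservr.exe"}, "connection": {"198.51.100.23:443"}},
}

# Constructed IOCs from several sources. The last one is a kind no tool here supports.
IOCS = [
    IOC("mutex", "Global\\x7k9-updater", "high", 0.9, "internal"),
    IOC("connection", "198.51.100.23:443", "high", 0.8, "shared"),
    IOC("registry_key", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost32",
        "medium", 0.7, "open-source"),
    IOC("yara_rule", "rule placeholder { condition: false }", "low", 0.5, "third-party"),
]


def applicable(ioc):
    """An IOC is useless if it does not work with the detection tools you have."""
    return ioc.kind in SUPPORTED_KINDS


def hunt(iocs, lookback, min_confidence=0.6):
    """Return {endpoint: [matching IOCs]} for endpoints the attacker touched.

    Inapplicable IOCs and IOCs below min_confidence are skipped so that every
    hit is actionable; endpoints with no match are left out.
    """
    hits = {}
    for host, record in lookback.items():
        for ioc in iocs:
            if not applicable(ioc) or ioc.confidence < min_confidence:
                continue
            if ioc.value in record.get(ioc.kind, set()):
                hits.setdefault(host, []).append(ioc)
    return hits


def impact(hits):
    """Gauge impact: hosts ordered by worst matched severity, then by number of hits."""
    rank = {"high": 3, "medium": 2, "low": 1}
    return sorted(hits, key=lambda h: (max(rank[i.severity] for i in hits[h]), len(hits[h])),
                  reverse=True)


if __name__ == "__main__":
    found = hunt(IOCS, LOOKBACK)
    for host in impact(found):
        print(host, [(i.kind, i.severity, i.source) for i in found[host]])
```

On the constructed records the hunt pinpoints ws-17 (three markers) and srv-01 (one CnC connection) while leaving ws-22 clean, and the unsupported YARA-style indicator is dropped as inapplicable rather than silently ignored at match time.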
RESOLUTION: FOCUSED ON CONTINUITY
For now, resolving threats still requires human insight and action. But an adaptive posture can speed the process to contain the threat, fix any damage, and re-secure your network—all without severely disrupting business.

Today, most resolution efforts fall into a matrix. One axis indicates whether they’re static (requiring security teams to take systems offline) or dynamic (fixed while the system is still online and running). The other axis indicates whether they’re either disruptive (interrupting normal operations) or non-disruptive.

This matrix leaves incident responders with four choices:

The goal of an adaptive strategy is dynamic, non-disruptive resolution. With the wealth of information curated for detection, prevention, and analysis, security teams have information from networks, content repositories, and endpoints at their fingertips for a pinpoint response. An adaptive approach can’t automate the response itself. But it can automate the requisite information gathering, help direct the process to stop attacks sooner, and avoid the most severe damage and disruption.

The benefit is reciprocal: information gathered while resolving an issue can, in turn, bolster detection, prevention, and analysis with newly gleaned intelligence.
CONCLUSION AND RECOMMENDATIONS
We’ve described a new model to transform the way you prevent, detect, analyze, and resolve new threats. But as Cummings, Westinghouse, Ford, and so many others knew, reimagining the status quo is only a starting point. Now we’ll describe what an adaptive approach looks like in practical terms—and how to begin building one.

An adaptive approach incorporates several layers of defense. Unlike most defense-in-depth deployments today (which, as explained in Part I, are really “defense in shallow”), an adaptive posture uses multiple layers of defenses that complement but don’t duplicate each other.

In other words, each layer should either slow an attacker’s momentum, equip security teams to more quickly contain and resolve attacks, or ideally, both. Conventional defense-in-depth deployments use similar signature-based detection at every layer. An attacker that can get past one layer of signature-based defense—because no signature yet exists for the tools used in that attack—has a good chance of getting past all of them.

In an adaptive architecture, one layer of defense might fail, but the others remain intact.

BUILDING AN ADAPTIVE APPROACH, LAYER BY LAYER
For a true multi-layered defense, FireEye recommends the following:
• A signature layer. This tier handles commodity malware and known patterns of attack. This layer frees up your advanced layers to focus on new and unknown threats.
• A layer with advanced threat detection technology. This layer might use virtual-machine analysis and heuristic techniques to detect and sometimes automatically block attacks that signature-based tools miss.
• A layer with network forensics and advanced endpoint capabilities. Network forensics products should provide a “single pane of glass” to easily see activity from the perimeter, internal network streams, and endpoint activity. The idea isn’t to spawn more useless data, but to get an end-to-end narrative. Security teams should be able to retrieve data from specific endpoints and get a live response to queries. They should have a full, bit-by-bit record of endpoint activity when needed. And they should be able to contain and fix problems wherever the endpoint is.
• An intelligence layer that provides information on specific attackers. This layer should reveal attackers’ motives, what they’re after, what tools they use, and how their attacks unfold. Armed with those details, security teams can more closely monitor specific threat vectors. They can look for telltale markers and bolster defenses around the assets most at risk.
The more tightly integrated these tools are, the more powerful they become. A solution that can monitor email and web traffic together, for instance, can see multi-vector attacks that individual tools might miss. And a full picture of endpoint activity helps security teams detect threats faster, and quickly isolate and fix breached systems to prevent lasting harm.

INVESTING WISELY FOR THE FUTURE
By definition, every budget has limits. A truly adaptive strategy recognizes those spending constraints and works within them. Though an adaptive approach may require new tools, it isn’t about spending more. It’s about getting the best return on your security investment by directing spending where it makes the most sense.

By reducing spending on ineffective or redundant technology, organizations can free up money for capabilities that make them more nimble and effective.

To that end, FireEye recommends the following:
• Minimize investment in compliance-oriented event management tools. For many organizations, these are must-haves. But complying with industry or government guidelines isn’t the same thing as truly securing your IT assets. Once you have met the basic requirements, use what you’ve saved to invest in capabilities that can apply intelligence, analytics, or both to the security events these tools generate.
• Trim anti-virus and other signature-based technology spending to the bare minimum. Consider free or low-cost solutions from Microsoft and others. Invest the savings in advanced threat detection and response capabilities on the endpoint.
• Reevaluate your managed security services provider (MSSP) if you have one. Spend less on ineffective or limited services. Reinvest the savings in a strategic partner that owns all aspects of the solution—technology, expertise, and intelligence. Make sure that provider is a recognized leader in all three domains.
• Identify metrics to measure the efficacy of your cyber security plan over time. Response and resolution times are two key measures. The effort your team expends to prevent, detect, analyze, and resolve threats is another. Map these benchmarks to your investments in technology, intelligence, and expertise. And gauge them over time to assess your architecture. Are your tools helping reimagine your security strategy—or rehashing old approaches? Consider your answer a good starting point.
FireEye, Inc. | 1440 McCarthy Blvd. Milpitas, CA 95035 | 408.321.6300 | 877.FIREEYE (347.3393) | info@fireeye.com | www.fireeye.com
© 2014 FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye,
Inc. All other brands, products, or service names are or may be trademarks or service
marks of their respective owners. WP.SRII.EN-US.092014