Behavioral doesn't work at line speed! These are still

[Slide diagram: Outside Threat Intelligence / The Feed Stack]
Feed sources: Threat Intelligence Service Companies; Volunteer / Non-profit; Managed Service; Honey Nets; Scanners; Victim Submissions; Bad Guys (Malware Distribution & Operation).
Raw Knowledge: IP Address / URL / Netblock / Domain Name; Filenames / Paths; File MD5; Registry Keys / Paths; Service Names; Mutex Names; Binary Signatures; Known Exploit Vectors. An internal 'signature research' team turns Raw Knowledge into Encoded Knowledge.
Encoded Knowledge (point of presence): HOST: AntiVirus, AV DAT Files (Kaspersky, McAfee, Symantec, Microsoft). NETWORK: Email Filtering (MessageLabs, Microsoft, Google); Web Filtering; IDS rule lists; NIDS (Snort); NIPS.
Callouts:
• Too much data. Lack of relevancy.
• Approaching ½ million samples per day.
• PAIN COLUMN: Signatures won't scale anymore. All security vendors are struggling.
• Key criteria: 'quality' of signature DB affects enterprise buying decision. Wide gap between players.

[Slide diagram: Non-signature based approach]
Labels: Bad Guys; Known Exploit Vectors; Malware Distribution & Operation; Network Sandbox (Email Filtering, NIPS, Web Filtering); HOST Environment; Behavior Blocking (HIPS); Weighted Threshold Behavioral Engine; Successful Attacks; Point of Presence (HOST / NETWORK).
Callouts:
• This does not scale at network perimeter. SaaS email, Google for example, is not going to execute or render every attachment.
• Alert! Behavioral doesn't work at line speed! These are still signature based!
• This is not behavioral; it's impossible to scale behavioral here. This is wholly dependent on known exploit vector signatures.

[Slide diagram: HBGary Active Defense™]
Labels: HOST Physical Memory; Digital DNA™ Behavioral Engine; Weighted Threshold; Successful Attacks; Submit to MSSP; Submit to AV; Risk Intelligence FEED; Raw Knowledge (IP Address / URL / Netblock / Domain Name; Filenames / Paths; File MD5; Registry Keys / Paths; Service Names; Mutex Names; Binary Signatures); Encoded Knowledge (IDS rule lists; FW rule lists; AV DAT Files; Email Filtering; Web Filtering; NIDS; NGFW; AntiVirus; AV converged suites); Point of Presence (HOST / NETWORK).
Callouts:
• Encoded into security consumables.
• Known threats already present in Enterprise.
• Makes existing security investment smarter.
Why we don’t want to be AV
• We have no chance to unseat “Big AV”
• But, AV doesn’t work and customers know this
– AV needs better intelligence to do its job
– Virus signatures don’t work
– Signature model won’t scale
• We have no interest in consumer endpoints
• We are not going to clean & remove infections
• There is zero tolerance for false positives
Can signatures be sustained?
• Known facts:
– Signatures are what Enterprises know how to manage
– Signatures work very well at the network layer and customers want network-layer solutions
– Signature based model isn’t keeping up
– Bad guys are always going to get in
• Examine the way signatures are maintained
– Most of the DAT file is not relevant to an organization
– No signatures for targeted threats
Why we don’t want to be an IDS