Transcript Document
Advanced Threat Defense and
Next Generation Security
Joe Metzler, Network Security Architect, Intel Security
McAfee Confidential
Threat Landscape
• 236 new threats every minute, or almost 4 every second
• 46% increase in malicious signed binaries in Q1 2014
• 49% increase in new threats attacking the master boot record in Q1 2014
• 167% increase in the amount of mobile malware samples in the past year
• 1,000,000 new ransomware samples in 2013
• 18,000,000 new malicious URLs in Q1 2014, a 19% increase over the previous quarter
• 200,000,000+ unique malware samples contained in the McAfee “Zoo” as of Q1 2014
Source: McAfee Labs Threats Report: First Quarter 2014
What Is Advanced Malware?
Typically: Criminal, Stealthy, Targeted, Unknown, Evades Legacy-based Defenses, Discovered After the Fact
Theft, Sabotage, Espionage
Data loss, Costly clean-up, Long-term damage
Key Challenges
• The major advance in new threats has been the level of tailoring and targeting.
• Advanced threats are using targeted attacks to get past standard levels of security controls.
• Poor security practices and unmonitored employee behaviors can undermine the efficiency of advanced threat detection technologies.
Source: Strategies for Dealing With Advanced Targeted Attacks (Published 6 June 2013)
Advanced Malware: Market Wisdom
Sandboxing
However, Sandboxing by Itself Should Not be Your Only Defense
• Not Real Time
• Resource Intensive
• Lacks Scalability
Diagram: unknown files (shown as “?”) pass through the sandbox; some are classed Safe, some as Malware Unknown because there is no signature match, and some as Malware Identified because of behavior analysis.
Comprehensive Layered Approach
Chart: number of samples you can process (vertical axis) against compute cycles needed (horizontal axis), with the layers ordered from cheapest to most expensive:
• White/Black Listing (Known Good / Known Bad)
• GTI
• AV
• Real-time Emulation (Emulation)
• Dynamic and Static (File Execution)
The Packing Challenge
Custom packers used in targeted attacks
• Packing or protecting changes the composition of the code or obfuscates it to evade detection and reverse engineering
• Need to unpack to get to the original executable code for analysis
Packed malware can hide:
• Delayed execution
• Alternative execution paths
Chart: Packed Malware in 2012, by quarter (Q1 12 through Q4 12), scale 0 to 12,000,000 samples.
Source: McAfee Q4 2012 Quarterly Threat Report
Understand Your Adversary
Advanced Threat Defense immediately identifies the file as malicious with 14 specific classifications.
Note that static code analysis also shows that 43% of the code did not execute in the sandbox.
So what else is missed if only dynamic analysis is used?
Static Code Analysis
Advanced Threat Defense unpacks and reverse engineers the file to expose the actual code for analysis.
Advanced Threat Defense is able to compare this code to known malicious code, identifying this relatively unknown file as part of the Voter_1 malware family.
Note that static code analysis finds more than 71% similarity to the known malware family.
Dynamic And Static Analysis
Dynamic Analysis analyzes:
• Run Time DLLs
• Network Operations
• File Operations
• Process Operations
• Delayed execution
Static Analysis analyzes:
• Unpacking
• Disassembly of Code
• Calculate Latent Code
• Familial Resemblance
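An added example, not code from the original deck or from the product, of how the “Calculate Latent Code” step on this slide and the “43% of the code did not execute” figure two slides earlier can be scored: it compares the basic blocks a static disassembly found against the block addresses a sandbox trace actually reached. The blocks, addresses, API names and trace are all constructed for a toy sample, not a real binary.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class BasicBlock:
    start: int     # virtual address of the block's first instruction
    size: int      # code bytes covered by the block
    calls: tuple   # imported API names referenced from the block

# Constructed static disassembly of a small unpacked sample (not a real binary).
BLOCKS = [
    BasicBlock(0x401000, 24, ("GetTickCount",)),
    BasicBlock(0x401018, 40, ("Sleep",)),
    BasicBlock(0x401040, 64, ("CreateFileW", "WriteFile")),
    BasicBlock(0x401080, 48, ("InternetOpenA", "InternetConnectA")),
    BasicBlock(0x4010b0, 24, ()),
]

# Constructed sandbox trace: block start addresses the dynamic run actually reached.
TRACE = [0x401000, 0x401018, 0x4010b0]

def latent_code(blocks, trace):
    """Return (latent_fraction, unexecuted_blocks).

    latent_fraction is the share of disassembled code bytes the sandbox never
    executed (the same kind of figure as the slide's "43% did not execute");
    the unexecuted blocks are what a dynamic-only verdict cannot have seen.
    """
    executed = set(trace)
    total = sum(b.size for b in blocks)
    missed = [b for b in blocks if b.start not in executed]
    latent = sum(b.size for b in missed) / total if total else 0.0
    return latent, missed

def apis_in_latent_code(blocks, trace):
    """Distinct API names referenced only from blocks the sandbox never reached."""
    _, missed = latent_code(blocks, trace)
    reached = {api for b in blocks if b.start in set(trace) for api in b.calls}
    return sorted({api for b in missed for api in b.calls} - reached)

if __name__ == "__main__":
    frac, missed = latent_code(BLOCKS, TRACE)
    print(f"latent code: {frac:.0%} of disassembled bytes never executed")
    for b in missed:
        print(f"  {b.start:#x} ({b.size} bytes): {', '.join(b.calls) or '-'}")
    print("APIs only in latent code:", apis_in_latent_code(BLOCKS, TRACE))
```

On the constructed sample the sandbox ran 88 of 200 code bytes, so 56% is latent, and the file and network APIs live entirely in the unexecuted blocks.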
Broadest OS Support
Target-specific analysis: Analyze threats under the exact conditions of the actual host profile within the organization
• Reducing the chances of missed malware or false positives
• Faster results: scales sandboxing capacity
Customer-defined sandbox images:
• Windows XP 32/64 bit
• Windows 8 32/64 bit
• Windows 7 32/64 bit
• Windows Server 2000-2008
• Android
• Custom Image
Broad support covers corporate environments, including server and mobile traffic
AV-TEST Results
“The appliance showed great performance detecting 99.96% overall and no less than 99.5% in any single tested malware category. It also had a minimum of false positive detections at 0.01%.”
Advanced Threat Defense Detection
Sample Size: Malicious Files
• 7,616 Microsoft Office docs
• 4,752 PDF docs
• 131,871 Zoo Malware
• 12,132 Prevalent malware
Sample Size: Clean Files
• 96,722 clean files
Chart: detection rate (96% to 100% scale) for Microsoft Office Docs, PDF Documents, Zoo Malware and Prevalent Malware; Overall 99.96%
Advanced Threat Defense: Key Differentiators
• Comprehensive Approach
• High-detection Accuracy
• Centralized Deployment
Centralized Deployment
Centralized Deployment versus Protocol-Specific Deployment (Numerous Appliances): Lower Cost of Ownership and Scalability
Diagram of a centralized deployment:
• DMZ: Email Gateway, Web Gateway, Firewall, IPS (Email/DNS/App traffic), feeding Web Malware Analysis and Email Malware Analysis
• Data Center: Servers, feeding File Server Malware Analysis
• Management and Forensics: SIEM, ePO, Central Manager, Advanced Threat Defense (Malware Analysis/Forensics)
• End-user Endpoints
Advanced Threat Defense
• Faster Time to Malware Conviction, Containment, and Remediation
• Better Detection, Better Protection
• Lower Total Cost of Ownership
Firewall Evolution
Timeline chart: completeness of security against time (1988, 2008, 2012, 2013, 2014), from Traditional FWs to the “Connected” NGFW:
Traditional FWs
First NGFWs
• Inspection
• Application and user awareness
Performance Enhanced NGFWs
• Central management for large networks
• High availability
• Advanced evasion protection
“Connected” NGFW
• Connected to endpoint security
• Connected to real-time global threat database
• Connected to advanced threat detection
• Connected to security information and event mgmt.
Building An Advanced Security Connected Ecosystem
• Endpoint Management
• GTI: Reputation in the Cloud
• Next Generation Firewall & SMC
• SIEM
• McAfee Advanced Threat Defense
Integrates network, endpoint and global threat information for superior protection
Security Connected Ecosystem: Endpoint Intelligence Integration
McAfee ePO (Endpoint Management)
Discover and take action on dangerous or malicious endpoint behaviors
• IP addresses
• Ports
• Login credentials, etc.
Diagram: SMC admin and ePO, with direct links to endpoint log events
Security Connected Ecosystem: SIEM Integration
McAfee ESM (SIEM)
Quickly respond to alerts and unusual patterns on your network
• Sum events and track averages
• ID Anomalies
Alerts based on deviations
• Unusual user behavior
• Suspicious network activity spikes
• Anomalous communication patterns
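The “sum events and track averages, alert on deviations” idea on this slide, as an added example (not McAfee ESM’s logic): count events per source and hour, keep a baseline over that source’s earlier hours, and alert when an hour’s count exceeds the baseline mean by more than K standard deviations. The event log, the threshold K, the minimum history and the sigma floor are all assumptions made for the example.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

K = 3.0            # alert when a bucket exceeds mean + K standard deviations (assumed threshold)
MIN_HISTORY = 4    # buckets of history required before a baseline is trusted (assumed)
SIGMA_FLOOR = 1.0  # minimum spread, so a flat baseline still needs a real jump (assumed)

# Constructed event log: per-source counts of "login_failure" events for hours
# 08:00 through 15:00, expanded into (hour, source, event) tuples.
_HOURLY = {"alice": [2, 1, 2, 2, 1, 2, 2, 14],   # spike in the last hour
           "db01":  [5, 6, 5, 5, 6, 5, 6, 5]}    # steady
EVENTS = [(hour, src, "login_failure")
          for src, counts in _HOURLY.items()
          for hour, n in enumerate(counts, start=8)
          for _ in range(n)]

def bucket_counts(events):
    """Sum events per source and hour -> {source: [(hour, count), ...]} in hour order.
    An hour with no events for a source produces no bucket (assumed acceptable here)."""
    counts = defaultdict(Counter)
    for hour, src, _event in events:
        counts[src][hour] += 1
    return {src: sorted(c.items()) for src, c in counts.items()}

def detect_spikes(events, k=K, min_history=MIN_HISTORY):
    """Return [(source, hour, count, baseline_mean)] for buckets whose count
    exceeds mean + k * stdev of that source's earlier buckets."""
    alerts = []
    for src, series in bucket_counts(events).items():
        for i in range(min_history, len(series)):
            history = [n for _h, n in series[:i]]
            mu, sigma = mean(history), max(pstdev(history), SIGMA_FLOOR)
            hour, n = series[i]
            if n > mu + k * sigma:
                alerts.append((src, hour, n, round(mu, 2)))
    return alerts

if __name__ == "__main__":
    for src, hour, n, mu in detect_spikes(EVENTS):
        print(f"ALERT {src} {hour:02d}:00 count={n} baseline_mean={mu}")
```

On the constructed log only alice’s 15:00 bucket (14 failures against a baseline mean of about 1.7) trips the rule; db01’s steady 5-6 per hour never does.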
Security Connected Ecosystem: Advanced Threat Integration
McAfee Advanced Threat Defense
Deep analysis of suspect files exposes zero-day and advanced threats
Security Connected Ecosystem: GTI Integration
McAfee GTI: Reputation in the Cloud
Respond to real-time global threat information including insights from McAfee Labs
• File reputation
• URL reputation
• Web categorization
• Message reputation
• IP reputation
• Certification reputation
Intel Security Connected Ecosystem: How it Works
Less Time to Find, Freeze and Fix advanced threats
Diagram labels: FIND, FREEZE, FIX; McAfee SIEM; AV Scan; New File; logs; McAfee Next Generation Firewall; McAfee Advanced Threat Defense; Malware Warning!; McAfee ePolicy Orchestrator; McAfee Global Threat Intelligence (GTI)
Internal Additions
McAfee NGFW Features Landscape
• The First “Connected” Next Generation Firewall of the Market
• Leader in Advanced Evasions Protection
• The Most Productive Centralized Management on the Market
• Leader and Pioneer in High Availability
• Adaptable Unified Software Core
• Strong Inspection capabilities
• Increased Performance with Clustering
Feature wheel (carrying “5.7 addition” and “5.8 addition” version labels): Advanced Evasion Detection, Advanced Malware Detection, Low TCO, Performance, Application & User Control, Support Diverse Enterprise & MSP Use Cases, Centralized Management, Adaptive Architecture, Site to Site VPN, High Availability
…Comparing to the industry
McAfee provides adaptable security with competitive TCO
Palo Alto
• Malware protection: Wildfire has limited file type and decryption support
• VPN: Complicated, non-scalable VPN management, no SSL VPN Portal
• Security Connected: Limited portfolio compared to McAfee
Fortinet
• Malware protection: Limited threat intelligence sources, unproven FortiSandbox
• VPN: Poor, non-scalable VPN management
• Security Connected: As a UTM focused company, lacks integrations between security systems and a broad portfolio
Check Point
• Malware protection: Lack of true sandboxing solution
• VPN: Requires extra licensing – TCO impact
• Security Connected: Weak end-point security and lack of SIEM solutions
Cisco
• Malware protection: Lack of in-system malware protection system
• VPN: Poor VPN and management capabilities
• Security Connected: Not a security focused company with no strong security vision
The Most Advanced Anti-Malware Protection
Strong in all aspects – superior as an integration solution
• McAfee Anti-Virus
• McAfee ATD
• McAfee GTI: Most comprehensive threat Intelligence on the market
Test results (test, detection rate, false positives, result):
• McAfee Advanced Threat Defense Test, commissioned by Intel Security and performed by AV-TEST GmbH (report: July 10, 2014): detection rate 99.96%, false positives 0.01%, result July 2014
• NSS Labs Protection & Evasion Test 2013
Summary: In June 2014 AV-TEST performed a test of the McAfee Advanced Threat Defense appliance malware detection capabilities. The appliance showed great performance detecting 99.96% overall and no less than 99.5% in any single tested malware category. It also had a minimum of false positive detections at 0.01%.
Delivering ADAPTIVE THREAT PREVENTION
Apply the POWER of KNOWLEDGE
Advanced Targeted Attack: ENCOUNTER to CONTAINMENT in milliseconds