
WHITE PAPER

Combating Advanced Persistent Threats Through Detection

Table of Contents

Introduction 3
What is an Advanced Persistent Threat? 4
Malware Prevention Methods Under Fire 4
The Power of Big Data Analytics 5
Beyond the Enterprise - BYOD 6
Seculert: The Best Bet for your Budget 7
Summary 7


INTRODUCTION
A series of recent high-profile security breaches has underscored that malware prevention strategies are consistently failing to adequately protect enterprises from advanced persistent threats (APTs). It's time to embrace a better alternative: threat detection built on big data analytics.

When it comes to prevention methods, information security vendors have traditionally fallen into two camps: either allowing what's on a whitelist and preventing everything else, or preventing what's on a blacklist and allowing everything else. Either way, they're fixated on the tactic of prevention. In addition, systems such as firewalls, IPS, IDS and Secure Web Gateways fail to detect and protect the network because they are policy- and/or signature-based and can manage only real-time traffic. They are also limited by the capacity of the appliance (CPU, storage, etc.), which means they cannot detect persistent threats.

At Seculert, our take is different. We know that no prevention method can be perfectly implemented, and something is always going to get through. Therefore, it is far more effective to focus solely on post-infection detection, and we use big data analytics as the best way to achieve that goal.

[Figure: customer internal logs and live botnet intelligence feed Seculert's big data analytics, yielding APT detection (with zero false positives).]


What is an Advanced Persistent Threat?

There has been some debate in the security industry over the definition of an advanced persistent threat (APT) and how the term came into use. Most agree that the term came into wide use in January 2010, when Google publicly announced that it had been the victim of a prolonged cyber-attack in 2009. Google admitted that valuable intellectual property had been stolen via a network break-in. Some associate APT with state-sponsored cyberwarfare, but for our purposes the term refers to any attack targeted at an organization to steal data, especially intellectual property. APT attacks are typically stealthy, targeted efforts that are not one-time events but last for a protracted period of time.

Malware Prevention Methods Under Fire

In January 2013, the New York Times reported that it had been the subject of a sophisticated attack by Chinese hackers for the previous four months. PC World's 2012 reporting concluded that digitally signed malware was becoming increasingly prevalent. Malware authors are interested in signing installers, not just drivers, because some antivirus solutions assume that digitally signed files are legitimate and don't scan them.

One prevention method, whitelisting, has recently been the darling of the media. In September 2012, Forrester came out with a report touting whitelisting as a tantalizing alternative to legacy security methodologies, which it refers to as "whack-a-mole" approaches. In spite of the hype, major failures continued to surface in the media. In February 2013, news outlets reported a major breach of security firm Bit9. What stands out about this breach is not that malware managed to get past a whitelist, but that the attackers stole Bit9's own encryption certificates, making the malware appear benign, as if it were coming from a trusted source.

As far back as April 2011, Dark Reading published an article stating that attackers are using better encryption or customized functions to make reverse engineering more difficult. Attackers use obfuscation to make malicious software harder to analyze and to stop security tools, such as intrusion-detection systems, from recognizing the attack.

The ongoing rash of security breaches underlines an indisputable fact: prevention methods can never be 100% certain. So, if the real question is post-infection detection, the answer is big data analytics.

The Power of Big Data Analytics

According to IDC's 2011 Digital Universe Study, data will grow 50X in the next 10 years. Both the sources and types of data are expanding continuously, every minute of every day. This digital universe presents unique opportunities and huge infrastructure challenges.

Big data analytics is the process of examining large amounts of a variety of data types to uncover hidden patterns, previously unknown correlations and other useful information. Big data is having an impact on every IT segment, including business intelligence (agile analytics and the predictive enterprise), marketing (powerful social media insights), IT infrastructure (tracking mobile device usage) and more. In the cyber-security arena, harnessing big data analytics makes it possible to create a powerful threat detection engine that will achieve better results than any known malware prevention method.

Seculert's big data engine collects and analyzes terabytes of data from sources both internal and external to the organization.

1. By actually joining live botnets, Seculert intercepts live botnet traffic. The botnet traffic is compiled into a large dataset that enables infection detection on both internal and remote devices.

2. Customers can upload suspicious executables to a cloud-based elastic sandbox and allow the malware to evolve over time. The sandbox enables robust malware profiling by simulating different environments and geographical regions.

3. Seculert facilitates crowdsourcing in the truest sense of the word. The system is vendor agnostic, allowing customers to upload HTTP traffic log files and share data no matter which security solutions they are using. This is a win-win: the more data available, the more malware can be discovered.


4. As a pure cloud service, Seculert is able to digest huge amounts of data over time. Over 40,000 unique samples of unknown malware are collected and profiled by Seculert on a daily basis. Seven million new infected IP addresses are identified every day. Tens of thousands of compromised enterprises are detected worldwide. Petabytes of botnet traffic and customer logs are analyzed monthly.

Over time, Seculert continues to digest huge amounts of data in order to identify persistent attacks that have gone undetected by other on-premises security solutions for days, weeks, months or even years. How? Built on Amazon Elastic MapReduce, Seculert's big data analysis cloud rapidly analyzes vast amounts of log data, going back months and even years, to compare it against the myriad unique malware samples collected and profiled by Seculert. Seculert's solution utilizes the Apache Hadoop framework, which supports data-intensive distributed applications across large hardware clusters.

Using this state-of-the-art big data backbone, Seculert scans massive amounts of data to find tracks of malware connectivity. Unlike traditional firewalls, which require an on-the-spot decision on whether or not a packet is malicious, Seculert's big data approach can apply multiple parallel offline scans to ensure a comprehensive search is conducted. Each scan takes a different perspective on the data to detect advanced malware. This approach of correlating enterprise-supplied (internal) data with live botnet (external) intelligence allows Seculert to provide industry-leading forensic investigation and real-time detection of APTs, alerting users to compromised endpoints while drastically improving threat detection rates and reducing false positives.

Beyond the Enterprise - BYOD

Employees are increasingly using mobile devices to do their work, and these devices are often not the property of the corporation but belong to the employees themselves. Remote connection to the enterprise, from home, while traveling, or via WiFi at a café, is on the rise. It is clear that today's security solution needs to reach beyond the corporate network, and the bring-your-own-device (BYOD) trend has accelerated this need. Lockheed Martin stepped up measures to protect its data after a hacker attack in early 2011 affected remote access to Lockheed systems. Lockheed had to send 90,000 replacement SecurIDs to employees, and employees had to reset all of their passwords company-wide.

The Lockheed Martin breach underscores the fact that the BYOD environment has created challenges for the traditional approach to cyber-security, which is based on the constraint that the organization can only control what it owns. The Seculert product is unique in the marketplace in that it can determine compromised devices externally. Seculert will detect any kind of malware in any environment, including both malware running within the enterprise network and malware infecting remote employees on any device.

Seculert's botnet interception system gathers botnet traffic into a large dataset and enables customers to search for infections on both internal and remote devices via a web-based dashboard. You simply enter keywords, such as the external IP addresses of the enterprise and any web interface domains the organization has opened up: internally, for example sharepoint.mycompany.com; externally to remote employees, such as owa.mycompany.com; or to partners, such as partnersport.mycompany.com. When Seculert identifies malicious activity in any data source, it automatically detects similar activities in other sources, even if the data originates from different companies. This enables discovery of targeted attacks across distributed enterprise environments, or even across multiple organizations and industries.

Seculert users are provided with forensic information detailing detected attacks in reports available in the Seculert Web dashboard. This includes the ability to view specific APT attacks, infected endpoints (including mobile) and phone-home calls to ever-changing criminal servers. The Web dashboard provides drill-down capability to the raw botnet traffic logs that hold the evidence for the APT or unknown malware. As more and more applications and other digital assets move to the cloud, securing the network in traditional ways is insufficient. Using a cloud-based approach makes it easier to run sophisticated detection across devices both inside and outside the network.
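The retrospective correlation of internal HTTP logs with external botnet intelligence described above, as an added example that is not Seculert's code: a small map/reduce-style pass replays a constructed proxy log against constructed C2 indicators, each tagged with the date it became known, so phone-homes that predate the indicator (which a real-time, signature-based gateway could not have blocked) are counted separately per endpoint. All host names, addresses and dates are constructed.

```python
"""Retrospective C2 correlation over archived HTTP proxy logs (added example).

A real-time gateway must judge each request with the intelligence it has at
that moment; an offline scan can replay months of logs against indicators that
became known later.  Log lines and indicators below are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed proxy log, one request per line: timestamp client_ip method host path status
PROXY_LOG = """\
2013-01-03T09:14:02 10.1.4.22 GET update-check.example-cdn.net /ping 200
2013-01-03T09:15:10 10.1.4.22 GET www.example.com /index.html 200
2013-01-10T09:14:05 10.1.4.22 GET update-check.example-cdn.net /ping 200
2013-02-14T23:01:44 10.1.7.90 POST stats.example-metrics.org /up 200
2013-02-21T09:14:03 10.1.4.22 GET update-check.example-cdn.net /ping 200
2013-03-02T08:00:00 10.1.9.15 GET www.example.com /news 200""".splitlines()

# Constructed botnet intelligence: C2 host -> date the indicator became known.
C2_INTEL = {
    "update-check.example-cdn.net": datetime(2013, 2, 1),
    "stats.example-metrics.org": datetime(2013, 3, 1),
}

def map_hits(lines, intel):
    """Map step: emit (client_ip, c2_host, timestamp) for every request to a known C2."""
    for line in lines:
        ts, client, _method, host, _path, _status = line.split()
        if host in intel:
            yield client, host, datetime.fromisoformat(ts)

def reduce_hits(hits, intel):
    """Reduce step: per (client, c2) record the dwell window, the beacon count and
    how many phone-homes predate the indicator, i.e. a live blocklist missed them."""
    out = defaultdict(lambda: {"first": None, "last": None, "beacons": 0, "missed_live": 0})
    for client, host, ts in hits:
        rec = out[(client, host)]
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
        rec["beacons"] += 1
        rec["missed_live"] += int(ts < intel[host])
    return dict(out)

def scan(lines=PROXY_LOG, intel=C2_INTEL):
    """Run both phases; in a Hadoop job the reduce would be keyed on (client, host)."""
    return reduce_hits(map_hits(lines, intel), intel)

if __name__ == "__main__":
    for (client, host), r in scan().items():
        print(f"{client} -> {host}: {r['beacons']} beacons over "
              f"{(r['last'] - r['first']).days} days, {r['missed_live']} before indicator was known")
```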


Seculert: The Best Bet for your Budget

When determining your security strategy, budget considerations are as important as effectiveness. Says Art Coviello, executive chairman of RSA: "Roughly 70% to 80% of the budget is spent on prevention; only 15% to 20% on detection; and, inexplicably, only 5% to 10% on response." According to Coviello, organizations often make the error of directing too large a percentage of their budget towards prevention rather than detection. Instead of investing in suboptimal prevention tactics, the smarter investment is a bullet-proof detection strategy.

Seculert's cloud service is non-intrusive and designed to complement any existing security infrastructure. By utilizing Seculert's API, our customers gain additional, unique cloud-based malware detection capabilities on top of the on-premises security products in which they have already invested. An added advantage is that the client organization does not need to manage and maintain boxes, nor worry about hardware components, storage and other physical network concerns. And when it comes time to scale up? With Seculert's cloud-based approach, it is a non-issue: an organization can scale from one month of logs to one year's worth in an hour. Without the need for new hardware, software or changes to the corporate network, deployment of the Seculert solution is instantaneous and extremely cost-effective, and the customer receives immediate detection results.

Summary
This document has provided an overview of the technology, frameworks and concepts on which the Seculert solution is based. Seculert is an elastic, scalable, cloud-based malware detection service that is designed to meet the needs of organizations of any size. Corporations are realizing a rapid return on their Seculert investment through increased threat detection, reduced false positives, and less impact on their IT infrastructure. For more information on Seculert solutions, call +1-718-305-7067 or visit www.seculert.com.


For a Free Trial click here: http://www.seculert.com/freetrial.html

SECULERT Mota Gur 7, Petach-Tikva, Israel. Tel: +972-3-9193366 Tel (US): +1-718-305-7067 Email: info@seculert.com http://www.seculert.com
