5 Habits of Highly Effective Endpoint Threat Protection

Post on 13-Apr-2017

5 Habits of Highly Effective Endpoint Threat Protection

November 18, 2015

© 2015 Forrester Research, Inc. Reproduction Prohibited 2

tripwire.com/blog

@cindyv

cvalladares@tripwire.com

forrester.com

@rholland

rholland@forrester.com

Cindy Valladares Rick Holland

Endpoint security has been in drought conditions for years

But now the rain is finally coming!

Endpoint investment is increasing

Source: Forrester’s Business Technographics® Global Security Survey, 2015

Note: Values may not equal 100% due to omission of “don’t know” responses

5 Habits of Highly Effective Endpoint Threat Protection

1. Buyers must first live off the land

2. Prevention isn’t dead, but you must fall back to detection

3. This adversary isn’t going to hunt itself

4. Small footprint is required

5. Visibility isn’t enough, action is required

#1 Buyers must first live off the land

Expense in Depth

Where do you get diminishing returns on investments?

Living off the land

› Before you invest in any capabilities, maximize all existing capabilities first

› Look to existing vendors before adding new vendors to your portfolio

› Investment in new technologies and vendors is legitimate, once appropriate due diligence is conducted first

#2 Prevention isn’t dead, but you must fall back to detection

Targeted-Attack Hierarchy of Needs

NIST Cybersecurity Framework

#3 The adversary isn’t going to hunt itself

Solutions must possess the ability to hunt

› Need the ability to ingest:

  Threat intelligence feeds

  Internally sourced threat intelligence

› Proactively hunt for threat indicators

› Manual hunting is the bare minimum requirement; the programmatic ability to ingest bulk indicators via API is preferred

Hunting at scale, when one Vin Diesel isn’t enough

#4 A small footprint is required

When was the last time you heard anyone say that they have a “large footprint?”

Small footprint required

› Transparent user experience required

› Transparent administration experience required

› Be careful of “yet another agent syndrome”

› Look at the size of the agent and the percentage of CPU utilized

› Kernel or user space? Operating within the kernel can be dangerous

#5 Visibility isn’t enough, action is required

Automate as much as possible

Crawl, walk, run with automation

› Automation doesn’t have to sacrifice legitimate traffic

› Human intervention required for automation until confidence is built

› Enrichment can be automated

› Automation from endpoint, to identity, to network devices

Wrap up – vendor selection

5 Habits of Highly Effective Endpoint Threat Protection

1. Buyers must first live off the land

2. Prevention isn’t dead, but you must fall back to detection

3. This adversary isn’t going to hunt itself

4. Small footprint is required

5. Visibility isn’t enough, action is required

Habit #1: Buyers Must Live Off the Land

Be the Bear Grylls of Infosec

More than 10 Million Endpoints Deployed

The most comprehensive data collection capabilities on the planet

Every change on every asset, including who made the change

Comprehensive asset, application and vulnerability discovery

Secure and reliable log collection

Asset tagging, automated actions, correlation

What Could You Build?

Habit #2: Prevention Isn’t Dead, Fall Back to Detection

Prevention and Detection

Shrink the Attack Surface

Identify Suspicious Changes

Habit #3: This Adversary Isn’t Going to Hunt Itself

Support for Hunting

IoCs

Custom IoCs

Habit #4: Small Footprint is Required

The Smallest Footprint is The Agent You Already Have

9,000+ Customers

10,000,000 Assets

96+ Countries

Tripwire is used by:

› 90% of the Top 10 Utilities

› 80% of the Top 10 Global Retailers

› 70% of the Top 10 Global Telecommunications Firms

› More than 50% of the Fortune 500

Habit #5: Visibility Isn’t Enough, Action is Required

From Visibility to Action

Integrate to Enterprise Workflow

Increase/Decrease Monitoring

Run an Executable

Investigate
