Damballa automated breach defense june 2014

Date post: 21-May-2015
Page 1

Automated Breach Defense

CONFIDENTIAL AND PROPRIETARY | ©2014 DAMBALLA

Page 2

Why Advanced Threat Protection and Containment?

Chart: percent of breaches that remain undiscovered for months or more.

“There is widespread agreement that advanced attacks are bypassing traditional signature-based security… The threat is real. You are compromised; you just don't know it.” – Gartner, Inc., 2012

69% of breaches were spotted by an external party; 9% were spotted by customers.

“Prevention is crucial, and we can’t lose sight of that goal. But we must accept the fact that no barrier is impenetrable, and detection/response represents an extremely critical line of defense. Let’s stop treating it like a backup plan if things go wrong and start making it a core part of the plan.”

– Verizon Data Breach Study 2013

Page 3

How big is the problem in terms of dollars?

32 days: average time to resolve a known cyber attack

$1.04M: average total cost to the organization over those 32 days

63% of enterprises say it’s only a matter of time until they’re targeted by APT

Page 4

How big is the problem in terms of resources?

86% of CISOs say lack of confidence in their ability to manage risk is due to staffing

81% of security leaders say staffing challenges will remain the same or get worse over the next 5-10 years

2/3 of CISOs say they are short-staffed and therefore vulnerable to breaches

Page 5

The Old Security Stack

Diagram: Prevention and Detection layers laid over the ATTACK → INFECTION → DAMAGE timeline, with infection risk turning into business risk.

Firewall

IDS/IPS

Web Security

Email Security

Sandboxing

Host AV/IPS/FW

Resource intensive, inefficient manual investigation efforts.

“Is this alert real or a false positive?”

ALERT & LOGS → SOC → SIEM (single pane of glass)

Page 6

The New Security Stack

Diagram: Prevention and Detection layers laid over the ATTACK → INFECTION → DAMAGE timeline, with infection risk turning into business risk.

NGFW

Endpoint Containment

Sandboxing

Email Gateway

ALERT & LOGS → SOC → SIEM (single pane of glass)

LEGACY: Host AV/IPS/FW

Damballa fills the security gap between failed prevention and your incident response

Page 7

Damballa: Automated Breach Defense

› Automatically identify active threats

› With certainty

Regardless of prior visibility or knowledge of malware sample, infection vector or source

Focus on true, active infections

Confidently prioritize response

Proactively block infections you haven’t gotten to

Enabling A Breach Resistant Organization

Page 8

Predictive Security Analytics Platform

Case Analyzer Platform

Connection Query

• Indicators of Compromise

• Threat Actors / Intent

File Request

• Zero Day Files

• Suspicious HTTP Content

Domain Fluxing | Automation | Execution | Peer-To-Peer

• Automated Malicious Activity

• Observed Evasion Tactics

Data Transferred, PCAPs, Communication Success, Malicious File Availability, Sequence of Events, Importance of Endpoint, Malware Family, Intent, Severity, AV Coverage

Damage Potential • Observed Activity • Device Properties • Threat Sophistication • Threat Intent

9 Risk Profilers: Prioritized Risk of Confirmed Infections

8 Detection Engines: Rapid Discovery & Validation of Infections
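The slide names “Domain Fluxing” as one of the detection engines and “Importance of Endpoint” among the inputs to the risk profilers, but shows nothing of how such logic operates. The following is an added illustration written for this page, not Damballa’s code: it scans a constructed DNS resolver log for hosts that query bursts of algorithmic-looking names that fail to resolve (the footprint a domain-fluxing detector looks for), then ranks the flagged hosts by evidence weight times an assumed endpoint-importance value, which is the spirit of “prioritized risk of confirmed infections”. The log format, the entropy/length/vowel thresholds, `NXDOMAIN_BURST_THRESHOLD` and the importance scale are all assumptions chosen for the example.

```python
"""Added illustration (not Damballa's code): a toy domain-fluxing detector run
over constructed DNS log lines, followed by a simple endpoint-weighted risk ranking."""
import math
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample resolver log (not real data):
# "<timestamp> <client_ip> <queried_name> <response_code>"
SAMPLE_DNS_LOG = """\
2014-06-02T09:00:01 10.1.4.22 www.example.com NOERROR
2014-06-02T09:00:02 10.1.4.22 cdn.example.net NOERROR
2014-06-02T09:00:03 10.1.4.57 xk3q9vz1lp.com NXDOMAIN
2014-06-02T09:00:03 10.1.4.57 p0w8nq7tfb.net NXDOMAIN
2014-06-02T09:00:04 10.1.4.57 zr4mc2yhkx.org NXDOMAIN
2014-06-02T09:00:04 10.1.4.57 j5dv1xq8wn.com NXDOMAIN
2014-06-02T09:00:05 10.1.4.57 hb9ltk3zqp.info NXDOMAIN
2014-06-02T09:00:06 10.1.4.57 mail.example.com NOERROR
2014-06-02T09:00:07 10.1.4.90 intranet.example.com NOERROR
"""

# Assumed threshold: this many distinct algorithmic-looking names failing
# resolution from one client is treated as a fluxing burst.
NXDOMAIN_BURST_THRESHOLD = 3

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for the empty string)."""
    if not text:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(domain: str) -> str:
    """Naive second-level label: 'www.example.com' -> 'example'.
    A production detector would consult the Public Suffix List instead."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_algorithmic(label: str) -> bool:
    """Heuristic for machine-generated labels: long, high-entropy, and either
    digit-bearing or vowel-poor. Thresholds are illustrative assumptions."""
    if len(label) < 8:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    has_digit = any(ch.isdigit() for ch in label)
    return shannon_entropy(label) >= 3.0 and (has_digit or vowel_ratio < 0.25)


def parse_dns_log(text: str) -> List[dict]:
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, rcode = m.groups()
        records.append({"ts": ts, "client": client, "qname": qname, "rcode": rcode})
    return records


def fluxing_evidence(records: List[dict]) -> Dict[str, Set[str]]:
    """Per client IP, the distinct algorithmic-looking labels that returned NXDOMAIN."""
    evidence: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        if r["rcode"] != "NXDOMAIN":
            continue
        label = registrable_label(r["qname"])
        if looks_algorithmic(label):
            evidence[r["client"]].add(label)
    return dict(evidence)


def flagged_clients(records: List[dict]) -> List[str]:
    """Clients whose NXDOMAIN burst meets the assumed threshold."""
    ev = fluxing_evidence(records)
    return sorted(ip for ip, labels in ev.items() if len(labels) >= NXDOMAIN_BURST_THRESHOLD)


def prioritize(records: List[dict], endpoint_importance: Dict[str, int]) -> List[Tuple[str, int]]:
    """Rank flagged clients by evidence count times an assumed 1..5 endpoint-importance
    weight (unknown endpoints default to 1), highest risk first."""
    ev = fluxing_evidence(records)
    ranked = [(ip, len(ev[ip]) * endpoint_importance.get(ip, 1)) for ip in flagged_clients(records)]
    return sorted(ranked, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    importance = {"10.1.4.57": 3}  # constructed: e.g. a finance workstation
    for ip, score in prioritize(recs, importance):
        print(f"{ip}: risk score {score}, labels={sorted(fluxing_evidence(recs)[ip])}")
```

The separation matters: `fluxing_evidence` is the detection step and `prioritize` is the risk step, so an analyst can inspect the raw labels behind a flag before trusting the score, and the importance table can come from an asset inventory rather than being hard-coded.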

Page 9

Damballa Failsafe Architecture

Hub & Spoke | 1U Appliances | Out of Band

Diagram: Damballa Failsafe deployment. Sensors sit at the Data Center (Corporate HQ), the Data Center (Remote Office) and the Data Center / Office sites, with a backhaul Sensor and a central Management Console. Each Sensor monitors Egress, Proxy and DNS traffic.

Page 10

Our Formula – Delivering Predictive Security Analytics

Page 11

Visibility for Security and Risk Professionals

Infographic-styled dashboards, presenting critical information upon login.

Screenshot: Damballa Failsafe 5.2 console (tabs: Dashboard | Assets | Files | Reports | System | Threats; header: Welcome Admin, My Account | Help | Logout).

Page 12

Incident Reports for Security Managers

Page 13

Assurance for Executives

Page 14

Damballa Customer Success: Breach Defense = Lower Risk

Professional Services

› Augment client teams before, during, or after install

› Provide threat analysis & research

Customer Support

› Provide tech & functional support

› Manage updates & upgrades

Customer Advocacy

› Ensure adoption & value realization

Education & Training

› Teach customers how to use Failsafe

› Provide industry knowledge

Page 15

Automated Breach Defense: Customer Case Studies

Page 16

Global Family Entertainment Company Saves $2.0M Over 18 Months

Challenge: A major entertainment company suspected persistent threats on their network and brought in a well-known incident response firm to help. The firm’s evidence was hard to corroborate, and the lack of visibility forced IT to constantly perform bare-metal restores on machines that may or may not have actually been a risk to the organization.

Solution: The company, which operates many non-Windows devices (Macs, iOS, Android and even embedded systems), purchased Damballa Failsafe because the solution is platform-agnostic. “The ability to cover multiple platforms and operating systems across the enterprise separated Damballa Failsafe from the others.” The company currently protects over 100,000 enterprise devices throughout the organization.

Result: The company has saved $2.0M in 18 months from improved response capabilities.

“We’re not wasting money and time for truck rolls on things that aren’t actually infected. One hundred percent of the machines that Damballa Failsafe has identified as infected have in fact been infected.”

Page 17

Fortune 500 Entertainment Company Plugs Gaps in Defense

Challenge: A major media company knew their network was slow, and they were spending a lot of time troubleshooting users’ systems for security-related problems. None of their solutions were alerting them to malicious traffic, so infections remained hidden.

Solution: The company selected Damballa Failsafe to fill the gaps left by signature-based defenses. “Within 48 hours, we saw a clear difference with Damballa Failsafe. We understood what, where and how the threat activity was occurring, blocked the threat and triaged that information into an actionable task such as patch management or cleaning up other security instrumentation.”

Result: The IT team reduced the number of monthly incidents by over 99%.

“Everybody does signatures and sandboxing. Failsafe does behavior detection, and that’s the right ingredient for our network security sandwich. Damballa is the secret sauce we were missing,” said their information security director.

Page 18

Major Tech Company Fights APTs with Lean Security Staff

Challenge: A major technology company needed additional visibility into threats on their network. They were spending 4-5 days responding to a single malware incident, meaning higher-priority projects were not getting completed by their small team.

Solution: “We were interested in a company that was focused on researching APTs and innovating in this space. We wanted strong focus on detection, not a one-box-does-all solution,” said their Senior IT Security Specialist. The company began its Damballa Failsafe deployment with one sensor and immediately realized benefits from the added visibility the product provided.

Result: Damballa saved more than a week, reducing the time to resolve a threat from hours/days to less than 20 minutes, depending on the criticality of the threat. Damballa also accelerated incident response decisions and reactions thanks to accurate data and the ability to pinpoint threats early and remediate them easily.

“I love the product – it is extremely easy to set up and deploy. In just five to ten minutes I can have a new sensor up and running and see what’s on the network.”

Page 19

The University of Tampa Increases Visibility

Challenge: Fostering freedom of learning and exchange of knowledge while protecting the school’s research and information. “I have two challenges,” said Tammy Clark, CISO. “Protecting these environments in a manner that allows us to maintain that open culture and being able to see what the bad guys are doing.”

Solution: The University of Tampa purchased Damballa for its ability to identify active threats; the level of intelligence it provides on command-and-control behavior sets it apart from other advanced threat detection solutions. “Other technologies don’t provide the same level of intelligence. Failsafe is like having a pair of eyes on the network that let you see what is otherwise invisible to the naked eye,” said Clark.

Result: Clark credits Damballa with enabling her team to reduce the time required to respond to an incident while improving overall network security.

“Damballa lets us be highly proactive in detecting advanced threats. When we see network activity in Failsafe, we can quickly pivot to other security controls to see if that activity is also showing up somewhere else and shut it down. There is a high confidence factor in the solution being able to find a threat and show it to us quickly, so we can take action to contain and remediate it effectively.”
