2. Why Advanced Threat Protection and Containment?
[Chart: percent of breaches that remain undiscovered for months or more: 69%]
“There is widespread agreement that advanced attacks are bypassing traditional signature-based security… The threat is real. You are compromised; you just don't know it.”
– Gartner, Inc., 2012
69% of breaches were spotted by an external party; 9% were spotted by customers.
“Prevention is crucial, and we can’t lose sight of that goal. But we must accept the fact that no barrier is impenetrable, and detection/response represents an extremely critical line of defense. Let’s stop treating it like a backup plan if things go wrong and start making it a core part of the plan.”
– Verizon Data Breach Study 2013
3. How big is the problem in terms of dollars?
32 days: average time to resolve a known cyber attack
$1.04M: average total cost to the organization over 32 days
63% of enterprises say it’s only a matter of time until they’re targeted by APT
4. How big is the problem in terms of resources?
86% of CISOs say lack of confidence in ability to manage risk is due to staffing
81% of security leaders say staffing challenges will remain the same or get worse over the next 5-10 years
2/3 of CISOs say they are short-staffed and therefore vulnerable to breaches
5. The Old Security Stack
[Diagram: Prevention | Detection across Attack → Infection → Damage; Infection Risk → Business Risk]
Components: Firewall, IDS/IPS, Web Security, Email Security, Sandboxing, Host AV/IPS/FW
Alerts & logs → SOC, SIEM, Single Pane of Glass
Resource intensive, inefficient manual investigation efforts: “Is this alert real or a false positive?”
6. The New Security Stack
[Diagram: Prevention | Detection across Attack → Infection → Damage; Infection Risk → Business Risk]
Components: NGFW, Endpoint Containment, Sandboxing, Email Gateway; Legacy: Host AV/IPS/FW
Alerts & logs → SOC, SIEM, Single Pane of Glass
Damballa fills the security gap between failed prevention and your incident response.
7. Damballa: Automated Breach Defense
› Automatically identify active threats
› With certainty, regardless of prior visibility or knowledge of malware sample, infection vector or source
› Focus on true, active infections
› Confidently prioritize response
› Proactively block infections you haven’t gotten to
Enabling a Breach Resistant Organization
8. Predictive Security Analytics Platform
Case Analyzer Platform inputs:
• Connection Query: Indicators of Compromise; Threat Actors / Intent
• File Request: Zero Day Files; Suspicious HTTP Content
• Domain Fluxing, Automation Execution, Peer-To-Peer: Automated Malicious Activity; Observed Evasion Tactics
• Data Transferred; PCAPs
Evidence and risk inputs: Communication Success, Malicious File Availability, Sequence of Events, Importance of Endpoint, Malware Family Intent, Severity, AV Coverage, Damage Potential; Observed Activity, Device Properties, Threat Sophistication, Threat Intent
9 Risk Profilers: prioritized risk of confirmed infections
8 Detection Engines: rapid discovery & validation of infections
9. Damballa Failsafe Architecture
Hub & Spoke | 1U Appliances | Out of Band
[Diagram: Damballa Failsafe sensors at Data Center / Corporate HQ, Data Center / Remote Office and Data Center / Office, with backhaul to the Management Console]
Traffic monitored by sensor: Egress, Proxy, DNS
10. Our Formula – Delivering Predictive Security Analytics
11. Visibility for Security and Risk Professionals
Infographic-styled dashboards, presenting critical information upon login.
[Screenshot: Damballa Failsafe 5.2 dashboard with Dashboard, Assets, Files, Reports, System and Threats tabs]
14. Damballa Customer Success: Breach Defense = Lower Risk
› Augment client teams before, during, or install
› Provide threat analysis & research
Functions: Professional Services, Customer Support, Customer Advocacy, Education & Training
Activities: Ensure adoption & value realization; Provide tech & functional support; Manage updates & upgrades; Teach customers how to use Failsafe; Provide industry knowledge
16. Global Family Entertainment Company Saves $2.0M Over 18 Months
Challenge
A major entertainment company suspected persistent threats on their network and brought in a well-known incident response firm to help. The firm’s evidence was hard to corroborate, and lack of visibility forced IT to constantly perform bare-metal restores to machines that may or may not have actually been a risk to the organization.
Solution
The company, which operates many non-Windows devices (Macs, iOS, Android and even embedded systems), purchased Damballa Failsafe because the solution is platform-agnostic. “The ability to cover multiple platforms and operating systems across the enterprise separated Damballa Failsafe from the others.” The company currently protects over 100,000 enterprise devices throughout the organization.
Result
The company has saved $2.0M in 18 months from improved response capabilities.
“We’re not wasting money and time for truck rolls on things that aren’t actually infected. One hundred percent of the machines that Damballa Failsafe has identified as infected have in fact been infected.”
17. Fortune 500 Entertainment Company Plugs Gaps in Defense
Challenge
A major media company knew their network was slow, and they were spending a lot of time troubleshooting users’ systems for security-related problems. None of their solutions were alerting them to malicious traffic, so infections remained hidden.
Solution
The company selected Damballa Failsafe to fill the gaps resulting from signature-based defenses. “Within 48 hours, we saw a clear difference with Damballa Failsafe. We understood what, where and how the threat activity was occurring, blocked the threat and triaged that information into an actionable task such as patch management or cleaning up other security instrumentation.”
Result
The IT team reduced the number of monthly incidents by over 99%.
“Everybody does signatures and sandboxing. Failsafe does behavior detection, and that’s the right ingredient for our network security sandwich. Damballa is the secret sauce we were missing,” said their information security director.
18. Major Tech Company Fights APTs with Lean Security Staff
Challenge
A major technology company needed additional visibility into threats on their network. They were spending 4-5 days responding to a single malware incident, meaning higher-priority projects were not getting completed by their small team.
Solution
“We were interested in a company that was focused on researching APTs and innovating in this space. We wanted strong focus on detection, not a one-box-does-all solution,” said their Senior IT Security Specialist. The company began its Damballa Failsafe deployment with one sensor and immediately realized benefits as a result of the added visibility provided by the product.
Result
Damballa saved more than a week, reducing the time to resolve a threat from hours/days to less than 20 minutes, depending on the criticality of the threat. Damballa also accelerated incident response decisions and reactions due to the accurate data and the ability to pinpoint threats early and easily remediate them.
“I love the product – it is extremely easy to set up and deploy. In just five to ten minutes I can have a new sensor up and running and see what’s on the network.”
19. The University of Tampa Increases Visibility
Challenge
Fostering freedom of learning and exchange of knowledge while protecting the school’s research and information. “I have two challenges,” said Tammy Clark, CISO. “Protecting these environments in a manner that allows us to maintain that open culture and being able to see what the bad guys are doing.”
Solution
The University of Tampa purchased Damballa for its ability to identify active threats and for the level of intelligence it provides on command-and-control behavior, which sets it apart from other advanced threat detection solutions. “Other technologies don’t provide the same level of intelligence. Failsafe is like having a pair of eyes on the network that let you see what is otherwise invisible to the naked eye,” said Clark.
Result
Clark credits Damballa for enabling her team to reduce the time required to respond to an incident while improving overall network security.
“Damballa lets us be highly proactive in detecting advanced threats. When we see network activity in Failsafe, we can quickly pivot to other security controls to see if that activity is also showing up somewhere else and shut it down. There is a high confidence factor in the solution being able to find a threat and show it to us quickly, so we can take action to contain and remediate it effectively.”
Editor's notes
More effective discovery is important
Not more alerts
Your problem is not finding more advanced malware; it’s finding the really infected devices
SOURCE #1: 63% - ISACA, “Advanced Persistent Threat Awareness Report,” 2013
SOURCE #2: Ponemon Institute, “2013 Costs of Cyber Crime Study,” October 2013
SOURCE #1: 63% - (ISC)2, sixth “Global Information Security Workforce Study (GISWS),” February 2013
SOURCE #2: 86% - Forrester, “Surviving the Technical Security Skills Crisis,” May 2013
SOURCE #3: 81% - Forrester, “Surviving the Technical Security Skills Crisis,” May 2013
Damballa Enables Organizations to:
Rapidly identify active threats
With 100% certainty
Without triage efforts or delays
Independent of having a malware sample
Regardless of malware type, infection vector or source
As a Breach Resistant Organization You Can:
Quickly and efficiently stop real losses
Find previously undetected threats
Remove the threats that can cause losses NOW
Increase efficiency, and effectiveness by eliminating alert chasing
Dramatically reduce overall risk
Damballa Failsafe uses a hub-and-spoke distributed computing architecture. Sensors are placed in key locations within the network to observe all ports of traffic in both directions (Egress, Proxy, and DNS). The sensors and their Deep Packet Inspection engines listen to traffic passively off a tap or SPAN port. The sensors all talk to each other so they can track a device’s activity over time. Suspicious evidence is brought back to the Management Console to be examined by the Case Analyzer, and then a verdict is passed. All evidence is presented through the MC.
Because of Our Formula: Damballa has unique access to a very large data set of unfiltered, unstructured and unbiased internet and enterprise network data.
While most security companies’ “Labs” are filled with reverse malware engineers, ours is filled with PhDs, research scientists and machine learning experts who apply mathematical algorithms that reveal the techniques and infrastructure being used by threat actors… and we’ve been doing this for seven years.
No other security company has the unique Big Data that Damballa has, much less one that has been applying leading-edge security research and related machine learning for as long as Damballa.
Big Data
-8 trillion records per year
-200GB-300GB of internet and enterprise network data each day
-Malware Samples Analyzed: 100K/day; 36.5M/yr.
-Unique DNS Records: 22B/day; 8T/yr.
-7 Years of Machine Learning Refinement
Machine Learning/Data Science
-7 years
-13 Patents Filed, 2 already granted
-8 Detection Profilers & Expanding
-9 Risk Profilers & Expanding
-Partnerships pivoting from Damballa Discoveries
Engines Leverage Big Data
-Fortune 2000 Enterprises
-Global ISPs & Telcos
-Academic and Industry Partnerships
-Future Proof
-Behavioral
-Example: Domain Fluxing (DGA)
-Example: Peer-To-Peer
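The notes above name domain fluxing (DGA) as the behavioural detection example and describe a DNS sensor feeding evidence back to a console. The following added example, written for this page and not Damballa's own engine or code, shows the shape of that kind of behavioural check in Python: it scores each queried name on lexical features (length, Shannon entropy, vowel ratio) and then aggregates per client, because the signal a defender acts on is one host cycling through many unregistered, machine-looking names, not a single odd lookup. The log format, the thresholds and the sample log lines are all constructed for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log (hypothetical format: timestamp client qname rcode).
# 10.0.0.12 behaves normally; 10.0.0.44 cycles through algorithmically generated names,
# most of which do not resolve (NXDOMAIN), the pattern a domain-fluxing bot produces.
SAMPLE_DNS_LOG = """\
2013-10-01T09:00:01 10.0.0.12 www.example.com NOERROR
2013-10-01T09:00:02 10.0.0.12 mail.example.com NOERROR
2013-10-01T09:00:03 10.0.0.12 cdn.example.net NOERROR
2013-10-01T09:01:00 10.0.0.44 xk3q7vz9pl2mw.info NXDOMAIN
2013-10-01T09:01:01 10.0.0.44 q8z1vbn4ktx2r.info NXDOMAIN
2013-10-01T09:01:02 10.0.0.44 m7pz2wqx9ks4h.net NXDOMAIN
2013-10-01T09:01:03 10.0.0.44 ztv4h1x8qpn6j.org NXDOMAIN
2013-10-01T09:01:04 10.0.0.44 w2kz9qvx7mbt5.biz NOERROR
2013-10-01T09:02:00 10.0.0.44 www.example.com NOERROR
"""

VOWELS = set("aeiou")


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def registered_label(qname):
    """Label directly under the TLD, e.g. 'example' for 'www.example.com'.
    Simplification for this example: splits on dots only and ignores
    multi-part public suffixes such as co.uk."""
    labels = qname.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def name_features(qname):
    """Lexical features of the registered label; DGA output tends to be long,
    high-entropy and vowel-poor compared with human-chosen names."""
    label = registered_label(qname)
    n = len(label)
    return {
        "label": label,
        "length": n,
        "entropy": shannon_entropy(label),
        "vowel_ratio": sum(ch in VOWELS for ch in label) / n if n else 0.0,
        "digit_ratio": sum(ch.isdigit() for ch in label) / n if n else 0.0,
    }


def is_dga_like(qname, min_len=10, min_entropy=3.0, max_vowel_ratio=0.25):
    """Threshold rule chosen by hand for this example; a production engine
    learns such boundaries from labelled data rather than fixing them."""
    f = name_features(qname)
    return (f["length"] >= min_len and f["entropy"] >= min_entropy
            and f["vowel_ratio"] <= max_vowel_ratio)


def parse_dns_log(text):
    """Parse the constructed 4-column log; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, rcode = parts
        records.append({"ts": ts, "client": client, "qname": qname, "rcode": rcode})
    return records


def profile_clients(records):
    """Per client: distinct DGA-like names requested and the share of failed lookups."""
    prof = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "suspicious": set()})
    for r in records:
        p = prof[r["client"]]
        p["queries"] += 1
        if r["rcode"] == "NXDOMAIN":
            p["nxdomain"] += 1
        if is_dga_like(r["qname"]):
            p["suspicious"].add(registered_label(r["qname"]))
    return {
        client: {
            "queries": p["queries"],
            "nxdomain_ratio": p["nxdomain"] / p["queries"],
            "suspicious_names": len(p["suspicious"]),
        }
        for client, p in prof.items()
    }


def flag_clients(profiles, min_suspicious=3):
    """One odd name is noise; several distinct ones from one host is the behaviour to act on."""
    return sorted(c for c, p in profiles.items() if p["suspicious_names"] >= min_suspicious)


if __name__ == "__main__":
    profiles = profile_clients(parse_dns_log(SAMPLE_DNS_LOG))
    for client, p in sorted(profiles.items()):
        print(client, p)
    print("flagged:", flag_clients(profiles))
```

Running the block flags only 10.0.0.44, which asked for five distinct DGA-like names with a two-thirds NXDOMAIN rate, while 10.0.0.12 scores zero on both counts. The per-client aggregation is the important design choice: lexical scoring alone produces false positives on CDN hostnames and tracking domains, so the verdict should rest on repeated behaviour from one device, and the NXDOMAIN ratio gives an independent second signal to corroborate it before anyone spends time on a truck roll.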
Visibility into current security posture for advanced threats
Rapid knowledge of active infections
Which infections are under successful control of an adversary
Which infections pose the highest risk to the organization and which devices have been re-infected.
Dashboards: Average Infection Age, Riskiest Infected Assets, Maliciously Controlled Assets, Infected Assets Over Time,…
Robust reporting, relaying important information regarding the state of your network
Reports: Infection Lifecycle, Malware in Motion, System Health, Incident, Malware Trace…