Data Security for experts

1. Automated Breach
Defense
CONFIDENTIAL AND PROPRIETARY | ©2014 DAMBALLA

2. Why Advanced Threat
Protection and Containment?
Percent of breaches that remain
undiscovered for months or more
“There is widespread agreement that advanced attacks are
bypassing traditional signature-based security… The threat
is real. You are compromised; you just don't know it.”
– Gartner, Inc., 2012
69% of breaches
were spotted by an
external party –
9% were spotted
by customers. 69%
“Prevention is crucial, and we can’t lose sight of that goal.
But we must accept the fact that no barrier is
impenetrable, and detection/response represents an
extremely critical line of defense. Let’s stop treating
itlike a backup plan if things go wrong and start
making it a core part of the plan.”
– Verizon Data Breach Study 2013

3. How big is the problem in terms of dollars?
3
32 days
Average time to resolve a
known cyber attack
$1.04M
Average total cost to the
organization over 32 days
63%
Of enterprises say it’s only a
matter of time until they’re
targeted by APT

4. How big is the problem in terms of resources?
4
86%
Of CISOs say lack of confidence
in ability to manage risk is due to
staffing
81%
Of security leaders say staffing
challenges will remain the same
or get worse over next 5-10 years
2/3’s
Of CISOs say they are short-
staffed and therefore
vulnerable to breaches

5. The Old Security Stack
Prevention DetectionATTACK INFECTION DAMAGE
INFECTION RISK BUSINESS RISK
Firewall
IDS/IPS
Web Security
Email Security
Sandboxing
Host AV/IPS/FW
Resource intensive, inefficient manual
investigation efforts.
“Is this alert real or a false positive?”
ALERT & LOGS
SOC
SIEM
Single Pane of Glass

6. The New Security Stack
Prevention DetectionATTACK INFECTION DAMAGE
INFECTION RISK BUSINESS RISK
NGFW
Endpoint
Containment
Sandboxing
Email Gateway
ALERT & LOGS
SOC
SIEM
Single Pane of Glass
LEGACY
Host AV/IPS/FW
Damballa fills the
security gap
between failed
prevention and
your incident
response

7. Damballa: Automated Breach Defense
› Automatically
identify active
threats
› With certainty
Regardless of
prior visibility or
knowledge of
malware sample,
infection vector
or source
Focus on true,
active infections
Confidently
prioritize response
Proactively block
infections you
haven’t gotten to
Enabling A
Breach Resistant Organization

8. Predictive Security Analytics Platform
Case Analyzer
Platform
 Connection
 Query
• Indicators of
Compromise
• Threat Actors / Intent
 File
 Request
• Zero Day Files
• Suspicious HTTP
Content
 Domain Fluxing
 Automation
 Execution
 Peer-To-Peer
• Automated Malicious Activity
• Observed Evasion Tactics
 Data Transferred
 PCAPs
 Communication Success
 Malicious File Availability
 Sequence of Events
 Importance of Endpoint
 Malware Family Intent
 Severity
 AV Coverage
Damage Potential
•Observed Activity
•Device Properties
•Threat Sophistication
•Threat Intent
9 Risk
Profilers
Prioritized Risk
of Confirmed
Infections
8 Detection
Engines
Rapid Discovery &
Validation
of Infections
8

9. Damballa Failsafe Architecture
Hub & Spoke | 1 U Appliances | Out of Band
Damballa Failsafe
Data Center Corporate HQ
Data Center Remote Office
Data Center / Office
Sensor Sensor
Backhaul
Sensor
Management
Console
Egress
Proxy
DNS
Proxy
DNS
Egress
Traffic Monitored by Sensor

10. Our Formula – Delivering Predictive
Security Analytics

11. Visibility for Security
and Risk Professionals
Infographics styled
dashboards,
presenting critical
information upon login.
Dashboard Assets Files Reports System Threats
Damballa Failsafe 5.2
Welcome Admin
My Account | Help | Logout

12. Incident Reports for
Security Managers

13. Assurance for Executives

14. Damballa Customer Success:
Breach Defense = Lower Risk
› Augment client teams
before, during,
or install
› Provide threat
analysis & research
Professional
Services
Customer
Support
Customer
Advocacy
Education
& Training
Ensure adoption
& value realization
Provide tech &
functional support
Manage updates &
upgrades
Teach customers
how to use Failsafe
Provide industry
knowledge

15. Automated
Breach Defense
Customer
Case Studies

16. Global Family Entertainment Company
Saves $2.0M Over 18 Months
Challenge
A major entertainment company suspected persistent threats on their network and
brought in a well-known incident response firm to help. The firm’s evidence was
hard to corroborate and lack of visibility forced IT to constantly perform bare-metal
restores to machines that may or may not have actually been a risk to the
organization.
Solution
The company, which operates many non-Windows devices (Macs, iOS, Android
and even embedded systems), purchased Damballa Failsafe because the solution
is platform-agnostic. “The ability to cover multiple platforms and operating systems
across the enterprise separated Damballa Failsafe from the others.” The company
currently protects over 100,000 enterprise devices throughout the organization.
Result
The company has saved $2.0M in 18 months from improved response capabilities.
“ We’re not wasting
money and time
for truck rolls on
things that aren’t
actually infected.
One hundred percent
of the machines that
Damballa Failsafe
has identified as
infected have in
fact been infected.”

17. Fortune 500 Entertainment Company
Plugs Gaps in Defense
Challenge
A major media company knew their network was slow, and they were spending a lot of
time troubleshooting users systems, related to security. None of their solutions were
alerting them to malicious traffic, so infections remained hidden.
Solution
The company selected Damballa Failsafe to fill the gaps resulting from signature-based
defenses.“Within 48 hours, we saw a clear difference with Damballa Failsafe. We
understood what, where and how the threat activity was occurring, blocked the threat and
triaged that information into an actionable task such as patch management or cleaning up
other security instrumentation.”
Result
The IT team reduced the number of monthly incidents by over 99%.
“ Everybody does
signatures and
sandboxing. Failsafe
does behavior
detection, and that’s
the right ingredient for
our network security
sandwich. Damballa
is the secret sauce we
were missing,” said
their information
security director. ”

18. Major Tech Company Fights APTs
with Lean Security Staff
Challenge
A major technology company needed additional visibility into threats on their network. They
were spending 4-5 days responding to a single malware incident, meaning higher-priority
projects were not getting completed by their small team.
Solution
“We were interested in a company that was focused on researching APTs and innovating in
this space. We wanted strong focus on detection, not a one-box-does-all solution,” said
their Senior IT Security Specialist. The company began its Damballa Failsafe deployment
with one sensor and immediately realized benefits as a result of the added visibility
provided by the product.
Result
Damballa saved more than a week, reducing the time to resolve a threat from hours/days to
less than 20 minutes, depending on the criticality of the threat. Damballa also accelerated
incident response decisions and reactions due to the accurate data and the ability to
pinpoint threats early and easily remediate them.
“ I love the product –
it is extremely easy
to set up and deploy.
In just five to ten
minutes I can have a
new sensor up and
running and see
what’s on the network.”

19. The University of Tampa
Increases Visibility
Challenge
Fostering freedom of learning and exchange of knowledge while protecting the school’s
research and information. “I have two challenges,” said Tammy Clark, CISO. “Protecting
these environments in a manner that allows us to maintain that open culture and being
able to see what the bad guys are doing.”
Solution
The University of Tampa purchased Damballa for its ability to identify active threats and
level of intelligence it provides on command-and-control behavior sets it apart from other
advanced threat detection solutions. “Other technologies don’t provide the same level of
intelligence. Failsafe is like having a pair of eyes on the network that let you see what is
otherwise invisible to the naked eye,” said Clark.
Result
Clark credits Damballa for enabling her team to reduce the time required to respond to an
incident while improving overall network security.
“ Damballa lets us be
highly proactive in
detecting advanced
threats. When we see
network activity in
Failsafe, we can quickly
pivot to other security
controls to see if that
activity is also showing
up somewhere else and
shut it down. There is
a high confidence factor
in the solution being
able to find a threat and
show it to us quickly,
so we can take action
to contain and remediate
it effectively.”