Copyright © 2015, FireEye, Inc. All rights reserved. CONFIDENTIAL
TAP Detect for Splunk
Dave Davis, FireEye
david.davis@fireeye.com
HOW HAS THE THREAT LANDSCAPE CHANGED?
PROFESSIONAL
ATTACKERS
DETERMINED
ORGANIZED
WELL FUNDED
SOPHISTICATED TOOLS
MULTI-FLOW EXPLOITS
SANDBOX DETECTION
OBFUSCATION / HIDING
* Source: FireEye DTI
100% OF COMPROMISES USED STOLEN CREDENTIALS
46% OF COMPROMISED COMPUTERS HAD NO MALWARE
PERSISTENT TACTICS
TARGETED
INNOVATIVE
CUSTOMIZED
THE CONTINUOUS THREAT PREVENTION PROCESS
• DETECT: SIGNATURE-LESS AND MULTI-FLOW VIRTUAL MACHINE BASED APPROACH THAT LEVERAGES SUPERIOR THREAT INTELLIGENCE
• RESPOND: REMEDIATION SUPPORT AND THREAT INTELLIGENCE TO RECOVER AND IMPROVE RISK POSTURE
• PREVENT: MULTI-VECTOR INLINE KNOWN AND UNKNOWN THREAT PREVENTION
• ANALYZE: CONTAINMENT, FORENSICS INVESTIGATION AND KILL CHAIN RECONSTRUCTION
FIREEYE ADAPTIVE DEFENSE
TECHNOLOGY
• IDENTIFIES KNOWN, UNKNOWN, AND NON-MALWARE BASED THREATS
• INTEGRATED TO PROTECT ACROSS ALL MAJOR ATTACK VECTORS
• PATENTED VIRTUAL MACHINE TECHNOLOGY
EXPERTISE
• “GO-TO” RESPONDERS FOR SECURITY INCIDENTS
• HUNDREDS OF CONSULTANTS AND ANALYSTS
• UNMATCHED EXPERIENCE WITH ADVANCED ATTACKERS
INTELLIGENCE
• 50 BILLION+ OBJECTS ANALYZED PER DAY
• FRONT LINE INTEL FROM HUNDREDS OF INCIDENTS
• MILLIONS OF NETWORK & ENDPOINT SENSORS
• HUNDREDS OF INTEL AND MALWARE EXPERTS
• HUNDREDS OF THREAT ACTOR PROFILES
• DISCOVERED 16 OF THE LAST 25 ZERO-DAYS
FIREEYE THREAT INTELLIGENCE
A GLOBAL DEFENSE COMMUNITY
DYNAMIC THREAT INTELLIGENCE
• 3,000+ CUSTOMERS IN 60+ COUNTRIES
• 9M+ VIRTUAL MACHINES
• 3M+ ENDPOINTS
• REAL-TIME INFORMATION SHARING
• RISK AND CONTEXT TO PRIORITIZE RESPONSE
• TACTICAL AND STRATEGIC INTELLIGENCE WITH ATTRIBUTION THAT IS APPLICABLE AND ACTIONABLE TO YOUR ORGANIZATION
FIREEYE THREAT INTELLIGENCE – DELIVERED TO SPLUNK
THREAT ANALYTICS PLATFORM DETECT
ACQUIRE
• 100s CONSULTING ENGAGEMENTS "CLOSE TO BREACH"
• 9M+ VM DETONATIONS PER HOUR DEPLOYED WORLDWIDE, SHARING THREAT INTELLIGENCE BACK
• 100+ VENDORS IN ONE OF THE INDUSTRY’S LARGEST MALWARE AND INTELLIGENCE EXCHANGE NETWORKS
ANALYZE / APPLY (HPC, DTI)
[Infographic figures: 2B EVENTS; 760M CALLBACK EVENTS; 300+ MALWARE FAMILIES TRACKED; 50 APT THREAT ACTORS TRACKED; 16 ZERO-DAY EXPLOIT DISCOVERIES SINCE 2013; 40 INDUSTRY THREAT PROFILES; 50B RECORDS; 240TB INTEL DATA; 1.2M BINARIES PER DAY]
DETECTING THE UNDETECTABLE IN TAP
INDICATORS
• MILLIONS OF SIMPLE FACTS ABOUT KNOWN BAD BEHAVIOR
• COLLECTED VIA 100K+ HOURS OF INCIDENT RESPONSE AND 9M+ VM SENSORS WORLDWIDE
• DOMAINS, IP ADDRESSES, EMAIL ADDRESSES, AND MD5 HASHES
RULES
• OUR EXPERTS’ KNOWLEDGE EXPRESSED THROUGH TAP
• UPDATED BASED ON LATEST MANDIANT IR WORK & HEADLINES
• DETECTS NON-MALWARE ATTACKER METHODOLOGIES AS WELL AS MALWARE FAMILY BEHAVIOR
SECURITY ANALYTICS
• ENRICHMENT POINTS ADD TO CORRELATIONS IN SPLUNK
• DETECTS PREVIOUSLY UNKNOWN ATTACKER BEHAVIOR
• FOCUSED ON NON-MALWARE ACTIVITY, E.G. LATERAL MOVEMENT & EXFILTRATION
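As an added illustration of the first and third columns on this slide (indicators of the four listed types matched against forwarded events, with the hit carried into the event as enrichment fields for Splunk correlation), here is a small matcher of my own; it is not FireEye or TAP code, and the indicator values and log lines are constructed placeholders.

```python
import re

# Constructed indicator set covering the four indicator types the slide
# lists: domains, IP addresses, email addresses, MD5 hashes. Values are
# placeholders (reserved example ranges), not real FireEye intelligence.
INDICATORS = {
    "domain": {"update-cdn.example.net": "constructed: C2 domain, actor TEST-ACTOR-1"},
    "ip":     {"203.0.113.45": "constructed: callback address, actor TEST-ACTOR-1"},
    "email":  {"payroll@example.org": "constructed: phishing sender"},
    "md5":    {"0123456789abcdef0123456789abcdef": "constructed: known dropper"},
}

# Constructed key=value style events standing in for logs forwarded to TAP.
SAMPLE_LOGS = [
    "2015-10-01T12:00:01Z dns client=10.0.0.15 query=update-cdn.example.net type=A",
    "2015-10-01T12:00:05Z proxy src=10.0.0.15 dst=203.0.113.45 url=http://203.0.113.45/b.php status=200",
    "2015-10-01T12:01:10Z mail from=payroll@example.org to=jsmith@corp.example subject=Invoice",
    "2015-10-01T12:02:30Z endpoint host=WS-015 file=C:\\Users\\jsmith\\invoice.exe md5=0123456789abcdef0123456789abcdef",
    "2015-10-01T12:03:00Z dns client=10.0.0.22 query=www.example.com type=A",
]

RE_MD5 = re.compile(r"\b[0-9a-f]{32}\b", re.I)
RE_IP = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
RE_EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
RE_DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def extract_observables(line):
    """Return {type: set(values)} for the observables found in one event."""
    found = {
        "md5": {m.lower() for m in RE_MD5.findall(line)},
        "ip": set(RE_IP.findall(line)),
        "email": {m.lower() for m in RE_EMAIL.findall(line)},
    }
    # Blank out email addresses before the domain pass so the mail domain of
    # an address is not reported as a separate domain observable.
    stripped = RE_EMAIL.sub(" ", line)
    found["domain"] = {m.lower() for m in RE_DOMAIN.findall(stripped)}
    return found


def match_indicators(lines, indicators=INDICATORS):
    """One record per (line, type, value) that appears in the indicator set,
    carrying the indicator's context so it can be attached as enrichment."""
    hits = []
    for idx, line in enumerate(lines):
        for kind, values in extract_observables(line).items():
            for value in sorted(values & set(indicators.get(kind, {}))):
                hits.append({"line": idx, "type": kind, "value": value,
                             "context": indicators[kind][value]})
    return hits


def enrich(line, hits_for_line):
    """Append ioc_* fields to the raw event so a downstream correlation
    search can key on them instead of re-matching the indicator."""
    extra = " ".join(f'ioc_type={h["type"]} ioc_value={h["value"]} '
                     f'ioc_context="{h["context"]}"' for h in hits_for_line)
    return f"{line} {extra}".rstrip()


if __name__ == "__main__":
    all_hits = match_indicators(SAMPLE_LOGS)
    for i, event in enumerate(SAMPLE_LOGS):
        print(enrich(event, [h for h in all_hits if h["line"] == i]))
```

The last sample line matches nothing and is passed through unchanged, which is the case a matcher must get right before it is trusted with real volume.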
FIREEYE INTELLIGENCE: MORE THAN JUST DETECTION
• TACTICAL INTELLIGENCE: MACHINE-TO-MACHINE INTELLIGENCE TO DETECT AND PREVENT THE KNOWN AND UNKNOWN ATTACKS
• CONTEXTUAL INTELLIGENCE: ALERT CONTEXT TO IDENTIFY RISK LEVEL, ATTACKER INSIGHTS, AND IOCS TO INFORM ALERT RESPONSE
• STRATEGIC INTELLIGENCE: ATTACK CONTEXT TO BUILD THREAT ACTOR AND INDUSTRY INSIGHTS TO PROACTIVELY STAY AHEAD OF THE ATTACKER
CONTEXT VIA FIREEYE INTELLIGENCE CENTER (FIC)
TAP DETECT
FIREEYE TAP AND SPLUNK: BETTER TOGETHER
1. End-to-end Enterprise Visibility
2. Process: FireEye applies intelligence, rules, and analytics
3. Detect: Detected alerts are pulled in to Splunk
4. Security Operations
THREAT ANALYTICS PLATFORM DETECT
CONFIGURING TAP DETECT
CONFIGURING TAP DETECT IN SPLUNK
INSTALL THE FIREEYE SPLUNK APP
CONFIGURING TAP DETECT
FORWARD EVENTS TO TAP
CONFIGURING SPLUNK FOR TAP
CREATE AN API KEY TO ALLOW DATA TO BE PULLED INTO SPLUNK
CONFIGURE SPLUNK INPUTS
SPLUNK WILL PULL ALERTS AND INCIDENTS FROM TAP
THE SPLUNK + TAP EXPERIENCE
THE FIREEYE SPLUNK APP
SPLUNK + TAP IN ACTION
Attribution
APT Family
Threat Actor Profile
MANAGING INTEL WITH FIREEYE
Importing Threat Intel
Enrichment
Redaction
Sharing
Exporting Signatures
THE INTELLIGENCE WORKFLOW SUMMARY
DETECTION
CONTEXT
LEARN
COLLABORATE
SHARE
SOUND INTERESTING?
• TAP Detect is available now
• Visit our booth, talk with your FireEye Account Executive, or email tap@fireeye.com
• Find evil!
QUESTIONS?

Editor's Notes

  1. Of course “Detection to Response in Minutes” could sound like just a slogan unless you put some substance to back it up. That’s what I will talk about next. First, as with most things, process is key – a continuous threat prevention process. It’s continuous because the attackers are always there. So if you were attacked today, and you manage to detect it and get the attacker out, there is no reason you will not be attacked tomorrow. This is a business process like everything else you do in your business. And it has to be continual to be effective. And that means it has to have the appropriate technology, the appropriate staff, so it can operate like a regular part of your business and not some fire drill. So what are the phases you need to care about? Well, you definitely care about detection. Can you identify as early as possible that you’re being attacked? And we’re absolutely providing that in our solution. We’ll talk about that in just a minute. You do want to have some prevention. When I say prevention, understand that you can’t prevent every attack outright. But there are many that you can. And if you can, and you’re slowing the attacker down because perhaps a piece of malicious software gets into the victim environment but it can’t communicate back to the bad guy, you prevented or blocked it, or contained it to the impacted system, fantastic. Now you’re reducing the attacker’s agility. That’s an important step in the process. You have to be able to analyze. So if you see that attack, you can’t just say “oh, I probably prevented it.” You need to go and look and find out for sure. And if you don’t go and look and find out for sure, you’re contributing to the 229-day statistic. You need to analyze and investigate to find out for sure, and scope whether you have a problem. And if you do have a problem, you ultimately at the end of the day need to respond to it. You have to remediate. You need to contain the systems involved. You need to get the attacker off of your network. And you can only effectively do that when you understand the full scope of their activities. That’s why analysis is required before you can be effective at responding to the attack. And then when you’re done, you’re right back into detection. And this is a forever cycle. The attacker doesn’t sleep. They’re not going away. You have to do the same thing. This is how FireEye thinks about this problem. Our solutions then assist you in applying it in your environment as well as measuring it for effectiveness so you can improve it.
  2. So what is the solution? Why FireEye? At the end of the day, you have to have technology – best-in-class products that can support each phase of that process and can scale to serve large organizations. It’s not a technology that’s based on just looking for signatures. It has to be one that’s based on looking at behaviors. And one that can find new attacks without having to know what they look like. So that’s a must-have to enter this space and be effective. You also have to have intelligence. You have to be close to the breach. In other words, when attackers are attacking companies, when they are having success, you have to have experience seeing how they behave. This is important because it gives an unparalleled view of what’s actually going on day-to-day. You also need that intelligence to span not just one organization, but a group of organizations all standing together so you can see trends across industries and geographies. And we, of course, have a fantastic track record there in terms of our number of customers, the way our products are built and architected and our track record in identifying new attacks. In 16 of the last 22 Zero-Days out in the public, who identified them? FireEye. We have that track record. This is also where we have a significant differentiator in our Mandiant incident response and security consulting services. We use that frontline incident response experience to improve our products and to make our products more intelligent. Finally, you have to have expertise. I’ve talked all through this conversation about the need to have a person that is countering the attacker, who is also a person. So that’s a human being. That’s knowledge. And whether that’s you, or you select a strategic partner that can provide that expertise for you, one way or another you have to have that part of the equation as well. You can’t just be a product vendor. You have to be a security company if you’re going to be successful. And if we think about all the things that FireEye is across our entire portfolio, that’s us. We are that solution. This is Adaptive Defense. Note: These past two slides are really important. And the specifics are important. So you’re going to want to keep the phrases technology, intelligence and expertise at the core of the way you talk to your customers, because a lot of things will come from marketing and the CTO’s office that use that. And you want us to be an amplifier for your message. Some customers want white papers and thought leadership pieces, and other stuff besides the sales materials about a product. You’re going to want that anchor. So what you say and what we say links. The other important concept is Detect → Prevent → Analyze → Respond. You will see different cycle loops out there like this. And some of them use different words. Make sure you use these words consistently.
  3. In addition to the MVX engine, we’ve also enabled our products with something that we call DTI, or Dynamic Threat Intelligence. And what does that do? Well, we’re interconnecting the appliances in a customer’s environment with each other. And we’re also interconnecting them with FireEye. You can enable one-way sharing, which ensures FireEye will send intelligence updates to your MVX appliances. But you can also enable two-way sharing which allows us to move some of that intelligence around the FireEye global defense community. And protect not only you, but the entire FireEye universe. And as we’re continuing to evolve the intelligence offering, we’re now going to be able to do things like give you more context about an attack. We don’t want to tell you just, “hey, I got attacked”. We want to say “Here’s who it is. Here’s the risk, and here’s how active that threat is.” That’s the power of being part of a global defense community. And with our thousands of customers and millions of virtual machines you know we can give you access to a defense community that’s, frankly, more effective than anyone else’s.
  4. Remember: a percentage of attacks will get through
  5. Remember: a percentage of attacks will get through