This document provides an agenda and overview for an information security workshop on defending endpoints with Windows tools and knowledge. The workshop covers why malware is difficult to defeat due to shifting attack surfaces and blind spots like endpoints. It discusses how most security investments go to perimeter defenses rather than endpoints. The document outlines strategies for improving endpoint visibility and resilience through detection tools like EDR and hardening. It also discusses using real malware samples in hands-on labs to understand ransomware behavior and opportunities for disruption. The goal is to demonstrate how to achieve security with only Windows tools by leveraging detection and resilience over reliance on prevention alone.

1. STRANDED ON INFOSEC ISLAND:
DEFENDING THE ENTERPRISE WITH NOTHING BUT
WINDOWS AND YOUR WITS
Adrian Sanabria
Director of Research,Threatcare
@sawaba

2. Help me better understand you and what you’re hoping
to get out of this workshop! (6 Questions)
https://bit.ly/InfoSecIslandSurvey
Grab the latest copy of the slides
• Use QR code to the right
• Email sawaba@SendYourSlides.com with
InfoSecWorld2018 as the Subject.
https://clients.amazonworkspaces.com/
GETTING STARTED
1
2
3

3. WHOAMI – ADRIAN SANABRIA
IT Practitioner
Security Practitioner
Security Consultant
Industry Analyst
Business Owner
$

4. 9:00am - PART1 (90min) Why Malware Wins
10:30am – BREAK1 (15min)
10:45am – PART2 (75min) Defensive Strategy
12:00pm – LUNCH (45min)
12:45pm – PART3 (105min) Windows Defenses  LABS
2:30pm – BREAK2 (15min)
2:45pm – PART4 (135min) Disrupting Malware  LABS
5:00pm – FINISHED
AGENDA

5. We’re going to play with some real malware. I’ve made efforts to
minimize the risk. If you’re not 100% comfortable with that, don’t
do it – look at a neighbor’s laptop or borrow a chromebook. I don’t
recommend doing this on a corporate laptop unless you have
permission or are planning on wiping it before putting it back on a
production network. Neither Adrian, Threatcare, nor MISTI are
responsible for any malware infections that occur.
YOU HAVE BEEN WARNED IN ALL CAPS (which makes lawyers
more comfortable)
WARNING

6. PART1: WHY
MALWARE
WINS

7. WHAT’S THE POINT HERE? WHY “INFOSEC ISLAND”?
Time
Underused
Resources
Expense in
Depth
Agility

8. WHAT’S THIS ALL ABOUT?
What if we already had everything we needed to stop attacks…
…but didn’t realize it?

9. WHY IS THE ENDPOINT IMPORTANT?
1. This is where work happens
2. One of the easiest paths into a company
3. BYOD and ShadowIT are unsolved problems

10. WHY IS MALWARE SO DIFFICULT TO DEFEAT?
1. We no longer have one perimeter: we have many
2. Endpoint is a blind spot
3. Shifting the blame (we get hacked because users click links)
4. Discarding solutions because they weren’t perfect
5. Bad guys can shift tactics much more quickly
10

11. YET MOST OF OUR INVESTMENTS GO INTO ONE PERIMETER
11
90%+ of the security
budget*
* - varies quite a bit from company to company

12. THE BIG 4 ENTERPRISE BLIND SPOTS
12
Endpoint East-West Traffic
Cloud/SaaS Data

13. PEBKAC
13
PWNED
NOT
PWNED
But… WHY?

14. RESILIENCE IS THE ULTIMATE GOAL
14
NGAV EDR Hardening

15. TODAY’S WORKSHOP, SUMMARIZED
Windows
Endpoints
Resilience Malware

16. AV FAILED.
WHY?

17. WHERE THE INDUSTRY FAILED
Products that only work at corporate HQ
Products that break the user
Assuming any one layer must achieve 100% efficacy
Products that bury the analyst in data
Making consumers a secondary priority
17

18. SHOCKER: KILLING AV SHOULD BE THE GOAL.
Thought: What if you could be secure without AV now?
Thought: What if using AV was more of a risk than not using it?

19. UNDERSTANDING THE ATTACK SURFACE AND VECTORS
3 ways to get malware or hacked
Direct: You run my code willingly
Indirect: I trick you into doing something
that results in you running my code
Exploit: I use vulnerabilities in your
software to get in…
…and vulns are EVERYWHERE
Malware delivery

20. SECURITY PRODUCTS ARE ATTACK SURFACE
Found while researching AV security
products:
• malware is unpacked in the kernel
• RCEs that give attacker SYSTEM/root
• 7yro vuln-ridden OSS baked in
Not just endpoint: AV engines are
embedded EVERYWHERE
Tavis Ormandy,
Google Project Zero

21. SECURITY SOFTWARE: THE LOWEST-HANGING
FRUIT?
“Because Symantec uses a filter driver to intercept
all system I/O, just emailing a file to a victim or
sending them a link to an exploit is enough to
trigger it - the victim does not need to open the file
or interact with it in anyway.”
21

22. WHERE DID WE GO WRONG?
22

23. WHERE DID WE GO WRONG?
1.Not enough root cause
analysis
2.Not enough process
improvement (if any)
3.Even when we do succeed,
we force the attacker to
change tactics.
Are we ready for that?

24. STORY TIME!
Advanced Malware Detection, Day 1:
ZEUS
Advanced Malware Detection, Day 2:
Advanced Malware Detection, Day 234:

25. STORY TIME!
The bad guys will find a way to evade preventative controls.

26. DEFENSE EXPENSE IN DEPTH HAS FAILED
Defense Attack
26
Phishing Email
Malware Link
C2 Comms
Pivoting
Exfiltration
Email Security
Security Awareness
URL/IP reputation;
Malware Sandbox
Endpoint
Security; IDS/IPS
East/West
Security Visibility
Data Loss
Prevention
Failures
User
clicks
Malicious link
not detected
AV misses malware,
Network Security misses C2
Enterprise
blind spot
Alert doesn’t
trigger, or is missed
Conclusion? Thorough testing
and configuration of defenses.

27. UNDERSTANDING
MALWARE
THROUGH
RANSOMWARE

28. RANSOMWARE – A BIT DIFFERENT FROM ANYTHING WE’VE SEEN

29. RANSOMWARE’S DEPENDENCIES
In order to work, ransomware must succeed in two tasks:
1. Create a situation of need
2. Enable the victim to pay
Take either of these away and it doesn’t work.
Ransomware wants needs to be seen.

30. RANSOMWARE’S DEPENDENCIES… DISRUPTED
In other words:
1. If you have real-time backups with quick, easy recovery
2. If you’re not a Windows-heavy shop
3. You use off-prem DaaS
Thought: what if malware was fragile and easily disrupted?
Thought: what if the criminals screw up and no one can pay?

31. HOW DOES RANSOMWARE WORK?
THE PAYLOAD
Campaign
Exploit
Dropper
Payload

32. HOW DOES THE PAYLOAD WORK?
EXTORTION AT THE CORE
Ransomware’s goal is to extort the victim into
paying a ransom.
First thing to check: is that really what you’re
dealing with?
Ransomware with no way to pay = WIPER

33. HOW DOES THE PAYLOAD WORK?
ENCRYPTION
Crypto ransomware uses encryption to hold all your files hostage.
kinda…
sometimes… some of

34. HOW DOES THE PAYLOAD WORK?
KEY MANAGEMENT; GETTING PAID
Ultimately, the decryption key is what you pay for – it’s everything
• How and where does it get created?
• Where is it stored?
Thought: How much of Bitcoin’s current value is due to the
success of ransomware?

35. THE DROPPER
Campaign
Exploit
Dropper
Payload

36. HOW DOES THE DROPPER WORK?
1. The C2 and Dropper work together
2. Register victim
3. Assign payment address
4. Download payload(s)
5. Execute payload(s)
6. (Optionally) spread to other victims

37. THE EXPLOIT
Campaign
Exploit
Dropper
Payload

38. HOW DOES THE EXPLOIT WORK?
1. Phishing is overwhelmingly most common
2. Wannacry/NotPetya are notable exceptions
3. Same way any other malware spreads

39. THE CAMPAIGN
Campaign
Exploit
Dropper
Payload

40. HOW DOES THE CAMPAIGN WORK?
Again, much like any other malware campaign:
1. Buy/create C2 infrastructure (hack a bunch of WordPress sites)
2. Ransomware works with C2 to manage victims much like a
botnet does, but with different goals
3. Set up scheme to cash out/launder payments
4. Set up phishing/exploit campaign

41. HOW DOES RANSOMWARE WORK FAIL: DISRUPTION
Campaign
Exploit
Dropper
Payload
Disrupt 
Disrupt 
Disrupt 
Disrupt 

42. OPPORTUNITIES FOR DISRUPTION
Campaign
Distribution
channels
DNS
Email
Security
Exploit
Patching
Virtual
Patching
Mitigations
Block
Attack
Vector
Dropper
EDR;
Behavior
Signature;
AV; IoC
DNS
Web
Proxy;
SWG
Payload
EDR;
Behavior
Signature;
AV; IoC
Outbound
Access
Control
Application
Control

43. EXAMPLES: RANSOMWARE PREVENTION
Prevention
Kill any process attempting to stop the
volume shadow service (VSS)
If a powershell or CMD process is
created shortly after opening an office
document, inspect and/or quarantine the
office document.
Create a folder sure to be the first in an
alphabetical list (__aardvarks). Trigger a
containment action (e.g., isolate
machine).
Recovery
Decryptors
PayBreak
https://eugenekolo.com/static/paybreak.pdf
https://github.com/BUseclab/paybreak
43

44. 1. How else could we disrupt crypto-ransomware?
2. Other than encrypting files, how else could ransomware work?
3. How many endpoint products do you have and how are you
using them?
DISCUSSION: RANSOMWARE

45. BREAK TIME! REST YOUR BRAIN, (EMPTY) REFILL YOUR BODY

46. PART2:
DEFENSE
STRATEGIES

47. LAB TIME - LET’S BREAK STUFF!

48. 1.Run Amazon Workspaces
2.Enter the registration code on the right
3.Log in with your assigned failuser
4.Double-click Install Amazon WorkDocs
5.Navigate to Shared With Me  InfectMe  Ransomwares
6.Brace yourself
7.Double-click Wannacry.exe
8.Watch the horror unfold, note the changes, play around
LAB INSTRUCTIONS
WORKSPACES
REG CODE:
SLiad+LXZ8KE

49. THE IMPORTANCE OF DETECTION

50. A HEALTHY, BALANCED DIET
Malware that bypassed AV
PUPs &
PUAs
Ransom-
ware
Exploit
kits
Filter out as much
as possible with
preventative controls
Detect the rest!
A prevention-only
approach is self-
imposed blindness

51. DETECTION: PROS AND CONS
Pros
• Endpoints: No longer
a blind spot
Cons
• Prevention vs detection
is a question of cost
• Labor-to-value ratio
• Time-to-value ratio
51

52. PREVENTION VS DETECTION: PROS AND CONS
Prevention (e.g.,
AV, NGAV)
Detection (e.g.,
EDR)
Required user input for normal
operations Low to none Generally higher
False positives Lower Higher
False negatives Higher Potentially lower
Detect/prevent non-malware threats Generally, no Yes
Labor-to-value Low High

53. NGAV
NEED: a better
malware
mousetrap
WHAT:
Automated
detection of
unknown threats
WHY: auto-
generated
malware gets
through
EDR
NEED: endpoint
visibility; serious
blind spot
otherwise
WHAT: Record
detailed endpoint
data
WHY: detect
attacks that
defeat 1st layers
of defense
Hardening
NEED: More
permanent,
resilient solutions
WHAT: Wide
variety of
approaches
WHY: Passive
defenses reduce
pressure on
frontline defenses
Remediation
NEED: Contain
and clean up
threats
WHAT:
Containment and
automated
remediation
WHY: Reduce
expense and
labor of dealing
with threats
ENDPOINT CATEGORIES: WHAT’S DRIVING THEM?

54. DO ENTERPRISES EVEN NEED BETTER AV?
Hardening Windows
▪ CIS benchmarks
(hardening)
▪ Ad-blocking
▪ Remove unnecessary
software/features
▪ Least privilege:
▪ flash click-to-run,
▪ disable/restrict java plugin
▪ selective whitelisting
Free/OSS Tools
• Microsoft EMET
• Microsoft AppLocker
• Artillery (Binary Defense)
• OSSEC (Trend Micro)
• Wazuh (OSSEC)
• El Jefe (Immunity)
• Cylance Detect
• Sandboxie (Invincea)
• AIDE (FIM)
• ROMAD
• 0Patch
54

55. MY ROADMAP FOR ENDPOINT SECURITY
1.Find a better malware mousetrap
2.Threat-driven hardening
3.Detect/Stop Non-Malware attacks
4.Full-system visibility (EDR)
5.Data visibility
6.More resilient host
55
WHAT IF...
malware
was solved?

56. WHAT ARE YOUR ENDPOINT SECURITY PAIN POINTS AND GOALS?
Pain Points
1. Cleaning up infections 24/7
2. Catch attacks that bypass preventative
controls
3. Catch/prevent non-malware threats
4. Catch insider threats
5. Did a breach actually occur?
Goals
1. Better prevention; hardening
2. Better detective controls, better
endpoint visibility
3. Better endpoint visibility; hardening
4. Better endpoint visibility
5. Visibility into file movement, data
exfiltration
56

57. MYTH #1: SOLVING MALWARE CHANGES EVERYTHING!
No, it just shifts the problem – attackers don’t give up, they just change
tactics to things like:
1. Interpreted languages (javascript, python, powershell)
2. Social engineering
3. Credential theft
4. Abuse of valid admin tools
5. Web attacks (SQL Injection, XSS, XSRF, etc.)
57

58. MYTH #2: ONCE THE BAD GUYS GET IN… GAME OVER!
Common perspective of getting hacked
(prevention only)
1. Attacker’s exploit succeeds.
2.
Reality
1. Attacker’s exploit succeeds
2. Attempts to escalate privileges
3. Begins exploring network
4. Sniffs network
5. Pivots to another host using an
exploit
6. Dumps and cracks credentials
7. Pivots with credentials
8. Creates domain admin account
= detection opportunity
Lesson: Layer detection with prevention

59. WHAT IS A RED FLAG?
• Something that’s always
bad, almost zero chance for
false positive
• Could be a combination of
events (e.g., endpoint +
network)
• Strategy for filtering noise
and addressing alert fatigue
Examples:
1. ARP Route Poisoning
2. Dumping SAM
3. Account creation from non-
admin systems
4. Pass-the-Hash
5. CryptAPI use not associated
with sanctioned/installed
app

60. Recon &
early ops
detection
Exfiltration
detection
Data loss
Detection
Threat
detection and
response
Threat Hunting
WHEN DOES INCIDENT BECOME BREACH?
60
Initial
Hacking
Attempts
Success!
Attacker gets in, pivots,
searches
Exfiltration
Days, Weeks Average of 146 99 days*
Sale & Profit
of stolen
data
Discovery
DEFENDER
Prevention
Isolation
Forensics IR Automation
Security
Analytics
Data loss
preventionDetection by
Deception
Fraud
detection by a
3rd party
Breach Occurs
Customer
Impact
Timeline
* Average dwell time, according to Mandiant’s M-Trends Reports

61. DETECTION CHALLENGES: FIGHTING THE NOISE
1. Have a baseline – otherwise everything will look suspicious!
2. Instead of tuning the default, consider starting from scratch
3. Explore other methods of alerting (ChatOps, sound, lighting)
4. Understand users/business and apply lessons to monitoring
5. Pick one very important scenario, and practice hard...

62. DETECTION CHALLENGES: FIGHTING THE FIRES
1. Get better prevention
1. Prevention is ‘free’
2. IR is expensive
3. Minimize need for IR
2. Get tools and processes in place to enable root cause analysis
3. Practice IR as much as possible  Process improvement
4. Automate IR workflows  Process improvement
5. Never, ever skip lessons learned

63. Design defenses as if critical vulnerabilities are always
present and as if patches will never come.
Visibility and root-cause analysis are the key to finding
red-flags which allow us to stop entire classes of attacks
instead of specific, individual attacks.
You don’t need a malware research lab – the work is
often already done by researchers!
KEY TO RESILIENCE IS VISIBILITY AND SIMPLICITY

64. SHAKING THINGS UP A BIT: WANNACRY
Notable Facts
• Spread as a worm, not via
phishing
• Patch was available 51 days prior
• ETERNALBLUE code was easily
discovered via binary analysis
• Many behavioral red flags
• Didn’t even try to hide
• Didn’t work on WinXP
Lessons Learned
• Can’t blame users for this one
• Patching IS part of basic hygiene,
• Patching should NOT be viewed or
depended on as a defensive
measure
• No AV vendor should have missed
it

65. RANSOMWARE EXAMPLES
Common Behaviors Mitigations
Disables Shadow Copy Services
(vssvc.exe)
if net stop VSS, kill requesting process
Use of CryptAPI from Win32 PE shim CryptAPI and save keys (see PayBreak)
Random, invalid file extensions
appended to files
1.create canary files/directories
2.kill any process using unrecognized file ext
Very long domains
Quarantine any system requesting DNS for
domains > 40 chars

66. PAYBREAK
Source: https://eugenekolo.com/static/paybreak.pdf

67. WHAT ABOUT REMEDIATION AND RESPONSE?
• Remediation = cleaning up after the attack
• Containment = isolating the incident
• Automated Endpoint Remediation: can we stop
reimaging PCs yet???
67

68. WHAT ABOUT REMEDIATION AND RESPONSE?
68

69. LUNCH TIME! REST YOUR BRAIN, (EMPTY AND) REFILL YOUR BODY

70. PART3:
WINDOWS
DEFENSES

71. PATCHING

72. LET’S TALK ABOUT PATCHING: PERSPECTIVE
• Patching is disruptive
• Patching is not defense
• Patching is not a security
control
• Patching is necessary
• Patch availability is beyond
our control
• Patching is hygiene

73. IS PATCHING REALLY THE ANSWER?

74. LET’S TALK ABOUT PATCHING: LOGISTICS
Credit: NopSec’s 2016 State of Vulnerability Risk Management report

75. LET’S TALK ABOUT PATCHING: LOGISTICS
Credit: Microsoft’s Security Intelligence Report, Volume 21

76. LET’S TALK ABOUT PATCHING: LOGISTICS
Credit: Microsoft’s Security Intelligence Report, Volume 21

77. LET’S TALK ABOUT PATCHING: ALTERNATIVES
Instead of emergency patching…
How about… emergency mitigation
Instead of waiting…
Simulate the attack; understand it
Instead of patch dependency…
Assume failure

78. LET’S TALK ABOUT PATCHING: RESILIENCE
“Build as if there is always a zero day and the
patch is never coming”

79. HANDLING THE NEXT VULNERABILITY ‘CRISIS’
Summarizing:
1. Deep calming breaths, don’t panic
2. Vulnerability analysis
3. Patch assessment
4. Exploit assessment
5. Attack simulation, testing, mitigation

80. HANDLING THE NEXT VULNERABILITY ‘CRISIS’
Deep breaths; don’t panic
https://www.wikihow.com/Breathe-Deeply

81. DON’T WORRY ABOUT THE MEDIA
Leverage them to get to the real details

82. BREACH
LESSONS

83. FORGET PATCHING FOR A MOMENT

84. HOW IT SEEMS LIKE IT HAPPENED
Struts Vuln
Sweet, sweet
data
Profit!

85. HOW MOST BREACHES ACTUALLY HAPPEN
Scanning/Probing
activity
Struts vuln was
exploited
Hours/days of
additional probing,
searching and
pivoting
Eventually find
sweet, sweet data
Profit!
Opportunities to
detect/disrupt!

86. 1. What other mitigations could we use when we can’t patch?
2. How much breach planning has your org done?
3. Consider
BONUS: Choose a breach and use it as a tabletop exercise in
your organization
DISCUSSION; QUESTIONS?

87. WINDOWS
FEATURES
AND TRICKS

88. HOW DOES MALWARE GET INTO WINDOWS?
From before: 3 ways
Direct: You run the code
Indirect: You’re tricked into running the code
Exploits: Your vulnerabilities get exploited
Sure, vampires use social engineering, but
they do respect access controls…
Key Attack surface
1. Browser
1. Image processing
2. HTML iFrame
2. Browser plugins
1. Flash
2. Java
3. Silverlight
4. ActiveX (really)
3. Files (via email, etc)
1. PDF
2. Office Docs
3. LNK files
4. Remote network exploit
(rare, but… NotPetya!)

89. WHY’S IT ALWAYS WINDOWS?
Hey operating systems, will you run my software?
iOS “Only if it’s in the App Store!”
MacOS “Only if it’s in the App Store*!”
Android “Only if it’s in the Google Play Store*!”
Windows “LOL, sure! YOLO!”
* Or you choose to install from untrusted sources

90. WHAT DO WE GET WITH WINDOWS THESE DAYS?
Built in or free from Microsoft
1. Win10 over Win7!
2. Windows Device Guard
3. Windows 10 S
4. Applocker
5. Sysmon
6. Event Viewer/Collector
7. Task Scheduler (really)
8. Controlled Folder Access
3rd party, but free (cheating is okay)
1. OSSEC
2. OSQuery
3. 0Patch

91. Trigger actions off EventIDs!
TASK MANAGER, AKA IFTTT FOR WINDOWS

92. WINDOWS 10 – OUT OF THE BOX – CIS BENCHMARK

93. FREE HOST-BASED IDS: OSSEC
• Monitors critical and sensitive files via integrity checks
• Detects rootkits
• Can monitor windows registry
• Alert on Changes

94. WHAT’S HAPPENING ON THE ENDPOINT?
•Facebook-developed osquery is effectively free EDR
•Agents for MacOS, Windows, Linux
•Deploy across your enterprise w/ Chef, Puppet, Ansible, or SCCM
•Do fun things like, search for IoCs (hashes, processes, etc.)
•Pipe the data into ElasticStack for visibility & searchability
•If you only need Windows clients, check out Microsoft Sysinternals Sysmon

95. SECURE CONFIGURATION
• Standards: CIS Benchmarks / DISA Stigs
• Configuration Management: Consistency is key
• Deploy configs using tools like GPO, Chef, Puppet, or Ansible
• Change Management is also important
• Alert on deviations and violations
• Use git repo for tracking changes to your config scripts

96. LOGGING AND MONITORING
•Central logging makes detection and analysis easier
•Many options here, such as Windows Event Subscription, rsyslog
•Can also pipe to one central location with dashboards, such as ElasticStack
•Good idea to include DNS logs!
•Greylog

97. LAB TIME!

98. What else could we do with triggers?
DISCUSSION

99. BREAK TIME! REST YOUR BRAIN, (EMPTY AND) REFILL YOUR BODY

100. PART4:
DISRUPTING
MALWARE

101. MALWARE BEYOND THE EXE – NEMUCOD-AES EXAMPLE

102. NEMUCOD-AES STEP1: PHISHING EMAIL
From:townofwi@cloudwebx4.newtekwebhosting.com
Sent: Thursday, July 6, 2017 02:41 PM
To: ask@knoxvegaslaw.com
Subject: Notification status of your delivery (UPS 006222692)
Attachments: UPS-Receipt-006222692.zip
Dear Customer,
Your item has arrived at the UPS Post Office at July 04, but the courier was unable to deliver parcel to
you.
Please check the attachment for complete details!
Thank you,
,
UPS Support Agent.

103. NEMUCOD-AES STEP2: PHISHING EMAIL ATTACHMENT
UPS-Receipt-006222692.zip  UPS-Receipt-006222692.doc.js

104. NEMUCOD-AES STEP3: C2 - LOADING THE NEXT STAGE
1. First Stage: UPS-Receipt-006222692.doc.js downloads 2nd stage
2. Second Stage: VBScript
1. Creates and runs Word Doc smokescreen
2. Downloads and runs Kovter, because… why not?
3. Downloads and creates php.exe
4. Downloads and creates php5.dll
5. See where this is going? ;)
3. Creates the php ransomware script (embedded in 2nd stage)
4. php.exe nemucod.php

105. NEMUCOD-AES LESSONS LEARNED
How could we have stopped this?

106. LAB TIME!

107. FINISHED! WE MADE IT!

108. Adrian Sanabria
Director of Research, Threatcare
@sawaba
THANK YOU
P L E A S E F I L L O U T Y O U R E V A L U A T I O N S !

109. PERCENTAGES DON’T MAKE SENSE
1. A percentage isn’t useful when we’re dealing with numbers at
this scale.
2. The number stopped isn’t nearly as important as stopping the
right ones.
3. Percentages can’t effectively measure threats that don’t exist
yet.
4. Persistent adversaries don’t give up because their initial
attempts hit the 99%.
Attacks simply don’t work this way.

110. PERCENTAGES DON’T MAKE SENSE: EXAMPLE
The dog is gone.

111. PERCENTAGES DON’T MAKE SENSE: EXAMPLE

112. Defense
C
confidentiality
A
availability
I
integrity
Offense
D
disclosure
D
denial & destruction
D
distrust
Credit: Terrance Lillard
ATTACKER GOALS
$$$
$$$
$$$Extortion
Extortion
Sell data

113. CHANGING MINDSET
1. Defeatist statements
2. That ‘dwell time’ has
become a metric
3. The 1m unfilled jobs
myth/rumor
114

114. INFORMATION ASYMMETRY
AV isn’t just protecting
against ‘known threats’
It is a known threat.
To the bad guys!
115
Conclusion? A detection engine will never stop determined adversaries.

115. MORE PRODUCTS, MORE PROBLEMS: THE 3RD PARTY DILEMMA
13% run one endpoint security product
26.9% run two
59% run three or more concurrently
Why?
67% using endpoint config mgmt
65% using HIDS/HIPS
59% using FDE
56% using NAC
49% using FIM
47% using Whitelisting
That’s a LOT of product to take care of and additional
attack surface!

116. HOW I SEE THE MARKET
Prevention
(pre-execution)
Detection and
Data Collection
(post-execution)
Platform
Hardening
90+ Vendors

117. BUZZWORD BINGO: NGAV AND EDR DEFINITIONS
NGAV: The ability to stop threats without prior
knowledge of them
EDR: Endpoint Data Recorder
(a slight acronym modification)

118. EXTRAS

119. CASB
SDN
VPC
IT’S 2018 – DO YOU KNOW WHERE YOUR DATA IS?
Traditional Data
Center
MDM
Mobile
SaaS
Host FW
Cloud

120. BECAUSE THIS IS WHERE YOUR EMPLOYEES ACTUALLY WORK
121
Conclusion: Security controls MUST travel with the asset.