Threat Research

Q&A Webinar Follow-Up - Tools of Engagement: Minding The (Security) Gap

As a follow-up to our recently held Tools of Engagement: Minding the (Security) Gap webinar, questions answered by presenters Dave Merkel and Lucas Zaichkowsky are listed below. To view the archived webinar, please click here.

  1. What happens at 2:00am on a Sunday when there isn't anyone on duty?
    Dave Merkel: Well I'll speak on the workflow of this particular product. The workflow that Lucas showed you with a product like FireEye where FireEye is detecting events on the network, sending events to Mandiant for Security Operations and Mandiant for Security Operations is distributing indicators and identifying hits.All that is actually zero click workflow that's completely automated. The parts that are not automated is an analyst going in, taking a look at the hits and deciding whether or not they would like to contain an endpoint. It's something we're looking at. Of course sometimes customers say, "Hey, could you expose that via an API," they realize what they just asked and the fact that a shell script, written poorly, could contain their entire enterprise and then they usually rescind the request to do that.One of the other really common things to automate is SIEM workflow. You may want to automatically collect host-based triage data when certain events occur. By linking your SIEM with to Mandiant for Security Operations, those collections can occur automatically, without analyst intervention. When someone is back on duty the data is right there at their fingertips.
  2. What formats or protocols does Mandiant for Security Operations accept?
    Dave Merkel: In this case today we're accepting CEF-formatted events so SIEM Solutions and related technologies supporting CEF can easily integrate. We also have done a direct integration with FireEye so we're able to directly consume their malware reports. We have announced a forthcoming integration with Palo Alto Networks doing the same thing with their Wildfire add-on to their firewall product.
  3. Can Mandiant for Security Operations leverage a near MIR® agent deploy base, Mandiant for Intelligent Response® agent deploy base? What about systems without the agent? Does this need its own agent?
    Dave Merkel: The Mandiant for Security Operations product is using the same agent that the upcoming MIR 3.0 release will use. Both products will use the same agent for their operations. We do not currently have an agentless solution. A lot of the interesting value and insight to a system we can provide is via advanced forensics capabilities. It's impossible to do that without running software on a system. There's no way to get direct access to memory structures, things of that nature, from outside a system.
  4. If multiple endpoints have the same problem can they be remediated concurrently?
    Lucas Zaichkowsky: It's a really good question. There may be a situation where you have a product that identifies malware landing on a system. Let's say in this FireEye example, it saw a binary drop. We're getting host based indicators and pushing that out to all the endpoints so if there were multiple endpoints that got that same malware or even if it was different variants but the host-based indicators still lined up then Mandiant for Security Operations will begin to identify more comprised hosts. You can then concurrently contain them on the network. In that screen where I went in and did the containment I only checked in the box on the one host, but if you had multiple hosts you could check in all of them and contain them all at once. If you'd like, you could then get triage packages from them all at once. So this allows you to handle larger outbreaks.
  5. Is Mandiant for Intelligent Response and then, by proxy, Mandiant for Security Operations still Windows only?
    Dave Merkel: The agents that we use today are still current, but both Mac and Linux on the roadmap for later this year.
  6. How do you value intellectual property for a return on investments argument? Do you have any thoughts on that?
    Dave Merkel: I've seen a couple of things in a couple different conversations that different folks have used but maybe you've run into a couple things with some prospects and customers.
    Lucas Zaichkowsky: Frequently, I'll be working with the security staff or the IT staff that's dual hatting and they really need to get executive support and to do that they have to be able to show what it would mean to the company to lose intellectual property. Really, the best way to answer that would be to look for incidents that have happened with peers in your industry and see all the damage that it caused them, not just from the intellectual property loss but also from fallout. How did the shareholders perceive value? Maybe get in conversations with peer security groups and get relationship going or even have us come out and do a threat brief. We would be happy in a lot of cases to come out, talk with your executive team and tell them exactly what our customers went through when they suffered a massive breach and lost intellectual property.
  7. What is the footprint of the agent?
    Dave Merkel: When we're on disc fully expanded, I believe we're still sitting around the ten-meg size and when we're running in memory it's sitting at about a meg, so not terribly large when initially installed.
  8. Does your system understand where the value is within a system, in other words to identify intellectual property and whether or not it was affected by malware?
    Dave Merkel: In this case, no, we are not classifying any content on the system. We're not looking at the contents of documents or things of that nature. What the product's really doing is providing the ability to forensically inspect what's going on an endpoint, ask it questions about what's happened in the past, what's currently happening, and continue looking into the future for other potential suspicious events.
    Lucas Zaichkowsky: And there's a second half to the story too. When you're dealing with a really bad targeted intrusion, if you looked at our M-Trends from last year only about half the systems even saw malware. So you get these alerts, you follow up on them, you check it out. If it looks like it's something nasty, you escalate to people that have an incident response skillsets. That leads them to follow the use of the stolen credentials and built-in system commands which in turn leads them to systems where the assets are or to workstations where assets were pulled from. That's where activity is occurring so it doesn't entirely make sense to prioritize based off of how close malware was to the assets that you're protecting.
  9. What do you think is holding companies back from using the likes of FireEye or Palo Alto?
    Dave Merkel: I think if we go back to our Top 10 List and look at what are the kinds of things that lead companies to disbelieve that they have a security gap.We've actually seen a pretty large investment in some of those next-generation technologies in a wide variety of organizations - small, medium, large. It's actually becoming rather common. I don't know how much market penetration those technologies have but I'm always in a dialog with people about, "Oh, what do you know about some of these other detection technologies?" The other dialog we end up having, though, is when someone goes and they buy one of these technologies, they buy FireEye or Palo Alto and turn on the Wildfire feature in the product, and it starts turning red and it is finding stuff, then what they say is, "Now what?" And that's an interesting conversation because the answer to that really is you're starting to respond to security incidents and that's somewhat the point of what we're talking about today. You need to put the proper processes and technologies in place to take the next step. If you see something happening on the network, now you need to get to the host, examine it, and identify if you really have a problem.