1-855-511-5967
Invincea.com
@invincea
Executive Summary
The news over the past 18 to 24 months proves one alarming fact: the single largest threat your
organization faces today is network breach. Your employees have become the primary target of a
diverse set of motivated adversaries bent on one objective: penetrating your network in order to gain
access to sensitive information, including financial data, research and development activities, intellectual
property, and personally identifiable information on your clients and employees. Today's most successful
and common attack vectors involve tricking your users into opening the door to your network. Spear-phishing, watering hole attacks, and drive-by downloads are the new normal. The adversary is gaining
entry into your network by enticing your employees to click on links and open document attachments.
Every time they go to the Internet or open the email client, they put your company at risk.
The techniques used by your adversaries include:
- Spear-phishing emails that deliver the employee to malicious websites that run drive-by download exploits, or that include weaponized document attachments
- Watering hole attacks that involve hijacking legitimate, trusted sites to push malware to unsuspecting users
- Poisoning search results behind trending news items on popular engines, such as Google, Yahoo!, and Bing
- Pushing malware through popular social networks such as Twitter and Facebook
Your organization is under a state of constant and sustained attack, and every employee represents a
potential point of weakness in your security strategy. Innovation in endpoint security is a critical need.
New approaches to insulate the employee against these attacks are required and Invincea is the solution.
"Cyber-crime's estimated cost is more than that of cocaine, heroin, and marijuana trafficking put
together."
Khoo Boon Hui, President, Interpol
No One is Immune
The question from business leaders to their security teams was once "Can this happen to us?" The news
over the past 18 to 24 months has answered that question with an emphatic "Yes": no one is immune.
Every organization is at risk of cyber breach. Depending on the size of the organization, the industry,
and the geographic footprint, the adversarial focus may vary. Small and medium-sized businesses are
most at risk from organized cyber criminals. Enterprises and governments face threats from all three of
the main adversarial categories: nation states, cyber-crime, and hacktivists. The Hackmageddon blog
covers the motives of adversaries and their targets, and includes a detailed graphic timeline of hacking
incidents categorized by month in 2012. Below are a few real-world examples of recent attacks against a
wide cross section of industries. The sad reality is that this list is not all-inclusive, as there are simply too
many examples to cite.
"Trade secrets developed over thousands of working hours are stolen in a split second."
Robert "Bear" Bryan, National Counterintelligence Executive
Incident counts and share by category (chart data recovered from the page; the category labels for the first seven rows were lost in extraction):

Category                 Count     Share
(label not recovered)    55,153    51.20%
(label not recovered)     8,236     7.70%
(label not recovered)     6,795     6.30%
(label not recovered)     9,652     9.00%
(label not recovered)     7,927     7.40%
(label not recovered)     6,635     6.20%
(label not recovered)     3,527     3.30%
Attempted Access            863     0.80%
Social Engineering        2,573     2.40%
Others                    6,294     5.80%
Total                   107,655   100.00%
2. Dollars spent on remediation reach into the millions, meaning unbudgeted costs for the organization
that impact the bottom line and add to the overall cost of network breach. Moreover, these millions
are spent after the damage is done; they do nothing to protect your organization.
3. While your teams are fighting the newly discovered fire, the adversary continues to attack other parts
of the organization. This is where the Whac-A-Mole analogy comes into play. Your adversaries are
persistent: while you clean up one attack, they've already pivoted and are launching others against
you.
- Malware authors are producing roughly 80,000 new variants per day (McAfee).
- The endpoint has effectively become the new perimeter, and Anti-Virus (AV) is the primary endpoint security solution, yet an alarming (though somewhat dated) Cyveillance study shows that AV vendors detect less than 19% of attacks on average.
- Malware authors are increasingly utilizing polymorphic techniques in which malware mutates itself to evade signatures.
Consider the complexity of maintaining an accurate whitelist and blacklist for your Web gateway when
taking into account some of this recent news:
- ActiveX controls
- PDF documents
- Office documents
- Shellcode injection
- Java
- JavaScript
- Browser exploits
- Browser extensions
- Scripting
Not surprisingly, these attacks involve exploiting both the existing vulnerabilities and the extensions and
plug-ins of whitelisted applications, including the browser and document readers and editors. This
includes scripting languages, shellcode, Java, interpreters, and vulnerabilities in the applications
themselves. Unfortunately, these are the most common real-world exploits. Most exploits work by
using a spear-phish either to direct the user to click on a link or to get the user to open an
attachment. Users also get infected through more opportunistic methods like poisoned search engine
results or simply browsing the Web. It's not unusual for malware to leverage a browser vulnerability to
inject itself directly into the memory of a running process, such as an operating system service. In all of
these cases, the exploited or infected process has been whitelisted and is therefore allowed to run with
full and normal privileges.
A final point to consider with network boundary devices is the case of the mobile user outside of the
network. When this user is simply online on the road or at home, not VPN'd into the corporate
network, they are essentially bypassing any protection provided by network perimeter devices. With the
expansion of the mobile workforce and personal email services, this is becoming a significant risk for
enterprise security managers.
How it Works
Containment
Invincea takes the most highly targeted applications in your network (the Web browser, PDF reader,
Office suite, .zip files, executables) and seamlessly runs them in secure virtual containers. Every time the
Web browser is opened, or anytime an attachment comes from outside the network, Invincea creates a
segregated environment for these applications to operate in. By creating this specialized virtual
environment, Invincea contains all malware, whether zero-day or known, and prevents it from
attacking the host operating system as a pathway for breach and lateral movement in your network.
Detection
Unlike other solutions, Invincea does not rely on malware signatures for detection. Instead, it
automatically identifies malware attacks based on behaviors and actions inside the contained, controlled,
and isolated environment. As a result, Invincea can detect zero-day attacks in real time and thwart those
attacks with ease.
Prevention
Over the past few years, we've been taught by repeated assertion from those that benefit from
remediation and network forensic professional services that the breach cannot be stopped and that post
facto detection is the new prevention. We can't blame our fellow security professionals for their cynicism,
because the truth is that the prevention security industry has utterly failed us, our governments,
corporations, and citizens. Reactive list-based approaches can no longer stop the threat; therefore
the logical conclusion drawn and promulgated is that you can only attempt to detect the intruder in
your network. Perhaps this conclusion was accurate at that point in time, but with the innovations
delivered by Invincea's breach prevention platform this is no longer the reality. When we detect an
infection inside our contained environment, we immediately alert the user, discard the tainted
environment, and rebuild to a gold-clean state inside 20 seconds. We also capture rich forensic detail
related to the attack and feed it on to your broader security infrastructure.
- Infection Source: We identify the URL, PDF attachment, Office attachment, .zip, or .exe file that triggered the infection
- Timeline of Attack: We dissect the actions of the malware: what it did when it opened and unpacked, how it cleaned up after itself, etc.
- Registry Changes: We capture all changes the malware attempted to make to the registry
- Connections: We identify any and all connections, whether inbound or outbound, showing you the command and control channels the adversary attempted to create
This information is fed to the Invincea Threat Data Server where it is integrated with your Security
Information and Event Management (SIEM) and presented for your teams in a single interface.
Understanding that you need a method to push this information on to the rest of your infrastructure,
we have integrated with a number of other leading security technologies such as:
- McAfee ePO
- ArcSight
- Splunk
- Q1 Radar
- NetWitness
- ThreatGrid
The threat information, including command and control server IPs and domain names, combined with
indicators of compromise such as file names, hashes, and registry values, is matched against Invincea
partners' threat intelligence feeds to provide adversarial attribution and cross-vendor intelligence on
adversarial motives.
- Invincea protects the new perimeter, the endpoint, with an innovative solution that requires no signatures and keeps malware in an airlock
- Invincea addresses zero-days and APTs and stops them dead in their tracks
- Invincea's threat data feeds extend the power and life of your current investments
- Breaks the security insanity cycle, eliminating costly detection, remediation, and patching cycles
- Every employee in the organization is protected wherever they go
- A single user's virtual infection protects the entire enterprise: the rich forensic data it produces is fed to the rest of your security infrastructure to block requests from all users to the URLs that infected the user who clicked on the link
- Every enterprise license agreement includes licenses for home use, meaning your employees are protected both at work and at home
Learn More
Visit our website at www.invincea.com for product summaries, video demonstrations, Invincea news
stories, and much more. While you are there, check out the Invincea Blog for breakdowns of trending
security news articles and why they are important to you and your organization at
https://www.invincea.com/newsroom/blog/.
Where to Find Us
For information security news and updates, follow us on Twitter @Invincea. To catch a glimpse of life at
Invincea, like our Invincea, Inc. Facebook page. Or, check out what we are talking about on our
Invincea YouTube channel. You can also find us here:
Invincea, Inc.
3975 University Drive, Suite 460
Fairfax, VA 22030