Adapting Your Board to an Adaptive Defense - …...Sophistication of the Threat Security Capability/Agility to Respond Conventional Threats Cybercrime Cyber Espionage (APT) Nation

1Copyright © 2015, FireEye, Inc. All rights reserved. Copyright © 2015, FireEye, Inc. All rights reserved.

Adapting Your Board to an Adaptive DefenseCraig Rosen – Vice President & Chief Security Officer

2Copyright © 2015, FireEye, Inc. All rights reserved.

“Cybersecurity is now a persistent business risk…

The impact has extended to the C-suite and boardroom.”

Source: PwC 2015 Global State of Information Security Survey


The Tide Has Changed

Home Depot Data Breach Could Be The Largest Yet

- New York Times, September 2014

JP Morgan And Other Banks Struck By Hackers

- New York Times, August 2014

Russian Hackers Amass Over A Billion Internet Passwords

- New York Times, August 2014

UK Prime Cyber Attack Target of Europe and Middle East

Financial Times, October 2014

FBI Probes Possible Computer Hacking At JP Morgan

- The Wall St. Journal, August 2014

Russia Attacks U.S. Oil And Gas Companies In Massive Hack

- CNN Money, July 2014

Report: Cybercrime And Espionage Costs $445 Billion Annually

- The Washington Post, June 2014

The €30k Data Takeaway:Domino’s Pizza Faces RansomDemand After Hack

- CNN Money, Aug 2014

Hackers Target Belgian Press Group, days after French Cyber Attack - Deutsche-Welle, April 2015

Hackers Target Information OnMH370 Probe: Report

- The Straits Times, August 2014

Community Health Says Data Stolen In Cyber Attack From China

- BusinessWeek, August 2014

Monsanto Confirms Security Breach- The Wall St. Journal, May 2014

For years, we have argued that there is no such thing as perfect security. The events of 2014 should put any lingering doubts to rest.”- Mandiant 2015 M-Trends Report

- CNN Money, June 16 2014


EU Cyber Risk On The Rise


Cybercrime is rising significantly in Europe.


This Is A Board Level IssueThe cost of cyber incidents have increased and demonstrated the substantial impact that cyber attacks can have on shareholder value. After the Target breach:

• Profits fell 46 percent in Q4 2013.• Spent ~$61 million addressing the breach.• Facing more than 100 lawsuits and some analysts

forecast breach-related losses could top $1 billion.Shareholders have responded sighting fiduciary irresponsibility with derivative suits:

• TJX Companies (2007)• Heartland Payment Systems, Inc. (2009)• Wyndham Worldwide Corporation (2014)• Target Corporation (2014)

“Some estimates predict that between $9 and $21 trillion of global economic value creation could be at risk if companies and governments are unable to successfully combat cyber threats.”

Source: Cyber-Risk Oversight NACD Director’s Handbook Series 2014


Your Board Will Care

SEC Commissioner

Luis Aguilar

June 10, 2014: Cyber Risks and the Boardroom Conference Speech

Corporate boards need to ensure that management is fully engaged in developing defense and response plans as

sophisticated as the attack methods, or otherwise put their company’s core assets at considerable risk.

“Good boards also recognize the need to adapt to new circumstances such as the increasing risks of cyber-attacks.”

Also June 2014: New Directors “Handbook”


But You Will Need To Help Them Care

“It is incumbent upon the executive team to take ownership of cyber risk

and ensure that the Board understands how the organization will defend against and respond to

cyber risks.”



LACK OF HYGIENE

What Keeps Me Up At Night?And Translate Your Concerns To Make The Case

THREAT UNDETECTED

205 Days

Initial Breach

REMEDIATION

Median number of days threat groups were present on a victim’s network before detection.

Mandiant 2015 M-Trends

Report

24 Days

2982 DaysLess than 2013

Longest PresencePERS

ISTE

NCE

• Credential Protection• Privilege Escalation• Lateral Movement• Remote Access• Poor Process / Slow Response• Flat Networks• Basic Vulnerability Management

TOO MUCH NOISE

OTHER VECTORS

• Cloud• Mobile

• People• Supply Chain

400KUNIQUEMALWARE SAMPLES REVIEWED AND PROCESSED DAILY

“Security breaches are inevitable.”- Mandiant 2015 M-Trends

Report


Decide How Good You Need To BeSo

phis

ticat

ion

of th

e Th

reat

Security Capability/Agility to Respond

Conventional Threats

Cybercrime

Cyber Espionage (APT)

Nation State Attacks

D

C

B

A

Minimalist

Reactive

Concerned

Advanced


Understand GAPS You Must Close To Get There


TECHNOLOGYIDENTIFIES KNOWN, UNKNOWN, AND NON MALWARE BASED THREATS

INTEGRATED TO PROTECT ACROSS ALL MAJOR ATTACK VECTORS

PATENTED VIRTUAL MACHINE TECHNOLOGY

EXPERTISE“GO-TO” RESPONDERS FOR SECURITY INCIDENTS

HUNDREDS OF CONSULTANTS AND ANALYSTS

UNMATCHED EXPERIENCE WITH ADVANCED ATTACKERS

INTELLIGENCE50 BILLION+ OBJECTS ANALYZED PER DAY

FRONT LINE INTEL FROM HUNDREDS OF INCIDENTS

MILLIONS OF NETWORK & ENDPOINT SENSORS

HUNDREDS OF INTEL AND MALWARE EXPERTS

HUNDREDS OF THREAT ACTOR PROFILES

DISCOVERED 16 OF THE LAST 22 ZERO-DAYS

FireEye Adaptive Defense: Close The Gaps


FireEye Adaptive Defense Components

SECURITY CONSULTING

SERVICES


Don’t Just Listen To Me

“Accelerating investments is not enough … You have to mature your organization, your people, and your technologies, and that can be a more restraining factor than the availability of capital.”

(Gary Hayes, CIO of CenterPoint Energy - PWC Global State of Information Security)

Survey 2015)

15Copyright © 2015, FireEye, Inc. All rights reserved. Copyright © 2014, FireEye, Inc. All rights reserved. CONFIDENTIAL

THANK YOU!

Documents

Adapting Your Board to an Adaptive Defense - …...Sophistication of the Threat Security Capability/Agility to Respond Conventional Threats Cybercrime Cyber Espionage (APT) Nation