HBGary Business Development Plan

Business Development Plan
What is Business Development?
• Strategic Capital / Exit
  – Venture Capital
  – Private Investors / Strategic Investors
  – Liquidity
• Tactical
  – Sales and Sales Support
  – Business Partnership Expansion
• Market Perception
  – Positioning & Messaging
  – Public Relations
  – Thought Leadership
  – Credible Threat to Incumbents
• Product Roadmap
  – From Forensics to Next Generation “Anti-Virus”
Deliverables
• Written “State of the Company”, aka Confidential Information Memorandum (CIM)
  – A CIM is needed for VC, Private Investors, Strategic Investors or a Liquidity Event
• Identify and contact targets (companies/entities, contact names, reasons for contact, etc.)
  – Strategic Business Partners
  – VC or Private Investors
  – Liquidity
  – Press & Thought Leadership
• Marketing Roadmap
• Sales
HBGary R&D Funding
Air Force Research Labs
• Next Generation Software Reverse Engineering Tools (Phases I and II)
• Kernel Virtual Machine Host Analyzer (Phases I and II)
• Virtual Machine Debugger (Phase I)
Dept. of Homeland Security (HSARPA)
• Botnet Detection and Mitigation (Phases I and II)
• H/W Assisted System Security Monitor (Phases I and II)
• Subcontractor to AFCO Systems Development
Small Business Innovative Research (SBIR) Program
HBGary has grown into a full product company:
Customer chart (segments): DoD; Civilian Agencies; Government Contractors & Consulting; Fortune 500; Foreign Governments; Universities & Law Enforcement
Customer chart (figures, in the order shown): 12,500 Nodes; 31,000 Nodes; 23 Customers; 23 Customers *; 15 Customers; 16 Customers
* Multiple site license discussions in the pipeline
Product matrix (rows: Memory Forensics; Enterprise Malware Detection and Response; Policy Enforcement and Mitigation; columns: Stand Alone, Enterprise). Products shown: Responder Field Edition; Responder Professional w/ Digital DNA; Integrated with EnCase Enterprise (Guidance); Digital DNA for ePO (HBSS); Active Defense (Q1); Digital DNA intrinsic to all Enterprise products; Integrated with Verdasys Digital Guardian.
Why HBGary is Better
• Forensic Quality Approach
  – Analysis is done 100% offline using 2+ years of parsing technology developed under a USAF grant
  – Host-centric “Windows without relying on Windows” RAM analysis
• Digital DNA™ detects zero-day threats
  – 5+ years of reverse engineering technology developed for multiple govt. agencies
  – AUTOMATED!
• Physical memory is “Windows without Windows”: it exposes everything about the OS without actually using a potentially subverted OS.
• Automatic decompilation of every software object exposes true software behaviors. This is not a signature: it catches unknown malware with no prior knowledge, and a few traits will detect a great many variants, so it scales.
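The “Windows without Windows” point above, as an added example that is not HBGary's code and uses no real Windows structure layout: a raw memory image is parsed offline instead of asking the running OS. The record format (a `Proc` tag, PID, name and forward link), the image contents and the offsets are all constructed here for illustration. The technique is cross-view detection: a tag scan of physical memory is compared against the OS's own linked process list to expose a process that a rootkit has unlinked from that list.

```python
import struct

# Toy record layout (an assumption for this example, not a real Windows structure):
#   'Proc' tag | pid u32 LE | name, 16 bytes NUL-padded | flink u32 LE
# flink is the offset of the next record in the "active process" list; 0 ends the list.
TAG = b"Proc"
REC_FMT = "<4sI16sI"
REC_SIZE = struct.calcsize(REC_FMT)  # 28 bytes


def build_image(size=4096):
    """Constructed 'physical memory' image holding four process records.

    The 'rootkit' record has been unlinked from the active list (DKOM-style
    hiding): svchost's flink points straight at explorer, but the record's
    bytes are still sitting in RAM.
    """
    img = bytearray(size)
    offs = {"System": 0x100, "svchost": 0x300, "rootkit": 0x700, "explorer": 0x900}
    recs = [("System", 4, offs["svchost"]),
            ("svchost", 612, offs["explorer"]),   # skips 'rootkit'
            ("rootkit", 1337, offs["explorer"]),  # stale flink, no longer reachable
            ("explorer", 1480, 0)]
    for name, pid, flink in recs:
        rec = struct.pack(REC_FMT, TAG, pid, name.encode(), flink)
        img[offs[name]:offs[name] + REC_SIZE] = rec
    return bytes(img), offs["System"]


def parse_record(img, off):
    tag, pid, name, flink = struct.unpack_from(REC_FMT, img, off)
    return {"off": off, "pid": pid, "name": name.rstrip(b"\0").decode(), "flink": flink}


def os_view(img, head):
    """What a tool that trusts the OS sees: walk the linked list from its head."""
    procs, off, seen = [], head, set()
    while off and off not in seen:          # 'seen' guards against a looped list
        seen.add(off)
        rec = parse_record(img, off)
        procs.append(rec)
        off = rec["flink"]
    return procs


def memory_view(img):
    """Offline scan of raw RAM: find every record by its tag, linked or not."""
    procs, off = [], img.find(TAG)
    while off != -1:
        procs.append(parse_record(img, off))
        off = img.find(TAG, off + 1)
    return procs


def hidden_processes(img, head):
    """Cross-view: records present in memory but absent from the OS's list."""
    listed = {p["off"] for p in os_view(img, head)}
    return [p for p in memory_view(img) if p["off"] not in listed]


if __name__ == "__main__":
    image, head = build_image()
    print("OS view:    ", [p["name"] for p in os_view(image, head)])
    print("memory view:", [p["name"] for p in memory_view(image)])
    print("hidden:     ", [(p["name"], p["pid"]) for p in hidden_processes(image, head)])
```

The scan relies only on the bytes of the image, so a kernel that lies about its own bookkeeping cannot hide the record; the same split (list walk versus tag scan) is what distinguishes `pslist`-style from `psscan`-style analysis in memory forensics tools.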
Under the hood
These images show the volume of decompiled information produced by the DDNA engine. Both malware samples use stealth to hide on the system; to DDNA, they read like an open book.
Benefits
• Enterprise detection of zero-day threats
• Lowers the skill required for actionable response
  – What files, keys, and methods were used for infection
  – What URLs, addresses, protocols, ports
• “At a glance” threat assessment
  – What does it steal? Keystrokes? Bank information? Word documents and PowerPoints?
= Better cyber defense
Today’s Cybercrime Problem
• There is a lot worth stealing
  – Information is 100% digital and exposed
  – Identities are digital
• Attackers are motivated and well-funded
  – Funded criminal and state-sponsored
• Malware is sophisticated and targeted
• Existing security isn’t stopping the attacks
Anti-virus Shortcomings
Top 3 AV companies don’t detect 80% of new malware
Source: “Eighty percent of new malware defeats antivirus”, ZDNet Australia, July 19, 2006
“The sheer volume and complexity of computer viruses being released on the Internet today has the anti-virus industry on the defensive, experts say, underscoring the need for consumers to avoid relying on anti-virus software alone to keep their…computers safe and secure.”
Source: “Anti-Virus Firms Scrambling to Keep Up”, The Washington Post, March 19, 2008
Digital DNA™
Ranking Software Modules by Threat Severity
Example DDNA sequence: 0B 8A C2 05 0F 51 03 0F 64 27 27 7B ED 06 19 42 00 C2 02 21 3D 00 63 02 21
Highlighted trait codes (Software Behavioral Traits): 8A C2, 0F 51, 0F 64
5,000 malware samples every 24 hours are sequenced. Over 5,000 traits are categorized into Factor, Group, and Subgroup. This is our “Genome”.
What’s in a Trait?
Example trait: 04 0F 51 (0F 51 is the unique hash code; the leading octet 04 holds the weight / control flags)
Example rule fragments: B[00 24 73 ??]k ANDS[>004]   C”QueueAPC”{arg0:0A,arg}
The rule is specified like a regular expression: it matches against automatically reverse-engineered details and contains boolean logic. These rules are considered intellectual property and are not shown to the user.
The trait, its description, and the underlying rule are held in a database.
DDNA Sequence Weighting
02 82 78 02 D6 F7 07 CD E3 05 51 87 05 A8 F1 02 FB 99 02 45 5B 02 7C 9A 02 AC CF 00 9F…
This is a series of 3-octet trait codes.
• Each trait can have a weight from -15 to +15.
  – + means suspicious
  – – means trusted
• The entire sequence is weighted by summing the weights of each trait.
• The summing of weights is performed using an algorithm known as the Discrete Weight Decay algorithm. This algorithm will decay the effects of a repeated weight value over time.
• +40 points or more in weight = Suspicious or potentially “Evil”
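The trait layout and sequence weighting described in the two slides above, as an added example that is not HBGary's code: a parser for the 3-octet trait codes and a scorer that sums weights with decay and applies the +40 threshold. The page gives the layout (weight/control octet followed by a two-octet hash), the weight range and the threshold, but not the bit encoding of the weight or the decay schedule; both are assumptions here: the weight is taken as sign-magnitude in the low 5 bits (which yields exactly -15..+15), the top 3 bits are treated as control flags, and each repeat of the same weight value contributes half as much as the previous occurrence. The second and third sequences are constructed to show the decay and the threshold.

```python
import re

# Assumed encoding of the weight/control octet (the page does not specify bits):
# bit 4 = sign, bits 0-3 = magnitude 0..15, bits 5-7 = control flags.
WEIGHT_SIGN = 0x10
WEIGHT_MAG = 0x0F
FLAG_MASK = 0xE0
EVIL_THRESHOLD = 40  # from the slide: +40 or more = suspicious / potentially "evil"


def parse_sequence(hexstr):
    """Turn a DDNA-style hex string into (weight, flags, hash) triples.

    Any non-hex characters (spaces, the trailing ellipsis) are ignored and a
    trailing partial trait is dropped.
    """
    octets = bytes.fromhex(re.sub(r"[^0-9A-Fa-f]", "", hexstr))
    traits = []
    for i in range(0, len(octets) - len(octets) % 3, 3):
        ctl = octets[i]
        mag = ctl & WEIGHT_MAG
        weight = -mag if ctl & WEIGHT_SIGN else mag
        traits.append((weight, ctl & FLAG_MASK, octets[i + 1:i + 3].hex().upper()))
    return traits


def naive_sum(traits):
    """Plain sum of weights, for comparison with the decayed score."""
    return sum(w for w, _flags, _hash in traits)


def score_sequence(traits, decay=0.5):
    """Discrete weight decay (assumed schedule): the k-th repeat of the same
    weight value contributes weight * decay**k, so a pile of identical weights
    cannot push a module over the threshold on its own."""
    repeats, total = {}, 0.0
    for weight, _flags, _hash in traits:
        k = repeats.get(weight, 0)
        total += weight * (decay ** k)
        repeats[weight] = k + 1
    return total


def is_suspicious(traits):
    return score_sequence(traits) >= EVIL_THRESHOLD


# Sequence from the slide (the trailing "00 9F" is an incomplete trait and is dropped).
PAGE_SEQUENCE = ("02 82 78 02 D6 F7 07 CD E3 05 51 87 05 A8 F1 "
                 "02 FB 99 02 45 5B 02 7C 9A 02 AC CF 00 9F")
# Constructed: a +15 trait hit five times, then one "trusted" trait of -3 (0x13 = sign|3).
REPEATED = "0F 0F 51 " * 5 + "13 8A C2"
# Constructed: five distinct suspicious traits whose weights add up past the threshold.
DISTINCT = "0C 11 11 0A 22 22 09 33 33 0B 44 44 08 55 55"

if __name__ == "__main__":
    for label, seq in (("page", PAGE_SEQUENCE), ("repeated", REPEATED), ("distinct", DISTINCT)):
        t = parse_sequence(seq)
        print(f"{label:9s} traits={len(t)} naive={naive_sum(t):3d} "
              f"decayed={score_sequence(t):7.3f} suspicious={is_suspicious(t)}")
```

The repeated sequence is the case the decay exists for: a plain sum gives 72 and would flag the module, while the decayed score stays well under 40; the distinct sequence crosses the threshold either way because its evidence comes from different traits.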
Why Digital DNA?
• Detect malware regardless of how it was packaged or compiled
  – Does the same things = same malware
• Detect variants across the Enterprise
  – Digital DNA is FUZZY!
• It tells you what the threat is!
  – Traits are categorized and have descriptions
  – It really can’t get any easier than this
How Digital DNA goes beyond MD5 Checksums
• In memory, once executing, a file is represented in a new way that cannot easily be back-referenced to a file checksum
• Digital DNA™ does not change, even if the underlying file does
  – Digital DNA is calculated from what the software DOES (its behavior), not how it was compiled or packaged
Diagram: a disk file passes through the OS loader into an in-memory image; some parts are copied in full, some copied in part, and some are 100% dynamic. On disk the MD5 checksum is reliable; in memory traditional checksums don’t work and the MD5 checksum is not consistent, while Digital DNA remains consistent.
Diagram: an Internet document (PDF, ActiveX, Flash, Office document, video, etc.) is loaded by the OS loader into memory. The disk file’s MD5 checksum is whitelisted and the process is trusted, but whitelisting on disk doesn’t prevent malware from being in memory: whitelisted code does not mean secure code.
Diagram: the same malware compiled in three different ways produces disk files whose MD5 checksums are all different, yet once loaded the Digital DNA remains consistent.
Diagram: the original starting malware packed with Packer #1 and with Packer #2 is decrypted back to the original by the time it runs in memory; the Digital DNA remains consistent, so Digital DNA defeats packers.
Diagram: different malware authors using the same malware toolkit (including packed samples) share toolkit DNA that is detected in memory, so Digital DNA detects toolkits.
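The contrast the MD5 slides and the diagrams above draw (different builds and packers, different file hashes, same behaviour in memory), as an added example that is not HBGary's code or engine. The “program” is a constructed byte blob, the two packers are a toy XOR and a toy byte rotation with their own stubs, the loader is simulated, and the behaviour fingerprint is simply the sorted set of API names referenced by the unpacked image; real DDNA derives its traits from decompiled code, which this stand-in does not attempt. The names, keys and layouts are all illustrative.

```python
import hashlib

# Constructed stand-in for "what the code does": the API names it references.
API_NAMES = [b"QueueUserAPC", b"WriteProcessMemory",
             b"CreateRemoteThread", b"InternetOpenUrlA"]


def compile_variant(seed):
    """Same behaviour, different build: section order and padding vary with seed."""
    rot = seed % len(API_NAMES)
    order = API_NAMES[rot:] + API_NAMES[:rot]
    pad = b"\x90" * (8 + seed * 4)
    return b"MZ" + pad + b"\x00".join(order) + b"\x00" + pad


def pack_xor(image, key):
    """Toy packer #1: XOR the body and prepend a stub header carrying the key."""
    return b"STUB1" + bytes([key]) + bytes(b ^ key for b in image)


def pack_rot(image, shift):
    """Toy packer #2: rotate every byte left; a different stub, a different layout."""
    body = bytes(((b << shift) | (b >> (8 - shift))) & 0xFF for b in image)
    return b"STUB2" + bytes([shift]) + body


def os_load(disk_bytes):
    """Simulated loader plus unpacking stub: what ends up in memory is the
    decrypted original, whichever packer produced the file on disk."""
    if disk_bytes.startswith(b"STUB1"):
        key = disk_bytes[5]
        return bytes(b ^ key for b in disk_bytes[6:])
    if disk_bytes.startswith(b"STUB2"):
        s = disk_bytes[5]
        return bytes(((b >> s) | (b << (8 - s))) & 0xFF for b in disk_bytes[6:])
    return disk_bytes


def md5(data):
    return hashlib.md5(data).hexdigest()


def behaviour_dna(memory_image):
    """Order-independent fingerprint of the APIs the unpacked image references.
    Returns (short hash, trait list)."""
    traits = sorted(name.decode() for name in API_NAMES if name in memory_image)
    return hashlib.sha256("|".join(traits).encode()).hexdigest()[:16], traits


def compare(disk_files):
    """Distinct MD5s of the files on disk versus distinct behaviour DNAs in memory."""
    md5s = {md5(d) for d in disk_files}
    dnas = {behaviour_dna(os_load(d))[0] for d in disk_files}
    return md5s, dnas


# Three builds of the same code plus two packed copies of the first build.
SAMPLES = [compile_variant(0), compile_variant(1), compile_variant(2),
           pack_xor(compile_variant(0), 0x5A), pack_rot(compile_variant(0), 3)]

if __name__ == "__main__":
    md5s, dnas = compare(SAMPLES)
    print(f"{len(SAMPLES)} files on disk -> {len(md5s)} distinct MD5s, {len(dnas)} distinct DNA")
    for d in SAMPLES:
        print(md5(d)[:12], behaviour_dna(os_load(d)))
```

Hashing the packed files never matches anything, and hashing the unpacked memory images only matches across the two packed copies of the same build; the behaviour fingerprint is the only one that collapses all five samples to a single value. A whitelisted disk hash says nothing about what the loaded image does, which is the point of the second diagram.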
Digital DNA Screenshot
Integration with McAfee ePO
Architecture diagram (components labelled Shipping or Next Year): HBGary Portal; ePO Console; Responder Workstation; Schedule; ePO Server; SQL; Threat Assessment Engines; ePO Agents (Endpoints); Events; HBG Extension; HBGary Evidence Processor (Q1); HBG WPMA; Fuzzy Search
WPMA = Windows Physical Memory Analysis
New: REcon
REcon records the entire lifecycle of a software program, from first instruction to the last. It records data samples at every step, including arguments to functions and pointers to objects.
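The recording model described for REcon, as an added example that is not HBGary's code and not a native-code tracer: the same idea applied to a Python program with `sys.settrace`, logging every function call with its arguments and their object ids (the closest Python equivalent of a pointer) and every return value, in execution order. The implant-like sample program, its XOR'd configuration blob and the URL inside it are constructed for illustration.

```python
import sys


def record_lifecycle(entry, *args):
    """Run entry(*args) under a tracer and return (result, events).

    Events are ordered as they happened. A 'call' event samples each argument's
    name, repr and object id; a 'return' event samples the return value. Only
    functions defined in this module are traced, to keep library internals out.
    """
    events = []
    module = __name__

    def local_tracer(frame, event, arg):
        if event == "return":
            events.append(("return", frame.f_code.co_name, repr(arg)))
        return local_tracer

    def global_tracer(frame, event, arg):
        if event != "call" or frame.f_globals.get("__name__") != module:
            return None                      # not ours: no per-line tracing
        code = frame.f_code
        sampled = []
        for name in code.co_varnames[:code.co_argcount]:
            value = frame.f_locals[name]
            sampled.append((name, repr(value), hex(id(value))))
        events.append(("call", code.co_name, sampled))
        return local_tracer

    sys.settrace(global_tracer)
    try:
        result = entry(*args)
    finally:
        sys.settrace(None)
    return result, events


def trace_summary(events):
    """Just the (kind, function) skeleton of a trace."""
    return [(kind, name) for kind, name, _data in events]


# Constructed sample program: decrypt a config blob, then "beacon" to the URL in it.
def decrypt_config(blob, key):
    out = bytearray()
    for b in blob:                # plain loop so no extra frames appear in the trace
        out.append(b ^ key)
    return bytes(out)


def beacon(url):
    return len(url)               # stand-in for a network call


def implant_main(blob):
    cfg = decrypt_config(blob, 0x2A)
    return beacon(cfg.decode())


SAMPLE_BLOB = bytes(b ^ 0x2A for b in b"http://c2.example.test/")

if __name__ == "__main__":
    result, events = record_lifecycle(implant_main, SAMPLE_BLOB)
    for ev in events:
        print(ev)
    print("result:", result)
```

The trace exposes the decrypted URL as the return value of `decrypt_config` and as the argument to `beacon`, even though it never exists on disk; that is the kind of intermediate data a lifecycle recorder captures that a static look at the file cannot.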