Copy of Copy of Unbelievable Tour Presentation

General Presentation to be used at each Tour location - Change Partner Logo
on 28 June 2016


Transcript of Copy of Copy of Unbelievable Tour Presentation

The UNBELIEVABLE Tour 2015

THE CYLANCE TEAM
TESTING PROCESS
Download 100 Samples
Update AV Engines

File Mutation - Example
Mutate Downloaded Samples
Run all samples against AV

Observe - Dormant Detection
Observe - Execution Stopped
OUR LINEAGE
1. AV Engines are ‘old’ & shared
2. Humans required
3. Too many alerts
4. Mutations evade detection
5. 3rd party tests rigged
6. Encryption
7. Network is just a segment
8. Network security is not Endpoint security
9. White lists & PUPs
10. Start and end with the endpoint

SECURITY IS BROKEN
NO signatures
NO heuristics
NO sandboxing
NO micro-virtualization
NO dynamic detonation
NO human analysts
NO UPDATES REQUIRED

PROTECTION WITHOUT WORRY
Artificial Intelligence and Machine Learning
Unlock the DNA of Advanced Threats
A CURE FOR MALWARE
ALL MALWARE MUST EXECUTE!
1. COLLECT
2. CLASSIFY
3. EXTRACT FEATURES
4. TRAIN
5. COLLECT
6. CLASSIFY
7. REPEAT

MATH & MACHINE LEARNING APPLIED
Scientific Algorithms
Neural Networks
Random Forests
Decision Trees
Support Vectors
K-means
Logistic Regression

Threat Indicators
Anomalies
Collection
Data Loss
Deception
Destruction
Misc

1. FEATURES
2. CONTEXT
3. MODELS
4. ENDPOINT AGENT

POWERING THE ENDPOINT
Vulnerability & Penetration Testing
Compromise Assessments
Emergency Incident Response
Critical Infrastructure Security
Industrial Control Systems Security
Customized Services
Threat Zero

PROFESSIONAL SERVICES
High Performance Agent
Low Memory | Low CPU

System & Memory Defense
Exploit Protection

Context Aware
OS | Application | Network | File |
Registry | Memory | Process Execution

Flexible & Secure
Cloud based management | Integrateable
Self-Protection | Threat Blocking

Artificial Intelligence
No Signatures | No Heuristics | No Behavior
No File Updates | No Humans







AGENDA
Introduction
Why Security is Broken
Live Demonstration
Q & A

BOTTOM LINE:
ANALYZING MALWARE DNA
BIG DATA
The UNBELIEVABLE Tour 2016
The Rise of Advanced Threats
Stuart McClure, CEO
Ryan Permeh, Chief Scientist
Glenn Chisholm, CTO

Greg Fitzgerald, CMO
Jeff Ishmael, CFO
Corey White, VP Professional Services

Joel Bauman, VP Business Development
Jon Miller, VP Strategy
Nick Warner, VP Sales
Microsoft AV Certified
Microsoft Virus Initiative (MVI)
Virus Information Alliance (VIA)
PCI Section 8 Compliant
HIPAA recognized rule 164.308


Ecosystem Integration
Splunk
LogRhythm
HP Arcsight
IBM QRadar
McAfee ePO
BigFix
Altiris

Malware
Companies cannot detect zero-day malware: BlackPOS (Target, Home Depot), CryptoLocker, Destover (Sony)

PUPs & RATs
Hackers use common tools too:
PsExec, VNC, TeamViewer, GoToMyPC, SCP, WinSCP, PsKill, PsShutdown, 7zip, RAR

Compromised Usernames and Passwords
Bad guys want to stay persistent and move around undetected.


WHAT DO ALL HACKS HAVE IN COMMON?
Compiled 11/24/2014 00:06:54 UTC; another wiper variant.

Supports switches:
-i installs itself as a service named WinsSchMgmt, with the exe path including -k
-k runs the wipe routine
-s makes network callbacks and attempts to wipe
Also creates a service named brmgmtsvc with display name "Backup and Restore Management Service", as well as the usbdrv3 service described above.

Creates the files:
igfxtrayex.exe in the folder where executed (SHA-256 e2ecec43da974db02f624ecadc94baf1d21fd1a5c4990c15863bb9929f781a0a)
taskhostes.exe in the folder where executed (copy of the above)
net_ver.dat in the folder where executed
%windows%\iisvr.exe
%temp%\usbdrv3.sys

net_ver.dat contains additional hosts:
USSDIXMSG30|43.130.141.22|2
43.130.141.94|2
43.130.141.28|2

Destover – New Variant 2 days later

Supports several additional switches, including:
-a only works on x64; creates %temp%\ams.exe and a batch script to delete it named %temp%\zawq.bat. The anti-AV module seems McAfee specific: it kills the processes mcshield.exe, UdaterUI.exe, McTray.exe, shstat.exe, FrameworkService.exe, VstskMgr.exe, mfeann.exe and naPrdMgr.exe, and deletes the McAfee service McShield
-m decrypts usbdrv3.sys from the resource ICON_PACKAGES and creates the associated service
-d deletes all files on the system except .exe and .dll
-s attempts to spread via net use to the systems listed above

Files stored in Icon_Packages in the resource section directory use their own custom XOR scheme.

Destover – Killin McAfee 

Attempts connections to a list of internal systems (UNC share names and an internal IP) with the above creds in order to spread and wipe.

Destover – Spreading and Wiping

Creates several services:
PmSvc with display name "Performance Manager", pointing to igfxtrayex.exe -k
usbdrv3 with display name "USB 3.0 Host Controller", pointing to the EldoS driver file (usbdrv3.sys) used for raw access
WinsSchMgmt with display name "Windows Schedule Management Service", pointing to the binary with the "-k" option

Destover – Creating Services
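The service names, display names and dropped file names on these Destover slides are usable detection content. As an added example (not Cylance's code), the Python below checks Windows service-installation records (System log Event ID 7045) against those indicators; the key=value log layout, host names and sample records are constructed assumptions, not real telemetry.

```python
import re
from dataclasses import dataclass

# Service name -> display name, as listed on the slides
DESTOVER_SERVICE_NAMES = {
    "PmSvc": "Performance Manager",
    "usbdrv3": "USB 3.0 Host Controller",
    "WinsSchMgmt": "Windows Schedule Management Service",
    "brmgmtsvc": "Backup and Restore Management Service",
}
DESTOVER_DISPLAY_NAMES = {v: k for k, v in DESTOVER_SERVICE_NAMES.items()}
# File names the slides say the dropper and wiper write to disk
DESTOVER_FILES = {"igfxtrayex.exe", "igfxtraysoe.exe", "taskhostes.exe",
                  "iisvr.exe", "usbdrv3.sys"}


@dataclass
class Finding:
    host: str
    service: str
    reason: str


# Constructed sample records (assumption: the log collector flattens System
# log events into key=value pairs; real exports use other field names).
SAMPLE_LOG = """\
host=WS01 event_id=7045 service_name=PmSvc display_name="Performance Manager" image_path="C:\\Users\\a\\igfxtrayex.exe -k"
host=WS01 event_id=7045 service_name=usbdrv3 display_name="USB 3.0 Host Controller" image_path="C:\\WINDOWS\\temp\\usbdrv3.sys"
host=WS02 event_id=7045 service_name=Spooler display_name="Print Spooler" image_path="C:\\Windows\\System32\\spoolsv.exe"
host=WS03 event_id=7045 service_name=Backup1 display_name="Backup and Restore Management Service" image_path="C:\\tools\\bk.exe"
host=WS03 event_id=7045 service_name=Updater display_name="Updater" image_path="C:\\Users\\b\\taskhostes.exe"
host=WS02 event_id=7036 service_name=PmSvc display_name="Performance Manager" image_path=""
"""

FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Split one key=value line into a dict, dropping quotes around values."""
    out = {}
    for key, raw in FIELD_RE.findall(line):
        out[key] = raw[1:-1] if raw.startswith('"') else raw
    return out


def classify(rec):
    """Return why a service-install (7045) record matches, or None."""
    if rec.get("event_id") != "7045":
        return None  # only new-service installations are examined
    name = rec.get("service_name", "")
    display = rec.get("display_name", "")
    if name in DESTOVER_SERVICE_NAMES:
        return f"service name {name} is a Destover indicator"
    if display in DESTOVER_DISPLAY_NAMES:
        return f"display name '{display}' belongs to Destover service {DESTOVER_DISPLAY_NAMES[display]}"
    # First token of the image path is the binary; compare its base name only
    binary = rec.get("image_path", "").split(" ")[0].rsplit("\\", 1)[-1].lower()
    if binary in DESTOVER_FILES:
        return f"image path runs Destover dropped file {binary}"
    return None


def scan(log_text):
    """Run every record through classify() and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        reason = classify(rec)
        if reason:
            findings.append(Finding(rec.get("host", "?"), rec.get("service_name", "?"), reason))
    return findings
```

Matching on all three attributes matters because an attacker can rename the service while keeping the display name or the dropped binary; the 7036 (state change) record is skipped so only the installation itself raises a finding.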

Secure third party vendors
Block all zero day malware and PUPs
Perform regular assessments looking for credential misuse
Stay Diligent. Threat Actors Do NOT Stop

Summary

Tightly control egress traffic
Stop using outdated operating systems
Use two-factor authentication for remote access
Proper training in recognizing and avoiding phishing attacks
Secure and monitor PUP use
NOT: Make sure everything is according to PCI DSS standards


Defending against BlackPOS

FireEye: Malware detection appliance. Labeled BlackPOS under the generic name of “malware.binary”, presumably leading to the warning being dismissed as inconsequential.

Symantec Endpoint Protection: Antivirus software. Detected BlackPOS around the same time as FireEye (Nov. 30). Warnings also went unheeded.

Bit9: Endpoint protection for Target’s internal Windows servers. Creates a “whitelist” of programs allowed to run. Hackers just modified the whitelist to include BlackPOS.



Security Fails

Authorization data is temporarily stored in clear text in system memory
Threat actors attack memory space because it is the easiest path to the credit card data
No traditional AV detects BlackPOS variants
RAM scrapers generally use logic to identify track 1 and track 2 data
Some malware is known to use the Luhn algorithm to validate card numbers
Captured data is pulled out of memory as it passes through
Data is often briefly stored on the system, encrypted

POS Primer

What Really Happened at Target & Home Depot?

Breakdown of the Sony Malware

Open Discussion, Q & A


Overview

Too Much Noise – SIEM And Other Alerting Tools
Untrained Staff – Looking For The Wrong IOCs
Using Yesterday’s Tools & Approaches To Solve Today’s Problems
Most Companies Are Already Compromised But Don’t Have The Tools To “Detect And Respond”
Current Tools Not Operationalized


What Is Everyone Doing Wrong?

Also attempts SMB connections to a further list of hosts/IPs, which are stored XOR-encoded near the end of the file; it uses both the IPC$ and ADMIN$ shares with the credentials above.

Destover – More Spreading…

Network callback to 203.131.222.102, 217.96.33.164, 88.53.215.64 on port 8080 or 8000
Contains hardcoded credentials for:
_SPE\Dayals-1:LondXXXX
SPE\JHKim4-1:!TomoXXXX
SPE\KManku-1:M@ndaXXXX
SPE\MMcLean3-1:@SmiXXXX

Destover – New Hardcoded Creds

Supports two command line options -i and -k:
-i is default
-k starts the wiping/spreading process

Hardcoded Credentials for SMB Network Spreading via net use:
SPE\ADutta2-1:P@ssw0rd123
cmd.exe /c net use \\la_users "P@ssw0rd123" /u:"SPE\ADutta2-1" > 3057000_684

Destover – Commands and Creds

Compiled 11/22/2014 5:02 UTC; dropper for the wiper.
Connects back to 212.31.102.100:8080 and reports the hostname.
Can also connect to 58.185.154.99 and 200.87.126.116 using either port 8080 or 8000.
Drops:
C:\WINDOWS\temp\usbdrv3.sys
igfxtrayex.exe to the folder where the exe is run (SHA-256 0753f8a7ae38fdb830484d0d737f975884499b9335e70b7d22b7d4ab149c01b5); this is the main binary
igfxtraysoe.exe to the folder where the exe is run (copy of igfxtrayex.exe)

Will drop %temp%\kph.sys and %temp%\ams.exe on x64.
Can also write %WINDOWS%\walls.bmp.

Destover – C2 Comms

Citadel Trojan: Botnet-controlled malware, sent through phishing emails. In both cases it was used to capture login credentials to the supplier portal via a keylogger. Difficult to detect, as it blocks access to security sites and updates with aggressive DNS filtering.






Attacking the Third Party Vendors

Compromised Usernames and Passwords
How would you detect if a user’s credentials are being misused?

PUPS & RATS
Can you detect if a hacker is using tools like VNC, TeamViewer, GoToMyPC, SCP, WinSCP, PsExec, PsKill, PsShutdown, 7zip or RAR?

Malware
How do you currently detect zero-day malware such as BlackPOS (Target, Home Depot), CryptoLocker or Destover (Sony)?

What Did All The Hacks Have In Common?

FrameworkPOS(Home Depot) Features:
Uses DNS requests to exfiltrate data

Kaptoxa(Target) Features:
Disguises itself as part of the antivirus software
Improved search routines, including process exclusion list

BlackPOS Core Features:
Self installation
Self removal
Data encryption
Data exfiltration
Memory Scraping
Anti-forensics suite


BlackPOS and its Variants

Presenter: Corey White


Analysis of the 2013 Target Data Breach and the 2014 Home Depot Data Breach

Home Depot

Target

Home Depot’s operating system for their POS machines was 10 years old. Vulnerability easily found.
Home Depot’s endpoint security and antivirus failed to detect the malware for five months.

Target failed to segregate networks. Supplier portal technically had access to billing network.
FireEye failed to detect BlackPOS infecting POS systems. Target failed to respond in a timely manner when it did.
Whitelist ineffective. Hackers modified whitelist to include BlackPOS.
Target failed to notice a parallel data stream sending stolen data to compromised server.

Internal Security Failures

SOURCE: http://www.heritage.org/research/reports/2014/10/cyber-attacks-on-us-companies-in-2014

August
U.S. Investigations Services (services)
Community Health Services (health care)
UPS (services)
Defense Industries (defense)
September
Home Depot (retail)
Google (communications)
Apple iCloud (technology)
Goodwill Industries International (retail)
Bartell Hotels (hotel)
October
J.P. Morgan Chase (financial)
Dairy Queen International (restaurant)
Snapsave (communications)
December
Sony 


January
Target (retail)
Neiman Marcus (retail)
Michaels (retail)
Yahoo! Mail (communications)
Aaron Brothers (retail)
AT&T (communications)
May
eBay (retail) 
June
Feedly (communications)
Evernote (technology)
P.F. Chang’s China Bistro (restaurant)
 


Last Year’s Big Hacks

Total Damage: 56 million credit cards stolen

Prior to May 2014:
Thieves attack third party vendor with phishing email. Gain access to Home Depot Network. Install malware.

Sep. 2:
Breach discovered.

Ongoing:
Home Depot investigates data breach

Sep. 7:
Malware removed from POS systems.

May 2014 – Sep. 7:
Cyberattack on Home Depot(!)

Home Depot Data Breach

Total Damage: 40 million credit cards stolen

Nov. 30:
FireEye and Symantec AV detect malware. Nothing done.

Dec. 11 – Dec. 15:
Target discovers malware, hires team to remove it.

Nov. 27 – Dec. 15:
Infected POS machines collect credit card information, exfiltrate to Russian server.

Nov.12 – Nov. 27:
Thieves gain access to Target network, install BlackPOS on Target systems

At Least Two Months Prior:
Thieves perform recon of Target vendors.

September 2013:
Fazio Mechanical hit with phishing email

Target Data Breach

DO NOT DISTRIBUTE

PROPRIETARY AND CONFIDENTIAL

Big Math and Machine Learning
Applied to Security

The methods of attack at both companies were extremely similar. The differences in the attacks can be attributed to differences in each company’s security vulnerabilities.

Send data from compromised server to remote server in Russia/Eastern Europe. Sell info for profit.

Encrypt stolen data. Send to compromised servers within the network.

Infect all POS systems inside of billing network with BlackPOS. Use BlackPOS to steal credit card info.

Exploit weakness in Windows XPe to gain access to internal billing network (Home Depot)

Gain access to internal billing network directly (Target)

Steal login information to supplier portal from third party vendor


Process of Attack


FOR MALWARE HUNTERS, IT, HELPDESK, FORENSICS, AND INCIDENT RESPONDERS

Agentless Malware Detection
Automated
Scalable
Whitelist Validation
No Internet Needed
Command-line & GUI

IMPACT

Reputation

Morale

Legal Liability

Stock Value

Business Interruption

Financial & Data Loss

HOW

Malware

PUPs (Potentially Unwanted Programs)

Targeted Vulnerabilities

Credentials

Lateral movement

Persistence
CYBER ATTACK SUCCESS
People clicking on links
Phishing emails
Too many alerts
Unknown malware
Not knowing what's wrong
Not enough insight
Always chasing threats
Agents slowing down computers
Malware
Web site malware
PUPs
Help desk calls