Published by Jeffery Heath. Modified over 8 years ago.
1
Next-Generation Endpoint Protection Enduser Protection
Set up the value and its impact from the customer perspective. Motivation: why do we end up in front of a customer? Frustrated with complexity; poor results; cost; upgrade cycle; vendor questions, typically at renewal time; a next-gen vendor creating an opportunity. Also, we are getting attacked, especially in North America, especially by Cylance. Who are the key competitors from the field perspective? Be offensive, not defensive: why we solve more, not why we are so much better. Smart, simple and synchronized.
2
Sophos Portfolio
Network: Next-Gen Firewall/UTM, Web Security, Wireless. Enduser: Next-Gen Endpoint Protection, Mobile Control, SafeGuard Encryption, Server Security. Sophos Central.
Secure the Endpoint (PC/Mac): next-gen endpoint security to prevent, detect, investigate and remediate.
Secure the Mobile Device: secure smartphones and tablets just like any other endpoint.
Secure the Servers: protection optimized for the server environment (physical or virtual): fast, effective, controlled.
Protect the Data: simple-to-use encryption for a highly effective last line of defense against data loss.
Secure the Perimeter: ultimate enterprise firewall performance, security, and control.
Secure the Web: advanced protection, control, and insights that are effective, affordable, and easy.
Secure the Email: threats and phishing attacks don't stand a chance with transparent filtering.
Secure the Wireless: super secure, super easy Wi-Fi.
3
Agenda: Security Landscape, Endpoint Protection, Server Security, Synchronized Security, SafeGuard Encryption.
4
The world is changing Next-Generation
Attacks are more sophisticated than defenses: syndicated crime tools, zero-day exploits, memory-resident malware, polymorphic/metamorphic code, network and endpoint integrated attacks, Advanced Persistent Threats.
Attack surface exponentially larger: laptops/desktops, phones/tablets, virtual servers/desktops, cloud servers/storage.
Point products: anti-virus, IPS, firewall, sandbox.
Market vocabulary: "Math AV", "AV is Dead", signatureless, next-generation, behavior analytics, detonation, zero-day exploit, big data, zero trust, sandbox.
5
Continued industrialization of malware
Diverse and sophisticated adversaries: criminal syndicates, nation states, hacktivists.
Growth in malware: 350,000 new malware programs per day.
Successful attacks (2015 Cyber Threat Defense report): over 70% of organizations report having been compromised by a successful cyber attack in the last 12 months.
Cyber crime damages (Juniper report): $500 billion worldwide, growing to $1.5T by 2019.
New cyber security market defined: Endpoint Detection and Remediation. Emergence of new 'Next Gen' vendors focused on detect and remediate: exploit detection / runtime analytics, SIEM / Security Operations Center, malicious activity hunting / high false-positive rate.
6
Agenda: Endpoint Protection. Sections: Security Landscape, Endpoint Protection, Server Security, Synchronized Security, SafeGuard Encryption.
7
What Sophos Endpoint Protection Does
Prevention: correlates threat indicators to block web and application exploits, dangerous URLs, potentially unwanted apps and malicious code. Techniques: device control, sandboxing, reputation, patch, lockdown, static file analysis.
Detection: analyzes software behavior and network traffic in real time, alerting you to hidden threats that can be missed by traditional AV technology. Techniques: dynamic file analysis, Malicious Traffic Detection, behavior analytics, Synchronized Security.
Response: removes detected malware automatically or isolates compromised devices in order to prevent damage. Techniques: encryption key shredding, Sophos Clean, Synchronized Security network lockdown.
Objective: cover the differentiation, and the value of that differentiation, in each of these three functions. This slide introduces the next three slides, which discuss each in more detail.
8
The Sophos Endpoint TODAY
Simple management; integration beyond the endpoint; seamless integrated agent; comprehensive platform support; curated threat intelligence.
Prevention: exposure prevention, execution prevention. Detection: runtime detection. Respond: respond and remove.
9
How Sophos protects on the endpoint: beyond signature-based protection
Prevent. Exposure Prevention: web protection, web and app control, download reputation, device control. Execution Prevention: file analytics, heuristic evaluation, on-device emulation, signature checking.
Detect. Runtime Detection: runtime behavior, exploit detect and prevent, data loss prevention, ransomware prevention.
Respond. Incident Response: malware removal, malware quarantine, Incident Response Report, automatic root cause determination.
(80% / 15% / 5%)
Threat Intelligence: SophosLabs big data, automation, leveraged expertise. Runtime lookups and automated updates; 24/7 threat monitoring and model curation; champion/challenger model testing; automated efficacy, efficiency and false-positive testing prior to publishing; driven by data science plus threat analyst expertise.
10
Sophos Central Endpoint Advanced
The 'Kill Chain' and breach response: Exposure, Delivery, Exploit, Execute, Command & Control, Action on Objective; then Investigate, Remediate, Adjust Security.
Prevent / Detect / Respond mapping. Exposure: Web Protection, Device Control. Delivery: Download Reputation. Exploit: Runtime Memory Analytics. Execution: File Analytics / Heuristics. Command & Control: Malicious Traffic. Action on Objective: Data Loss Prevention, File Encryption. Investigate: Alerting and Reports. Remediate: Malware Removal, Malware Quarantine.
Sophos Central Endpoint Advanced: Anti-Malware. Sophos confidential
11
Traditional anti-malware vs. anti-hacking
Traditional anti-malware: understand the malware; identify its components; block its delivery; detect its presence on the device through file, process, signal and attribute monitoring; lock down the device to trusted applications only. This method looks for malware.
Next Generation: understand the objectives and methods used; detect the attack on the device and its processes; stop the malicious activity; track the action to a root cause; provide answers to critical questions. This method looks for hacking.
12
Sophos Intercept/Ultimate
Core capabilities: signatureless detection; CryptoGuard (detect and recover from ransomware); comprehensive exploit prevention; Malicious Traffic Detection; Synchronized Security; Incident Response Report (automatic identification of root cause, IOC artifact list, visualization of the attack events); forensic malware removal (Sophos Clean, a second-opinion scanner).
Packaging: Intercept runs alongside competitive AV; Ultimate is the most complete Sophos endpoint protection.
CryptoGuard, simple and comprehensive: universally prevents spontaneous encryption of data; notifies the end user on rapid encryption events; rolls back to the pre-encrypted state.
Pillars: CryptoGuard, Exploit Protection, Incident Response, Sophos Clean.
13
CryptoGuard, simple and comprehensive: universally prevents spontaneous encryption of data; notifies the end user on rapid encryption events; rolls back to the pre-encrypted state.
Ransomware, September 2016: over $1B in ransom payments projected for 2016 (source: FBI); CryptoWall cost users $325M in 2015; 2 out of 3 infections arrive by phishing attack; delivered by drive-by exploit kits; hundreds of thousands of victims worldwide; now for Mac and Windows users; targeting everyone.
14
Data Breaches - The root of the problem
400,000 new malware per day. Traditional anti-virus: file analytics, heuristics, URL blocking, black/white lists, signatures, sandboxing (an endless, ∞, list).
>70% of companies breached; >90% of data breaches use exploits. More questions than answers: SIEM, EDR, UEBA, anomaly detection, Security Operations Center, forensic breach assessment teams.
>6,800 vulnerabilities per year (>30% increase from 2015); nearly 200 days from vulnerability to patch. Patch management, vulnerability scanning, device management, patch testing and deployment.
Available exploit methods: tens; very few new exploit methods per year. Sophos Intercept: exploit and ransomware prevention, Incident Response Report, automatic root cause attribution. Anti-exploit targets the root of the problem.
15
Why Is It So Challenging to Address New Threats?
Security: 6,787 new vulnerabilities in 2015, a 31% increase from 2014 (source: Gartner). IT Ops: 193 days on average to fix vulnerabilities after initial discovery (source: WhiteHat Security). "More than 90% of all breaches are caused by a few hundred commercial exploit kits." (Source: NSS Labs)
16
Exploit Prevention - Methods
Exploit Protection: signatureless; detects and prevents application exploits.
17
So the Endpoint found and removed malware.. What happened?
Where did it get in? Should we contact a regulator? What damage has been done? Did they steal important data? How? When? Where? Who? What? Why?
18
Understanding the Root Cause of an attack. First: keep a log of what the endpoints have been doing.
Sophos Data Recorder. Operating systems: Windows; Mac OS in early 2017. Capacity: up to 30 days of activity, 100 MB, local to the device, under 0.5% CPU utilization. Records: memory, registry, network, file system, process activity.
19
Incident Response: understanding the activity
When an event happens, automatically track back to the root cause. Branched threat chains: the threat chain includes suspect activity related to the root cause. At-risk assets: identification of all productivity documents related to the complete threat chain.
Example chain shown on the slide: Fred.pdf created, copied from USB device; accessed via acrobat.exe; fred.com (low-reputation site) accessed; Datacollector.exe created, written by iExplore.exe from URL fred.com; Bob.exe created, written by iExplore.exe from URL fred.com; Bob.exe reached out to a C2 site; HIPS cleaned Bob.exe. Event timeline markers: file infection event, beacon event, exploit, malicious traffic, ransomware, file analytics, HIPS scan. Root cause attribution: PDF delivered from USB. Recommended action: leverage Device Control.
Threat chain: full list of IOCs from the Sophos Data Recorder including process, registry, file and network activity. Timeline of events: view the chain of events from root cause to detection, filtering out unrelated activities.
This slide builds and shows what we expect to provide with V1. From the confirmed malware event on the right we show the taint chain. Note that multiple legitimate applications have been leveraged by the malware (Adobe, iexplore). Note the recommended action (Device Control). Note the recommended action (block a web site). With auto sample submission turned on, the taint chain data has also reached SophosLabs, and it is likely that the bad website is about to be put on the bad list by labs; the dangerous PDF will get flagged as well. Note that the third dialog shows the ability to explore the root cause chain in more detail; this is where the identification of at-risk files will be shown.
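The slide describes tracking back from a confirmed detection to a root cause, collecting the suspect activity of every process on that path, and listing the productivity documents those processes touched. The following is an added example, not Sophos code, of how such a walk can be done over a recorded activity log: it starts at the detection event, follows "who started this process", "who wrote this file" and "which file with a recorded origin did it open" links backwards, then attaches all activity of the tainted processes up to the detection. The event log, process names, timestamps and the recommendation mapping are constructed to mirror the chain on the slide.

```python
"""Root-cause attribution over recorded endpoint activity (constructed example)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class Event:
    ts: int        # seconds since the recorder started (constructed timestamps)
    actor: str     # process performing the action
    action: str    # exec | write | read | net | usb_copy
    target: str    # process started, file touched, or URL contacted


# Constructed recorder log modelled on the chain the slide describes.
EVENTS = [
    Event(5, "winword.exe", "write", r"C:\Users\alice\Documents\notes.docx"),  # unrelated
    Event(10, "explorer.exe", "usb_copy", "Fred.pdf"),         # PDF arrives from USB
    Event(20, "explorer.exe", "exec", "acrobat.exe"),
    Event(21, "acrobat.exe", "read", "Fred.pdf"),              # Fred.pdf opened
    Event(30, "acrobat.exe", "net", "http://fred.com/x"),      # low-reputation site
    Event(31, "acrobat.exe", "exec", "iexplore.exe"),
    Event(40, "iexplore.exe", "write", "Datacollector.exe"),
    Event(41, "iexplore.exe", "write", "Bob.exe"),
    Event(50, "iexplore.exe", "exec", "Bob.exe"),
    Event(55, "Bob.exe", "read", r"C:\Users\alice\Documents\budget.xlsx"),
    Event(60, "Bob.exe", "net", "http://c2.example/beacon"),  # detection: traffic alert
    Event(70, "explorer.exe", "exec", "winword.exe"),          # unrelated, later
]
DETECTION = EVENTS[10]

# Hardening suggestion keyed on the channel the root-cause event used (assumed mapping).
RECOMMENDATIONS = {
    "usb_copy": "Device Control: restrict removable media",
    "net": "Web Control: block the originating site",
}
DOC_EXT = {".docx", ".xlsx", ".pptx", ".pdf"}


def build_index(events):
    started_by, written_by, reads = {}, {}, defaultdict(list)
    for e in events:
        if e.action == "exec":
            started_by[e.target] = e
        elif e.action in ("write", "usb_copy"):
            written_by[e.target] = e
        elif e.action == "read":
            reads[e.actor].append(e)
    return started_by, written_by, reads


def analyze(events, detection):
    """Walk backwards from the detection to the root cause and build the threat chain."""
    started_by, written_by, reads = build_index(events)
    lineage = {detection}                 # events linking each node to its predecessor
    visited, tainted = set(), {detection.actor}
    queue = deque([detection.actor])
    while queue:
        node = queue.popleft()
        if node in visited:
            continue
        visited.add(node)
        preds = []
        if node in started_by:            # the process that started this one
            preds.append(started_by[node])
            tainted.add(node)             # a process with recorded ancestry is on the chain
        if node in written_by:            # the process that wrote this file or binary
            preds.append(written_by[node])
        for r in reads.get(node, ()):     # files it opened that have a recorded origin
            if r.target in written_by:
                preds.append(r)
        for p in preds:
            lineage.add(p)
            queue.append(p.target if p.action == "read" else p.actor)
    chain = set(lineage)
    chain.update(e for e in events if e.actor in tainted and e.ts <= detection.ts)
    chain = sorted(chain, key=lambda e: e.ts)
    root = chain[0]                       # earliest event on the chain is the root cause
    at_risk = sorted({e.target for e in chain if e.action in ("read", "write")
                      and PureWindowsPath(e.target).suffix.lower() in DOC_EXT})
    return {"root_cause": root, "chain": chain, "at_risk": at_risk,
            "recommendation": RECOMMENDATIONS.get(root.action, "Review the chain manually")}


if __name__ == "__main__":
    result = analyze(EVENTS, DETECTION)
    print("Root cause:", result["root_cause"])
    print("Recommended action:", result["recommendation"])
    for e in result["chain"]:
        print(f"  t={e.ts:3d} {e.actor} {e.action} {e.target}")
    print("At-risk documents:", result["at_risk"])
```

The unrelated winword.exe activity is filtered out because winword.exe never appears on a lineage edge, while the acrobat.exe visit to fred.com is kept because acrobat.exe is an ancestor of the detected process; that is the difference between the full recorder log and the filtered timeline the slide describes.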
20
Our Incident Response engine automatically captures core data on an incident, showing crisp summary data and details a human can understand. IT people can also add comments and actions to each incident as it is investigated. We automatically add a priority depending on our analysis of the root cause and the chain itself. Someone can add to this; for example, here is an exfiltrator that got caught as it attempted to reach out to a C2. ...and I see that the IT guy recommended we also look at Synchronized Encryption. (Show artifacts) Sophos confidential
21
Digging deeper we see that there are some business files involved in the attempted exfiltration….
(Show RCA)
22
...and yes, we also create an RCA chain for review. Here you see the chain, with us recording that one of the processes in the attack chain read the contents of the My Documents folder. To learn more, go see Russ's session... it ROCKS. Sophos confidential
23
Sophos Clean – How it works
24
Sophos Clean – Works with competitive AV
25
Sophos Central Endpoint Ultimate
The 'Kill Chain' and breach response: Exposure, Delivery, Exploit, Execute, Command & Control, Action on Objective; then Investigate, Remediate, Adjust Security.
Anti-malware (Prevent / Detect / Respond). Exposure: Web Protection, Device Control. Delivery: Download Reputation. Exploit: Runtime Memory Analytics. Execution: File Analytics / Heuristics. Command & Control: Malicious Traffic. Action on Objective: Data Loss Prevention, File Encryption. Investigate: Alerting and Reports. Remediate: Malware Removal, Malware Quarantine.
Added in Ultimate. Exploit: Exploit Prevention. Execution: CryptoGuard. Action: Event Recorder. Investigate: Incident Report. Remediate: Forensics Cleanup. Adjust Security: Recommended Actions. Available September 2016.
Sophos Central Endpoint Ultimate. Sophos confidential
26
Introducing Intercept and Ultimate
Product names: Endpoint Protection (SKUs: Central Endpoint Standard, Central Endpoint Advanced, Central Endpoint Ultimate) and Intercept (SKU: Central Endpoint Intercept). Pricing: per user. Feature rows compared across the SKUs:
PREVENT: Web Security, Download Reputation, Web Control / URL Category Blocking, Device Control (e.g. USB), Application Control, Browser Exploit Prevention.
DETECT & STOP: Anti-malware / Anti-virus, Live Protection, Pre-execution & Runtime Behavior Analysis / HIPS, Potentially Unwanted Application (PUA) Detection, Malicious Traffic Detection (MTD), Synchronized Security Heartbeat, CryptoGuard Ransomware Protection, Exploit Technique Prevention.
RESPOND: Root Cause Analysis / Threat Analysis, Sophos Clean Malware Removal.
27
Agenda: Server Security. Sections: Security Landscape, Endpoint Protection, Server Security, Synchronized Security, SafeGuard Encryption.
28
Lockdown: Stops known and unknown threats with a single click!
Default-deny: lock down servers in a known-safe state. Only authorized applications can run; anything else is blocked, including zero-day executables. Whitelisting without the complexity: one-click deployment, automatic trust rules (managed by Sophos), simple per-server licensing (Server Protection Advanced).
29
Protecting servers from Ransomware
Today: Lockdown prevents untrusted executables and scripts from running; anti-malware/HIPS detects ransomware on the server.
Coming soon: Malicious Traffic Detection (MTD) detects command-and-control communications; CryptoGuard stops unsolicited file encryption.
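The two server slides above describe default-deny lockdown: snapshot what is installed, allow only that plus whatever automatic trust rules admit, and block everything else, scripts included. The following is an added example of that policy logic, written for this page and not taken from Sophos Server Protection; the hash allowlist, the "trusted publisher" rule, the interpreter list and the sample files are all constructed assumptions. The point it makes that the slides only state is why scripts need their own decision: a trusted interpreter must not become a bypass for an untrusted script.

```python
"""Default-deny server lockdown evaluator (constructed example)."""
import hashlib
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# Interpreters whose "executable" is really the script they are handed (assumed list).
SCRIPT_INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


@dataclass(frozen=True)
class ExecRequest:
    path: str
    content: bytes                          # file bytes (constructed)
    publisher: Optional[str] = None         # signer; assumed verified by the platform
    script: Optional["ExecRequest"] = None  # script handed to an interpreter, if any


def sha256(data):
    return hashlib.sha256(data).hexdigest()


class Lockdown:
    def __init__(self, trusted_publishers=()):
        self.allowed_hashes = set()
        self.trusted_publishers = set(trusted_publishers)  # automatic trust rule (assumed)
        self.log = []                                      # (path, verdict, reason)

    def snapshot(self, installed):
        """One-click lockdown: trust exactly what is installed at this moment."""
        for content in installed.values():
            self.allowed_hashes.add(sha256(content))

    def decide(self, req):
        verdict, reason = self._evaluate(req)
        self.log.append((req.path, verdict, reason))
        return verdict

    def _evaluate(self, req):
        if sha256(req.content) in self.allowed_hashes:
            reason = "hash in lockdown snapshot"
        elif req.publisher in self.trusted_publishers:
            reason = f"signed by trusted publisher {req.publisher}"
        else:
            return "block", "not in allowlist (default-deny)"
        # A trusted interpreter must not become a bypass: the script is judged on its own.
        if PureWindowsPath(req.path).name.lower() in SCRIPT_INTERPRETERS and req.script:
            s_verdict, s_reason = self._evaluate(req.script)
            if s_verdict == "block":
                return "block", f"script {req.script.path}: {s_reason}"
        return "allow", reason


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
INSTALLED = {  # constructed snapshot of the server at lockdown time
    PS: b"<powershell binary>",
    r"C:\Program Files\App\service.exe": b"<service binary v1>",
    r"C:\Scripts\backup.ps1": b"Copy-Item D:\\data E:\\backup -Recurse",
}


def demo():
    """Exercise the policy against known, new, vendor-signed and scripted executions."""
    ld = Lockdown(trusted_publishers={"Example Vendor Inc."})
    ld.snapshot(INSTALLED)
    known_script = ExecRequest(r"C:\Scripts\backup.ps1", INSTALLED[r"C:\Scripts\backup.ps1"])
    new_script = ExecRequest(r"C:\Temp\x.ps1", b"<never seen script>")
    return {
        "known_service": ld.decide(ExecRequest(r"C:\Program Files\App\service.exe",
                                               b"<service binary v1>")),
        "dropped_exe": ld.decide(ExecRequest(r"C:\Users\Public\dropper.exe",
                                             b"<never seen binary>")),
        "vendor_update": ld.decide(ExecRequest(r"C:\Program Files\App\service.exe",
                                               b"<service binary v2>",
                                               publisher="Example Vendor Inc.")),
        "known_script": ld.decide(ExecRequest(PS, INSTALLED[PS], script=known_script)),
        "new_script": ld.decide(ExecRequest(PS, INSTALLED[PS], script=new_script)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} -> {verdict}")
```

The decision log is what an operator would review after lockdown: every block carries the reason, so a legitimate vendor update that is not yet signed shows up as "not in allowlist" rather than silently failing.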
30
Coming Soon to Server Advanced…
Server Standard and Server Advanced (recommended): Windows, Linux, virtualization; anti-malware + Live Protection; automatic exclusions. Server Advanced adds one-click Server Lockdown. Next 12 months: Web Control, Peripheral Control, Application Control, Malicious Traffic Detection, Security Heartbeat™, CryptoGuard.
31
Agenda: Synchronized Security. Sections: Security Landscape, Endpoint Protection, Server Security, Synchronized Security, SafeGuard Encryption.
32
Integration at a different level
Synchronized Security (Enduser and Network managed together): system-level intelligence; automated correlation; faster decision-making; accelerated threat discovery; automated incident response; simple unified management.
The alternative (SIEM with separate endpoint and network management): resource intensive; manual correlation; dependent upon human analysis; manual threat/incident response; extra products; endpoint and network unaware of each other.
33
Sophos Security Heartbeat
Accelerated Threat Discovery: next-gen endpoint and firewall communicate to rapidly find infected hosts across your company. Active Source Identification: share security intelligence to positively identify infected users, systems and processes. Automated Incident Response: automatically isolate, or limit the access of, compromised systems until they are cleaned up.
34
Next Generation Threat Detection Advanced Cloud Endpoint with XG Firewall
Sophos System Protector (endpoint): Sophos Cloud, Application Control, Application Tracking, Reputation, Web Protection, IoC Collector, Threat Engine, Live Protection, Emulator, Behaviour Analytics, Device Control, Malicious Traffic Detection.
Sophos Firewall Operating System: Routing, Security, Web Filtering, Intrusion Prevention System, Firewall, Threat Engine, Proxy, Selective Sandbox, Application Control, Data Loss Prevention, ATP Detection.
The two are linked by the Security Heartbeat™. On a user, system or file compromise: isolate subnet and WAN access; block/remove malware; identify and clean other infected systems.
35
Agenda: SafeGuard Encryption. Sections: Security Landscape, Endpoint Protection, Server Security, Synchronized Security, SafeGuard Encryption.
36
Access to Encrypted Data
IN: trusted device + trusted user + trusted process = access to the key (the user can work on both encrypted and unencrypted data; invisible to the user). Data that is trusted (Office docs etc.) is 'encrypted' by default.
OUT: non-trusted process, or non-trusted device, or non-trusted user = no key (can't read 'IN' docs). Data that is personal to the user, or that the user explicitly chooses to be unencrypted, is out.
37
SGN 8.0 - Device Trust with Synchronized Security
In SGN 8.0 device trust is dynamic and will change if the endpoint detects malicious activity. Trusted devices: if the user and application are also trusted, the device can read and create encrypted documents. Untrusted devices: can't read the clear-text form of encrypted documents; can't write to documents that are encrypted; can't delete documents that are encrypted. Security advantage: devices with a 'Red' security health have their encryption keys revoked; the encryption key is restored when device health recovers.
38
SGN8.0 – Native Application/Process Trust
Application trust: in SGN 8.0 application trust is static and determined by a whitelist. Trusted applications: if the device and user are also trusted, the application can read and create encrypted documents. Untrusted applications: can't read the clear-text form of encrypted documents. Security advantage: prevents malware applications from stealing the clear-text form of documents.
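The three SafeGuard slides above (access to encrypted data, dynamic device trust, static application trust) together define one rule: the key is available only when device, user and process are all trusted, and the device leg flips with the Security Heartbeat health. The following is an added example of that rule, written for this page and not SafeGuard code: the trust sets, the health values, the document store and the keystream construction are all constructed assumptions (an HMAC-SHA256 counter keystream stands in for a real file cipher purely for illustration). Write and delete are gated on the same key check for untrusted applications, which the slides state only for untrusted devices; that generalisation is an assumption.

```python
"""Key access gated on device, user and process trust (constructed example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from enum import Enum
from pathlib import PurePath


class Health(Enum):
    GREEN = "green"
    YELLOW = "yellow"
    RED = "red"


@dataclass
class Device:
    name: str
    health: Health = Health.GREEN

    def heartbeat(self, health):
        """Security Heartbeat update: device trust follows the reported health."""
        self.health = health

    @property
    def key_available(self):
        # Red health revokes the key; recovery restores it (assumed: Yellow keeps it).
        return self.health != Health.RED


@dataclass
class Policy:
    trusted_users: set
    trusted_apps: set       # static application whitelist (constructed)
    encrypted_exts: set     # "IN" data: encrypted by default
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))

    def is_in_data(self, path, personal=False):
        return PurePath(path).suffix.lower() in self.encrypted_exts and not personal


def _keystream(key, nonce, length):
    # Illustrative HMAC-SHA256 counter keystream; a real product uses a proper file cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


class Store:
    def __init__(self, policy):
        self.policy, self.docs = policy, {}

    def _require_key(self, device, user, process, path):
        p = self.policy
        if not (device.key_available and user in p.trusted_users and process in p.trusted_apps):
            raise PermissionError(f"{process} on {device.name} as {user}: no key for {path}")

    def write(self, device, user, process, path, clear, personal=False):
        if not self.policy.is_in_data(path, personal):
            self.docs[path] = {"enc": False, "body": clear}   # OUT data stays in clear
            return
        self._require_key(device, user, process, path)
        nonce = secrets.token_bytes(16)
        body = _xor(clear, _keystream(self.policy.key, nonce, len(clear)))
        self.docs[path] = {"enc": True, "nonce": nonce, "body": body}

    def read(self, device, user, process, path):
        doc = self.docs[path]
        if not doc["enc"]:
            return doc["body"]
        self._require_key(device, user, process, path)
        return _xor(doc["body"], _keystream(self.policy.key, doc["nonce"], len(doc["body"])))

    def delete(self, device, user, process, path):
        if self.docs[path]["enc"]:
            self._require_key(device, user, process, path)
        del self.docs[path]


def attempt(fn, *args, **kwargs):
    try:
        fn(*args, **kwargs)
        return "ok"
    except PermissionError:
        return "denied"


def demo():
    policy = Policy({"alice"}, {"winword.exe", "excel.exe"}, {".docx", ".xlsx"})
    laptop, store = Device("LAPTOP-01"), Store(policy)
    store.write(laptop, "alice", "winword.exe", "plan.docx", b"Q3 plan")
    store.write(laptop, "alice", "winword.exe", "diary.docx", b"personal", personal=True)
    out = {"ciphertext_differs": store.docs["plan.docx"]["body"] != b"Q3 plan",
           "trusted_read": store.read(laptop, "alice", "winword.exe", "plan.docx"),
           "untrusted_app": attempt(store.read, laptop, "alice", "malware.exe", "plan.docx"),
           "untrusted_user": attempt(store.read, laptop, "mallory", "winword.exe", "plan.docx")}
    laptop.heartbeat(Health.RED)      # endpoint reports malicious activity: key revoked
    out["red_read"] = attempt(store.read, laptop, "alice", "winword.exe", "plan.docx")
    out["red_write"] = attempt(store.write, laptop, "alice", "winword.exe", "plan.docx", b"x")
    out["red_delete"] = attempt(store.delete, laptop, "alice", "winword.exe", "plan.docx")
    out["red_personal"] = store.read(laptop, "alice", "winword.exe", "diary.docx")
    laptop.heartbeat(Health.GREEN)    # cleaned up: key restored
    out["recovered_read"] = store.read(laptop, "alice", "winword.exe", "plan.docx")
    return out
```

Note that the personal (OUT) document stays readable while the device is Red: revoking the key changes nothing for data the user chose to keep unencrypted, which is exactly the split the "Access to Encrypted Data" slide draws.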
39
A Proven Market Leader
Endpoint Security Wave: "Leader". Endpoint Encryption Wave: "Leader". Enterprise Mobility Mgmt.: "Emerging". Endpoint Encryption: "Champion". Next Gen. Firewall: "Champion". Endpoint Protection: "Champion". Secure Gateway: "Pillar".
Categories: UTM (Unified Threat Management), EPP (Endpoint Protection), MDP (Mobile Data Protection), EMM (Enterprise Mobility Management), SEG (Secure Email Gateway), SWG (Secure Web Gateway), ENF (Enterprise Network Firewall).