Presentation is loading. Please wait.

Presentation is loading. Please wait.

Intercept X Early Access Program July 2017

Published bySamson Doyle Modified over 7 years ago

Similar presentations

Presentation on theme: "Intercept X Early Access Program July 2017"— Presentation transcript:

1 Intercept X Early Access Program July 2017
Karl Ackerman Principal Product Manager – Endpoint Security Group July 2017

2 Joining the Early Access Program
Open to ALL Sophos Central Customers including Trial Accounts Supports Windows 7 Devices and above

3 Community Forum Join the Sophos Community
Post questions to Sophos product experts Access additional demonstration videos Articles explaining features in depth Testing tools

4 Early Access Program Feature Summary
Phase I - Active Adversary Phase II – Deep Learning Credential Theft Protection Process Protection New Registry Protections Improved Process Lockdown Deep Learning Model False Positive Mitigations Directed Clean-Up

5 Credential Theft Protection
Phase I - Active Adversary Credential Theft Protection Adversary is attempting to steal passwords Impersonate the end user Move laterally through the network Establish persistence Exfiltration of data available to the compromised account Multiple hacking/penetration tools available Mimikatz, Hashdump Adversary can steal password hashes and crack them on-line Adversary can extract clear text PWs from memory Target the technique not the tool Protect LSASS runtime memory Protect SAM DB Registry Protect Disk sectors with hash information

6 Phase I - Active Adversary
Code Cave Utilization Adversary hides malware in a legitimate application Tricks user to think they have good software Can be used to replace business applications with tampered versions Malware can hide in “plain sight” and can even get whitelisted by traditional security Common practice in penetration and hacking Multiple tools available to inject into target applications; Shelter, back door factory, etc Target the technique not the tools Detect unauthorized code cave content

7 Process Protection – Malicious Process Migration
Phase I - Active Adversary Process Protection – Malicious Process Migration Adversary “stays on the move” and avoids detection Process migration allows the adversary to move from one compromised process to another Maintains connection even when user terminates the browser session Common practice in penetration and hacking Basic capability in Metasploit and other pen test tools Typically leverages DLL injection exploits Target the technique not the tools Detect unauthorized process migration

8 Process Protection – Process Privilege Escalation
Phase I - Active Adversary Process Protection – Process Privilege Escalation Adversary hijacks machine to gain privilege escalation and elevated access to resources Escalation of a process privilege or changing process owner Gain access to restricted files/folder or devices Multiple Kernel vulnerabilities Allow process ticket theft and reuse Easily run from scripts in penetration test tools Often just a step in a process to reach a more sophisticated objective Target the technique not the tools Detect kernel token theft and reuse

9 Process Protection – APC Violation
Phase I - Active Adversary Process Protection – APC Violation *NEW* Exploit Techniques Leverages malicious Asynchronous Procedure Calls Develop a worm to propagate between unprotected machines Exploit vulnerability to run arbitrary code Multiple hacking/penetration tools available Fully weaponized by criminal syndicates Available in multiple exploit kits WanaCry and Petya ransom attacks Target the technique not the tools Detect malicious APC usage

10 Process Protection – Registry Protection
Phase I - Active Adversary Process Protection – Registry Protection Modification of Registry to run arbitrary code Uses legitimate registry options to launch code Application Verifier registry option Sticky key attack (Old school) Often used to establish persistence Well documented and easy to use Simple registry modifications are easily deployed on compromised machines Tools to make it even easier are online Target the technique not the tools Prevent arbitrary code launch via common registry modification techniques

11 Process Protection – Process Lockdown
Phase I - Active Adversary Process Protection – Process Lockdown Adversary uses legitimate capabilities for malicious intent NO MALWARE needed in the attack “Live off the land” attacks leverage existing system features Commonly used on locked down systems Extremely common (i.e., Enable Macros, etc) Trick user to allow risky behavior Target the known malicious behaviors Extending an existing feature in intercept X Prevent malicious launch of powershell from browser Enforce browser lockdown feature to HTML applications run through the browser

12 Invincea – Machine Learning Experts
Phase II – Deep Learning Invincea – Machine Learning Experts Created by the data scientists at Invincea with DARPA driven technology Patented Deep Learning neural networks trained on 50+ million samples (and counting) which can also automatically learn to extract the features that provide optimal detection Stops unknown malware without signatures Some of the highest performance scores ever seen in third party testing with lowest FP’s in class Detects and stops threats within 20 milliseconds Deep Learning Detection Engine Poll audience understanding of ML – if weak talk to section 1, if not jump to 2 1: Machine learning is the science of getting computers to act without being explicitly programmed. Artificial Intelligence that leverages pattern recognition, machines can learn from inputs and make predictions on data as opposed to static algorithms. Resulting in the ability to make real-time data driven predictions or decisions through building a model from comprehensive real-time input. How does this apply to Security? Higher detection & prevention Faster performance 2: Machine Learning, Neural Networks and AI; is it really just the math? No – it’s about teaching the right ML systems with the right data (features)... …and creating systems that can go beyond features themselves Patented Deep Learning neural networks trained on 50+ million samples (and counting) Which can also automatically learn to extract the features that provide optimal detection Created by the data scientists at Invincea with DARPA driven technology Detects and stops threats within 20 milliseconds Low footprint and infrequent model updates (once every ~50 days) With the right SNR By adding Invincea’s world-class pre-execution machine learning, with Sophos’ post-execution exploit protection, Ransomware behavior detection and analytics features we will have the most complete endpoint offering

13

14 Early Access Program Feature Summary
Phase I - Active Adversary Phase II – Deep Learning Credential Theft Protection Process Protection Code cave utilization Malicious process migration Process privilege escalation APC protection (Atom bombing) New Registry Protections Sticky key protection Application verifier protection Improved Process Lockdown Browser behaviour lockdown HTA application lockdown Deep Learning Model Detect malicious and potentially unwanted executables False Positive Mitigations Whitelisting Directed Clean-Up Quarantine and restore capability

15 Intercept X EAP – Phase One: Active Adversary
Credential Theft Protection Active Adversary protections Code Cave prevention Malicious Process Migration Process privilege escalation APC Filter (prevent Atom Bombing exploit variants) Improved Application Lockdown Powershell abuse from browsers HTA apps Prevent dumping of credentials from memory Protect the credential database on Disk and Registry Additional Registry Protections Sticky Key Mitigation Application Verifier Protection (Double Agent)

Download ppt "Intercept X Early Access Program July 2017"

Similar presentations

XProtect ® Express Integration made easy. With support for up to 48 cameras, XProtect Express is easy and affordable IP video surveillance software with.

XProtect ® Express Integration made easy. With support for up to 48 cameras, XProtect Express is easy and affordable IP video surveillance software with.
Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.

Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.
ROOTKIT VIRUS by Himanshu Mishra Points to be covered Introduction History Uses Classification Installation and Cloaking Detection Removal.

ROOTKIT VIRUS by Himanshu Mishra Points to be covered Introduction History Uses Classification Installation and Cloaking Detection Removal.
eScan Total Security Suite with Cloud Security

eScan Total Security Suite with Cloud Security
Market Trends Enterprise Web Applications Cloud Computing SaaS Applications BYOD Data Compliance Regulations 30 Second Elevator Pitch Web browsers have.

Market Trends Enterprise Web Applications Cloud Computing SaaS Applications BYOD Data Compliance Regulations 30 Second Elevator Pitch Web browsers have.
MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.

MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
Lecture 14 Overview. Program Flaws Taxonomy of flaws: – how (genesis) – when (time) – where (location) the flaw was introduced into the system 2 CS 450/650.

Lecture 14 Overview. Program Flaws Taxonomy of flaws: – how (genesis) – when (time) – where (location) the flaw was introduced into the system 2 CS 450/650.
Computer Security and Penetration Testing Chapter 16 Windows Vulnerabilities.

Computer Security and Penetration Testing Chapter 16 Windows Vulnerabilities.
Virus Detection Mechanisms Final Year Project by Chaitanya kumar CH K.S. Karthik.

Virus Detection Mechanisms Final Year Project by Chaitanya kumar CH K.S. Karthik.
Determina DARPA PI meeting 1-9-2007. Page 2Confidential © Determina, Inc. Agenda LiveShield –Product and Technology –Current Status Applications to Application.

Determina DARPA PI meeting Page 2Confidential © Determina, Inc. Agenda LiveShield –Product and Technology –Current Status Applications to Application.
Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.

Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.
ITS – Identity Services ONEForest Security Jake DeSantis Keith Brautigam

ITS – Identity Services ONEForest Security Jake DeSantis Keith Brautigam
Copyright © 2015 Cyberlight Global Associates Cyberlight GEORGIAN CYBER SECURITY & ICT INNOVATION EVENT 2015 Tbilisi, Georgia19-20 November 2015 Hardware.

Copyright © 2015 Cyberlight Global Associates Cyberlight GEORGIAN CYBER SECURITY & ICT INNOVATION EVENT 2015 Tbilisi, Georgia19-20 November 2015 Hardware.
Computer Security By Duncan Hall.

Computer Security By Duncan Hall.
14.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts with Java – 8 th Edition Protection.

14.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts with Java – 8 th Edition Protection.
Page 1 Viruses. Page 2 What Is a Virus A virus is basically a computer program that has been written to perform a specific set of tasks. Unfortunately,

Page 1 Viruses. Page 2 What Is a Virus A virus is basically a computer program that has been written to perform a specific set of tasks. Unfortunately,
©2016 Check Point Software Technologies Ltd. 1 Latest threats…. Rolando Panez | Security Engineer RANSOMWARE.

©2016 Check Point Software Technologies Ltd. 1 Latest threats…. Rolando Panez | Security Engineer RANSOMWARE.
Kaspersky Small Office Security INTRODUCING New for 2014!

Kaspersky Small Office Security INTRODUCING New for 2014!
©2015 Check Point Software Technologies Ltd. 1 [Restricted] ONLY for designated groups and individuals CHECK POINT MOBILE THREAT PREVENTION.

©2015 Check Point Software Technologies Ltd. 1 [Restricted] ONLY for designated groups and individuals CHECK POINT MOBILE THREAT PREVENTION.

Similar presentations

Ads by Google