More Related Content

Slideshows for you(20)

Similar to Security O365 Using AI-based Advanced Threat Protection(20)


Security O365 Using AI-based Advanced Threat Protection

  1. STORYBOAR Total Data Protection Outside the Firewall total data protection CONFIDENTIAL
  2. Agenda 1. Cloud and mobile require new security strategy 2. Overview of CASB architecture 3. How malware infects O365? 4. Attack stages of Advanced Persistent Threat? 5. AI-based approach to Advanced Threat protection 6. O365 Advanced Threat Protection 7. Use cases protected by CASBs 8. Q & A
  3. The Perfect Storm exponential growth in malware samples and cloud app adoption source:
  4. cloud & mobile drive data outside the firewall... ...leaving traditional security technologies ineffective Problem
  5. CASB Security a data-centric approach the new data reality requires a new security architecture ■ cross-device, cross-platform data protection ■ granular controls for protecting data at rest and in motion ■ contextual access control ■ detailed logging for compliance and audit
  6. How Malware Infects O365 6
  7. Attack stages of Advanced Persistent Threat CASBs offer holistic protection Delivery • URL filtering: Block malicious sites and links Exploitation • Identify and block exploits Installation • Block known and zero-day malware • Block unwanted file types (e.g: executables) Command& Control • Block malware domains • Deny access to compromised Users and devices Actions on Objectives • Prevent malware spread • Prevent data exfiltration by enforcing DLP and access control policies CASB persistent threat detection and prevention capabilities
  8. Poll: How are you protecting your O365 instances from malware attacks? 1. Deployed 3rd party AV 2. O365 advanced threat protection 3. CASB/proxy-based solutions 4. No malware protection 5. Did not deploy O365
  9. O365 Advanced Threat Protection (ATP) reactive, slow, limited Sandbox-based detection adds significant latency E5 is required for ATP. 75% more expensive than E3. Requires a minimum deployment of 500 seats Protected by AV engines built on legacy detection technologies, such as signature and heuristics, that are reactive
  10. MALWARE’S VICIOUS INFINITE LOOP  Malware mutations are the norm  Malware authors use polymorphism, obfuscation and automation to create 390,000 new malicious programs per day  AV engines can’t keep up  Using signatures, whitelists, rules/heuristics or execution to detect malicious behavior doesn’t scale  Detection misses lead to…  Incident response  Increased hunting  More cleanup & re-imaging  More risk
  11. HUMANS ARE A FINITE RESOURCE It’s a question of scale, speed, breadth, and correlation. Which approach meets the modern challenge? • Linear ability to combat attacks • Human correlated feature sets • Algorithmic ability to combat attacks • Machine correlated feature sets make connections that humans can’t see
  12. Leverage the power of machines,not humans, to dissect malware’s DNA. Artificial intelligence then determines if the code is safe to run. Never have an unknown file threat because the AI prediction doesn’t change. AI IS NOTAI-BASED APPROACH IS Rely on AI and ML Analyze Malware at the DNA-level Advanced Threat Prevention Minimal Updates PredictiveAutonomous Decision Rely on Human Classifications Require Constant Updates Behavioral Analysis Require On-Premise Infrastructure Wait for Threats to Execute Signatures Micro- Virtualization Heuristics Sandboxing
  13. WHAT’S SO SPECIAL ABOUT PREDICTING ATTACKS? Predictive analysis provides highly effective detection and prevention of never before seen threats GLASSRAT • Undetected for Years • Human Discovered Nov 23, 2015 Cylance – Blocked as of April 2014: 18 months prior to human discovery ZCRYPTOR • Spear-Phishing • Human Discovered April 2016 Cylance – Blocked as of Oct 2015: 6 months prior to human discovery SAURON/STRIDER/ REMSEC • Espionage Backdoor dating back to 2011. Human Discovered August 2016 Cylance – Blocked as of Jan 2015: 18 months prior to human discovery GOLDENEYE RANSOMWARE • Weaponized Excel and PDF Files Cylance – Blocked as of Oct 2015: 14 months prior to human discovery GOLDENEYE RANSOMWARE • Weaponized Excel and PDF Files Cylance – Blocked as of Oct 2015: 14 months prior to human discovery WANNACRY/ WANNACRYPT • New ransomware variant exploiting MS vulnerability Cylance – Blocked as of Jan 2015: 17 months prior to discovery
  14. Business Areas Endpoint Security Consulting Services OEM / Technology Partnerships Unprecedented Market Acceptance 1,089% Year-Over-Year Growth 1,000+ Clients 4 Million+ Endpoints BUSINESS SNAPSHOT V E R T I C A L M A R K E T A G N O S T I C “ ” Cylance is easily the fastest-growing EPP startup in the last ten years…
  15. Use Cases 15
  16. Use Case 1: real-time malware protection ■ block malware before it reaches cloud app ■ leverage proxies to control access to any app from any device ■ quick detection with low-latency ■ whitelisting mechanism for false-positives
  17. Use Case 2: protect managed devices ■ block malware before it reaches end-point ■ prevent sync clients from downloading malicious content ■ Layered anti-malware strategy
  18. Use Case 3: protect unmanaged devices ■ protect unmanaged with no or poor EPP solutions ■ enable access to enterprise apps on BYOD ■ block malware on unmanaged devices spreading to cloud apps
  19. Use Case 4: prevent spread of malware via interconnected cloud apps ■ It is common to connect cloud apps to other apps (i.e: O365 and Box) ■ Interconnected cloud services provide new paths for malicious files to make their way into cloud services and devices ■ Delete or quarantine files that are deemed malicious
  20. Poll: What is your primary O365 use case that needs malware protection? 1. Protect unmanaged devices (PC/Mac) 2. Protect managed / corporate- owned devices 3. Protect mobile devices (iOS/Android) 4. Prevent spread of malware via interconnected cloud services
  21. STORYBOAR omni citadel harbor data protection on any device high-performance advanced DLP patented cloud encryption only bitglass agentless, cloud-based solution deploys in minutes threat known- and unknown- malware protection
  22. STORYBOAR total data protection

Editor's Notes

  1. Personal cloud apps are outside of the scope of IT monitoring via CASB due to privacy concerns, inability to monitor on BYOD, and the intractable nature of trying to chase tens of thousands of applications for a very small risk of corporate data leakage. These apps do, however, pose a threat risk via things like malware infecting managed devices. Enterprises should leverage existing tools - endpoint protection suites and perimeter controls (SWG, NGFW) to counter the threat risk posed by personal cloud apps.
  2. AV products use signatures, heuristics and hand crafted rules that do not scale well Using polymorphism and obfuscation, malware authors can circumvent signature and rules based detection techniques Signature-based tech does not address today’s problem of unique malware variants Customers are forced to detect then respond Resources are spread thin Risk to information disclosure is huge AV Engines Can’t Keep Up Signatures Don’t Scale Mutations are the Rule not the Exception Humans are Required Network Encryption Makes You Blind Cybercrime is easy Lacks extradition and attribution Anonymous currencies
  3. Using an AI-based approach means it doesn’t have to know something is bad to prevent it. The technology does not look for a signature or behavior match. We analyze ALL portable executables at the “DNA” level to extract 1000’s of features and combinations of features. The AI produces a confidence score. We map and classify these many features with our AI-powered math engine that sits on the device itself—no need to send the file anywhere. Works online or offline. We predict what’s bad and overly powerful. These are threats that can subvert the endpoint or be used against you in lateral movement. Neither signatures nor behaviors are used. We are able to identify the previously unseen (targeted) malware. Updates are minimal. Though we have monthly updates, many customers elect to only update every few months.
  4. Speaker Notes: Some examples: GLASSRAT: November 23, RSA discovered the presence of GlassRAT – it had been around for a LONG time before a human discovered it – Someone noticed some odd call backs and after many human hours/days they discovered what would become known as GlassRAT. Cylance is interesting because we took all of those hashes that were in the RSA report – some were as old as 2012. We took all those hashes and ran it against one of our oldest algorithms – from April 2014 – in this way Cylance is able to look back in time and say would we have been able to predict the presence of this threat or at least detect it – before humans could have. The answer is yes! In fact, by nearly 18months! This threat has been around longer than Cylance has been a company and that’s too bad for all of us. We were still 18 months ahead of the spear in this case and be able to block/prevent. ZCRYPTOR: Another example, Zcryptor – came out about mid this year. Ransomware is every where and this is a particularly bad one. Zcryptor was really bad because it would just blow through Microsoft’s EMET for the first time – EMET was supposed to be a saving grace. We ran these files against our October 2015 model – a full six months ahead of the rest of the human race’s discovery of Zcryptor. This was far enough ahead, before the code was even compiled, that Cylance may have even been ahead of the entire threat campaign itself in this case. This is what I call “dead on compile.” Cylance was able to detect and prevent Zcryptor before it was even compiled. 6 months might not sound like a lot, but in today’s malware it’s nearly a life time – especially when you consider the fact that the ”life time” of a specific malware file hash is only about 58 seconds - according to a report from Verizon’s Data Breach Investigation Report. SAURON/ STRIDER/ REMSEC: Last example because it’s a very powerful example – most advanced and evasive APTs that the human race has found in the last few years. Both reports break on the same day – 1 Symantec and and 1 from Kaspersky. Again, we took the files that came out in these reports and ran them against a Cylance model from January of 2015 – sure enough – we stopped every single one of them from the Symantec report. We were able to predict a full 18 months ahead of the rest of human race being able to discover the presence of this malware. Think about all the work that human researchers have to do when researching a new APT or threat actor campaign like this. It’s a TREMENDOUS amount of work – there’s all sorts of problems with the human approach to this IOC’a: PETYA: - A new variant of the notorious ransomware Petya is back, and with yet another James Bond reference for a name: Goldeneye. In this past week, the new ransomware variant has been almost exclusively attacking hosts in Germany. Numerous organizations have already been hit. - Presumably from the same author of Petya, first seen in December 2015, and the Petya-Mischa combo, which hit users back in July 2016, Goldeneye overwrites the master boot record (MBR) in order to block access to both the user’s files and operating system. - Goldeneye infects hosts primarily via malicious email attachments containing macros. Once the ransomware executes, the user’s machine will crash, restart, and show a skull-and-crossbones animation before displaying a ransom note asking for a payment in bitcoin of $1,000. - As with most malicious Microsoft Office documents, before the embedded macro can execute, user intervention is required. All MS Office documents since MS Office 2007 that contain macros present a security warning to the user as default, so the malware author provides some instructional text in an attempt to fool the user into clicking the “Enable Content” button. - Cylance’s Research team tested over 300 samples of the Goldeneye ransomware against our endpoint protection product, CylancePROTECT. Our artificial intelligence powered mathematical model was able to prevent the execution of Goldeneye right out of the gate, stopping it dead. - Watch CylancePROTECT® do battle with live Goldeneye ransomware and block it, pre-execution. - To make things more challenging, the Research team did not use a recent version of CylancePROTECT in our demo. We demonstrate the predictive nature of Cylance by using a version of CylancePROTECT created one full year before Goldeneye was released – built in October 2015. Even though the version of CylancePROTECT we used is a year old, it completely prevents Goldeneye from executing and protects the system from ransomware. - With most legacy AV solutions, it may take days to weeks to provide updated signature protection. In the meantime, many users will become victims of the Goldeneye ransomware. - Ask yourself this: would you trust your existing security solution to keep you fully protected after not updating it for a year? What about a week?
  5. Cylance, based in Irvine, CA, is fastest growing private cyber security company in the 2015 Inc. 5000 (#26 overall with >7000% growth over 3 years) The company has achieved $177M in funding (with $100M from series D). Investors include: Fairhaven Capital, Khosla ventures, BlackStone, DFJ, KKR, CapitalOne, Dell, In-Q-Tel, and BlackStone Tactical 1200+ customers; 2,500,000+ endpoints Cylance was selected as a Gartner Visionary: “Cylance is easily the fastest-growing EPP startup in the last ten years…” Cylance provides network OEMs with a unique machine learning based malware detection engine Competitors: Symantec/Blue Coat, McAfee, TrendMicro, SentinelOne, Crowdstrike Endpoint Prevention Platform (EPP) is Gartner’s term for AV and related security products Endpoint Detection and Response (EDR) is a related market. Unlike EPP, EDR is reactive. Gartner sees these two markets merging.
  6. At the core of our solution are three key technologies Omni - multimode proxies that enable data protection on any device, agentlessly. AJAX-VM means we’re futureproof. Can rapidly be adapted to support new apps. Citadel - native advanced, adaptive DLP for cloud and mobile. Results in faster inline inspection + remediation vs using external DLP Harbor - encryption / tokenization of data at rest within cloud applications. With patented preservation of frontend / backend application functionality and full strength encryption These technologies are packaged in an agentless, cloud-based solution that deploys rapidly and is used to protect mission critical applications in more enterprises than any other CASB.