Anatomy of an Attack - Sophos Day Belux 2014
•Download as PPTX, PDF•
2 likes•2,325 views
Anatomy of an Attack - Next Generation Endpoint, presentation given by Vincent Vanbiervliet at Sophos Day Belux on November 25th, 2014.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to Anatomy of an Attack - Sophos Day Belux 2014
Similar to Anatomy of an Attack - Sophos Day Belux 2014 (20)
More from Sophos Benelux
More from Sophos Benelux (15)
Recently uploaded
Recently uploaded (20)
Anatomy of an Attack - Sophos Day Belux 2014
- 1. 1 Next Generation Endpoint Sophos Security Day – 25/11/2014 Vincent Vanbiervliet Senior Sales Engineer
- 2. 2
- 3. 3 The perception of endpoint security “Antivirus software is now so ineffective “Conventional “The current antivirus anti-virus software method is of an at detecting new malware threats most outmoded way of protecting computers enterprises are probably wasting their detecting and blocking known samples is no longer effective.” against malware.” money buying it.”
- 4. 4 Some vendors overcompensate • Sophisticated functionality • Endless add-ons • Requires major time investment • Not simple
- 5. 5 Our products are sophisticated and simple Malicious Attack Perimeter Malware Spam Web behavior surface protection detection blocking defense prevention reduction
- 6. 6 SophosLabs makes it possible Threat intelligence
- 7. 7 Big data 2–3 TB of threat data per week 5 million spam emails per day 600 million live lookups per day 150,000 suspicious URLs per day 300,000 new files per day
- 8. 8 Automation Malware analysis Decision making Analytics New identity every 4–5 seconds Live Protection
- 9. 9 Leveraged expertise Web security — bad URLs Web security — exploit code Signatures Unpacking Static code analysis Emulation Live Protection HIPS Buffer Overflow Protection Exploit patterns 19 identities account for Multi-factor identities 50% of detections Behavior-based rules
- 10. 10 • Zero day malware protection • Tuned by SophosLabs • Over 80% adoption • No one else makes it this simple HIPS for everyone This doesn’t look right!
- 11. 11 Effortless application control Them: Complex, manual rule sets Us: Simple point and click
- 12. 12 What simple, effective security means IT Department Support Threat Intelligence & Response Software development Infrastructure • Less time managing protection • Fewer security incidents • More time to focus on business priorities
- 13. 13 Building next gen endpoint security Web security — bad URLs Web security — exploit code Signatures Unpacking Static code analysis Emulation Live Protection HIPS Buffer Overflow Protection Download reputation File tracking New emulator C&C traffic detection
- 14. 14 Advanced Persistent Threat: Protection Advanced Threat Protection: Detects Botnets, stops outbound traffic, selective analysis Firewall Antivirus IPS Web Email WAF Social media Events Other websites ….. Phishing Spoof calls USB sticks ….. Lay low Do nothing ‘low & slow’ …. Collate data Encrypt Extract …. 1 Gather information 2 Find a way in 3 Avoid being discovered 4 data Get out with the data Layered protection is the best defense against targeted attacks
- 15. 15 Advanced Threat Protection in Sophos UTM
- 16. 16 Advanced Threat Protection in Sophos UTM Alerts to infected clients Provides: • Consolidated reporting • Threat information • Link to SophosLabs Threat Center
- 17. 17 Context-Aware Security A coordinated threat sensing system The traditional way: One point in time and space The new way: Many points in time and space How? • We watch all points • We correlate intelligence • We coordinate protection • We strengthen every point • We build a stronger system Laptop Network Server App Mobile Cloud Another Suspicious outbound traffic Suspicious runtime behavior Indicators of Compromise: alert & respond Application reputation Application categorization and tracking Mal/sus attributes pre-execution IPS/IDS events System events
- 18. 18 What if robots could work together? Looks like your PC is infected. Let’s isolate it from the network. Oops, you’re right. I’ll clean it up. Tell the others to watch out for badfile.exe.
- 19. 19 • Simple, effective protection • SophosLabs does the work, so customers don’t have to • Ongoing innovation – here comes next gen endpoint security Summary
- 20. 20 © Sophos Ltd. All rights reserved.
Editor's Notes
- McAfee is the Lego Mindstorms of security software: it can do anything (though not necessarily well), if you put enough blood, sweat and tears into it.
- Examples/stats: Troj/JsRedir-NN: detects malicious JavaScript redirects, like those found in BlackHole exploit kit – detected on over 45,000 different web pages accessed from over 20,000 different customer computers in less than two months CXweb/FkFlsh-B: pattern to detect download of fake Flash Player – detected nearly 40,000 unique files (variants) across over 17,000 customer PCs over the same period
- What makes it next gen? Integration of features typically found on next-gen firewalls into endpoint Emphasis on detecting zero days and APTs Ability to correlate information across layers (and products — see next slide) to increase detection rates
- Advanced Threats have a few common characteristics: they gather information to find a point of entry into the target organization, then often lay low to avoid being discovered until they discover the assets their looking for. This may mean they have to move throughout the network. Once they’ve localized the data they find a way to get out with it – often in small bite sized pieces and often encrypted to remain undiscovered. Until now, we offered a number of layers of protection which would catch many of those attacks in their early stages – the techniques being used are not necessarily so advanced – and now with 9.2 we’re adding an additional layer of defense which brings together various technologies to detect infected clients within the network and allow them to be isolated before doing further damage. This includes Advanced Threat Protection – combines ATP, IPS and Web detection reporting to give an instant view of infected clients with automatic admin alerts Network Protection Command-and-Control Detection blocks communication with known C+C/Botnet servers stopping the infected client from calling home for further instructions or updates to the malware. Cloud-based Selective Sandbox. Uses Sophos Live Protection to analyze suspicious content. If detected as malicious, protection is updated. Web Protection Web malware protection. Protects against the number one source of threats with new JavaScript emulation and live anti-virus lookups to the cloud, stops threats before they reach the browser and infect your systems.
- Project Galileo