Slide 1: Next-Generation Enduser Protection
Giovanni Giovannelli, Sales Engineer
giovanni.giovannelli@sophos.com
Slide 2: What's the difference between Next-Gen Enduser Protection and Galileo?
Next-Gen Enduser Protection: integration of innovative endpoint, mobile and encryption technologies to deliver better, simpler-to-manage security for enduser devices and data.
Galileo: connecting our next-gen network, server and enduser products to each other and to Sophos Cloud so the entire organization is better protected, simply.
Slide 3: The pitch
Slide 4: Increasing attacks, increasing sophistication
Attack surface exponentially larger: laptops/desktops, phones/tablets, virtual servers/desktops.
Threats more sophisticated: attacks are more coordinated than defenses.
Slide 5: Today's security approach is falling behind
INCOMPLETE: always one more thing to deploy and manage.
COMPLICATED: too hard to configure, too much to monitor.
INEFFECTIVE: not keeping up with advanced threats.
Slide 6: Result: compromises are growing
63,497 security incidents in 2013; 1,367 confirmed data breaches.
Affected segments: banking, credit, financial; hospitality; government, military; utilities; retail and other business.
Source: Verizon Data Breach Investigations Report 2014
Slide 7: What we believe
Security must be comprehensive: the capabilities required to fully satisfy customer needs.
Security can be made simple: platform, deployment, licensing, user experience.
Security is more effective as a system: new possibilities through technology cooperation.
Slide 8: Project Galileo (Sophos Confidential)
Next-Gen Network Security, Next-Gen Server Protection and Next-Gen Enduser Protection: technology integration that enables complete, simple-to-manage security that works effectively as a system.
Slide 9: The Endpoint Has Changed
[Diagram: endpoints shown relative to the corporate perimeter, VPN access, and cloud services]
Slide 10: Endpoint Security Needs to Change
"Prevention is ideal, but detection is a must."
[Diagram: the earlier scope (Prevent Malware, Data) widened to Prevent Malware, Detect Compromises, Remediate Threats, Encrypt Data]
Slide 11: Next-Generation Enduser Protection
[Diagram: Policy & Management spanning Endpoint, Mobile and Encryption, backed by Sophos Cloud and SophosLabs threat intelligence (big data, automation, leveraged expertise), with Compromise Detection & Response]
Slide 12: Innovative Endpoint Security is Key to NGEUP
It used to be that files got infected. Now systems get infected.
[Diagram: Sophos System Protector components: Threat Engine, Application Control, Reputation, Emulator, HIPS/Runtime Protection, Malicious Traffic Detection, Web Protection, Live Protection, App Tracking, Device Control]
Slide 13: Why Malicious Traffic Detection?
[Diagram: command and control traffic leaving a compromised system]
Without MTD: no visibility into compromised systems communicating with attackers.
MTD-like features on the firewall: detection of a compromised system on the network; no remediation or information about the infection.
MTD in the endpoint: detection on or off network, detailed information about the compromised system, potential remediation.
Slide 14: How Malicious Traffic Detection Works
[Diagram: SophosLabs feeds (URL database, malware identities, HIPS rules, genotypes, file look-up, reputation, apps, spam, data control, peripheral types, anonymising proxies, patches/vulnerabilities, whitelist) supply MTD rules to the endpoint; when malicious traffic is detected, the app is terminated, the admin is alerted, and the compromise is recorded as user | system | file]
Slide 15: Example: Stopping a new variant of Cryptowall
[Diagram: the Sophos System Protector components from slide 12]
1. User runs something they shouldn't. It adds a new application to the startup folder.
2. The application runs and injects itself into explorer.exe.
3. explorer.exe tries to fetch an encryption key from C&C.
4. Threat removed, admin alerted.
5. Malware and threat indicators shared with SophosLabs.
Slide 16: Galileo: Network + Endpoint = ATP
[Diagram: the endpoint (Sophos System Protector, device and file encryption, device control, threat event collector, indicator-of-compromise tracking) exchanges a Galileo heartbeat with the firewall (email threat event receiver, web filtering, intrusion prevention system, app control, ATP detection, selective sandbox, threat engine, routing compromise detector, proxy, data loss protection, threat event collector); both are fed by SophosLabs, whose rule feeds now include MTD rules]
A compromise (user | system | file) triggers:
• Isolate Subnet and WAN Access
• Lockdown Local Network Access
• Block Suspected Source
• Remove File Encryption Keys
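The Cryptowall chain on slide 15 and the heartbeat response on slide 16, worked as an added example that is not part of the deck and not Sophos code: a toy MTD detector walks constructed endpoint events, matches the C&C call-out against a placeholder rule set, traces the injected explorer.exe back to the startup item and the process that dropped it, and emits the compromise record (user | system | file) with the response actions. The event schema, host name, file paths and domains are all assumptions made for this example.

```python
"""Toy model of endpoint Malicious Traffic Detection (MTD) over a constructed
event stream reproducing the slide 15 chain: a dropper writes a startup item,
the startup item injects into explorer.exe, and explorer.exe calls out to C&C.
Event schema, hostname, paths and C&C domains are constructed; not Sophos code."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed MTD rule set: known C&C destinations (placeholder .invalid domains).
MTD_C2_DOMAINS = {"key-server.example.invalid", "c2.example.invalid"}

# Response actions listed on the Galileo heartbeat slide (slide 16).
RESPONSE_ACTIONS = [
    "Isolate Subnet and WAN Access",
    "Lockdown Local Network Access",
    "Block Suspected Source",
    "Remove File Encryption Keys",
]

STARTUP_DIR = "\\start menu\\programs\\startup\\"  # matched case-insensitively


@dataclass
class Proc:
    pid: int
    image: str
    user: str
    parent: int
    injected_by: Optional[int] = None


@dataclass
class MTDDetector:
    host: str
    procs: dict = field(default_factory=dict)       # pid -> Proc
    dropped_by: dict = field(default_factory=dict)  # startup item path -> writer pid
    alerts: list = field(default_factory=list)

    def feed(self, ev: dict) -> None:
        kind = ev["type"]
        if kind == "process_start":
            self.procs[ev["pid"]] = Proc(ev["pid"], ev["image"], ev["user"], ev["parent"])
        elif kind == "file_write" and STARTUP_DIR in ev["path"].lower():
            self.dropped_by[ev["path"].lower()] = ev["pid"]      # step 1: persistence
        elif kind == "process_inject":
            self.procs[ev["target"]].injected_by = ev["pid"]     # step 2: injection
        elif kind == "network_connect" and ev["dest"] in MTD_C2_DOMAINS:
            self.alerts.append(self._compromise(ev))             # step 3: C&C call-out

    def _chain(self, pid: int) -> list:
        """Walk from the connecting process back to the culprit: through any
        injection, then to whichever process dropped the startup item."""
        chain, proc = [pid], self.procs[pid]
        while proc.injected_by is not None:
            chain.append(proc.injected_by)
            proc = self.procs[proc.injected_by]
        dropper = self.dropped_by.get(proc.image.lower())
        if dropper is not None:
            chain.append(dropper)
        return chain

    def _compromise(self, ev: dict) -> dict:
        chain = self._chain(ev["pid"])
        # An injected host such as explorer.exe is a victim, not the threat: terminate
        # the injector(s) and the dropper. Without injection, the connecting process is it.
        culprits = chain[1:] or chain[:1]
        return {                                   # steps 4 and 5
            "user": self.procs[culprits[0]].user,
            "system": self.host,
            "file": self.procs[culprits[0]].image,
            "c2": ev["dest"],
            "chain": [self.procs[p].image for p in chain],
            "terminated": [self.procs[p].image for p in culprits],
            "actions": ["App terminated", "Admin alerted"] + RESPONSE_ACTIONS,
            "indicators": sorted({ev["dest"], *(self.procs[p].image for p in culprits)}),
        }


def run(events: list, host: str = "LAPTOP-01") -> list:
    """Feed the event stream in order and return the compromise records."""
    det = MTDDetector(host)
    for ev in events:
        det.feed(ev)
    return det.alerts


STARTUP_ITEM = ("C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows"
                "\\Start Menu\\Programs\\Startup\\svchost32.exe")

# Constructed telemetry for the slide 15 chain, plus one benign explorer.exe connection.
EVENTS = [
    {"type": "process_start", "pid": 900, "image": "C:\\Windows\\explorer.exe", "user": "alice", "parent": 1},
    {"type": "process_start", "pid": 1001, "image": "C:\\Users\\alice\\Downloads\\invoice.scr", "user": "alice", "parent": 900},
    {"type": "file_write", "pid": 1001, "path": STARTUP_ITEM},
    {"type": "process_start", "pid": 1002, "image": STARTUP_ITEM, "user": "alice", "parent": 900},
    {"type": "process_inject", "pid": 1002, "target": 900},
    {"type": "network_connect", "pid": 900, "dest": "www.example.com", "port": 443},
    {"type": "network_connect", "pid": 900, "dest": "key-server.example.invalid", "port": 443},
]

if __name__ == "__main__":
    for alert in run(EVENTS):
        print(alert)
```

The benign connection produces nothing; the C&C connection yields one record naming the startup item as the file, both malicious processes as terminated, and explorer.exe only as the injected host in the chain.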
Slide 17: Galileo: Endpoint Heart Attack
[Diagram: the same endpoint and firewall components as slide 16, with the Galileo heartbeat marked with an X]
A compromise (user | system | file) triggers:
• Lockdown Local Network Access
• Remove File Encryption Keys
Slide 18: © Sophos Ltd. All rights reserved.

Connector Corner: Automate dynamic content and events by pushing a button
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 

Sophos Next-Generation Enduser Protection

  • 2. 2 Next-Gen Enduser Protection Integration of innovative endpoint, mobile and encryption technologies to deliver better, simpler to manage security for enduser devices and data. Galileo Connecting our next-gen network, server and enduser products to each other and to Sophos Cloud so the entire organization is better protected—simply. What’s the difference between Next-Gen Enduser Protection and Galileo?
  • 4. 4 Increasing attacks, increasing sophistication Attack surface exponentially larger Laptops/Desktops Phones/Tablets Virtual servers/desktops Threats more sophisticated Attacks are more coordinated than defenses
  • 5. 5 Today’s security approach is falling behind INCOMPLETE Always one more thing to deploy and manage COMPLICATED Too hard to configure, too much to monitor INEFFECTIVE Not keeping up with advanced threats
  • 6. 6 Result: Compromises are growing 63,497 security incidents in 2013 1,367 confirmed data breaches Affected segments Banking, Credit, Financial Hospitality Government, Military Utilities Retail and other business Source: Verizon Data Breach Investigations Report 2014
  • 7. 7 What we believe Security must be comprehensive The capabilities required to fully satisfy customer needs Security can be made simple Platform, deployment, licensing, user experience Security is more effective as a system New possibilities through technology cooperation
  • 8. 8 Project Galileo Sophos Confidential Next-Gen Network Security Next-Gen Server Protection Next-Gen Enduser Protection Technology integration that enables complete, simple-to-manage security that works effectively as a system.
  • 9. 9 The Endpoint Has Changed Corporate Perimeter VPN Corporate Perimeter Cloud Services
  • 10. 10 “Prevention is ideal, but detection is a must.” Endpoint Security Needs to Change Prevent Malware Data Prevent Malware Detect Compromises Remediate Threats Encrypt Data
  • 11. 11 Next-Generation Enduser Protection. Policy & Management: Endpoint, Mobile, Encryption. THREAT INTELLIGENCE: Sophos Cloud, SOPHOSLABS, BIG DATA, AUTOMATION, LEVERAGED EXPERTISE. Compromise Detection & Response.
  • 12. 12 Innovative Endpoint Security is Key to NGEUP. It used to be that files got infected. Now systems get infected. SOPHOS SYSTEM PROTECTOR: Threat Engine, Application Control, Reputation, Emulator, HIPS/Runtime Protection, Malicious Traffic Detection, Web Protection, Live Protection, App Tracking, Device Control.
  • 13. 13 Why Malicious Traffic Detection? Command and Control Traffic. Without MTD: no visibility into compromised systems communicating with attackers. MTD-like features on the firewall: detection of a compromised system on the network; no remediation or info about the infection. MTD in the endpoint: detection on or off network, detailed info about the compromised system, potential remediation.
  • 14. 14 How Malicious Traffic Detection Works. SophosLabs: URL database, Malware Identities, HIPS rules, Genotypes, File look-up, Reputation, Apps, SPAM, Data Control, Peripheral Types, Anon. proxies, Patches/Vulnerabilities, Whitelist, MTD rules. Malicious traffic detected. Admin alerted. App terminated. Compromise: User | System | File.
  • 15. 15 SOPHOS SYSTEM PROTECTOR: Threat Engine, Application Control, Reputation, Emulator, HIPS/Runtime Protection, Malicious Traffic Detection, Web Protection, Live Protection, App Tracking, Device Control. Example: Stopping a new variant of Cryptowall. 1. User runs something they shouldn’t. It adds a new application to the startup folder. 2. The application runs and injects itself into explorer.exe. 3. Explorer.exe tries to fetch an encryption key from C&C. 4. Threat removed, admin alerted. 5. Malware and threat indicators shared with SophosLabs.
  • 16. 16 Galileo: Network + Endpoint = ATP. SophosLabs: URL database, Malware Identities, HIPS rules, Genotypes, File look-up, Reputation, MTD rules, Apps, SPAM, Data Control, Peripheral Types, Anon. proxies, Patches/Vulnerabilities, Whitelist. Galileo Heartbeat. Firewall: EMAIL, THREAT EVENT RECEIVER, Web Filtering, Intrusion Prevention System, App Control, ATP Detection, Selective Sandbox, Threat Engine, ROUTING, COMPROMISE DETECTOR, PROXY, Data Loss Protection, THREAT EVENT COLLECTOR. Endpoint: Tracking, Threat Engine, Application Control, Application Reputation, Emulator, HIPS/Runtime Protection, Malicious Traffic Detection, DEVICE & FILE ENCRYPTION, SOPHOS SYSTEM PROTECTOR, DEVICE CONTROL, THREAT EVENT COLLECTOR, Web Filtering, Live Protection, INDICATOR OF COMPROMISE TRACKING. Compromise: User | System | File. Actions: Isolate Subnet and WAN Access; Lockdown Local Network Access; Block Suspected Source; Remove File Encryption Keys.
  • 17. 17 Galileo: Endpoint Heart Attack. Galileo Heartbeat (X: heartbeat lost). Endpoint: Tracking, Threat Engine, Application Control, Application Reputation, Emulator, HIPS/Runtime Protection, Malicious Traffic Detection, DEVICE & FILE ENCRYPTION, SOPHOS SYSTEM PROTECTOR, DEVICE CONTROL, THREAT EVENT COLLECTOR, Web Filtering, Live Protection, INDICATOR OF COMPROMISE TRACKING. Firewall: EMAIL, THREAT EVENT RECEIVER, Web Filtering, Intrusion Prevention System, App Control, ATP Detection, Selective Sandbox, Threat Engine, ROUTING, COMPROMISE DETECTOR, PROXY, Data Loss Protection, THREAT EVENT COLLECTOR. Compromise: User | System | File. Actions: Lockdown Local Network Access; Remove File Encryption Keys. SophosLabs: URL database, Malware Identities, HIPS rules, Genotypes, File look-up, Reputation, MTD rules, Apps, SPAM, Data Control, Peripheral Types, Anon. proxies, Patches/Vulnerabilities, Whitelist.
  • 18. 18 © Sophos Ltd. All rights reserved.

Editor's Notes

  1. Number of breaches over the past few years. Threats are more sophisticated/advanced. Attacks are coordinated but defenses are not. Attack surface exponentially larger: laptops/desktops, mobile phones/tablets, virtual servers/desktops. There is no perimeter. Hackers are not in it for fun; these are professional businesses motivated by money. % of threats that are considered advanced. % of threats that are not signature based. % of threats that can evade a singular technology. How quickly malware can evade a new signature/block.
  3. Over the past several years, the endpoint has changed. Endpoints used to be primarily Windows PCs housed on site, within a firewalled perimeter. Now endpoints include employee- and employer-owned PCs, Macs, Androids, iPhones and iPads. They access corporate servers and cloud services inside and outside the perimeter.
  4. Endpoint security used to be about stopping malware from infecting Windows PCs on the network. Now it has to evolve to not only prevent malware, but also detect machines that are already compromised and help remediate detected threats on a variety of workstation and mobile platforms. Endpoint security also has to include a focus on the data, ensuring it is encrypted and accessible only to authorized users regardless of where the data lives.
  5. Sophos Next-Generation Enduser Protection builds on our existing endpoint, mobile, and encryption protection. In addition to strengthening each component with innovative new technology, we’re connecting endpoint, mobile, and encryption via Sophos Cloud. This allows us to not only integrate the policy setting and management experience, but also to correlate data among devices over time to detect and respond to advanced threats that would be missed by traditional products. All of this is made possible by SophosLabs, which bakes global, cloud-based threat intelligence into the products. This means that Sophos, rather than the customer, is doing the hard work of staying on top of the latest threats, figuring out how to identify them, and knowing what to do about them.
  6. One core component of NGEUP is the sophisticated endpoint agent used in our Windows and Mac endpoint security products. A streamlined version of it is also used in Sophos Mobile Security, our anti-malware product for Android. All of the components shown here work together to prevent, detect, and respond effectively to malware, even malware that we’ve never seen before. The items in orange are new components that will be added over the coming 12 months or so. Also within the next 12 months, the emulator, shown in teal, will be replaced with a complete update that is faster and more effective at detecting previously-unseen malware before it has a chance to execute.
  7. Both botnets and targeted attacks make use of “command & control” servers operated by the attacker to send commands to tell the malware what to do. Traditional AV focuses on stopping the malware from running in the first place. Once it’s already running, it’s too late. If we can detect the malicious network traffic from the endpoint to the command and control server, we can see that the machine is infected and respond accordingly. We can do this today in our UTM. Soon, we’ll add the capability right into the endpoint.
  8. Here we see a PC that’s infected and communicating with a C&C server. The Malicious Traffic Detector, which is just another component of the endpoint agent, compares the traffic to a set of rules provided by SophosLabs and detects that this traffic indicates a compromise. The endpoint agent notifies the management console, which alerts the admin. Because this is all happening within the endpoint, we can tell the admin which computer is infected, which application is causing the problem, and what user is currently logged in to the computer. In many cases, the console can instruct the endpoint agent to terminate the application causing the problem. This will stop the malware from running and end the communication with the C&C server.
  10. Intro: Galileo, a connected security system that is surprisingly simple and that prevents, detects and responds to malware, APTs and targeted attacks. How: by sharing context between the Next Generation Endpoint and the Next Generation Firewall using the Galileo Heartbeat. Let’s go through an example of how this happens. Diagram orientation: on the left we have our next gen endpoint with all the great features we already have and are adding. On the right we have our next gen firewall with all those great features. On the top, SophosLabs with all the rules and services that our products and customers use. Clicks: in this example we’ll go through the green endpoint being compromised. Once it’s first compromised, the attacker tries to establish themselves on the system. The orange line represents the backdoor malware being downloaded through the system, from right to left (the outside to the inside), going through the UTM and endpoint on the way in, turning the corner on the left as it starts to execute, then reaching out to servers (left to right) for command and control, maybe downloading further malware. At this point the ATP feature on the UTM detects network traffic to a malicious server (say C&C) using SophosLabs APT rules. This feature is already in UTM 9.2 and, although a great feature, it can only report to the console what it sees at the network level, source and destination addresses for example. Useful, but not simple to work out exactly what sent the traffic. This is where Galileo Heartbeat comes in. This is a secure communication mechanism between the Next Gen Endpoint and the Next Gen Firewall. It links the network addresses to the machine that sent the traffic. So when the ATP feature detects the malicious traffic, it knows which endpoint sent the traffic. It uses Heartbeat to check with the machine whether it did send it, to confirm. The machine could answer in two ways: no it didn’t, or yes it did.
If it didn’t, you’ve got another problem on your network: a machine is spoofing an IP address on your network and sending malicious traffic. If it did, the machine, which is recording all the outbound network accesses, can report the full context of what was going on: confirm which machine it was, which user was logged in, and the process and file that caused the malicious traffic. This gives the admin much better visibility of the threat, which you just can’t get with the Firewall working on its own. And now that we’ve got the context of the source of the threat, this opens up a realm of new possibilities. Because we can identify the machine, we can isolate it on the network, both at the Next Gen Firewall and at the Next Gen Endpoint, preventing further network access and potential data loss. And because we know the file, and we track executables across every system, we can list where else the file is on the customer’s network (possibly dormant) and lock down those systems as well. Or give the admin the option to block the file on every machine it’s found on, send it to a Cloud Sandbox for evaluation by SophosLabs, or isolate those other machines from the network. There’s more. Sophos provides device encryption (encrypting the device in case it is lost or stolen) and file encryption (automatically encrypting and decrypting the files shared between users, including those shared via cloud drop-box services). Because the malware is running on the machine and the user is logged in, the malware can see all the same files that the user can see, including the sensitive files they are sharing. What the Next Gen Firewall can tell the Next Gen Endpoint to do (using Heartbeat) is to remove the file encryption keys from the machine running the malware. The malware can no longer access unencrypted files on the machine or on the cloud drop-box services, stopping data loss.
Other users can still see the data OK, since they still have the keys, and of course once the machine is fixed we can put the keys back on the machine to decrypt the files once again.
  11. And now, because we expect a Heartbeat from our protected machines, we can use it to identify compromised machines in a different way: the Heart Attack! This time the malware is not subtle and tries to disable our software. The heartbeat disappears. The Next Gen Firewall sees that the expected Heartbeat is gone but still sees traffic coming from the machine. The user is then alerted to a potential compromise of that system. And because we know which machine it is, we can offer the administrator the same set of remediation steps as before.
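The flow in notes 8, 10 and 11 (endpoint MTD context, the Heartbeat confirmation with its spoofing case, and the Heart Attack) as an added Python model. This is example code written for this page, not Sophos code; the hostnames, addresses, rule entries, process names, paths and remediation labels are constructed placeholders, and the heartbeat is reduced to a flag on each managed endpoint.

```python
# Added example (not Sophos code): a small model of the endpoint/firewall
# correlation in the notes.  Hosts, addresses, rules, process names and
# remediation labels are constructed placeholders.
from dataclasses import dataclass, field

# Constructed stand-in for the SophosLabs "MTD rules" feed: (destination, port)
# pairs treated as known command-and-control servers.  Values are made up.
CNC_RULES = {("cnc.example.invalid", 443), ("203.0.113.7", 8080)}

# Response options named on the Galileo slides, as labels only.
REMEDIATION = ["isolate subnet and WAN access", "lock down local network access",
               "block suspected source", "remove file encryption keys"]


@dataclass(frozen=True)
class Connection:
    """One outbound connection as recorded by the endpoint agent."""
    dst: str
    dst_port: int
    process: str
    path: str
    user: str


@dataclass
class Endpoint:
    hostname: str
    ip: str
    heartbeat_ok: bool = True          # False once malware has disabled the agent
    connections: list = field(default_factory=list)

    def record(self, conn):
        """The agent keeps a log of every outbound network access."""
        self.connections.append(conn)

    def _context(self, c):
        return {"computer": self.hostname, "user": c.user, "process": c.process,
                "path": c.path, "destination": f"{c.dst}:{c.dst_port}"}

    def mtd_hits(self):
        """Endpoint-side Malicious Traffic Detection: match the connection log
        against the C&C rules and return computer/user/process context."""
        return [self._context(c) for c in self.connections
                if (c.dst, c.dst_port) in CNC_RULES]

    def confirm(self, dst, dst_port):
        """Answer the firewall's heartbeat query: did this machine send traffic
        to dst:dst_port?  Full context if yes, None if no."""
        for c in self.connections:
            if c.dst == dst and c.dst_port == dst_port:
                return self._context(c)
        return None


class Firewall:
    """Network-side ATP detection: alone it sees only addresses, the heartbeat
    map lets it resolve a source IP to a managed endpoint and ask for context."""

    def __init__(self, endpoints):
        self.by_ip = {e.ip: e for e in endpoints}

    def atp_alert(self, src_ip, dst, dst_port):
        """Called when traffic matching a C&C rule is seen from src_ip."""
        ep = self.by_ip.get(src_ip)
        if ep is None:                       # no heartbeat ever seen for this IP
            return {"verdict": "unmanaged-source", "src_ip": src_ip}
        if not ep.heartbeat_ok:
            return self.heart_attack(src_ip)
        ctx = ep.confirm(dst, dst_port)
        if ctx is None:                      # endpoint denies it: address spoofed
            return {"verdict": "spoofed-source", "src_ip": src_ip,
                    "claimed_computer": ep.hostname}
        return {"verdict": "confirmed-compromise", **ctx, "actions": REMEDIATION}

    def heart_attack(self, src_ip):
        """Heartbeat missing from a managed machine that is still sending traffic."""
        ep = self.by_ip.get(src_ip)
        if ep is None or ep.heartbeat_ok:
            return None
        return {"verdict": "heart-attack", "computer": ep.hostname,
                "src_ip": src_ip, "actions": REMEDIATION}


def demo():
    """Run the scenarios from the notes on constructed data."""
    pc1 = Endpoint("PC-FINANCE-01", "10.0.0.11")
    pc2 = Endpoint("PC-HR-02", "10.0.0.12")
    pc3 = Endpoint("PC-LAB-03", "10.0.0.13", heartbeat_ok=False)
    pc1.record(Connection("cnc.example.invalid", 443, "explorer.exe",
                          r"C:\Windows\explorer.exe", "alice"))
    pc1.record(Connection("intranet.example.invalid", 80, "chrome.exe",
                          r"C:\Program Files\Chrome\chrome.exe", "alice"))
    fw = Firewall([pc1, pc2, pc3])
    return {
        "endpoint_mtd": pc1.mtd_hits(),
        "confirmed": fw.atp_alert("10.0.0.11", "cnc.example.invalid", 443),
        "spoofed": fw.atp_alert("10.0.0.12", "cnc.example.invalid", 443),
        "heart_attack": fw.heart_attack("10.0.0.13"),
    }
```

Each verdict carries only what the notes say that party can know: an unmanaged source yields addresses alone, a confirmed compromise adds computer, user, process and file taken from the endpoint's own connection log, a denial from the endpoint is reported as address spoofing rather than as an infection, and a managed machine whose heartbeat has stopped is flagged without any rule match at all.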