SOPHOS presentation used during the SWITCHPOINT NV/SA Quarterly Experience Day on 7th June 2016.
•Download as PPTX, PDF•
1 like•432 views
SOPHOS presentation used during the SWITCHPOINT NV/SA Quarterly Experience Day on 7th June 2016.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to SOPHOS presentation used during the SWITCHPOINT NV/SA Quarterly Experience Day on 7th June 2016.
Similar to SOPHOS presentation used during the SWITCHPOINT NV/SA Quarterly Experience Day on 7th June 2016. (20)
More from SWITCHPOINT NV/SA
More from SWITCHPOINT NV/SA (7)
Recently uploaded
Recently uploaded (20)
SOPHOS presentation used during the SWITCHPOINT NV/SA Quarterly Experience Day on 7th June 2016.
- 1. 1 Lars Putteneers 7 June 2015 SOPHOS Stopping Tomorrow’s Attacks Today: a next-gen approach for advanced threats
- 2. 2 Sophos Snapshot 1985 FOUNDED OXFORD, UK $450M IN FY15 BILLING (APPX.) 2,200 EMPLOYEES (APPX.) 200,000+ CUSTOMERS 100M+ USERS HQ OXFORD, UK 90+% BEST IN CLASS RENEWAL RATES 15,000+ CHANNEL PARTNERS OEM PARTNERS: KEY DEV CENTERS OFFICES
- 3. 3 AT HOME AND ON THE MOVE Mobile Control Endpoint Security SafeGuard Encryption HEADQUARTERS Endpoint Security SafeGuard Encryption REMOTE OFFICE 1 NextGen Firewall Secure Wi-Fi Endpoint Security SafeGuard Encryption Secure Wi-Fi Secure VPN Client Mobile Control Reputation Data • Active Protection SophosLabs Correlated intelligence • Content Classification Administration Web Application Firewall Secure Email Gateway Secure Web Gateway Mobile Control Network Storage Antivirus Server Security Guest Wi-Fi UTM NextGen Firewall Secure Web Gateway Secure Email Gateway Web Application Firewall REMOTE OFFICE 2 Secure Wi-Fi Endpoint Security SafeGuard Encryption Mobile Control Secure VPN RED Sophos Complete Security in an Enterprise SOPHOS CLOUD
- 5. 5 Anatomy of a ransomware attack And gone The ransomware will then delete itself leaving just the encrypted files and ransom notes behind. Ransom demand A message appears on the user’s desktop, explaining how a ransom (often in the form of bitcoins) can be paid within a time frame of e.g. 72 hours to enable decryption of the data with the private key that only the attacker’s system has access to. Encryption of assets Certain files are then encrypted on the local computer and on all accessible network drives with this public key. Automatic backups of the Windows OS (shadow copies) are often deleted to prevent data recovery. Contact with the command & control server of the attacker The ransomware sends information about the infected computer to the C&C server and downloads an individual public key for this computer. Installation via an exploit kit or spam with an infected attachment Once installed the ransomware modifies the registry keys
- 6. 6 Angler: an all-too-well-known exploit kit • Grown in notoriety since mid 2014 ○ The payload is stored in memory and the disk file is deleted ○ Detects security products and virtual machines ○ Ability to spread many infections: banking Trojans, backdoor, rootkits, ransomware • Easy to use ○ Doesn’t require any particular technical competence ○ Available for a few thousand USD on the Dark Web
- 7. 7 Angler’s evolution into the dominant exploit kit Sep 2014 Jan 2015 May 2015
- 8. 8 • 350,000 new malware programs per day • 70% of organisations reported a compromise in the last 12 months • $500 billion WW damages • Estimated to rise to $1.5 trillion by 2019 Another one bites the dust
- 9. 99 The next-gen approach: Sophos Clean Hitman Pro Sophos Sandstorm
- 10. 10 Sophos Clean • All new business product • Removal complete part of Hitman Pro => standalone product
- 11. 11 Should I Stay Or Should I Go
- 12. 12 Bullet in the head
- 13. 13 Hitman Pro • Product of Surfright • For consumer and business market • Signature less protection • Will come in Cloud and on premise solutions
- 14. 14 Hitman Pro: Risk Reduction
- 15. 15 Hitman Pro: Risk Reduction
- 16. 16 Ransomware Cryptowall costs users $325M in 2015 ○ 2 out of 3 infections driven by phishing attack ○ Delivered by drive by exploit kits ○ 100’s of thousands of victims world wide More variants – Locky and Samas ○ Now for MAC and Windows users Targeting bigger Phish ○ $17K payment from California hospital CryptoGuard • Simple and Comprehensive • Universally prevents spontaneous encryption of data • Simple activation in Sophos Central CRYPTOGU ARD CryptoGuard – Say Goodbye to Ransomware
- 17. 17 CryptoGuard • 1. monitors file system activity • 2. when file is opened-for-write, create just-in-time backup of the file • 3. when the file is closed, compare contents • 4. when file is no longer a document, mark as suspicious • 5. if this happens on many files (3 or more), rollback files from above backup, revoke write-access from process (or client IP) that did the changes • 6. all modifications are tracked per process or per client-IP; so if a remote client modifies files, they are tracked, rolled back and blocked if needed
- 18. 18 Hitman Pro: Exploit Mitigation
- 19. 19 Hitman Pro: Exploit Mitigation
- 20. 20 Hitman Pro: Exploit Mitigation
- 21. 21 Hitman Pro: Exploit Mitigation
- 22. 22 Hitman Pro: Safe Browsing
- 23. 23 Hitman Pro: Safe Browsing
- 24. 24 Hitman Pro: Removal Complete
- 25. 25 Hitman Pro: Removal Complete
- 26. 26 Sophos Sandstorm How Sophos Sandstorm works 1. If the file has known malware it’s blocked immediately. If it’s otherwise suspicious, and hasn’t been seen before, it will be sent to the sandbox for further analysis. When web browsing, users see a patience message while they wait. 2. The file is detonated in the safe confines of the sandbox and monitored for malicious behaviour. A decision to allow or block the file will be sent to the security solution once the analysis is complete. 3. A detailed report is provided for each file analyzed. Advanced Threat Defense Made Simple Secure Web Gateway Secure Email Gateway Unified Threat Management Next-Gen Firewall
- 27. 2727 Summary
- 28. 28 TRADITIONALMALWARE Methods and techniques vary depending on device type and operating system (Windows, Mac, Linux/Unix variants, Android, iOS) And Sophos Labs never stops innovating and assessing new techniques ADVANCEDTHREATS I just want to be your everything Exposure prevention 80% malicious URL blocking, malicious web script detection download reputation Pre-execution analytics and heuristics 10% Generic matching using heuristics and component level rules Signatures 5% Signature match of malware or malware components (1-1) Run-time behavior analytics 3% Behavior matching and runtime analytics Exploit detection 2%
- 29. 29 More information • Sophos whitepaper on how to stay protected from ransomware https://www.sophos.com/en- us/medialibrary/Gated%20Assets/white%20papers/sophosransomwareprot ectionwpna.pdf?la=en • Sophos technical whitepaper on ransomware https://www.sophos.com/en- us/medialibrary/PDFs/technical%20papers/sophos-current-state-of- ransomware.pdf?la=en • Naked Security – regular stories on Locky and other ransomware attacks https://nakedsecurity.sophos.com/ • IT Security DOs and DON'Ts https://www.sophos.com/en- us/medialibrary/PDFs/employeetraining/sophosdosanddontshandbook.pdf? la=en • Threatsaurus https://www.sophos.com/en- us/medialibrary/PDFs/other/sophosthreatsaurusaz.pdf?la=en
- 30. 3030 Questions?
- 31. 31© Sophos Ltd. All rights reserved.
Editor's Notes
- Title slide.
- When we look at Ransom ware attacks, we see the following pattern. Step 1 the Ransomware needs to be installed on the target computer. Usualy this is done through and Expoit kit or through a Spam campain. Once installed it’s going to change some registry key on the target. Step 2 When the Ransomware is active on the target, It’s going to connect to a command and control server and sends information about the infected computer and downloads a publickey for this computer. Step 3 Now the Ransomware has the public key is going to Encrypt files on the local computer including the networks drives that are accessible from this computer. Often the shadow copies on the Windows machine are deleted to prevent you to recover the encrypted files. Step 4 When the Ransomware has finished messing with your files it will show the ransom note, with the instructions how to pay the Ransom, often this is in Bitoins. Step 5 After the Ransom note is shown the Ransomware will delete itself and leaves you with the ransom note and the encrypted files.
- One of the Well known exploit kits is Angles It is used to spead many infections. Payload is stored in memory and the local file is deleted. It is easy to use and you can buy it on the darkweb for few thousand Dollars. In the picture you see the revenue
- Angler is gained marketshare over the last few year. Is we look at 2014 it had around 23% Half a year later in januari of 2015 is was arount 39% A couple of month after that it increased to over 82 % Just last Sunday According to Fox-IT Security Operations Center, at least 288 websites were affected, and it is believed that a compromised ad network was responsible for so many sites being affected simultaneously. A lot of the popular news site in The Netherlands were hit… nu.nl marktplaats.nl sbs6.nl rtlnieuws.nl rtlz.nl startpagina.nl buienradar.nl Angler was used in this case
- It’s not just humans under attack from outside compromises, look at what is going on with our data
- If our DNA was identical , one virus could wipe us all out. We’d also look identical - like Donald Trump maybe Humans share over 50% of DNAs with bananas Diversity of our DNA keeps our race going. It prevents our extinction from disease – there are always survivors.
- More ammo for you to fight malware and clean up after it. Sophos Clean – On demand detect and clean up tool for Windows OS Find and remove known and early life/zero-hour malware 11Mb, no installation needed, run from anywhere No known conflicts with existing end point security software - we’ll have a tested list of 3rd party at release. And, yes, we did test against our own endpoint products. List is later on
- CryptoGuard is the anti-ransomware component and it works independently to provide another layer of defense against your data being held hostage by the Locky/Cryptowall type of malware. It’s a driver in the file filter stack that monitors the behaviors of the applications and processes that access your documents. If it detects that an application is encrypting a number of files it will automatically isolate that process from the file system such that it cannot do any more damage AND it will roll-back any files that have been impacted to their prior state.
- CryptoGuard is the anti-ransomware component and it works independently to provide another layer of defense against your data being held hostage by the Locky/Cryptowall type of malware. It’s a driver in the file filter stack that monitors the behaviors of the applications and processes that access your documents. If it detects that an application is encrypting a number of files it will automatically isolate that process from the file system such that it cannot do any more damage AND it will roll-back any files that have been impacted to their prior state. Lightweight and effective CryptoGuard provides another layer of defense for your endpoints and data. It: a. Stops local ransomware from attacking local data b. Stops local ransomware from attacking remote data (incl. mapped or unmapped shares) c. Stops remote ransomware from attacking local data Since most ransomware inject/run from legitimate trusted processes, or even consist of or only use trusted binaries, CryptoGuard is not shy revoking write-access from legitimate/trusted processes (or client IP).
- Another Feature you can use is Sophos Sandstrom. Sophos Sandstorm is cloudbased sandboxing. We can the feature with our Web and Email Appliance and with the Sophos UTM v9.4 How does it work? If we have suspicious file, we create a hash and check that hash with our sandstorm. If we have seen the file before we know if the file is good of bad. Is it a bad file it’s block immediately if it’s the, the user is receiving the file. If it’s a new file the file is send to the sandbox and is detonated. Then the behaviour is monitored. And the decision Allow or block is send back. There is also a detailed report for each file that is analyzed.
- Today Sophos already provides a diverse range of techniques to reduce the chance of your endpoints being compromised. Unlike cake, the more you have of this, the better you will be. The next slide shows why