Taking the battle to ransomware with Sophos Intercept X

Posted on 15-Apr-2017


INTERCEPT X: THE NEXT STEP IN NEXT-GEN ENDPOINT PROTECTION

Lars Putteneers, Sales Engineer

23/03/2017

Sophos snapshot

• Founded 1985, Oxford, UK

• HQ: Oxford, UK

• $450M in FY15 billing (approx.)

• 3,500 employees (approx.)

• 200,000+ customers

• 100M+ users

• 90+% best-in-class renewal rates

• 15,000+ channel partners

• OEM partners

• Key dev centers / offices

WHY

The Evolution of Threats: From Malware to Exploits (Traditional Malware to Advanced Threats)

Threat                   Year    Cost
Melissa Virus            1999    $1.2B
Love Letter Worm         1998    $15B
Zeus Trojan              2007    $2.3B
JSocket RATs             2014    $800M
Locky Ransomware         2016    $1.1B
FinFisher Spyware        2003    $780M
Exploit as a Service     2015    $500M

The Evolution of Security: From Anti-Malware to Anti-Exploit (Traditional Malware to Advanced Threats)

Protection layers, from exposure to run-time:

• Exposure Prevention: URL Blocking, Web/App/Dev Control, Download Reputation

• Pre-Exec Analytics: Generic Matching, Heuristics, Core Rules

• File Scanning: Known Malware, Malware Bits

• Run-Time: Behavior Analytics, Runtime Behavior

• Exploit Detection: Technique Identification

Threat classes: Trojan, Spyware, Virus, Worm; RATs, Ransomware, Exploit Kits

80% / 15% / 5%


We believe

• Security must be:

  o Simple

  o Comprehensive

  o Easy to use

  o Single console

• You need to have MORE SECURITY with LESS EFFORT

HOW

How do we do it?

• Own worldwide Threat Research Center

• Firewalls

• Centrally managed endpoint protection

• Sandboxing

• Communication between endpoint & firewall

Intercepting Exploits: Blocking Exploit Techniques vs Antivirus

Exploit techniques: Heap Spray, Use after Free, Stack Pivot, ROP, Call OS function

• Most exploit-based attacks consist of 2 or more exploit techniques

• Exploit techniques do not change and are mandatory to exploit existing and future software vulnerabilities

Attack stages: PREPARATION, TRIGGERING, GAIN CONTROL, CIRCUMVENT (DEP), POST PAYLOAD DROP

What is present at each stage: Memory Corruption/UaF, In-Memory (Diskless), On Disk, Ransomware Activity

Legend: Sophos Intercept X / Antivirus

WHAT

Endpoint protection

Cloud Endpoint Protection Advanced

Introducing Sophos Intercept X

ADVANCED MALWARE | ZERO DAY EXPLOITS | LIMITED VISIBILITY

Anti-Exploit: Prevent Exploit Techniques

• Signatureless Exploit Prevention

• Protects Patient-Zero / Zero-Day

• Blocks Memory-Resident Attacks

• Tiny Footprint & Low False Positives

No User/Performance Impact, No File Scanning, No Signatures

Root-Cause Analysis: Automated Incident Response

• IT Friendly Incident Response

• Process Threat Chain Visualization

• Prescriptive Remediation Guidance

• Advanced Malware Clean

Faster Incident Response, Root-Cause Visualization, Forensic Strength Clean

Anti-Ransomware: Detect Next-Gen Threats

• Stops Malicious Encryption

• Behavior Based Conviction

• Automatically Reverts Affected Files

• Identifies source of Attack

Prevent Ransomware Attacks, Roll-Back Changes, Attack Chain Analysis

Intercepting Ransomware

• Monitor File Access: if suspicious file changes are detected, file copies are created

• Attack Detected: the malicious process is stopped and we investigate the process history

• Rollback Initiated: original files restored, malicious files removed

• Forensic Visibility: user message, admin alert, root cause analysis details available

Root Cause Analytics: Understanding the Who, What, When, Where, Why and How
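The four steps above (copy on suspicious change, stop the process, roll back, report the process history for root-cause analysis) can be modelled end to end in a few dozen lines. The following is an added illustration written for this page, not Sophos code and not how CryptoGuard is implemented: a single `write()` chokepoint stands in for a file-system filter driver, an entropy jump stands in for "suspicious file change", and a per-process count of such changes stands in for behaviour-based conviction. The thresholds, process ids, file names and the XOR "encryption" are all constructed for the demo.

```python
import math
import os
import random
import shutil
import tempfile
from collections import Counter, defaultdict

# Assumed thresholds for this model only (not Sophos' values).
SUSPICIOUS_ENTROPY = 6.5     # bits per byte; ciphertext sits near 8.0, office text near 4-5
CONVICTION_THRESHOLD = 3     # suspicious rewrites by one process before it is convicted


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: a cheap signal that a rewrite looks like ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class RansomwareInterceptor:
    """Stands in for a file-system filter: every write from every process passes through write()."""

    def __init__(self, backup_dir: str):
        self.backup_dir = backup_dir
        self.backups = {}                  # original path -> pre-change copy
        self.suspects = defaultdict(list)  # pid -> paths it rewrote suspiciously
        self.created = defaultdict(list)   # pid -> new files it dropped
        self.stopped = set()               # convicted pids
        self.events = []                   # process history kept for root-cause analysis

    def write(self, pid: int, path: str, data: bytes) -> bool:
        if pid in self.stopped:                       # a stopped process writes nothing more
            self.events.append(("blocked", pid, path))
            return False
        if os.path.exists(path):
            with open(path, "rb") as f:
                before = f.read()
            # Step 1: low-entropy content replaced by high-entropy data is suspicious,
            # so a copy of the original is taken before the change lands.
            if shannon_entropy(before) < SUSPICIOUS_ENTROPY <= shannon_entropy(data):
                if path not in self.backups:
                    copy = os.path.join(self.backup_dir, f"{len(self.backups)}.bak")
                    shutil.copy2(path, copy)
                    self.backups[path] = copy
                self.suspects[pid].append(path)
                self.events.append(("suspicious_rewrite", pid, path))
        else:
            self.created[pid].append(path)            # remember files this process dropped
        with open(path, "wb") as f:
            f.write(data)
        # Step 2: enough suspicious rewrites from one process leads to conviction.
        if len(self.suspects[pid]) >= CONVICTION_THRESHOLD:
            self._convict(pid)
        return True

    def _convict(self, pid: int) -> None:
        self.stopped.add(pid)                         # malicious process is stopped
        for path in self.suspects[pid]:               # Step 3: originals restored
            shutil.copy2(self.backups[path], path)
        for path in self.created[pid]:                # malicious files removed
            if os.path.exists(path):
                os.remove(path)
        self.events.append(("convicted", pid, len(self.suspects[pid])))

    def report(self, pid: int) -> dict:
        """Step 4: what the admin alert / root-cause view would carry for one process."""
        return {
            "pid": pid,
            "convicted": pid in self.stopped,
            "restored": len(self.suspects[pid]),
            "removed": len(self.created[pid]),
            "blocked": sum(1 for e in self.events if e[0] == "blocked" and e[1] == pid),
            "history": [e for e in self.events if e[1] == pid],
        }


def fake_encrypt(data: bytes) -> bytes:
    """Deterministic stand-in for ransomware encryption: XOR with a seeded keystream."""
    rng = random.Random(0xC0FFEE)
    return bytes(b ^ rng.getrandbits(8) for b in data)


def run_demo() -> dict:
    """Constructed scenario: a benign editor (pid 7) and a simulated ransomware process (pid 4242)."""
    root = tempfile.mkdtemp(prefix="interceptx_demo_")
    ix = RansomwareInterceptor(os.path.join(root, "backups"))
    os.makedirs(ix.backup_dir)
    text = ("Quarterly report: revenue grew, costs fell, headcount stable. " * 40).encode()
    docs = [os.path.join(root, f"report{i}.docx") for i in range(4)]
    for d in docs:
        ix.write(pid=1, path=d, data=text)            # the files as they existed before the attack

    ix.write(7, docs[3], text + b"Edited by a user.\n")  # benign edit: still low entropy, no copy taken
    ransomware = 4242
    ix.write(ransomware, os.path.join(root, "README_DECRYPT.txt"), b"constructed ransom note")
    for d in docs[:3]:
        ix.write(ransomware, d, fake_encrypt(text))   # third rewrite crosses the threshold
    ix.write(ransomware, docs[3], fake_encrypt(text)) # blocked: the process is already stopped

    with open(docs[0], "rb") as f:
        restored_ok = f.read() == text
    with open(docs[3], "rb") as f:
        benign_ok = f.read() == text + b"Edited by a user.\n"
    result = ix.report(ransomware)
    result["restored_ok"] = restored_ok
    result["benign_edit_intact"] = benign_ok
    result["note_removed"] = not os.path.exists(os.path.join(root, "README_DECRYPT.txt"))
    shutil.rmtree(root)
    return result
```

`run_demo()` returns the report for the simulated process: three files restored from their pre-change copies, the dropped note removed, the fourth write blocked, and the benign user edit untouched because a text-to-text change never crosses the entropy threshold. The `history` list is the "process history" the slide says is investigated after conviction; a real product would also carry parent process, user and timestamps.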


What we do differently

• Application Lockdown

• CryptoGuard

• Look at the complete chain/life of a process/application

• Security heartbeat

• Works alongside other AV


What we do differently

Phishing | Exploits | Scripts | Bad Devices | Bad Apps | Runtime (.exe) | Office Docs

Real Results

DEMO

Future?

Machine Learning: Pre-execution Malware Prevention & Detection

Complete Next-Gen Endpoint Protection

Script-based Malware | Malicious URLs | Phishing Attacks | Removable Media | .exe Malware | Non-.exe Malware | Unauthorized Apps | Exploits

Invincea pre-execution malware prevention is highly scalable, fast, and effective, especially against zero-day threats. Invincea's pioneering ML technology delivers high detection rates and very low FP rates, which is unique.

Effective for run-time prevention of exploit-based malware such as ransomware. Sophos Intercept X thrives with next-gen exploit prevention capabilities.

Heuristic detections based on the behaviors of execution to stop evasive malware before damage occurs.

Knowing the source/reputation of a file, URL, email, etc. can prevent an attack before it happens. Includes technologies such as MTD, download reputation, URL filtering, secure email gateway, etc.

For server or locked-down endpoint environments, app control prevents unknown / unwanted apps from running.

The only effective defense against in-memory malware.

The only effective way to set policy to ensure removable media cannot put an organization at risk.

Provides reliable detection of script, document, and macro malware, and an efficient first line of defense against known executable variants.

Synchronized Security

Sophos Central Mgmt. (.doc, .xls, .pdf)

Root Cause Analytics

Questions?
