Friday, March 17, 2017 | Webroot Inc. | Proprietary & Confidential Information

Cloud Security Best Practices

William Fletcher

Strategic Alliances Manager, Webroot Inc.


Agenda

» Common methods for attacks

» Impact on users and businesses

» Benefits and challenges of cloud-based solutions

» Webroot’s cloud-based solutions

» Q&A


Common Methods for Attacks


Breaking in with Social Engineering: Phishing

» Spear Phishing
– As few as 12 targeted emails for 99%+ chance of tricking one user
– Links to web exploit kits
– Document exploits

» Phishing
– Over 4M unique phishing site visits by Webroot’s 8M customers during 2015
– Credential theft leads to compromise


Breaking in with Social Engineering: Watering Hole

» Attacks websites known to be commonly used by targets
– Compromised website redirects to web exploit site for malware delivery
– Popular for gaining credentials to highly secured targets
– Evades detection, as targeted websites are often highly reputable
– Increasingly difficult as websites become more secure


Explosion in Malware

There were more new malware variants reported in the first 6 weeks of 2016 than in all of 2011.

2015: 143 Million New Malware Variants (…or over 16,000 every hour of every day)
2013: 82 Million New Malware Variants
2011: 19 Million New Malware Variants
2009: 13 Million New Malware Variants
2007: 5.5 Million New Malware Variants
2006: ~1 Million New Malware Variants

Source: AV-Test


Polymorphic Malware on the Rise

Executable threats continue to emerge quickly and are highly customized and targeted

97% of new malware seen on only a single endpoint!*

Malware and PUAs circumvent traditional detection by using polymorphic distribution models and rapid variant generation


Threat Delivery and Functionality

» Web exploit kits responsible for ~80% of malware delivery

» New wave of fileless infections
– Poweliks, Gootkit, Kovter
– Persistent through reboots with no binary component

» Multi-function trojans
– Backdoor
– Keylogger
– Man-in-the-middle/browser

[Figure: Angler Delivery – April 2015 – Source: Sophos]


Impact on Users and Businesses


Impacts of a Security Breach

Identity theft and fraud

Damage to business reputation, customer trust, legal liability

In 2015 the average total cost of a data breach was $3.8M
– 23% increase since 2013
– Average of $154 per compromised record


Benefits and Challenges of Cloud-based Solutions


Pros of Cloud-based Solutions

Very easy to deploy and manage
Endpoints are connected to the cloud and report encounter data
Extremely lightweight in size/CPU/memory consumption

Visibility and popularity of application landscape
Rapid time detection
Scanning isn’t needed for detection and remediation
Perpetual state of awareness
No hardware or network configuration needed
Admin console access from anywhere
Offloads analytics from devices to the cloud


Cons of Cloud-based Solutions

Must have an offline protection mode
Requires an internet connection to transmit threat data to the cloud for analysis
If behavior of the malware is new, there will always be a patient zero

Rollback remediation and outbound firewall are important for protection
Restricting execution of untrusted applications can also mitigate damage


Webroot’s Cloud-based Solutions


A Smarter Approach to Cybersecurity

Smarter Cybersecurity™ Solutions

Smarter Detection
Behavior-based, not signature-based. One of its kind, cloud-based, predictive protection.

Smarter Protection
Any time a threat is encountered by one customer, all other customers are protected from that threat in real time.

Smarter Management
Automatic software updates. Minimal user performance impact. Industry’s best performance.

Smarter Support
One-click support. Most problems are resolved in <10 minutes. Customer satisfaction rating of over 96%.

Smarter Remediation
Remediation automatically returns infected devices to their uninfected state. No need to reimage or wipe devices.

Smarter Incident Response
Integrates into SIEM, NGFW, access points and MDMs.

Smarter Threat Intelligence
Real-time analysis of URLs, IPs, files, applications, and phishing sites.

Smarter Future
Ready for the next generation of devices: Internet of Everything.


What Webroot Offers

Driven by BrightCloud® Threat Intelligence

Web Security (SecureAnywhere™)
Business & Enterprise
» Web Security

Mobile Protection (SecureAnywhere™)
Business
» Mobile Protection for Android™ and iOS®
OEM & Enterprise
» Mobile Security SDK
» SecureWeb™ Browser SDK
Consumer
» Mobile protection for Android
» Secure browsing for iOS

Endpoint Protection (SecureAnywhere™)
Business
» Endpoint Protection
Enterprise
» Endpoint Protection
» WAI Fraud Solution
» Identity Shield
Consumer
» Antivirus
» Antivirus Suites
» Antivirus for PC Gamers

Threat Intelligence Services (BrightCloud®)
OEM & Enterprise
» Web Classification
» Web Reputation
» IP Reputation
» File Reputation
» Real-Time Anti-Phishing
» Mobile App Reputation
» Threat Intelligence Server
» Connectors to SIEMs, Splunk, NGFWs, UTMs and other security products


Webroot® Threat Intelligence Platform


Webroot Threat Intelligence by the Numbers

Webroot BrightCloud® services continuously classify and score 95% of the internet, and monitor the entire IPv4 space and in-use IPv6

27+ Billion URLs
600+ Million Domains
9+ Billion File Behavior Records
20+ Million Mobile Apps
4+ Billion IP Address
10+ Million Connected Sensors

Source: Stats from Webroot BrightCloud® Threat Intelligence Services January 2016


Exponential Growth of New Unknown Threats

25k New malicious URLs
10k New phishing sites
100k New malicious IPs
101k New malware & PUA
1M+ New file encounters

Source: Stats from Webroot BrightCloud® Threat Intelligence Services January 2016


Webroot SecureAnywhere® Business Endpoint Protection

Better Protection
Next-gen behavioral analysis is effective against zero-day attacks

Tiny Client, Fast Scans, No Conflicts
<1 MB agent installs & scans in seconds, won’t conflict with existing security

No Signatures, Always Up to Date
No bulky signature updates or definition files, protection is always current

No Reimaging
Rollback remediation restores systems to their uninfected state

Simplified Management
Manage endpoints on or off the network with an intuitive cloud-based console


Multivector Protection via Built-in Shields

Infrared Shield
Automatically adjusts security heuristics based upon individual user behavior

Offline Shield
Protects against persistent threats if the cloud is unavailable

Zero-day Shield
Identifies and blocks new polymorphic threats entering via exploits

Real-Time Anti-Phishing Shield
Delivers 99%+ accuracy in identifying new phishing sites

Real-Time System Shield
Protects the endpoint from threats of infection

Behavior Shield
Analyzes behaviors and with the cloud, identifies malicious ones

Identity Shield
Protects sensitive information by limiting access to unknown files

USB Shield
Blocks malicious activity from removable media drives


Endpoint Behavioral Analysis + Cloud Threat Intelligence

1) If new file is unknown and doesn’t match an existing classification rule, allow to execute but in a controlled environment

2) Collect behaviors of unknown file and compare with cloud-based classification rules

3) Continue monitoring until determination is made; if bad, add to known threat database

4) Block and remove file from local endpoint device

5) Invoke remediation of any changes to restore host to clean state

[Diagram: a new file on the endpoint is reduced to a file hash and the cloud is asked "Has cloud-based threat intelligence seen this file before?" against the Known File Hash DB, Behaviors DB and Other Threat DBs. "Yes! Bad." leads to Block. "No! Unknown." leads to (1) monitored pseudo execution on the local machine and (2) Behavioral Analysis & Categorization, which analyzes categories of behaviors.]


Agent Tightly Controls Actions of Unknown Files

A new file enters the system

One-to-one and one-to-many signatures are calculated locally. The cloud is queried and matching malicious files are blocked.

Untrusted files are run in an emulated environment where system changes are observed and virtualized but fully blocked.

Cloud is queried again with new data. The Infrared engine blocks based on the intent, manner of entry, and reputation.

If still untrusted, the file is now permitted to execute but is closely watched.

Webroot agent sits in kernel mode, between the suspicious application and the operating system, vetting all changes it attempts to make or data it tries to access.

– Any attempt to access the user’s identity or private data is blocked immediately

– All changes made to the system or data are journaled, i.e. a pre-change snapshot of the file/registry entry/etc. is taken

All system changes are bundled and submitted in packets to be analyzed against all other files in the cloud

Operating System (user data, registry, applications, processes, network, etc.)
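
The journaling and rollback idea on this slide, as an added Python illustration that is not Webroot's code: the `ChangeJournal` class, its methods and the file names are hypothetical, and only files are covered (no registry entries, processes or network state).

```python
import os
import tempfile

_MISSING = object()  # sentinel: the path did not exist before the first change


class ChangeJournal:
    """Hypothetical journal: snapshot each file before an untrusted change."""

    def __init__(self):
        self._snapshots = {}  # path -> original bytes, or _MISSING
        self._order = []      # paths in the order they were first touched

    def _snapshot(self, path):
        if path in self._snapshots:
            return  # keep only the oldest state, i.e. the clean one
        if os.path.exists(path):
            with open(path, "rb") as fh:
                self._snapshots[path] = fh.read()
        else:
            self._snapshots[path] = _MISSING
        self._order.append(path)

    def write(self, path, data):
        path = os.path.abspath(path)
        self._snapshot(path)
        with open(path, "wb") as fh:
            fh.write(data)

    def delete(self, path):
        path = os.path.abspath(path)
        self._snapshot(path)
        os.remove(path)

    def rollback(self):
        """Restore every touched path to its pre-change state; return the count."""
        for path in reversed(self._order):
            original = self._snapshots[path]
            if original is _MISSING:
                if os.path.exists(path):
                    os.remove(path)  # file was created by the untrusted program
            else:
                with open(path, "wb") as fh:
                    fh.write(original)
        restored = len(self._order)
        self._snapshots.clear()
        self._order.clear()
        return restored


def demo():
    """Constructed scenario: journaled changes, a 'bad' verdict, then rollback."""
    with tempfile.TemporaryDirectory() as root:
        doc = os.path.join(root, "report.txt")
        cfg = os.path.join(root, "settings.ini")
        dropped = os.path.join(root, "dropped.bin")
        for path, data in ((doc, b"quarterly numbers"), (cfg, b"autostart=off")):
            with open(path, "wb") as fh:
                fh.write(data)

        journal = ChangeJournal()
        journal.write(doc, b"overwritten once")
        journal.write(doc, b"overwritten twice")  # second write: no new snapshot
        journal.write(dropped, b"new file")
        journal.delete(cfg)

        restored = journal.rollback()  # verdict came back "bad"
        with open(doc, "rb") as fh:
            doc_after = fh.read()
        with open(cfg, "rb") as fh:
            cfg_after = fh.read()
        return {"restored": restored, "doc": doc_after, "cfg": cfg_after,
                "dropped_exists": os.path.exists(dropped)}


if __name__ == "__main__":
    print(demo())
```

Snapshotting only on the first touch is what makes the rollback land on the clean state rather than on an intermediate one written by the same untrusted program.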


Webroot Standard Business Management Console

» Single organization focus

» Flat management

» Group to User policy levels

» Granular administration

» Full remote endpoint management via Agent Commands and Overrides

» Advanced dashboard and ‘dwell-time’ reporting

» Designed for up to 1,000 devices


Webroot Global Site Manager Business Management Console

» Multi-location/admin focus

» Hierarchical management

» Global to User policy levels

» Granular local administration

» Full remote endpoint management via Agent Commands and Overrides

» Advanced dashboard and reporting, Dwell-Time

» Highly scalable, up to 100,000 devices


Unique Dwell Time: Infection Visibility

» Only vendor to show Dwell Time protection periods – via agent monitoring, journaling and rollback remediation functions

» Full visibility of infections and their removal

» Comprehensive drill-down into file infection information

» Identity and Privacy Shield assumes the endpoint is already subject to undetectable malware and locks down OS & browser to protect user info and credentials from man-in-the-browser or man-in-the-middle attacks


BrightCloud® Threat Intelligence Services

Web Classification
Provides content classification for billions of web pages to keep your customers safe from online threats.

Web Reputation
Forecasts the security risk of visiting a website and enables administrators to finely tune security settings.

IP Reputation
Publishes dynamic intelligence of high-risk IP addresses and insight into inbound and outbound communications.

Real-Time Anti-Phishing
Catches advanced phishing attacks by providing time-of-need protection through real-time scans before sites are visited.

File Reputation
Provides dynamic file reputation intelligence of known malicious and whitelisted files to stop the distribution of malware.

Mobile App Reputation
Categorizes and scores apps using multi-stage analysis and advanced algorithms to ensure they are safe and compliant.

Mobile Security SDK
Provides industry-leading protection against mobile threats through antivirus, antimalware, and secure web browsing.

SecureWeb™ Browser SDK
This standalone Android® browser ensures both users and networks are protected from malicious sites.


BrightCloud Threat Investigator

Provides IP/URL/file/mobile app threat history & context for investigation

Identifies all related IP/URL/file/mobile app (malicious or not) of any internet object in a contextual map to help investigate & identify potential future attackers

Gets geo, WhoIS & detailed threat history of each malicious IP/URL/file/mobile app in a single pane of glass for investigation

Gets reputation score & classification of threats for policy setting in NGFW, SIEM & other security infrastructure

Complements BrightCloud Threat Intelligence for NGFW (e.g. Palo Alto Networks) & SIEM (e.g. ArcSight, LogRhythm, & Splunk)


Awards & Accolades

Edison Award for Innovation
Frost & Sullivan Innovation Award
Gartner “Visionary” {Endpoint Security Platform}
PassMark Validation: Fastest, Lightest, Least Disruptive Endpoint
Named “Trailblazer” by Radicati Group
Insight Cloud Partner of the Year
Denver Post Top Workplaces 2014
PC Mag 16-Time Award Winner


Q&A

William Fletcher

Strategic Alliances Manager, Webroot Inc.