Friday, March 17, 2017 | Webroot Inc. | Proprietary & Confidential Information
Cloud Security Best Practices
William Fletcher
Strategic Alliances Manager, Webroot Inc.
Agenda
» Common methods for attacks
» Impact on users and businesses
» Benefits and challenges of cloud-based solutions
» Webroot’s cloud-based solutions
» Q&A
Common Methods for Attacks
Breaking in with Social Engineering: Phishing
» Spear Phishing
– As few as 12 targeted emails for 99%+ chance of tricking one user
– Links to web exploit kits
– Document exploits
» Phishing
– Over 4M unique phishing site visits by Webroot’s 8M customers during 2015
– Credential theft leads to compromise
Breaking in with Social Engineering: Watering Hole
» Attacks websites known to be commonly used by targets
– Compromised website redirects to web exploit site for malware delivery
– Popular for gaining credentials to highly secured targets
– Evades detection, as targeted websites are often highly reputable
– Increasingly difficult as websites become more secure
Explosion in Malware
Source: AV-Test
There were more new malware variants reported in the first 6 weeks of 2016 than in all of 2011.
» 2015: 143 Million New Malware Variants (…or over 16,000 every hour of every day)
» 2013: 82 Million New Malware Variants
» 2011: 19 Million New Malware Variants
» 2009: 13 Million New Malware Variants
» 2007: 5.5 Million New Malware Variants
» 2006: ~1 Million New Malware Variants
Polymorphic Malware on the Rise
Executable threats continue to emerge quickly and are highly customized and targeted.
97% of new malware seen on only a single endpoint!*
Malware and PUAs circumvent traditional detection by using polymorphic distribution models and rapid variant generation.
Threat Delivery and Functionality
» Web exploit kits responsible for ~80% of malware delivery
» New wave of fileless infections
– Poweliks, Gootkit, Kovter
– Persistent through reboots with no binary component
» Multi-function trojans
– Backdoor
– Keylogger
– Man-in-the-middle/browser
Figure: Angler Delivery – April 2015 – Source: Sophos
Impact on Users and Businesses
Impacts of a Security Breach
Damage to business reputation, customer trust, legal liability
In 2015 the average total cost of a data breach was $3.8M
Identity theft and fraud
– 23% increase since 2013
– Average of $154 per compromised record
Benefits and Challenges of Cloud-based Solutions
Pros of Cloud-based Solutions
Very easy to deploy and manage
Endpoints are connected to the cloud and report encounter data
Extremely lightweight in size/CPU/memory consumption
» Visibility and popularity of application landscape
» Rapid time to detection
» Scanning isn’t needed for detection and remediation
» Perpetual state of awareness
» No hardware or network configuration needed
» Admin console access from anywhere
» Offloads analytics from devices to the cloud
Cons of Cloud-based Solutions
Must have an offline protection mode
Requires an internet connection to transmit threat data to the cloud for analysis
If the behavior of the malware is new, there will always be a patient zero
» Rollback remediation and outbound firewall are important for protection
» Restricting execution of untrusted applications can also mitigate damage
Webroot’s Cloud-based Solutions
Smarter Cybersecurity™ Solutions
A Smarter Approach to Cybersecurity
» Smarter Detection: Behavior-based, not signature-based. One of its kind, cloud-based, predictive protection.
» Smarter Protection: Any time a threat is encountered by one customer, all other customers are protected from that threat in real time.
» Smarter Management: Automatic software updates. Minimal user performance impact. Industry’s best performance.
» Smarter Support: One-click support. Most problems are resolved in <10 minutes. Customer satisfaction rating of over 96%.
» Smarter Remediation: Remediation automatically returns infected devices to their uninfected state. No need to reimage or wipe devices.
» Smarter Incident Response: Integrates into SIEM, NGFW, access points and MDMs.
» Smarter Threat Intelligence: Real-time analysis of URLs, IPs, files, applications, and phishing sites.
» Smarter Future: Ready for the next generation of devices: Internet of Everything.
What Webroot Offers
Driven by BrightCloud® Threat Intelligence
Web Security (SecureAnywhere™)
» Business & Enterprise: Web Security
Mobile Protection (SecureAnywhere™)
» Business: Mobile Protection for Android™ and iOS®
» OEM & Enterprise: Mobile Security SDK; SecureWeb™ Browser SDK
» Consumer: Mobile protection for Android; Secure browsing for iOS
Endpoint Protection (SecureAnywhere™)
» Business: Endpoint Protection
» Enterprise: Endpoint Protection; WAI Fraud Solution; Identity Shield
» Consumer: Antivirus; Antivirus Suites; Antivirus for PC Gamers
Threat Intelligence Services (BrightCloud®)
» OEM & Enterprise: Web Classification; Web Reputation; IP Reputation; File Reputation; Real-Time Anti-Phishing; Mobile App Reputation; Threat Intelligence Server; Connectors to SIEMs, Splunk, NGFWs, UTMs and other security products
Webroot® Threat Intelligence Platform
Webroot Threat Intelligence by the Numbers
Webroot BrightCloud® services continuously classify and score 95% of the internet, and monitor the entire IPv4 space and in-use IPv6
» 27+ Billion URLs
» 600+ Million Domains
» 9+ Billion File Behavior Records
» 20+ Million Mobile Apps
» 4+ Billion IP Addresses
» 10+ Million Connected Sensors
Source: Stats from Webroot BrightCloud® Threat Intelligence Services January 2016
Exponential Growth of New Unknown Threats
» 25k New malicious URLs
» 10k New phishing sites
» 100k New malicious IPs
» 101k New malware & PUA
» 1M+ New file encounters
Source: Stats from Webroot BrightCloud® Threat Intelligence Services January 2016
Webroot SecureAnywhere® Business Endpoint Protection
» Better Protection: Next-gen behavioral analysis is effective against zero-day attacks
» Tiny Client, Fast Scans, No Conflicts: <1 MB agent installs & scans in seconds, won’t conflict with existing security
» No Signatures, Always Up to Date: No bulky signature updates or definition files, protection is always current
» No Reimaging: Rollback remediation restores systems to their uninfected state
» Simplified Management: Manage endpoints on or off the network with an intuitive cloud-based console
Multivector Protection via Built-in Shields
» Infrared Shield: Automatically adjusts security heuristics based upon individual user behavior
» Offline Shield: Protects against persistent threats if the cloud is unavailable
» Zero-day Shield: Identifies and blocks new polymorphic threats entering via exploits
» Real-Time Anti-Phishing Shield: Delivers 99%+ accuracy in identifying new phishing sites
» Real-Time System Shield: Protects the endpoint from threats of infection
» Behavior Shield: Analyzes behaviors and, with the cloud, identifies malicious ones
» Identity Shield: Protects sensitive information by limiting access to unknown files
» USB Shield: Blocks malicious activity from removable media drives
Endpoint Behavioral Analysis + Cloud Threat Intelligence
1) If a new file is unknown and doesn’t match an existing classification rule, allow it to execute but in a controlled environment
2) Collect behaviors of the unknown file and compare with cloud-based classification rules
3) Continue monitoring until a determination is made; if bad, add to known threat database
4) Block and remove file from local endpoint device
5) Invoke remediation of any changes to restore host to clean state
Figure: New File → Endpoint → File Hash → (1) Has cloud-based threat intelligence seen this file before? (Known File Hash DB, Behaviors DB, Other Threat DBs). Yes! Bad → Block. No! Unknown → (2) Pseudo execution: monitored pseudo execution on local machine, analyze categories of behaviors → Behavioral Analysis & Categorization
Agent Tightly Controls Actions of Unknown Files
A new file enters the system
One-to-one and one-to-many signatures are calculated locally. The cloud is queried and matching malicious files are blocked.
Untrusted files are run in an emulated environment where system changes are observed and virtualized but fully blocked.
Cloud is queried again with new data. The Infrared engine blocks based on the intent, manner of entry, and reputation.
If still untrusted, the file is now permitted to execute but is closely watched
Webroot agent sits in kernel mode, between the suspicious application and the operating system, vetting all changes it attempts to make or data it tries to access.
– Any attempt to access the user’s identity or private data is blocked immediately
– All changes made to the system or data are journaled, i.e. a pre-change snapshot of the file/registry entry/etc. is taken
All system changes are bundled and submitted in packets to be analyzed against all other files in the cloud
Figure label: Operating System (user data, registry, applications, processes, network, etc.)
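The unknown-file workflow on the two preceding slides (hash lookup against the cloud's known-file database, monitored execution scored against behaviour classification rules, journaled changes with pre-change snapshots, rollback remediation, and publishing the verdict so later encounters are blocked at the hash check), worked through as an added Python example. This is not Webroot's code: the known-hash sets, the behaviour categories and their weights, the block threshold, the host model and the sample behaviour traces are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for the cloud's Known File Hash DB: verdicts keyed by
# SHA-256 of file contents (hashes of inline sample bytes, not real samples).
KNOWN_BAD = {hashlib.sha256(b"constructed-malware-sample").hexdigest()}
KNOWN_GOOD = {hashlib.sha256(b"constructed-signed-installer").hexdigest()}

# Constructed classification rules: behaviour category -> weight. An unknown
# file whose observed behaviours score >= BLOCK_THRESHOLD is classified bad.
BEHAVIOR_RULES = {
    "reads_identity_data": 50,  # touches user identity / private data
    "modifies_run_key": 30,     # adds an autorun value to persist across reboots
    "drops_executable": 20,     # writes a new executable to disk
    "writes_user_docs": 10,     # ordinary document edits, expected from benign apps
}
BLOCK_THRESHOLD = 50


@dataclass
class JournalEntry:
    """Pre-change snapshot of one resource, taken before an untrusted file changes it."""
    path: str
    before: Optional[str]  # None: the resource did not exist before the change


@dataclass
class Host:
    """Toy model of the protected OS: a flat map of file/registry path -> contents."""
    state: dict = field(default_factory=dict)
    journal: list = field(default_factory=list)

    def change(self, path: str, new_value: str) -> None:
        """Apply a change only after journaling the pre-change snapshot."""
        self.journal.append(JournalEntry(path, self.state.get(path)))
        self.state[path] = new_value

    def rollback(self) -> None:
        """Undo every journaled change in reverse order, restoring the snapshots."""
        while self.journal:
            entry = self.journal.pop()
            if entry.before is None:
                self.state.pop(entry.path, None)
            else:
                self.state[entry.path] = entry.before


def cloud_lookup(sha256: str) -> str:
    """Step 1: has cloud threat intelligence seen this hash before?"""
    if sha256 in KNOWN_BAD:
        return "bad"
    if sha256 in KNOWN_GOOD:
        return "good"
    return "unknown"


def monitored_execute(host: Host, actions) -> tuple:
    """Steps 2-3: run the unknown file under the agent's control. Identity-data
    access is refused outright; every other change is journaled before it lands.
    Returns the observed behaviour categories and their rule score."""
    host.journal.clear()
    observed = set()
    for category, path, value in actions:
        observed.add(category)
        if category == "reads_identity_data":
            continue  # blocked immediately; the access never reaches the OS
        host.change(path, value)
    score = sum(BEHAVIOR_RULES.get(c, 0) for c in observed)
    return observed, score


def handle_new_file(host: Host, content: bytes, actions) -> str:
    """Full pipeline for one new file entering the endpoint; returns the verdict."""
    sha = hashlib.sha256(content).hexdigest()
    verdict = cloud_lookup(sha)
    if verdict != "unknown":
        return verdict  # known good runs freely; known bad is blocked outright
    observed, score = monitored_execute(host, actions)
    if score >= BLOCK_THRESHOLD:
        KNOWN_BAD.add(sha)  # step 3: publish to the known threat database
        host.rollback()     # steps 4-5: remove the file's changes, restore clean state
        return "bad"
    host.journal.clear()    # benign: keep its changes, discard the snapshots
    return "good"


def demo() -> tuple:
    """Run three constructed files through the pipeline; return the verdicts
    and the final host state."""
    host = Host(state={"C:\\Users\\alice\\docs\\report.docx": "original report"})
    # Constructed trace: drops a binary, sets an autorun value, reads identity data.
    suspicious = [
        ("drops_executable", "C:\\Users\\alice\\AppData\\upd.exe", "MZ..."),
        ("modifies_run_key", "HKCU\\...\\Run\\upd", "C:\\Users\\alice\\AppData\\upd.exe"),
        ("reads_identity_data", "C:\\Users\\alice\\AppData\\Login Data", None),
    ]
    # Constructed trace: an ordinary editor that only writes a document.
    benign = [("writes_user_docs", "C:\\Users\\alice\\docs\\notes.txt", "hello")]
    v1 = handle_new_file(host, b"constructed-unknown-dropper", suspicious)
    v2 = handle_new_file(host, b"constructed-unknown-editor", benign)
    # The dropper's hash is now known bad: a second encounter is blocked at step 1.
    v3 = handle_new_file(host, b"constructed-unknown-dropper", suspicious)
    return v1, v2, v3, dict(host.state)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the three outcomes the slides describe: the dropper scores above the threshold, its dropped binary and autorun value are rolled back from the snapshots, and its hash joins the known-bad set; the editor's single document write is kept; the dropper's second appearance is stopped by the hash lookup alone, without any execution. In a real agent the rules and the hash sets live in the cloud and the journal covers real file and registry operations, but the control flow is the same.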
Webroot Standard Business Management Console
» Single organization focus
» Flat management
» Group to User policy levels
» Granular administration
» Full remote endpoint management via Agent Commands and Overrides
» Advanced dashboard and ‘dwell-time’ reporting
» Designed for up to 1,000 devices
Webroot Global Site Manager Business Management Console
» Multi-location/admin focus
» Hierarchical management
» Global to User policy levels
» Granular local administration
» Full remote endpoint management via Agent Commands and Overrides
» Advanced dashboard and reporting, Dwell-Time
» Highly scalable, up to 100,000 devices
Unique Dwell Time: Infection Visibility
» Only vendor to show Dwell Time protection periods – via agent monitoring, journaling and rollback remediation functions
» Full visibility of infections and their removal
» Comprehensive drill-down into file infection information
» Identity and Privacy Shield assumes the endpoint is already subject to undetectable malware and locks down OS & browser to protect user info and credentials from man-in-the-browser or man-in-the-middle attacks
BrightCloud® Threat Intelligence Services
» Web Classification: Provides content classification for billions of web pages to keep your customers safe from online threats.
» Web Reputation: Forecasts the security risk of visiting a website and enables administrators to finely tune security settings.
» IP Reputation: Publishes dynamic intelligence of high-risk IP addresses and insight into inbound and outbound communications.
» Real-Time Anti-Phishing: Catches advanced phishing attacks by providing time-of-need protection through real-time scans before sites are visited.
» File Reputation: Provides dynamic file reputation intelligence of known malicious and whitelisted files to stop the distribution of malware.
» Mobile App Reputation: Categorizes and scores apps using multi-stage analysis and advanced algorithms to ensure they are safe and compliant.
» Mobile Security SDK: Provides industry-leading protection against mobile threats through antivirus, antimalware, and secure web browsing.
» SecureWeb™ Browser SDK: This standalone Android® browser ensures both users and networks are protected from malicious sites.
BrightCloud Threat Investigator
Provides IP/URL/file/mobile app threat history & context for investigation
» Identifies all related IP/URL/file/mobile app (malicious or not) of any internet object in a contextual map to help investigate & identify potential future attackers
» Gets geo, WhoIS & detailed threat history of each malicious IP/URL/file/mobile app in a single pane of glass for investigation
» Gets reputation score & classification of threats for policy setting in NGFW, SIEM & other security infrastructure
» Complements BrightCloud Threat Intelligence for NGFW (e.g. Palo Alto Networks) & SIEM (e.g. ArcSight, LogRhythm, & Splunk)
Awards & Accolades
» Edison Award for Innovation
» Frost & Sullivan Innovation Award
» Gartner “Visionary” (Endpoint Security Platform)
» PassMark Validation: Fastest, Lightest, Least Disruptive Endpoint
» Named “Trailblazer” by Radicati Group
» Insight Cloud Partner of the Year
» Denver Post Top Workplaces 2014
» PC Mag 16-Time Award Winner
Q&A
William Fletcher
Strategic Alliances Manager, Webroot Inc.