Endpoint Security Evasion

Posted 20-Jul-2015

Page 1: Endpoint Security Evasion

Endpoint Security Evasion

Jason Shupp, Senior Systems Engineer, Invincea, Inc.

Page 2: Endpoint Security Evasion

Meet the Presenter

Jason Shupp is a Senior Systems Engineer at Invincea, Inc. located in Fairfax, Virginia. Jason is a cyber-security expert with 14 years’ experience in the industry. His career started in the United States Marine Corps as a Tactical Network Specialist. Since that time, he has worked for various companies including Symantec, ArcSight and HP. Jason enjoys spending time with his family, sports and most outdoor activities.

Page 3: Endpoint Security Evasion

Agenda

1. Endpoint Security Evasion

2. Current Endpoint Security Challenges

3. Invincea FreeSpace™ – How it Works

4. Endpoint Security Portrayed in “Real Life”

5. Demonstration

Page 4: Endpoint Security Evasion

Endpoint Security Evasion

Page 5: Endpoint Security Evasion

Endpoint Security Evasion

• Hundreds of thousands of malware variants daily

– It only takes one…

• There is no safe and there are no barriers

– Failed detection = compromise

• Malware running with elevated privileges can:

– Stop running processes

– Stop/disable services

– Install more malware!

– Tamper with the protection itself

• It all sounds so easy

– And you’re right, it is…

Page 6: Endpoint Security Evasion

Current Endpoint Security

Challenges

Page 7: Endpoint Security Evasion

Antivirus Software

• Created in the late 1980s

• Prevent, detect and remove malicious software

• Detection methodology

1. Signature – known bad file

2. Heuristic – characteristics of known bad

3. Behavioral – actions at run-time

• Protection built solely upon “known” threats

• 450K new variants per day

– (McAfee Labs Threats Report: November 2014)

• Have you read the media?
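As an added illustration (not part of the Invincea deck), the following Python models detection methods 1 and 2 from the slide against a constructed stand-in for a malicious file. It shows why an exact-hash signature misses a trivially padded "new variant" while a byte-pattern heuristic still catches it, and why an encoded variant defeats the static heuristic as well, leaving run-time behaviour (method 3) as the remaining signal. The payload string, signature names and pattern are invented for the example.

```python
import hashlib
import re

# Constructed stand-in for a malicious file. The "payload" string is invented
# for this example; it is not real malware, just bytes a scanner can look at.
KNOWN_BAD = (b"MZ\x90\x00" + b"\x00" * 60
             + b"dropper: GET http://c2.invalid/stage2 | run")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# 1. Signature: an exact fingerprint of a sample the vendor has already seen.
SIGNATURE_DB = {sha256_hex(KNOWN_BAD): "Trojan.Constructed.A"}


def signature_scan(sample: bytes):
    """Return the signature name on an exact hash match, else None."""
    return SIGNATURE_DB.get(sha256_hex(sample))


# 2. Heuristic: a characteristic of known bad, here a download-and-run string,
#    that survives byte changes elsewhere in the file.
HEURISTIC = re.compile(rb"GET https?://\S+ \| run")


def heuristic_scan(sample: bytes):
    """Return a heuristic name when the pattern is present, else None."""
    return "Heur.DownloadAndRun" if HEURISTIC.search(sample) else None


def make_variant(sample: bytes, n: int) -> bytes:
    """A 'new variant': append n padding bytes. Behaviour unchanged, hash changed."""
    return sample + b"\x00" * n


def count_distinct_hashes(sample: bytes, variants: int) -> int:
    """How many separate signatures trivially padded variants would need."""
    return len({sha256_hex(make_variant(sample, i)) for i in range(1, variants + 1)})


def make_obfuscated_variant(sample: bytes, key: int = 0x41) -> bytes:
    """XOR-encode the bytes so the static heuristic no longer sees its pattern.

    A real dropper decodes this at run time, which is why method 3 (behavioural,
    watching what the process does) is the layer left to catch it.
    """
    return bytes(b ^ key for b in sample)


if __name__ == "__main__":
    variant = make_variant(KNOWN_BAD, 1)
    print("signature on original :", signature_scan(KNOWN_BAD))
    print("signature on variant  :", signature_scan(variant))
    print("heuristic on variant  :", heuristic_scan(variant))
    print("heuristic on encoded  :", heuristic_scan(make_obfuscated_variant(KNOWN_BAD)))
    print("distinct hashes for 450 padded variants:", count_distinct_hashes(KNOWN_BAD, 450))
```

Every padded copy is a distinct hash, which is the arithmetic behind the "450K new variants per day" figure: a signature database only ever describes what has already been collected, and a one-byte change is a new file to it.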

Page 8: Endpoint Security Evasion

Other Solutions

• Whitelisting solutions

– Trust Java.exe – right? (the whitelisted application is the one that gets exploited)

– CNN.com is not compromised today (a trusted site can serve malicious content tomorrow)

• Network-based endpoint security

– HUH?

– Off the corporate network there is no protection – secure your computer by turning it off

• Continuous monitoring solutions

– SIEMs have been doing this for years

– There is a needle in that haystack, and you still have to find it

• Usability, scalability, resource consumption, false positives, etc.

Page 9: Endpoint Security Evasion

Invincea FreeSpace™

How it Works

Page 10: Endpoint Security Evasion

Invincea FreeSpace™ – Endpoint Innovation

Protect the User | Enterprise Endpoint Application | Data Collection

Application requirements:

• <90 MB RAM, 150 MB free disk space, Intel/AMD x86 chipset

Supported operating systems:

• Windows XP

• Windows 7 (32- and 64-bit)

• Windows 8.1

Invincea Management Server:

• Threat Data Server Module

– Optional integration to other technologies

• Config Management Module

– Track deployments

– Manage groups

– Maintain audit trail

– Schedule software updates

– Reporting

• Multiple deployment options

– Virtual appliance

– Physical appliance (1U rack-mounted)

– Cloud hosted

Invincea FreeSpace™:

• Endpoint application

• Priced per seat

• Subscription license

Protection options:

• Browsers (IE, Firefox, Chrome)

• PDF

• Office Suite (PPT, XLS, DOC)

Page 12: Endpoint Security Evasion

Endpoint Security in Real Life

Page 13: Endpoint Security Evasion

Real Life Security - Your Home

Page 17: Endpoint Security Evasion

Recap

• Front Door = Vulnerable Applications

– Entry point to the Endpoint

• Vulnerable Applications

– Web browsers, Office applications, PDF, media players, ZIP

• We’re all running them!

• And the bad guys know it!

• These applications are all vulnerable

– Have been breached

– Will continue to be breached

• So how is Invincea any different?

Page 18: Endpoint Security Evasion

Invincea Difference

• Traditional security applications are installed side by side with the vulnerable applications

– They can be broken, disabled or simply not working

• Invincea forces vulnerable applications to run inside the product

– The container is the first layer of security

• Breaching the vulnerable application is no longer a breach of the endpoint

• There will always be vulnerabilities

• Vulnerabilities leading to compromise are thwarted

Page 19: Endpoint Security Evasion

Demonstration

Page 20: Endpoint Security Evasion

Demonstration

• Environment

– Virtual Machine - Windows Defender & No Invincea

– Production Laptop - Invincea only

• Demonstration

– Open 2 separate Weaponized Word documents

• Download & execute malware

• Disable Windows Defender

– Download & execute malware
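The demo above, and the slide 5 list of what elevated malware does (stop processes, stop or disable services, tamper with the protection), describe a sequence a defender can at least look for after the fact. The following Python is an added example, not Invincea's code or part of the deck: it runs three detection rules over constructed event records that follow the demo's order on the unprotected VM (Word spawns a shell, a payload runs, Windows Defender is disabled, a second document repeats the trick). The field names are simplified stand-ins for the real Windows event schema; the Event IDs are the well-known ones (Sysmon 1 process create, Windows Defender 5001 real-time protection disabled, Service Control Manager 7036 service state change and 7040 start type change), and the paths and command line are invented.

```python
import ntpath
from dataclasses import dataclass, field


@dataclass
class Event:
    log: str          # which log the record came from: "Sysmon", "Defender", "System"
    event_id: int
    fields: dict = field(default_factory=dict)


# Constructed records; see the lead-in for what each stands for.
OFFICE15 = r"C:\Program Files\Microsoft Office\Office15"
SAMPLE_EVENTS = [
    Event("Sysmon", 1, {"ParentImage": r"C:\Windows\explorer.exe",
                        "Image": OFFICE15 + r"\WINWORD.EXE"}),                        # 0 user opens Word
    Event("Sysmon", 1, {"ParentImage": OFFICE15 + r"\WINWORD.EXE",
                        "Image": r"C:\Windows\System32\cmd.exe",
                        "CommandLine": "cmd.exe /c start payload.exe"}),             # 1 weaponized doc
    Event("Sysmon", 1, {"ParentImage": r"C:\Windows\System32\cmd.exe",
                        "Image": r"C:\Users\user\AppData\Local\Temp\payload.exe"}),  # 2 payload runs
    Event("Defender", 5001, {"Message": "Real-time protection is disabled."}),       # 3 Defender off
    Event("System", 7036, {"Service": "Windows Defender Service",
                           "State": "stopped"}),                                     # 4 service stopped
    Event("System", 7040, {"Service": "Windows Defender Service",
                           "NewStartType": "disabled"}),                             # 5 service disabled
    Event("System", 7036, {"Service": "Print Spooler", "State": "stopped"}),         # 6 unrelated
    Event("Sysmon", 1, {"ParentImage": OFFICE15 + r"\WINWORD.EXE",
                        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"}),  # 7 second doc
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "rundll32.exe", "regsvr32.exe"}
SECURITY_SERVICES = {"windows defender service", "windows defender antivirus service"}


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def office_spawns_shell(ev: Event) -> bool:
    """Word/Excel/PowerPoint should not be the parent of a shell or script host."""
    return (ev.log == "Sysmon" and ev.event_id == 1
            and _base(ev.fields.get("ParentImage", "")) in OFFICE_APPS
            and _base(ev.fields.get("Image", "")) in SHELLS)


def defender_realtime_disabled(ev: Event) -> bool:
    return ev.log == "Defender" and ev.event_id == 5001


def security_service_tampered(ev: Event) -> bool:
    """Security service stopped (7036) or its start type set to disabled (7040)."""
    if ev.log != "System" or ev.fields.get("Service", "").lower() not in SECURITY_SERVICES:
        return False
    if ev.event_id == 7036:
        return ev.fields.get("State", "").lower() == "stopped"
    if ev.event_id == 7040:
        return ev.fields.get("NewStartType", "").lower() == "disabled"
    return False


RULES = [
    ("office_spawns_shell", office_spawns_shell),
    ("defender_realtime_disabled", defender_realtime_disabled),
    ("security_service_tampered", security_service_tampered),
]


def detect(events):
    """Return (event index, rule name) for every record that trips a rule."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES if rule(ev)]


if __name__ == "__main__":
    for idx, name in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

Two caveats follow directly from the slides. Record 2, the payload itself executing, trips nothing: a fresh binary with no signature or parent-child anomaly of its own is exactly the "it only takes one" case. And because the malware is already running with elevated privileges by record 3, the same access that stops the Defender service can stop the agent that forwards these events, so the rules are only as good as the log pipeline the attacker did not get to first.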

Page 21: Endpoint Security Evasion

Questions?

Webinar Recording : http://www.invincea.com/2015/01/endpoint-security-evasion/

Demo Request: http://www.invincea.com/get-protected/enterprise-request-form

Invincea Research Edition: www.invincea.com/research-edition

Cynomix: www.cynomix.org

Page 22: Endpoint Security Evasion

Thank you!

Invincea: @Invincea

Jason Shupp: @JasonShupp

Learn more about Invincea’s solutions or visit our website at www.invincea.com

Contact us at 1-855-511-5967