Event holding slide (edist.it/wp-content/uploads/2018/02/soluzioni-sophos-sgn-mobile...)
TRANSCRIPT
Walter Narisoni, Sales Engineer Manager
Sophos History: Evolution to complete security
Sophos timeline:
• 1985: Founded in Abingdon (Oxford), UK, by Peter Lammer and Jan Hruska (c1985)
• 1988: First checksum-based antivirus software
• 1989: First signature-based antivirus software
• 1996: US presence established in Boston
• 2003: Voted best small/medium sized company in UK; acquired ActiveState
• 2008: Acquired Utimaco Safeware AG
• 2011 to 2013: Acquired Astaro; acquired DIALOGS; divested non-core Cyber business
• 2014: Acquired Cyberoam; acquired Mojave Networks
• 2015: IPO on the London Stock Exchange; launched Synchronized Security with Security Heartbeat; acquired Surfright; acquired Reflexion
• 2016: Acquired Barricade
• 2017: Acquired Invincea; acquired PhishThreat
Sophos Synchronized Security: Next-Gen Firewall, Wireless, Web, Next-Gen Endpoint, Mobile, Server and Encryption, managed through Sophos Central and linked by Security Heartbeat™.
The Threat Landscape Has Shifted
Breakdown of threats (Source: SophosLabs):
• Ransomware 26%
• Advanced Malware 20%
• Email Malware 20%
• Web Malware 12%
• Generic Malware 12%
• Cryptocurrency/Financial Malware 8%
• Privilege Escalation 1%
• Bots 1%
Exploits: most organizations have no exploit prevention^
Advanced Threats: 83% agree it has become more difficult to stop threats^
Ransomware: 54% of organizations were hit, twice on average, in 2017^
^Source: The State of Endpoint Security Today Survey
75%: 75% of the malicious files SophosLabs detects are found only within a single organization.
400,000: SophosLabs receives and processes 400,000 previously unseen malware samples each day.
Threats are unknown, making them harder to detect. (Source: SophosLabs)
The most comprehensive endpoint protection: Crypto-Ransomware, Evasive Attacker, Unknown Threats

Crypto-Ransomware: Stop Ransomware
• Behavioral Based Conviction
• Blocks Encryption and Boot Attacks
• Automatically Reverts Affected Files
• Identifies Source of Attack
Prevent Ransomware Attacks / Roll-Back Changes / Attack Chain Analysis

Real-Time Attacks: Deny the Hacker
• Protects against Real-Time Breaches
• Stops Credential Harvesting Attacks
• Prevents Persistence Techniques
• Blocks APC and Process Attacks
Prevent ‘Land and Expand’ / Protect Login Credentials / Expose Hackers in plain sight

Unknown Threats: Protect Against the Unknown
• Deep Learning Behavior Model
• Signatureless Exploit Prevention
• Malicious and Benign identification
• Tiny Footprint & Low False Positives
No User / Performance Impact / No File Scanning / No Signatures

Root Cause Analytics: Understanding the Who, What, When, Where, Why and How
Complete Next-Gen Endpoint Protection
Threats covered: Script-based Malware, Malicious URLs, Phishing Attacks, Removable Media, .exe Malware, Non-.exe Malware, Unauthorized Apps, Exploits
• Via Invincea, pre-execution malware prevention that is highly scalable, fast, and effective, especially against zero-day threats. Invincea’s pioneering ML technology delivers high detection rates and very low FP rates, which is unique.
• Effective for run-time prevention of exploit-based malware such as ransomware. Sophos Intercept X delivers highly effective next-gen exploit prevention capabilities.
• Heuristic detections based on the behaviors of execution to stop evasive malware before damage occurs.
• Knowing the source/reputation of a file, URL, email, etc. can prevent an attack before it happens. Includes technologies such as MTD, download reputation, URL filtering, secure email gateway, etc.
• For server or locked-down endpoint environments, app control prevents unknown/unwanted apps from running.
• The only effective defense against in-memory malware.
• The only effective way to set policy to ensure removable media cannot put an organization at risk.
• Provides reliable detection of script, document, and macro malware, and an efficient first line of defense against known executable variants.
Synchronized Security; Sophos Central Management (documents such as .doc, .xls, .pdf)
Introducing the ultimate in Machine Learning
Deep Learning Neural Network vs. Conventional Machine Learning:
• Higher proactive detection rates
• Better performance (smaller model sizes)
• Better accuracy (fewer false positives)
Conventional machine learning: pre-designed model, trained on data. Deep learning: neural network model based on the human brain; the model adapts as it learns.
[Diagram: attributes as inputs to a neural network producing an output]
Predictive Security: Detecting Unknown Malware
[Chart: True Positive Rate (TPR, 0% to 100%, up is best) against False Positive Rate (FPR, 1/1,000,000 to 1/1 on a log scale from 10^-6 to 10^0, left is best). Points shown: Perfect Security, Traditional Endpoint Security, Machine Learning Endpoint Security, and Sophos; a 50% mark is also shown.]
Endpoint Technologies
[Slide illustration: pre-execution and post-execution technologies: Anti-Virus, Exploit Prevention, Behaviour Monitoring, Machine Learning, Synchronized Security; cartoon labels "Bank", "Wanted", "Suspicious"]
Intercept X V2
Part I - Active Adversary
o Credential theft protection
o New process protection techniques
- Code cave utilization
- Malicious process migration
- Process privilege escalation
- APC protection (Atom bombing)
o New registry protections
- Sticky key protection
- Application verifier protection
o Improved process lockdown
- Browser behaviour lockdown
- HTA application lockdown
Part II – Deep Learning
o Deep Learning Model
- Detect malicious and potentially unwanted executables
o False positive mitigations
- Whitelisting
o Directed Clean-up
- Quarantine and restore capability
Documents
o Active Adversary Mitigations
o Deep Learning explained
o Intercept X Features explained
Videos
o Demonstrations of product in action
Some of the Exploit and Active Adversary Techniques Stopped by Intercept X
• Enforce data execution prevention
• Mandatory address space layout randomization
• Bottom-up ASLR
• Null page dereference
• Heap spray allocation
• Dynamic heap spray
• Stack pivot and stack exec (memory protection)
• Stack-based ROP (caller)
• Structured exception handling overwrite (SEHOP)
• Import address table filtering (IAF)
• Load library
• Reflective DLL injection
• Malicious shellcode
• VBScript god mode
• WOW64
• Syscall
• Hollow process
• DLL hijacking
• Squiblydoo
• Applocker bypass
• APC protection (Double Pulsar / Atom Bombing)
• Process privilege escalation
• Credential theft protection
• Code cave mitigation
• MITB protection (Safe Browsing)
• Malicious traffic detection
• Meterpreter shell detection
SOPHOS INTERCEPT X: THE POWER OF THE PLUS
• Known threats: Foundational
• Ransomware: CryptoGuard
• Unknown executables: Deep Learning
• Exploits & file-less: Anti-Exploit Techniques
The World’s Best Endpoint Protection
• Stop unknown threats with deep learning: detects new and unknown malware using advanced machine learning
• Prevent ransomware with CryptoGuard: stops ransomware, and rolls back files to their safe states
• Deny the attacker with exploit prevention: blocks the exploit techniques hackers use to carry out their attacks
“Intercept X stopped every complex, advanced attack we threw at it.” ESG Labs
“Intercept X stopped all ransomware attacks we tested against it – in seconds.” ESG Labs
“One of the best performance scores we have ever seen in our tests.” Maik Morgenstern, CTO, AV-TEST
Complete Next-Gen Endpoint Security
Legend: X = Intercept X, * = Endpoint Protection Advanced, # = Endpoint Protection Standard. Feature categories: Control, Pre-Execution, Code Execution, Response, Visibility.
• Peripheral Control *
• Application Control *
• Firewall Control *# (Coming Soon)
• Web Control *
• Data Loss Prevention *
• Web Security *#
• Download Reputation *#
• Genotype Behaviors *#
• Deep Learning File Scanning X
• Signature File Scanning *#
• Live Cloud Lookup *#
• Code Behavior Analysis *#
• HIPS Behavior Analysis *#
• CryptoGuard X
• WipeGuard X
• Malicious Traffic Detection X*
• Active Adversary Mitigation X
• Anti-Exploit X
• Man-in-the-browser Protection X
• Synchronized Security Heartbeat X*
• Synchronized Application ID X*
• Synchronized Encryption X*
• Block X*#
• Quarantine X*#
• Clean X
• Roll Back X
• Root Cause Analysis X
• Dashboard X*#
• Alerts X*#
• Logs & Reports X*#
• Data sharing API X*#
• Central Management X*#
Sophos Central: Manage Multiple Sophos Products from a Single Dashboard
Next-Gen Protection and Analytics across: Next-Gen Firewall, Wireless, Web, Disk Encryption, UTM, File Encryption, Endpoint, Next-Gen Endpoint, Mobile, Server, Cloud Intelligence, Centralized Policy Management
Sophos Sandstorm
How Sophos Sandstorm works
1. If the file has known malware it’s blocked immediately. If it’s otherwise suspicious, and hasn’t been seen before, it will be sent to the sandbox for further analysis. When web browsing, users see a patience message while they wait.
2. The file is detonated in the safe confines of the sandbox and monitored for malicious behaviour. A decision to allow or block the file will be sent to the security solution once the analysis is complete.
3. A detailed report is provided for each file analyzed.
Advanced Threat Defense Made Simple: Secure Web Gateway, Secure Email Gateway, Unified Threat Management, Next-Gen Firewall
Next-Gen Data Protection
Sophos SafeGuard Enterprise: Protecting Data wherever it goes!
• Multi-Platform Support: Mac/PC computer, phone, tablet
• File Encryption by Default
• Synchronized Encryption: by default, everywhere, always on
• Enforcement of Trusted Applications: User Trust, Application Trust, Device Trust
• Cloud Collaboration: prevent hackers from accessing data stored in the Cloud (content shared via email and from the Cloud; content stored in the Cloud)
• External Sharing of Encrypted Documents
Sophos Mobile Control 7
Sophos Mobile in brief
• Sophos Mobile is a complete EMM solution
• Mobile device management, data protection, containers, easy-to-use management console, mobile security
• Manage iOS, Android, Windows 10 Mobile, Windows 10 desktops
• Either hosted in Sophos Central or available on-premise
EMM – Enterprise Mobility Management comprises:
• MDM – Mobile Device Management
• MAM – Mobile Application Management
• MSM – Mobile Security Management
• MCM – Mobile Content Management
Mobile Device Management
• Easy to use management UI and dashboard
• Inventory and asset management
• Remote device configuration
• Loss and theft protection
• Compliance checks and enforcement
• Self Service Portal
• Apple DEP support
• Control built-in containerisation from iOS, Android Enterprise and Samsung Knox
• iOS, Android, Windows 10 Mobile, Windows 10 desktops
o Includes extended MDM support for Samsung, LG and Sony Android devices
Mobile Application Management
• Remote app installation and removal
• Enterprise App Store
• Apple VPP and Google Play for Work support
• View installed apps on device
• White-listing/Black-listing
• Block apps from running
• Control App Store access
• Network usage rules for apps
Mobile Content Management
• Securely allow access to data and content
o Publish corporate documents from Sophos Mobile
o Access via cloud storage or enterprise file systems
• Award-winning data protection keeps documents on the device secure
• Documents stored encrypted in the secure container
• View, edit and annotate documents for collaboration
• Data Leak Prevention rules control sharing
Mobile Security Management
• Award-winning mobile malware protection
• Jailbreak or Rooting detection
• Device attestation
• OS version control and patch level visibility
• Web Filtering
• Spam Protection
• Additional security tools and advisors
o Privacy Advisor
o Authenticator
o Secure QR Code Scanner
Mobile Email Management
• Native email client configuration
• Compliance-based email access
• Certificate deployment
• Corporate wipe of mail
• Supported email systems
o Exchange
o Lotus Domino, Zimbra
o IMAP/POP, CardDAV, CalDAV (iOS)
Containers – Separate Business and Personal Data
[Diagram: Personal and Business containers side by side]
Samsung Knox Container
Manage Samsung Knox Container
• License management
• Provisioning
• Configuration
• App management
• Decommissioning
• Lock
Container Overview
• Sophos Secure Email
o Corporate Email
o Corporate Contacts
o Corporate Calendar
• Sophos Secure Workspace
o Corporate Documents
o Corporate Browser
o Seamless encrypted content
Container Apps
SGN Shared Keyring (in SSW)
[Diagram: SSW, SMC Server and SGN Server; arrow labelled "Request keys for user"]
• SSW requests keys from an SGN user
• If the user has proper authentication and the device is compliant, the keys are provided. This gives seamless access to encrypted documents.
Synchronized Security: Lateral Movement Detection and Prevention
Credential Theft Attempt – Detected By Intercept X
[Diagram: Internet, XG Firewall, Endpoints and Servers linked by Security Heartbeat™]
Lateral Movement Detection and Prevention: Detection and Isolation
[Diagram: Internet, XG Firewall, Endpoints and Servers linked by Security Heartbeat™]
Lateral Movement Detection and Prevention: Detection and Isolation – Destination Based Rules
[Diagram: Internet, XG Firewall, Endpoints and Servers linked by Security Heartbeat™]
Synchronized App Control
Taking Application Visibility and Control to a whole new level with Synchronized Security
What Firewalls See Today What XG Firewall Sees
All firewalls today depend on static application signatures to identify apps. But those don’t work for most custom, obscure, evasive, or any apps using generic HTTP or HTTPS. You can’t control what you can’t see.
XG Firewall utilizes Synchronized Security to automatically identify, classify, and control all unknown applications. Easily blocking the apps you don’t want and prioritizing the ones you do.
Three Winning XG Sales Plays
1. Aggressive Firewall Replacement
2. Opportunistically pursue Pragmatic Enterprise
3. Cross-Sell to Intercept X Install Base
Who to target… and how…
1. Aggressive Firewall Replacement: replace SonicWALL, WatchGuard, and legacy UTM. Targets: primary <100 users, secondary <500 users, UTM deployments, lite campus edge (NGFW). Lead with industry accolades, key differentiators, Sync Security.
2. Pragmatic Enterprise: inline deployment (for Synchronized Security); pursue opportunistically, SE validation needed; targets Cisco/PAN/Checkpoint/Fortinet. Lead with enabling Synchronized Security; be prepared to pivot between firewall replacement and inline deployment.
3. Cross-Sell to Intercept X Install Base: Discover Mode (off to the side) deployment, no impact or risk to the network; enables Synchronized Security reporting and visibility only. Piggyback off of huge Intercept X demand/growth (Central EP install base); get into the rack.
Lateral Movement Detection and Prevention: Detection and Isolation – Endpoint Stonewalling
[Diagram: Internet, XG Firewall, Endpoints and Servers linked by Security Heartbeat™]
Lateral Movement Detection and Prevention: Detection and Isolation – Wireless Heartbeat
[Diagram: Internet, XG Firewall, Endpoints and Servers linked by Security Heartbeat™]
How far do you want to go to manage the risk?
Causes of data loss (in the order shown on the slide): Hacking or malware 57%, Physical loss 7%, Portable devices 10%, Unintended disclosure 22%, Other 4%
Scenarios: malware, unauthorized access; lost or stolen laptops/drives; lost or stolen phones/tablets; loss via email; loss via cloud storage; human error; malicious insider
Data Security Scale: from Sophos Central to Sophos SafeGuard