event holding slide - edist.itedist.it/wp-content/uploads/2018/02/soluzioni-sophos-sgn-mobile... ·...

Walter Narisoni Sales Engineer Manager

Upload: phamthu

Post on 19-Jul-2018


Page 1: Event holding slide - edist.itedist.it/wp-content/uploads/2018/02/Soluzioni-Sophos-SGN-Mobile... · Meterpreter shell detection. SOPHOS INTERCEPT X: THE POWER OF THE PLUS KNOWN THREATS

Walter Narisoni Sales Engineer Manager


Sophos History: Evolution to complete security

1985

Founded in Abingdon (Oxford), UK

Peter Lammer c1985

Jan Hruska c1985

Divested non-core Cyber business

Acquired DIALOGS

Acquired Astaro

2011 2012 2013

Acquired Utimaco Safeware AG

2008 1988

First checksum-based antivirus software

1989

First signature-based antivirus software

1996

US presence established in Boston

Voted best small/medium sized company in UK

Acquired ActiveState

2014

Acquired Cyberoam

Acquired Mojave Networks

Acquired Barricade

IPO London Stock Exchange

Launched Synchronized Security with Security Heartbeat

2003 2015

Acquired Surfright

2017

Acquired Invincea

2016

Acquired PhishThreat

Acquired Reflexion


Next-Gen Firewall

Wireless

Web

Email

Next-Gen Endpoint

Mobile

Server

Encryption

Sophos Central

Security Heartbeat™

Sophos Synchronized Security


The Threat Landscape Has Shifted

Ransomware 26%

Advanced Malware 20%

Email Malware 20%

Web Malware 12%

Generic Malware 12%

Cryptocurrency/Financial Malware 8%

Privilege Escalation 1%

Bots 1%

Exploits

Most organizations have no exploit prevention^

83% agree it has become more difficult to stop threats ^

Advanced Threats

Ransomware

54% of organizations hit twice on average in 2017^

^Source: The State of Endpoint Security Today Survey

Source: SophosLabs


75%

75% of the malicious files SophosLabs detects are found only within a single organization.

400,000

SophosLabs receives and processes 400,000 previously unseen malware samples each day.

Threats are unknown, making them harder to detect

Source: SophosLabs


CRYPTO

RANSOMWARE

The most comprehensive endpoint protection

EVASIVE

ATTACKER

UNKNOWN

THREATS

Crypto-Ransomware

Stop Ransomware

• Behavioral Based Conviction

• Blocks Encryption and Boot Attacks

• Automatically Reverts Affected Files

• Identifies Source of Attack

Prevent Ransomware Attacks

Roll-Back Changes

Attack Chain Analysis

Deny the Hacker

• Protects against Real-Time Breaches

• Stops Credential Harvesting Attacks

• Prevents Persistence Techniques

• Blocks APC and Process Attacks

Real-Time Attacks

Prevent ‘Land and Expand’

Protect Login Credentials

Expose Hackers in plain sight

Protect Against the Unknown

• Deep Learning Behavior Model

• Signatureless Exploit Prevention

• Malicious and Benign identification

• Tiny Footprint & Low False Positives

Unknown Threats

No User / Performance Impact

No File Scanning

No Signatures


Root Cause Analytics: Understanding the Who, What, When, Where, Why and How


Complete Next-Gen Endpoint Protection

Script-based Malware

Malicious URLs

Phishing Attacks

Removable Media

.exe Malware

Non-.exe Malware

Unauthorized Apps

Exploits

Via Invincea, pre-execution malware prevention that is highly scalable, fast, and effective, especially against zero-day threats. Invincea’s pioneering ML technology delivers high detection rates and very low FP rates, which is unique.

Effective for run-time prevention of exploit-based malware such as ransomware. Sophos Intercept X delivers highly-effective next-gen exploit prevention capabilities.

Heuristic detections based on the behaviors of execution to stop evasive malware before damage occurs.

Knowing the source/reputation of a file, URL, email, etc. can prevent an attack before it happens. Includes technologies such as MTD, download reputation, URL filtering, secure email gateway, etc.

For server or locked-down endpoint environments, app control prevents unknown / unwanted apps from running.

The only effective defense against in-memory malware.

The only effective way to set policy to ensure removable media cannot put an organization at risk.

Provides reliable detection of script, document, and macro malware, and an efficient first line of defense against known executable variants.

Synchronized Security

Sophos Central Mgmt.

.doc .xls .pdf


DEEP LEARNING NEURAL NETWORK

CONVENTIONAL MACHINE LEARNING

Introducing the ultimate in Machine Learning

Higher proactive detection rates

Better Performance – smaller model sizes

Better Accuracy – fewer False Positives

Pre-designed model, trained on data

Neural network model based on human brain, model adapts as it learns

[Diagram: INPUT, four ATTRIBUTE nodes, OUTPUT]


Predictive Security: Detecting Unknown Malware

[Chart: True Positive Rate (TPR), up is best, against False Positive Rate (FPR), left is best, with "Perfect Security" marked; series: Traditional Endpoint Security, Machine Learning Endpoint Security, Sophos]


Endpoint Technologies

Bank

Behaviour Monitoring

Machine Learning

Suspicious

Synchronized Security

Pre-execution Post-execution

Anti-Virus

WANTED

Exploit Prevention


Endpoint Technologies

Bank

Synchronized Security


Intercept X V2

Part I - Active Adversary

o Credential theft protection

o New process protection techniques

  - Code cave utilization

  - Malicious process migration

  - Process privilege escalation

  - APC protection (Atom bombing)

o New registry protections

  - Sticky key protection

  - Application verifier protection

o Improved process lockdown

  - Browser behaviour lockdown

  - HTA application lockdown

Part II – Deep Learning

o Deep Learning Model

  - Detect malicious and potentially unwanted executables

o False positive mitigations

  - Whitelisting

o Directed Clean-up

  - Quarantine and restore capability

Documents

o Active Adversary Mitigations

o Deep Learning explained

o Intercept X Features explained

Videos

o Demonstrations of product in action


Some of the Exploit and Active Adversary Techniques Stopped by Intercept X

Enforce data execution prevention

Mandatory address space layout randomization

Bottom-up ASLR

Null page dereference

Heap spray allocation

Dynamic heap spray

Stack pivot and stack exec (memory protection)

Stack-based ROP (caller)

Structured exception handling overwrite (SEHOP)

Import address table filtering (IAF)

Load library

Reflective DLL injection

Malicious shellcode

VBScript god mode

WOW64

Syscall

Hollow process

DLL hijacking

Squiblydoo Applocker bypass

APC protection (Double Pulsar / Atom Bombing)

Process privilege escalation

Credential theft protection

Code cave mitigation

MITB protection (Safe Browsing)

Malicious traffic detection

Meterpreter shell detection


SOPHOS INTERCEPT X: THE POWER OF THE PLUS

KNOWN THREATS

RANSOMWARE

UNKNOWN EXECUTABLES

EXPLOITS & FILE-LESS

FOUNDATIONAL

CRYPTOGUARD

DEEP LEARNING

ANTI-EXPLOIT TECHNIQUES


The World’s Best Endpoint Protection

Stop unknown threats with deep learning

Detects new and unknown malware using advanced machine learning

Prevent ransomware with CryptoGuard

Stops ransomware, and rolls back files to their safe states

Deny the attacker with exploit prevention

Blocks the exploit techniques hackers use to carry out their attacks

Intercept X stopped every complex, advanced attack we threw at it.

ESG Labs

Intercept X stopped all ransomware attacks we tested against it – in seconds.

Maik Morgenstern, CTO, AV-TEST

One of the best performance scores we have ever seen in our tests.


Complete Next-Gen Endpoint Security

Peripheral Control *

Application Control *

Firewall Control *#

Coming Soon

Web Control *

Data Loss Prevention *

Web Security *#

Download Reputation *#

Genotype Behaviors *#

Deep Learning File Scanning X

Signature File Scanning *#

Live Cloud Lookup *#

Code Behavior Analysis *#

HIPS Behavior Analysis *#

CryptoGuard X

WipeGuard X

Malicious Traffic Detection X*

Active Adversary Mitigation X

Anti-Exploit X

Man-in-the-browser Protection X

Synchronized Security Heartbeat X*

Synchronized Application ID X*

Synchronized Encryption X*

Block X*#

Quarantine X*#

Clean X

Roll Back X

Root Cause Analysis X

Dashboard X*#

Alerts X*#

Logs & Reports X*#

Data sharing API X*#

Central Management X*#

CONTROL PRE-EXECUTION CODE EXECUTION

RESPONSE VISIBILITY

Legend: X = Intercept X; * = Endpoint Protection Advanced; # = Endpoint Protection Standard


Sophos Central: Manage Multiple Sophos Products from a Single Dashboard


Next-Gen Protection

Analytics

Next-Gen Firewall

Wireless

Web

Email

Disk Encryption

UTM

File Encryption

Endpoint

Next-Gen Endpoint

Mobile

Server

Cloud Intelligence

Centralized Policy Management


Sophos Sandstorm

How Sophos Sandstorm works

1. If the file has known malware it’s blocked immediately. If it’s otherwise suspicious, and hasn’t been seen before, it will be sent to the sandbox for further analysis. When web browsing, users see a patience message while they wait.

2. The file is detonated in the safe confines of the sandbox and monitored for malicious behaviour. A decision to allow or block the file will be sent to the security solution once the analysis is complete.

3. A detailed report is provided for each file analyzed.

Advanced Threat Defense Made Simple

Secure Web Gateway

Secure Email Gateway

Unified Threat Management

Next-Gen Firewall


Next-Gen Data Protection


Sophos SafeGuard Enterprise

Protecting Data wherever it goes!


Multi-Platform Support

Mac/PC Computer

Phone

Tablet


File Encryption by Default

Synchronized Encryption

BY DEFAULT

EVERYWHERE

ALWAYS ON


Enforcement of Trusted Applications

User Trust Application Trust Device Trust


Cloud Collaboration


Prevent hackers from accessing data stored in the Cloud

Content shared via email and from the Cloud

Content stored in the Cloud


External Sharing of Encrypted Documents


Sophos Mobile Control 7


Sophos Mobile in brief


• Sophos Mobile is a complete EMM solution

• Mobile device management, data protection, containers, easy-to-use management console, mobile security

• Manage iOS, Android, Windows 10 Mobile, Windows 10 desktops

• Either hosted in Sophos Central or available on-premise

EMM – Enterprise Mobility Management

MDM – Mobile Device Management

MAM – Mobile Application Management

MSM – Mobile Security Management

MCM – Mobile Content Management


Mobile Device Management


• Easy to use management UI and dashboard

• Inventory and asset management

• Remote device configuration

• Loss and theft protection

• Compliance checks and enforcement

• Self Service Portal

• Apple DEP support

• Control built-in containerisation from iOS, Android Enterprise and Samsung Knox

• iOS, Android, Windows 10 Mobile, Windows 10 desktops

  o Includes extended MDM support for Samsung, LG and Sony Android devices


Mobile Application Management


• Remote app installation and removal

• Enterprise App Store

• Apple VPP and Google Play for Work support

• View installed apps on device

• White-listing/Black-listing

• Block apps from running

• Control App Store access

• Network usage rules for apps


Mobile Content Management


• Securely allow access to data and content

  o Publish corporate documents from Sophos Mobile

  o Access via cloud storage or enterprise file systems

• Award-winning data protection keeps documents on the device secure

• Documents stored encrypted in the secure container

• View, edit and annotate documents for collaboration

• Data Leak Prevention rules control sharing


Mobile Security Management


• Award-winning mobile malware protection

• Jailbreak or Rooting detection

• Device attestation

• OS version control and patch level visibility

• Web Filtering

• Spam Protection

• Additional security tools and advisors

o Privacy Advisor

o Authenticator

o Secure QR Code Scanner


Mobile Email Management


• Native email client configuration

• Compliance-based email access

• Certificate deployment

• Corporate wipe of mail

• Supported email systems

o Exchange

o Lotus Domino, Zimbra

o IMAP/POP, CardDAV, CalDAV (iOS)


Containers – Separate Business and Personal Data


PERSONAL

BUSINESS


Samsung Knox Container


Manage Samsung Knox Container

• License management

• Provisioning

• Configuration

• App management

• Decommissioning

• Lock


Container Overview


• Sophos Secure Email

o Corporate Email

o Corporate Contacts

o Corporate Calendar

• Sophos Secure Workspace

o Corporate Documents

o Corporate Browser

o Seamless encrypted content


Container Apps


SGN Shared Keyring (in SSW)

SMC Server SGN Server

SSW

• SSW requests keys from an SGN user

• If user has proper authentication and the device is compliant, the keys are provided

This gives seamless access to encrypted documents

Request keys for user


Synchronized Security


Lateral Movement Detection and Prevention

Credential Theft Attempt – Detected By Intercept X

Security Heartbeat™

Internet

XG Firewall Endpoints

Servers


Security Heartbeat™

Lateral Movement Detection and Prevention

Security Heartbeat™

Detection and Isolation

Internet

XG Firewall Endpoints

Servers


Lateral Movement Detection and Prevention

Detection and Isolation – Destination Based Rules

Internet

XG Firewall Endpoints

Servers

Security Heartbeat™


Synchronized App Control


Taking Application Visibility and Control to a whole new level with Synchronized Security

What Firewalls See Today What XG Firewall Sees

All firewalls today depend on static application signatures to identify apps. But those don’t work for most custom, obscure, evasive, or any apps using generic HTTP or HTTPS. You can’t control what you can’t see.

XG Firewall utilizes Synchronized Security to automatically identify, classify, and control all unknown applications. Easily blocking the apps you don’t want and prioritizing the ones you do.


Three Winning XG Sales Plays

1. Aggressive Firewall Replacement

2. Opportunistically pursue Pragmatic Enterprise

3. Cross-Sell to Intercept X Install Base

Who to target… and how…

Replace SonicWALL, WatchGuard, and Legacy UTM

Primary <100 Users, Secondary <500 Users, UTM Deployments, Lite Campus Edge (NGFW)

Lead with Industry Accolades, Key Differentiators, Sync Security

Inline Deployment (for Synchronized Security)

Opportunistically pursue Pragmatic Enterprise, SE validation needed

Cisco/PAN/Checkpoint/Fortinet

Lead with enabling Synchronized Security

Be prepared to pivot between firewall replacement and inline deployment

Discover Mode (off to the side) deployment, no impact or risk to network

Enables Synchronized Security reporting and visibility only

Piggyback off of huge Intercept X demand/growth (Central EP Install base)

Get into the rack


Security Heartbeat™

Lateral Movement Detection and Prevention

Security Heartbeat™

Detection and Isolation – Endpoint Stonewalling

Internet

XG Firewall Endpoints

Servers


Security Heartbeat™

Lateral Movement Detection and Prevention

Detection and Isolation – Wireless Heartbeat

Internet

XG Firewall Endpoints

Servers

Security Heartbeat™

Security Heartbeat™


Malware, unauth. access

Lost or stolen laptops/drives

Lost or stolen phones/tablets

Loss via email

Loss via cloud storage

Human error

Malicious insider

Hacking or malware 57%

Physical loss 7%

Portable devices 10%

Unintended disclosure 22%

Other 4%

How far do you want to go to manage the risk?

DATA SECURITY SCALE

Sophos Central Sophos SafeGuard
