Sophos UTM 9 - Infinigate (Schweiz)
XG Firewall: "Cybercriminals beware: an IQ push for firewalls"

Posted on 10-Feb-2020

Sophos Sandstorm - 0-Day Malware Protection

Available for:
• Sophos UTM / SG
• Sophos XG Firewall
• Sophos Email Appliance
• Sophos Web Appliance
• Sophos Central Mail
• Sophos Data Center

Sandstorm and Deep Learning

New - Sandstorm Deep Threat Prevention: your best protection from zero-day threats, going well beyond normal behavioural analysis. Sandstorm prevention goes beyond endpoint or firewall.

Analysis layers: Deep Memory Analysis, Deep Behavioural Analysis, Deep Network Analysis, Deep Learning Analysis.

• Frequent & aggressive run-time analysis
• Initial & post-execution memory inspection & analysis
• Sandbox evasion techniques, API & file system behavior
• Full port and protocol analysis
• Analysis of all dropped executables
• Intercept X exploit detection & CryptoGuard
• IPS detections coming soon
• Continuously adaptive learning model

Now Powered by Deep Learning

Sandstorm now has the same Deep Learning technology as Intercept X.

• ~75,000 suspicious files submitted each week
• ~10,000 malware and PUA files stopped each week

How sandboxing with Deep Learning beats endpoint & firewall detection:
✓ More aggressive & frequent memory analysis
✓ Added behavioral analysis scrutiny
✓ More thorough network activity analysis

Deep Learning in Sandstorm is increasing conviction by 10%.

Machine Learning Decision Boundary

Chart: true positive rate (TPR, up is best) against false positive rate (FPR, left is best) on a logarithmic FPR axis from 1/1,000,000 (10^-6) to 1/1 (10^0), with "Perfect Security" in the top-left corner. Curves shown: Traditional Endpoint Security, Machine Learning Endpoint Security, Sophos Deep Learning.

• Aggressive vendor models lead to high false positives
• Sophos: an aggressive model with lower false positives

Source: SophosLabs analysis of malware found in the wild

Sophos Deep Learning Malware Detection Features

• Identifies both known and never-seen-before malware
• Classifies files as malicious, potentially unwanted apps (PUA), or benign
• Does not rely on signatures
• Engine identifies malware in approx. 20 milliseconds
• Extremely small footprint (under 20 MB) with infrequent updates
• Stops threats before they get on the network

Sophos Deep Learning Advantages

• Performance: stops unknown malware without signatures; detects and stops threats in 20 milliseconds
• Experience: in development since 2010; created by data scientists at SophosLabs with DARPA-driven technology; SophosLabs: trained on hundreds of millions of samples
• Proven: #1 malware detection rate in the industry; validated on VirusTotal since August 2016, 3rd-party validated

"One of the best performance scores we have ever seen in our tests"
- Maik Morgenstern, CTO, AV-TEST

Powerful cloud-based next-generation sandbox

• Cloud-based sandbox
• Safe, isolated environment
• Does not impact firewall performance at all
• Executes untrusted programs (detonating them in a virtual machine)
• Determines whether programs contain malicious code
• Behavioral detection + Deep Learning
• Including detection of several sandbox evasion techniques

Cloud-sandboxing (diagram labels): Suspect, "Hash?", Sophos Sandstorm (determine behavior with machine learning), Control, Report.

Behavioral detection + deep learning

File Submission
• Detect suspicious files
• Pick execution environment

Attack Replay
• Event logging
• Payload extraction
• Anti-evasion

Behavior Analysis
• Rules
• Patterns
• Event correlations
(Detects threats with known malicious behaviors)

Deep Learning
• Detect unknown executable threats
(Stops 10% more of EXE malware)

Now even Deeper Protection - Powered by Deep Learning / File type breakdown

~75,000 suspicious files submitted each week; ~10,000 malware and PUA files stopped each week.

Files submitted, by type: Office 60%, Archive 19%, EXE 15%, Other 5%, Script 1%.
Files detected, by type: Archive 39%, EXE 34%, Office 20%, Other 6%, Script 1%.

Sandbox Analysis - % conviction per file type (chart): percent of submissions identified as malware or PUA and stopped, per file type. Bars in axis order (Script, Archive, EXE, Other, Office): 13%, 34%, 40%, 20%, 5%.

New APX Series

What's New in Wireless v2.0 - Highlights

• APX Series: Security Heartbeat™ enabled next-gen access points
• Synchronized Security with Endpoint and Mobile: health-based network access control and visibility
• Enhanced Rogue AP Detection: visibility into potential threats to your network
• Easier Onboarding: bulk provisioning - register up to 30 APs in a single step

Better performance, better visibility and control, better user experience. No firewall required for Security Heartbeat with Wireless.

APX - Next Generation Access Points - 802.11ac Wave 2

• APX 740: Flagship 4x4:4 access point with high density and high capacity for the mid-market enterprise
• APX 530: High-performance 3x3:3 access point for the carpeted enterprise of all sizes
• APX 320: 2x2:2 dual-5 GHz access point, ideal for tablets/phones and high-density environments in education and small retail scenarios

All APX models have a 5-year warranty.

Availability: support in Central from July; order from Aug 3 2018; support in XG from late 2018 (17.5 MR). No support in SG UTM planned. APX will not be certified in all regions: no launch planned in China, Taiwan, Malaysia; Japan will be late 2018, as will Brazil.

APX Hardware Positioning

TODAY - AP Series
• GOOD, indoor: AP 15 / AP 15C - 2x2 MIMO, single radio, 802.11n
• BETTER, indoor: AP 55 / AP 55C - 2x2 MIMO, dual radio, 802.11ac Wave 1
• BEST, indoor: AP 100 / AP 100C - 3x3 MIMO, dual radio, 802.11ac Wave 1
• BEST, outdoor: AP 100X - 3x3 MIMO, dual radio, 802.11ac Wave 1

NEW - APX Series (802.11ac Wave 2)
• Flagship, indoor/ceiling/wall: APX 740 - 4x4 MIMO, dual radio, 2.4 and 5 GHz, BLE
• BEST, indoor/ceiling/wall: APX 530 - 3x3 MIMO, dual radio, 2.4 and 5 GHz, BLE
• BETTER, indoor/ceiling/wall: APX 320 - 2x2 MIMO, dual radio, 2.4/5 and 5 GHz, BLE
• GOOD, indoor: APX 120 (NOV) - 2x2 MIMO, dual radio, details TBC
• All other models TBC

Understanding APX Naming

Example: APX 320
• APX - next-gen, Security Heartbeat enabled access point, described as the APX Series (legacy models will be referred to as the AP Series)
• 3 - range or model series (think BMW)
• 2 - MIMO capabilities: 2 = 2x2, 3 = 3x3, 4 = 4x4
• 0 - product generation, starting with '0'; the next generation would be 1 (or at least that's the plan...)

Wireless APX Buyer Persona vs. Positioning

APX 740 (MIMO 4x4:4)
• Density (number of clients connecting): HIGH
• Capacity (what load the APX can handle): HIGH
• Performance (benefits for high-performance clients): HIGH
• Typical deployment: larger offices, high-tech, high bandwidth consumption

APX 530 (MIMO 3x3:3)
• Density: MEDIUM
• Capacity: HIGH
• Performance: HIGH
• Typical deployment: medium office environment, high-performance clients connecting

APX 320 (MIMO 2x2:2)
• Density: MEDIUM (2.4 GHz), HIGH (dual 5 GHz)
• Capacity: MEDIUM
• Performance: MEDIUM
• Typical deployment: areas like schools, larger numbers of medium-performance clients

APX 120 (MIMO 2x2:2, NOV)
• Density: LOW to MEDIUM
• Capacity: LOW
• Performance: LOW
• Typical deployment: basic connectivity, small retail, budget-conscious deployments

APX - Technical Specification

Common to APX 320 / APX 530 / APX 740
• Management: Sophos Central; XG Firewall planned for late 2018
• Deployment: indoor; desktop, wall, or ceiling mount
• WLAN standards: 802.11 a/b/g/n/ac

APX 320
• Radios: 1x 2.4 GHz/5 GHz dual-band, 1x 5 GHz single band, 1x Bluetooth Low Energy (BLE)
• Antennas: 2x internal dual-band antenna for Radio-1, 2x internal 5 GHz antenna for Radio-2, 1x internal 2.4 GHz antenna for BLE
• Performance: 2x2:2 MU-MIMO
• Interfaces: 1x RJ45 console serial port, 1x RJ45 10/100/1000 Ethernet w/PoE
• Power (max.): 11.5 W
• Power-over-Ethernet (min.): PoE 802.3af
• Dimensions: 155x155x38 mm
• Weight: 0.474 kg

APX 530
• Radios: 1x 2.4 GHz single band, 1x 5 GHz single band, 1x Bluetooth Low Energy (BLE)
• Antennas: 3x internal 2.4 GHz antenna for Radio-1, 3x internal 5 GHz antenna for Radio-2, 1x internal 2.4 GHz antenna for BLE
• Performance: 3x3:3 MU-MIMO
• Interfaces: 1x RJ45 console serial port, 1x RJ45 10/100/1000 Ethernet port, 1x RJ45 10/100/1000 Ethernet w/PoE
• Power (max.): 16.7 W
• Power-over-Ethernet (min.): PoE+ 802.3at
• Dimensions: 183x183x39 mm
• Weight: 0.922 kg

APX 740
• Radios: 1x 2.4 GHz single band, 1x 5 GHz single band, 1x Bluetooth Low Energy (BLE)
• Antennas: 4x internal 2.4 GHz antenna for Radio-1, 4x internal 5 GHz antenna for Radio-2, 1x internal 2.4 GHz antenna for BLE
• Performance: 4x4:4 MU-MIMO
• Interfaces: 1x RJ45 console serial port, 1x RJ45 10/100/1000 Ethernet port, 1x RJ45 10/100/1000 Ethernet w/PoE
• Power (max.): 22.4 W
• Power-over-Ethernet (min.): PoE+ 802.3at
• Dimensions: 195x195x43 mm
• Weight: 1.012 kg

Synchronized Security for Wireless (only for APX)

Synchronized Security: Wireless + Mobile (Security Heartbeat™)

1. Compliance violation: the mobile user does something which is defined as a compliance violation.
2. Mobile: predefined actions: Sophos Mobile sees that there is a compliance violation and triggers the predefined actions.
3. Wireless: deny network: if the "deny network" rule is selected in Mobile, Sophos Wireless receives a red heartbeat status and restricts internet access.
4a. Wireless: dashboard status: the dashboard widget shows one device with a red heartbeat.
4b. Mobile client: alert: when the mobile user tries to access the web, they see a splash screen telling them that internet access has been restricted ("Your Wi-Fi access is restricted").

Functionality with endpoints is similar.

Synchronized Security: Wireless + Endpoint (Security Heartbeat™)

1. Incident on endpoint: the endpoint gets infected or does something which gives it a red health status.
2. Endpoint: sends status: the endpoint sends its health status to Sophos Wireless.
3. Wireless: restricts access: if Sophos Wireless receives a red heartbeat status, Wi-Fi access is restricted.
4a. Wireless: dashboard status: the dashboard widget shows one device with a red heartbeat.
4b. Endpoint user: alert: the user sees a splash screen telling them that Wi-Fi access has been restricted ("Your internet access is restricted").

Synchronized Security in Wireless

NEW: Dashboard Widget: Security Heartbeat™
• Consolidated view of the health status of all devices which are connected to an APX-powered wireless network managed in Central only
• If the customer has multiple Wi-Fi networks, also with legacy APs, it will not show ALL clients
• Only mobile devices and endpoints managed in Central can have a heartbeat

NEW: Client View with Heartbeat Status
• Consolidated view of ALL clients connected to any Wi-Fi network managed in Central

Expanding Synchronized Security Beyond Firewall + Endpoint

Important note: Wireless Sync Security ≠ XG Firewall Sync Security
• Wireless is a consumer of the Security Heartbeat of a client.
• Initially, either XG Firewall OR Wireless owns the Heartbeat; that will eventually change so that both products can report on the health status of an endpoint.
• Environments with XG + Central Wireless should switch it on in one product only, probably XG Firewall due to its more advanced feature set.
• Functionality is (today) different between Wireless Sync Sec and XG Firewall: Wireless only limits web access at this time.

Synchronized Security: Advanced SSID Settings

Setup in Sophos Mobile

Network Access Control: Sophos Mobile allows granular settings to restrict web access via Wi-Fi and perform other automated actions for devices with security compliance issues.

Security Heartbeat™: a "Deny network" setting translates to a red heartbeat. Upon a violation, this relays the status back to any APX Series access point, which then limits web connectivity. For an individual device, the automatic setting can be changed to always allow or always block.
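As an added illustration (not Sophos code and not the product's API), the following Python model shows the heartbeat-consumer behaviour the slides above describe: a Central-managed client's health colour, the "Deny network" mobile action, the per-device always-allow/always-block override and the heartbeat-owner note are turned into a web-access decision. The colour names, override names, the `heartbeat_owner` knob and the MAC addresses are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Client:
    mac: str
    managed_in_central: bool          # only Central-managed clients can have a heartbeat
    heartbeat: Optional[str] = None   # "green" | "yellow" | "red" | None (colour names assumed)
    override: str = "auto"            # "auto" | "always_allow" | "always_block" (names assumed)


@dataclass
class WirelessHeartbeatConsumer:
    """Wireless side only: it consumes the heartbeat, it does not own it."""
    heartbeat_owner: str = "wireless"  # "wireless" or "xg_firewall" (assumed knob)
    clients: Dict[str, Client] = field(default_factory=dict)

    def add(self, client: Client) -> None:
        self.clients[client.mac] = client

    def report_status(self, mac: str, colour: str) -> bool:
        """Endpoint path: accept a health colour from a managed client only."""
        c = self.clients[mac]
        if not c.managed_in_central:
            return False  # unmanaged clients cannot have a heartbeat
        c.heartbeat = colour
        return True

    def mobile_violation(self, mac: str, action: str) -> bool:
        """Mobile path: only the 'Deny network' action becomes a red heartbeat."""
        if action != "deny_network":
            return False  # other predefined actions do not touch Wi-Fi here
        return self.report_status(mac, "red")

    def web_access(self, mac: str) -> str:
        """'allow' or 'restrict'; only web access is limited, as the slide states."""
        c = self.clients[mac]
        if c.override == "always_block":
            return "restrict"
        if c.override == "always_allow" or self.heartbeat_owner != "wireless":
            return "allow"  # XG Firewall owns the heartbeat: wireless does not act
        return "restrict" if c.heartbeat == "red" else "allow"

    def dashboard(self) -> Dict[str, int]:
        """Heartbeat widget: managed clients per colour; unmanaged ones have none."""
        counts: Dict[str, int] = {}
        for c in self.clients.values():
            if c.managed_in_central and c.heartbeat:
                counts[c.heartbeat] = counts.get(c.heartbeat, 0) + 1
        return counts
```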

Enhanced Rogue AP Detection

NEW: Dashboard Widget: Threats
• View of all visible Wi-Fi networks which the Central-managed access points can see
• Automatic classification according to potential threat level

NEW: Filter option
NEW: On-demand scan
NEW: Manual classification

Why Sophos Wireless?

The Ultimate Sales Opportunity

Low-hanging fruit / Sophos Central customers
• Add Wireless to existing accounts to increase share of wallet
• Particularly Endpoint and Mobile customers as targets, approached as a connectivity topic
• Sales pitch as simple as "What are you doing for Wi-Fi?"

Medium-hanging fruit - new customers in the 'sweet spot'
• Position Wi-Fi with new SMB prospects of ≤500 users
• Position Wi-Fi in K-12 education environments (20 to 100 APs, distributed environments)
• No hard limits for scalability, but today's feature set suits the lower end of the market

UTM customers not ready for XG (e.g. in DACH, also some of APJ and WE)
• Shift SG UTM customers to Central Wireless
• Offers Sync Sec for SG UTM customers, plus APX as newer technology
• UTM Wi-Fi customers are often small or using additional Wi-Fi on top
• Gets them onto Central = retention + cross-sell

Licensing

Licensing for APX - order from August 3, 2018. Phase 1: adding the new APX SKU.

• Central Wireless Standard - Entry (EXISTING): AP 15 / AP 15C; 1Y = $50
• Central Wireless Standard - Performance (EXISTING): AP 55 / AP 55C / AP 100 / AP 100C / AP 100X; 1Y = $100
• Central Wireless Standard (for APX) (NEW): all APX models; 1Y = $75
• Bundle SKU for APX only (NEW): APX + Central Wireless Standard bundle; 5% discount over individual purchase

Questions?