Taking the Battle to Ransomware with Sophos Intercept X

Intercept X: The Next Step in Next-Gen Endpoint Protection
Lars Putteneers, Sales Engineer
23/03/2017

Sophos snapshot
• Founded 1985, HQ Oxford, UK
• $450M in FY15 billings (approx.)
• 3,500 employees (approx.)
• 200,000+ customers
• 100M+ users
• 90+% renewal rates (best in class)
• 15,000+ channel partners
• OEM partners
• Key dev centers and offices


WHY

The Evolution of Threats: From Malware to Exploits (Traditional Malware → Advanced Threats)
• Melissa Virus (1999): $1.2B
• Love Letter Worm (1998): $15B
• Zeus Trojan (2007): $2.3B
• JSocket RATs (2014): $800M
• Locky Ransomware (2016): $1.1B
• FinFisher Spyware (2003): $780M
• Exploit as a Service (2015): $500M

The Evolution of Security: From Anti-Malware to Anti-Exploit (Traditional Malware → Advanced Threats)
• Exposure Prevention: URL blocking, web/app/device control, download reputation
• Pre-Exec Analytics: generic matching, heuristics, core rules
• File Scanning: known malware, malware bits (Trojan, spyware, virus, worm)
• Run-Time: behavior analytics, runtime behavior
• Exploit Detection: technique identification (RATs, ransomware, exploit kits)
80% 15% 5%

We believe
• Security must be:
  o Simple
  o Comprehensive
  o Easy to use
  o Single console
• You need to have MORE SECURITY with LESS EFFORT

HOW

How do we do it?
• Own worldwide Threat Research Center
• Firewalls
• Centrally managed endpoint protection
• Sandboxing
• Communication between endpoint & firewall

Intercepting Exploits: Blocking Exploit Techniques vs. Antivirus
Attack stages: Preparation → Triggering → Gain Control → Circumvent (DEP) → Post → Payload Drop
Exploit techniques used along the chain: Heap Spray, Use after Free, Stack Pivot, ROP, Call OS function
Where the activity lives: Memory Corruption/UaF → In-Memory (Diskless) → On Disk → Ransomware Activity (!)
• Most exploit-based attacks consist of 2 or more exploit techniques
• Exploit techniques do not change and are mandatory to exploit existing and future software vulnerabilities
Diagram labels: Sophos Intercept X; Antivirus

WHAT

Endpoint protection

Cloud Endpoint Protection Advanced


Introducing Sophos Intercept X
Challenges: Advanced Malware · Zero-Day Exploits · Limited Visibility

Anti-Exploit: Prevent Exploit Techniques
• Signatureless exploit prevention
• Protects patient zero / zero-day
• Blocks memory-resident attacks
• Tiny footprint and low false positives
No user/performance impact · No file scanning · No signatures

Root-Cause Analysis: Automated Incident Response
• IT-friendly incident response
• Process threat chain visualization
• Prescriptive remediation guidance
• Advanced malware clean
Faster incident response · Root-cause visualization · Forensic-strength clean

Anti-Ransomware: Detect Next-Gen Threats
• Stops malicious encryption
• Behavior-based conviction
• Automatically reverts affected files
• Identifies source of attack
Prevent ransomware attacks · Roll back changes · Attack chain analysis

Intercepting Ransomware
• Monitor file access: if suspicious file changes are detected, file copies are created
• Attack detected: the malicious process is stopped and we investigate the process history
• Rollback initiated: original files restored, malicious files removed
• Forensic visibility: user message, admin alert, root cause analysis details available
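The four-step flow on this slide (copy files when suspicious changes appear, stop the process, roll back, surface the details), as an added example written for this page. It is not Sophos code and not taken from the deck: a small Python simulation in which `write_as` is a constructed stand-in for the file-system filter hook a real agent would use. The monitor snapshots a file before a process first modifies it, treats a rewrite that turns plaintext into high-entropy bytes as a suspicious change, convicts a process after a constructed threshold of three such changes, denies its further writes, restores every file it touched and deletes the files it created. The entropy threshold, the process ids, the ransom-note name and the sample documents are all constructed for the demo.

```python
import math
import os
import shutil
import tempfile
from collections import defaultdict
from pathlib import Path

# Constructed demo threshold: plaintext documents sit far below 7 bits/byte,
# ciphertext and compressed data approach 8. Real products weigh many more signals.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniformly distributed bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


class RansomwareMonitor:
    """Snapshot-before-write, convict on repeated suspicious changes, roll back the victims."""

    def __init__(self, backup_dir: str, threshold: int = 3):
        self.backup_dir = backup_dir
        self.threshold = threshold                # suspicious changes before conviction (constructed)
        self.backups = {}                         # (pid, path) -> snapshot taken before first write
        self.touched = defaultdict(list)          # pid -> existing files it modified, in order
        self.created = defaultdict(list)          # pid -> files it created (e.g. ransom notes)
        self.suspicious = defaultdict(int)        # pid -> plaintext-to-high-entropy rewrites seen
        self.blocked = set()                      # convicted pids; further writes are denied
        self.alerts = []                          # (pid, path, old_entropy, new_entropy) for the admin

    def write_as(self, pid: int, path: str, data: bytes) -> str:
        """Constructed filter hook: mediate a write and return 'denied', 'allowed' or 'convicted'."""
        if pid in self.blocked:
            return "denied"
        key = (pid, path)
        if os.path.exists(path):
            if key not in self.backups:           # keep a copy before this process changes the file
                snap = os.path.join(self.backup_dir, f"{len(self.backups)}.bak")
                shutil.copy2(path, snap)
                self.backups[key] = snap
                self.touched[pid].append(path)
        else:
            self.created[pid].append(path)
        Path(path).write_bytes(data)
        return "convicted" if self._judge(pid, path, data) else "allowed"

    def _judge(self, pid: int, path: str, new_data: bytes) -> bool:
        """A change is suspicious when a plaintext file is rewritten as high-entropy bytes."""
        key = (pid, path)
        if key not in self.backups:
            return False                          # newly created file: nothing to compare against
        old_entropy = shannon_entropy(Path(self.backups[key]).read_bytes())
        new_entropy = shannon_entropy(new_data)
        if old_entropy < ENTROPY_THRESHOLD <= new_entropy:
            self.suspicious[pid] += 1
            self.alerts.append((pid, path, round(old_entropy, 2), round(new_entropy, 2)))
        if self.suspicious[pid] >= self.threshold:
            self.convict(pid)
            return True
        return False

    def convict(self, pid: int) -> int:
        """Stop the process (deny further writes), restore its victims, remove what it dropped."""
        self.blocked.add(pid)
        for path in self.touched[pid]:
            shutil.copy2(self.backups[(pid, path)], path)
        for path in self.created[pid]:
            if os.path.exists(path):
                os.remove(path)
        return len(self.touched[pid])


def run_demo(threshold: int = 3) -> dict:
    """Constructed scenario: five documents, one benign edit, one process that encrypts them."""
    work, bak = tempfile.mkdtemp(), tempfile.mkdtemp()
    try:
        expected = {}
        for i in range(5):
            p = os.path.join(work, f"report{i}.txt")
            expected[p] = (f"Quarterly report {i}: revenue flat, costs down.\n" * 100).encode()
            Path(p).write_bytes(expected[p])
        mon = RansomwareMonitor(bak, threshold)
        first = next(iter(expected))
        expected[first] += b"Reviewed by finance.\n"          # benign edit by trusted pid 1
        benign = mon.write_as(1, first, expected[first])
        note = os.path.join(work, "README_DECRYPT.txt")       # constructed ransom note
        outcomes = [mon.write_as(4242, note, b"Your files are encrypted.\n")]
        for p in expected:                                    # os.urandom stands in for ciphertext
            outcomes.append(mon.write_as(4242, p, os.urandom(4096)))
        intact = all(Path(p).read_bytes() == data for p, data in expected.items())
        return {"benign": benign, "outcomes": outcomes, "convicted": sorted(mon.blocked),
                "alerts": len(mon.alerts), "restored": len(mon.touched[4242]),
                "note_removed": not os.path.exists(note), "all_files_intact": intact}
    finally:
        shutil.rmtree(work)
        shutil.rmtree(bak)


if __name__ == "__main__":
    print(run_demo())
```

Two design points the slide glosses over: the snapshot is keyed per process and file, so the benign edit by pid 1 is preserved and the rollback restores the file to the state the convicted process found it in, not an older one; and the threshold means the first few files are always damaged before conviction, which is exactly why the copy is taken before the write rather than after the verdict.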

Root Cause Analytics: Understanding the Who, What, When, Where, Why and How

What we do differently
• Application Lockdown
• Cryptoguard
• Look at the complete chain/life of a process/application
• Security heartbeat
• Works alongside other AV

What we do differently
Threat vectors covered: Phishing · Exploits · Scripts · Bad Devices · Bad Apps · Runtime (.exe) · Office Docs
Real Results

DEMO

Future?

Machine Learning: Pre-execution Malware Prevention & Detection

Complete Next-Gen Endpoint Protection
Threat categories: Script-based Malware · Malicious URLs · Phishing Attacks · Removable Media · .exe Malware · Non-.exe Malware · Unauthorized Apps · Exploits
• Invincea pre-execution malware prevention is highly scalable, fast, and effective, especially against zero-day threats. Invincea's pioneering ML technology delivers high detection rates and very low FP rates, which is unique.
• Effective for run-time prevention of exploit-based malware such as ransomware. Sophos Intercept X thrives with next-gen exploit prevention capabilities.
• Heuristic detections based on the behaviors of execution to stop evasive malware before damage occurs.
• Knowing the source/reputation of a file, URL, email, etc. can prevent an attack before it happens. Includes technologies such as MTD, download reputation, URL filtering, secure email gateway, etc.
• For server or locked-down endpoint environments, app control prevents unknown / unwanted apps from running.
• The only effective defense against in-memory malware.
• The only effective way to set policy to ensure removable media cannot put an organization at risk.
• Provides reliable detection of script, document, and macro malware, and an efficient first line of defense against known executable variants.
Synchronized Security
Sophos Central Mgmt.
.doc .xls .pdf
Root Cause Analytics

Questions?
