anatomy of an attack - sophos day belux 2014
DESCRIPTION
Anatomy of an Attack - Next Generation Endpoint, presentation given by Vincent Vanbiervliet at Sophos Day Belux on November 25th, 2014.
TRANSCRIPT
1
Vincent Vanbiervliet
Senior Sales Engineer
Next Generation Endpoint
Sophos Security Day – 25/11/2014
2
3
“Conventional antivirus software is an outmoded way of protecting computers
against malware.”
The perception of endpoint security
“The current anti-virus method of detecting and blocking known samples is
no longer effective.”
“Antivirus software is now so ineffective at detecting new malware threats most enterprises are probably wasting their
money buying it.”
4
Some vendors overcompensate
• Sophisticated functionality
• Endless add-ons
• Requires major time investment
• Not simple
5
Malicious behavior prevention
Perimeter defense
Malware detection
Web protection
Spam blocking
Attack surface reduction
Our products are sophisticated and simple
6
SophosLabs makes it possible
Threat intelligence
7
Big data
2–3 TB of threat data per week
5 million spam emails per day
600 million live lookups per day
150,000 suspicious URLs per day
300,000 new files per day
8
Automation
Malware analysis
Decision making
Analytics
New identity every 4–5 seconds
Live Protection
9
Leveraged expertise
Buffer Overflow Protection
HIPS
Live Protection
Emulation
Static code analysis
Unpacking
Signatures
Web security — exploit code
Web security — bad URLs
Exploit patterns
Multi-factor identities
Behavior-based rules
19 identities account for 50% of detections
10
• Zero day malware protection
• Tuned by SophosLabs
• Over 80% adoption
• No one else makes it this simple
HIPS for everyone
This doesn’t look right!
11
Them: Complex, manual rule sets
Effortless application control
Us: Simple point and click
12
IT Department
Support Threat Intelligence & Response
Software development
Infrastructure
• Less time managing protection
• Fewer security incidents
• More time to focus on business priorities
What simple, effective security means
13
Building next gen endpoint security
Buffer Overflow Protection
HIPS
Live Protection
Emulation
Static code analysis
Unpacking
Signatures
Web security — exploit code
Web security — bad URLs
C&C traffic detection
Download reputation
New emulator
File tracking
14
Advanced Persistent Threat: Protection
1. Gather information: Social media, Events, Other websites…
2. Find a way in: Phishing, Spoof calls, USB sticks…
3. Avoid being discovered: Lay low, Do nothing, ‘low & slow’…
4. Get out with the data: Collate data, Encrypt, Extract…
Layered protection is the best defense against targeted attacks
Advanced Threat Protection: Detects Botnets, stops outbound traffic, selective analysis
Firewall | Antivirus | IPS | Web | Email | WAF
15
Advanced Threat Protection in Sophos UTM
16
Advanced Threat Protection in Sophos UTM
Alerts to infected clients
Provides:
• Consolidated reporting
• Threat information
• Link to SophosLabs Threat Center
17
Context-Aware Security
A coordinated threat sensing system
The traditional way: One point in time and space
The new way: Many points in time and space
How?
• We watch all points
• We correlate intelligence
• We coordinate protection
• We strengthen every point
• We build a stronger system
Laptop
Network
Server
App
Mobile
Cloud
Another
Suspicious outbound traffic
Suspicious runtime behavior
Indicators of Compromise: alert & respond
Application reputation
Application categorization and tracking
Mal/sus attributes pre-execution
IPS/IDS events
System events
18
What if robots could work together?
Looks like your PC is infected. Let’s isolate it from the network.
Oops, you’re right. I’ll clean it up. Tell the others to watch out for badfile.exe.
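The correlation and coordinated response that slides 17 and 18 describe, sketched here as an added Python example (not Sophos code; the event fields, host names, the five-minute window and the two-sensor threshold are constructed assumptions):

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry from several "points": endpoint, network, IPS.
# Field names and values are assumptions for this example, not a Sophos format.
EVENTS = [
    {"ts": "2014-11-25T10:00:05", "host": "laptop-07", "sensor": "endpoint",
     "kind": "suspicious_runtime_behavior", "artifact": "badfile.exe"},
    {"ts": "2014-11-25T10:00:40", "host": "laptop-07", "sensor": "network",
     "kind": "suspicious_outbound_traffic", "artifact": "198.51.100.23:443"},
    {"ts": "2014-11-25T10:01:10", "host": "laptop-07", "sensor": "ips",
     "kind": "ips_event", "artifact": "C2 beacon signature"},
    {"ts": "2014-11-25T10:30:00", "host": "server-02", "sensor": "endpoint",
     "kind": "suspicious_runtime_behavior", "artifact": "updater.exe"},
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")

def correlate(events, window=timedelta(minutes=5), min_sensors=2):
    """Group events per host; a host reported by at least min_sensors distinct
    sensors within one window (measured from its first event) becomes an
    indicator-of-compromise alert. A single sensor alone is not enough."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        start = parse(evs[0]["ts"])
        in_window = [e for e in evs if parse(e["ts"]) - start <= window]
        sensors = {e["sensor"] for e in in_window}
        if len(sensors) >= min_sensors:
            alerts.append({"host": host, "sensors": sorted(sensors),
                           "artifacts": [e["artifact"] for e in in_window]})
    return alerts

def coordinate_response(alerts, fleet):
    """Isolate each alerted host and push its file artifacts to every other
    host as a watch list: the 'tell the others' step from the slide."""
    actions = []
    for a in alerts:
        actions.append(("isolate", a["host"]))
        watch = tuple(x for x in a["artifacts"] if x.endswith(".exe"))
        for other in fleet:
            if other != a["host"]:
                actions.append(("watch", other, watch))
    return actions
```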
19
• Simple, effective protection
• SophosLabs does the work, so customers don’t have to
• Ongoing innovation – here comes next gen endpoint security
Summary
20
© Sophos Ltd. All rights reserved.