TRANSCRIPT
Fight new threats with Sophos' complete, innovative and synchronized security system
Walter Narisoni, Sales Engineers Manager
Sophos History: Evolution to complete security
(timeline slide; events grouped by the year labels shown on the slide)
• 1985: Founded in Abingdon (Oxford), UK, by Peter Lammer and Jan Hruska
• 1988: First checksum-based antivirus software
• 1989: First signature-based antivirus software
• 1996-2003: US presence established in Boston; voted best small/medium sized company in the UK; acquired ActiveState
• 2008: Acquired Utimaco Safeware AG
• 2011-2013: Acquired Astaro; acquired DIALOGS; divested non-core Cyber business
• 2014: Acquired Cyberoam; acquired Mojave Networks
• 2015-2017: Acquired Barricade, Reflexion, Surfright, PhishThreat and Invincea; IPO on the London Stock Exchange; launched Synchronized Security with Security Heartbeat
Synchronized Security (architecture slide)
• Sophos Central: Admin, Self Service, Partner | Manage all Sophos products | User-customizable alerts | Management of customer installations
• Cloud Intelligence: Analytics | Analyze data across all of Sophos' products to create simple, actionable insights and automatic resolutions
• SophosLabs: 24x7x365, multi-continent operation | URL database | Malware identities | File look-up | Genotypes | Reputation | Behavioural rules | APT rules | Apps | Anti-spam | Data control | SophosID | Patches | Vulnerabilities | Sandboxing | API everywhere
• Products managed from Sophos Central: Endpoint/Next-Gen Endpoint, Mobile, Server, Encryption, UTM/Next-Gen Firewall, Wireless, Web (in cloud or on prem)
Lateral Movement Detection and Prevention
(sequence of slides; each shows the Internet, XG Firewall, endpoints and servers linked by Security Heartbeat™)
• Credential theft attempt detected by Intercept X on an endpoint; the endpoint's Security Heartbeat™ carries its changed health state to XG Firewall
• Detection and Isolation: XG Firewall isolates the endpoint whose heartbeat reports it as compromised (red)
• Detection and Isolation – Destination Based Rules: firewall rules also stop traffic sent to the compromised host, not only traffic from it
• Detection and Isolation – Endpoint Stonewalling: healthy endpoints and servers refuse connections from the compromised endpoint, so traffic that never crosses the firewall (same LAN segment) is blocked too
• Detection and Isolation – Wireless Heartbeat: the same isolation applied to wireless clients through the Sophos access points
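The slides above only show the topology, so here is the decision logic written out as an added example (my own simulation, not Sophos code): endpoints report a health colour on a periodic heartbeat, the firewall isolates red sources, destination-based rules stop traffic to red hosts, and a healthy peer "stonewalls" a red neighbour. The heartbeat interval, the missed-beat threshold, the yellow-host policy and all hosts and flows are constructed assumptions for the demo; one caveat a practitioner wants is in effective_health(): a host that stops beating is treated as unknown, never as green.

```python
"""Security-Heartbeat-style isolation, simulated (added example, not Sophos code)."""
from dataclasses import dataclass, field

HEARTBEAT_INTERVAL = 15          # seconds between expected heartbeats (assumed)
MISSED_BEATS_BEFORE_UNKNOWN = 3  # after this many missed beats the host is "unknown" (assumed)


@dataclass
class Host:
    ip: str
    health: str = "green"        # green | yellow | red, as reported by the endpoint agent
    last_beat: float = 0.0       # time the last heartbeat was received
    managed: bool = True         # False for devices without an agent (printers, guests)


@dataclass
class Fabric:
    """The firewall's view of the estate: who is beating, and how healthy they say they are."""
    hosts: dict = field(default_factory=dict)

    def beat(self, ip, health, now):
        h = self.hosts.setdefault(ip, Host(ip))
        h.health, h.last_beat = health, now

    def effective_health(self, ip, now):
        """A stale or missing heartbeat is 'unknown', not 'green': an attacker who kills the
        agent must not gain access by silencing it."""
        h = self.hosts.get(ip)
        if h is None or not h.managed:
            return "unmanaged"
        if now - h.last_beat > HEARTBEAT_INTERVAL * MISSED_BEATS_BEFORE_UNKNOWN:
            return "unknown"
        return h.health

    def firewall_decision(self, src, dst, now, internet_dst=False):
        """Rule evaluation at the firewall for a flow src -> dst."""
        s = self.effective_health(src, now)
        d = "internet" if internet_dst else self.effective_health(dst, now)
        if s == "red":
            return "DROP: source isolated (red heartbeat)"
        if s == "unknown":
            return "DROP: source heartbeat missing, treated as compromised"
        if d == "red":
            return "DROP: destination isolated (destination-based rule)"
        if s == "yellow" and internet_dst:
            return "DROP: yellow source restricted to LAN"     # assumed policy choice
        return "ALLOW"                                          # unmanaged hosts are not gated here

    def endpoint_stonewall(self, receiver, sender, now):
        """Stonewalling: a healthy endpoint refuses a connection from a red or silent peer,
        even on the same segment where the firewall never sees the packet."""
        if self.effective_health(sender, now) in ("red", "unknown"):
            return "REFUSE: peer not healthy"
        return "ACCEPT"


def demo():
    """Constructed scenario: two workstations and a file server, then a detection on .11."""
    fab, t0, out = Fabric(), 1000.0, []
    for ip in ("10.0.0.11", "10.0.0.12", "10.0.0.50"):
        fab.beat(ip, "green", t0)
    out.append(fab.firewall_decision("10.0.0.11", "10.0.0.50", t0 + 1))
    fab.beat("10.0.0.11", "red", t0 + 5)      # Intercept X flags a credential theft attempt
    out.append(fab.firewall_decision("10.0.0.11", None, t0 + 6, internet_dst=True))
    out.append(fab.firewall_decision("10.0.0.12", "10.0.0.11", t0 + 6))
    out.append(fab.endpoint_stonewall("10.0.0.50", "10.0.0.11", t0 + 6))
    out.append(fab.firewall_decision("10.0.0.12", "10.0.0.50", t0 + 60))  # .12 went silent
    return out


if __name__ == "__main__":
    for line in demo():
        print(line)
</test>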
Synchronized App Control (Security Heartbeat™)
Works with: • Intercept X v2 EAP0 • CEA (soon) • Both Windows & Mac (soon)
1. Unknown application: XG Firewall sees app traffic that does not match a signature
2. Endpoint shares app info: Sophos Endpoint passes app name, path and even category to XG Firewall for classification
3. Application is classified and controlled: automatically categorize and control where possible, or the admin can manually set the category or policy to apply
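The three steps above as an added example (my own simulation, not Sophos code): the firewall joins a flow that matched no signature to the process the endpoint reports as owning the local socket, classifies it by the endpoint-supplied category or an admin override, and parks anything still unknown for the admin. The flow records, process table, category policy and the "trusted install location" check are constructed assumptions; the location check is my own hardening, added because a process name reported by the endpoint is only as trustworthy as the path it runs from.

```python
"""Synchronized App Control, simulated (added example, not Sophos code)."""
from collections import namedtuple

Flow = namedtuple("Flow", "src_ip src_port dst_ip dst_port proto signature")
Proc = namedtuple("Proc", "name path category")   # what the endpoint agent reports per socket

# Firewall-side policy per category (assumed for the demo)
POLICY = {"Business": "allow", "Collaboration": "allow", "Remote Access": "block",
          "Unknown": "block"}
TRUSTED_PREFIXES = ("c:\\program files", "c:\\windows")   # assumed install locations


def trusted_location(path: str) -> bool:
    """A 'known' app name running from %TEMP% or a profile is not the known app."""
    return path.lower().startswith(TRUSTED_PREFIXES)


class AppControl:
    def __init__(self):
        self.sockets = {}    # (ip, port, proto) -> Proc, learned from endpoint reports
        self.overrides = {}  # app name -> category set manually by the admin (step 3)
        self.pending = []    # flows nobody could classify; surfaced to the admin

    def endpoint_report(self, ip, port, proto, proc):
        self.sockets[(ip, port, proto)] = proc

    def admin_set_category(self, app_name, category):
        self.overrides[app_name] = category

    def classify(self, flow):
        """Return (category, action) for one flow seen by the firewall."""
        if flow.signature:                                  # step 1: signature matched
            return flow.signature, POLICY.get(flow.signature, "allow")
        proc = self.sockets.get((flow.src_ip, flow.src_port, flow.proto))
        if proc is None:                                    # unmanaged host or no report yet
            self.pending.append(flow)
            return "Unknown", POLICY["Unknown"]
        category = self.overrides.get(proc.name) or proc.category or "Unknown"   # step 2/3
        if not trusted_location(proc.path):
            category = "Unknown"
        if category == "Unknown":
            self.pending.append(flow)
        return category, POLICY.get(category, POLICY["Unknown"])


def demo():
    """Constructed endpoint reports and flows from one managed host (.11) and one unmanaged (.99)."""
    ac = AppControl()
    ac.endpoint_report("10.0.0.11", 51000, "tcp",
                       Proc("teams.exe", r"C:\Program Files\Teams\teams.exe", "Collaboration"))
    ac.endpoint_report("10.0.0.11", 51001, "tcp",
                       Proc("acme_erp.exe", r"C:\Program Files\Acme\acme_erp.exe", None))
    ac.endpoint_report("10.0.0.11", 51002, "tcp",
                       Proc("svchost.exe", r"C:\Users\bob\AppData\Local\Temp\svchost.exe", "System"))
    flows = [
        Flow("10.0.0.11", 51000, "52.1.1.1", 443, "tcp", None),
        Flow("10.0.0.11", 51001, "203.0.113.9", 8443, "tcp", None),
        Flow("10.0.0.11", 51002, "198.51.100.7", 4444, "tcp", None),
        Flow("10.0.0.99", 40000, "198.51.100.7", 22, "tcp", None),
        Flow("10.0.0.11", 51003, "52.1.1.2", 443, "tcp", "Business"),
    ]
    results = [ac.classify(f) for f in flows]
    ac.admin_set_category("acme_erp.exe", "Business")   # admin categorises the in-house app
    results.append(ac.classify(flows[1]))
    return results, len(ac.pending)


if __name__ == "__main__":
    print(demo())
```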
Intercepting Exploits: Vulnerabilities vs Exploits vs Exploit Techniques
(chart of total count over time, three curves)
• Vulnerabilities: 1,000s/yr; the response is patching
• Public exploits: 100s/yr; the response is prior knowledge of public attacks (signatures / behaviors)
• Exploit techniques: 10s in total, a small and slowly changing set, which is what exploit mitigation targets
Introducing Sophos Intercept X
Problems addressed: advanced malware, zero-day exploits, limited visibility
Anti-Exploit: Prevent Exploit Techniques
• Signatureless exploit prevention
• Protects patient zero / zero-day
• Blocks memory-resident attacks
• Tiny footprint and low false positives
No user/performance impact · No file scanning · No signatures
Automated Incident Response: Root-Cause Analysis
• IT-friendly incident response
• Process threat chain visualization
• Prescriptive remediation guidance
• Advanced malware clean
Faster incident response · Root-cause visualization · Forensic-strength clean
Anti-Ransomware: Detect Next-Gen Threats
• Stops malicious encryption
• Behavior-based conviction
• Automatically reverts affected files
• Identifies source of attack
Prevent ransomware attacks · Roll back changes
Attack Chain Analysis
Example Code Execution Flow
(three diagrams, each a timeline through User Space, System DLL, Kernel and Processor)
• Generic flow: application code in user space makes an API call into a system DLL, which issues a system call into the kernel, which drives the processor.
• On-execute file scanning antivirus: checks the file on disk (signature check) when a process is created; no attention is paid to the machine code that called CreateProcess.
• Sophos Intercept X, Branch-based ROP Mitigations (Hardware Augmented): software stack and hardware-traced branch analysis (manipulation resistant) of the code path that led to the system call; leverages and repurposes a previously unused feature in mainstream Intel® processors.
Intercepting Exploit Techniques (Overview)
• Stack Pivot: stops abuse of the stack pointer
• Stack Exec: stops attacker's code on the stack
• Stack-based ROP Mitigations: stops standard Return-Oriented Programming attacks
• Branch-based ROP Mitigations (Hardware Augmented): stops advanced Return-Oriented Programming attacks
• Import Address Table Filtering (IAF) (Hardware Augmented): stops attackers that look up API addresses in the IAT
• SEHOP: protects against overwriting of the structured exception handler
• Load Library: prevents loading of libraries from UNC paths
• Reflective DLL Injection: prevents loading of a library from memory into a host process
• Shellcode: stops code execution in the presence of exploit shellcode
• VBScript God Mode: prevents abuse of VBScript in IE to execute malicious code
• WoW64: stops attacks that address 64-bit functions from a WoW64 (32-bit) process
• Syscall: stops attackers that attempt to bypass security hooks
• Enforce Data Execution Prevention (DEP): prevents abuse of buffer overflows
• Mandatory Address Space Layout Randomization (ASLR): prevents predictable code locations
• Bottom Up ASLR: improved code location randomization
• Null Page (Null Dereference Protection): stops exploits that jump via page 0
• Heap Spray Allocation: pre-allocates commonly targeted memory areas to block example attacks
• Dynamic Heap Spray: stops attacks that spray suspicious sequences on the heap
• VTable Hijacking: helps to stop attacks that exploit virtual tables in Adobe Flash Player
• Hollow Process: stops attacks that use legitimate processes to hide hostile code
• DLL Hijacking: gives priority to system libraries for downloaded applications
• Application Lockdown: stops logic-flaw attacks that bypass mitigations
• Java Lockdown: prevents attacks that abuse Java to launch Windows executables
• AppLocker Bypass: prevents regsvr32 from running remote scripts and code
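Two of the checks behind the "Stack Pivot" and "Stack-based ROP Mitigations" items above, and behind the "machine code that called CreateProcess" point in the execution-flow diagrams, written out as an added example (my own code, not Sophos'): when a hook on a sensitive API is entered, (A) the return address should sit directly after a CALL instruction, because a ROP chain reaches the API through a RET, and (B) the stack pointer must lie inside the thread's real stack. The x86-64 byte strings and stack bounds are constructed; the decoder is a simplified back-scan (a real engine decodes from a known instruction boundary and also uses the hardware branch trace shown on the slide).

```python
"""Call-preceded and stack-pivot checks over constructed x86-64 bytes (added example)."""


def _ff_call_length(code: bytes, p: int) -> int:
    """Byte length of an FF /2 (CALL r/m) instruction whose opcode byte is code[p]."""
    modrm = code[p + 1]
    mod, rm = modrm >> 6, modrm & 7
    n = 2
    if mod == 3:                                   # CALL reg
        return n
    if rm == 4:                                    # SIB byte present
        n += 1
        if mod == 0 and p + 2 < len(code) and (code[p + 2] & 7) == 5:
            n += 4                                 # SIB with no base: disp32 follows
    if mod == 0 and rm == 5:
        n += 4                                     # RIP-relative disp32 (typical import call)
    elif mod == 1:
        n += 1                                     # disp8
    elif mod == 2:
        n += 4                                     # disp32
    return n


def call_preceded(code: bytes, ret_off: int) -> bool:
    """True if some CALL encoding ends exactly at code[ret_off]: E8 rel32, or FF /2 with an
    optional REX prefix. Heuristic: overlapping byte sequences can fool a backward scan."""
    if ret_off > len(code):
        return False
    if ret_off >= 5 and code[ret_off - 5] == 0xE8:
        return True
    for start in range(max(0, ret_off - 8), ret_off - 1):   # REX + FF /2 is 2..8 bytes
        p = start
        if 0x40 <= code[p] <= 0x4F:                # REX prefix (64-bit mode only)
            p += 1
        if p + 1 >= ret_off:
            continue
        if code[p] == 0xFF and ((code[p + 1] >> 3) & 7) == 2:
            if p + _ff_call_length(code, p) == ret_off:
                return True
    return False


def stack_pivoted(sp: int, stack_lo: int, stack_hi: int) -> bool:
    """The chain usually lives in a heap buffer; a stack pointer outside the thread stack is a pivot."""
    return not (stack_lo <= sp < stack_hi)


def check_sensitive_call(code, ret_off, sp, stack_lo, stack_hi):
    """Verdict an inline hook on a sensitive API would return on entry; ret_off is the
    offset in 'code' of the return address found at [sp]."""
    if stack_pivoted(sp, stack_lo, stack_hi):
        return "BLOCK: stack pivot (sp outside thread stack)"
    if not call_preceded(code, ret_off):
        return "BLOCK: return address not call-preceded (ROP gadget)"
    return "ALLOW"


# Constructed byte sequences (hex), offsets point at the byte after the candidate CALL.
LEGIT_CALLER = bytes.fromhex("4883ec28" "ff1510000000" "4883c428")   # sub rsp,0x28; call [rip+x]; add rsp,0x28
ROP_GADGET = bytes.fromhex("4889c7" "5fc3")                          # mov rdi,rax; pop rdi; ret
CALL_R11 = bytes.fromhex("41ffd3" "90")                              # call r11; nop
CALL_MEM_SIB = bytes.fromhex("ff142500100000" "90")                  # call [disp32]; nop
CALL_RAX8 = bytes.fromhex("ff5008" "90")                             # call [rax+8]; nop
STACK_LO, STACK_HI = 0x7FFD_1000_0000, 0x7FFD_1010_0000              # constructed thread stack


def demo():
    sp = STACK_LO + 0x8000
    return [
        check_sensitive_call(LEGIT_CALLER, 10, sp, STACK_LO, STACK_HI),
        check_sensitive_call(ROP_GADGET, 3, sp, STACK_LO, STACK_HI),
        check_sensitive_call(LEGIT_CALLER, 10, 0x5555_5555_0000, STACK_LO, STACK_HI),
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```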
Intercepting Ransomware
Monitor file access
• If files are opened for write, copies are created (just before the ransomware encrypts them)
Attack detected
• The malicious process is stopped and its process history is investigated
Rollback initiated
• Original files restored
• Malicious files removed
Forensic visibility
• User message
• Admin alert
• Root-cause analysis details available
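The four stages above as an added example (my own simulation on a temp directory, not Sophos code): a guard in the write path snapshots a document before a process overwrites it, scores the new content, convicts the writer after a burst of encrypted-looking rewrites, blocks it, restores the originals, deletes the files it created and keeps the write history for root-cause analysis. The entropy threshold, the conviction count, the documents and the toy encryptor are constructed; the detection itself is a per-process counter, which is why a human saving one plaintext edit is never convicted.

```python
"""Copy-before-write plus rollback against an encryptor, simulated (added example)."""
import math
import os
import shutil
import tempfile
from collections import Counter, defaultdict

ENTROPY_THRESHOLD = 7.0   # bits/byte; documents and text sit well below this (assumed)
CONVICT_AFTER = 3         # encrypted-looking rewrites by one process before conviction (assumed)


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class WriteGuard:
    def __init__(self, vault_dir):
        self.vault = vault_dir
        self.backups = {}                   # (pid, path) -> copy taken just before the rewrite
        self.created = defaultdict(list)    # pid -> files the process created
        self.suspicious = Counter()         # pid -> encrypted-looking rewrites
        self.convicted = set()
        self.history = []                   # (pid, path, entropy): the process history

    def open_for_write(self, pid, path):
        """Before the write: refuse convicted processes, snapshot files that already exist."""
        if pid in self.convicted:
            raise PermissionError(f"pid {pid} blocked: convicted of malicious encryption")
        if not os.path.exists(path):
            self.created[pid].append(path)
        elif (pid, path) not in self.backups:
            copy = os.path.join(self.vault, f"{pid}-{len(self.backups)}")
            shutil.copy2(path, copy)
            self.backups[(pid, path)] = copy

    def after_write(self, pid, path):
        """After the write: score the new content; convict and roll back on a burst."""
        with open(path, "rb") as f:
            ent = shannon_entropy(f.read())
        self.history.append((pid, path, round(ent, 2)))
        if ent >= ENTROPY_THRESHOLD and (pid, path) in self.backups:
            self.suspicious[pid] += 1
        if self.suspicious[pid] >= CONVICT_AFTER and pid not in self.convicted:
            self.convicted.add(pid)
            return self.rollback(pid)
        return 0

    def rollback(self, pid):
        """Restore every file pid overwrote and delete every file it created."""
        restored = 0
        for (p, path), copy in list(self.backups.items()):
            if p == pid:
                shutil.copy2(copy, path)
                del self.backups[(p, path)]
                restored += 1
        for path in self.created.pop(pid, []):
            if os.path.exists(path):
                os.remove(path)
        return restored


def fake_ransomware(guard, pid, docs):
    """Constructed encryptor: drops a note, then overwrites each document with random bytes."""
    note = os.path.join(os.path.dirname(docs[0]), "README_DECRYPT.txt")
    guard.open_for_write(pid, note)
    with open(note, "wb") as f:
        f.write(b"Your files are encrypted. Pay to decrypt.\n")
    guard.after_write(pid, note)
    touched = 0
    for path in docs:
        try:
            guard.open_for_write(pid, path)
        except PermissionError:             # the guard has stopped the process
            break
        with open(path, "wb") as f:
            f.write(os.urandom(4096))
        guard.after_write(pid, path)
        touched += 1
    return touched


def _read(path):
    with open(path, "rb") as f:
        return f.read()


def demo():
    work, vault = tempfile.mkdtemp(), tempfile.mkdtemp()
    docs = [os.path.join(work, f"report{i}.docx") for i in range(5)]
    for i, p in enumerate(docs):
        with open(p, "wb") as f:
            f.write(b"Quarterly report %d. " % i + b"Lorem ipsum dolor sit amet. " * 60)
    guard = WriteGuard(vault)
    guard.open_for_write(100, docs[0])              # a human editor (pid 100) saves plaintext
    with open(docs[0], "ab") as f:
        f.write(b"Edited by a human.\n")
    guard.after_write(100, docs[0])
    expected = {p: _read(p) for p in docs}          # the state the user expects to keep
    touched = fake_ransomware(guard, 200, docs)     # pid 200 starts encrypting
    result = {"touched": touched,
              "intact": all(_read(p) == expected[p] for p in docs),
              "note_removed": not os.path.exists(os.path.join(work, "README_DECRYPT.txt")),
              "convicted": sorted(guard.convicted),
              "events": len(guard.history)}
    shutil.rmtree(work)
    shutil.rmtree(vault)
    return result


if __name__ == "__main__":
    print(demo())
```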
Complete Next-Gen Endpoint Protection
Threat classes on the slide: script-based malware, malicious URLs, phishing attacks, removable media, .exe malware, non-.exe malware, unauthorized apps, exploits
• Via Invincea: pre-execution malware prevention that is highly scalable, fast and effective, especially against zero-day threats; Invincea's machine-learning technology delivers high detection rates together with very low false-positive rates
• Sophos Intercept X: run-time prevention of exploit-based malware such as ransomware, through next-gen exploit prevention
• Heuristic detections based on the behaviors of execution, to stop evasive malware before damage occurs
• Knowing the source/reputation of a file, URL, email, etc. can prevent an attack before it happens; includes technologies such as MTD, download reputation, URL filtering and the secure email gateway
• For server or locked-down endpoint environments, app control prevents unknown / unwanted apps from running
• The only effective defense against in-memory malware
• The only effective way to set policy to ensure removable media cannot put an organization at risk
• Reliable detection of script, document and macro malware, and an efficient first line of defense against known executable variants
Synchronized Security (slide showing Sophos Central management; file-type icons .doc .xls .pdf)
Early Access Program (GA Q4 2017)
Part I – Active Adversary
o Credential theft protection
o New process protection techniques
  - Code cave utilization
  - Malicious process migration
  - Process privilege escalation
  - APC protection (AtomBombing)
o New registry protections
  - Sticky keys protection
  - Application Verifier protection
o Improved process lockdown
  - Browser behaviour lockdown
  - HTA application lockdown
Part II – Deep Learning
o Deep learning model
  - Detects malicious and potentially unwanted executables
o False positive mitigations
  - Whitelisting
o Directed clean-up
  - Quarantine and restore capability
Documents: Active Adversary mitigations, Deep Learning explained, Intercept X features explained
Videos: demonstrations of the product in action
Timeline on the slide: July, September
Synchronized Encryption
(the Synchronized Security architecture slide above, repeated with Encryption highlighted as Synchronized Encryption: Sophos Central, Cloud Intelligence and SophosLabs managing Endpoint/Next-Gen Endpoint, Mobile, Server, Encryption, UTM/Next-Gen Firewall, Wireless and Web, in cloud or on prem)