SOPHOS presentation used during the SWITCHPOINT NV/SA Quarterly Experience Day on 7th June 2016
TRANSCRIPT
![Page 1: SOPHOS presentation used during the SWITCHPOINT NV/SA Quarterly Experience Day on 7th June 2016](https://reader035.vdocuments.site/reader035/viewer/2022062823/587742ea1a28ab342e8b73ef/html5/thumbnails/1.jpg)
1
Lars Putteneers
7 June 2015
SOPHOS
Stopping Tomorrow’s Attacks Today: a next-gen approach for advanced threats
![Page 2: SOPHOS presentation used during the SWITCHPOINT NV/SA Quarterly Experience Day on 7th June 2016](https://reader035.vdocuments.site/reader035/viewer/2022062823/587742ea1a28ab342e8b73ef/html5/thumbnails/2.jpg)
2
Sophos Snapshot
• Founded 1985, Oxford, UK
• $450M in FY15 billing (approx.)
• 2,200 employees (approx.)
• 200,000+ customers
• 100M+ users
• HQ: Oxford, UK
• 90+% renewal rates (best in class)
• 15,000+ channel partners
• OEM partners (logos); key dev centers and offices (map)
![Page 3: SOPHOS presentation used during the SWITCHPOINT NV/SA Quarterly Experience Day on 7th June 2016](https://reader035.vdocuments.site/reader035/viewer/2022062823/587742ea1a28ab342e8b73ef/html5/thumbnails/3.jpg)
3
Sophos Complete Security in an Enterprise (diagram)
• Locations shown: At home and on the move, Headquarters, Remote Office 1, Remote Office 2, Sophos Cloud
• Products placed across the locations: Mobile Control, Endpoint Security, SafeGuard Encryption, Secure Wi-Fi, Guest Wi-Fi, Secure VPN Client, Secure VPN (RED), UTM / NextGen Firewall, Secure Web Gateway, Secure Email Gateway, Web Application Firewall, Network Storage Antivirus, Server Security, Administration
• SophosLabs feeds: Reputation Data, Active Protection, Correlated Intelligence, Content Classification
![Page 4: SOPHOS presentation used during the SWITCHPOINT NV/SA Quarterly Experience Day on 7th June 2016](https://reader035.vdocuments.site/reader035/viewer/2022062823/587742ea1a28ab342e8b73ef/html5/thumbnails/4.jpg)
4
Tomorrow’s attacks
![Page 5: SOPHOS presentation used during the SWITCHPOINT NV/SA Quarterly Experience Day on 7th June 2016](https://reader035.vdocuments.site/reader035/viewer/2022062823/587742ea1a28ab342e8b73ef/html5/thumbnails/5.jpg)
5
Anatomy of a ransomware attack
1. Installation via an exploit kit or spam with an infected attachment. Once installed, the ransomware modifies registry keys (typically to persist across reboots).
2. Contact with the attacker’s command & control server. The ransomware sends information about the infected computer to the C&C server and downloads an individual public key for this computer.
3. Encryption of assets. Certain files are then encrypted on the local computer and on all accessible network drives with this public key (in practice the public key usually wraps a per-file or per-victim symmetric key, since public-key encryption of bulk data is slow). Automatic backups of the Windows OS (shadow copies) are often deleted to prevent data recovery.
4. Ransom demand. A message appears on the user’s desktop explaining how a ransom (often in bitcoins) can be paid within a time frame of e.g. 72 hours to enable decryption of the data with the private key that only the attacker’s system has access to.
5. And gone. The ransomware then deletes itself, leaving just the encrypted files and ransom notes behind.
![Page 6: SOPHOS presentation used during the SWITCHPOINT NV/SA Quarterly Experience Day on 7th June 2016](https://reader035.vdocuments.site/reader035/viewer/2022062823/587742ea1a28ab342e8b73ef/html5/thumbnails/6.jpg)
6
Angler: an all-too-well-known exploit kit
• Grown in notoriety since mid-2014
  ○ The payload is stored in memory and the disk file is deleted
  ○ Detects security products and virtual machines
  ○ Ability to spread many infections: banking Trojans, backdoors, rootkits, ransomware
• Easy to use
  ○ Doesn’t require any particular technical competence
  ○ Available for a few thousand USD on the Dark Web
![Page 7: SOPHOS presentation used during the SWITCHPOINT NV/SA Quarterly Experience Day on 7th June 2016](https://reader035.vdocuments.site/reader035/viewer/2022062823/587742ea1a28ab342e8b73ef/html5/thumbnails/7.jpg)
7
Angler’s evolution into the dominant exploit kit
(Chart; timeline points: Sep 2014, Jan 2015, May 2015)
![Page 8: SOPHOS presentation used during the SWITCHPOINT NV/SA Quarterly Experience Day on 7th June 2016](https://reader035.vdocuments.site/reader035/viewer/2022062823/587742ea1a28ab342e8b73ef/html5/thumbnails/8.jpg)
8
Another one bites the dust
• 350,000 new malware programs per day
• 70% of organisations reported a compromise in the last 12 months
• $500 billion in damages worldwide
• Estimated to rise to $1.5 trillion by 2019
![Page 9: SOPHOS presentation used during the SWITCHPOINT NV/SA Quarterly Experience Day on 7th June 2016](https://reader035.vdocuments.site/reader035/viewer/2022062823/587742ea1a28ab342e8b73ef/html5/thumbnails/9.jpg)
9
The next-gen approach: Sophos Clean, Hitman Pro, Sophos Sandstorm
![Page 10: SOPHOS presentation used during the SWITCHPOINT NV/SA Quarterly Experience Day on 7th June 2016](https://reader035.vdocuments.site/reader035/viewer/2022062823/587742ea1a28ab342e8b73ef/html5/thumbnails/10.jpg)
10
Sophos Clean
• All-new business product
• The "Removal Complete" part of Hitman Pro, released as a standalone product
![Page 11: SOPHOS presentation used during the SWITCHPOINT NV/SA Quarterly Experience Day on 7th June 2016](https://reader035.vdocuments.site/reader035/viewer/2022062823/587742ea1a28ab342e8b73ef/html5/thumbnails/11.jpg)
11
Should I Stay Or Should I Go
![Page 12: SOPHOS presentation used during the SWITCHPOINT NV/SA Quarterly Experience Day on 7th June 2016](https://reader035.vdocuments.site/reader035/viewer/2022062823/587742ea1a28ab342e8b73ef/html5/thumbnails/12.jpg)
12
Bullet in the head
![Page 13: SOPHOS presentation used during the SWITCHPOINT NV/SA Quarterly Experience Day on 7th June 2016](https://reader035.vdocuments.site/reader035/viewer/2022062823/587742ea1a28ab342e8b73ef/html5/thumbnails/13.jpg)
13
Hitman Pro
• Product of SurfRight
• For the consumer and business markets
• Signature-less protection
• Will come in cloud and on-premise solutions
![Page 14: SOPHOS presentation used during the SWITCHPOINT NV/SA Quarterly Experience Day on 7th June 2016](https://reader035.vdocuments.site/reader035/viewer/2022062823/587742ea1a28ab342e8b73ef/html5/thumbnails/14.jpg)
14
Hitman Pro: Risk Reduction
![Page 15: SOPHOS presentation used during the SWITCHPOINT NV/SA Quarterly Experience Day on 7th June 2016](https://reader035.vdocuments.site/reader035/viewer/2022062823/587742ea1a28ab342e8b73ef/html5/thumbnails/15.jpg)
15
Hitman Pro: Risk Reduction
![Page 16: SOPHOS presentation used during the SWITCHPOINT NV/SA Quarterly Experience Day on 7th June 2016](https://reader035.vdocuments.site/reader035/viewer/2022062823/587742ea1a28ab342e8b73ef/html5/thumbnails/16.jpg)
16
Ransomware
• CryptoWall cost users $325M in 2015
  ○ 2 out of 3 infections driven by phishing attacks
  ○ Delivered by drive-by exploit kits
  ○ Hundreds of thousands of victims worldwide
• More variants: Locky and Samas
  ○ Now for Mac and Windows users
• Targeting bigger phish
  ○ $17K payment from a California hospital

CryptoGuard – Say Goodbye to Ransomware
• Simple and comprehensive
• Universally prevents spontaneous encryption of data
• Simple activation in Sophos Central
![Page 17: SOPHOS presentation used during the SWITCHPOINT NV/SA Quarterly Experience Day on 7th June 2016](https://reader035.vdocuments.site/reader035/viewer/2022062823/587742ea1a28ab342e8b73ef/html5/thumbnails/17.jpg)
17
CryptoGuard
1. Monitors file system activity.
2. When a file is opened for write, creates a just-in-time backup of the file.
3. When the file is closed, compares the contents.
4. When the file is no longer a document, marks it as suspicious.
5. If this happens on many files (3 or more), rolls back the files from the above backup and revokes write access from the process (or client IP) that made the changes.
6. All modifications are tracked per process or per client IP, so if a remote client modifies files, they are tracked, rolled back and blocked if needed.
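The six steps above, as an added toy model (example code written for this transcript, not Sophos code). The monitored volume is an in-memory dict, the "process" or "client IP" is a plain actor string, and the constructed sample files and the "is it still a document" test (known magic bytes, otherwise a Shannon-entropy threshold) are assumptions; the slide does not say how the real product classifies a file.

```python
"""Toy CryptoGuard: just-in-time backup, compare on close, roll back past a threshold."""
import math
import random
from collections import Counter, defaultdict

# Constructed: headers of the document types this toy recognises (PDF, OOXML zip, OLE2).
DOCUMENT_MAGIC = (b"%PDF", b"PK\x03\x04", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1")
ENTROPY_LIMIT = 6.0       # assumption: bits/byte above which content is treated as ciphertext
ROLLBACK_THRESHOLD = 3    # step 5: "3 or more" files from one actor


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8 for ciphertext, roughly 4-5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_document(data: bytes) -> bool:
    """Step 4's test: a known document header, or low-entropy (text-like) content."""
    return data.startswith(DOCUMENT_MAGIC) or shannon_entropy(data) < ENTROPY_LIMIT


class CryptoGuard:
    def __init__(self, volume: dict):
        self.volume = volume                 # path -> bytes: the monitored file system (step 1)
        self.backups = {}                    # (actor, path) -> bytes: just-in-time copies (step 2)
        self.modified = defaultdict(set)     # actor -> paths it wrote (step 6)
        self.suspicious = defaultdict(set)   # actor -> paths that stopped being documents (step 4)
        self.blocked = set()                 # actors whose write access was revoked (step 5)

    def _check_allowed(self, actor: str) -> None:
        if actor in self.blocked:
            raise PermissionError(f"write access revoked for {actor}")

    def open_for_write(self, actor: str, path: str) -> None:
        """Step 2: copy the file before the first byte is overwritten."""
        self._check_allowed(actor)
        self.backups.setdefault((actor, path), self.volume[path])

    def write(self, actor: str, path: str, data: bytes) -> None:
        self._check_allowed(actor)
        self.volume[path] = data
        self.modified[actor].add(path)

    def close(self, actor: str, path: str) -> None:
        """Steps 3-5: compare with the backup, mark, and roll back once the threshold is hit."""
        before = self.backups.get((actor, path))
        after = self.volume[path]
        if before is None or before == after:
            return
        if looks_like_document(before) and not looks_like_document(after):
            self.suspicious[actor].add(path)
        if len(self.suspicious[actor]) >= ROLLBACK_THRESHOLD:
            self.rollback_and_block(actor)

    def rollback_and_block(self, actor: str) -> None:
        """Step 5: restore every file this actor touched, then revoke its write access."""
        for path in self.modified[actor]:
            if (actor, path) in self.backups:
                self.volume[path] = self.backups[(actor, path)]
        self.blocked.add(actor)


def run_scenario():
    """Constructed run: one benign editor, one ransomware process encrypting four files."""
    volume = {
        "q2-report.pdf": b"%PDF-1.7\n% constructed sample\n1 0 obj << /Type /Catalog >>",
        "budget.xlsx": b"PK\x03\x04[Content_Types].xml constructed sample",
        "minutes.txt": b"Quarterly experience day minutes, 7 June: agenda, attendees, actions.",
        "todo.txt": b"1. call SwitchPoint  2. renew licences  3. test backups",
        "notes.txt": b"draft notes",
    }
    guard = CryptoGuard(volume)
    rng = random.Random(2016)   # deterministic stand-in for the ransomware's ciphertext

    # Benign edit: the file is still a text document afterwards, so nothing is flagged.
    guard.open_for_write("pid:100", "notes.txt")
    guard.write("pid:100", "notes.txt", b"draft notes, updated after the meeting")
    guard.close("pid:100", "notes.txt")

    # Ransomware as a local process; an SMB client would be tracked as e.g. "ip:10.0.0.7".
    denied = []
    for path in ("q2-report.pdf", "budget.xlsx", "minutes.txt", "todo.txt"):
        try:
            guard.open_for_write("pid:4242", path)
            guard.write("pid:4242", path, bytes(rng.getrandbits(8) for _ in range(4096)))
            guard.close("pid:4242", path)
        except PermissionError:
            denied.append(path)   # reached on the 4th file: the actor was blocked at the 3rd
    return guard, denied
```

In the run above the third overwrite trips the threshold, the three encrypted files are restored from their just-in-time copies and the fourth open is refused. The caveat a practitioner should note from the model: the threshold means the first two or three files are genuinely overwritten before anything happens, so the backup step, not the detection step, is what makes the approach lossless; and the actor key is per process or per client IP, so a crafted attack that spreads writes across many short-lived processes or many source addresses would have to be caught by another layer.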
![Page 18: SOPHOS presentation used during the SWITCHPOINT NV/SA Quarterly Experience Day on 7th June 2016](https://reader035.vdocuments.site/reader035/viewer/2022062823/587742ea1a28ab342e8b73ef/html5/thumbnails/18.jpg)
18
Hitman Pro: Exploit Mitigation
![Page 19: SOPHOS presentation used during the SWITCHPOINT NV/SA Quarterly Experience Day on 7th June 2016](https://reader035.vdocuments.site/reader035/viewer/2022062823/587742ea1a28ab342e8b73ef/html5/thumbnails/19.jpg)
19
Hitman Pro: Exploit Mitigation
![Page 20: SOPHOS presentation used during the SWITCHPOINT NV/SA Quarterly Experience Day on 7th June 2016](https://reader035.vdocuments.site/reader035/viewer/2022062823/587742ea1a28ab342e8b73ef/html5/thumbnails/20.jpg)
20
Hitman Pro: Exploit Mitigation
![Page 21: SOPHOS presentation used during the SWITCHPOINT NV/SA Quarterly Experience Day on 7th June 2016](https://reader035.vdocuments.site/reader035/viewer/2022062823/587742ea1a28ab342e8b73ef/html5/thumbnails/21.jpg)
21
Hitman Pro: Exploit Mitigation
![Page 22: SOPHOS presentation used during the SWITCHPOINT NV/SA Quarterly Experience Day on 7th June 2016](https://reader035.vdocuments.site/reader035/viewer/2022062823/587742ea1a28ab342e8b73ef/html5/thumbnails/22.jpg)
22
Hitman Pro: Safe Browsing
![Page 23: SOPHOS presentation used during the SWITCHPOINT NV/SA Quarterly Experience Day on 7th June 2016](https://reader035.vdocuments.site/reader035/viewer/2022062823/587742ea1a28ab342e8b73ef/html5/thumbnails/23.jpg)
23
Hitman Pro: Safe Browsing
![Page 24: SOPHOS presentation used during the SWITCHPOINT NV/SA Quarterly Experience Day on 7th June 2016](https://reader035.vdocuments.site/reader035/viewer/2022062823/587742ea1a28ab342e8b73ef/html5/thumbnails/24.jpg)
24
Hitman Pro: Removal Complete
![Page 25: SOPHOS presentation used during the SWITCHPOINT NV/SA Quarterly Experience Day on 7th June 2016](https://reader035.vdocuments.site/reader035/viewer/2022062823/587742ea1a28ab342e8b73ef/html5/thumbnails/25.jpg)
25
Hitman Pro: Removal Complete
![Page 26: SOPHOS presentation used during the SWITCHPOINT NV/SA Quarterly Experience Day on 7th June 2016](https://reader035.vdocuments.site/reader035/viewer/2022062823/587742ea1a28ab342e8b73ef/html5/thumbnails/26.jpg)
26
Sophos Sandstorm
How Sophos Sandstorm works
1. If the file is known malware it’s blocked immediately. If it’s otherwise suspicious and hasn’t been seen before, it is sent to the sandbox for further analysis. When web browsing, users see a patience message while they wait.
2. The file is detonated in the safe confines of the sandbox and monitored for malicious behaviour. A decision to allow or block the file is sent to the security solution once the analysis is complete.
3. A detailed report is provided for each file analyzed.
Advanced Threat Defense Made Simple. Available with: Secure Web Gateway, Secure Email Gateway, Unified Threat Management, Next-Gen Firewall.
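The three-stage flow above as an added example (written for this transcript, not Sophos code). Detonation is stood in for by a fake sandbox that returns a constructed behaviour trace per file hash, so the example runs offline; the suspicion heuristic, the behaviour rules and their weights (chosen to mirror the ransomware anatomy on slide 5), the BLOCK_SCORE threshold and the sample files are all assumptions.

```python
"""Toy Sandstorm gateway: known-bad lookup, seen-before cache, sandbox verdict, report."""
import hashlib
import os


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed samples standing in for downloads or attachments.
KNOWN_BAD = b"MZ\x90\x00constructed: previously classified dropper"
DOCM_RANSOM = b"PK\x03\x04constructed: macro-enabled document, never seen before"
INSTALLER = b"MZ\x90\x00constructed: vendor installer, never seen before"
BROCHURE = b"%PDF-1.7 constructed: plain brochure"

KNOWN_MALWARE = {sha256(KNOWN_BAD)}   # stage 1: blocked without detonation
SUSPICIOUS_EXT = {".exe", ".scr", ".js", ".docm", ".xlsm"}

# Stage 2: behaviour rules and weights (assumed), named after the steps on slide 5.
BEHAVIOUR_WEIGHTS = {
    "registry_run_key": 1,      # persistence via registry modification
    "c2_beacon": 1,             # contact with the command & control server
    "shadow_copy_delete": 2,    # removal of Windows shadow copies
    "mass_file_overwrite": 2,   # encryption of assets
    "self_delete": 1,           # "and gone"
}
BLOCK_SCORE = 3


def is_suspicious(filename: str, content: bytes) -> bool:
    """Stage 1 heuristic (assumed): native executables or active content get detonated."""
    ext = os.path.splitext(filename)[1].lower()
    return content.startswith(b"MZ") or ext in SUSPICIOUS_EXT


class FakeSandbox:
    """Stands in for detonation: scores a pre-recorded behaviour trace for the hash."""

    def __init__(self, traces: dict):
        self.traces = traces
        self.detonations = 0

    def detonate(self, digest: str) -> dict:
        self.detonations += 1
        events = self.traces.get(digest, [])
        hits = {e: BEHAVIOUR_WEIGHTS[e] for e in events if e in BEHAVIOUR_WEIGHTS}
        return {"sha256": digest, "events": events, "hits": hits, "score": sum(hits.values())}


class Gateway:
    def __init__(self, sandbox: FakeSandbox):
        self.sandbox = sandbox
        self.verdicts = {}   # sha256 -> "allow" | "block": the "hasn't been seen before" check

    def inspect(self, filename: str, content: bytes) -> dict:
        digest = sha256(content)
        if digest in KNOWN_MALWARE:
            return {"action": "block", "stage": "known-malware", "sha256": digest}
        if digest in self.verdicts:
            return {"action": self.verdicts[digest], "stage": "cached-verdict", "sha256": digest}
        if not is_suspicious(filename, content):
            return {"action": "allow", "stage": "not-suspicious", "sha256": digest}
        report = self.sandbox.detonate(digest)   # the user sees the patience page here
        action = "block" if report["score"] >= BLOCK_SCORE else "allow"
        self.verdicts[digest] = action
        return {"action": action, "stage": "sandbox", "sha256": digest, "report": report}


def run_scenario():
    """Constructed traffic: one known-bad file, two unseen files, one benign PDF, one repeat."""
    sandbox = FakeSandbox({
        sha256(DOCM_RANSOM): ["registry_run_key", "c2_beacon", "shadow_copy_delete",
                              "mass_file_overwrite", "self_delete"],
        sha256(INSTALLER): ["registry_run_key"],
    })
    gateway = Gateway(sandbox)
    results = [
        gateway.inspect("update.exe", KNOWN_BAD),
        gateway.inspect("invoice.docm", DOCM_RANSOM),
        gateway.inspect("setup.exe", INSTALLER),
        gateway.inspect("brochure.pdf", BROCHURE),
        gateway.inspect("invoice (1).docm", DOCM_RANSOM),   # same bytes: served from cache
    ]
    return gateway, results
```

The verdict cache is keyed on the file's hash, which is what "hasn't been seen before" amounts to: the second copy of the macro document is blocked without a second detonation, while a repacked build with even one byte changed would be a new hash and go back to the sandbox. That is also why stage 1 still matters: the sandbox only sees files the heuristic considers suspicious, so an active-content type missing from that list never gets detonated.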
![Page 27: SOPHOS presentation used during the SWITCHPOINT NV/SA Quarterly Experience Day on 7th June 2016](https://reader035.vdocuments.site/reader035/viewer/2022062823/587742ea1a28ab342e8b73ef/html5/thumbnails/27.jpg)
27
Summary
![Page 28: SOPHOS presentation used during the SWITCHPOINT NV/SA Quarterly Experience Day on 7th June 2016](https://reader035.vdocuments.site/reader035/viewer/2022062823/587742ea1a28ab342e8b73ef/html5/thumbnails/28.jpg)
28
TRADITIONAL MALWARE … ADVANCED THREATS (axis of the layered-defence diagram)
Methods and techniques vary depending on device type and operating system (Windows, Mac, Linux/Unix variants, Android, iOS), and SophosLabs never stops innovating and assessing new techniques.
I just want to be your everything
• Exposure prevention (80%): malicious URL blocking, malicious web script detection, download reputation
• Pre-execution analytics and heuristics (10%): generic matching using heuristics and component-level rules
• Signatures (5%): signature match of malware or malware components (1-1)
• Run-time behavior analytics (3%): behavior matching and runtime analytics
• Exploit detection (2%)
![Page 29: SOPHOS presentation used during the SWITCHPOINT NV/SA Quarterly Experience Day on 7th June 2016](https://reader035.vdocuments.site/reader035/viewer/2022062823/587742ea1a28ab342e8b73ef/html5/thumbnails/29.jpg)
29
More information
• Sophos whitepaper on how to stay protected from ransomware: https://www.sophos.com/en-us/medialibrary/Gated%20Assets/white%20papers/sophosransomwareprotectionwpna.pdf?la=en
• Sophos technical whitepaper on ransomware: https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-current-state-of-ransomware.pdf?la=en
• Naked Security – regular stories on Locky and other ransomware attacks: https://nakedsecurity.sophos.com/
• IT Security DOs and DON'Ts: https://www.sophos.com/en-us/medialibrary/PDFs/employeetraining/sophosdosanddontshandbook.pdf?la=en
• Threatsaurus: https://www.sophos.com/en-us/medialibrary/PDFs/other/sophosthreatsaurusaz.pdf?la=en
• Sophos free tools: https://www.sophos.com/fr-fr/products/free-tools.aspx
![Page 30: SOPHOS presentation used during the SWITCHPOINT NV/SA Quarterly Experience Day on 7th June 2016](https://reader035.vdocuments.site/reader035/viewer/2022062823/587742ea1a28ab342e8b73ef/html5/thumbnails/30.jpg)
30
Questions?
![Page 31: SOPHOS presentation used during the SWITCHPOINT NV/SA Quarterly Experience Day on 7th June 2016](https://reader035.vdocuments.site/reader035/viewer/2022062823/587742ea1a28ab342e8b73ef/html5/thumbnails/31.jpg)
31
© Sophos Ltd. All rights reserved.