Slide 1: Next-Generation Enduser Protection
Giovanni Giovannelli, Sales Engineer, giovanni.giovannelli@sophos.com

Slide 2: What’s the difference between Next-Gen Enduser Protection and Galileo?
Next-Gen Enduser Protection: Integration of innovative endpoint, mobile and encryption technologies to deliver better, simpler-to-manage security for enduser devices and data.
Galileo: Connecting our next-gen network, server and enduser products to each other and to Sophos Cloud so the entire organization is better protected—simply.

Slide 3: The pitch

Slide 4: Increasing attacks, increasing sophistication
Attack surface exponentially larger: laptops/desktops, phones/tablets, virtual servers/desktops.
Threats more sophisticated.
Attacks are more coordinated than defenses.

Slide 5: Today’s security approach is falling behind
INCOMPLETE: always one more thing to deploy and manage.
COMPLICATED: too hard to configure, too much to monitor.
INEFFECTIVE: not keeping up with advanced threats.

Slide 6: Result: Compromises are growing
63,497 security incidents in 2013; 1,367 confirmed data breaches.
Affected segments: Banking, Credit, Financial; Hospitality; Government, Military; Utilities; Retail and other business.
Source: Verizon Data Breach Investigations Report 2014

Slide 7: What we believe
Security must be comprehensive: the capabilities required to fully satisfy customer needs.
Security can be made simple: platform, deployment, licensing, user experience.
Security is more effective as a system: new possibilities through technology cooperation.

Slide 8: Project Galileo (Sophos Confidential)
Next-Gen Network Security, Next-Gen Server Protection and Next-Gen Enduser Protection: technology integration that enables complete, simple-to-manage security that works effectively as a system.

Slide 9: The Endpoint Has Changed
[Diagram labels: Corporate Perimeter, VPN, Cloud Services.]

Slide 10: “Prevention is ideal, but detection is a must.”
Endpoint Security Needs to Change
[Diagram: before, Prevent Malware and Data; after, Prevent Malware, Detect Compromises, Remediate Threats, Encrypt Data.]

Slide 11: Next-Generation Enduser Protection
[Diagram labels: Policy & Management; Endpoint; Mobile; Encryption; Compromise Detection & Response; Sophos Cloud; Threat Intelligence from SophosLabs (Big Data, Automation, Leveraged Expertise).]

Slide 12: Innovative Endpoint Security is Key to NGEUP
It used to be that files got infected. Now systems get infected.
[Diagram: Sophos System Protector components: Threat Engine, Application Control, Reputation, Emulator, HIPS/Runtime Protection, Malicious Traffic Detection, Web Protection, Live Protection, App Tracking, Device Control.]

Slide 13: Why Malicious Traffic Detection?
[Diagram: command and control traffic.]
Without MTD: no visibility into compromised systems communicating with attackers.
MTD-like features on the firewall: detection of a compromised system on the network; no remediation or info about the infection.
MTD in the endpoint: detection on or off network, detailed info about the compromised system, potential remediation.

Slide 14: How Malicious Traffic Detection Works
[Diagram: SophosLabs feeds (URL database, Malware Identities, HIPS rules, Genotypes, File look-up, Reputation, Apps, SPAM, Data Control, Peripheral Types, Anon. proxies, Patches/Vulnerabilities, Whitelist, MTD rules). Flow: malicious traffic detected → compromise (User | System | File) → app terminated, admin alerted.]

Slide 15: Example: Stopping a new variant of Cryptowall
[Diagram: Sophos System Protector components as on slide 12.]
1. User runs something they shouldn’t. It adds a new application to the startup folder.
2. The application runs and injects itself into explorer.exe.
3. Explorer.exe tries to fetch an encryption key from C&C.
4. Threat removed, admin alerted.
5. Malware and threat indicators shared with SophosLabs.

Slide 16: Galileo: Network + Endpoint = ATP
[Diagram: SophosLabs feeds as on slide 14. Galileo Heartbeat links the endpoint (Sophos System Protector: Threat Engine, Application Control, Application Reputation, Emulator, HIPS/Runtime Protection, Malicious Traffic Detection, Web Filtering, Live Protection, Device Control, Device & File Encryption, Threat Event Collector, Indicator of Compromise Tracking) and the firewall (Email, Web Filtering, Intrusion Prevention System, App Control, ATP Detection, Selective Sandbox, Threat Engine, Proxy, Data Loss Protection, Routing, Threat Event Receiver, Threat Event Collector, Compromise Detector). Compromise: User | System | File.]
Response options:
• Isolate Subnet and WAN Access
• Lockdown Local Network Access
• Block Suspected Source
• Remove File Encryption Keys

Slide 17: Galileo: Endpoint Heart Attack
[Diagram: same as slide 16, with the heartbeat from the compromised endpoint lost (X). Compromise: User | System | File.]
Response options:
• Lockdown Local Network Access
• Remove File Encryption Keys

Slide 18: © Sophos Ltd. All rights reserved.

Editor's Notes

  • #5: Number of breaches over the past few years. Threats are more sophisticated/advanced. Attacks are coordinated but defenses are not. Attack surface exponentially larger: laptops/desktops, mobile phones/tablets, virtual servers/desktops. There is no perimeter. Hackers are not in it for fun; these are professional businesses motivated by money. % of threats that are considered advanced; % of threats that are not signature based; % of threats that can evade a single technology; how quickly malware can evade a new signature/block.
  • #10: Over the past several years, the endpoint has changed. Endpoints used to be primarily Windows PCs housed on site, within a firewalled perimeter. Now endpoints include employee- and employer-owned PCs, Macs, Androids, iPhones and iPads. They access corporate servers and cloud services inside and outside the perimeter.
  • #11: Endpoint security used to be about stopping malware from infecting Windows PCs on the network. Now it has to evolve to not only prevent malware, but also detect machines that are already compromised and help remediate detected threats on a variety of workstation and mobile platforms. Endpoint security also has to include a focus on the data, ensuring it is encrypted and accessible only to authorized users regardless of where the data lives.
  • #12: Sophos Next-Generation Enduser Protection builds on our existing endpoint, mobile, and encryption protection. In addition to strengthening each component with innovative new technology, we’re connecting endpoint, mobile, and encryption via Sophos Cloud. This allows us to not only integrate the policy setting and management experience, but also to correlate data among devices over time to detect and respond to advanced threats that would be missed by traditional products. All of this is made possible by SophosLabs, which bakes global, cloud-based threat intelligence into the products. This means that Sophos, rather than the customer, is doing the hard work of staying on top of the latest threats, figuring out how to identify them, and knowing what to do about them.
  • #13: One core component of NGEUP is the sophisticated endpoint agent used in our Windows and Mac endpoint security products. A streamlined version of it is also used in Sophos Mobile Security, our anti-malware product for Android. All of the components shown here work together to prevent, detect, and respond effectively to malware, even malware that we’ve never seen before. The items in orange are new components that will be added over the coming 12 months or so. Also within the next 12 months, the emulator, shown in teal, will be replaced with a complete update that is faster and more effective at detecting previously-unseen malware before it has a chance to execute.
  • #14: Both botnets and targeted attacks make use of “command & control” servers operated by the attacker to send commands to tell the malware what to do. Traditional AV focuses on stopping the malware from running in the first place. Once it’s already running, it’s too late. If we can detect the malicious network traffic from the endpoint to the command and control server, we can see that the machine is infected and respond accordingly. We can do this today in our UTM. Soon, we’ll add the capability right into the endpoint.
  • #15: Here we see a PC that’s infected and communicating with a C&C server. The Malicious Traffic Detector, which is just another component of the endpoint agent, compares the traffic to a set of rules provided by SophosLabs and detects that this traffic indicates a compromise. The endpoint agent notifies the management console, which alerts the admin. Because this is all happening within the endpoint, we can tell the admin which computer is infected, which application is causing the problem, and what user is currently logged in to the computer. In many cases, the console can instruct the endpoint agent to terminate the application causing the problem. This will stop the malware from running and end the communication with the C&C server.
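Note #15 and the Cryptowall walkthrough on slide 15 describe the same decision: the agent compares each outbound connection to SophosLabs-supplied rules and, on a match, reports user, system and file and may terminate the offending process. The Python below is an added illustration of that logic, not Sophos code and not the MTD rule format; the rule shapes, the PROTECTED_PROCESSES policy (alert but do not kill explorer.exe, since the Cryptowall case injects into it), the addresses, hostnames and telemetry are all constructed.

```python
"""Endpoint-side malicious traffic detection (MTD) modelled in Python.

Constructed example: rule shapes, IPs and hostnames are made up and are
not SophosLabs rules or any product's data format."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed MTD-style rules. Each matches one attribute of an outbound connection.
MTD_RULES = [
    {"id": "mtd-001", "kind": "dst_net", "value": "203.0.113.0/24", "family": "constructed-botnet"},
    {"id": "mtd-002", "kind": "host_re", "value": r"^[a-z]{16}\.example$", "family": "constructed-dga"},
    {"id": "mtd-003", "kind": "uri_re", "value": r"/gate\.php\?id=", "family": "constructed-panel"},
]

# Processes the agent alerts on but does not terminate, because killing them
# disrupts the user session more than the infection does (constructed policy).
PROTECTED_PROCESSES = {r"c:\windows\explorer.exe", r"c:\windows\system32\svchost.exe"}


@dataclass
class ConnectionEvent:
    """One outbound connection as recorded by the endpoint agent (constructed shape)."""
    system: str
    user: str
    process: str   # image path of the process that opened the connection
    pid: int
    dst_ip: str
    dst_port: int
    dst_host: str = ""
    uri: str = ""


@dataclass
class Compromise:
    """What the console gets: which rule, which machine, which user, which file."""
    rule_id: str
    family: str
    system: str
    user: str
    file: str
    pid: int
    action: str    # "alert" or "terminate+alert"


def rule_matches(rule, ev):
    kind, value = rule["kind"], rule["value"]
    if kind == "dst_net":
        return ip_address(ev.dst_ip) in ip_network(value)
    if kind == "host_re":
        return bool(ev.dst_host) and re.search(value, ev.dst_host.lower()) is not None
    if kind == "uri_re":
        return bool(ev.uri) and re.search(value, ev.uri) is not None
    raise ValueError(f"unknown rule kind {kind!r}")


def detect(events, rules=MTD_RULES):
    """Compare each connection to the rule set; emit one compromise record per first match."""
    findings = []
    for ev in events:
        for rule in rules:
            if rule_matches(rule, ev):
                action = "alert" if ev.process.lower() in PROTECTED_PROCESSES else "terminate+alert"
                findings.append(Compromise(rule["id"], rule["family"], ev.system,
                                           ev.user, ev.process, ev.pid, action))
                break
    return findings


# Constructed sample telemetry: a browser on a normal site, explorer.exe injected and
# calling out to C&C (the Cryptowall pattern), and a dropped binary on a DGA-style host.
SAMPLE_EVENTS = [
    ConnectionEvent("WS-GREEN", "alice", r"C:\Program Files\Browser\browser.exe", 4100,
                    "192.0.2.10", 443, "www.example.com", "/"),
    ConnectionEvent("WS-GREEN", "alice", r"C:\Windows\explorer.exe", 1337,
                    "203.0.113.5", 443, "", "/gate.php?id=ws1"),
    ConnectionEvent("WS-GREEN", "alice", r"C:\Users\alice\AppData\Roaming\updater.exe", 5222,
                    "198.51.100.9", 80, "qwertyuiopasdfgh.example", "/"),
]

if __name__ == "__main__":
    for c in detect(SAMPLE_EVENTS):
        print(f"{c.system}: rule {c.rule_id} ({c.family}) user={c.user} "
              f"file={c.file} pid={c.pid} -> {c.action}")
```

The design point worth noticing is the action split: the injected explorer.exe case still produces the full User | System | File record for the admin, but the agent only alerts rather than terminating, which is the "in many cases" caveat in the note made explicit.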
  • #17: Intro. Galileo is a connected security system that is surprisingly simple, to prevent, detect and respond to malware, APTs and targeted attacks. How: by sharing context between the Next Generation Endpoint and the Next Generation Firewall using the Galileo Heartbeat. Let’s go through an example of how this happens.

Diagram orientation. On the left we have our next-gen endpoint with all the great features we already have and are adding. On the right we have our next-gen firewall with all those great features. On the top, SophosLabs with all the rules and services that our products and customers use.

Clicks. In this example we’ll go through the green endpoint being compromised. Once it is first compromised, the attacker tries to establish themselves on the system. The orange line represents the backdoor malware being downloaded through the system, from right to left (outside to inside), going through the UTM and endpoint on the way in. It turns the corner on the left as it starts to execute, then reaches out to servers (left to right) for command and control, maybe downloading further malware.

At this point the ATP feature on the UTM detects network traffic to a malicious server (say C&C) using SophosLabs APT rules. This feature is already in UTM 9.2 and, although a great feature, can only report to the console what it sees at the network level, source and destination addresses for example. Useful, but not simple to work out exactly what sent the traffic.

This is where Galileo Heartbeat comes in. It is a secure communication mechanism between the Next Gen Endpoint and the Next Gen Firewall. It tells the Next Gen Endpoint the relationship between the network addresses and the machine that sent the traffic. So when the ATP feature detects the malicious traffic, it knows which endpoint sent the traffic. It uses Heartbeat to check and ask the machine whether it did send it, to confirm. The machine can answer in two ways: no it didn’t, or yes it did.

If it didn’t, you’ve got another problem on your network: a machine is spoofing an IP address on your network and sending malicious traffic. If it did, the machine, which is recording all the outbound network accesses, can report the full context of what was going on: confirm which machine it was, which user was logged in, and the process and file that caused the malicious traffic. This gives the admin much better visibility of the threat, which you just can’t get with the firewall working on its own.

Now that we have the context of the source of the threat, this opens up a realm of new possibilities. Because we can identify the machine, we can isolate it on the network, at both the Next Gen Firewall and the Next Gen Endpoint, preventing further network access and potential data loss. And because we know the file, and we track executables across every system, we can list where else the file is on the customer’s network (possibly dormant) and lock down those systems as well, or give the admin the option to block the file on every machine it’s found on, send it to a Cloud Sandbox for evaluation by SophosLabs, or isolate those other machines from the network.

There’s more. Sophos provides device encryption (encrypting the device in case it is lost or stolen) and file encryption (automatically encrypting and decrypting files shared between users, including files shared through cloud drop-box services). Because the malware is running on the machine while the user is logged in, the malware can see all the same files the user can see, including the sensitive files they are sharing. What the Next Gen Firewall can tell the Next Gen Endpoint to do (using Heartbeat) is remove the file encryption keys from the machine running the malware. The malware can no longer access unencrypted files on the machine or in the cloud drop-box services, stopping data loss.

Other users can still see the data fine, as they still have the keys, and of course once the machine is fixed we can put the keys back on the machine to decrypt the files once again.
  • #18: And now, because we expect a Heartbeat from our protected machines, we can use it to identify compromised machines in a different way: the Heart Attack. This time the malware is not subtle and tries to disable our software. The heartbeat disappears. The Next Gen Firewall sees that the expected Heartbeat is gone but still sees traffic coming from the machine. This is alerted to the user as a potential compromise of that system. And because we know which machine it is, we can offer the administrator the same set of remediation steps as before.
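Notes #17 and #18 describe two correlations the firewall can make once it receives a heartbeat from managed endpoints: confirm an ATP detection with the machine that supposedly sent the traffic (treating a denial as a possible IP-spoofing problem), and raise an alert when traffic keeps arriving from an address whose heartbeat has stopped. The Python below is an added model of both, not the Galileo Heartbeat protocol or Sophos code; the Endpoint, HeartbeatRegistry and Flow classes, the timeouts, and the hosts and addresses in run_demo() are constructed for the illustration.

```python
"""Firewall/endpoint correlation over a heartbeat channel, modelled in Python.

Constructed example: message shapes, timeouts, addresses and hostnames are
invented for illustration and are not the Galileo Heartbeat protocol."""
from dataclasses import dataclass, field

HEARTBEAT_TIMEOUT = 90   # seconds without a heartbeat before a host counts as silent (constructed)
CONFIRM_WINDOW = 5       # tolerated skew between the firewall's flow time and the endpoint's record

# Remediation options from slide 16 / note #17 (offered again for a heart attack, note #18).
RESPONSES = [
    "isolate subnet and WAN access",
    "lock down local network access",
    "block suspected source",
    "remove file encryption keys",
]


@dataclass
class Endpoint:
    """Stand-in for an endpoint agent that records its own outbound connections."""
    name: str
    ip: str
    user: str
    connections: list = field(default_factory=list)  # (ts, process, file, dst_ip, dst_port)

    def confirm(self, dst_ip, dst_port, ts):
        """Answer the firewall's 'did you send this?' query with full context, or None."""
        for c_ts, process, path, d_ip, d_port in self.connections:
            if (d_ip, d_port) == (dst_ip, dst_port) and abs(c_ts - ts) <= CONFIRM_WINDOW:
                return {"system": self.name, "user": self.user, "process": process, "file": path}
        return None


class HeartbeatRegistry:
    """Firewall-side table: which managed endpoint last spoke for which address, and when."""
    def __init__(self):
        self.by_ip = {}

    def beat(self, endpoint, ts):
        self.by_ip[endpoint.ip] = (endpoint, ts)

    def lookup(self, ip, now):
        if ip not in self.by_ip:
            return None, "unmanaged"
        endpoint, last_seen = self.by_ip[ip]
        return endpoint, ("alive" if now - last_seen <= HEARTBEAT_TIMEOUT else "silent")


@dataclass
class Flow:
    ts: int
    src_ip: str
    dst_ip: str
    dst_port: int
    atp_hit: bool = False   # the firewall's ATP feature matched this flow


def handle_atp_detection(flow, registry):
    """ATP sees C&C traffic, the heartbeat table names the machine, the machine confirms."""
    endpoint, _state = registry.lookup(flow.src_ip, flow.ts)
    if endpoint is None:
        return {"verdict": "unmanaged_source", "src_ip": flow.src_ip}
    context = endpoint.confirm(flow.dst_ip, flow.dst_port, flow.ts)
    if context is None:
        # The managed host denies sending it: something else is using its address.
        return {"verdict": "possible_ip_spoofing", "src_ip": flow.src_ip, "claimed_by": endpoint.name}
    return {"verdict": "confirmed_compromise", **context, "responses": RESPONSES}


def heart_attack_sweep(flows, registry, now):
    """Heartbeat stopped, but the firewall still sees recent traffic from that address."""
    alerts = {}
    for f in flows:
        if now - f.ts > HEARTBEAT_TIMEOUT:
            continue
        endpoint, state = registry.lookup(f.src_ip, now)
        if endpoint is not None and state == "silent":
            alerts[f.src_ip] = {"verdict": "heartbeat_lost_traffic_seen",
                                "system": endpoint.name, "responses": RESPONSES}
    return alerts


def run_demo():
    """Constructed scenario covering the confirmed, spoofed and heart-attack cases."""
    green = Endpoint("WS-GREEN", "10.0.0.10", "alice", [
        (118, r"C:\Windows\explorer.exe", r"C:\Users\alice\AppData\Roaming\updater.exe",
         "198.51.100.7", 443)])
    blue = Endpoint("WS-BLUE", "10.0.0.11", "bob")
    red = Endpoint("WS-RED", "10.0.0.12", "carol")
    reg = HeartbeatRegistry()
    for ep in (green, blue, red):
        reg.beat(ep, 100)
    reg.beat(green, 280)   # green keeps beating; red goes quiet after t=100
    flows = [
        Flow(120, "10.0.0.10", "198.51.100.7", 443, atp_hit=True),   # green really sent this
        Flow(125, "10.0.0.11", "198.51.100.7", 443, atp_hit=True),   # blue's address, not blue
        Flow(290, "10.0.0.12", "192.0.2.20", 443),                  # red: traffic, no heartbeat
        Flow(291, "10.0.0.10", "192.0.2.30", 443),                  # green: traffic, heartbeat ok
    ]
    atp = [handle_atp_detection(f, reg) for f in flows if f.atp_hit]
    return {"atp": atp, "heart_attack": heart_attack_sweep(flows, reg, now=300)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The confirm step is what turns the firewall's source address into User | System | File: the endpoint answers from its own connection log rather than the firewall trusting the address, which is why a denial is worth its own verdict instead of being dropped.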