Taking the battle to Ransomware with Sophos Intercept X
Download as PPTX, PDF1 like835 views
The document discusses Sophos Intercept X, a next-generation endpoint protection solution designed to combat various cyber threats, including advanced malware and ransomware. It highlights the evolution of security strategies from traditional anti-malware to comprehensive anti-exploit techniques, emphasizing features like behavior-based detection and automated incident response. Additionally, it outlines the importance of simplicity, comprehensive coverage, and the integration of machine learning for enhanced threat detection and prevention.
Taking the battle to Ransomware with Sophos Intercept X
- 1. INTERCEPT X THE NEXT STEP IN NEXT-GEN ENDPOINT PROTECTION Lars Putteneers Sales Engineer 23/03/2017
- 2. 1985 FOUNDED OXFORD, UK $450M IN FY15 BILLING (APPX.) 3,500 EMPLOYEES (APPX.) 200,000+ CUSTOMERS 100M+ USERS HQ OXFORD, UK 90+% BEST IN CLASS RENEWAL RATES 15,000+ CHANNEL PARTNERS OEM PARTNERS: KEY DEV CENTERS OFFICES Sophos snapshot
- 4. WHY
- 5. Melissa Virus 1999 $1.2B Love Letter Worm $15B 1998 $2.3B 2007 $800M 2014 Locky Ransomware $1.1B 2016 FinFischer Spyware 2003 $780M Exploit as a Service $500M 2015 Traditional Malware Advanced Threats The Evolution of Threats From Malware to Exploits
- 6. Traditional Malware Advanced Threats The Evolution of Security From Anti-Malware to Anti-Exploit Exposure Prevention URL Blocking Web/App/Dev Ctrl Download Rep Pre-Exec Analytics Generic Matching Heuristics Core Rules File Scanning Known Malware Malware Bits Run-Time Behavior Analytics Runtime Behavior Exploit Detection Technique Identification 80% 15% 5%
- 7. We believe 7 •Security must be: o Simple o Comprehensive oEasy to use o Single console •You need to have MORE SECURITY with LESS EFFORT
- 8. HOW
- 9. How we do it? 9 • Own worldwide Threat Research Center • Firewalls • Centrally managed endpoint protection • Sandboxing • Communication between endpoint & firewall
- 10. Heap Spray Use after Free Stack Pivot ROP Call OS function PREPARATION • Most exploit-based attacks consist of 2 or more exploit techniques • Exploit techniques do not change and are mandatory to exploit existing and future software vulnerabilities Intercepting Exploits Blocking Exploit Techniques vs Antivirus TRIGGERING GAIN CONTROL CIRCUMVENT (DEP) POST PAYLOAD DROP Memory Corruption /UaF In-Memory (Diskless) On Disk Ransomware Activity ! Sophos Intercept X Antivirus
- 11. WHAT
- 13. Cloud Endpoint Protection Advanced 13
- 14. Introducing
- 15. Introducing Sophos Intercept X ADVANCED MALWARE ZERO DAY EXPLOITS LIMITED VISIBILITY Anti-Exploit Prevent Exploit Techniques • Signatureless Exploit Prevention • Protects Patient-Zero / Zero-Day • Blocks Memory-Resident Attacks • Tiny Footprint & Low False Positives No User/Performance Impact No File Scanning No Signatures Automated Incident Response • IT Friendly Incident Response • Process Threat Chain Visualization • Prescriptive Remediation Guidance • Advanced Malware Clean Root-Cause Analysis Faster Incident Response Root-Cause Visualization Forensic Strength Clean Detect Next-Gen Threats • Stops Malicious Encryption • Behavior Based Conviction • Automatically Reverts Affected Files • Identifies source of Attack Anti-Ransomware Prevent Ransomware Attacks Roll-Back Changes Attack Chain Analysis
- 16. Intercepting Ransomware Monitor File Access • If suspicious file changes are detected, file copies are created Attack Detected • Malicious process is stopped and we investigate the process history Rollback Initiated • Original files restored • Malicious files removed Forensic Visibility • User message • Admin alert • Root cause analysis details available
- 17. Root Cause Analytics Understanding the Who, What, When, Where, Why and How 17
- 18. What we do differently 18 • Application Lockdown • Cryptoguard • Look at the complete chain/live of a process/application • Security heartbeat • Works besides other AV
- 19. What we do differently 19 Phishing Exploits Scripts Bad Devices Bad Apps Runtime (.exe) Office Docs Real Results
- 20. DEMO
- 21. Future?
- 22. Machine Learning: Pre-execution Malware Prevention & Detection 22
- 23. Complete Next-Gen Endpoint Protection Script-based Malware Malicious URLs Phishing Attacks Removable Media .exe Malware Non-.exe Malware Unauthorized Apps Exploits Invincea pre-execution malware prevention is highly scalable, fast, and effective, especially against zero-day threats. Invincea’s pioneering ML technology delivers high detection rates and very low FP rates, which is unique. Effective for run-time prevention of exploit-based malware such as ransomware. Sophos Intercept X thrives with next-gen exploit prevention capabilities. Heuristic detections based on the behaviors of execution to stop evasive malware before damage occurs. Knowing the source/reputation of a file, URL, email, etc. can prevent an attack before it happens. Includes technologies such as MTD, download reputation, URL filtering, secure email gateway, etc. For server or locked-down endpoint environments, app control prevents unknown / unwanted apps from running. The only effective defense against in-memory malware. The only effective way to set policy to ensure removable media cannot put an organization at risk. Provides reliable detection of script, document, and macro malware, and an efficient first line of defense against known executable variants. Synchronized Security Sophos Central Mgmt..doc .xls .pdf 23 Root Cause Analytics
- 24. Questions?
Editor's Notes
- #6: Anti-M Better, so threats more adv, coord Virus/Sigs, Poly/Heuristics – Sandbox/Sleep Malware to Hacking Spray/Pray focus payload Creds/Remote Access – focus approach
- #7: Like threats, security had to evolve File scan, Heuristics, Limit Surface (Prevent) Good, but reactive, focus history, known, defense Move to proactive, unk, offense Why? The move to hacking What if legit creds, apps, systems…
- #11: Stopping the attack pre-execution of the malicious payload.
- #17: Monitor for distinct changes in the file headers