This Is Next-Gen IT Security
Mark Loman
Director of Engineering, Next-Gen Technologies
The Evolution of Threats: From Malware to Exploits
[Timeline chart, 1998 to 2016, of Traditional Malware giving way to Advanced Threats, with an estimated damage figure per threat: Melissa Virus, Love Letter Worm, FinFischer Spyware, Locky Ransomware, Exploit as a Service; figures range from $500M to $15B]
The Evolution of Security: From Anti-Malware to Anti-Exploit
[Diagram of protection layers, from Traditional Malware to Advanced Threats]
• Exposure Prevention: URL Blocking, Web/App/Dev Ctrl, Download Rep
• Pre-Exec Analytics: Generic Matching, Heuristics, Core Rules
• File Scanning: Known Malware, Malware Bits
• Run-Time Behavior Analytics: Runtime Behavior
• Exploit Detection: Technique Identification
Threat Landscape 2016
Malvertising Threat Chain [diagram: Third Party, Ad Network, RTB]
No Site Is Immune
Exploits As a Service [diagram: Victims, Initial Request, Redirection, Landing Page; Gateway Servers; Malware Distribution Servers (Exploits, Malicious Payloads, Stats); Management Panel over Tor used by the Exploit Kit Admin and Exploit Kit Customers: Get Current Domain, Get Stats, Update payloads]
Ransomware
Ransomware Evolves
Evolutionary Threat Trends (Threats to Targets)
• Known to Unknown: 75% of malware inside an organization is unique to that organization
• Large to Small Business: 70% of all organizations reported a compromise in the last 12 months
• Simple to Industrialized: As Malware-as-a-Service platforms evolve, payloads are being monetized on the Dark Web with the same market pressures we see govern any industry
• Volume to Targeted: Exploit kits cause over 90% of all data breaches
• Malware to Hacking: 63% of data breaches involve stolen credentials
• Everyone to Weakest: Average time to fix vulnerabilities is 193 days
Sources cited on the slide: Sophos Labs, NSS Labs, WhiteHat Security, Verizon DBIR, FBI / InfoSec London
Anatomy of an Advanced Attack
Introducing
Introducing Sophos Intercept X
ADVANCED MALWARE | ZERO DAY EXPLOITS | LIMITED VISIBILITY
Anti-Exploit
Prevent Exploit Techniques
• Signatureless Exploit Prevention
• Protects Patient-Zero / Zero-Day
• Blocks Memory-Resident Attacks
• Tiny Footprint & Low False Positives
No User/Performance Impact
No File Scanning
No Signatures
Automated Incident Response
• IT Friendly Incident Response
• Process Threat Chain Visualization
• Prescriptive Remediation Guidance
• Advanced Malware Clean
Root-Cause Analysis
Faster Incident Response
Root-Cause Visualization
Forensic Strength Clean
Detect Next-Gen Threats
• Stops Malicious Encryption
• Behavior Based Conviction
• Automatically Reverts Affected Files
• Identifies source of Attack
Anti-Ransomware
Prevent Ransomware Attacks
Roll-Back Changes
Attack Chain Analysis
Intercepting Exploits
Vulnerabilities vs Exploits vs Exploit Techniques
[Chart of total count over time: vulnerabilities (1,000s/yr, addressed by patching), public exploits (100s/yr, addressed by prior knowledge of public attacks: signatures / behaviors), exploit techniques (10s)]
100,000,000+ new malware each year
Intercepting Exploits
Blocking Exploit Techniques vs Antivirus
[Diagram of an exploit chain by stage: Preparation (Heap Spray), Triggering (Use after Free), Gain Control (Stack Pivot, ROP), Circumvent DEP (Call OS function), Post (Ransomware activity); rows compare Antivirus and Sophos Intercept X]
• Most exploit-based attacks consist of 2 or more exploit techniques
• Exploit techniques do not change and are mandatory to exploit existing and future software vulnerabilities
Example Code Execution Flow
[Diagram: over time, machine code in User Space makes an API call into a System DLL, which issues a System call into the Kernel and on to the Processor]
On Execute File Scanning (Antivirus)
[Diagram: the file on disk is checked (signature check) when the process is created, at the System call (e.g. CreateProcess); no attention is paid to the machine code that called CreateProcess]
Stack-based ROP Mitigations (Microsoft EMET)
[Diagram: the check runs at the API call (VirtualProtect) and inspects the stack; during ROP attacks the stack contains no reliable data, the attacker has control over the steps (stack) and can manipulate the defender]
Branch-based ROP Mitigations (Hardware Assisted) (Sophos Intercept X)
[Diagram: software stack and hardware-traced branch analysis (manipulation resistant) at VirtualProtect and CreateProcess; leverages and repurposes a previously unused feature in mainstream Intel® processors]
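The difference the two ROP slides draw, as an added example that is not Intercept X code: a stack-based caller check only sees the return address the stack presents at API entry, while a check over recorded branches sees where each RET actually came from. The code map, the (from, to) branch-record format and the gadget thresholds are constructed for this illustration; a real implementation reads the processor's Last Branch Record at the monitored API.

```python
"""Stack-based versus branch-record-based ROP checks at a monitored API call.
Added example, not Intercept X code: CODE, the (from, to) record format and the
thresholds are constructed for this illustration."""
from dataclasses import dataclass

# Constructed program image: address -> (mnemonic, instruction length in bytes).
# 0x10xx is application code; 0x2000 stands in for a system DLL export (VirtualProtect).
CODE = {
    0x1000: ("push", 1), 0x1001: ("call", 5),    # legitimate call into 0x2000
    0x1006: ("mov", 3),  0x1009: ("ret", 1),     # 0x1006 is the genuine return site
    0x1040: ("pop", 1),  0x1041: ("ret", 1),     # gadget: pop ; ret
    0x1050: ("xchg", 2), 0x1052: ("ret", 1),     # gadget: xchg ; ret
    0x1060: ("call", 5), 0x1065: ("ret", 1),     # 0x1065 follows a call but leads to a ret
    0x2000: ("mov", 3),  0x2003: ("syscall", 2), 0x2005: ("ret", 1),
}


def call_preceded(addr: int) -> bool:
    """True if `addr` directly follows some CALL, i.e. is a plausible return site."""
    return any(m == "call" and a + n == addr for a, (m, n) in CODE.items())


def stack_check(return_address_on_stack: int) -> bool:
    """EMET-style caller check at API entry: trusts whatever return address the stack holds."""
    return call_preceded(return_address_on_stack)


def gadget_length(start: int, stop: int) -> int:
    """Instructions executed from `start` up to and including the branch at `stop`."""
    addr, count = start, 0
    while addr in CODE and count < 64:
        count += 1
        if addr == stop:
            return count
        addr += CODE[addr][1]
    return 64   # left the map or ran long: not a short gadget


@dataclass
class Verdict:
    allowed: bool
    reasons: list


def branch_check(records, max_gadget: int = 3, chain_limit: int = 2) -> Verdict:
    """Branch-record check: every recorded RET must land on a call-preceded address,
    and `chain_limit` consecutive short gadgets stitched together by returns are flagged."""
    reasons, short_run = [], 0
    for i, (src, dst) in enumerate(records):
        if CODE.get(src, ("?", 0))[0] != "ret":
            short_run = 0                       # calls and direct jumps reset the run
            continue
        if not call_preceded(dst):
            reasons.append(f"ret at {src:#x} landed on {dst:#x}, which follows no call")
        nxt = records[i + 1][0] if i + 1 < len(records) else None
        if nxt is not None and gadget_length(dst, nxt) <= max_gadget:
            short_run += 1
            if short_run >= chain_limit:
                reasons.append(f"{short_run} consecutive short gadgets ending at {nxt:#x}")
        else:
            short_run = 0
    return Verdict(allowed=not reasons, reasons=reasons)


# Constructed branch records (from, to) as the processor would have captured them.
LEGIT_RECORDS = [(0x1001, 0x2000)]                                     # plain call into the DLL
ROP_RECORDS = [(0x1041, 0x1050), (0x1052, 0x1040), (0x1041, 0x2000)]   # gadgets chained by ret
STACK_RETURN = 0x1006   # both histories present the same call-preceded return address:
                        # at API entry the stack alone cannot tell them apart


def compare() -> dict:
    """Verdicts as (stack_check, branch_check) for the benign and the ROP history."""
    return {
        "legit": (stack_check(STACK_RETURN), branch_check(LEGIT_RECORDS).allowed),
        "rop": (stack_check(STACK_RETURN), branch_check(ROP_RECORDS).allowed),
    }
```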
Intercepting Exploit Techniques (Overview)
• Stack Pivot: Stops abuse of the stack pointer
• Stack Exec: Stops attacker's code on the stack
• Stack-based ROP Mitigations: Stops standard Return-Oriented Programming attacks
• Branch-based ROP Mitigations (Hardware Assisted): Stops advanced Return-Oriented Programming attacks
• Import Address Table Filtering (IAF) (Hardware Assisted): Stops attackers that look up API addresses in the IAT
• SEHOP: Protects against overwriting of the structured exception handler
• Load Library: Prevents loading of libraries from UNC paths
• Reflective DLL Injection: Prevents loading of a library from memory into a host process
• Shellcode: Stops code execution in the presence of exploit shellcode
• VBScript God Mode: Prevents abuse of VBScript in IE to execute malicious code
• WoW64: Stops attacks that address 64-bit functions from a WoW64 (32-bit) process
• Syscall: Stops attackers that attempt to bypass security hooks
• Enforce Data Execution Prevention (DEP): Prevents abuse of buffer overflows
• Mandatory Address Space Layout Randomization (ASLR): Prevents predictable code locations
• Bottom Up ASLR: Improved code location randomization
• Null Page (Null Dereference Protection): Stops exploits that jump via page 0
• Heap Spray Allocation: Pre-allocates common memory areas to block example attacks
• Dynamic Heap Spray: Stops attacks that spray suspicious sequences on the heap
• VTable Hijacking: Helps to stop attacks that exploit virtual tables in Adobe Flash Player
• Hollow Process: Stops attacks that use legitimate processes to hide hostile code
• DLL Hijacking: Gives priority to system libraries for downloaded applications
• Application Lockdown: Stops logic-flaw attacks that bypass mitigations
• Java Lockdown: Prevents attacks that abuse Java to launch Windows executables
• AppLocker Bypass: Prevents regsvr32 from running remote scripts and code
Intercepting Ransomware
Monitor File Access
• If suspicious file changes are detected, file copies are created
Attack Detected
• Malicious process is stopped and we investigate the process history
Rollback Initiated
• Original files restored
• Malicious files removed
Forensic Visibility
• User message
• Admin alert
• Root cause analysis details available
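The four steps above (monitor, detect, roll back, alert) as a runnable simulation; this is an added example, not Sophos code. The write-event format, the entropy thresholds, the three-strike conviction rule and the sample files are all assumptions made for the illustration.

```python
"""Simulation of the interception flow on the slide: copy a file before a suspicious
change lands, stop the process once its changes look like encryption, roll the originals
back and alert. Added example, not Sophos code; format and thresholds are assumptions."""
import math
import random
from collections import defaultdict
from dataclasses import dataclass, field

HIGH_ENTROPY = 7.0   # bits per byte; ciphertext sits close to 8.0
ENTROPY_JUMP = 3.0   # rise versus the previous content that points at encryption
CONVICT_AFTER = 3    # suspicious changes by one process before it is stopped


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    counts = [data.count(bytes([v])) for v in range(256)] if data else []
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)


@dataclass
class WriteEvent:
    pid: int
    path: str
    content: bytes        # full file content after the write
    renamed_to: str = ""  # rename that follows the write, "" if none


@dataclass
class Monitor:
    files: dict                                                        # simulated disk
    shadows: dict = field(default_factory=lambda: defaultdict(list))   # pid -> copies
    strikes: dict = field(default_factory=lambda: defaultdict(int))
    stopped: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    def looks_like_encryption(self, old: bytes, ev: WriteEvent) -> bool:
        """Content turned high-entropy, or the file was given a new extension."""
        new_ent = shannon_entropy(ev.content)
        entropy_signal = new_ent >= HIGH_ENTROPY and new_ent - shannon_entropy(old) >= ENTROPY_JUMP
        ext_changed = bool(ev.renamed_to) and ev.renamed_to.rsplit(".", 1)[-1] != ev.path.rsplit(".", 1)[-1]
        return entropy_signal or ext_changed

    def handle(self, ev: WriteEvent) -> str:
        """Process one write; returns 'blocked', 'allowed', 'copied' or 'convicted'."""
        if ev.pid in self.stopped:
            return "blocked"                 # a stopped process gets no further writes
        old = self.files.get(ev.path, b"")
        suspicious = self.looks_like_encryption(old, ev)
        if suspicious:                       # keep the original before the change lands
            self.shadows[ev.pid].append((ev.path, old, ev.renamed_to or ev.path))
        self.files.pop(ev.path, None)        # the write (and rename) go through
        self.files[ev.renamed_to or ev.path] = ev.content
        if not suspicious:
            return "allowed"
        self.strikes[ev.pid] += 1
        if self.strikes[ev.pid] < CONVICT_AFTER:
            return "copied"
        self.stopped.add(ev.pid)             # attack detected: stop, roll back, alert
        restored = self.rollback(ev.pid)
        self.alerts.append(f"pid {ev.pid} stopped after {self.strikes[ev.pid]} "
                           f"suspicious changes; {restored} file(s) restored")
        return "convicted"

    def rollback(self, pid: int) -> int:
        """Put back every shadow copy taken for `pid` and remove the encrypted versions."""
        restored = 0
        for orig_path, orig_bytes, current_path in self.shadows.pop(pid, []):
            self.files.pop(current_path, None)
            if orig_bytes:                   # a file the process created is simply removed
                self.files[orig_path] = orig_bytes
            restored += 1
        return restored


def build_demo():
    """Constructed sample: user documents, a benign editor (pid 100) and a process
    behaving like Locky (pid 666) that encrypts files and appends .locky."""
    text = b"Quarterly figures: revenue up, costs flat, see attached notes. " * 64
    rng = random.Random(1)
    encrypted = lambda n: bytes(rng.randrange(256) for _ in range(n))  # stand-in ciphertext
    disk = {"report.docx": text, "budget.xlsx": text[::-1], "notes.txt": text[:512],
            "photo.bin": encrypted(4096)}    # an image: already high-entropy
    events = [
        WriteEvent(100, "notes.txt", disk["notes.txt"] + b"\nAdded a line."),
        WriteEvent(100, "photo.bin", encrypted(4096)),   # re-saved image: no entropy jump
        WriteEvent(666, "report.docx", encrypted(4096), renamed_to="report.docx.locky"),
        WriteEvent(666, "budget.xlsx", encrypted(4096), renamed_to="budget.xlsx.locky"),
        WriteEvent(666, "notes.txt", encrypted(1024), renamed_to="notes.txt.locky"),
        WriteEvent(666, "photo.bin", encrypted(4096), renamed_to="photo.bin.locky"),
    ]
    return disk, events


def run_demo():
    """Replay the events; returns per-event actions, the monitor and the original disk."""
    disk, events = build_demo()
    mon = Monitor(files=dict(disk))
    actions = [mon.handle(ev) for ev in events]
    return actions, mon, disk
```

The entropy-jump test is what keeps the re-saved image (already high-entropy) from counting as a strike, while the third encrypted document convicts the process and restores all three originals.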
Root Cause Analytics
Understanding the Who, What, When, Where, Why and How
Sophos Clean
Malware Removal. Vulnerability Assessment.
Works with existing AV
• Signatureless, on-demand scanner
• Does not need to be installed
• Shows what the others missed
• 30-Day Free License
Removes Threats
• Deep System Inspection
• Removes Malware Remnants
• Full Quarantine / Removal
• Effective Breach Remediation
On-Demand Assessment
• Identifies Risky Files / Processes
• Constantly Refreshed Database
• Provides Additional Confidence
• Command-Line Capable
Cloud Intelligence
Analytics | Analyze data across all of Sophos’ products to create simple, actionable insights and automatic resolutions
Sophos Labs | 24x7x365, multi-continent operation | URL Database | Malware Identities | File Look-up | Genotypes | Reputation | Behavioural Rules | APT Rules
Apps | Anti-Spam | Data Control | SophosID | Patches | Vulnerabilities | Sandboxing | API Everywhere
Sophos Central | Admin | Self Service | Partner | Manage All Sophos Products | User Customizable Alerts | Management of Customer Installations
Products (In Cloud / On Prem): Endpoint/Next-Gen Endpoint, Mobile, Server, Encryption, UTM/Next-Gen Firewall, Wireless, Email, Web, Synchronized Encryption
Synchronized Encryption: A New Paradigm in Data Protection
User Integrity App Integrity System Integrity
Encrypt Everything, Everywhere, Automatically
Synchronized with Endpoint Protection
“By 2019, 25% of security spend will be driven by EU data protection regulation and privacy concerns.” - IDC
Intercepting Threats with Synchronized Security
Demo
Synchronized Security
[Sophos Central architecture diagram: Cloud Intelligence, Sophos Labs and the product portfolio, In Cloud / On Prem, as on the Cloud Intelligence slide]
This is Next-Gen IT Security - Introducing Intercept X


Editor's Notes

  • #3: Anti-M Better, so threats more adv, coord Virus/Sigs, Poly/Heuristics – Sandbox/Sleep Malware to Hacking Spray/Pray focus payload Creds/Remote Access – focus approach
  • #4: Like threats, security had to evolve File scan, Heuristics, Limit Surface (Prevent) Good, but reactive, focus history, known, defense Move to proactive, unk, offense Why? The move to hacking What if legit creds, apps, systems…
  • #6: You won a gift certificate
  • #8: Sophisticated/Coordinated Targets – 25-50, IT, Mumbai, India – Banking, IT (Bangalore)
  • #10: https://www.cryptowalltracker.org/cryptowall-4.html#targetfileextensions
  • #11: When considering our product R&D strategies, it’s instructive to start with the trends that we see affecting information security. So here we have a list of what I consider to be some of the more influential forces. Let me spend just a few moments on each:   First, let’s acknowledge the megatrends: cloud, mobile, and IaaS (infrastructure as a service). The effects that we’re seeing as a result of these are the growth of new classes of security controls, such as CASB (cloud access security brokers, which attempts to mediate and secure access to the estimated 16,000 cloud services available today); EMM (enterprise mobility management, which increasingly attempts not only to manage, but also to secure our ever growing number of mobile computing devices); and IaaS (infrastructure as a service) specific solutions, which seek to address the “shared security model” of providers such as Amazon AWS and Microsoft Azure, wherein they pledge to secure the infrastructure, but leave it to their customers to secure their compute instances and their data. Overall, we see all of these as great opportunities, and as you’ll hear, we’re already offering some exciting solutions in each area with more to come.   Next, we have the tensions that have been brewing for months between the public and private sectors on the matter of encryption. While most of the headlines were captured by the battle between Apple and the FBI, any company that make use of encryption in their products (which is most every company that operated on the internet) is affected by this. First, as a leading vendor of encryption solutions, it was important to us to make it perfectly clear to our customers and partners that we would never introduce backdoors of any kind into our products, or otherwise compromise the integrity of the security of our products. We made this statement prominently available on our site at Sophos.com/nobackdoors. 
Second, we believe that some of the legislation that is being proposed and passed, such as the EU’s GDPR (general data protection regulation) will drive significant growth in data security as businesses seek to comply with customer data protection laws. In fact, the analyst firm IDC estimates that GDRP alone will drive $1.8B in security software investment by 2019.   IoT (the internet of things) is something that’s also been in the new a lot. Gartner estimates that we’ll see an estimated 6.4B connected devices in 2016 grow to over 20B by 2020. Most of these devices are wireless, creating enormous demands for additional wireless capacity and scalability, something that Bryan will be talking to you about a little later. But IoT also presents a massive new attack surface, and it’s not possible, or at least not straightforward, to protect these devices with any kind of client software. Instead, the security must come from the network, creating an opportunity for new kinds of IoT specific network security controls.   The lack of defender coordination describes a condition which has long been understood but never well addressed. It’s probably best understood in contrast: if we had perfect defender coordination, then the moment an attack was successfully used against a single victim, that victim would be able to share all of the salient details of the attack, and subsequent attacks of the same sort would be immediately identifiable and defendable. Clearly, we’re far from that. The reason is because, as an industry, we’ve historically lacked the ability to instantaneously share information. That was one of the key driving influences behind Synchronized Security – we wanted to provide our customers with a framework to effortlessly share security information, first within their enterprises, but ultimately across the entire population of Sophos protected customers as we continue to develop our analytics platform. 
I’ll be talking more about some interesting Synchronized Security use cases later.   C-level spear phishing, also known as whaling, has also been in the news a lot this past year. The wireless networking company Ubiquiti disclosed last year that it had fallen victim to $46.7M in CEO wire fraud, and the FBI estimates that the total exposure has been over $2.3B over the past 3 years. We see this as an opportunity for better training, as well as better phishing security controls. In particular, we think that by applying analytics to the problem, beyond just traditional Bayesian filters, we can more effectively detect this kind of email threat.   The paradox of encryption describes the condition whereby the internet simultaneously becomes more secure as more and more of its traffic moves to encryption (SSL/TLS/HTTPS), and less secure because it becomes increasingly expensive and difficult to perform inspection on the encrypted content. In fact, some forms of encryption simply cannot be decrypted, even for legitimate security purposes such as content inspection. For this reason, we expect that there will need to be a collaboration between the network and the endpoints in order to continue to provide any measure of content inspection, and we think that our balanced product portfolio and our SyncSec strategy position us well for this.   Ransomware and cryptoware describe a class of malware that holds files on a victim’s system hostage, seeking payment in the amount of hundreds or thousands of dollars to release the files from their encrypted prisons. According to the Cyber Threat Alliance, Cryptowall, a single instance of cryptoware, netted criminals in excess of $325M last year. To date, the best advice of the industry has been to update your AV software, don’t click on strange links or open unusual attachments, make sure you have good backups, and even just pay the ransom. While most of this is sound advice, it’s clear that the industry needs better solutions. 
We are about to introduce such a solution as part of our upcoming NGEP release, which John will be talking to you about shortly.   Common-mode failure refers to the fact that the entire internet is built on a common set of components (Linux, OpenSSL, bash, MySQL, redis, etc.), and when there is an exploitable vulnerability in one of these components, the effects spread through the entire internet like wildfire. Even if a patch is immediately made available by the software vendor or the open-source project, it still requires that users patch, which is something that can take weeks or even months. During this window of exposure, these systems are sitting ducks, unless they have something else in place to mitigate the attacks. Again, we see this as a great opportunity to provide general exploit protection at the endpoint, which will be part of the Intercept product that John will talk about, as well as better exploit controls on the network through more comprehensive intrusion prevention signatures.   The cybersecurity skills gap is the scarcity of skilled security professionals to help businesses deal with the ever-evolving threat landscape. According to Frost and Sullivan, 62% of 14,000 interview respondents stated that their organizations have too few information security professionals, up from 56% in 2013. It’s a situation where we must do more with less, and we think the best way to achieve that is to simplify security, which has long been a tenet of how we design our products, and one of our company’s distinguishing traits.   Finally, on the positive side, we are observing that more and more organizations are beginning to take a risk-based approach to security. They are more systematically assessing their attack surfaces, calculating the business criticality of their systems, quantifying their risk, and designing their controls appropriately. It’s a welcome kind of maturation. And it’s also a major component of how we design our solutions. 
#5 - 22K international victims, $3B in exposed losses (IC3 – Internet Crime Complaint Center): https://www.ic3.gov/media/2016/160614.aspx
#9 – “62% of the survey respondents (14,000) stated that their organizations have too few information security professionals. This compares to 56% in the 2013 survey”: https://www.isc2cares.org/uploadedFiles/wwwisc2caresorg/Content/GISWS/FrostSullivan-(ISC)²-Global-Information-Security-Workforce-Study-2015.pdf
  • #20: You cannot trust the breadcrumbs on the stack, which are normally traversed to determine the origin of a call; the stack is under the control of the attacker, who can use it to mislead the defender.
  • #21: The level of confidence is significantly increased by leveraging and repurposing a previously unused feature in mainstream Intel® processors, which delivers manipulation-resistant data from within the hardware. It’s like GPS data revealing the path an attacker has taken, all the way up to the malicious action.
  • #23: Monitor for distinct changes in the file headers
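The header heuristic in note #23, worked through as an added example that is not Sophos code: a before/after check that flags a file whose known header has been overwritten with high-entropy data, while a normal edit that keeps the magic bytes passes. The magic-byte table, the 7.0 bits/byte threshold and the sample files are assumptions constructed for the illustration.

```python
"""Flag a write that replaces a document's header (the note #23 heuristic).
Added illustration, not Sophos code: a legitimate edit keeps a file's
magic bytes, whereas bulk encryption overwrites them with near-random data."""
import math
from collections import Counter

# Magic bytes for a few common document types (constructed table).
MAGIC = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "docx": b"PK\x03\x04",  # OOXML documents are ZIP containers
}

def header_type(data: bytes):
    """Name of the type whose magic bytes open `data`, or None."""
    for name, magic in MAGIC.items():
        if data.startswith(magic):
            return name
    return None

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def assess_write(before: bytes, after: bytes, sample: int = 1024):
    """Compare content before and after a write; returns (verdict, reason)."""
    old_t = header_type(before[:16])
    new_t = header_type(after[:16])
    if old_t is None:
        return "ignore", "original type unknown"
    if new_t == old_t:
        return "ok", f"{old_t} header preserved"
    entropy = shannon_entropy(after[:sample])  # only the first `sample` bytes
    if entropy > 7.0:  # near-random bytes: what encrypted output looks like
        return "suspect", f"{old_t} header replaced by {entropy:.2f} bits/byte data"
    return "changed", f"{old_t} header became {new_t or 'unknown'}"

# Constructed samples: a tiny PDF, an edited copy, and a stand-in for
# ciphertext (a repeating byte permutation, so its entropy is exactly 8.0).
ORIGINAL = b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n" * 20
EDITED = ORIGINAL + b"2 0 obj << /Type /Pages >> endobj\n"
ENCRYPTED = bytes((i * 167 + 5) & 0xFF for i in range(1024))

if __name__ == "__main__":
    for label, new in (("edit", EDITED), ("encrypt", ENCRYPTED)):
        print(label, assess_write(ORIGINAL, new))
```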
  • #25: Sophos Clean is a signatureless, on-demand malware scanner that's just 11 MB and does not need to be installed. You can run it from a USB flash drive, a CD/DVD, or from network-attached storage, which is nice if malware is manipulating the installed antivirus software and its updates.
  • #26: Joe’s notes on the synchronized security scenarios (for reference).
    • Heartbeat first (now)
    • Unknown AppID (soon)
    • Kepler – adding application and system integrity from EP (soon)
    • Shunning / lateral movement protection on endpoint/server (soon)
    • Phishing protection - reputation system, training, adaptive security based on assessment results (future)
    • Mobile devices as “continuous auth” solutions - using sensors for voice, image, fingerprinting, geolocation, gait measurement (way future)
  • #27: Source for the 25% of spend driven by data compliance: IDC FutureScape: Worldwide IT Security Products and Services 2016 Predictions, Nov 2015, Doc # 259836.