What's cooking at Sophos - an introduction to Synchronized Security
Download as PPTX, PDF2 likes1,967 views
The document outlines the concept of synchronized security, highlighting the challenges in today's threat landscape and the need for a revolutionary approach in cybersecurity. It details how synchronized security integrates advanced threat protection through real-time data sharing between endpoints and network devices for improved detection, response, and remediation of threats. The focus is on providing comprehensive protection against sophisticated attacks while simplifying management and operational processes.
What's cooking at Sophos - an introduction to Synchronized Security
- 1. 1 Vincent Vanbiervliet Product Manager Synchronized Security Revolutionizing Advanced Threat Protection
- 2. 2 What we’re going to cover • What’s the problem? • It’s time for a security revolution • How it works • Synchronized Security 2015-2016 • Your path to synchronized Security
- 5. 5 Increasing attacks, increasing sophistication Attack surface exponentially larger Laptops/Desktops Phones/Tablets Virtual servers/desktops Cloud servers/storage Threats more sophisticated Attacks are more coordinated than defenses
- 6. 6 Security industry 2D view
- 7. 77 It’s time for a security revolution
- 8. 8 Generations of security Point Products Anti-virus IPS Firewall Sandbox Layers Bundles Suites UTM EMM Synchronized Security Security Heartbeat™
- 9. 9 Comprehensive protection • Prevent Malware • Detect Compromises • Remediate Threats • Investigate Issues • Encrypt Data MAC ANDROID WINDOWS iOS CORPORATE DATA WINDOWS PHONE LINUX Synchronized Security
- 10. 10 Integration at a different level Synchronized Security Alternative • System-level intelligence • Automated correlation • Faster decision-making • Accelerated Threat Discovery • Automated Incident Response • Simple unified management • Resource intensive • Manual correlation • Dependent upon human analysis • Manual Threat/Incident response • Extra products • Endpoint/Network unaware of each other Management Enduser Network SIEM Endpoint Mgmt NW Mgmt Endpoint Network
- 11. 11 Synchronized Security Security must be comprehensive The capabilities required to fully satisfy customer need Security can be made simple Platform, deployment, licensing, user experience Security is more effective as a system New possibilities through technology cooperation Synchronized Security Integrated, context-aware security where Enduser and Network technology share meaningful information to deliver better protection. SOPHOS LABS Sophos Cloud Next Gen Network Security Next Gen Enduser Security heartbeat
- 13. 13 3 pillars of advanced threat protection By device identification reduces time taken to manually identify infected or at risk device or host by IP address alone Compromised endpoints are isolated by the firewall automatically, while the endpoint terminates and removes malicious software. Endpoint and network protection combine to identify unknown threats faster. Sophos Security Heartbeat™ pulses real- time information on suspicious behaviors Security Heartbeat™ Accelerated Threat Discovery Active Source Identification Automated Incident Response Faster, better decisions Quicker, easier investigation Reduced threat impact
- 14. 14 System Initialization Registration NGEP & NGFW register with Sophos Cloud which sends certificate/sec info to both Connection Endpoints initiate connection to the trusted Firewall Validation Firewall and Endpoints check sec info sent to them by Cloud to verify they are valid SOPHOS LABS Sophos Cloud Next Gen Network Security Next Gen Enduser Security heartbeat Support of multiple locations Endpoints can establish connection to Firewalls at any customer’s location as the Sophos Cloud registry can be shared among all Galileo-enabled Firewalls
- 15. 15 Accelerated Threat Discovery Security Heartbeat A few bytes of information are shared every 15 seconds from Endpoint to Network Events Upon discovery, security information like Malware, PUA is shared between Endpoints and Network Health Endpoint sends Red, Yellow, Green health status to Network SOPHOS LABS Sophos Cloud Next Gen Network Security Next Gen Enduser Security heartbeat VPN support Galileo supports endpoints connected within the local network as well as those connected via VPN as long as they are connecting to the Firewall.
- 16. 16 Active Source Identification Security Heartbeat Positively identifying the machine. Associating the IP address with a particular Endpoint Advanced Attack If Network Firewall detects an advanced attack but can’t determine source, it requests details from endpoints Source Identification Endpoint sends details of machine name, user, process, and IP address SOPHOS LABS Sophos Cloud Next Gen Network Security Next Gen Enduser Security heartbeat
- 17. 17 Automated Incident Response Green Endpoints have full access to internal applications and data as well as internet Yellow Affected endpoints can be isolated from internal/sensitive applications and data while maintaining access to internet Red Affected endpoints are isolated from the network and have no access to internal systems or external internet SOPHOS LABS Sophos Cloud Next Gen Network Security Next Gen Enduser Security heartbeat Defaults and customization There are no default policies based on health status so admins can customize responses as needed. We are developing a best practices guide to assist customers in recommended policy setup.
- 19. 19 Comprehensive Next-Gen Endpoint SOPHOS SYSTEM PROTECTOR Application Tracking Threat Engine Application Control Reputation Emulator HIPS/ Runtime Protection Device Control Malicious Traffic Detection Web Protection IoC Collector Live Protection Security Heartbeat™
- 20. 20 Comprehensive Next-Gen Network SOPHOS FIREWALL OPERATING SYSTEM Web Filtering Intrusion Prevention System Routing Email Security Security Heartbeat™ Selective Sandbox Application Control Data Loss Prevention ATP Detection Proxy Threat Engine Firewall
- 21. 21 SOPHOS SYSTEM PROTECTOR Sophos Cloud Next Generation Threat Detection heartbeat SOPHOS FIREWALL OPERATING SYSTEM Application Tracking Threat Engine Application Control Reputation Emulator HIPS/ Runtime Protection Device Control Malicious Traffic Detection Web Protection IoC Collector Live Protection Security Heartbeat™ Web Filtering Intrusion Prevention System Routing Email Security Security Heartbeat™ Selective Sandbox Application Control Data Loss Prevention ATP Detection Proxy Threat Engine Isolate subnet and WAN access Block/remove malware Identify & clean other infected systems User | System | File Compromise Firewall
- 23. 23 SOPHOS SYSTEM PROTECTOR Sophos Cloud Improved Threat Detection heartbeat SOPHOS FIREWALL OPERATING SYSTEM Application Tracking Threat Engine Application Control Reputation Emulator HIPS/ Runtime Protection Device Control Malicious Traffic Detection Web Protection IoC Collector Live Protection Security Heartbeat™ Web Filtering Intrusion Prevention System Routing Email Security Security Heartbeat™ Selective Sandbox Application Control Data Loss Prevention ATP Detection Proxy Threat Engine Lockdown local network access Remove file encryption keys Terminate/remove malware Identify & clean other infected systems User | System | File Compromise Firewall
- 24. 24 SOPHOS SYSTEM PROTECTOR Sophos Cloud Automated Protection of Endpoints heartbeat SOPHOS FIREWALL OPERATING SYSTEM Application Tracking Threat Engine Application Control Reputation Emulator HIPS/ Runtime Protection Device Control Malicious Traffic Detection Web Protection IoC Collector Live Protection Security Heartbeat™ Web Filtering Intrusion Prevention System Routing Email Security Security Heartbeat™ Selective Sandbox Application Control Data Loss Prevention ATP Detection Proxy Threat Engine Discover unmanaged Endpoints Could it be managed? Self-service portal setup User authentication Distribute security profile Win | Mac | Mobile Endpoint Firewall
- 25. 25 SOPHOS SYSTEM PROTECTOR Sophos Cloud Detect and Remediate Compromises heartbeat SOPHOS FIREWALL OPERATING SYSTEM Application Tracking Threat Engine Application Control Reputation Emulator HIPS/ Runtime Protection Device Control Malicious Traffic Detection Web Protection IoC Collector Live Protection Security Heartbeat™ Web Filtering Intrusion Prevention System Routing Email Security Security Heartbeat™ Selective Sandbox Application Control Data Loss Prevention ATP Detection Proxy Threat Engine Identify compromise Detect source Assess impact Block/remove malware Identify & clean other infected systems User | System | File Compromise Firewall
- 27. 27 NEXT-GEN ENDUSER SECURITY NEXT-GEN NETWORK SECURITY SOPHOS UTM • NETWORK PROTECTION MODULE SOPHOS CLOUD ENDPOINT • CLOUD ENDUSER PROTECTION • CLOUD ENDPOINT ADVANCED Endpoint and Network working together • FULLGUARD LICENSE • TOTALPROTECT BUNDLE NEXT-GEN FIREWALL • NETWORK PROTECTION MODULE • NEXT-GENGUARD LICENSE • NEXT-GENPROTECT BUNDLE
- 28. 28 Already using Sophos * Cloud Endpoint requires Sophos Cloud Endpoint Protection Advanced or Sophos Cloud Enduser Protection subscriptions
- 29. 3030 Conclusion
- 30. 31 The Synchronized Security difference Sophos Competition Synchronized Security Point Products Simple Complex Comprehensive Incomplete Prevention, Detection, Investigation, Remediation, Encryption Prevention Enduser, Network, Server, Mobile, Web, Email, Encryption Endpoint or Network Automated Manual Block the known, unknown, advanced, coordinated attacks Partial Prevention
- 31. 32 Revolutionizing advanced threat protection Synchronized Security Accelerated Threat Discovery Positive Source Identification Automated Incident Response Faster, better decisions Quicker, easier investigation Reduced threat impact
- 32. 33© Sophos Ltd. All rights reserved.
Editor's Notes
- #7: Each product FW, AV, Dev control, App Control, Mobile – has a unique way of looking at the network. You are looking at it from a sideview, not a top-down 3D view. This is just the nature of the beast. FW just looks at the network. If it’s designed to let port 80 through, I craft my malware to use port 80. We’re left with competent products, but only a 2D view (un-integrated).
- #10: Endpoint security used to be about stopping malware from infecting Windows PCs on the network. Now it has to evolve to not only prevent malware, but also detect machines that are already compromised and help remediate detected threats on a variety of workstation and mobile platforms. Endpoint security also has to include a focus on the data, ensuring it is encrypted and accessible only to authorized users regardless of where the data lives.
- #25: NGFW notes if EP is sending Heartbeat (if it is, it is definitely managed) If not, NGFW characterizes EP by inspecting traffic (e.g. is it a Windows, MAC, printer, IP phone, mobile device etc) NGFW queries Cloud EP management to ask two questions 1) Could it be managed (true for Windows, MAC, mobile; false for printer, IP phone etc) ? 2) Is it managed already (to cover the case we don't support Heartbeat on that platform yet) ? If the device is one which could be managed but isn't, NGFW redirects device to a Self Service portal defined by Administrator to become managed NGFW restricts network traffic from that device to that portal to protect customer network. Also an incentive for device owner to make device compliant. Portal authenticates user (username / password) Portal will present device dependent information e.g. will contain installers for Cloud EP (Windows, MAC), registration page for mobiles etc. Portal can also contain security profile information for that customer e.g. certificates to be installed to access customers WiFi and network resources
- #30: Alternative slide option to slide 28 in case you prefer this version.