SOPHOS presentation used during the SWITCHPOINT NV/SA Quarterly Experience Day on 7th June 2016.

Information about SOPHOS presentation used during the SWITCHPOINT NV/SA Quarterly...

Published on June 12, 2016

Author: michelnys



1. 1 Lars Putteneers 7 June 2015 SOPHOS Stopping Tomorrow’s Attacks Today: a next-gen approach for advanced threats


3. 3 AT HOME AND ON THE MOVE Mobile Control Endpoint Security SafeGuard Encryption HEADQUARTERS Endpoint Security SafeGuard Encryption REMOTE OFFICE 1 NextGen Firewall Secure Wi-Fi Endpoint Security SafeGuard Encryption Secure Wi-Fi Secure VPN Client Mobile Control Reputation Data • Active Protection SophosLabs Correlated intelligence • Content Classification Administration Web Application Firewall Secure Email Gateway Secure Web Gateway Mobile Control Network Storage Antivirus Server Security Guest Wi-Fi UTM NextGen Firewall Secure Web Gateway Secure Email Gateway Web Application Firewall REMOTE OFFICE 2 Secure Wi-Fi Endpoint Security SafeGuard Encryption Mobile Control Secure VPN RED Sophos Complete Security in an Enterprise SOPHOS CLOUD

4. 44 Tomorrow’s attacks

5. 5 Anatomy of a ransomware attack And gone The ransomware will then delete itself leaving just the encrypted files and ransom notes behind. Ransom demand A message appears on the user’s desktop, explaining how a ransom (often in the form of bitcoins) can be paid within a time frame of e.g. 72 hours to enable decryption of the data with the private key that only the attacker’s system has access to. Encryption of assets Certain files are then encrypted on the local computer and on all accessible network drives with this public key. Automatic backups of the Windows OS (shadow copies) are often deleted to prevent data recovery. Contact with the command & control server of the attacker The ransomware sends information about the infected computer to the C&C server and downloads an individual public key for this computer. Installation via an exploit kit or spam with an infected attachment Once installed the ransomware modifies the registry keys

6. 6 Angler: an all-too-well-known exploit kit • Grown in notoriety since mid 2014 ○ The payload is stored in memory and the disk file is deleted ○ Detects security products and virtual machines ○ Ability to spread many infections: banking Trojans, backdoor, rootkits, ransomware • Easy to use ○ Doesn’t require any particular technical competence ○ Available for a few thousand USD on the Dark Web

7. 7 Angler’s evolution into the dominant exploit kit Sep 2014 Jan 2015 May 2015

8. 8 • 350,000 new malware programs per day • 70% of organisations reported a compromise in the last 12 months • $500 billion WW damages • Estimated to rise to $1.5 trillion by 2019 Another one bites the dust

9. 99 The next-gen approach: Sophos Clean Hitman Pro Sophos Sandstorm

10. 10 Sophos Clean • All new business product • Removal complete part of Hitman Pro => standalone product

11. 11 Should I Stay Or Should I Go

12. 12 Bullet in the head

13. 13 Hitman Pro • Product of Surfright • For consumer and business market • Signature less protection • Will come in Cloud and on premise solutions

14. 14 Hitman Pro: Risk Reduction

15. 15 Hitman Pro: Risk Reduction

16. 16 Ransomware Cryptowall costs users $325M in 2015 ○ 2 out of 3 infections driven by phishing attack ○ Delivered by drive by exploit kits ○ 100’s of thousands of victims world wide More variants – Locky and Samas ○ Now for MAC and Windows users Targeting bigger Phish ○ $17K payment from California hospital CryptoGuard • Simple and Comprehensive • Universally prevents spontaneous encryption of data • Simple activation in Sophos Central CRYPTOGU ARD CryptoGuard – Say Goodbye to Ransomware

17. 17 CryptoGuard • 1. monitors file system activity • 2. when file is opened-for-write, create just-in-time backup of the file • 3. when the file is closed, compare contents • 4. when file is no longer a document, mark as suspicious • 5. if this happens on many files (3 or more), rollback files from above backup, revoke write-access from process (or client IP) that did the changes • 6. all modifications are tracked per process or per client-IP; so if a remote client modifies files, they are tracked, rolled back and blocked if needed

18. 18 Hitman Pro: Exploit Mitigation

19. 19 Hitman Pro: Exploit Mitigation

20. 20 Hitman Pro: Exploit Mitigation

21. 21 Hitman Pro: Exploit Mitigation

22. 22 Hitman Pro: Safe Browsing

23. 23 Hitman Pro: Safe Browsing

24. 24 Hitman Pro: Removal Complete

25. 25 Hitman Pro: Removal Complete

26. 26 Sophos Sandstorm How Sophos Sandstorm works 1. If the file has known malware it’s blocked immediately. If it’s otherwise suspicious, and hasn’t been seen before, it will be sent to the sandbox for further analysis. When web browsing, users see a patience message while they wait. 2. The file is detonated in the safe confines of the sandbox and monitored for malicious behaviour. A decision to allow or block the file will be sent to the security solution once the analysis is complete. 3. A detailed report is provided for each file analyzed. Advanced Threat Defense Made Simple Secure Web Gateway Secure Email Gateway Unified Threat Management Next-Gen Firewall

27. 2727 Summary

28. 28 TRADITIONALMALWARE Methods and techniques vary depending on device type and operating system (Windows, Mac, Linux/Unix variants, Android, iOS) And Sophos Labs never stops innovating and assessing new techniques ADVANCEDTHREATS I just want to be your everything Exposure prevention 80% malicious URL blocking, malicious web script detection download reputation Pre-execution analytics and heuristics 10% Generic matching using heuristics and component level rules Signatures 5% Signature match of malware or malware components (1-1) Run-time behavior analytics 3% Behavior matching and runtime analytics Exploit detection 2%

29. 29 More information • Sophos whitepaper on how to stay protected from ransomware us/medialibrary/Gated%20Assets/white%20papers/sophosransomwareprot ectionwpna.pdf?la=en • Sophos technical whitepaper on ransomware us/medialibrary/PDFs/technical%20papers/sophos-current-state-of- ransomware.pdf?la=en • Naked Security – regular stories on Locky and other ransomware attacks • IT Security DOs and DON'Ts us/medialibrary/PDFs/employeetraining/sophosdosanddontshandbook.pdf? la=en • Threatsaurus us/medialibrary/PDFs/other/sophosthreatsaurusaz.pdf?la=en

30. 3030 Questions?

31. 31© Sophos Ltd. All rights reserved.

Related presentations

Other presentations created by michelnys

Exablox powerpoint presentation
29. 04. 2015

Exablox powerpoint presentation