3.
The perception of endpoint security
“Antivirus software is now so ineffective at detecting new malware threats most enterprises are probably wasting their money buying it.”
“Conventional anti-virus software is an outmoded way of protecting computers against malware.”
“The current antivirus method of detecting and blocking known samples is no longer effective.”
4.
Some vendors overcompensate
• Sophisticated functionality
• Endless add-ons
• Requires major time investment
• Not simple
5.
Our products are sophisticated and simple
Malicious behavior prevention
Attack surface reduction
Perimeter protection
Malware detection
Spam blocking
Web defense
7.
Big data
2–3 TB of threat data per week
5 million spam emails per day
600 million live lookups per day
150,000 suspicious URLs per day
300,000 new files per day
8.
Automation
Malware analysis
Decision making
Analytics
New identity every 4–5 seconds
Live Protection
9.
Leveraged expertise
Web security — bad URLs
Web security — exploit code
Signatures
Unpacking
Static code analysis
Emulation
Live Protection
HIPS
Buffer Overflow Protection
Exploit patterns
Multi-factor identities
Behavior-based rules
19 identities account for 50% of detections
10.
HIPS for everyone
• Zero day malware protection
• Tuned by SophosLabs
• Over 80% adoption
• No one else makes it this simple
This doesn’t look right!
12.
What simple, effective security means
IT Department: Support, Threat Intelligence & Response, Software development, Infrastructure
• Less time managing protection
• Fewer security incidents
• More time to focus on business priorities
13.
Building next gen endpoint security
Web security — bad URLs
Web security — exploit code
Signatures
Unpacking
Static code analysis
Emulation
Live Protection
HIPS
Buffer Overflow Protection
Download reputation
File tracking
New emulator
C&C traffic detection
14.
Advanced Persistent Threat: Protection
Advanced Threat Protection: detects botnets, stops outbound traffic, selective analysis
Firewall Antivirus IPS Web Email WAF
1. Gather information: social media, events, other websites, …
2. Find a way in: phishing, spoof calls, USB sticks, …
3. Avoid being discovered: lay low, do nothing, ‘low & slow’, …
4. Get out with the data: collate data, encrypt, extract, …
Layered protection is the best defense against targeted attacks
16.
Advanced Threat Protection in Sophos UTM
Alerts to infected clients
Provides:
• Consolidated reporting
• Threat information
• Link to SophosLabs Threat Center
17.
Context-Aware Security
A coordinated threat sensing system
The traditional way: one point in time and space
The new way: many points in time and space
How?
• We watch all points
• We correlate intelligence
• We coordinate protection
• We strengthen every point
• We build a stronger system
Points watched: Laptop, Network, Server, App, Mobile, Cloud, Another
Signals correlated: suspicious outbound traffic; suspicious runtime behavior; application reputation; application categorization and tracking; mal/sus attributes pre-execution; IPS/IDS events; system events
Indicators of Compromise: alert & respond
18.
What if robots could work together?
“Looks like your PC is infected. Let’s isolate it from the network.”
“Oops, you’re right. I’ll clean it up. Tell the others to watch out for badfile.exe.”
19.
Summary
• Simple, effective protection
• SophosLabs does the work, so customers don’t have to
• Ongoing innovation – here comes next gen endpoint security
McAfee is the Lego Mindstorms of security software: it can do anything (though not necessarily well), if you put enough blood, sweat and tears into it.
Examples/stats:
Troj/JsRedir-NN: detects malicious JavaScript redirects, like those found in BlackHole exploit kit – detected on over 45,000 different web pages accessed from over 20,000 different customer computers in less than two months
CXweb/FkFlsh-B: pattern to detect download of fake Flash Player – detected nearly 40,000 unique files (variants) across over 17,000 customer PCs over the same period
What makes it next gen?
Integration of features typically found on next-gen firewalls into endpoint
Emphasis on detecting zero days and APTs
Ability to correlate information across layers (and products — see next slide) to increase detection rates
Advanced Threats have a few common characteristics: they gather information to find a point of entry into the target organization, then often lay low to avoid being discovered until they find the assets they’re looking for. This may mean they have to move throughout the network. Once they’ve localized the data they find a way to get out with it – often in small bite-sized pieces and often encrypted to remain undiscovered.
Until now, we offered a number of layers of protection which would catch many of those attacks in their early stages – the techniques being used are not necessarily so advanced – and now with 9.2 we’re adding an additional layer of defense which brings together various technologies to detect infected clients within the network and allow them to be isolated before doing further damage. This includes
Advanced Threat Protection – combines ATP, IPS and Web detection reporting to give an instant view of infected clients with automatic admin alerts
Network Protection
Command-and-Control Detection blocks communication with known C&C/botnet servers, stopping the infected client from calling home for further instructions or updates to the malware.
Cloud-based Selective Sandbox. Uses Sophos Live Protection to analyze suspicious content. If detected as malicious, protection is updated.
Web Protection
Web malware protection. Protects against the number one source of threats with new JavaScript emulation and live anti-virus lookups to the cloud, stops threats before they reach the browser and infect your systems.
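The two ideas the notes above keep returning to, blocking contact with known C&C servers and correlating evidence from several layers (IPS events, outbound traffic, download reputation, runtime behavior) into one view of which clients are infected, can be shown in a few dozen lines. The block below is an added illustration written for this page, not Sophos UTM code; the log line format, the hostnames, the C&C block list, the indicator weights and the alert threshold are all constructed for the example.

```python
from collections import defaultdict

# Constructed block list standing in for a known C&C/botnet server feed.
KNOWN_C2 = {"c2.example-bad.test", "203.0.113.45"}

# Illustrative weights per indicator kind (assumption: a real product tunes these).
WEIGHTS = {
    "c2_contact": 60,               # outbound connection to a known C&C server
    "ips_event": 25,                # network IPS/IDS signature hit
    "suspicious_runtime": 20,       # endpoint runtime behavior (HIPS-style)
    "low_reputation_download": 15,  # download reputation below threshold
}
ALERT_THRESHOLD = 50  # constructed cut-off for "isolate this client"

# Constructed log lines in a made-up "sensor|host|kind|detail" format.
SAMPLE_LOGS = [
    "proxy|laptop-17|outbound|c2.example-bad.test",
    "ips|laptop-17|event|Generic beacon signature",
    "endpoint|laptop-17|download|rep=low name=setup_flash.exe",
    "proxy|server-02|outbound|updates.example.test",
    "endpoint|server-02|runtime|thread injected into explorer.exe",
    "proxy|desktop-05|outbound|203.0.113.45",
    "endpoint|laptop-17|download|rep=high name=notepad.exe",
]


def is_c2_contact(destination):
    """True when the destination host/IP is on the known C&C list."""
    return destination.strip().lower() in KNOWN_C2


def classify(line):
    """Map one log line to (host, indicator_kind); None when not suspicious."""
    try:
        sensor, host, kind, detail = line.split("|", 3)
    except ValueError:
        return None  # malformed line: skip it rather than crash the pipeline
    if sensor == "proxy" and kind == "outbound":
        return (host, "c2_contact") if is_c2_contact(detail) else None
    if sensor == "ips" and kind == "event":
        return (host, "ips_event")
    if sensor == "endpoint" and kind == "runtime":
        return (host, "suspicious_runtime")
    if sensor == "endpoint" and kind == "download" and "rep=low" in detail:
        return (host, "low_reputation_download")
    return None


def correlate(lines):
    """Aggregate indicators per host into a score and a response decision."""
    indicators = defaultdict(set)
    for line in lines:
        hit = classify(line)
        if hit:
            host, kind = hit
            indicators[host].add(kind)  # a set: repeats of one kind count once
    report = {}
    for host, kinds in indicators.items():
        score = sum(WEIGHTS[k] for k in kinds)
        report[host] = {
            "score": score,
            "indicators": sorted(kinds),
            # Block the C&C channel on first contact; isolate the client only
            # once the correlated evidence crosses the alert threshold.
            "block_c2": "c2_contact" in kinds,
            "isolate": score >= ALERT_THRESHOLD,
        }
    return report


def infected_hosts(report):
    """Hosts that crossed the threshold, for the consolidated admin alert."""
    return sorted(h for h, r in report.items() if r["isolate"])


if __name__ == "__main__":
    rep = correlate(SAMPLE_LOGS)
    for host in sorted(rep):
        print(host, rep[host])
    print("alert:", infected_hosts(rep))
```

Run as-is, the script flags laptop-17 (C&C contact plus an IPS hit plus a low-reputation download) and desktop-05 (C&C contact alone), while server-02 shows only a single runtime indicator and stays below the threshold, which is the point of correlating layers: one weak signal on its own is a note in a report, several agreeing signals are an alert.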