8/10/2019 3 Endpoint.pdf
1/70
Endpoint and web security
What?
Variants and volumes
APT: What does it mean?
Before                       Now
Custom exploit code          Better than us
Multiple entry/exit points   We didn't notice for a while
Diverse actors               Insert random foreign country here
Hijacked trusted sites
There's no such thing as a trusted site
Fake anti-virus/scareware
Fake anti-virus
Fake anti-spyware
System optimizers
Et tu, Mac?
MacDefender, MacSecurity, and many more
Social networking raises risks
Koobface: feature rich and evolving
Steal software keys
Upload stored passwords
Web server
DNS proxy
Search hijacking
CAPTCHA busting
Pay Per Click (PPC) fraud
Fake anti-virus installs
Social network spambot
Screenshot courtesy of abuse.ch
Who?
Affiliate marketing, Russian style
Estdomains
McColo
Botnet C&C
Spam sites
Child abuse content
Malware
Fake anti-virus
Identity theft (500,000+ bank accounts)
Little penalty for great gains
150 years: $13-65 billion
Probation and 30 hours community service: infected millions of PCs
How?
Spamming tools increase SEO
Multithreaded web spam tool
Automatically creates forum/blog/webmail accounts
Uses proxies for IP diversity
CAPTCHA busting
Content based on topic
$440
Supports PHPBB, PHPNuke, wikis, LiveJournal, vBulletin, Facebook, Gmail, etc.
Server-side polymorphism
Obfuscation engine on the server (PHP)
JavaScript returned changes on each page request
Challenge to generic detection
Core AV engine needs to see through obfuscation
Cannot afford performance hit
Large effort in building heuristics to distinguish legitimate and malicious JavaScript
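The slide says the engine must judge JavaScript by structure because the bytes change on every request. The following is an added illustration, not code from the deck or from Sophos: a small feature extractor and scorer over constructed samples, where the "obfuscated" script only decodes to console.log(1) and its "variant" is the same script with a different machine-generated name and line breaks, the way a server-side engine would re-emit it. The weights and thresholds are assumptions chosen for the example.

```python
import re
from dataclasses import dataclass

# Constructed samples (not from the deck). The obfuscated one decodes to
# console.log(1); it stands in for the per-request rewritten script a
# server-side obfuscation engine serves.
BENIGN_JS = """// small page-enhancement script
function highlight(id) {
  var el = document.getElementById(id);
  if (el) { el.style.backgroundColor = "#ffff99"; }
}
document.addEventListener("DOMContentLoaded", function () { highlight("intro"); });
"""

OBFUSCATED_JS = (
    r'var _0x3f2a=["\x63\x6f\x6e\x73\x6f\x6c\x65","\x6c\x6f\x67"];'
    r'eval(unescape("%63%6f%6e%73%6f%6c%65%2e%6c%6f%67%28%31%29"));'
)

# The "same" script as served on a later request: different hex name and
# different whitespace, identical structure. A byte hash would not match it.
OBFUSCATED_JS_VARIANT = OBFUSCATED_JS.replace("_0x3f2a", "_0x9b1c").replace(";", ";\n")

# Calls that turn string data into executable code or markup.
SUSPICIOUS_CALLS = ("eval(", "unescape(", "String.fromCharCode(", "document.write(", "atob(")
# Hex, unicode and URL-percent escapes: heavy use means the real strings are hidden.
ESCAPE_RE = re.compile(r"\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2}")
# Machine-generated identifier style common to obfuscation tools.
HEXNAME_RE = re.compile(r"\b_0x[0-9a-fA-F]{3,}\b")


@dataclass
class JsFeatures:
    escape_ratio: float      # share of the script taken up by escape sequences
    suspicious_calls: int    # number of string-to-code call sites
    hex_names: int           # distinct _0x... identifiers
    longest_line: int        # obfuscators often emit one very long line


def extract_features(script: str) -> JsFeatures:
    escaped_chars = sum(len(m) for m in ESCAPE_RE.findall(script))
    lines = script.splitlines() or [""]
    return JsFeatures(
        escape_ratio=escaped_chars / max(len(script), 1),
        suspicious_calls=sum(script.count(call) for call in SUSPICIOUS_CALLS),
        hex_names=len(set(HEXNAME_RE.findall(script))),
        longest_line=max(len(line) for line in lines),
    )


def obfuscation_score(script: str) -> int:
    """Weighted sum of structural signs; the weights are illustrative, not tuned."""
    f = extract_features(script)
    score = 0
    if f.escape_ratio > 0.20:
        score += 3
    elif f.escape_ratio > 0.05:
        score += 1
    score += min(f.suspicious_calls, 3)
    if f.hex_names:
        score += 2
    if f.longest_line > 500:
        score += 1
    return score


def is_likely_obfuscated(script: str, threshold: int = 4) -> bool:
    return obfuscation_score(script) >= threshold


if __name__ == "__main__":
    for name, js in (("benign", BENIGN_JS), ("obfuscated", OBFUSCATED_JS),
                     ("variant", OBFUSCATED_JS_VARIANT)):
        print(f"{name:10s} score={obfuscation_score(js)} flagged={is_likely_obfuscated(js)}")
```

The benign script scores 0 and both obfuscated forms score the same, which is the point of the slide: a structural heuristic survives the per-request rewrite that defeats an exact signature. The cost the slide mentions is real too; every feature here is a linear scan of the script, which is what keeps such checks affordable inside a scanner.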
Web threat tree: legitimate sites
Web threat tree: redirects to attacker
Web threat tree: attacks vulnerabilities
Web threat tree: deliver payload
Why?
Motives
Yes!
Stereotypes
Zero-day Flash vulnerability
Inadequate monitoring
Victims of their own success
Intellectual property is the new gold
Pharma profitability
This affiliate used 66 unique domains referencing his Affiliate ID
124 orders per day
Average sale = $160
40% commission
124 * 160 = $19840 * 40% = $7936/day

Date  Orders
01    30
02    74
03    216
04    193
05    23
06    191
07    189
08    78
09    99
10    128
11    52
12    7
Average sales per day: 124
Fake anti-virus profitability
Statistics from topsale2.ru
What's it worth?
Pirated software
Endpoint protection
Access control
Firewall
Virtualization
Application Control
Device Control
Encryption
Anti-malware
Intrusion prevention
Data Control
Patch assessment
Web Protection
Exchange Server Protection
Anti-malware
Sophos AV
A single engine to protect from all malware
Genotyping technology
Active Protection cloud technologies:
Live URL filter: stops URLs we know are bad instantly
Live anti-virus: checks in seconds to see if a suspicious file might be a real threat
Fast and low impact scanning
Small updates, frequently applied
Stop attacks and breaches
Intrusion prevention
So reliable it's on by default
Stop attacks and breaches
Sophos HIPS
Behavioral detection
Suspicious file detection
Suspicious behavior detection
Buffer overflow detection
Rules created by SophosLabs via Active Protection
Malware solved
http://www.sophos.com/support/knowledgebase/article/113342.html
Stop attacks and breaches
Layered protection
Stop attacks and breaches
Active Protection
Stop attacks and breaches
Email, Data, Endpoint, Mobile, Web, Network
Not just a Windows story
The web: one stop (malware) shop
A threat network
The number one source of infection
Legitimate sites are regularly infected
Productivity filtering isn't enough
Many applications accessing the web
How people do web protection today:
Large scale deployments that focus on the gateway
Back-hauling traffic to appliances
None or limited protection for users not connecting to the gateway
Protect everywhere
Web protection
Basic Endpoint
Active Protection from malware and bad sites
Works in any browser
Web Filtering in Endpoint
Low-cost add-on integrated into the Endpoint/SEC
Reduce surface area of attack from risky parts of the web (porn, hate, p2p, etc.)
Essential compliance and liability coverage for inappropriate sites
Web Protection Suite
Complete protection everywhere users go with Sophos LiveConnect
Full coverage of threats, compliance, productivity, liability, and visibility
Reduce investment & complexity in back-hauling/VPN/Gateway HW
Protect everywhere
Inside Sophos LiveConnect
Sophos Web Protection Suite
Enables full visibility and control
Policy and reporting synchronization
Immediate and automatic
Secure end-to-end encryption
Protect everywhere
Sophos Web Protection
Sophos Web Protection
Keep people working
Sophos Web Protection
NEW! Virtual Web Appliance (VMware)
Secure web gateway in a virtual appliance
NEW! Web Appliances (4 models)
Secure web gateway appliances
NEW! Web Protection Suite
Complete web protection everywhere
[Charts: Anti-virus status (Current / Out of date / None); Patch status (Patched / Unpatched); Firewall status (Enabled / Disabled / None)]
Patches as important as ever
Reduce attack surface
MSRC August 2012
The problem with patching
No visibility of exposure level
Have users installed vulnerable applications?
Have users disabled automatic updates?
Is Microsoft WSUS/SCCM working correctly?
Don't know which patches to worry about!
Compliance audits become a real headache
Machines get compromised
Gartner: in 90% of situations where machines got compromised, a patch or configuration change existed that could have prevented it!
Reduce attack surface
Patch assessment
We assess all the key exploited applications
Checking for patches from 11 vendors
We accurately assess each endpoint
Local scans on every managed endpoint
Complex fingerprinting ensures patches are accurately detected
Centralized reporting of relevant missing patches
Simple: no end-user interaction or messaging
We prioritize patches to make life easier
Sophos rates patch criticality via Active Protection
Sophos shows any malware associated with patches
Creates a focus on the patches that really matter!
Reduce attack surface
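The patch assessment slide describes three steps: fingerprint what is installed on each endpoint, compare it with a catalogue of fixes, and rank what is missing by criticality with the associated malware shown alongside. This added example, which is not Sophos code, carries those steps through on a constructed scan result and a constructed catalogue (placeholder patch IDs, invented version numbers). It reduces "fingerprinting" to a version string per product, which is an assumption; the comparison handles the edge cases a real inventory produces: version strings of different length, letter suffixes, and products that are not installed at all.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Ordering used to prioritise: Critical first.
CRITICALITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


@dataclass(frozen=True)
class PatchAdvisory:
    vendor: str
    product: str
    patch_id: str                  # constructed placeholder, not a real advisory number
    fixed_version: str             # first build that contains the fix
    criticality: str               # vendor/lab rating, e.g. "Critical"
    malware_seen: Tuple[str, ...]  # families seen exploiting the flaw (constructed)


def parse_version(text: str) -> Tuple[int, ...]:
    """'11.3.300.257' -> (11, 3, 300, 257); a suffix such as '1.6.3a' keeps its digits."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(installed: str, fixed: str) -> bool:
    """Numeric, segment-wise comparison; missing trailing segments count as 0."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def missing_patches(installed: Dict[Tuple[str, str], str],
                    catalogue: List[PatchAdvisory]) -> List[PatchAdvisory]:
    """Advisories whose fix is absent from this endpoint, most critical first.
    installed maps (vendor, product) -> version string found by the local scan."""
    missing = []
    for adv in catalogue:
        current: Optional[str] = installed.get((adv.vendor, adv.product))
        if current is None:
            continue  # product not present: no exposure, so no noise in the report
        if version_lt(current, adv.fixed_version):
            missing.append(adv)
    missing.sort(key=lambda adv: (CRITICALITY_RANK[adv.criticality], adv.vendor, adv.product))
    return missing


def report_lines(missing: List[PatchAdvisory]) -> List[str]:
    """One line per missing patch for the central console, malware context included."""
    lines = []
    for adv in missing:
        seen = ", ".join(adv.malware_seen) if adv.malware_seen else "none recorded"
        lines.append(f"{adv.criticality:8s} {adv.vendor} {adv.product}: apply {adv.patch_id} "
                     f"(fixed in {adv.fixed_version}); malware seen: {seen}")
    return lines


# Constructed local-scan result for one endpoint (versions invented for the example).
INSTALLED = {
    ("Adobe", "Flash Player"): "11.3.300.257",
    ("Oracle", "Java"): "1.6.0.31",
    ("Microsoft", "Internet Explorer"): "9.0",
    ("Mozilla", "Firefox"): "15.0.1",
}

# Constructed catalogue: placeholder IDs, invented fixed versions, and malware
# associations that are illustrative only.
CATALOGUE = [
    PatchAdvisory("Oracle", "Java", "PATCH-JAVA-01", "1.7.0.7", "High", ("Blackhole",)),
    PatchAdvisory("Adobe", "Flash Player", "PATCH-FLASH-01", "11.4.402.265", "Critical",
                  ("Blackhole", "Phoenix")),
    PatchAdvisory("Mozilla", "Firefox", "PATCH-FF-01", "15.0.1", "High", ()),
    PatchAdvisory("Microsoft", "Internet Explorer", "PATCH-IE-01", "9.0.8112", "Critical", ()),
    PatchAdvisory("Apple", "QuickTime", "PATCH-QT-01", "7.7.2", "Medium", ()),
]

if __name__ == "__main__":
    for line in report_lines(missing_patches(INSTALLED, CATALOGUE)):
        print(line)
```

Firefox is at exactly the fixed version and drops out, QuickTime is absent and is never reported, and the two Critical items come before the High one regardless of catalogue order, which is the "focus on the patches that really matter" the slide promises.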
Application control
Malware exploits vulnerabilities in applications
Exploit packs are sold on the black market
Specifically designed to exploit your applications
Some common exploit packs:
Blackhole Exploit 1.0
Blackhole Exploit 1.1
Bleeding Life 2.0
Bomba
CRIMEPACK 2.2.1
CRIMEPACK 2.2.8
CRIMEPACK 3.0
CRIMEPACK 3.1.3
Dloader
EL Fiiesta
Eleonore 1.3.2
Eleonore 1.4.1
Eleonore 1.4.4 Moded
Eleonore 1.6.3a
Eleonore 1.6.4
Fragus 1
Icepack
Impassioned Framework 1.0
Incognito
iPack
JustExploit
Katrin
Liberty 1.0.7
Liberty 2.1.0*
Lupit
Mpack
Mushroom/unknown
Open Source Exploit (Metapack)
Papka
Phoenix 2.0
Phoenix 2.1
Phoenix 2.2
Phoenix 2.3
Phoenix 2.4
Phoenix 2.5
Phoenix 2.7
Robopak
SEO Sploit pack
Siberia
T-Iframer
Unique Pack Sploit 2.1
Webattack
Yes Exploit 3.0RC
Zombie Infection kit
Zopack
Applications wrongly applied:
Users trying to install and run unauthorized applications
Some applications are risky
Unwanted applications might use bandwidth
Version control isn't easy
Reduce attack surface
Application control
Over 40 categories including:
Online storage
Browsers
P2P file sharing
Instant messaging
Virtualization tools
Remote access
USB program launchers
Games
Toolbars
Applications created and updated via Active Protection
Reduce attack surface
But I need all of these!
Device control
Plugging the device gap:
Devices can carry malware
They take data everywhere
If they're lost, can you be sure they're secure?
People will plug them in anywhere
Reduce attack surface
Device control
Control devices connected to computers
Granular control of:
Removable storage - USB keys, removable hard disks
Optical / disk drives - CD / DVD / HD-DVD / Blu-ray
Network devices:
Wi-Fi / Modems
Bluetooth
Infra-red
Reduce attack surface
Data control
Fully integrated endpoint DLP solution
Designed to prevent accidental data loss
Monitor and enforce on all common data exit points
Train staff through use of desktop prompts
Data types provided from Sophos via Active Protection
Integrated with email protection
Stop attacks and breaches
PII
Client firewall
Problem:
Open ports on PCs and laptops are open doors to hackers
A computer without a firewall and connected to the internet is a target
Worms often target particular ports and protocols
Laptops can connect anywhere; you need different rules when they're outside your network
Solution:
Location aware policies
Identifies apps by checksum
Rollout invisible to users
Interactive management alerts to create rules
Stealth mode prevents unauthorized network access by hackers
Stop attacks and breaches
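The client firewall slide lists four mechanisms: location-aware policy, identifying applications by checksum rather than name, alerts that let an admin author a rule for an unknown application, and stealth mode for unsolicited inbound traffic. This added example is not Sophos code; it models those four points in one small policy engine. How the location is detected is an assumption (a DNS suffix plus default-gateway MAC, both constructed values), as are the sample executables, which are just byte strings standing in for files on disk.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional

# Assumed location detection: the DNS suffix and default-gateway MAC the machine
# currently sees are matched against the corporate values (constructed here).
OFFICE_DNS_SUFFIX = "corp.example"
OFFICE_GATEWAY_MAC = "00:11:22:33:44:55"


def detect_location(dns_suffix: str, gateway_mac: str) -> str:
    """Both markers must match before the more permissive office policy applies."""
    if dns_suffix.lower() == OFFICE_DNS_SUFFIX and gateway_mac.lower() == OFFICE_GATEWAY_MAC:
        return "office"
    return "roaming"


def app_checksum(executable_bytes: bytes) -> str:
    """Identify an application by the hash of its file, not by its path or name."""
    return hashlib.sha256(executable_bytes).hexdigest()


@dataclass(frozen=True)
class Rule:
    location: str              # "office", "roaming" or "any"
    app_sha256: Optional[str]  # None matches any application
    direction: str             # "in" or "out"
    port: Optional[int]        # None matches any port
    action: str                # "allow" or "block"


@dataclass(frozen=True)
class Decision:
    action: str        # "allow", "block", or "drop" (stealth: no reply at all)
    needs_rule: bool   # True when nothing matched, so the console raises an alert


def evaluate(rules: List[Rule], location: str, app_sha256: Optional[str],
             direction: str, port: int) -> Decision:
    """First matching rule wins. With no match, inbound traffic is dropped silently
    (stealth) and outbound is blocked, and the attempt is flagged for rule creation."""
    for rule in rules:
        if rule.location not in ("any", location):
            continue
        if rule.app_sha256 is not None and rule.app_sha256 != app_sha256:
            continue
        if rule.direction != direction:
            continue
        if rule.port is not None and rule.port != port:
            continue
        return Decision(rule.action, needs_rule=False)
    return Decision("drop" if direction == "in" else "block", needs_rule=True)


# Constructed stand-ins for executables; a real agent hashes the on-disk file.
BROWSER_BYTES = b"constructed browser executable"
TAMPERED_BROWSER_BYTES = BROWSER_BYTES + b" plus appended bytes"
BROWSER_SHA256 = app_checksum(BROWSER_BYTES)

# Constructed policy: web access for the known browser anywhere, file sharing
# reachable only inside the office, everything else falls to the defaults.
RULES = [
    Rule("any", BROWSER_SHA256, "out", 443, "allow"),
    Rule("any", BROWSER_SHA256, "out", 80, "allow"),
    Rule("office", None, "in", 445, "allow"),
]

if __name__ == "__main__":
    here = detect_location("coffee-shop.lan", "aa:bb:cc:dd:ee:ff")
    print(here, evaluate(RULES, here, BROWSER_SHA256, "out", 443))
    print(here, evaluate(RULES, here, None, "in", 445))
    print("office", evaluate(RULES, "office", app_checksum(TAMPERED_BROWSER_BYTES), "out", 443))
```

Two outcomes are worth noticing. A modified copy of the browser has a different checksum, so the browser's allow rule no longer applies and the attempt is blocked and flagged, which is what checksum identification buys over a path-based rule. Off the corporate network, an inbound probe to port 445 gets no match and is dropped without a reply, so the laptop does not advertise that the port exists.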
Virtualization
We protect virtual environments. At no extra cost
Our lighter-weight agent is better than other traditional Endpoint security solutions
Stagger scanning for virtual machines
No compromise on protection
Citrix Receiver plugin
Developing VMware vShield scanner
Encryption
Industrial strength full disk encryption
Deployed and managed from your endpoint console
Fast initial encryption
Full password recovery options
Protect everywhere
Deploy and manage
A single deployment wizard for all features
Single agent for:
Anti-malware
HIPS
Device Control
Data Control
Web protection
Widest platform support
Console built for usability
Keep people working
Report
Proof points
CRN: IT Buying Behaviors. What are middle market CIOs saying?
Adjusting To The New Normal. Middle market CIOs face the same day-to-day fight: they need to do more with less. Small budgets and limited resources demand ROI on IT investments.
Different Opinions, Similar Consensus
Smaller budgets and limited IT resources define buying behaviors. It's all about finding all-in-one solutions and riding out current technology to its maximum lifeline.
Bradley Burns, Technology Director, Duncan/Channon: "...We are also looking for really good value, what kind of support we are going to get, the product features. We look for all-in-one solutions with overall value."
Tony Diaz, Director of Information Technology, Montgomery & Co.: "...CIOs have to take things in-house and choose vendor partners who offer more all-in-one solutions for cheaper costs."
In B2B End-to-End Security, Sophos is leading the way
Security as an add-on to a platform
Partial security
Security portfolio
Complete security without complexity
Complete Security
Learning Exercises: Endpoint & Web Security, Scenario #1
School Town of Munster has 4,000 students with over 3,200 notebook computers in use across the network
Business Challenges
Cost: Munster faced a $3 million cut in state aid on top of previous cuts
Performance: Symantec's Endpoint Client put so much overhead on machines
Protection: Munster needed to protect 2800 notebook computers for school and home use
Which Sophos fit?
They consolidated their protection with Sophos in 2012 with the Complete Security Suite
Includes endpoint protection, advanced web protection, full-disk encryption, email security, and data protection
Learning Exercises: Endpoint & Web Security, Scenario #2
Investors Savings Bank: 500 users, 52 locations across 8 countries
Business Challenges
Need more control protecting network and data from rapidly evolving security threats
Also wanted to ensure compliance with tighter industry standards and government regulations
Which Sophos fit?
Sophos web appliance is protecting the bank against malware, phishing threats and unwanted applications
Sophos email appliance is stopping spam, phishing, malware and data leakage
Sophos Endpoint Security and Control is providing tight, proactive security
Learning Exercises: Endpoint & Web Security, Scenario #3
Taco Bueno restaurant franchise has over 1,000 users across nine states
Business Challenges
Gain greater control over users' access to VoIP, games, social networking and other applications that threaten security as well as productivity
Strengthen its PCI compliance measures to further protect its customers' credit card data
Which Sophos fit?
Sophos's professional services team helped upgrade all machines on its network for 190 restaurants across nine states
Upgrading the existing Sophos endpoint solution took the IT team less than two hours
Taco Bueno chose Sophos Email Security, Sophos Web Security and Sophos Endpoint Security and Control
Learning Exercises: Endpoint & Web Security, Scenario #4
Hitachi Medical Systems has 2 locations with 450 users that include a large mobile workforce
Business Challenges
Road-warriors were consistently bringing their infected laptops for IT to fix
Infected laptops are regularly returned to IT to repair the same problems
IT would like to monitor and report on what these users are doing
While controlling the sites they visit is not critical, understanding what's going on is
Which Sophos fit?
Sophos Endpoint Protection
Sophos Web Protection
Complete Security
Recommended