3 Endpoint.pdf

8/10/2019 3 Endpoint.pdf

1/70

Endpoint and web security


2/70

What?


3/70

Variants and volumes


4/70

APT What does it mean?

Before Aurora Now

Custom Exploit Code Better than us

Multiple Entry/Exit points We didnt notice for a while

Diverse Actors Insert random foreign countryhere


5/70

Hijacked trusted sitesTheres no such thing as a trusted site


6/70

Fake anti-virus/scareware

Fake anti-virus Fake anti-spyware System optimizers


7/70

Et tu, Mac?MacDefender, MacSecurity, and many more


8/70

Social networking raises risks


9/70

KoobfaceFeature rich and evolving

Steal software keys

Upload stored passwords Web server

DNS proxy

Search hijacking CAPTCHA busting

Pay Per Click (PPC) fraud

Fake anti-virus installs Social network spambot

Screenshot courtesy of abuse.ch


10/70

Who?


11/70

Affiliate marketing, Russian style


12/70

Estdomains


13/70

McColo

Botnet C&C Spam sites

Child abuse content

Malware

Fake anti-virus Identity Theft (500,000+ Bank accounts)


14/70

Little penalty for great gains

150 Years$13-65 Billion

Probation and 30 hoursCommunity ServiceInfected Millions of PCs


15/70

How?


16/70

Spamming tools increase SEO

Multithreaded Web spam tool

Automatically creates forum/blog/webmail accounts

Uses proxies for IP diversity CAPTCHA busting

Content based on topic

$440

Supports PHPBB, PHPNuke,wikis, LiveJournal, Vbulletin,Facebook, Gmail, etc


17/70

Server-side polymorphism

Obfuscation engine on the server(PHP)

JavaScript returned changeson each page request

Challenge to generic detection

Core AV engine needs tosee through obfuscation

Cannot afford performance

hit Large effort in building heuristics to

distinguish legitimate andmalicious JavaScript


18/70

Web threat tree legitimate

sites


19/70

Web threat tree redirects to

attacker


20/70

Web threat tree attacks

vulnerabilities


21/70

Web threat tree deliver

payload


22/70

Why?


23/70

MotivesYes!Stereotypes


24/70

Zero day Flash vulnerability Inadequate monitoring Victims of their own success

Intellectual property is the new gold


25/70

Pharma profitability

This affiliate used 66 uniquedomains referencinghis Affiliate ID

124 orders per dayAverage sale = $16040% commission

124*160 = $19840 * 40% =

$7936/day

Date Orders

01 30

02 74

03 216

04 193

05 23106 191

07 189

08 78

09 99

10 128

11 52

12 7

Average sales perday

124


26/70

Fake anti-virus profitability

Statistics from topsale2.ru


27/70

Whats it worth?


28/70

Pirated software


29/70

Endpoint protection

Access control

Firewall

Virtualization

ApplicationControl

Device Control

Encryption

Anti-malware

Intrusionprevention

Data Control

Patch assessment

WebProtection

ExchangeServer Protection


30/70

Anti-malware

Sophos AV

A single engine to protect from all malware

Genotyping technology

Active Protection cloud technologies:! Live URL filter: Stops URLs we know are bad instantly

! Live anti-virus: Checks in seconds to see if a suspicious filemight be a real threat

Fast and low impact scanning

Small updates, frequently applied

Stop attacks and breaches


31/70

Intrusion prevention

So reliable it's on by default


Sophos HIPS

Behavioral detection

Suspicious file detection

Suspicious behavior detection

Buffer overflow detection

Rules create by SophosLabs via Active Protection


32/70

Malware solved

http://www.sophos.com/support/knowledgebase/article/113342.html



33/70

Layered protectionStop attacks and breaches


34/70

Active ProtectionStop attacks and breaches

Email DataEndpoint MobileWeb Network


35/70

Not just a windows story


36/70

The web: one stop (malware) shop

A threat network

The number one source of infection

Legitimate sites are regularly infected

Productivity filtering isnt enough

Many applications accessing the web

How people do web protection today Large scale deployments that focus on the gateway

Back-hauling traffic to appliances

None or limited protection for users not connecting to the gateway

Protect everywhere


37/70

Web protection

Basic Endpoint Active Protection from malware and bad sites Works in any browser

Web Filtering in Endpoint

Low-cost add-on integrated into the Endpoint/SEC Reduce surface area of attack from risky parts of the web (porn, hate,

p2p, etc.) Essential compliance and liability coverage for inappropriate sites

Web Protection Suite

Complete protection everywhere users go with Sophos LiveConnect Full coverage of threats, compliance, productivity, liability, and visibility

Reduce investment & complexity in back-hauling/VPN/Gateway HW

Protect everywhere


38/70

Inside Sophos LiveConnect

Sophos Web Protection Suite

Enables full visibility and control

Policy and reporting synchronization

Immediate and automatic

Secure end-to-end encryption

Protect everywhere


39/70

Sophos Web Protection


40/70

Sophos Web ProtectionKeep people working


41/70



42/70



43/70



44/70



45/70

NEW! Virtual Web Appliance (VMware)

Secure web gateway in a virtual appliance

NEW! Web Appliances (4 models)

Secure web gateway appliances

Sophos Web ProtectionNEW! Web Protection Suite

Complete web protection everywhere


46/70

Anti-virus

Current

Out of

date

None

Patch Status

Patched

Unpatched

Patches as important as ever

Firewall

Disabled

None

Enabled

Reduce attack surface


47/70

MSRC August 2012


48/70

MSRC August 2012


49/70

The problem with patching

No visibility of exposure level

Have users installed vulnerable applications?

Have users disabled automatic updates?

Is Microsoft WSUS/SCCM working correctly?

Dont know which patches to worry about!

Compliance audits become a real headache

Machines get compromised Gartner: 90% of situations where machines got compromised, a patch or

configuration change existed that could have prevented it!



50/70

Patch assessment

We assess all the key exploited applications Checking for patches from 11 vendors

We accurately assess each endpoint

Local scans on every managed endpoint

Complex fingerprintingensures patches accurately detected

Centralizedreporting of relevant missingpatches

Simple: no end-user interaction or messaging

We prioritize patches to make life easier Sophos rates patch criticality via Active Protection

Sophos shows any malware associated with patches

Creates a focus on the patches that reallymatter!



51/70

Application control

Malware exploits vulnerabilities inapplications

Exploit packs are sold on the black market

Specifically designed to exploit your applications

LupitMpack

Mushroom/unknownOpen Source Exploit (Metapack)

Papka

Phoenix 2.0Phoenix 2.1



Phoenix 2.7RobopakSEO Sploit packSiberia

T-IframerUnique Pack Sploit 2.1

WebattackYes Exploit 3.0RC

Zombie Infection kit

Zopack

Some Common Exploit Packs:

Blackhole Exploit 1.0

Blackhole Exploit 1.1Bleeding Life 2.0

BombaCRIMEPACK 2.2.1CRIMEPACK 2.2.8

CRIMEPACK 3.0CRIMEPACK 3.1.3DloaderEL FiiestaEleonore 1.3.2

Eleonore 1.4.1Eleonore 1.4.4 Moded

Eleonore 1.6.3a

Eleonore 1.6.4Fragus 1

IcepackImpassioned Framework 1.0

Incognito

iPackJustExploitKatrinLiberty 1.0.7Liberty 2.1.0*


Applications wrongly applied:

Users trying to install and run unauthorized

applications

Some applications are risky

Unwanted applications might use bandwidth

Version control isnt easy


52/70

Application control

Over 40 categories including:! Online storage

! Browsers

! P2P File sharing

! Instant messaging! Virtualization tools

! Remote access

! USB program launchers

! Games

! Toolbars

Applications created and updated via Active Protection



53/70

But I need all of these!


54/70

Device control

Plugging the device gap:

Devices can carry malware

They take data everywhere

If theyre lost can you be sure theyre secure?

People will plug them in anywhere



55/70

Device control

Control devices connected to computers

Granular control of:! Removable storage - USB keys, removable hard disks

!

Optical / disk drives - CD / DVD / HD-DVD / Blu-ray

Network devices:! Wi-Fi / Modems

!

Bluetooth! Infra-red



56/70

Data control

Fully integrated endpoint DLP solution

Designed to prevent accidental data loss

Monitor and enforce on all common data exit points

Train staff through use of desktop prompts

Data types provided from Sophos via Active Protection

Integrated with email protection


PII


57/70

Client firewall

Problem:! Open ports on PCs and Laptops are open doors to hackers! A computer without a firewall and connected to the internet is a target! Worms often target particular ports and protocols! Laptops can connect anywhere, you need different rules when theyre

outside your network

Solution: Location aware policies

Identifies apps by checksum

Rollout invisible to users

Interactive management alerts to create rules

Stealth mode prevents unauthorized network access by hackers



58/70

Virtualization

We protect virtual environments. At no extra cost

Our lighter-weight agent is better than other traditionalEndpoint security solutions

Stagger scanning for virtual machines

No compromise on protection

Citrix Receiver plugin

Developing VMware vShield scanner


59/70

Encryption

Industrial strength full disk encryption

Deployed and managed from your endpoint console

Fast initial encryption

Full password recovery options

Protect everywhere


60/70

Deploy and manage

A single deployment wizard for all features

Single agent for:Anti malware

HIPS

Device ControlData Control

Web protection Widest platform support

Console built for usability

Keep people working


61/70

Report


62/70

Report


63/70

Proof pointsCRN: IT Buying Behaviors.

What are middle market CIOs saying?

Adjusting To The New Normal.Middle market CIOs face the same day-to-day fightthey need to do more with less.Small budgets and limited resources demand ROI on IT investments.

Different Opinions, Similar Consensus

Smaller budgets and limited IT resources definey buying behaviors. Its all about findingall-in-one solutions and riding out current technology to its maximum lifeline.

Bradley Burns, Technology Director, Duncan/Channon!..We are also looking for really good valuewhat kind of support we are going to

get, the product features. We look for all-in-one solutions with overall value.

Tony Diaz, Director of Information Technology, Montgomery & Co.

!.CIOs have to take things in-house and choose vendor partners who offer more

all-in-one solutions for cheaper costs.


64/70

In B2B End-to-End Security

Sophos is leading the way

Security as anadd-on to a

platform

Partial security Security portfolio

Completesecuritywithout

complexity


65/70

Complete Security


66/70

Learning ExercisesEndpoint & Web SecurityScenario #1

School Town of Munster has 4,000 student with over 3,200 notebook computers inuse across the network

Business Challenges

CostMunster faced $3 million cut in state aid on top of previous cuts

PerformanceSymantec's Endpoint Client put so much overhead on machines

ProtectionMunster needed to protect 2800 notebook computers for school andhome use

Which Sophos fit?

They consolidated their protection with Sophos in 2012 with the Complete SecuritySuite

Includes endpoint protection, advanced web protection, full-disk encryption, emailsecurity, and data protection


67/70


Investors Savings Bank 500 users, 52 locations across 8 countries

Business Challenges

Need more control protecting network and data from rapidly evolving securitythreats

Also wanted to ensure compliance with tighter industry standards and governmentregulations

Which Sophos fit?

Sophos web appliance is protecting the bank against malware, phishing threats andunwanted applications

Sophos email appliance is stopping spam, phishing, malware and data leakage

Sophos Endpoint Security and Control is providing tight, proactive security


68/70


Taco Bueno restaurant franchise has over 1,000 users across nine states

Business Challenges

Gain greater control over users' access to VoIP, games, social networking and otherapplications that threaten security as well as productivity/

Strengthen its PCI compliance measures to further protect its customers' credit carddata

D

Which Sophos fit?

Sophoss professional services team helped upgrade all machines on its network for190 restaurants across nine states

Upgrading the existing Sophos endpoint solution took the IT team less than twohours

Taco Bueno chose Sophos Email Security, Sophos Web Security and SophosEndpoint Security and Control


69/70


Hitachi Medical Systems has 2 locations with 450 Users that include a large mobileworkforce

Business Challenges

Road-warriors were consistently bringing their infected laptops for IT to fix

Infected laptops are regularly returned to IT to repair the same problems

IT would like to monitor and report on what these users are doing

While controlling the sites they visit is not critical!understanding whats going on is

Which Sophos fit?

Sophos Endpoint Protection



70/70

Complete Security

Documents

3 Endpoint.pdf