3 Endpoint.pdf

  • 8/10/2019 3 Endpoint.pdf

    1/70

    Endpoint and web security

    2/70

    What?

    3/70

    Variants and volumes

    4/70

APT: What does it mean?

Before Aurora                  Now
Custom exploit code            Better than us
Multiple entry/exit points     We didn't notice for a while
Diverse actors                 Insert random foreign country here

    5/70

Hijacked trusted sites: there's no such thing as a trusted site

    6/70

    Fake anti-virus/scareware

Fake anti-virus, fake anti-spyware, system optimizers

    7/70

Et tu, Mac? MacDefender, MacSecurity, and many more

    8/70

    Social networking raises risks

    9/70

Koobface: feature rich and evolving

Steal software keys
Upload stored passwords
Web server
DNS proxy
Search hijacking
CAPTCHA busting
Pay Per Click (PPC) fraud
Fake anti-virus installs
Social network spambot

Screenshot courtesy of abuse.ch

    10/70

    Who?

    11/70

    Affiliate marketing, Russian style

    12/70

    Estdomains

    13/70

McColo

Botnet C&C
Spam sites
Child abuse content
Malware
Fake anti-virus
Identity theft (500,000+ bank accounts)

    14/70

Little penalty for great gains

$13-65 billion: 150 years
Infected millions of PCs: probation and 30 hours community service

    15/70

    How?

    16/70

Spamming tools increase SEO

Multithreaded web spam tool
Automatically creates forum/blog/webmail accounts
Uses proxies for IP diversity
CAPTCHA busting
Content based on topic
Supports PHPBB, PHPNuke, wikis, LiveJournal, vBulletin, Facebook, Gmail, etc.
$440

    17/70

Server-side polymorphism

Obfuscation engine on the server (PHP)
JavaScript returned changes on each page request

Challenge to generic detection:
Core AV engine needs to see through the obfuscation
Cannot afford a performance hit
Large effort in building heuristics to distinguish legitimate and malicious JavaScript
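The engine this slide describes, as an added example that is not Sophos code and not from the original deck: a toy stand-in for the PHP obfuscator that re-encodes the same payload on every request, followed by the two responses the slide contrasts, an emulator that recovers the payload and a cheap structural heuristic that ignores the names and the key. The payload, the benign control script and the heuristic weights are all constructed for the demo.

```python
"""Server-side polymorphism: per-request re-obfuscation versus two detectors.
Constructed demo, not vendor code."""
import hashlib
import random
import re
import string

# Constructed stand-in for an injected payload (harmless).
PAYLOAD = 'document.write("<iframe src=\\"http://example.invalid/x\\"></iframe>");'

# Constructed benign script, used as the negative control.
BENIGN = """
function total(items) {
  var sum = 0;
  for (var i = 0; i < items.length; i++) { sum += items[i].price; }
  return sum;
}
"""

def serve_polymorphic(payload, seed):
    """Emulates the server-side engine: every request gets a fresh XOR key and
    fresh identifier names, so the bytes differ while the behaviour is the
    same. Only the decoder stub plus the encoded array ever leaves the server."""
    rng = random.Random(seed)
    key = rng.randrange(1, 256)
    names = set()
    while len(names) < 4:                       # four distinct identifiers
        names.add("".join(rng.choice(string.ascii_letters)
                          for _ in range(rng.randrange(5, 12))))
    arr, k, out, i = sorted(names)
    codes = ",".join(str(ord(c) ^ key) for c in payload)
    return (f"var {arr}=[{codes}];var {k}={key};var {out}='';"
            f"for(var {i}=0;{i}<{arr}.length;{i}++)"
            f"{{{out}+=String.fromCharCode({arr}[{i}]^{k});}}"
            f"eval({out});")

def sha256(text):
    """A hash signature: useless here, because no two responses share it."""
    return hashlib.sha256(text.encode()).hexdigest()

def emulate_decoder(js):
    """'See through it': pull the array and key out of the stub and run the
    decode loop here instead of in a browser. Cheap for this one stub; a
    real engine needs a JavaScript emulator to handle arbitrary ones."""
    codes = re.search(r"=\[([\d,]+)\];", js).group(1)
    key = int(re.search(r"\];var \w+=(\d+);", js).group(1))
    return "".join(chr(int(n) ^ key) for n in codes.split(","))

def suspicion_score(js):
    """Heuristic route: score structural traits of decoder stubs that survive
    renaming and re-keying. Weights are constructed, not tuned on real data."""
    score = 0
    if re.search(r"\beval\s*\(", js):
        score += 2
    if "String.fromCharCode" in js:
        score += 2
    digit_chars = sum(len(m) for m in re.findall(r"\d+", js))
    if digit_chars / max(len(js), 1) > 0.3:       # source is mostly numbers
        score += 2
    if re.search(r"for\s*\(.*?\)\s*\{[^}]*\^", js):  # XOR inside a loop body
        score += 1
    return score

THRESHOLD = 4

def classify(js):
    return "malicious" if suspicion_score(js) >= THRESHOLD else "clean"

if __name__ == "__main__":
    a, b = serve_polymorphic(PAYLOAD, 1), serve_polymorphic(PAYLOAD, 2)
    print("hashes differ:", sha256(a) != sha256(b))
    print("emulator recovers payload:", emulate_decoder(a) == PAYLOAD)
    print("verdicts:", classify(a), classify(b), classify(BENIGN))
```

The hash comparison is the point of the slide: two responses for the same payload never match, so a byte signature catches nothing. The emulator is exact but costs CPU per script and breaks the moment the stub shape changes; the heuristic is cheap and shape-tolerant but needs the benign corpus the slide mentions to keep false positives down.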

    18/70

Web threat tree: legitimate sites

    19/70

Web threat tree: redirects to attacker

    20/70

Web threat tree: attacks vulnerabilities

    21/70

Web threat tree: deliver payload

    22/70

    Why?

    23/70

Motives: Yes! Stereotypes

    24/70

Zero-day Flash vulnerability
Inadequate monitoring
Victims of their own success
Intellectual property is the new gold

    25/70

Pharma profitability

This affiliate used 66 unique domains referencing his Affiliate ID

124 orders per day; average sale = $160; 40% commission
124 * $160 = $19,840 per day * 40% = $7,936/day

Date  Orders
01    30
02    74
03    216
04    193
05    231
06    191
07    189
08    78
09    99
10    128
11    52
12    7

Average sales per day: 124

    26/70

    Fake anti-virus profitability

    Statistics from topsale2.ru

    27/70

    Whats it worth?

    28/70

    Pirated software

    29/70

Endpoint protection

Access control
Firewall
Virtualization
Application control
Device control
Encryption
Anti-malware
Intrusion prevention
Data control
Patch assessment
Web protection
Exchange Server protection

    30/70

Anti-malware

Sophos AV
A single engine to protect from all malware
Genotyping technology
Active Protection cloud technologies:
Live URL filter: stops URLs we know are bad instantly
Live anti-virus: checks in seconds to see if a suspicious file might be a real threat
Fast and low impact scanning
Small updates, frequently applied

Stop attacks and breaches

    31/70

Intrusion prevention

So reliable it's on by default

Sophos HIPS
Behavioral detection
Suspicious file detection
Suspicious behavior detection
Buffer overflow detection
Rules created by SophosLabs via Active Protection

Stop attacks and breaches

    32/70

    Malware solved

    http://www.sophos.com/support/knowledgebase/article/113342.html

    Stop attacks and breaches

    33/70

Layered protection: Stop attacks and breaches

    34/70

Active Protection: Stop attacks and breaches

Email, Data, Endpoint, Mobile, Web, Network

    35/70

    Not just a windows story

    36/70

The web: one stop (malware) shop

A threat network
The number one source of infection
Legitimate sites are regularly infected
Productivity filtering isn't enough
Many applications accessing the web

How people do web protection today:
Large scale deployments that focus on the gateway
Back-hauling traffic to appliances
None or limited protection for users not connecting to the gateway

Protect everywhere

    37/70

Web protection

Basic Endpoint
Active Protection from malware and bad sites
Works in any browser

Web Filtering in Endpoint
Low-cost add-on integrated into the Endpoint/SEC
Reduce surface area of attack from risky parts of the web (porn, hate, p2p, etc.)
Essential compliance and liability coverage for inappropriate sites

Web Protection Suite
Complete protection everywhere users go with Sophos LiveConnect
Full coverage of threats, compliance, productivity, liability, and visibility
Reduce investment and complexity in back-hauling/VPN/gateway hardware

Protect everywhere

    38/70

    Inside Sophos LiveConnect

    Sophos Web Protection Suite

    Enables full visibility and control

    Policy and reporting synchronization

    Immediate and automatic

    Secure end-to-end encryption

    Protect everywhere

39/70 to 44/70

Sophos Web Protection: Keep people working

    45/70

Sophos Web Protection

NEW! Virtual Web Appliance (VMware): secure web gateway in a virtual appliance
NEW! Web Appliances (4 models): secure web gateway appliances
NEW! Web Protection Suite: complete web protection everywhere

    46/70

Patches as important as ever

Chart: anti-virus status (current / out of date / none), patch status (patched / unpatched), firewall (enabled / disabled / none)

Reduce attack surface

47/70 to 48/70

MSRC August 2012

    49/70

The problem with patching

No visibility of exposure level:
Have users installed vulnerable applications?
Have users disabled automatic updates?
Is Microsoft WSUS/SCCM working correctly?
Don't know which patches to worry about!
Compliance audits become a real headache
Machines get compromised. Gartner: in 90% of situations where machines got compromised, a patch or configuration change existed that could have prevented it!

Reduce attack surface

    Reduce attack surface

    50/70

Patch assessment

We assess all the key exploited applications
Checking for patches from 11 vendors

We accurately assess each endpoint
Local scans on every managed endpoint
Complex fingerprinting ensures patches are accurately detected
Centralized reporting of relevant missing patches
Simple: no end-user interaction or messaging

We prioritize patches to make life easier
Sophos rates patch criticality via Active Protection
Sophos shows any malware associated with patches
Creates a focus on the patches that really matter!

Reduce attack surface
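The assessment loop the two slides above describe (fingerprint installed versions locally, compare each to the version that fixes the hole, rank by criticality and by whether malware is known to exploit it), as an added example that is not Sophos code: the advisory feed, product names, version numbers and exploit-kit associations are constructed for the demo. The one check worth copying is the version parser; comparing versions as strings is the classic way an assessment reports an exposed machine as patched.

```python
"""Patch assessment over a scanned inventory. Constructed demo, not vendor code."""
from collections import namedtuple

Advisory = namedtuple("Advisory", "product fixed_in criticality exploited_by")
Finding = namedtuple("Finding", "criticality exploited_by product host installed fixed_in")

def parse_version(text):
    """Numeric comparison. Lexically '9.0.1' > '15.0.1', so a string compare
    would call an out-of-date 9.x install patched."""
    return tuple(int(part) for part in text.split("."))

# Constructed feed: fixed version per product, a 1 (critical) to 4 (low)
# rating, and which exploit kits are associated with the gap.
ADVISORIES = [
    Advisory("flash-plugin", "11.3.300.271", 1, ("Blackhole",)),
    Advisory("java-runtime", "7.0.7", 1, ("Blackhole", "Phoenix")),
    Advisory("pdf-reader", "10.1.4", 2, ()),
    Advisory("browser", "15.0.1", 3, ()),
]

# Constructed inventory, as local scans on three endpoints would report it.
INVENTORY = {
    "host-a": {"flash-plugin": "11.3.300.257", "java-runtime": "7.0.7", "pdf-reader": "9.5.2"},
    "host-b": {"flash-plugin": "11.3.300.271", "browser": "9.0.1"},
    "host-c": {"java-runtime": "6.0.33"},
}

def assess(inventory, advisories):
    """One Finding per installed-but-unpatched product, ordered so critical
    and actively exploited gaps come first. A product that is not installed
    is not exposure and is not reported."""
    findings = []
    for host, apps in inventory.items():
        for adv in advisories:
            installed = apps.get(adv.product)
            if installed is None:
                continue
            if parse_version(installed) < parse_version(adv.fixed_in):
                findings.append(Finding(adv.criticality, adv.exploited_by,
                                        adv.product, host, installed, adv.fixed_in))
    findings.sort(key=lambda f: (f.criticality, not f.exploited_by, f.product, f.host))
    return findings

def exposure_by_host(findings):
    """Missing critical patches per host: the 'exposure level' the previous
    slide says administrators lack."""
    counts = {}
    for f in findings:
        if f.criticality == 1:
            counts[f.host] = counts.get(f.host, 0) + 1
    return counts

if __name__ == "__main__":
    findings = assess(INVENTORY, ADVISORIES)
    for f in findings:
        print(f)
    print(exposure_by_host(findings))
```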

    51/70

Application control

Malware exploits vulnerabilities in applications
Exploit packs are sold on the black market
Specifically designed to exploit your applications

Some common exploit packs:
Blackhole Exploit 1.0, Blackhole Exploit 1.1
Bleeding Life 2.0
Bomba
CRIMEPACK 2.2.1, CRIMEPACK 2.2.8, CRIMEPACK 3.0, CRIMEPACK 3.1.3
Dloader
El Fiiesta
Eleonore 1.3.2, Eleonore 1.4.1, Eleonore 1.4.4 Moded, Eleonore 1.6.3a, Eleonore 1.6.4
Fragus 1
Icepack
Impassioned Framework 1.0
Incognito
iPack
JustExploit
Katrin
Liberty 1.0.7, Liberty 2.1.0*
Lupit
Mpack
Mushroom/unknown
Open Source Exploit (Metapack)
Papka
Phoenix 2.0, 2.1, 2.2, 2.3, 2.4, 2.5, 2.7
Robopak
SEO Sploit pack
Siberia
T-Iframer
Unique Pack Sploit 2.1
Webattack
Yes Exploit 3.0RC
Zombie Infection kit
Zopack

Applications wrongly applied:
Users trying to install and run unauthorized applications
Some applications are risky
Unwanted applications might use bandwidth
Version control isn't easy

Reduce attack surface

    52/70

Application control

Over 40 categories including:
Online storage
Browsers
P2P file sharing
Instant messaging
Virtualization tools
Remote access
USB program launchers
Games
Toolbars

Applications created and updated via Active Protection

Reduce attack surface

    53/70

    But I need all of these!

    54/70

Device control

Plugging the device gap:
Devices can carry malware
They take data everywhere
If they're lost, can you be sure they're secure?
People will plug them in anywhere

Reduce attack surface

    55/70

Device control

Control devices connected to computers

Granular control of:
Removable storage: USB keys, removable hard disks
Optical / disk drives: CD / DVD / HD-DVD / Blu-ray
Network devices: Wi-Fi / modems, Bluetooth, infra-red

Reduce attack surface

    56/70

Data control

Fully integrated endpoint DLP solution
Designed to prevent accidental data loss
Monitor and enforce on all common data exit points
Train staff through use of desktop prompts
Data types (e.g. PII) provided from Sophos via Active Protection
Integrated with email protection

Stop attacks and breaches
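One content rule of the kind a PII data-type feed would supply, as an added example that is not Sophos code and not from the deck: payment card numbers are found by pattern and then confirmed with the Luhn checksum, so a 16-digit order reference does not trigger a prompt; the hit count then drives the desktop-prompt-or-block decision the slide mentions. The sample message, the thresholds and the masking format are constructed.

```python
"""Endpoint DLP content rule for card numbers, with Luhn filtering and an
escalating prompt/block policy. Constructed demo, not vendor code."""
import re

# 13 to 19 digits with optional single space or hyphen separators,
# and no digit glued on either side (so we do not start mid-number).
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right, subtract 9
    from doubled values above 9, and require the sum to be a multiple of 10."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        n = int(ch)
        if pos % 2 == 1:
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0

def mask(digits):
    """BIN plus last four, as a report or desktop prompt would show it."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_cards(text):
    """Regex candidates filtered by Luhn; returns masked matches only."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(mask(digits))
    return hits

# Constructed policy: one card in an outbound message is plausibly a customer
# query, so prompt and let the user confirm (the training moment); a batch
# looks like an export and is blocked outright.
PROMPT_AT, BLOCK_AT = 1, 5

def decide(hits):
    if len(hits) >= BLOCK_AT:
        return "block"
    if len(hits) >= PROMPT_AT:
        return "prompt"
    return "allow"

# Constructed outbound message: two well-known test card numbers and one
# order reference that is 16 digits but fails Luhn.
SAMPLE = """\
Subject: refund batch
Card 4111 1111 1111 1111, exp 09/14
Order ref 1234 5678 9012 3456
Card 5500-0000-0000-0004
"""

if __name__ == "__main__":
    found = find_cards(SAMPLE)
    print(found, decide(found))
```

Without the Luhn step the order reference is a third hit; at scale that kind of false positive is what makes users click through prompts without reading them, which defeats the training purpose the slide assigns to the prompts.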

    57/70

    Client firewall

Client firewall

Problem:
Open ports on PCs and laptops are open doors to hackers
A computer without a firewall and connected to the internet is a target
Worms often target particular ports and protocols
Laptops can connect anywhere; you need different rules when they're outside your network

Solution:
Location aware policies
Identifies apps by checksum
Rollout invisible to users
Interactive management alerts to create rules
Stealth mode prevents unauthorized network access by hackers

Stop attacks and breaches
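Two of the points above, apps identified by checksum and location-aware policies, as an added example that is not Sophos code: the "executables", the corporate location fingerprint and the rule table are constructed, and the location test is a stand-in for whatever signals a real client combines. The demo shows why the checksum matters: a renamed copy keeps its permissions, a modified copy inherits none.

```python
"""Checksum-keyed, location-aware outbound application rules.
Constructed demo, not vendor code."""
import hashlib
import os
import shutil
import tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

# Constructed corporate fingerprint: DNS suffix plus default-gateway MAC.
# Either alone is trivially spoofed on a hostile LAN, so require both.
CORP = ("corp.example", "00:11:22:33:44:55")

def detect_location(dns_suffix, gateway_mac):
    return "office" if (dns_suffix, gateway_mac) == CORP else "public"

def build_demo():
    """Create three constructed 'executables' in a temp dir and a per-location
    rule table keyed by the hash of the one that is trusted."""
    d = tempfile.mkdtemp()
    trusted = os.path.join(d, "mailer.exe")
    with open(trusted, "wb") as f:
        f.write(b"MZ constructed mail client v1")
    renamed = os.path.join(d, "notepad.exe")         # same bytes, new name
    shutil.copyfile(trusted, renamed)
    tampered = os.path.join(d, "mailer.exe.new")      # one byte changed
    with open(tampered, "wb") as f:
        f.write(b"MZ constructed mail client v2")
    h = sha256_file(trusted)
    policies = {
        "office": {h: {("tcp", 443), ("tcp", 445)}},   # SMB allowed on the LAN
        "public": {h: {("tcp", 443)}},                  # HTTPS only elsewhere
    }
    return policies, trusted, renamed, tampered

def decide(policies, location, exe_path, proto, port):
    """Outbound decision for one connection. A binary with no rule for its
    hash is denied; a real client raises the management alert here so an
    administrator can turn the event into a rule."""
    allowed = policies[location].get(sha256_file(exe_path))
    if allowed is None:
        return "deny"
    return "allow" if (proto, port) in allowed else "deny"

if __name__ == "__main__":
    policies, trusted, renamed, tampered = build_demo()
    here = detect_location("coffee.example", "de:ad:be:ef:00:01")
    for exe in (trusted, renamed, tampered):
        print(here, os.path.basename(exe), decide(policies, here, exe, "tcp", 445))
```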

    58/70

Virtualization

We protect virtual environments, at no extra cost
Our lighter-weight agent is better than other traditional endpoint security solutions
Stagger scanning for virtual machines
No compromise on protection
Citrix Receiver plugin
Developing VMware vShield scanner

    59/70

    Encryption

    Industrial strength full disk encryption

    Deployed and managed from your endpoint console

    Fast initial encryption

    Full password recovery options

    Protect everywhere

    60/70

Deploy and manage

A single deployment wizard for all features
Single agent for: anti-malware, HIPS, device control, data control, web protection
Widest platform support
Console built for usability

Keep people working

61/70 to 62/70

Report

    63/70

Proof points: CRN, IT Buying Behaviors. What are middle market CIOs saying?

Adjusting To The New Normal. Middle market CIOs face the same day-to-day fight: they need to do more with less. Small budgets and limited resources demand ROI on IT investments.

Different Opinions, Similar Consensus. Smaller budgets and limited IT resources define buying behaviors. It's all about finding all-in-one solutions and riding out current technology to its maximum lifeline.

Bradley Burns, Technology Director, Duncan/Channon: "...We are also looking for really good value: what kind of support we are going to get, the product features. We look for all-in-one solutions with overall value."

Tony Diaz, Director of Information Technology, Montgomery & Co.: "...CIOs have to take things in-house and choose vendor partners who offer more all-in-one solutions for cheaper costs."

    64/70

In B2B end-to-end security, Sophos is leading the way

Security as an add-on to a platform
Partial security
Security portfolio
Complete security without complexity

    65/70

    Complete Security

    66/70

Learning Exercises: Endpoint & Web Security, Scenario #1

School Town of Munster has 4,000 students with over 3,200 notebook computers in use across the network

Business challenges
Cost: Munster faced a $3 million cut in state aid on top of previous cuts
Performance: Symantec's Endpoint Client put so much overhead on machines
Protection: Munster needed to protect 2,800 notebook computers for school and home use

Which Sophos fit?
They consolidated their protection with Sophos in 2012 with the Complete Security Suite
Includes endpoint protection, advanced web protection, full-disk encryption, email security, and data protection

    67/70

Learning Exercises: Endpoint & Web Security, Scenario #2

Investors Savings Bank: 500 users, 52 locations across 8 countries

Business challenges
Need more control protecting network and data from rapidly evolving security threats
Also wanted to ensure compliance with tighter industry standards and government regulations

Which Sophos fit?
Sophos web appliance is protecting the bank against malware, phishing threats and unwanted applications
Sophos email appliance is stopping spam, phishing, malware and data leakage
Sophos Endpoint Security and Control is providing tight, proactive security

    68/70

Learning Exercises: Endpoint & Web Security, Scenario #3

Taco Bueno restaurant franchise has over 1,000 users across nine states

Business challenges
Gain greater control over users' access to VoIP, games, social networking and other applications that threaten security as well as productivity
Strengthen its PCI compliance measures to further protect its customers' credit card data

Which Sophos fit?
Sophos's professional services team helped upgrade all machines on its network for 190 restaurants across nine states
Upgrading the existing Sophos endpoint solution took the IT team less than two hours
Taco Bueno chose Sophos Email Security, Sophos Web Security and Sophos Endpoint Security and Control

    69/70

Learning Exercises: Endpoint & Web Security, Scenario #4

Hitachi Medical Systems has 2 locations with 450 users that include a large mobile workforce

Business challenges
Road warriors were consistently bringing their infected laptops for IT to fix
Infected laptops are regularly returned to IT to repair the same problems
IT would like to monitor and report on what these users are doing
While controlling the sites they visit is not critical, understanding what's going on is

Which Sophos fit?
Sophos Endpoint Protection
Sophos Web Protection

    70/70

    Complete Security