Anatomy of an Attack - Sophos Day Belux 2014

DESCRIPTION

Anatomy of an Attack - Next Generation Endpoint, presentation given by Vincent Vanbiervliet at Sophos Day Belux on November 25th, 2014.

Vincent Vanbiervliet, Senior Sales Engineer

Next Generation Endpoint, Sophos Security Day – 25/11/2014

The perception of endpoint security

“Conventional antivirus software is an outmoded way of protecting computers against malware.”

“The current anti-virus method of detecting and blocking known samples is no longer effective.”

“Antivirus software is now so ineffective at detecting new malware threats most enterprises are probably wasting their money buying it.”

Some vendors overcompensate

• Sophisticated functionality

• Endless add-ons

• Requires major time investment

• Not simple

Our products are sophisticated and simple

• Malicious behavior prevention

• Perimeter defense

• Malware detection

• Web protection

• Spam blocking

• Attack surface reduction

SophosLabs makes it possible

Threat intelligence

Big data

• 2–3 TB of threat data per week

• 5 million spam emails per day

• 600 million live lookups per day

• 150,000 suspicious URLs per day

• 300,000 new files per day

Automation

• Malware analysis

• Decision making

• Analytics

• New identity every 4–5 seconds

• Live Protection

Leveraged expertise

• Buffer Overflow Protection

• HIPS

• Live Protection

• Emulation

• Static code analysis

• Unpacking

• Signatures

• Web security — exploit code

• Web security — bad URLs

• Exploit patterns

• Multi-factor identities

• Behavior-based rules

19 identities account for 50% of detections

HIPS for everyone

• Zero day malware protection

• Tuned by SophosLabs

• Over 80% adoption

• No one else makes it this simple

This doesn’t look right!

Effortless application control

Them: Complex, manual rule sets

Us: Simple point and click

What simple, effective security means

IT Department: Support, Threat Intelligence & Response, Software development, Infrastructure

• Less time managing protection

• Fewer security incidents

• More time to focus on business priorities

Building next gen endpoint security

Buffer Overflow Protection

HIPS

Live Protection

Emulation

Static code analysis

Unpacking

Signatures

Web security — exploit code

Web security — bad URLs

C&C traffic detection

Download reputation

New emulator

File tracking

Advanced Persistent Threat: Protection

1. Gather information: social media, events, other websites…

2. Find a way in: phishing, spoof calls, USB sticks…

3. Avoid being discovered: lay low, do nothing, ‘low & slow’…

4. Get out with the data: collate data, encrypt, extract…

Layered protection is the best defense against targeted attacks

Advanced Threat Protection: detects botnets, stops outbound traffic, selective analysis

Firewall, Antivirus, IPS, Web, Email, WAF

Advanced Threat Protection in Sophos UTM

Alerts to infected clients

Provides:

• Consolidated reporting

• Threat information

• Link to SophosLabs Threat Center

Context-Aware Security: a coordinated threat sensing system

The traditional way: one point in time and space

The new way: many points in time and space

How?

• We watch all points

• We correlate intelligence

• We coordinate protection

• We strengthen every point

• We build a stronger system

Points: Laptop, Network, Server, App, Mobile, Cloud, Another

Signals:

• Suspicious outbound traffic

• Suspicious runtime behavior

• Indicators of Compromise: alert & respond

• Application reputation

• Application categorization and tracking

• Mal/sus attributes pre-execution

• IPS/IDS events

• System events

What if robots could work together?

Looks like your PC is infected. Let’s isolate it from the network.

Oops, you’re right. I’ll clean it up. Tell the others to watch out for badfile.exe.
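The two slides above describe the loop but not how a correlation engine would actually make the "isolate, then tell the others" decision. The following is an added example, not Sophos code and not any product's logic: a toy fleet-wide correlator in which several sensor types (pre-execution reputation, IPS, HIPS runtime behavior, gateway C&C detection) each add a weighted score to the host they report on; a host is isolated only when the score crosses a threshold and at least two independent sources agree, and every file hash seen on that host is pushed to the other hosts' blocklists so the next host stops it pre-execution. The weights, thresholds, host names and the "badfile.exe" hash are all constructed for the example.

```python
"""Toy coordinated threat-sensing loop (added example, not Sophos code):
several sensors feed per-host scores, agreement between independent sources
triggers isolation, and the file indicator is shared with every other host."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Assumed weights. One source on its own is only a hint; a host is isolated
# once its score crosses the threshold AND at least two independent sources
# agree, so a single chatty sensor cannot quarantine a machine by itself.
WEIGHTS = {
    "bad_reputation": 20,    # pre-execution: low download/application reputation
    "ips_event": 30,         # network: IPS/IDS signature hit
    "runtime_behavior": 50,  # endpoint HIPS: suspicious runtime behaviour
    "outbound_c2": 50,       # gateway: C&C traffic detection
}
ISOLATE_THRESHOLD = 80
MIN_SOURCES = 2

# Constructed SHA-256 standing in for "badfile.exe"; not a real sample.
BADFILE_SHA256 = "9b2e" * 16


@dataclass
class Event:
    host: str
    source: str                   # key into WEIGHTS
    sha256: Optional[str] = None  # file involved, when the sensor knows it


@dataclass
class Fleet:
    hosts: Set[str]
    isolated: Set[str] = field(default_factory=set)
    blocklist: Dict[str, Set[str]] = field(default_factory=lambda: defaultdict(set))
    _scores: Dict[str, int] = field(default_factory=lambda: defaultdict(int))
    _sources: Dict[str, Set[str]] = field(default_factory=lambda: defaultdict(set))
    _hashes: Dict[str, Set[str]] = field(default_factory=lambda: defaultdict(set))

    def is_blocked(self, host: str, sha256: str) -> bool:
        return sha256 in self.blocklist[host]

    def ingest(self, ev: Event) -> List[str]:
        """Correlate one sensor event; return the response actions it caused."""
        if ev.host not in self.hosts:
            raise ValueError(f"unknown host {ev.host!r}")
        if ev.source not in WEIGHTS:
            raise ValueError(f"unknown source {ev.source!r}")
        # An indicator another host already shared is stopped pre-execution.
        if ev.sha256 and self.is_blocked(ev.host, ev.sha256):
            return [f"{ev.host}: blocked {ev.sha256[:12]} pre-execution (shared IOC)"]
        self._scores[ev.host] += WEIGHTS[ev.source]
        self._sources[ev.host].add(ev.source)
        if ev.sha256:
            self._hashes[ev.host].add(ev.sha256)
        actions: List[str] = []
        if (ev.host not in self.isolated
                and self._scores[ev.host] >= ISOLATE_THRESHOLD
                and len(self._sources[ev.host]) >= MIN_SOURCES):
            self.isolated.add(ev.host)
            actions.append(f"{ev.host}: isolate from network")
            for sha in sorted(self._hashes[ev.host]):
                actions += self.share_ioc(sha, origin=ev.host)
        return actions

    def share_ioc(self, sha256: str, origin: str) -> List[str]:
        """Push a file hash to every other host's blocklist ("tell the others")."""
        actions: List[str] = []
        for host in sorted(self.hosts - {origin}):
            if not self.is_blocked(host, sha256):
                self.blocklist[host].add(sha256)
                actions.append(f"{host}: added {sha256[:12]} to blocklist")
        return actions


def demo():
    """Constructed scenario: laptop-01 is caught by three sources and isolated;
    the hash it ran is then blocked on server-02 before it can execute."""
    fleet = Fleet(hosts={"laptop-01", "server-02", "mobile-03"})
    events = [
        Event("laptop-01", "bad_reputation", BADFILE_SHA256),    # score 20: hint only
        Event("laptop-01", "runtime_behavior", BADFILE_SHA256),  # score 70: below threshold
        Event("laptop-01", "outbound_c2"),                       # score 120, 3 sources: respond
        Event("server-02", "runtime_behavior", BADFILE_SHA256),  # hash already on blocklist
    ]
    log: List[str] = []
    for ev in events:
        log += fleet.ingest(ev)
    return fleet, log


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

Running the script prints the isolation of laptop-01, the two blocklist pushes, and server-02 stopping the same hash pre-execution. The two-source rule is the part worth keeping in a real design: a gateway C&C alert or a HIPS event alone should raise a ticket, but automatic network isolation is a disruptive action and should need corroboration from a second, independent sensor.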

Summary

• Simple, effective protection

• SophosLabs does the work, so customers don’t have to

• Ongoing innovation – here comes next gen endpoint security

© Sophos Ltd. All rights reserved.