Fight new threats with Sophos's complete, innovative and synchronized security system

Walter Narisoni, Sales Engineers Manager

Sophos History: Evolution to complete security

• 1985: Founded in Abingdon (Oxford), UK, by Peter Lammer and Jan Hruska
• 1988: First checksum-based antivirus software
• 1989: First signature-based antivirus software
• 1996: US presence established in Boston
• Voted best small/medium sized company in UK
• 2003: Acquired ActiveState
• 2008: Acquired Utimaco Safeware AG
• 2011: Acquired Astaro
• 2012: Acquired DIALOGS
• 2013: Divested non-core Cyber business
• 2014: Acquired Cyberoam; acquired Mojave Networks
• 2015: IPO on the London Stock Exchange; launched Synchronized Security with Security Heartbeat; acquired Surfright; acquired Reflexion
• 2016: Acquired Barricade
• 2017: Acquired Invincea; acquired PhishThreat

Synchronized Security

Sophos Central
• Cloud Intelligence: Analytics | Analyze data across all of Sophos’ products to create simple, actionable insights and automatic resolutions
• Sophos Labs | 24x7x365, multi-continent operation | URL Database | Malware Identities | File Look-up | Genotypes | Reputation | Behavioural Rules | APT Rules | Apps | Anti-Spam | Data Control | SophosID | Patches | Vulnerabilities | Sandboxing | API Everywhere
• Management: Admin | Self Service | Partner | Manage All Sophos Products | User Customizable Alerts | Management of Customer Installations
• Products: Endpoint/Next-Gen Endpoint, Mobile, Server, Encryption, UTM/Next-Gen Firewall, Wireless, Email, Web
• Deployment: In Cloud or On Prem

Lateral Movement Detection and Prevention

Diagram: Internet, XG Firewall, Endpoints and Servers, linked by Security Heartbeat™.

Scenarios shown:
• Credential theft attempt detected by Intercept X
• Detection and isolation
• Detection and isolation: destination-based rules
• Detection and isolation: endpoint stonewalling
• Detection and isolation: wireless heartbeat

Synchronized App Control

Security Heartbeat™ Synchronized App Control. Works with: • Intercept X v2 EAP0 • CEA (soon) • Both Windows & Mac (soon)

Diagram: Internet, XG Firewall, Sophos Endpoints.

1. Unknown Application: XG Firewall sees app traffic that does not match a signature.
2. Endpoint Shares App Info: Sophos Endpoint passes the app name, path and even category to XG Firewall for classification.
3. Application is Classified & Controlled: automatically categorize and control where possible, or the admin can manually set the category or policy to apply.

Introducing

Intercepting Exploits: Vulnerabilities vs Exploits vs Exploit Techniques

Chart (total count over time):
• Vulnerabilities: 1,000s/yr, addressed by patching
• Public exploits: 100s/yr, addressed by prior knowledge of public attacks (signatures / behaviors)
• Exploit techniques: 10s

Introducing Sophos Intercept X

Problems addressed: Advanced Malware, Zero Day Exploits, Limited Visibility.

Anti-Exploit: Prevent Exploit Techniques
• Signatureless Exploit Prevention
• Protects Patient-Zero / Zero-Day
• Blocks Memory-Resident Attacks
• Tiny Footprint & Low False Positives
No User/Performance Impact; No File Scanning; No Signatures

Root-Cause Analysis: Automated Incident Response
• IT Friendly Incident Response
• Process Threat Chain Visualization
• Prescriptive Remediation Guidance
• Advanced Malware Clean
Faster Incident Response; Root-Cause Visualization; Forensic Strength Clean

Anti-Ransomware: Detect Next-Gen Threats
• Stops Malicious Encryption
• Behavior Based Conviction
• Automatically Reverts Affected Files
• Identifies source of Attack
Prevent Ransomware Attacks; Roll-Back Changes

Example Code Execution Flow

time

01101101 01110010 00101110 00100000 01110010 01101111 01100010 01101111 01110100 00100000 01110111 01100001 01110011 00100000 01101000 01100101 01110010 01100101

System DLL

User Space

Kernel

Processor

System call API call

01101101 01110010 00101110 00100000 01110010 01101111 01100010 01101111 01110100 00100000 01110111 01100001 01110011 00100000 01101000 01100101 01110010 01100101

time

User Space

System DLL

Kernel

Processor

Check File on Disk (signature check) when Process is created No attention to machine code that called CreateProcess

System call (e.g. CreateProcess) API call

On Execute File Scanning Antivirus

01101101 01110010 00101110 00100000 01110010 01101111 01100010 01101111 01110100 00100000 01110111 01100001 01110011 00100000 01101000 01100101 01110010 01100101

System DLL

User Space

Kernel

Processor

API call

time Software Stack and Hardware-traced Branch Analysis (manipulation resistant) Leverages and repurposes a previously unused feature in mainstream Intel® processors

System call

Branch-based ROP Mitigations (Hardware Augmented) Sophos Intercept X

Intercepting Exploit Techniques (Overview)

• Stack Pivot: Stops abuse of the stack pointer
• Stack Exec: Stops attacker’s code on the stack
• Stack-based ROP Mitigations: Stops standard Return-Oriented Programming attacks
• Branch-based ROP Mitigations (Hardware Augmented): Stops advanced Return-Oriented Programming attacks
• Import Address Table Filtering (IAF) (Hardware Augmented): Stops attackers that look up API addresses in the IAT
• SEHOP: Protects against overwriting of the structured exception handler
• Load Library: Prevents loading of libraries from UNC paths
• Reflective DLL Injection: Prevents loading of a library from memory into a host process
• Shellcode: Stops code execution in the presence of exploit shellcode
• VBScript God Mode: Prevents abuse of VBScript in IE to execute malicious code
• WoW64: Stops attacks that address 64-bit functions from a WoW64 (32-bit) process
• Syscall: Stops attackers that attempt to bypass security hooks
• Enforce Data Execution Prevention (DEP): Prevents abuse of buffer overflows
• Mandatory Address Space Layout Randomization (ASLR): Prevents predictable code locations
• Bottom Up ASLR: Improved code location randomization
• Null Page (Null Dereference Protection): Stops exploits that jump via page 0
• Heap Spray Allocation: Pre-allocates common memory areas to block example attacks
• Dynamic Heap Spray: Stops attacks that spray suspicious sequences on the heap
• VTable Hijacking: Helps to stop attacks that exploit virtual tables in Adobe Flash Player
• Hollow Process: Stops attacks that use legitimate processes to hide hostile code
• DLL Hijacking: Gives priority to system libraries for downloaded applications
• Application Lockdown: Stops logic-flaw attacks that bypass mitigations
• Java Lockdown: Prevents attacks that abuse Java to launch Windows executables
• AppLocker Bypass: Prevents regsvr32 from running remote scripts and code

Intercepting Ransomware

Monitor File Access
• If files are opened for write, copies are created (just before ransomware encrypts)

Attack Detected
• Malicious process is stopped and we investigate the process history

Rollback Initiated
• Original files restored
• Malicious files removed

Forensic Visibility
• User message
• Admin alert
• Root cause analysis details available

Root Cause Analytics: Understanding the Who, What, When, Where, Why and How
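As an added illustration of the monitor, detect and roll back flow above (not Sophos code and not how Intercept X is implemented), the following Python snapshots a file just before a process first writes it, convicts the process once several files are rewritten with near-random content, stops it and restores the snapshots; the entropy threshold, the conviction count and the in-memory files are constructed for the demo.

```python
# Added example (not Sophos code): copy-before-write snapshots, behaviour-based
# conviction and rollback, following the slide's Monitor -> Detect -> Rollback flow.
import math
from collections import Counter, defaultdict

ENTROPY_THRESHOLD = 7.0  # bits/byte; encrypted data sits near 8.0, English text near 4.5
CONVICT_AFTER = 3        # high-entropy rewrites by one process before it is convicted


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the written bytes, in bits per byte (0.0 for empty data)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


class RollbackMonitor:
    def __init__(self):
        self.snapshots = {}                 # (pid, path) -> bytes before first write
        self.suspicious = defaultdict(set)  # pid -> paths rewritten with high entropy
        self.convicted = set()              # pids that have been stopped

    def on_write(self, files: dict, pid: int, path: str, data: bytes) -> bool:
        """Apply a write to the in-memory file system; return True if it convicts pid."""
        if pid in self.convicted:
            return False                    # stopped process: the write is dropped
        self.snapshots.setdefault((pid, path), files.get(path))  # copy before write
        files[path] = data
        if shannon_entropy(data) >= ENTROPY_THRESHOLD:
            self.suspicious[pid].add(path)
        if len(self.suspicious[pid]) < CONVICT_AFTER:
            return False
        self.convicted.add(pid)             # "malicious process is stopped"
        self.rollback(files, pid)
        return True

    def rollback(self, files: dict, pid: int) -> None:
        """Restore every file the convicted pid overwrote; files it created are removed."""
        for (p, path), original in self.snapshots.items():
            if p == pid:
                if original is None:
                    files.pop(path, None)
                else:
                    files[path] = original


def demo() -> tuple:
    """Constructed scenario: pid 7 edits one document normally, pid 99 encrypts everything."""
    files = {f"doc{i}.txt": f"quarterly report {i} ".encode() * 10 for i in range(4)}
    mon = RollbackMonitor()
    mon.on_write(files, 7, "doc0.txt", b"quarterly report 0, revised " * 10)
    hits = [mon.on_write(files, 99, p, bytes(range(256)) * 2) for p in sorted(files)]
    return hits, files, mon.convicted
```

In the demo the legitimate edit by pid 7 survives the rollback because snapshots are kept per process, while the three files overwritten by pid 99 are restored and its fourth write is dropped.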

Complete Next-Gen Endpoint Protection

Threat categories covered: Script-based Malware, Malicious URLs, Phishing Attacks, Removable Media, .exe Malware, Non-.exe Malware, Unauthorized Apps, Exploits.

• Via Invincea, pre-execution malware prevention that is highly scalable, fast, and effective, especially against zero-day threats. Invincea’s pioneering ML technology delivers high detection rates and very low FP rates, which is unique.
• Effective for run-time prevention of exploit-based malware such as ransomware. Sophos Intercept X delivers highly effective next-gen exploit prevention capabilities.
• Heuristic detections based on the behaviors of execution to stop evasive malware before damage occurs.
• Knowing the source/reputation of a file, URL, email, etc. can prevent an attack before it happens. Includes technologies such as MTD, download reputation, URL filtering, secure email gateway, etc.
• For server or locked-down endpoint environments, app control prevents unknown / unwanted apps from running.
• The only effective defense against in-memory malware.
• The only effective way to set policy to ensure removable media cannot put an organization at risk.
• Provides reliable detection of script, document, and macro malware, and an efficient first line of defense against known executable variants.

Synchronized Security (managed from Sophos Central; the diagram shows .doc, .xls and .pdf files)

Early Access Program (GA Q4 2017)

Part I - Active Adversary
• Credential theft protection
• New process protection techniques
  - Code cave utilization
  - Malicious process migration
  - Process privilege escalation
  - APC protection (Atom bombing)
• New registry protections
  - Sticky key protection
  - Application verifier protection
• Improved process lockdown
  - Browser behaviour lockdown
  - HTA application lockdown

Part II - Deep Learning
• Deep Learning Model
  - Detect malicious and potentially unwanted executables
• False positive mitigations
  - Whitelisting
• Directed Clean-up
  - Quarantine and restore capability

Documents
• Active Adversary Mitigations
• Deep Learning explained
• Intercept X Features explained

Videos
• Demonstrations of product in action

Milestones: July, September

Synchronized Encryption

Diagram: the same Sophos Central architecture as shown under Synchronized Security above (Cloud Intelligence, Sophos Labs, management, and the Endpoint/Next-Gen Endpoint, Mobile, Server, Encryption, UTM/Next-Gen Firewall, Wireless, Email and Web products, In Cloud or On Prem), with Encryption synchronized with the other products.