Cybersecurity & Security as a Service Trends. SteakOut, August 1, 2017

Transcription

1 Cybersecurity & Security as a Service Trends SteakOut, August 1, 2017

2 AGENDA Speaker Intros Top Cybersecurity Trends Security as a Service Trends Anti-Ransomware Solutions

3 MARK DALLMEIER CSO/CMO, Terra Verde Senior Executive, Entrepreneur Board Advisor, Consultant to Cybersecurity & Tech Companies Management Consultant to Start Up & Fortune 50 Companies: HP Hitachi Verizon Business DELL Century Link XO ABOUT TERRA VERDE Founded in 2008 by Cyber Security, Risk, Compliance Executives & Experts Headquartered in Phoenix Arizona Security, Risk, Compliance Consulting One of the Largest PCI QSA in Arizona Hundreds of Engagements Performed Across Multiple Continents Annually Invested Millions of Dollars, Thousands of Hours Developing TruSOC and Breach Radar - Managed Security Services TruSOC utilized by customers across the U.S.

4 Cybersecurity & Security as a Service Trends

5 You are a target: Its not paranoia - they really are Out to Get You! Criminals are organized, focused: Targeting businesses & individuals. It takes more than technology: People and Process (Gaps) create vulnerabilities.

6 DarkReading.com: : No one is safe.

7 March 2017 / Your Data = $: They want your data no really, they really want your data.

8 June 2017 / Your Data = $: They want your data no really, they really want your data.

9 August 2017 / Your Data = $: They want your data no really, they really want your data.

10 Top Data Types Stolen 2016 (

11 1.6 points 54 points 8.6 points -20 points points Top Data Types Stolen June 2017 (

12 12.5 points 47 Point - 1,663,844 records in 40 Days 6.2 points -19 points points 600,000 records Top Data Types Stolen August 2017 (

13

14 Attack Trend 1: Ransomware - $1.8B+ (2016)

15 Ransomware Exploit Family Growth 2017

16 Ransomware 2017 Weaponized with NSA Tools

17 WannaCry 2.0 / EternalRocks When downloaded the tool downloads TOR browser and sends a signal to the tools server. Response delay set to 24 hours. It does not contain an attack command at this time however, leaves backdoor open for remote execution at any time. Renames itself to WannaCry once the callback is complete. Does not contain the KillSwitch that WannaCry does. Utilized 7 NSA Leaked Tools EternalBlue SMBv1 exploit tool EternalRomance SMBv1 exploit tool EternalChampion SMBv2 exploit tool EternalSynergy SMBv3 exploit tool SMBTouch SMB reconnaissance tool ArchTouch SMB reconnaissance tool DoublePulsar Backdoor Trojan

18 A large international company based in Asia Didn t know which of its devices and servers the hack had impacted, or even whether a hack had definitively occurred. Just a lot of weird stuff on their networks The company was already using security products like firewalls, network filters, and scanners, but none had detected an intrusion. After blocking the attackers from the network, they would resurge anywhere from 48 hours to four weeks later. In all, the attackers used over 70 different pieces of malware to carry out the various phases of the long-term attack.

19

20 Attack Trend 2: Business Compromise - $3B+ (2016)

21 Business Compromise Average Payout $140K

22 Attack Trend 3: Business Process Compromise - $3B+

23 Business Process Compromise Flow (Ave Payout - $1M+)

24 Business Trend 1: Compliance Investment, Enforcement

25 PCI DSS Compliance Average Fine: $5K-$50K+

26 HIPAA Compliance Average Fine: $1M+

27 Heath Record Data Breach Fine 2017: $115M

28 Consumer Financial Protection Bureau (CFPB) & Federal Trade Commission (FTC) Consumer Protection Average Fine & Penalty: $49M+

29 Telco MSPs Next Generation Security as a Service VARs Consulting Security as a Service Market Trend: Convergence

30 Market Trend: Telcos, IaaS, MSPs Entering The Market

31 Market Trend: Consolidation to Expand Services

32 Compliance PCI, HIPAA, SOX NIST, NERC-CIP COMBO Assessment Audit Pen Testing Vuln Scanning Prevention Social Engineering Risk Assessment Cyber Next Generation Security as a Service Ops SIEM IDS/IPS GRC Incident Response Detection Forensics Monitoring SIC vs SOC Threat Integration Big Data Analytics Risk Modeling Dark Web R/D R&D Market Trend: Security & GRC as a Service ( )

33 Top 10 Proactive Measures

34 Note: Utilize a maturity scale to identify what next steps are required to evolve your cybersecurity and compliance programs and your security defense posture, systems, tools, procedures. Cybersecurity Program development best practices resources and webinar can be found here: 1: Know Your Maturity Level & Define Future State

35 A. People B. Passwords C. Patching D. Backups 2-7: Deploy a Holistic Cyber-Hygiene Program

36 C Level Awareness Discussions Cyber Insurance Liability, Exposure Risk Management Process Disaster Recovery, Business Continuity 2016 SANS Cyber Insurance Survey Employee Awareness Campaigns Cyber-Hero & Cyber Squads: Internal Advocates. Cyber Minute: Ongoing Awareness. Cyber-Hygiene 101 Tips. SETA / LMS 8: Awareness Upstream & Downstream

37 9: Map Out & Align with Critical Security Controls

38 Research resources, partners. (ISACA, ISSA, ISC2, CSA) Utilize available tools, partners, resources. (MS-ISAC) Subscribe to cyber intelligence resources, feeds. (Infragard.org, ACTRA) Participate in various cybersecurity industry associations and events. Find a trusted partner(s) & subject matter expert(s). Review, assess, rank, prioritize partners and vendors by ability to assist with planning, response. 10: Find Strategic Partners

39 Top 10 Measures 1. Cybersecurity & Compliance Gap Analysis (Current State) 2. Cyber-Hygiene Program (People, Passwords, Patching) 3. Ongoing Discovery (What is, should not be on network) 4. Modernize BCDR Plans (Ransomware, Social Engineering) 5. Data Back Ups (Off network) & Encryption (At Rest In Flight) 6. Update Tech & End Point Protection (+ Usage Policies) 7. Ongoing Risk, Cyber, Compliance Assessments (Program) 8. Security Education Training & Awareness 9. Evaluate Managed Security Operations & Compliance Services Partners (Making Investments in Next Gen Tech) 10. Identify Strategic Partners (Pre-Post Planning, Response)

40 Next Generation Anti-Ransomware Technology Dave Fore, Territory Account Executive: Sophos

41 DAVE FORE Territory Account Executive, Sophos Business Builder Customer & Executive Advocate Sophos Lenovo IBM University of Georgia ABOUT SOPHOS Sophos began producing antivirus and encryption products nearly 30 years ago. Today our products help secure the networks used by 100 million people in 150 countries and 100,000 businesses, including Pixar, Under Armour, Northrop Grumman, Xerox, Ford, Avis, and Toshiba.

42 Security & Program Evolution Imperative Attacks from within the perimeter: focused on Human & Software Exploits Ransomware reaching $1.8B in damages Lack of Threat Intelligence after a Breach

43 Advanced Malware Evolving Zero Day Exploits Accelerating Limited Visibility Continuing

44

45 The Evolution of Endpoint Threats From Malware to Exploits Melissa Virus Love Letter Worm FinFischer Spyware Exploit as a Service Locky Ransomware $1.2B $15B $780M $2.3B $800M $500M $1.1B TRADITIONAL MALWARE ADVANCED THREATS 45

46 The Evolution of Sophos Endpoint Security From Anti-Malware to Anti-Exploit to Next-Generation Exposure Prevention Pre-Exec Analytics File- Scanning Run-Time Exploit Detection URL Blocking Web Scripts Download Rep Generic Matching Heuristics Core Rules Signatures Known Malware Malware Bits Signatureless Behavior Analytics Runtime Behavior Technique Identification TRADITIONAL MALWARE ADVANCED THREATS

47 } Where Malware Gets Stopped Note: Each Model Standalone is 80-95% Effective This 5% is the SCARY stuff 80% 10% 5% 3% 2% Exposure Prevention Pre-Exec Analytics Signatures Run-Time Exploit Detection URL Blocking Web Scripts Download Rep Generic Matching Heuristics Core Rules Known Malware Malware Bits Signatureless Behavior Analytics Technique Identification Traditional Malware Advanced Threats

48 ! MALICIOUS URLS UNAUTHORIZED APPS REMOVABLE MEDIA EXECUTABLE FILES MS FILES & PDF RANSOMWARE PREVENTION EXPLOIT PREVENTION ADVANCED CLEAN INCIDENT RESPONSE 90% OFDATA BREACHES ARE FROM EXPLOITS KITS 90% OF EXPLOIT KITS ARE BUILT FROM KNOWN VULNERABILITIES AND YET MORE THAN 60% OF IT STAFF LACK INCIDENT RESPONSE SKILLS BEFORE IT REACHES DEVICE PREVENT BEFORE IT RUNS ON DEVICE DETECT RESPOND SOPHOS NEXT GENERATION ENDPOINT DETECTION AND RESPONSE

49

50 Introducing Sophos Intercept X Anti-Ransomware Anti-Exploit Root-Cause Analysis Detect Next-Gen Threats Stops Malicious Encryption Behavior-based Conviction Automatically Reverts Affected Files Identifies source of Attack Prevent Exploit Techniques Signatureless Exploit Prevention Protects Patient-Zero / Zero-Day Blocks Memory-Resident Attacks Tiny Footprint & Low False Positives Automated Incident Response IT-friendly Incident Response Process Threat Chain Visualization Prescriptive Remediation Guidance Advanced Malware Clean ADVANCED MALWARE ZERO DAY EXPLOITS LIMITED VISIBILITY Prevent Ransomware Attacks Roll-Back Changes Attack Chain Analysis No User/Performance Impact No File Scanning No Signatures Faster Incident Response Root-Cause Visualization Forensic Strength Clean

51 Anatomy of a Ransomware Attack Exploit Kit or Spam with Infection CryptoGuard Command & Control Established Simple and Comprehensive Universally Prevents Spontaneous Encryption of Data Restores Files to Known State Simple Activation in Sophos Central Local Files are Encrypted CRYPTOGUARD Ransomware deleted, Ransom Instructions delivered

52 Updated EndUser Agent UI Updated Admin UI NEW Anti-Exploit Attack Prevention Provides advanced exploit protection by focusing on common techniques used by attackers Protects applications against zero-day exploits, malicious traffic, and process breaches

53 Security 6,787 new vulnerabilities in % increase from 2014 (Source: Gartner) Why Is It So Challenging to Address New Threats? 193 Days on average to fix vulnerabilities after discovery (Source: WhiteHat Security) IT Ops 90% of breaches are from known vulnerabilities (Source: Forrester)

54 Enforce Data Execution Prevention (DEP) Prevents exploit code running from data memory Mandatory Address Space Layout Randomization (ASLR) Prevents predictable code locations Bottom Up ASLR Improves code location randomization Null Page Prevents exploits that jump via page 0 Anti-HeapSpraying Pre-allocates common memory areas to block standard attacks Dynamic Heap Spray Stops attacks that spray suspicious sequences on the heap Import Address Table Filtering (IAF) Stops attackers that lookup API addresses in the IAT VTable Hijacking Helps to stop attacks that exploit virtual tables in Adobe Flash Stack Pivot Stops abuse of the stack pointer Stack Exec Stops attacker code on the stack SEHOP Stops abuse of the structured exception handler Stack-based ROP gadget detection Stops standard Return-Oriented Programming attacks Control-Flow Integrity (CFI) assisted by hardware Stops advanced Return-Oriented Programming attacks Syscall Stops attackers that attempt to bypass security hooks WOW64 Stops attacks that address a 64-bit function from Wow64 Load Library Blocks libraries that load reflectively or from UNC paths Shellcode Stops code execution in the presence of exploit shellcode VBScript God Mode Prevents abuse of VBScript in IE to execute malicious code Block Untrusted Fonts (Windows 10 only) Stops elevation of privilege (EOP) attacks via untrusted fonts Application Lockdown Stops logic-flaw attacks that bypass mitigations Process Protection Stops attacks that perform process hijacking or replacement Network Lockdown Helps to stop attacks that connect back to C&C

55 Root Cause Analysis Understanding the Who, What, When, Where, Why and How 55

56 Sophos Clean Advanced Malware Removal. Second opinion scan. Removes Threats Deep System Inspection Removes Malware Remnants Full Quarantine / Removal Effective Breach Remediation On-Demand Assessment Identifies Risky Files / Processes Constantly Refreshed Database Provides Additional Confidence Command-Line Capable 100% Automated with Intercept X Also available as a standalone Forensic Clean Utility

57 Sophos Intercept X Two Ways to Play The Ultimate Bundle Central Endpoint Advanced Add-On Product Ultimate Promo Bundle Contact re: Discount Upgrades the Endpoint to a Single Agent Existing AV? Better Together Compliments and enhances traditional AV Adds Levels of Protection currently lacking Provides a Forensic-Level Clean Purpose built to compliment and enhance traditional endpoint solutions Security focused on exploit techniques, not merely the tools used Designed for the IT Generalist. Powerful enough for the Info-Sec Professional

58 Machine Learning

59 Next-Gen Endpoint Higher Detection Rates Lower False Positives Best in Class Performance Trained on 100+ Million Samples Orders of Magnitude Better Accuracy in Decision Making

60 Innovation Continues Early Access Program Starts July 27 Credential Theft Protection Deep Machine Learning Stops Techniques that Harvest User Credentials Improved Process Protection The NEXT in Next-Gen Endpoint Technology Disk and Boot Record Protection Detect and Stop Bad Actors from Attacking Stops Advanced Attacks that attempt to Lock a device pre-os

61 THANK YOU! ASK ABOUT A DEMO & COMPLIMENTRY EXTERNAL VULNERABILITY SCAN!