Sustainable Security & Compliance Solutions
Agenda: Ransomware Realities & Trends; Top Data Types Impacted; Top 10 Proactive Measures; Sophos Next-Gen Technologies; TopGolf!
Core Team: experienced cyber, compliance and executive team; consultants to SMB and F500; transformation and change-management expertise; 67+ industry certifications.
Industries Served (chart).
Security Operations Center Expertise: 6,000+ SIEM services hours delivered; 300+ SIEM services customers; 60+ MSSP customers; 500+ SIEM platform training customers; enabling and building national service-provider cyber practices and MSSP offerings.
Ongoing Investments: building the channel ecosystem; expanding the MSSP portfolio; developing and commercializing IP.
It's not paranoia if they really are out to get you. There are no silver bullets. Change is difficult. People and process gaps create vulnerabilities.
http://breachlevelindex.com/
Security & Program Evolution Imperative: attacks from within the perimeter, focused on human and software exploits; ransomware reaching $1.2B in damages; lack of threat intelligence after a breach.
Source: 2016 Trend Micro, The Reign of Ransomware report.
Advanced malware evolving; zero-day exploits accelerating; limited visibility continuing.
RaaS (ransomware-as-a-service) is now pervasive. (Source: 2016 Trend Micro, The Reign of Ransomware report)
Source: 2017 Trend Micro report.
https://oag.ca.gov/sites/all/files/agweb/pdfs/dbr/2016-data-breach-report.pdf?
Note: Use a maturity scale to identify the next steps required to evolve your cybersecurity and compliance programs and your security defense posture, systems, tools and procedures. Cybersecurity program development best-practice resources and webinar: https://www.knowledgenet.com/cybersecurity-program-development-best-practices/
Source: Wikipedia, the free encyclopedia. Note: Cyber-hygiene best-practice resources and webinar: https://www.knowledgenet.com/cyberhygiene-best-practices/
Secure and maintain awareness and support among C-levels. CXO discussion topics: cyber insurance (liability, exposure); risk management process; disaster recovery and business continuity (see the 2016 SANS Cyber Insurance Survey). Develop and implement awareness campaigns: Cyber-Heroes and Cyber Squads as internal advocates; the Cyber Minute for ongoing awareness.
Research resources and partners (ISACA, ISSA, (ISC)2, CSA). Use available tools, partners and resources (MS-ISAC). Subscribe to cyber intelligence resources and feeds (InfraGard.org, ACTRA). Participate in cybersecurity industry associations and events. Find trusted partner(s) and subject matter expert(s). Review, assess, rank and prioritize partners and vendors by their ability to assist with planning and response.
Top 10 Proactive Measures:
1. Cyber-hygiene program (people, passwords, patching)
2. Ongoing discovery (what is, should be, and should not be on the network)
3. Update the business continuity and disaster recovery plan
4. Data backups (off network)
5. Data encryption (at rest and in flight)
6. Update endpoint protection (don't rely on technology alone)
7. Risk, cyber and compliance assessments (deploy a program)
8. Security education, training and awareness (with phishing simulations)
9. Security Operations Center and 24x7 monitoring (deploy a program)
10. Strategic partners (pre-planning, post-planning and response)
11. Bonus: make ongoing investments (next-gen tech)
Note: Best practices and webinars on these topics: https://www.terraverdeservices.com/resources/
Dave Fore, Account Executive Dave.Fore@sophos.com www.sophos.com/central
The Evolution of Endpoint Threats: From Malware to Exploits (timeline slide, traditional malware to advanced threats)
Years on the timeline: 1998, 1999, 2003, 2007, 2014, 2015, 2016
Named threats, in slide order: Melissa virus, Love Letter worm, FinFisher spyware, Exploit-as-a-Service, Locky ransomware
Estimated damages, in slide order: $1.2B, $15B, $780M, $2.3B, $800M, $500M, $1.1B
The Evolution of Sophos Endpoint Security: From Anti-Malware to Anti-Exploit to Next-Generation (layers run from traditional malware to advanced threats)
Exposure Prevention: URL blocking, web scripts, download reputation
Pre-Exec Analytics: generic matching, heuristics, core rules
File Scanning / Signatures: known malware, malware bits
Run-Time Exploit Detection: signatureless behavior analytics, runtime behavior, technique identification
Where Malware Gets Stopped (same layers: exposure prevention, pre-exec analytics, signatures, run-time exploit detection). Percentages shown in slide order: 80%, 10%, 5%, 3%, 2%. Note: each model standalone is 80-95% effective; the slide flags the remaining 5% (advanced threats) as the scary stuff.
Sophos Next-Generation Endpoint Detection and Response. Stages: prevent before it reaches the device; prevent before it runs on the device; detect; respond. Controls shown: malicious URLs, unauthorized apps, removable media, executable files, MS Office files and PDFs, ransomware prevention, exploit prevention, advanced clean, incident response. Slide claims: 90% of data breaches are from exploit kits; 90% of exploit kits are built from known vulnerabilities; and yet more than 60% of IT staff lack incident response skills.
Introducing Sophos Intercept X
Anti-Ransomware (addresses advanced malware): detects next-gen threats; stops malicious encryption; behavior-based conviction; automatically reverts affected files; identifies the source of the attack. In short: prevent ransomware attacks, roll back changes, attack chain analysis.
Anti-Exploit (addresses zero-day exploits): prevents exploit techniques; signatureless exploit prevention; protects patient zero / zero-day; blocks memory-resident attacks; tiny footprint and low false positives. In short: no user or performance impact, no file scanning, no signatures.
Root-Cause Analysis (addresses limited visibility): automated incident response; IT-friendly incident response process; threat chain visualization; prescriptive remediation guidance; advanced malware clean. In short: faster incident response, root-cause visualization, forensic-strength clean.
Anatomy of a Ransomware Attack: exploit kit or spam delivers the infection; command and control is established; local files are encrypted; ransomware deleted, ransom instructions delivered. CryptoGuard intervenes at the encryption step: simple and comprehensive; universally prevents spontaneous encryption of data; restores files to a known state; simple activation in Sophos Central.
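The slide describes what CryptoGuard does (stop spontaneous encryption, restore files to a known state) but not how. The script below is an added illustrative example, not Sophos code and not a description of CryptoGuard's internals: it shows the general shape of a behavior-based anti-encryption control, snapshot a guarded file before a write, judge the write afterwards by the jump in Shannon entropy, and roll the file back when the write looks like ciphertext. The entropy thresholds, the minimum file size and the file name are assumptions for the demo, and the "attack" is a constructed overwrite with random bytes standing in for encrypted output.

```python
"""Behavior-based detection of malicious file encryption with rollback.

Illustrative example added to this page; it is NOT Sophos CryptoGuard code. The
entropy-jump heuristic, its thresholds and the sample document are assumptions.
"""
import math
import os
import shutil
import tempfile
from collections import Counter
from dataclasses import dataclass


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: text is roughly 4-5, encrypted or compressed data nears 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


@dataclass
class Verdict:
    path: str
    entropy_before: float
    entropy_after: float
    blocked: bool          # True when the write was judged malicious and rolled back


class WriteGuard:
    """Snapshot a guarded file before a write, judge the write afterwards.

    A write that turns readable content into near-random bytes (an entropy jump of at
    least `entropy_jump` that lands above `high_entropy`) is treated as malicious
    encryption and the pre-write bytes are restored. Files shorter than `min_size` are
    never judged: the entropy of a tiny buffer is bounded by log2(len) and misleads.
    All three thresholds are hypothetical tuning values, not vendor settings.
    """

    def __init__(self, entropy_jump: float = 2.0, high_entropy: float = 7.0,
                 min_size: int = 256) -> None:
        self.entropy_jump = entropy_jump
        self.high_entropy = high_entropy
        self.min_size = min_size
        self._snapshots = {}   # path -> bytes captured before the write

    def before_write(self, path: str) -> None:
        with open(path, "rb") as fh:
            self._snapshots[path] = fh.read()

    def after_write(self, path: str) -> Verdict:
        original = self._snapshots.pop(path)
        with open(path, "rb") as fh:
            current = fh.read()
        before, after = shannon_entropy(original), shannon_entropy(current)
        blocked = (len(current) >= self.min_size
                   and after - before >= self.entropy_jump
                   and after >= self.high_entropy)
        if blocked:
            with open(path, "wb") as fh:   # roll back to the known-good snapshot
                fh.write(original)
        return Verdict(path, before, after, blocked)


def simulate() -> dict:
    """Constructed scenario: a benign user edit, then a ransomware-style overwrite."""
    workdir = tempfile.mkdtemp()
    try:
        doc = os.path.join(workdir, "q3-forecast.txt")   # hypothetical document
        original = b"Quarterly forecast: revenue up 4%, headcount flat.\n" * 20
        with open(doc, "wb") as fh:
            fh.write(original)
        guard = WriteGuard()

        guard.before_write(doc)                      # benign append by the user
        with open(doc, "ab") as fh:
            fh.write(b"Addendum: capex deferred to Q4.\n")
        benign = guard.after_write(doc)

        guard.before_write(doc)                      # attacker overwrites in place
        with open(doc, "wb") as fh:
            fh.write(os.urandom(4096))               # stands in for AES ciphertext
        attack = guard.after_write(doc)

        with open(doc, "rb") as fh:
            recovered = fh.read()
    finally:
        shutil.rmtree(workdir, ignore_errors=True)
    return {
        "benign_blocked": benign.blocked,
        "attack_blocked": attack.blocked,
        "recovered_intact": recovered.startswith(original),
        "entropy_ciphertext": attack.entropy_after,
    }


if __name__ == "__main__":
    print(simulate())
```

A per-file entropy check alone false-positives on legitimate work (a user zipping a folder, an application writing its own encrypted database), which is why shipping products correlate the writing process, the rate of high-entropy writes across many files and the file-type change before convicting, and why they hook writes in a kernel filter driver rather than after the fact as this demo does. The snapshot-then-restore step is the part worth copying: without a pre-write copy there is nothing to roll back to.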
Updated end-user agent UI and admin UI. NEW: Anti-Exploit attack prevention provides advanced exploit protection by focusing on the common techniques used by attackers, and protects applications against zero-day exploits, malicious traffic and process breaches.
Why is it so challenging to address new threats? Security: 6,787 new vulnerabilities in 2015, a 31% increase from 2014 (source: Gartner). 193 days on average to fix vulnerabilities after discovery (source: WhiteHat Security). IT Ops: 80% of breaches are from known vulnerabilities (source: Forrester).
Exploit mitigations (technique: what it stops)
Enforce Data Execution Prevention (DEP): prevents exploit code running from data memory
Mandatory Address Space Layout Randomization (ASLR): prevents predictable code locations
Bottom-Up ASLR: improves code location randomization
Null Page: prevents exploits that jump via page 0
Anti-HeapSpraying: pre-allocates common memory areas to block standard attacks
Dynamic Heap Spray: stops attacks that spray suspicious sequences on the heap
Import Address Table Filtering (IAF): stops attackers that look up API addresses in the IAT
VTable Hijacking: helps stop attacks that exploit virtual tables in Adobe Flash
Stack Pivot: stops abuse of the stack pointer
Stack Exec: stops attacker code on the stack
SEHOP: stops abuse of the structured exception handler
Stack-based ROP gadget detection: stops standard Return-Oriented Programming attacks
Control-Flow Integrity (CFI) assisted by hardware: stops advanced Return-Oriented Programming attacks
Syscall: stops attackers that attempt to bypass security hooks
WOW64: stops attacks that address a 64-bit function from WoW64
Load Library: blocks libraries that load reflectively or from UNC paths
Shellcode: stops code execution in the presence of exploit shellcode
VBScript God Mode: prevents abuse of VBScript in IE to execute malicious code
Block Untrusted Fonts (Windows 10 only): stops elevation-of-privilege (EoP) attacks via untrusted fonts
Application Lockdown: stops logic-flaw attacks that bypass mitigations
Process Protection: stops attacks that perform process hijacking or replacement
Network Lockdown: helps stop attacks that connect back to C&C
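Several rows in that list (DEP, Mandatory ASLR, the 64-bit ASLR entropy behind Bottom-Up ASLR, and Control Flow Guard as one form of CFI) enforce protections that Windows otherwise applies only to images that opted in at link time through the DllCharacteristics bits of the PE optional header; "mandatory" ASLR is exactly the act of relocating images that lack DYNAMIC_BASE. Before buying an enforcement product it is useful to know which binaries on an endpoint are the laggards. The script below is an added example, not code from Sophos or from this page: it parses a PE header with nothing but the standard library and reports the opt-in bits. The flag values are from the Microsoft PE/COFF specification; the sample image is a constructed, header-only stub from build_minimal_pe() that cannot be executed, and the report covers only link-time opt-ins (runtime checks such as SEHOP, heap-spray and ROP detection are not visible in a header).

```python
"""Report which link-time mitigations a Windows PE image opted into.

Added example for this page, not Sophos code. Flag values follow the Microsoft PE/COFF
specification; the sample image is a constructed header-only stub (build_minimal_pe).
"""
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* bits in the optional header (name -> bit)
MITIGATION_FLAGS = {
    "DEP (NX_COMPAT)": 0x0100,
    "ASLR (DYNAMIC_BASE)": 0x0040,
    "64-bit ASLR entropy (HIGH_ENTROPY_VA)": 0x0020,
    "Control Flow Guard (GUARD_CF)": 0x4000,
    "No SEH (NO_SEH)": 0x0400,
    "Code integrity required (FORCE_INTEGRITY)": 0x0080,
    "AppContainer (APPCONTAINER)": 0x1000,
}


def parse_dll_characteristics(image: bytes) -> int:
    """Return the 16-bit DllCharacteristics field, validating the headers on the way."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER (20 bytes)
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20                                      # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):                      # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if opt_size < 72:
        raise ValueError("optional header truncated before DllCharacteristics")
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ layouts
    (dll_characteristics,) = struct.unpack_from("<H", image, opt + 70)
    return dll_characteristics


def mitigation_report(image: bytes) -> dict:
    """Map each mitigation name to whether the image opted in."""
    flags = parse_dll_characteristics(image)
    return {name: bool(flags & bit) for name, bit in MITIGATION_FLAGS.items()}


def missing_mitigations(image: bytes) -> list:
    """Mitigations the image did NOT opt into: candidates for mandatory enforcement."""
    return [name for name, enabled in mitigation_report(image).items() if not enabled]


def build_minimal_pe(dll_characteristics: int, pe32plus: bool = True) -> bytes:
    """Constructed header-only image for offline demonstration; it is not loadable."""
    e_lfanew = 0x40                                      # PE header right after the DOS header
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH",
                       0x8664 if pe32plus else 0x14C,    # Machine: x64 or i386
                       0, 0, 0, 0,                       # sections, timestamp, symbols
                       opt_size, 0x0002)                 # SizeOfOptionalHeader, EXECUTABLE_IMAGE
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)   # Magic
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    if len(sys.argv) > 1:             # inventory a real binary: python pe_mitigations.py app.exe
        with open(sys.argv[1], "rb") as fh:
            image = fh.read()
    else:                             # constructed legacy 32-bit image with nothing enabled
        image = build_minimal_pe(0, pe32plus=False)
    for name, enabled in mitigation_report(image).items():
        print("%-45s %s" % (name, "yes" if enabled else "NO"))
```

Run it over every executable and DLL in a line-of-business application's install directory; anything listed under missing_mitigations() is what a mandatory-ASLR or DEP policy would have to force, and a vendor binary still lacking DYNAMIC_BASE is the classic reason an in-house application breaks when mandatory ASLR is switched on, so test those first.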
Root Cause Analysis: understanding the who, what, when, where, why and how.
Sophos Clean: advanced malware removal and second-opinion scan. Removes threats: deep system inspection, removes malware remnants, full quarantine/removal, effective breach remediation. On-demand assessment: identifies risky files and processes, constantly refreshed database, provides additional confidence, command-line capable. 100% automated with Intercept X; also available as a standalone forensic clean utility.
Sophos Intercept X, Two Ways to Play. The Ultimate Bundle: Central Endpoint Advanced add-on product; Ultimate promo bundle (contact re: discount); upgrades the endpoint to a single agent. Existing AV? Better together: complements and enhances traditional AV; adds levels of protection currently lacking; provides a forensic-level clean. Purpose-built to complement and enhance traditional endpoint solutions; security focused on exploit techniques, not merely the tools used; designed for the IT generalist, powerful enough for the infosec professional.
Sustainable Security & Compliance Solutions. Contact us for a private demo!
TopGolf!
Sources:
http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-recap-january-1-13-2017
http://www.securitymagazine.com/articles/86787-ransomware-attacks-to-grow-in-2016
http://www.trendmicro.com/vinfo/us/security/research-and-analysis/predictions/2017
http://www.computerweekly.com/news/450410530/ransomware-expected-to-dominate-in-2017
https://www.theguardian.com/technology/2016/aug/03/ransomware-threat-on-the-rise-as-40-of-businesses-attacked
https://digitalguardian.com/blog/ransomware-protection-attacks
https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx
https://www.secureworldexpo.com/new-q3-kaspersky-report-shows-cyber-criminals-are-getting-smarter
https://www.secureworldexpo.com/russian-bank-cyberheists-are-spreading-worldwide
http://www.csoonline.com/article/3134029/security/frightening-technology-trends-to-worry-about.html#slide1
http://www.infosecurity-magazine.com/news/ransomware-mobile-botnets-and-ek/
http://www.infosecurity-magazine.com/news/autorooting-overlay-malware-are/
http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-recap-oct-21-2016
http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
http://www.idtheftcenter.org/itrc-surveys-studies/2015databreaches.html
http://breachlevelindex.com/
http://www.mcafee.com/us/resources/reports/rp-hidden-data-economy.pdf
https://oag.ca.gov/sites/all/files/agweb/pdfs/dbr/2016-data-breach-report.pdf
https://community.sophos.com/kb/en-us/124679
https://community.sophos.com/kb/en-us/120797
https://heimdalsecurity.com/blog/what-is-ransomware-protection/
https://www.corero.com/blog/759-the-links-between-ransom-ransomware-and-ddos-attacks.html
http://www.idigitaltimes.com/ransomware-hitting-dozens-healthcare-organizations-why-file-encrypting-malware-523219
http://www.darkreading.com/partner-perspectives/intel/healthcare-organizations-must-consider-the-financial-impact-of-ransomware-attacks/a/d-id/1325030
https://lists.riskbasedsecurity.com/pipermail/breachexchange/2016-april/000143.html
http://blogs.cisco.com/security/ransomware-the-race-you-dont-want-to-lose
http://www.hhs.gov/blog/2016/07/11/your-money-or-your-phi.html
http://www.fcmcclerk.com/news/malicious_email_campaign.php
http://arstechnica.com/security/2016/03/two-more-healthcare-networks-caught-up-in-outbreak-of-hospital-ransomware/
http://venturebeat.com/2016/03/26/next-wave-of-ransomware-could-demand-millions/
http://www.zdnet.com/article/cybersecurity-predictions-for-2016-how-are-they-doing/
http://www.healthcareitnews.com/news/phishing-attack-baystate-health-puts-data-13000-patients-risk
https://www.techsupportall.com/best-anti-ransomware-software/