Traditional AV Is Dead, Long Live XGen - Infosec.ba

Transcription

Traditional AV is dead, long live XGen
November 2016
Albin Penič

XGen (TM): cross-generational blend of threat defense techniques
- Intelligently applies the right technique at the right time
- Powered by global threat intelligence
Copyright 2016 Trend Micro Inc.

Solving Real Customer Problems
IT Dynamics:
- Increasingly sophisticated threats
- Shift to the cloud
- Changing user behavior
Customer Pain:
- Recovering from high-impact attacks
- Existing defenses stagnant and ineffective
- Complexity & lack of visibility
XGen Endpoint Security:
- Maximum Protection
- Minimum Impact
- Proven Security Partner

XGen Endpoint Security
- Maximum Protection: cross-generational blend of threat defense techniques
- Minimum Impact: central visibility & control, lower false positives and efficient threat defense
- Proven Security Partner: innovative and timely response to changing threat landscape

There is no silver bullet
“History has clearly shown that no single approach will be successful for thwarting all types of malware attacks. Organizations and solution providers have to use an adaptive and strategic approach to malware protection.”
- Gartner EPP Magic Quadrant 2016

Pros & Cons of New Threat Techniques
Technique                | Pro                                         | Con
Application Whitelisting | Blocks all unknown apps                     | Only stops EXEs
Behavior Analysis        | Recognizes behavior                         | CPU intensive
Exploit Protection       | Blocks vulnerabilities that threats exploit | Can’t block threats that don’t exploit app/OS vulnerabilities
Machine Learning         | EXE file detection                          | Higher false positives, needs to be trained with specific file types
No silver bullet; combine techniques to get the best of all worlds

Machine Learning

What is Machine Learning?
- Mathematical models that can be used for security
- Works well on unknown executable malware
- Extracts file features
- Uses mathematical models to determine the probability that a file is good OR bad
- Models are constantly trained and learn from good & bad file data to maintain their accuracy

What is Machine Learning?
- Important to choose features with the best fidelity
  – Takes a lot of data and researchers to figure out the most accurate & efficient features
  – Some machine learning looks at an endless list of features
  – Tends to have higher false positives

Why Machine Learning: Samples Look Different on the Surface
[Figure: Ransom-Tescrypt1 (known sample) beside Ransom-Tescrypt2 (unknown)]
Internal note retained in the slide text: “Need a new example for machine learning since this would be caught by variant protection – Jon Oliver working on this example now.”

Machine Learning Predicts Maliciousness When Features Are Looked at and Compared
[Figure: Ransom-Tescrypt3 (known sample) beside Ransom-Tescrypt4 (unknown); opcodes normalized in a graph, API calls displayed in the import table]
Example of 2 code elements machine learning found to have similar characteristics

Machine Learning Evolved
- Spam Detection – 2005
- URL Reputation and Categorization – 2010
- Malicious Social Media Accounts – 2015
- File-based Threat Detection (Endpoints) – October 2016

High-fidelity Machine Learning
- Uses the most accurate features to predict if a file is good or bad
- Unique dual approach for highest fidelity
Pre-execution Machine Learning:
- Looks at static file features
- Reduces risk of damage
- Can miss features that are only seen during execution
Runtime Machine Learning:
- Looks at behavior features during execution
- Kills offending processes during execution
Noise Cancellation reduces false positives: census and whitelist checking

Mathematical Algorithm Accuracy Determined by Quality & Volume of Training Data
Global Threat Intelligence:
- 100 TB analyzed daily
- 500k new threats daily
- 800M good file whitelist
- 100s of millions of sensors
Threat Researchers:
- 450 researchers
- Threat lifecycle and distribution research
- 3k external vulnerability & exploit researchers (ZDI)

Innovative and Timely Response to Evolving Threat Landscape (25 years of innovation)
Techniques: High-Fidelity Machine Analysis, Whitelisting Check, Data Loss Prevention, Antimalware, Antispyware, Personal Firewall, Web Reputation, Host-based IPS, Investigation & Forensics (EDR), Application Control, Census Check

The Right Technique at the Right Time
Legend: Known Good Data, Known Bad Data, Unknown Data, Noise Cancellation
With its cross-generational blend of threat defense techniques including high-fidelity machine learning, Trend Micro XGen endpoint security is always adapting to identify and defeat new ransomware and other unknown threats.
Techniques shown in the pipeline:
1. Web & File Reputation
2. Exploit Prevention
3. Application Control
4. Variant Protection
5. Pre-execution Machine Learning
6. Behavioral Analysis
7. Runtime Machine Learning
Outcome: safe files allowed, malicious files blocked

Unknown threat found by machine learning [screenshot]

In The Lab
[Chart: average detection rates (0% to 100%) for unknown malware over an 11-week testing period, by category: PE files, script-based malware, macro malware. OfficeScan (web & file reputation, exploit prevention, behavioral analysis, machine learning) compared with Cylance (machine learning, exploit protection).]

Importance of Blocking non-EXE Malware
Detection of new macro and JavaScript malware: Trend Micro 100% detected, Cylance 8% detected
Most ransomware attachment types are not .EXE or .RAR
Source: TrendLabs 2016 1H Security Roundup, August 2016

Best Overall Average Score for 2.5 Years
Includes performance, protection (prevalent & 0day) &
[Chart: bar scores on an axis from 0,00 to 14,00; vendor labels partly garbled in the source (“Trend”, “lance”), plus Microsoft]
Source: av-test.org, Jan 2014 to June 2016

Exploits & Evasions – Oct
[Chart: bars on an axis from 40,0% to 60,0%, highest value 62,8%; vendors: Trend Micro, Symantec, Kaspersky, McAfee, Sophos, F-Secure]
Source: NSS Labs, October 2015

More Unknown Threat Detection
- Behavioral analysis: monitoring for unexpected changes to OS, apps & scripts, including in-memory inspection
- Exploit Prevention: detects abnormal behavior, HIPS, host firewall, lateral movement
- Ransomware Detection: detects and stops unauthorized encryption of multiple files
- Variant Protection: unpacks files to look for fragments of known malware
- Census Check: uses frequency and maturity of files to determine if a file is suspicious
- Investigation & Forensics (EDR): endpoint security monitor that records detailed activities & allows for rapid assessment

Layered Security Eliminates Gaps: Smart Protection Complete
- In addition to XGen endpoint security:
  – Smart Protection for Endpoints includes data protection, device control, mobile
  – Smart Protection Complete adds gateway controls
- Protects users on/off network
[Diagram components: Smart Protection for Endpoints; Email Gateway; Mail Server; Office 365; Cloud file sharing; DLP; File servers; SharePoint; Mobile; one component label garbled in the source (“…rol”); Central management, visibility, threat sharing]

Connected Threat Defense: Better, Faster Protection
- PROTECT: assess potential vulnerabilities and proactively protect endpoints, servers and applications
- DETECT: detect advanced malware, behavior and communications invisible to standard defenses
- RESPOND: enable rapid response through shared threat intelligence and delivery of real-time security updates
- Central visibility: gain centralized visibility across the system, and analyze and assess impact of threats

Smarter Endpoint Protection with Rapid Response
1. Advanced malware infects an endpoint
2. Network inspection discovers advanced malware
3. Real-time signature pushed to endpoints
4. Investigation determines if and where the threat has spread
All via central insight & control

Security That Automatically Adapts (central insight & control)
1. Advanced malware attempts to infect an endpoint or arrives via email
2. Sent to network sandbox for assessment
3. Sandbox sends alert back to endpoint (for blocking)
4. Sandbox also sends alert to Control Manager for sharing across all endpoints

C&C Identification and Blocking
[Diagram components: Botnet C&C; Targeted C&C; 3rd Party Security; Endpoints; Messaging; Web; Data Center; Deep Discovery (Local Detection of Targeted Attacks); Control Manager]

XGen Endpoint Security
- Maximum Protection
- Minimum Impact: on IT and users, with central visibility & control and efficient threat defense
- Proven Security Partner

Lower the Burden on IT and Users: Fewer False Positives, More Efficient Performance
- Only unknown files go through techniques that are
  – Computationally intensive
  – Produce higher false positives
- Fewer false positives for IT to manage and more efficient performance for users
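The layered triage the deck describes (reputation lookups for known-good and known-bad files first, only unknown files reaching the computationally intensive pre-execution classifier, and a census check as noise cancellation before a block), as an added Python example. This is not Trend Micro code and not part of the original deck; it also illustrates the “What is Machine Learning?” and “High-fidelity Machine Learning” slides, since the pre-execution step is a small logistic-regression model trained inline on two static file features. The hash sets, census counts, risky-import list, training vectors, sample files and the prevalence/age thresholds are all constructed for the illustration.

```python
"""Layered file triage: cheap reputation checks first, an expensive classifier only
for unknown files, census check as noise cancellation. Added illustration with
constructed data; not Trend Micro code."""
import hashlib
import math
from dataclasses import dataclass

# Constructed stand-ins for the deck's whitelist / known-bad data (hashes of toy files)
GOOD_BYTES = b"MZ" + b"\x00" * 100            # pretend: a known-good installer
BAD_BYTES = b"MZ" + b"\xff" * 100             # pretend: a known-bad dropper
KNOWN_GOOD = {hashlib.sha256(GOOD_BYTES).hexdigest()}
KNOWN_BAD = {hashlib.sha256(BAD_BYTES).hexdigest()}

# Constructed census: sha256 -> (prevalence count, days since first seen)
VENDOR_BYTES = bytes(reversed(range(256))) * 4  # unknown to reputation, but widely deployed
CENSUS = {hashlib.sha256(VENDOR_BYTES).hexdigest(): (50_000, 400)}
CENSUS_MIN_PREVALENCE, CENSUS_MIN_AGE_DAYS = 10_000, 90  # assumed thresholds

# Imports the toy model treats as risk indicators (constructed, deliberately short list)
RISKY_IMPORTS = {"VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread"}

@dataclass
class Sample:
    name: str
    data: bytes
    imports: list   # names from the PE import table, supplied directly here

@dataclass
class Verdict:
    action: str     # "allow" or "block"
    reason: str
    expensive: bool # whether the costly classifier ran at all

def shannon_entropy(data: bytes) -> float:
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def features(sample: Sample) -> list:
    """Two high-fidelity static features, both scaled to [0, 1]."""
    risky = sum(1 for i in sample.imports if i in RISKY_IMPORTS)
    return [shannon_entropy(sample.data) / 8.0, risky / max(len(sample.imports), 1)]

# Tiny logistic-regression "pre-execution model" trained on constructed feature vectors
TRAIN = [([1.00, 0.75], 1), ([0.90, 0.50], 1), ([0.95, 1.00], 1), ([0.80, 0.60], 1),
         ([0.30, 0.00], 0), ([0.40, 0.10], 0), ([0.50, 0.00], 0), ([0.20, 0.20], 0)]

def sigmoid(z: float) -> float:
    z = max(min(z, 30.0), -30.0)  # clamp to keep exp() finite
    return 1.0 / (1.0 + math.exp(-z))

def train(data, lr=0.5, epochs=2000):
    """Deterministic per-sample gradient descent on the log-loss."""
    w, b = [0.0, 0.0], 0.0
    for _ in range(epochs):
        for x, y in data:
            err = sigmoid(w[0] * x[0] + w[1] * x[1] + b) - y
            w[0] -= lr * err * x[0]
            w[1] -= lr * err * x[1]
            b -= lr * err
    return w, b

WEIGHTS, BIAS = train(TRAIN)
BLOCK_THRESHOLD = 0.5

def malicious_probability(sample: Sample) -> float:
    x = features(sample)
    return sigmoid(WEIGHTS[0] * x[0] + WEIGHTS[1] * x[1] + BIAS)

def triage(sample: Sample) -> Verdict:
    digest = hashlib.sha256(sample.data).hexdigest()
    if digest in KNOWN_GOOD:                      # cheap path: file reputation
        return Verdict("allow", "file reputation: known good", False)
    if digest in KNOWN_BAD:
        return Verdict("block", "file reputation: known bad", False)
    p = malicious_probability(sample)             # expensive path: unknown files only
    if p < BLOCK_THRESHOLD:
        return Verdict("allow", f"pre-execution model: p={p:.2f}", True)
    prevalence, age = CENSUS.get(digest, (0, 0))  # noise cancellation before blocking
    if prevalence >= CENSUS_MIN_PREVALENCE and age >= CENSUS_MIN_AGE_DAYS:
        return Verdict("allow", f"census: {prevalence} installs, {age} days old; suppressing p={p:.2f}", True)
    return Verdict("block", f"pre-execution model: p={p:.2f}", True)

# Constructed sample files, one per branch of the pipeline
SAMPLES = [
    Sample("installer.exe", GOOD_BYTES, ["MessageBoxA"]),
    Sample("dropper.exe", BAD_BYTES, ["VirtualAlloc"]),
    Sample("unknown_packed.exe", bytes(range(256)) * 4,
           ["VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread", "LoadLibraryA"]),
    Sample("vendor_tool.exe", VENDOR_BYTES,
           ["VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread", "LoadLibraryA"]),
    Sample("notepad_clone.exe", b"MZ" + b"hello world" * 20, ["MessageBoxA", "ExitProcess"]),
]

if __name__ == "__main__":
    for s in SAMPLES:
        v = triage(s)
        print(f"{s.name:20} {v.action:5} expensive={v.expensive!s:5} {v.reason}")
```

Running the script prints one verdict per sample. The two reputation hits never reach the classifier, which is the cost and false-positive saving the slide claims; the high-entropy file with process-injection imports is blocked; and the vendor tool, which the model scores identically, is suppressed by the census check because it is prevalent and mature, so the block is treated as noise rather than a detection.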

Lower the Burden on IT: Central Visibility and Control
- Single console across endpoints and gateways – on-premise or in the cloud
- Graphic dashboards give you a holistic view and help you prioritize actions
- User-centric threat timelines and forensics tools simplify threat investigation

Central Visibility and Automation
- Single console across endpoints and gateways – on-premise or in the cloud
- Graphic dashboards give you a holistic view and help you prioritize actions
- User-centric threat timelines and forensics tools simplify threat investigation

Prioritized view of alerts across the environment [screenshot]

User-based visibility, investigation & management [screenshot]

Flexibility for the Transition to the Cloud
- On Premise Deployment and Cloud Deployment, with Central Visibility & Management
- Migrate anytime
- Mix & match
- No licensing transaction

XGen Endpoint Security
- Maximum Protection
- Minimum Impact
- Proven Security Partner: innovative security partner with expertise to solve customer problems

Proven Security Partner: Security Innovator
- 1st to integrate high fidelity machine learning, with blend of techniques
- 1st to deliver connected threat defense
- 1st to integrate with AWS and Azure cloud environments
- 1st to integrate virtualization security with VMware
- 1st to deliver threat intelligence from the cloud

Gartner Magic Quadrant for Endpoint Protection Platforms, Feb 2016
This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from rant-Endpoints.html
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

XGen Endpoint Security
- Maximum Protection: cross-generational blend of threat defense techniques
- Minimum Impact: central visibility & control, lower false positives and efficient threat defense
- Proven Security Partner: innovative and timely response to changing threat landscape

Thank You!
