Director of Research, SANS Institute

Presentation on theme: "Director of Research, SANS Institute"— Presentation transcript:

1 Director of Research, SANS Institute
"95% of all attacks on the enterprise network are the result of successful spearphishing." (Alan Paller, Director of Research, SANS Institute, as quoted by NetworkWorld)

While Office 365 has many components, today's focus is on security. Why? Beyond being an indispensable business communication tool, email is a critical vector, if not the most critical vector, for targeted attacks. If 95% of all successful attacks on the enterprise network start with spear phishing, the need for email security is more critical than ever.

2 Nearly 1 in 5 users will click on a link within a phishing email
Verizon Data Breach Investigations Report, 2014

And it is easy to see why email is such an attractive method of attack. By targeting human vulnerabilities rather than software ones, an attacker can count on 1 in 5 users clicking a link in a phishing email, which installs malware on your network and sends out sensitive data.

3 88% of HR and Finance clicked on at least one phishing email
Worse yet, when we look inside organizations, HR and Finance performed the worst, and those are the departments that often hold the most sensitive information. (McAfee Phishing Quiz, 2014)

4 Phishing Deceives the Masses
57,000 business users
Only 6% worldwide correctly classified all emails as Legitimate or Phishing
On average, 250,000 new phishing URLs are identified each quarter
McAfee Phishing Quiz, 2014

Earlier this year we ran a phishing quiz consisting of 10 emails, some safe and some phishing, which looked exactly as they would if you or I received them in our inboxes. We had over 30,000 business users across 49 countries take it. Only 6% were able to correctly classify all of the emails.

5 Targeted Phishing Attacks Continue to Prevail
Sophistication and delivery of malware increase unabated
Delayed malware drop
One-time URLs
Recon for targeted attacks

So why do targeted attacks continue to prevail? In addition to the human element, the tactics keep getting more sophisticated, particularly web threats delivered via email (CryptoLocker is an example of malware delivered by a phishing campaign). One-time URLs are a big problem because they are hard to detect: a link used once barely registers a blip on the radar, and if you get infected and go back to investigate, the URL often no longer exists, so forensics becomes a real challenge. In a delayed infection, the attacker waits until after the email has been scanned, approved and delivered to the end user's inbox before dropping the payload onto the destination website; this also exploits the unwarranted trust a recipient grants to a message once it has reached the inbox. And phishing is not as simple as duping a recipient into giving up sensitive information. Attacks are often multi-staged: the goal of the first phishing email is reconnaissance, silently learning more about the target endpoints or the organization's network, unbeknownst to the user, so that an even more lucrative attack can be crafted.

6 Anatomy of an Attack: How It Happens
Recon -> Deliver -> Exploit -> Attack -> Data Theft

Timeline, in seconds after delivery (for illustration only): 1s, the email reaches the recipient's inbox through O365 Exchange Online; 5s to 10s, the attacker places malware on the destination page; 11s, the recipient clicks and the exploit fires ("KaBoom").

There are many flavors of attack. We will walk through one of the most effective, the delayed malware drop. Let's pretend I am the attacker and my target is a user inside your organization, say your financial controller.

Recon: I identify my target, find an unpatched vulnerability I know will be effective against them, and write malware that exploits it.

Deliver: I craft an email containing a URL that leads to a harmless web page on a brand-new domain I created, send it to your controller, and wait. Your organization's security solution, in this case Office 365 Exchange Online Protection, receives the email, interrogates it (including "is the URL safe?") and allows it to be delivered. The message passes the checks, exactly as I expect, because nothing malicious can be found in it.

Now it is game time. My email is in your controller's inbox, and at the moment it is received (1s) the URL still leads to a perfectly safe website. All I have to do now (5s) is put malware on the destination page (10s). When your controller clicks the link (11s), your network gets infected and information is compromised.

We call this a delayed malware infection because the attacker waits until the email is sitting inside your organization before introducing the threat. This scenario plays out all too frequently. The timing here is only for illustration; in reality attackers usually have far more time, since most of us do not click a link the moment a message arrives.

7 What Customers Are Asking
Security for Office 365 Exchange Online
Do I need additional security?
Threats delivered via embedded URLs?
How susceptible are my users?
How can I gain visibility into phishing attacks my users fell for?
Uptime?
Data exfiltration?

If you are considering Office 365 for your email infrastructure, the #1 question that comes up is "Do I need additional security?" It comes up because a hosted mailbox typically includes some level of security. As you do your due diligence, further questions follow: How do I handle threats delivered via embedded URLs? How susceptible are my users to phishing? What about forensics, and how can I gain visibility into the phishing attacks my users fell for? As an administrator you need to know that hosted mailbox uptime is reliable. And then there is data exfiltration, which historically might have been handled by a dedicated email security solution. First, let's tackle targeted attacks.

8 Advanced Security for O365 Exchange Online
Email Protection with Targeted Attack Protection: phishing protection; real-time detection of URL-delivered malware with ClickProtect; customizable warning pages; built-in DLP
Faster and more reliable protection: breadth of cloud intelligence sources; threat response times; email continuity
Flexibility: advanced security for Exchange Online, hybrid Exchange and on-site Exchange; deploy any way you want, when you want; hybrid deployment options with a single management and reporting console

In summary, McAfee Email Protection gives your organization industry-strength security technologies, the ability to confidently use hosted mailboxes without sacrificing security, and flexible and hybrid deployment options that let you take advantage of the cloud without sacrificing privacy. So as mailbox infrastructure moves to the cloud, should your security follow it? Absolutely; it should be top of mind. Targeted attack (advanced malware) protection is critical in today's landscape, and our customers find that the deeper they look, the more valuable it is to extend the built-in security capabilities with advanced security.

9 Data Exfiltration Prevention
Preventing the last step of a targeted attack
[Chart: people affected by major data breaches, Dec 2013 through 2H'14, one bar per breach; the figures shown are 150M, 110M, 104M, 4.6M, 12M, 800K, 1.5M, 145M, 20.7M, 4.5M, 5M, 868K, 76M, 310K and 338K. Source: Data Breach Today]
Built-in DLP provides: compliance templates; document fingerprinting; regular expressions; scans 300+ file types

Starting with the high-profile Target breach last December, a string of major data breaches has hit every major business sector; the chart is just a sampling of 2014's top breaches. The goal, and the last step, of any targeted attack is to exfiltrate data back to home base, and unmonitored email is an open outlet for sensitive data. McAfee helps companies gain visibility into, and act on, the type of data that is escaping, using the same templates, document fingerprinting and regular-expression capabilities used by almost half of the top 13 in the Fortune 100.

10 Granular DLP and Encryption Controls for Hosted Mailboxes
Helps achieve compliance and prevent exfiltration
Fully compatible integration: allow filtering of email from Microsoft Office 365 and Google Apps for Work
Includes: extensive, robust templates; more granularity per template; file fingerprinting; policy-driven encryption

Fully compatible integration is simply a checkbox in the SaaS UI. McAfee maintains the outbound IP addresses of O365 and Google Apps for Work to make sure we scan your organization's email originating from any of those addresses. Included are 100+ pre-built templates (the same as in McAfee DLP); O365 has only about 40 pre-built DLP templates, available only in Microsoft's E3/E4 plans, with dramatically fewer templates, less granularity per template, and key templates missing (SOX, Acceptable Use, Employee Discontent). File fingerprinting detects organization-specific documents. Encryption is policy-driven, push or pull.

Example: Exchange Online's SSN DLP template requires the SSN in a fixed format (the format itself was not captured in this transcript). Unlike McAfee, an SSN written another way would not be blocked (and the template cannot be edited to fix the problem in either solution). Also unlike McAfee, an SSN obfuscated with "." or "," separators (123,45,6788) would not be blocked.
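A worked example of the separator-obfuscation point above, added here as illustration; it is not McAfee's or Microsoft's DLP code. The pattern accepts a hyphen, dot, comma, space or no separator, requires the same separator in both positions, and then applies the structural rules the Social Security Administration publishes for issued numbers, so that values like 000-12-3456 or a phone number do not trigger the policy. The sample messages are constructed, and the block threshold and the block/allow actions are assumptions for the example.

```python
import re

# Three digit groups separated by a consistent separator (or none). The backreference \2
# requires the same separator twice, so "123-45-6789", "123.45.6789", "123,45,6789",
# "123 45 6789" and "123456789" all match, while "123-45.6789" does not.
# The lookarounds stop the pattern from matching inside longer digit runs or phone numbers.
SSN_PATTERN = re.compile(r"(?<![\w-])(\d{3})([-. ,]?)(\d{2})\2(\d{4})(?![\w-])")


def is_valid_ssn(area, group, serial):
    """Reject shapes the SSA never issues, which cuts false positives on order numbers
    and similar 9-digit values: area 000, 666 or 900-999; group 00; serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def find_ssns(text):
    """Return (matched text, normalised SSN) pairs for every plausible SSN in text."""
    hits = []
    for m in SSN_PATTERN.finditer(text):
        area, group, serial = m.group(1), m.group(3), m.group(4)
        if is_valid_ssn(area, group, serial):
            hits.append((m.group(0), f"{area}-{group}-{serial}"))
    return hits


def classify_message(text, block_threshold=1):
    """Policy decision for one outbound message (assumed policy): 'block' when at least
    block_threshold plausible SSNs are present, otherwise 'allow'."""
    hits = find_ssns(text)
    action = "block" if len(hits) >= block_threshold else "allow"
    return action, hits


if __name__ == "__main__":
    # Constructed sample messages, not real data.
    samples = [
        "Please process SSN: 123-45-6789 for the new hire.",
        "Account 123,45,6788 flagged for review",
        "Call 555-123-4567 or fax 555-987-6543",
        "Order #000-12-3456 shipped",
    ]
    for s in samples:
        print(classify_message(s), "<-", s)
```

The normalised form returned alongside each match is what an incident record should carry, so an analyst can tie "123,45,6788" in the mail body to the same identifier found elsewhere; a template that only recognises one spelling of the number cannot make that link.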

11 Email Continuity Ensures Hosted Mailbox Uptime
Automatic service engagement when an outage is detected
39% are concerned they will not be able to access cloud applications
60 days of rolling storage
Web-based access to email during an outage
Post-outage activity release and synchronization

Customers moving to hosted mailboxes often also have concerns about service availability; in a Frost & Sullivan study, 39% are concerned they will not be able to access cloud applications. Email continuity serves as a disaster recovery (DR) option, giving your users web-based access to email during outages so communications keep flowing.

Notable outages. 2014: "Microsoft has suffered major outages to Office 365 cloud services for two straight days now" (June 24, 2014). "Some Exchange [Online] users went nine hours ... without access to email." "The silence from Microsoft is deafening on this issue," one Microsoft partner said of that week's cloud outages. "We have over a thousand Office 365 customers and our phones have been lit up all day with questions about when the service would be restored. All we have is the service dashboard, which doesn't give us a lot of detail." See the appendix slides for an example captured in September 2014 on availability issues. The outages that hit the mainstream news tend to affect the broader population, but we see outages and intermittent issues occur commonly. 2013: "During one month in 2013, there were four major outages that affected Microsoft's online services" (Osterman Research). "Outlook.com (and by extension Office 365) experienced intermittent issues, ranging from trouble accessing Windows Intune and webmail to mail being inaccessible altogether. The issues with 365 lasted for around two hours." Stats suggest the service was down for 3 hours; that does not sound like much, but the stated availability percentage would mean only 5 minutes of downtime. @MSCloudUS: "We apologize for the inconvenience that the #office365 outage has caused today. We're working on resolving the issue."
Frost & Sullivan, The Hidden Truth Behind Shadow IT

12 Any device, anywhere, anytime
ClickProtect: scan-time and click-time URL protection
Any device, anywhere, anytime
Combats spear phishing and links to malware
Educates users
Fully customizable
Scan time: URL reputation check ("Is the URL safe?"); rewrites delivered URLs
Click time: enterprise web security scanning for 0-hour malware ("Is the URL still safe?"); Safe Preview

Protecting against phishing takes a two-pronged approach: technology and user education, and ClickProtect provides both. It protects users on any device, regardless of network, to combat spear phishing. More uniquely, it creates an opportunity to educate users, which we will dive into shortly. And it is fully customizable: you can turn it on or off and make it more or less aggressive. On the technology side, we talked earlier about the critical intercept points, and ClickProtect covers exactly those. At scan time it asks "is the URL safe?"; if the email and the URL destinations in it are cleared, the message is delivered to the recipient's inbox with its URLs rewritten. Because the content of a web page may change between the time a link is delivered and the time it is clicked, we have built technology from our web protection solution into email protection at no extra cost: at the moment a URL in an email is clicked, ClickProtect asks "is the URL still safe?" Unique to McAfee, these URLs are also inspected by our Gateway Anti-Malware engine, the same engine that powers McAfee Web Protection, which uses behavioral emulation to detect malicious web content without relying on signatures. The URL rewriting travels with the message, so when it is forwarded to partners, friends or family who do not have ClickProtect, they still get protection that blocks 0-hour malware delivered through the delayed-infection tactic. Next, let's look at Safe Preview and the other user-awareness elements that help users get savvier at spotting phishing.
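The delayed malware drop from slide 6 and the scan-time/click-time design described above, as an added Python example that is not McAfee's code. The rewrite endpoint, the signing key, the page timeline and the two-indicator "analyzer" are constructed stand-ins (a real engine emulates the page; this one only looks for two strings so the timeline is observable). It shows why a scan-time-only check is not enough: the page is clean at t=1 when the message is scanned, armed at t=5, and the click-time re-check at t=11 is what blocks it. The HMAC on the rewritten link is the part that lets the rewrite travel with a forwarded message without letting anyone forge or tamper with it.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical rewrite endpoint and signing key: assumptions for this example only.
REWRITE_ENDPOINT = "https://clickcheck.example.invalid/v1/click"
SIGNING_KEY = b"demo-key-not-for-production"

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed timeline of what the attacker's page serves at a given second after
# delivery: benign when scanned, armed at t=5 (the delayed malware drop).
SITE_TIMELINE = {
    "http://invoice-portal.example/": [
        (0, "<html><body>Invoice portal: please sign in</body></html>"),
        (5, "<html><body><script>new ActiveXObject('WScript.Shell');"
            "eval(unescape('%2e%2e'));</script></body></html>"),
    ],
}

# Crude stand-in for a web anti-malware engine: two static indicators.
SUSPICIOUS = ("ActiveXObject", "eval(unescape(")


def fetch_page(url, t):
    """Return the content the URL serves at second t (latest version at or before t)."""
    content = ""
    for since, body in SITE_TIMELINE.get(url, []):
        if t >= since:
            content = body
    return content


def analyze(content):
    return "malicious" if any(ind in content for ind in SUSPICIOUS) else "clean"


def scan_time_verdict(url, t):
    """What a scan-time-only gateway sees when the message arrives."""
    return analyze(fetch_page(url, t))


def sign(url):
    return hmac.new(SIGNING_KEY, url.encode(), hashlib.sha256).hexdigest()


def rewrite_links(body):
    """Scan time: replace each URL with a rewrite URL carrying the original and an HMAC.
    The rewrite is part of the message, so forwarded copies route through the check too."""
    def repl(m):
        original = m.group(0)
        return REWRITE_ENDPOINT + "?" + urlencode({"u": original, "sig": sign(original)})
    return URL_RE.sub(repl, body)


def handle_click(rewritten_url, t):
    """Click time: verify the signature, then re-scan the live destination."""
    qs = parse_qs(urlparse(rewritten_url).query)
    if "u" not in qs or "sig" not in qs:
        return "reject", None
    original, sig = qs["u"][0], qs["sig"][0]
    if not hmac.compare_digest(sig, sign(original)):
        return "reject", original  # tampered or forged rewrite link
    verdict = analyze(fetch_page(original, t))
    return ("block" if verdict == "malicious" else "allow"), original


if __name__ == "__main__":
    body = "Please review: http://invoice-portal.example/"
    print("scan time (t=1):", scan_time_verdict("http://invoice-portal.example/", 1))
    delivered = rewrite_links(body)
    link = delivered.split(": ", 1)[1]
    print("click at t=1:", handle_click(link, 1))
    print("click at t=11:", handle_click(link, 11))
```

One consequence worth noting: once links are rewritten, the recipient no longer sees the real destination in the message, which is why the warning page has to unmask the original URL for the user rather than only showing a verdict.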

13 ClickProtect for Embedded URL Protection
Customizable template reinforces awareness; enterprise web security

We mentioned that ClickProtect's customizable templates offer the unique benefit of educating users. Say you have the capability turned on and a user clicks a medium-risk URL embedded in an email. The URL goes through our enterprise web security technology, the Gateway Anti-Malware engine, the same technology used in McAfee Web Protection and rated the #1 anti-malware detection on the market (AV-Test.org). It goes beyond reputation and signatures to emulate the behavior of the destination site and detect 0-hour malware, which is critical for catching targeted attacks. In essence, you get enterprise-grade web security in a click. The status of the analysis is displayed in this customizable template, giving the user additional information about the safety of the website.

14 ClickProtect for Embedded URL Protection
Customizable template reinforces awareness; enterprise web security; unmasks URL

It also unmasks the URL and shows reputation and category information, helping users stay aware and vigilant that a hyperlink in an email may not be what it first appears to be. Example fields from the template: Unmasked Web Address; McAfee GTI® Web Reputation: Unverified; McAfee GTI® Web Category: Entertainment, Streaming Media.

15 ClickProtect for Embedded URL Protection
Customizable template reinforces awareness; enterprise web security; unmasks URL; Safe Preview

Safe Preview, a sneak-peek screenshot of the destination, gives the user a further chance to validate: is that really my intended destination site?

16 ClickProtect for Embedded URL Protection
Policy configuration: custom warnings

The templates are customizable per policy, down to the messages themselves. Perhaps you want to point users to an IT phone number to call if they are unsure, or to links to training. Summing up, ClickProtect enhances built-in O365 protection with the ability to prevent targeted attacks from both a technology and a user-awareness perspective.

