Synchronized Security: Revolutionizing Advanced Threat Protection
Lars Putteneers, Sales Engineer

What we’re going to cover
- What’s the problem?
- It’s time for a security revolution
- How it works
- Synchronized Security 2015-2016
- Your path to Synchronized Security
What’s the problem?

Threat Landscape
- Increasing attacks, increasing sophistication
- Attack surface exponentially larger: laptops/desktops, phones/tablets, virtual servers/desktops, cloud servers/storage
- Threats more sophisticated
- Attacks are more coordinated than defenses

Security industry: a 2D view
Each product (firewall, AV, device control, application control, mobile) has its own way of looking at the network. You are looking at it from the side, not from a top-down, 3D view. This is just the nature of the beast. The firewall just looks at the network: if it is designed to let port 80 through, I craft my malware to use port 80. We are left with competent products, but only a 2D, un-integrated view.
It’s time for a security revolution

Generations of security
- Point products: anti-virus, IPS, firewall, sandbox
- Layers: bundles, suites, UTM, EMM
- Synchronized Security: Security Heartbeat™

Synchronized Security
- Platforms: Windows, Mac, Linux, iOS, Android, Windows Phone, plus the corporate data itself
- Comprehensive protection: prevent malware, detect compromises, remediate threats, investigate issues, encrypt data
Endpoint security used to be about stopping malware from infecting Windows PCs on the network. Now it has to evolve to not only prevent malware, but also detect machines that are already compromised and help remediate detected threats on a variety of workstation and mobile platforms. Endpoint security also has to include a focus on the data, ensuring it is encrypted and accessible only to authorized users regardless of where the data lives.

Integration at a different level
Synchronized Security (Enduser and Network sharing a heartbeat):
- System-level intelligence
- Automated correlation
- Faster decision-making
- Accelerated Threat Discovery
- Automated Incident Response
- Simple unified management
Alternative (separate management console, SIEM, endpoint management and network management):
- Resource intensive
- Manual correlation
- Dependent upon human analysis
- Manual threat/incident response
- Extra products
- Endpoint and network unaware of each other

Synchronized Security
[Diagram: Sophos Cloud and SophosLabs above Next Gen Enduser Security and Next Gen Network Security, linked by the heartbeat]
- Security must be comprehensive: the capabilities required to fully satisfy customer need
- Security can be made simple: platform, deployment, licensing, user experience
- Security is more effective as a system: new possibilities through technology cooperation
Synchronized Security is integrated, context-aware security where Enduser and Network technology share meaningful information to deliver better protection.
How it works

3 pillars of advanced threat protection (Security Heartbeat™)
- Accelerated Threat Discovery: endpoint and network protection combine to identify unknown threats faster. Sophos Security Heartbeat™ pulses real-time information on suspicious behaviors. Result: faster, better decisions.
- Active Source Identification: identifying the device itself reduces the time taken to manually identify an infected or at-risk device or host from its IP address alone. Result: quicker, easier investigation.
- Automated Incident Response: compromised endpoints are isolated by the firewall automatically, while the endpoint terminates and removes the malicious software. Result: reduced threat impact.
System Initialization
[Diagram: Sophos Cloud and SophosLabs; Next Gen Enduser Security and Next Gen Network Security linked by the heartbeat]
- Sophos Cloud registration: the NGEP (endpoint) and NGFW (firewall) register with Sophos Cloud, which sends certificate/security information to both.
- Connection: endpoints initiate the connection to the trusted firewall.
- Validation: the firewall and the endpoints check the security information sent to them by the Cloud to verify that the other side is valid.
- Support for multiple locations: endpoints can establish a connection to firewalls at any of the customer’s locations, because the Sophos Cloud registry can be shared among all Galileo-enabled firewalls.
Accelerated Threat Discovery
- Security Heartbeat: a few bytes of information are shared every 15 seconds from the endpoint to the network.
- Events: upon discovery, security information such as malware or PUA detections is shared between endpoints and the network.
- Health: the endpoint sends a Red, Yellow or Green health status to the network.
- VPN support: Galileo supports endpoints connected within the local network as well as those connected via VPN, as long as they are connecting to the firewall.
Active Source Identification
Positively identifying the machine: associating the IP address with a particular endpoint.
- Advanced attack: if the network firewall detects an advanced attack but cannot determine the source, it requests details from the endpoints.
- Source identification: the endpoint sends details of the machine name, user, process and IP address.
Automated Incident Response
- Green: endpoints have full access to internal applications and data as well as the internet.
- Yellow: affected endpoints can be isolated from internal/sensitive applications and data while maintaining access to the internet.
- Red: affected endpoints are isolated from the network and have no access to internal systems or the external internet.
- Defaults and customization: there are no default policies based on health status, so admins can customize responses as needed. We are developing a best practices guide to assist customers with the recommended policy setup.
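To make the three pillars concrete, here is an added example (not Sophos code and not from the deck) of a firewall-side table that ingests the 15 second heartbeats, applies one possible Green/Yellow/Red access policy, treats an endpoint that has gone silent as stale, and answers a source-identification lookup by IP. The message fields, the policy tiers and the three-missed-beats stale limit are assumptions, since the slides say there are no default policies.

```python
"""Firewall-side model of the Security Heartbeat flow described above (added
illustration, not Sophos code). Assumed: the field names, the access tier per
colour (the slides say there are no default policies) and the stale limit."""
from dataclasses import dataclass
from typing import Optional
HEARTBEAT_INTERVAL = 15               # seconds, per the slides
STALE_AFTER = 3 * HEARTBEAT_INTERVAL  # assumption: three missed beats
# One possible admin policy per health colour (assumption)
ACCESS_BY_HEALTH = {
    "green":  {"internal": True,  "internet": True},
    "yellow": {"internal": False, "internet": True},
    "red":    {"internal": False, "internet": False},
}

@dataclass
class Heartbeat:
    ip: str
    hostname: str
    user: str
    health: str
    seen_at: float
    process: Optional[str] = None  # offending process, sent with a malware/PUA event

class HeartbeatTable:
    """What the firewall learns from endpoint heartbeats, keyed by source IP."""
    def __init__(self):
        self.latest = {}

    def on_heartbeat(self, ip, hostname, user, health, now, process=None):
        health = health.lower()
        if health not in ACCESS_BY_HEALTH:
            raise ValueError(f"unexpected health value {health!r}")
        self.latest[ip] = Heartbeat(ip, hostname, user, health, now, process)

    def access_for(self, ip, now):
        """Access tier for traffic from ip at time now (seconds)."""
        hb = self.latest.get(ip)
        if hb is None:
            # Never heartbeated: the firewall knows only an IP, not a managed host
            return {"status": "no-heartbeat", "internal": False, "internet": True}
        if now - hb.seen_at > STALE_AFTER:
            # Health claim is no longer current; fall back to the yellow tier (assumption)
            return {"status": "stale", **ACCESS_BY_HEALTH["yellow"]}
        return {"status": hb.health, **ACCESS_BY_HEALTH[hb.health]}

    def identify_source(self, ip):
        """Active Source Identification: map an alert's IP to host, user and process."""
        hb = self.latest.get(ip)
        return None if hb is None else {"hostname": hb.hostname, "user": hb.user,
                                        "process": hb.process, "ip": ip}
```

The host names, user and process names used when exercising it are constructed sample values.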
Synchronized Security 2015

Comprehensive Next-Gen Endpoint (Sophos System Protector)
- Application Control, Application Tracking, Reputation, Web Protection, IoC Collector
- Security Heartbeat™, Threat Engine, Live Protection, Emulator, HIPS/Runtime Protection, Device Control, Malicious Traffic Detection

Comprehensive Next-Gen Network (Sophos Firewall Operating System)
- Routing, Email Security, Web Filtering, Intrusion Prevention System, Firewall
- Threat Engine, Security Heartbeat™, Proxy, Selective Sandbox, Application Control, Data Loss Prevention, ATP Detection

Next Generation Threat Detection
[Diagram: the Sophos System Protector and Sophos Firewall OS stacks above, linked through Sophos Cloud by the heartbeat]
On a user, system or file compromise:
- Isolate subnet and WAN access
- Block/remove malware
- Identify and clean other infected systems
Synchronized Security 2016

Improved Threat Detection
[Diagram: the Sophos System Protector and Sophos Firewall OS stacks, linked through Sophos Cloud by the heartbeat]
On a user, system or file compromise:
- Lock down local network access
- Remove file encryption keys
- Terminate/remove malware
- Identify and clean other infected systems
Automated Protection of Endpoints (Windows, Mac, mobile)
[Diagram: the Sophos System Protector and Sophos Firewall OS stacks, linked through Sophos Cloud by the heartbeat]
Steps: discover unmanaged endpoints; could it be managed?; self-service portal setup; user authentication; distribute security profile.
- The NGFW notes whether the endpoint is sending a Heartbeat (if it is, it is definitely managed).
- If not, the NGFW characterizes the endpoint by inspecting its traffic (is it Windows, Mac, a printer, an IP phone, a mobile device, etc.).
- The NGFW queries Cloud endpoint management with two questions: 1) Could it be managed (true for Windows, Mac and mobile; false for printers, IP phones, etc.)? 2) Is it managed already (to cover the case where Heartbeat is not yet supported on that platform)?
- If the device could be managed but is not, the NGFW redirects it to a self-service portal defined by the administrator so that it can become managed.
- The NGFW restricts network traffic from that device to that portal to protect the customer network. This is also an incentive for the device owner to make the device compliant.
- The portal authenticates the user (username/password).
- The portal presents device-dependent information, e.g. installers for the Cloud endpoint (Windows, Mac) or a registration page for mobiles.
- The portal can also contain the security profile for that customer, e.g. certificates to be installed to access the customer’s Wi-Fi and network resources.
Detect and Remediate Compromises
[Diagram: the Sophos System Protector and Sophos Firewall OS stacks, linked through Sophos Cloud by the heartbeat]
On a user, system or file compromise:
- Identify compromise
- Detect source
- Assess impact
- Block/remove malware
- Identify and clean other infected systems
Your path to Synchronized Security

Endpoint and Network working together
- Next-Gen Enduser Security, Sophos Cloud Endpoint: Cloud Enduser Protection; Cloud Endpoint Advanced
- Next-Gen Network Security, Sophos UTM: Network Protection module; FullGuard license; TotalProtect bundle
- Next-Gen Network Security, Next-Gen Firewall: Network Protection module; Next-GenGuard license; Next-GenProtect bundle

Already using Sophos
- Sophos Endpoint, Cloud managed*: deploy an XG Series Firewall; if you have SG Series, upgrade to Sophos Firewall OS.
- Sophos Endpoint, SEC managed: switch to a Sophos Cloud-managed endpoint option*; deploy an XG Series Firewall; if you have SG Series, upgrade to Sophos Firewall OS.
- Sophos Firewall user, XG Series: deploy a Sophos Cloud-managed endpoint*.
- SG Series user: in early 2016, upgrade to Sophos Firewall OS.
- UTM Series user: refresh your firewall with an XG Series appliance.
* Cloud Endpoint requires Sophos Cloud Endpoint Protection Advanced or Sophos Cloud Enduser Protection subscriptions.
Conclusion

The Synchronized Security difference (Sophos vs. competition)
- Synchronized Security vs. point products
- Simple vs. complex
- Comprehensive vs. incomplete
- Prevention, detection, investigation, remediation and encryption vs. prevention only
- Enduser, network, server, mobile, web, email and encryption vs. endpoint or network
- Automated vs. manual
- Blocks known, unknown, advanced and coordinated attacks vs. partial prevention

Revolutionizing advanced threat protection
Synchronized Security delivers:
- Accelerated Threat Discovery: faster, better decisions
- Positive Source Identification: quicker, easier investigation
- Automated Incident Response: reduced threat impact