
Malwarebytes.

Presentation on theme: "Malwarebytes."— Presentation transcript:

1 Malwarebytes

2 “We believe that everyone has a fundamental right to a malware-free existence”
– Our Vision

3 Why Malwarebytes
Proactive and generic exploit mitigation technology. Sophisticated linking engine. Aggressive detection techniques. Focus on zero-day threats.
80% of all malware is delivered via exploit kits (figure as stated on the slide; no source is given). 100% focused on dealing with zero-day malware and exploits. Thoroughly remediates the payload and all threat artifacts. We don't just remove threats; we prevent them.

4 Two ways to secure your endpoints
Remediation (reactive) versus prevention (proactive).

5 Breach Remediation (MBBR)

6 Putting out fires In the late 1800s and early 1900s, as buildings grew in size and number, the technology used to fight fires did not scale with them. Buildings burned to the ground as individuals ran from minor fire to minor fire, fighting them by hand. Since then many advances have been made, most notably automated sprinkler systems for large buildings, which allow an immediate response without human intervention: they save lives, time and effort. IT professionals face a similar problem with malware. They lack the tools to put out the "fire" and minimize the damage before it is too late. Detection and alarms have advanced and do a good job of notifying users of possible infections, but staff are still trying to put the fire out manually, without knowing what kind of fire they are fighting. Enter Breach Remediation: the automated response to breaches and malware attacks that reacts when the alarm systems are triggered.

7 Traditional Remediation
Advanced threat slips past network and endpoint defenses
Malware infects endpoint, hidden by thousands of alerts each day
About 200 days for the incident response team to detect the breach
4-8 hours to remediate the malware or reimage the compromised endpoint
When it comes to detecting and responding to a breach, it traditionally follows this pattern. Usually an advanced threat or attack slips past existing network and endpoint defenses and malware infects the endpoint. This activity is often hidden by the thousands of other alerts the security team receives each day. IR teams eventually detect the breach; the deck cites an average of 205 days after the initial attack (attributed to Gartner) or 256 days (Ponemon Institute). Once the IR team has completed its forensics, it takes IT staff an average of about 6 hours to remediate the malware and/or re-image the compromised endpoint, and this process is repeated dozens, hundreds, or thousands of times a day depending on the size of the business. Responding to advanced threats and cyber attacks with traditional security is like using a fire extinguisher: running from cyber fire to cyber fire, machine to machine, trying to mitigate the effects of an attack or breach and piece together the forensics of what happened. How many times a day does this happen to you? How much does it cost for staff to fix? What was your employee working on when this happened? What about lost productivity? What was the purpose of the attack? What did the attacker get? Repeat.

8 Advanced Threat Removal
Automated endpoint detection and remediation solution for desktops and laptops, data center and cloud servers, and existing security and management tools. Reduces incident response time, preventing breaches. Thoroughly remediates advanced threats and artifacts. Hunts for malware with custom IOCs. Proactive, reducing downtime drastically. Automated to save man-hours. Integrates with existing IT investments.
But there's a better way. As I mentioned, today I'm giving you a quick deep dive on Malwarebytes Breach Remediation, our endpoint detection and remediation (EDR) platform. It radically accelerates your ability to remove advanced threats from your endpoints. Breach Remediation is easily deployed onto enterprise desktops and laptops as well as Windows Servers running in data centers and clouds. Not only will it find advanced threats on these endpoints, it thoroughly remediates the payload and all associated threat artifacts. This comprehensive approach helps eliminate the possibility of new attacks or lateral movement that capitalize on leftover malware traces, and it is a key differentiator for Malwarebytes and the reason so many businesses and people trust us. It integrates with your existing security and management tools, creating new opportunities for enterprise-wide advanced threat detection and remediation. It's like having an automated sprinkler system that enables the whole enterprise to put out cyber fires as they appear across thousands of endpoints. With Breach Remediation's flexible scripting capabilities, we are able to integrate tightly with diverse environments, including their SIEMs and endpoint management tools.

9 Technical Features
Advanced malware remediation with anti-rootkit scanning
Intelligent heuristic- and definitions-based scanning engine
Automated remote malware discovery and remediation
Timeline view of forensic events
Custom OpenIOC threat indicators (XML format)
Four system scan types (Full, Threat, Hyper, Path)
Optional scan-and-remediate or scan-only modes
Quarantine management of detected threats
Event logging to a central location (CEF format)
No lasting footprint on the endpoint
Dedicated Mac malware and adware scanning engine
Extensible platform supports flexible deployment options
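Two of the features above, custom OpenIOC indicators and CEF event logging, are standard formats a practitioner has to produce and consume. The following is an added example in Python, not Malwarebytes code: it evaluates a constructed OpenIOC 1.0 indicator (AND/OR nesting, is/contains conditions) against a list of host file records and formats each match as a CEF line with the escaping CEF requires. The IOC document, the file records, the hashes and the CEF vendor/product strings are all constructed for the demo.

```python
"""Hunt with a custom OpenIOC indicator and log matches as CEF events.

Added example, not Malwarebytes code. The IOC document, the host file
records, the hashes and the CEF vendor/product strings are constructed.
"""
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed OpenIOC 1.0 document: hit on a known MD5, OR on a svchost.exe
# living under AppData\Roaming (a common masquerade location).
OPENIOC_XML = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="demo-0001"
     last-modified="2016-01-01T00:00:00">
  <short_description>Demo dropper (constructed indicator)</short_description>
  <definition>
    <Indicator operator="OR" id="top">
      <IndicatorItem id="i1" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">0123456789abcdef0123456789abcdef</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="sub">
        <IndicatorItem id="i2" condition="contains">
          <Context document="FileItem" search="FileItem/FileName" type="mir"/>
          <Content type="string">svchost</Content>
        </IndicatorItem>
        <IndicatorItem id="i3" condition="contains">
          <Context document="FileItem" search="FileItem/FullPath" type="mir"/>
          <Content type="string">\\AppData\\Roaming\\</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""

def _item_matches(item, record):
    """Evaluate one IndicatorItem against a flat record keyed by the Context
    'search' term. Matching is case-insensitive (assumption, as most tools do)."""
    term = item.find("ioc:Context", NS).get("search")
    expected = (item.find("ioc:Content", NS).text or "").lower()
    actual = record.get(term)
    if actual is None:
        return False
    actual = actual.lower()
    cond = item.get("condition", "is")
    if cond == "is":
        return actual == expected
    if cond == "contains":
        return expected in actual
    if cond == "starts-with":
        return actual.startswith(expected)
    if cond == "ends-with":
        return actual.endswith(expected)
    raise ValueError(f"unsupported condition {cond!r} in item {item.get('id')}")

def _indicator_matches(node, record):
    """Recursively evaluate an Indicator (operator AND/OR) over its children."""
    results = []
    for child in node:
        tag = child.tag.rsplit("}", 1)[-1]
        if tag == "IndicatorItem":
            results.append(_item_matches(child, record))
        elif tag == "Indicator":
            results.append(_indicator_matches(child, record))
    if not results:
        return False
    return all(results) if node.get("operator", "OR").upper() == "AND" else any(results)

def evaluate_ioc(ioc_xml, records):
    """Return the records that satisfy the IOC's top-level Indicator."""
    root = ET.fromstring(ioc_xml)
    top = root.find("ioc:definition/ioc:Indicator", NS)
    return [r for r in records if _indicator_matches(top, r)]

def _cef_header(value):
    return str(value).replace("\\", "\\\\").replace("|", "\\|")

def _cef_extension(value):
    return str(value).replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")

def to_cef(ioc_id, record, severity=8):
    """Format one match as a CEF:0 line: pipe-separated header, then key=value
    extensions, each part escaped as the CEF spec requires."""
    header = "|".join(_cef_header(v) for v in
                      ["CEF:0", "ExampleVendor", "IOCHunter", "1.0",   # placeholders (assumption)
                       ioc_id, "OpenIOC match", severity])
    extension = " ".join(f"{k}={_cef_extension(v)}" for k, v in [
        ("fname", record["FileItem/FileName"]),
        ("filePath", record["FileItem/FullPath"]),
        ("fileHash", record["FileItem/Md5sum"]),
    ])
    return header + "|" + extension

# Constructed host artifacts, one record per file.
HOST_FILES = [
    {"FileItem/FileName": "svchost.exe",
     "FileItem/FullPath": r"C:\Windows\System32\svchost.exe",
     "FileItem/Md5sum": "ffffffffffffffffffffffffffffffff"},      # real location: no hit
    {"FileItem/FileName": "svchost.exe",
     "FileItem/FullPath": r"C:\Users\bob\AppData\Roaming\svchost.exe",
     "FileItem/Md5sum": "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee"},      # name AND path: hit
    {"FileItem/FileName": "update.tmp",
     "FileItem/FullPath": r"C:\Temp\update.tmp",
     "FileItem/Md5sum": "0123456789abcdef0123456789abcdef"},      # known hash: hit
]

if __name__ == "__main__":
    for hit in evaluate_ioc(OPENIOC_XML, HOST_FILES):
        print(to_cef("demo-0001", hit))
```

The point of the nested AND is visible in the first record: a file named svchost.exe is not an indicator on its own, only the combination with a user-writable path is. The CEF escaping matters for the SIEM on the receiving end: Windows paths carry backslashes and file names can carry `=` or `|`, and an unescaped character silently shifts every later field.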

10 Better Together

11 Breaking the attack chain

12 Breaking the Attack Chain
Stages: Profiling, Delivery, Exploitation, Payload Execution (pre-execution); Malicious Behavior (post-execution).
Every modern attack proceeds through several stages, commonly referred to as the attack chain. Lockheed Martin coined the term "Cyber Kill Chain" for this idea; its model has seven stages (reconnaissance, weaponization, delivery, exploitation, installation, command and control, actions on objectives), and the five-stage version used in this deck is a simplification of it: 1. Profiling 2. Delivery 3. Exploitation 4. Payload execution. These first four stages are pre-execution; the last stage is post-execution of the attack payload. 5. Malicious behavior: any and all actions the attacker takes on the endpoint, whether stealing data, propagating the attack across more of the networked endpoints, or encrypting files in the case of ransomware.

13 Breaking the Attack Chain
Profiling (pre-execution): Application hardening reduces the vulnerability surface, making the computer more resilient, and proactively detects fingerprinting attempts by advanced attacks (signature-less). For the profiling stage, Malwarebytes uses fingerprinting detection and application hardening technology.

14 Breaking the Attack Chain
Delivery (pre-execution): Web protection protects users by preventing access to malicious websites, ad networks, scammer networks, and bad neighborhoods. For the delivery stage, web blocking technology prevents access to phishing and malicious websites.

15 Breaking the Attack Chain
Exploitation (pre-execution): Exploit mitigation proactively detects and blocks attempts to abuse vulnerabilities that remotely execute code on the machine, one of the main infection vectors today (signature-less). For the exploitation stage, signature-less exploit mitigation technology prevents the execution of shellcode.

16 Breaking the Attack Chain
Payload Execution (pre-execution): Application behavior protection ensures that installed applications behave correctly and prevents them from being abused to infect the machine (signature-less). Anti-malware combines heuristic and behavioral rules to identify entire families of known and relevant malware. For the payload execution stage, signature-less application behavior protection and malware behavior heuristics are used.

17 Breaking the Attack Chain
Malicious Behavior (post-execution): Anti-ransomware is a specialized behavior monitoring technology that detects and blocks ransomware from encrypting users' files (signature-less). Callback protection prevents access to command and control (C&C) servers and other malicious websites. The remediation engine quickly remediates the active component of the infection as well as all related artifacts. For the malicious behavior stage, specialized signature-less behavior monitoring, prevention of data leaks to C&C, and the remediation engine are used.

18 Breaking the Attack Chain
Malwarebytes Endpoint Security brings all of these protection and remediation technologies into one solution. This multi-layer defense model breaks the attack chain by combining advanced malware detection and remediation, malicious website blocking, ransomware blocking, and exploit protection in a single platform. Multi-stage attack protection gives companies of all sizes, across all industries, around the globe the ability to stop an attacker at every step. All of the layers that provide protection across the five stages of the attack chain are included in the Endpoint Security product.

19 Anti-Exploit Technology

20 Anti-exploit technology
Applications are used to fingerprint the victim so the criminals can attack more efficiently, then to deliver the payload silently, without any user interaction. Once the payload is in transit, exploitation of your applications and bypassing of the operating system's security commences. Finally, delivery is complete and the payload attempts to execute, either through an unacceptable application behavior or from a malicious memory area.

The slide illustrates the payload stage with the opening of a typical Windows x86 shellcode stub, which walks the PEB to find loaded modules so it can resolve API addresses without an import table:

```nasm
pusha                       ; save all registers
mov ebp, esp
xor edx, edx
mov edx, [fs:edx+0x30]      ; TEB -> PEB
mov edx, [edx+0xc]          ; PEB -> Ldr (PEB_LDR_DATA)
mov edx, [edx+0x14]         ; Ldr -> InMemoryOrderModuleList.Flink (first entry, at its InMemoryOrderLinks)
mov esi, [edx+0x28]         ; BaseDllName.Buffer of that module
movzx ecx, word [edx+0x26]  ; BaseDllName.MaximumLength, loop count for hashing the name
xor edi, edi                ; clear the hash accumulator
```
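The prologue on the slide is recognisable from its bytes alone, which is how a memory scanner flags it in heap or stack pages before the later layers ever see an API call. The following is an added example in Python, not Malwarebytes code: it searches a byte buffer for a `mov r32, fs:[...+0x30]` PEB load and raises its confidence when the Ldr (+0x0c) and InMemoryOrderModuleList (+0x14) loads follow. The byte encodings are standard x86; the sample buffers are constructed.

```python
"""Heuristic detector for the PEB/Ldr walk the shellcode on the slide starts with.

Added example, not Malwarebytes code. Encodings are standard x86; the
sample buffers are constructed.
"""

# The slide's instructions assembled (Metasploit block_api-style prologue):
# 60 pusha | 89 E5 mov ebp,esp | 31 D2 xor edx,edx | 64 8B 52 30 mov edx,[fs:edx+0x30]
# 8B 52 0C mov edx,[edx+0xc] | 8B 52 14 mov edx,[edx+0x14] | 8B 72 28 mov esi,[edx+0x28]
# 0F B7 4A 26 movzx ecx,word [edx+0x26] | 31 FF xor edi,edi
PEB_WALK_PROLOGUE = bytes.fromhex("6089e531d2648b52308b520c8b52148b72280fb74a2631ff")

def _fs30_load_len(buf, i):
    """Length of an x86 'mov r32, fs:[...0x30]' encoding at buf[i], or 0.
    Covers the three common forms: [fs:reg+disp8], fs:[disp32] via A1, fs:[disp32] via 8B."""
    if buf[i] != 0x64:                                   # FS segment override prefix
        return 0
    if buf[i+1:i+2] == b"\xa1" and buf[i+2:i+6] == b"\x30\x00\x00\x00":
        return 6                                         # mov eax, fs:[0x30]
    if buf[i+1:i+2] != b"\x8b" or i + 3 >= len(buf):
        return 0
    modrm = buf[i+2]
    mod, rm = modrm >> 6, modrm & 7
    if mod == 1 and rm != 4 and buf[i+3] == 0x30:
        return 4                                         # mov r32, [fs:r32+0x30]
    if mod == 0 and rm == 5 and buf[i+3:i+7] == b"\x30\x00\x00\x00":
        return 7                                         # mov r32, fs:[0x30] (disp32 form)
    return 0

def _find_mov_disp8(seg, disp):
    """Offset of the first 'mov r32,[r32+disp8]' (8B, modrm mod=01, rm!=4) in seg, else -1."""
    for k in range(len(seg) - 2):
        if seg[k] == 0x8B and (seg[k+1] >> 6) == 1 and (seg[k+1] & 7) != 4 and seg[k+2] == disp:
            return k
    return -1

def _ldr_walk_follows(buf, i, window=16):
    """API-resolution shellcode almost always follows the PEB load with
    PEB->Ldr (+0x0c) and then InMemoryOrderModuleList (+0x14)."""
    seg = buf[i:i+window]
    j = _find_mov_disp8(seg, 0x0C)
    return j >= 0 and _find_mov_disp8(seg[j+3:], 0x14) >= 0

def find_peb_walks(buf):
    """Return [(offset, confidence)] for every fs:[0x30] load in buf;
    confidence is 'high' when the Ldr module-list walk follows, else 'low'."""
    hits, i = [], 0
    while i < len(buf) - 3:
        n = _fs30_load_len(buf, i)
        if n:
            hits.append((i, "high" if _ldr_walk_follows(buf, i + n) else "low"))
            i += n
        else:
            i += 1
    return hits

# Constructed buffers: filler with the prologue at offset 40; a benign
# fs:[0x18] (TEB self pointer) access; a lone PEB load with nothing after it.
SHELLCODE_BUF = bytes(range(40)) + PEB_WALK_PROLOGUE + b"\x00" * 16
BENIGN_BUF = b"\x64\x8b\x0d\x18\x00\x00\x00" + b"A" * 32
LONE_PEB_LOAD = b"\x64\xa1\x30\x00\x00\x00" + b"\x90" * 20

if __name__ == "__main__":
    for name, buf in [("shellcode", SHELLCODE_BUF), ("benign", BENIGN_BUF), ("lone", LONE_PEB_LOAD)]:
        print(name, find_peb_walks(buf))
```

Compiled code also reads fs:[0x30] (the CRT and anything that inlines a debugger check do), so a scanner applies this only to pages that are not backed by a module image, which is exactly the distinction the next slide's layer 2 makes. The 64-bit equivalent reads gs:[0x60], and the Ldr offsets differ there.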

21 Anti-exploit technology
Layer 0, Application Hardening: Techniques which generically harden outdated or unpatched applications to be less susceptible to vulnerability exploit attacks.
Layer 1, Protection against OS Security Bypass: Advanced memory techniques prevent exploit shellcode from executing by detecting attempts to bypass DEP and/or use ROP gadgets.
Layer 2, Malicious Memory Caller Protection: Multiple 32- and 64-bit memory exploit mitigation techniques prevent exploits from executing payload code from malicious memory areas (heap, RW regions, etc.).
Layer 3, Application Behavior Protection: Blocks sandbox escapes (e.g. Java exploits) and malicious payloads from application-design-abuse exploits like Word macros, PowerPoint exploits, etc. This is the last line of defense against exploits that bypass the memory corruption mitigations.
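Layers 1 and 2 are implemented in products of this kind as checks that run when a hooked, security-sensitive API is entered. The following added example (not Malwarebytes Anti-Exploit code) models three of those generic checks in Python: the caller's return address must sit inside a mapped module image, the stack pointer must lie inside the thread's real stack (a pivoted ESP is the signature of a ROP chain), and no non-image memory may be made executable (the DEP bypass). The process region map, the thread stack bounds, the API names and the violation labels are constructed assumptions.

```python
"""Generic runtime checks behind anti-exploit layers 1 and 2, modelled as a
hook that runs on entry to a sensitive API.

Added example, not Malwarebytes Anti-Exploit code. Region map, stack bounds,
API names and violation labels are constructed assumptions.
"""
from dataclasses import dataclass

# Windows PAGE_* protection constants that carry execute rights.
PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x10, 0x20, 0x40, 0x80
EXEC_PROTECTS = {PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}
PAGE_READWRITE = 0x04

@dataclass(frozen=True)
class Region:
    base: int
    size: int
    perms: str       # "r-x", "rw-", ...
    image: str = ""  # backing module; empty for heap, stack and anonymous memory

    def contains(self, addr):
        return self.base <= addr < self.base + self.size

# Constructed 32-bit process map.
REGIONS = [
    Region(0x00400000, 0x00100000, "r-x", "app.exe"),
    Region(0x77000000, 0x00100000, "r-x", "kernel32.dll"),
    Region(0x00500000, 0x00100000, "rw-"),             # heap
    Region(0x0012C000, 0x00004000, "rw-"),             # main thread stack
]
THREAD_STACK = (0x0012C000, 0x00130000)                # (StackLimit, StackBase) as read from the TEB

def region_of(addr, regions=REGIONS):
    return next((r for r in regions if r.contains(addr)), None)

def check_api_call(api, caller, esp, args=None, regions=REGIONS, stack=THREAD_STACK):
    """Return the violations observed at one hooked API entry.
    caller: return address found on the stack (who called the API)
    esp:    stack pointer at hook entry
    args:   the API's arguments, used for the memory-protection checks"""
    args = args or {}
    violations = []
    # Layer 2: payload code calling the API from heap/stack/anonymous memory
    src = region_of(caller, regions)
    if src is None or not src.image:
        violations.append("caller-not-in-image")
    # Layer 1, ROP: a pivoted stack pointer outside the thread's real stack
    lo, hi = stack
    if not lo <= esp < hi:
        violations.append("stack-pivot")
    # Layer 1, DEP bypass: turning non-image memory executable
    if api == "VirtualProtect" and args.get("new_protect") in EXEC_PROTECTS:
        target = region_of(args.get("address", -1), regions)
        if target is None or not target.image:
            violations.append("dep-bypass-virtualprotect")
    if api == "VirtualAlloc" and args.get("protect") in EXEC_PROTECTS:
        violations.append("dep-bypass-virtualalloc")   # real products whitelist JIT engines here
    return violations

if __name__ == "__main__":
    # app.exe allocating an ordinary read/write buffer: clean
    print(check_api_call("VirtualAlloc", caller=0x00401234, esp=0x0012F000, args={"protect": PAGE_READWRITE}))
    # heap-sprayed shellcode making itself executable
    print(check_api_call("VirtualProtect", caller=0x00510000, esp=0x0012F000,
                         args={"address": 0x00510000, "new_protect": PAGE_EXECUTE_READWRITE}))
    # ROP chain: the return address is a gadget inside kernel32, but ESP points into the heap
    print(check_api_call("VirtualProtect", caller=0x77001000, esp=0x00520000,
                         args={"address": 0x00520000, "new_protect": PAGE_EXECUTE_READWRITE}))
```

The third case is why the stack-pivot check exists: a ROP chain calls the API from legitimate module code, so the caller check alone passes, and only the stack pointer gives it away. Real implementations add a "call-preceded" test (the return address must follow a call instruction) and exempt known JIT engines from the VirtualAlloc rule.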

22 Anti-exploit technology
Protects with four layers: The four layers work together to block exploits instantly. In the first stage of the attack, anti-exploit prevents shellcode execution; in the second stage it stops calls from malicious memory, sandbox escapes, and bypasses of the memory mitigations.
Saves bandwidth and resources: Malwarebytes Anti-Exploit for Business doesn't use a signature database like traditional endpoint security, so it doesn't require frequent updates and conserves network bandwidth. Its small 3 MB footprint and lean client further minimize use of system resources.
Conserves CPU cycles: Malwarebytes Anti-Exploit for Business doesn't waste valuable CPU cycles employing virtual machines, which makes it suited to older hardware and end-of-life operating systems such as Windows XP, which no longer receives security updates. Exploit mitigation reduces the exposure of an unpatched system; it does not replace patching, and an end-of-life OS should still be isolated and retired.
Hands free, maintenance free: The technology doesn't employ blacklisting/whitelisting or sandboxing, so it needs far less management by the IT department than traditional endpoint security. Malwarebytes Anti-Exploit for Business also requires minimal or no end-user interaction.
Protected browsers and components: Google Chrome, Mozilla Firefox, Internet Explorer, Opera, Java, Adobe Reader, Flash, Shockwave, and any other add-on that runs in the browser space.
Protected applications: wmplayer/wmplayer2, QuickTime, VLC Player, Adobe Acrobat Reader, Microsoft Word, Microsoft Excel, Adobe Acrobat Pro, Foxit Reader.

23 Anti-Malware Technology

24 Anti-malware technical features
Anti-Malware/Anti-Spyware: Our proprietary blend of heuristic and definitions-based technologies protects against these threats at zero hour, often before they have been identified by other security products.
Three System Scan Modes: Quick, Flash and Full.
Chameleon Technology: Prevents malware from blocking the installation of Malwarebytes Anti-Malware for Business on an infected endpoint so the infection can be remediated.
Malicious Website Blocking: Prevents access to known malicious IP addresses so that end users are proactively protected from downloading malware, hacking attempts, redirects to malicious websites, and "malvertising."
Advanced Malware Remediation: If your endpoint security fails to detect malware, our remediation tool will remove it completely.
File Execution Blocking: Prevents malicious threats from executing code and quarantines them to prevent malware attacks.
Command-Line Interface: Offers an alternative to the Malwarebytes GUI for control and flexibility, and enables import and export of client settings for faster configuration.
XML Logging: Provides reporting in a convenient human-readable and machine-readable format to simplify use by log analysis tools and data management.

25 Anti-malware technology
Proactive anti-malware scanning engine: Anything we can remediate we can prevent, stopping data breaches before they happen.
World's most advanced remediation engine: The sophisticated linking engine is the power behind our ability to remove all active threats and threat artifacts better than anyone else on the market.
Malicious website blocking (two-way traffic): Stops inbound and outbound communication with known bad locations, domains and advertising servers as well as command and control servers.
Compatible with legacy security solutions: Built purpose-specific to work with other security vendors to bolster clients' defenses, without interruption or conflict.
Prevents lengthy reimaging processes: Reimaging happens when you don't trust your remediation capabilities; Malwarebytes customers trust our capabilities and reimage significantly less than others.
* Malwarebytes research team conducted this test in 2014 with malware samples. Each competitor product was on the most current version available from their website, and was updated at 4-hour intervals to ensure a "play-fair" method of testing.

26 Anti-Ransomware Technology

27 Anti-Ransomware Technology
Purpose-built to stop ransomware: Engineered from scratch to defeat ransomware immediately. Traditional security offerings rely on obsolete techniques or a collection of repurposed technologies that were not originally built to combat ransomware.
Signature-less protection: Protects your data without the need of a signature, or of ever having seen the ransomware attack before.
Reduces vulnerability to ransomware attacks: Signature-less behavioral monitoring technology automatically detects and blocks unknown ransomware.
Protects your business data: Stops ransomware in its tracks before files are encrypted, eliminating the risk of data loss. Saves your business-critical data and helps you avoid paying cybercriminal ransom demands.
Compatible with legacy security solutions: Built purpose-specific to work with other security vendors to bolster clients' defenses, without interruption or conflict.
Small system footprint.
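Slides 17 and 27 both describe signature-less behavior monitoring that stops ransomware from encrypting files, without saying what the behavior looks like. The following added example in Python (not Malwarebytes code) shows the usual signal: one process rewriting many user documents with near-random, high-entropy content within a short window, tracked per process with a sliding window and answered with a single alert. The event stream, the process IDs and the thresholds are constructed assumptions.

```python
"""Signature-less ransomware detection over a stream of file-write events.

Added example, not Malwarebytes code. Event stream, process IDs and
thresholds are constructed assumptions.
"""
import hashlib
import math
from collections import defaultdict, deque

WINDOW_SECONDS = 10.0       # per-process sliding window (assumption)
MIN_FILES = 5               # distinct files rewritten inside the window (assumption)
ENTROPY_THRESHOLD = 7.2     # bits per byte; ciphertext sits close to 8
# Formats that are high-entropy by nature; writing these is not evidence.
HIGH_ENTROPY_FORMATS = {"jpg", "jpeg", "png", "gif", "zip", "gz", "7z", "mp3", "mp4"}

def shannon_entropy(data):
    """Empirical Shannon entropy of a byte string, in bits per byte."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def looks_encrypted(path, data):
    """One write is suspicious when the content is near-random and the file
    is not a format that is expected to be near-random."""
    ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
    return ext not in HIGH_ENTROPY_FORMATS and shannon_entropy(data) >= ENTROPY_THRESHOLD

class RansomwareMonitor:
    """Tracks suspicious writes per process and raises one alert per process
    once MIN_FILES distinct files were rewritten inside WINDOW_SECONDS."""
    def __init__(self):
        self._recent = defaultdict(deque)   # pid -> deque of (ts, path)
        self._alerted = set()

    def observe(self, event):
        """event: {"ts": seconds, "pid": int, "op": "write", "path": str, "data": bytes}.
        Returns an alert dict when the threshold is crossed, otherwise None."""
        pid = event["pid"]
        if pid in self._alerted or event["op"] != "write":
            return None
        if not looks_encrypted(event["path"], event["data"]):
            return None
        q = self._recent[pid]
        q.append((event["ts"], event["path"]))
        while q and event["ts"] - q[0][0] > WINDOW_SECONDS:
            q.popleft()                      # drop writes that fell out of the window
        files = {p for _, p in q}
        if len(files) < MIN_FILES:
            return None
        self._alerted.add(pid)
        return {"pid": pid, "action": "suspend-process-and-quarantine", "files": sorted(files)}

def _pseudo_ciphertext(tag, n=4096):
    """Deterministic near-random bytes standing in for encrypted file content."""
    return b"".join(hashlib.sha256(tag + j.to_bytes(2, "big")).digest() for j in range(n // 32))

PLAINTEXT = b"Quarterly revenue summary; see table 3 for the regional breakdown.\n" * 60

# Constructed stream: pid 4242 writes a normal text file, pid 1000 saves a
# photo, then pid 4242 rewrites six documents as .locked ciphertext in 6 s.
DEMO_EVENTS = [
    {"ts": 0.0, "pid": 4242, "op": "write", "path": r"C:\Users\bob\Documents\notes.txt", "data": PLAINTEXT},
    {"ts": 3.0, "pid": 1000, "op": "write", "path": r"C:\Users\bob\Pictures\photo.jpg",
     "data": _pseudo_ciphertext(b"jpg")},
] + [
    {"ts": 5.0 + i, "pid": 4242, "op": "write", "path": rf"C:\Users\bob\Documents\report{i}.docx.locked",
     "data": _pseudo_ciphertext(bytes([i]))}
    for i in range(6)
]

def run_demo(events=DEMO_EVENTS):
    mon = RansomwareMonitor()
    return [a for a in (mon.observe(e) for e in events) if a]

if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The alert fires on the fifth rewritten document, so up to MIN_FILES - 1 files are lost before the process is suspended; production monitors lower that cost with decoy (canary) files that no legitimate process should touch, and by treating mass renames to a new extension as a second signal. Backup-and-compress tools are the main false-positive class, which is why the high-entropy formats are excluded rather than all high-entropy data being flagged.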

28 Putting it all together

29 Demo Add final demo video
This is a sample demo video of what our multi-stage attack protection with MBES looks like!

30 Thank You!


