1
Threat Landscape & Introduction to Webroot
Sham Miah, UK Channel Manager
2
Today’s Threat Landscape
Agenda: Introduction; Traditional AV, how does it work?; Today's Threat Landscape; Need for Next Gen; Q&A.
So from an agenda perspective I'll cover: what is causing the confusion in the first place; why overall endpoint efficacy is far more important than today's outdated detection test rates; why on-system performance is such a critical part of endpoint security; and then what else really matters, like manageability, cost of ownership and administrative effort. I'll also cover whether paying more means getting more, and how price is just a small factor, not the primary one, in your endpoint security choice. And then some conclusions….
3
What makes Webroot a Smarter Cybersecurity™ solution?
What we Provide Endpoint, Mobile, Web Security, DNS Protection BrightCloud Threat Intelligence Services Proven Gartner MQ Visionary for Endpoint Protection Leading provider of threat intelligence to the security industry Industry’s best customer satisfaction score (96%) #1 - 30% share of MSPmentor 501 Survey MSPs #1 NA retail market share 30+ MILLION Licensed Endpoints 9k + Partners Business Customers 148k+ OEM Users Protected 27+ Who We Secure
4
What We Offer A Smarter Approach to Cybersecurity
Driven by BrightCloud® Threat Intelligence SecureAnywhere™ Business & Enterprise Web Security Web Security SecureAnywhere™ Business Mobile Protection for Android™ and iOS® OEM & Enterprise Mobile Security SDK SecureWeb™ Browser SDK Consumer Mobile protection for Android Secure browsing for iOS Mobile Protection BrightCloud® OEM & Enterprise Web Classification Web Reputation IP Reputation File Reputation Real-Time Anti-Phishing Mobile App Reputation Threat Intelligence Server Connectors to SIEMs, Splunk, NGFWs, UTMs and other security products Threat Intelligence Services SecureAnywhere™ Business Endpoint Protection Enterprise WAI Fraud Solution Identity Shield Consumer Antivirus Antivirus Suites Antivirus for PC Gamers Endpoint Protection
5
Threat Landscape
6
Cybercrime
"…for the first time in its history, cybercrime surpassed traditional crime in the UK"
"…global annual cybercrime costs will grow from $3 trillion in 2015 to $6 trillion by 2021"
"…cyber attacks against Irish businesses has almost doubled since 2012…nearly one in five incurred losses of between €92,000 and €4.6 million"
So I'd like to open with some quotes from recent studies… (read the quotes, then add notes). For those of you who don't know the NCA, it is a large government crime organisation in the UK that is similar in a lot of ways to the CIA or FBI. These types of predictions by Cybersecurity Ventures are tough to corroborate, as a lot goes undetected, but any study you can read today runs into the trillions. Data is the new global currency, so the growth of cybercrime shouldn't be surprising. The money available to criminals is driving amazing innovation from both sides of
7
Nearly 50% of Businesses Hit by Ransomware
8
It’s Here to Stay… Over $1B was paid to ransomware criminals in 2016
Source: CNN
9
The need for Multi-Vector Protection
†90%: phishing was behind 90% of security incidents and breaches in 2016.
*94% of all malware is unique to a single endpoint, making nearly all malware an unknown threat.
Sources: † Verizon 2017 Data Breach Investigations Report; * Webroot Threat Report 2017.
10
Social Engineering – Phishing Macro infection
So here is another phishing tactic: the infamous macro infection. This has been exploited maliciously since 1995, making it an attack vector that is celebrating its 20th birthday. This one is a fake postal service saying they failed to deliver a package. The attachment is a Word document and looks harmless (…next slide).
11
Social Engineering – Phishing Macro infection
They tell you that "This file is protected by Microsoft Office…" and that you have to enable the content to see the document. This is absolutely false, and this is the trick. Once you do, you are enabling a macro, and I have that macro VBS script here for you to see clearly. The macro will immediately resolve that URL, download and save the payload in your Documents folder, and then run it silently in the background. Now, if your anti-virus is good, then you have two chances of catching it: once when filtering the URL, and again when it is downloaded and trying to execute. If this file isn't stopped, then you could say goodbye to all of your files. This infection is the Locky infection, which we will talk about later. One way to protect against this is to make sure Office and Windows are updated, as macros are off by default. The best way for an admin to protect against this is to disable Windows Script Host by policy. This will stop this infection and many more from running. One overlooked way of protecting against phishing is employee or user education. There are lots of great educational games and courses free online, and you can also keep people on their toes by sending out fake phishing tests.
12
Ransomware Cryptolocker – Constantly evolving
Initially the security industry had successes against these infections: keys were grabbed from the machine, and keys were hacked and given to victims. However, these types of infections have evolved very, very quickly and with a ton of innovative improvements. By performing a system restore you could get your files back, but soon the infections would wipe the shadow copies on your machine and prevent this. Originally these infections would just encrypt documents, but now they target hundreds of different file types. They will even target files related to games: this includes saves, any mods you have, and profiles for games like DayZ. This also hits required game components from makers like Valve and Bethesda, and the Unreal Engine. CoinVault was the first to introduce a freebie option: you could decrypt one of your files using the feature, and this made victims more likely to pay out because they trusted that they would get their files back. PadCrypt actually had a live chat feature where you could chat to a criminal who would help walk you through the ransom-paying process if you were having trouble reading the instructions. Locky is an infection that scrambles the names of all the files it encrypts, which makes restoring from backup much trickier.
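As an added example (not from the Webroot deck), here is a small Python detection that looks for the two behaviours described on the macro and ransomware slides in process-creation logs: an Office application launching a script host or a program dropped in the user's Documents folder, and the shadow-copy deletion that ransomware added to defeat system restore. The Sysmon-style event lines, field names and paths are constructed for the example.

```python
import re

# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    r"ParentImage=C:\Program Files\Microsoft Office\WINWORD.EXE "
    r"Image=C:\Windows\System32\wscript.exe "
    r"CommandLine=wscript.exe C:\Users\alice\Documents\invoice.vbs",
    r"ParentImage=C:\Program Files\Microsoft Office\WINWORD.EXE "
    r"Image=C:\Users\alice\Documents\eWjhsd.exe CommandLine=eWjhsd.exe",
    r"ParentImage=C:\Windows\explorer.exe "
    r"Image=C:\Windows\System32\notepad.exe CommandLine=notepad.exe",
    r"ParentImage=C:\Users\alice\Documents\eWjhsd.exe "
    r"Image=C:\Windows\System32\vssadmin.exe "
    r"CommandLine=vssadmin.exe Delete Shadows /All /Quiet",
    r"ParentImage=C:\Windows\explorer.exe "
    r"Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c dir",
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "cmd.exe"}
# Shadow-copy removal: the step the deck says ransomware added to defeat system restore.
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete",
    re.IGNORECASE)
FIELD_RE = re.compile(
    r"(ParentImage|Image|CommandLine)=(.*?)(?=\s(?:ParentImage|Image|CommandLine)=|$)")

def parse_event(line):
    """Split 'Key=Value Key=Value' text into a dict; values may contain spaces."""
    return {m.group(1): m.group(2).strip() for m in FIELD_RE.finditer(line)}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(line):
    """Return the alert names raised by one event (empty list if benign)."""
    ev = parse_event(line)
    parent, image = basename(ev.get("ParentImage", "")), basename(ev.get("Image", ""))
    alerts = []
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        alerts.append("office_spawned_script_host")        # macro handing off to a script host
    if parent in OFFICE_APPS and "\\documents\\" in ev.get("Image", "").lower():
        alerts.append("office_ran_payload_from_documents")  # dropped payload run from Documents
    if SHADOW_DELETE.search(ev.get("CommandLine", "")):
        alerts.append("shadow_copy_deletion")
    return alerts

def scan(events):
    """Map each event index to its alerts, keeping only events that fired."""
    hits = {}
    for i, line in enumerate(events):
        alerts = detect(line)
        if alerts:
            hits[i] = alerts
    return hits
```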
13
Traditional & Next Generation Endpoint Protection
14
The problem with signatures
AV is vulnerable to blended, multiple-vector attacks and ever-changing polymorphic malware threats.
15
The problem with NextGen
NextGen solutions may only offer single-vector protection: only one chance of stopping the attack. One strike… you're out… GAME OVER!
16
What is Advanced Malware?
Stealthy, targeted, unknown. Typically criminal: theft, sabotage, espionage. Evades legacy-based defenses. Discovered after the fact.
Bottom line: malware has evolved to become a persistent threat with a potent delivery ecosystem. Most layered approaches that rely on traditional, signature-based defenses fail to fully contain advanced persistent threats (APTs). Enterprises must enhance their vigilance. Traditional defense tools are failing to protect enterprises from advanced targeted attacks and the broader problem of advanced malware. In 2013, enterprises will spend more than $13 billion on firewalls, intrusion prevention systems (IPSs), endpoint protection platforms and secure Web gateways.
Source: Malware, APTs, and the Challenges of Defense, Gartner (updated 26 December 2012)
17
Traditional Signature-based Antivirus Detection
A new file arrives. The antivirus client (on average 2 GB), whose signature DB receives daily/hourly updates from the update service, scans the code for a signature. Signature found: block execution. No signature found: open the file in emulation mode, then allow execution. Multiple scanning engines: slow.
18
What is Driving The Need for Smarter Endpoint Protection?
Poor efficacy: the volume and sophistication of new malware has exploded; many threats have never been seen before, so antivirus programs don't recognize them as harmful and allow them to pass; local signatures cannot be updated fast enough to protect against fast-moving threats.
Poor performance: more antivirus signatures are added and more "engines" are integrated to try to keep up, but this consumes processing power and slows endpoint performance.
Broadly distributed endpoints are difficult to manage: it is difficult to update policies and monitor status when the endpoint is not on the network, and infected systems require on-site staff or shipping the computer to re-image.
Need for more insight about endpoint activity: analysis of what is happening on each endpoint is needed to identify signs of a breach.
19
Webroot Threat Intelligence Network (WIN)
20
BrightCloud Threat Intelligence API
How we do it: Collective Threat Intelligence Platform
1. Input: millions of real-world endpoints. Millions of customer and partner nodes act as a real-time global Internet sensor network.
2. Cloud: an infinitely scalable and geo-redundant advanced cloud architecture.
3. Big Data: automated machine learning and hundreds of TB of constantly added threat data.
4. Services: powered by Webroot Threat Intelligence and the BrightCloud service portfolio coverage.
5. Feedback loop: a real-time feedback loop; collective intelligence; prediction grows more effective.
Pipeline: the Internet sensor network captures data; the contextual database (Internet DB, file DB, mobile DB) analyzes it; machine learning classifies it, highly accurate at massive scale; contextual analysis relates IPs, URLs, apps and files to threats; the BrightCloud Threat Intelligence API services publish operational threat intelligence to security partners and Webroot customers (millions); a continuous, self-improving loop.
Global threat databases: 20B URLs, 4B IPs, 600M domains, 7B file behaviors, 10M sensors, 15M mobile apps.
The Webroot Intelligence Network (WIN) is at the core of BrightCloud. Through millions of sensors around the world, including our customer endpoints, which are directly exposed to every kind of threat, WIN is able to automatically capture, analyze, classify, and publish threat intelligence and route it back to our customers and partners, creating a "network effect" of near-instantaneous protection throughout the network.
21
Webroot Threat Intelligence Platform
27+ billion URLs, 600+ million domains, 4+ billion IP addresses, 13+ billion file behavior records, 50+ million mobile apps, 40+ million connected sensors.
BrightCloud services continuously classify and score 95% of the internet, and monitor the entire IPv4 space and in-use IPv6.
The big data processing used in this platform, coupled with the massive scale of Webroot's machine learning and powerful contextual analysis engine, enables the Webroot® Threat Intelligence Platform to:
- Scan the entire IPv4 space and monitor in-use IPv6 addresses to continuously update a list of 8 to 12 million malicious IP addresses
- Classify and score the reputations of billions of URLs
- Detect new phishing sites in real time
- Analyze behaviors to classify the nature of over one million new, unique executable files each day
- Assess the risk of over 50 million new and updated mobile apps
22
Next Generation Smarter Endpoint Protection
23
Agent Tightly Controls Actions of Unknown Files
Layers: Webroot anti-virus inspection (anti-virus signatures; local lists of known bad and known good); Webroot Intelligence Network (global file reputation); behavioral analysis (static code and dynamic analysis, pseudo execution); journaling and rollback.
A new file enters the system:
1. One-to-one and one-to-many signatures are calculated locally. The cloud is queried and matching malicious files are blocked.
2. Untrusted files are run in an emulated environment where system changes are observed and virtualized but fully blocked.
3. The cloud is queried again with the new data. The new Infrared engine blocks based on intent, manner of entry, and reputation.
4. If still untrusted, the file is now permitted to execute but is closely watched. Webroot sits in kernel mode, between the suspicious application and the operating system (user data, registry, applications, processes, network, etc.), vetting all changes it attempts to make or data it tries to access. Any attempt to access the user's identity or private data is blocked immediately. All changes made to the system or data are journaled, taking a snapshot of the file, registry entry, etc. prior to the change. All system changes are bundled and submitted in packets to be analyzed against all other files in the cloud.
24
How Does it Work GOOD & BAD Cloud Predictive Intelligence
Diagram: a new file on a Webroot-protected workstation. Its file hash is sent to the cloud predictive intelligence (Webroot® Intelligence Network: known file hash database, behaviors database, other threat database). Has WIN seen this file before? Yes, good: execute. Has WIN seen this file before? Yes, bad: block.
So… how do we do this? I'll keep it fairly simple. We call these next few slides the "Good", the "Bad", and the "Ugly" or "Unknown". I think this will help you understand our approach and core concepts. To start, we take a snapshot of each file executing on your machine and create a hash value that uniquely identifies each file. We then compare that hash to all of the hashes we have ever seen in the Webroot Intelligence Network. If we have seen the hash before and it is classified as a known "Good", then that file is allowed to execute. Good eliminates ~98% of event data from the admin's or security analyst's view. Similarly, if we have seen the hash before and it is classified as a known "Bad", then that file is not allowed to execute. Bad accounts for 0.2% of overall endpoint event data. This comparison activity is completed in milliseconds.
25
Known File Hash Database Webroot® Intelligence Network
How does it work? Diagram: (1) a new file on a Webroot-protected workstation; its file hash is sent to the cloud predictive intelligence (Webroot® Intelligence Network: known file hash database, behaviors database, other threat database). Has WIN seen this file before? No, unknown. (2) Pseudo execution on the local machine; behavioral analysis and categorization; analyze categories of behaviors. Has WIN seen this behavior before? Yes, bad: block the file, roll back file changes, and add the bad file hash to the database.
Then there is what we call the "Unknowns"…. If we have not ever seen that hash previously, then we will unpack and "pseudo-execute" that file in our safe "sandbox" inside the client. There, we observe, analyze, and categorize in further detail all the behaviors of that file. We then send that data back up to our cloud and ask whether we have seen those behaviors before. In this case, we have seen that behavior before, so we now mark that file as a known "Bad" and we block the execution of the file.
26
Single-Vector approach
Attack vector stage: web browsers, display ads, hyperlinks, files, social media apps, external devices like DVD or USB drives.
Payload delivery stage: adware, spyware, ransomware, phishing attacks, keyloggers, viruses, and rootkits.
Infection/remediation: no one can prevent all infections instantly, so it's critical that remediation is easy, fast and complete.
Single vector: one decision, block or allow?
27
Multi-Vector, Multi-Stage protection
Attack vector stage: web browsers, display ads, hyperlinks, files, social media apps, external devices like DVD or USB drives. Shields: Web Threat Shield, Identity Shield, USB Shield, Infrared Shield, Smart Firewall, Self-Protection Shield, Real-Time Anti-Phishing.
Payload delivery stage: adware, spyware, ransomware, phishing attacks, keyloggers, viruses, and rootkits. Shields: Real-Time System Shield, Offline Shield, Rootkit Shield, Zero-Day Shield, Behavior Shield, Core System Shield.
Infection/remediation: no one can prevent all infections instantly, so it's critical that remediation is easy, fast and complete. Monitoring and journaling, quarantine, rollback and auto-remediation.
With Multi-Vector Protection (MVP) you have multiple chances at multiple attack stages to block or stop a threat before it succeeds.
28
Real World Scenario – Phishing Attack
Attack stage, delivery stage, infection/remediation.
Vector 1: the user receives a phishing from "UPS" to track a package… (Web Threat Shield)
Vector 2 (link): the user clicks on the "track your package" link, which then… (Behavior Shield, Real-Time Anti-Phishing)
Vector 3 (browser): opens a web browser and…. (Real-Time Shield)
Vector 4 (malicious website): takes them to a malicious site disguised as a legitimate website. (Auto-Remediation)
- First, our Web Threat Shield protects the user from visiting known malicious sites by looking up URL and IP reputations in our real-time threat intelligence platform. No access means no infection, and the threat is BLOCKED. But let's say we don't know anything about this particular URL…
- Next, our Real-Time Anti-Phishing technology jumps ahead and scans the site to determine, with more than 90% accuracy, whether the user is being directed to a phishing site, and if so, we'll BLOCK it. But let's say we miss this one…
- Now a malicious payload has been installed. Our endpoint agent creates a "fingerprint" for this file and checks in with our Known Files Database to see if we have a determination of good or bad for this particular file, and if it is bad, we'll BLOCK it. Let's say we have never seen this particular file before…
- Next, the agent performs a pre-execution behavioral analysis, collects the characteristics the file will demonstrate upon execution, and compares them to more than 13 billion file behavior records in our intelligence platform. If the behavioral characteristics are consistent with known malware, execution will be BLOCKED. Let's say in this case we are unable to make a pre-execution determination…
- We allow the file to execute, and now our Journaling and Rollback feature kicks in. The agent begins journaling all changes to the system that are attributable to the file's execution, while it continues to monitor its behaviors and check them against the file behavior records database in our intelligence platform.
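A simplified Python model, added here and not Webroot's code, of the pipeline the deck describes on the "Good", "Bad", "Unknown" slides and in this phishing scenario: a hash lookup against a known-good/known-bad database, execution of an unknown file under journaling, a behaviour check against a behaviour profile, and rollback of its changes. The hash database, the behaviour profile, and the file operations of the constructed Locky-like sample are all assumptions made for the example.

```python
import hashlib
import os
import tempfile
# Constructed reputation data: SHA-256 of known files, plus one known-bad behaviour
# profile (creates new files while deleting existing ones: rename-and-encrypt).
KNOWN_GOOD = {hashlib.sha256(b"trusted-installer-v1").hexdigest()}
KNOWN_BAD = {hashlib.sha256(b"known-locky-sample").hexdigest()}
BAD_BEHAVIOR_PROFILES = [{"write_new", "delete_existing"}]

def classify_hash(program):
    """Step 1: look the file's hash up in the known-file database."""
    d = hashlib.sha256(program).hexdigest()
    return "good" if d in KNOWN_GOOD else "bad" if d in KNOWN_BAD else "unknown"

class Journal:
    """Snapshots each file before an untrusted program touches it; tags behaviours."""
    def __init__(self):
        self.snapshots = {}   # path -> original bytes, or None if the file did not exist
        self.behaviors = set()
    def record(self, path, action):
        if path not in self.snapshots:
            self.snapshots[path] = open(path, "rb").read() if os.path.exists(path) else None
        self.behaviors.add(action + ("_new" if self.snapshots[path] is None else "_existing"))
    def rollback(self):
        """Undo every journaled change: restore originals, remove created files."""
        for path, original in self.snapshots.items():
            if original is not None:
                with open(path, "wb") as f: f.write(original)
            elif os.path.exists(path):
                os.remove(path)
        self.snapshots.clear()

def run_untrusted(program, ops):
    """Steps 2-4: block known bad; run anything else's (constructed) file operations
    under journaling; roll back an unknown file whose behaviours match a bad profile."""
    verdict, journal = classify_hash(program), Journal()
    if verdict == "bad":
        return "blocked_by_hash", journal
    for action, path, data in ops:
        journal.record(path, action)
        if action == "write":
            with open(path, "wb") as f:
                f.write(data)
        elif action == "delete":
            os.remove(path)
    if verdict == "unknown" and any(p <= journal.behaviors for p in BAD_BEHAVIOR_PROFILES):
        journal.rollback()
        return "rolled_back", journal
    return "allowed", journal

def demo():
    """Unknown sample encrypts a document under a scrambled name, deletes the original
    and drops a note; returns the outcome, the document's bytes and the directory listing."""
    with tempfile.TemporaryDirectory() as d:
        doc = os.path.join(d, "report.docx")
        with open(doc, "wb") as f: f.write(b"original report")
        outcome, _ = run_untrusted(b"never-seen-sample", [
            ("write", os.path.join(d, "A1B2C3.locky"), b"\x9f\x13encrypted"),
            ("delete", doc, None),
            ("write", os.path.join(d, "README.txt"), b"pay to decrypt")])
        content = open(doc, "rb").read() if os.path.exists(doc) else None
        return outcome, content, sorted(os.listdir(d))
```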
29
A Smarter Approach to Cybersecurity
Smarter Detection: behavior-based, not signature-based. One of its kind, cloud-based, predictive protection.
Smarter Remediation: remediation automatically returns infected devices to their uninfected state. No need to reimage or wipe devices.
Smarter Management: automatic software updates. Minimal user performance impact. Industry's best performance.
Smarter Threat Intelligence: real-time analysis of URLs, IPs, files, applications, and phishing sites.
Smarter Protection: any time a threat is encountered by one customer, all other customers are protected from that threat in real time.
Smarter Incident Response: integrates into SIEM, NGFW, access points and MDMs.
Smarter Support: one-click support. Most problems are resolved in under 10 minutes. Customer satisfaction rating of over 96%.
Smarter Future: ready for the next generation of devices, the Internet of Everything.
Smarter Cybersecurity™ Solutions
30
Awards & Accolades
- Edison Award for Innovation
- PC Mag 16-time award winner
- Frost & Sullivan Innovation Award
- Gartner "Visionary" (Endpoint Security Platform)
- PassMark validation: fastest, lightest, least disruptive endpoint
- Insight Cloud Partner of the Year
- Named "Trailblazer" by Radicati Group
- Denver Post Top Workplaces 2014
31
Thank You