Integrated endpoint / Automated EDR...Thierry Gourdin –Head of Presales France, North and West...
Integrated endpoint / Automated EDR
Thierry Gourdin – Head of Presales France, North and West Africa
Kaspersky
Modern threat landscape
STEALTHY & EVASIVE: leveraging legitimate tools and fileless techniques for malicious ends
COMPLEX & PERSISTENT: multiple kill chain phases, iterating phases multiple times
HIGH IMPACT: enterprises are lucrative targets for attackers (e.g. the popularity of ransomware)
Organizations recognize:
The rise in threat numbers
The growing complexity of attack scenarios
The financial impact of threats
Compliance issues that must be dealt with
Today's organizational challenges

70% of companies find it hard to hire skilled personnel in multiple IT-security roles*

*Source: Cybersecurity Through the CISO's Eyes: Perspectives on a Role, 451 Research, 2019

When resources are limited, businesses need to:
• Leverage the most automation
• Use precious resources for value-added activity
• Add additional capabilities to counter today's threat landscape
• Augment in-house staff with managed services

Every business needs to be able to stop complex threats, despite the global shortage of IT security personnel and expertise.
[Slide: Kaspersky portfolio pyramid, mapping tiers to threat classes and audiences]
Tier 1, Security Foundations (People, Data, Support, Network, Intelligence, Privacy) with Automated EDR: addresses the BROADER THREAT LANDSCAPE; aimed at the IT Manager.
Tier 2, Integrated cybersecurity with EDR Optimum: addresses ADVANCED THREATS AND TARGETED ATTACKS; aimed at the IT Security Manager.
Tier 3, Advanced Defense with the Anti Targeted Attack Platform and Expertise services: addresses TARGETED CAMPAIGNS AND CYBER WEAPONS; aimed at a Mature IT Security Team or SOC.
What do we at Kaspersky mean by Automated EDR?

Traditional primary EDR capabilities, and the Kaspersky response based on automated EDR capabilities:

Advanced detection: advanced detection of vulnerabilities and unknown threats using multi-layered engines based on behavior analysis: Fileless Threat Detection, Adaptive Anomaly Control, Exploit and Vulnerability Detection, Threat Intelligence (KSN), etc.

Response actions to detected threats: automated response and recovery (remote connection, threat blocking, quarantine, roll-back, blocking based on KSN verdicts, etc.)

Visibility: detects information, but does not support root cause analysis (+ EDR Optimum)

IoC search: only executable hash scan (+ EDR Optimum)

Threat hunting: Automated EDR is positioned for businesses without specific IT security expertise, and where manual threat hunting tools would be of no value (+ EDR Expert)

KESB with Automated EDR defends every endpoint on the infrastructure against complex threats. This is much more effective than using traditional EDR functionality enabled selectively only on critical endpoints due to financial or resourcing constraints.
An advanced suite with Automated EDR

• Remediation Engine
• Exploit Detection
• Behavior Detection
• Adaptive Anomaly Control
• Vulnerability Detection / Patch Management
• Automatic Sandbox

Improved detection and automated response to advanced threats, with no additional investment in staff and in-house expertise.
Kaspersky Endpoint Protection Components

POWERFUL MULTI-LAYERED PROTECTION FROM ALL FORMS OF CYBER-THREAT
• Firewall
• Network Threat Protection
• File, Web, Mail Threat Protection
• Heuristics Scanning
• Cloud-enabled Protection
• Exploit Prevention
• Behavioural Detection
• Remediation Engine
• Anti-Cryptor

The best security foundation possible: Kaspersky industry-leading protection against known, unknown and advanced threats.
Limit the ATTACK SURFACE
"An attack surface is the total sum of vulnerabilities that can be exploited to carry out a security attack."

Access the vulnerability status of your environment with simple reporting and real-time results, without introducing complex hardware or time-consuming scans.
• REAL-TIME OR ON-DEMAND VULNERABILITY SCAN
• DETECTION AND PRIORITIZATION OF VULNERABILITIES (MS and non-MS applications)
• DISTRIBUTES RELEVANT UPDATES TO DEVICES AND INSTALLS THEM, PATCHING THE VULNERABILITIES (MS and non-MS applications)
Reducing your risk of falling victim to a targeted attack

Unparalleled defense against
• Fileless threats
• PowerShell and script-based attacks
• Software exploits
• Web miners and threats
• Ransomware
• Mobile malware
• Advanced threats

Unlike products from our leading competitors, we also provide:
• Automated EDR
• Unified security management
• Integration with your systems
• Multi-layered protection
• Hardening and zero trust
• Visibility & inventory
Network Security Monitoring & IT Hygiene

You need to be prepared to face any and all attacks, but you can't fix what you can't see.
• WHAT ENDPOINTS (PHYSICAL, VIRTUAL) ARE ON MY NETWORK?
• WHAT APPLICATIONS ARE MY USERS RUNNING?
• WHICH CONNECTIONS ARE ACTIVE ON MY ENDPOINT?

• FULL HARDWARE INVENTORY
• FULL SOFTWARE INVENTORY
• ANTI-SPOOFING
• ANTI-BRIDGING, WIFI CONTROL

• See what apps are CURRENTLY running on which hosts
• Eliminate unprotected and unmanaged systems
• Real-time application and hardware inventory
• Block unwanted connections, devices, applications
Kaspersky Sandbox

Detect complex threats: zero-day exploits, new and unknown threats, attacks designed to bypass EPP.
• Dynamic threat emulation
• Minimal impact on productivity
• Multiple operation modes
• Evasion prevention
• Automatic IoC generation
• Automatic scan & prevention
Kaspersky Sandbox Asynchronous Mode

[Diagram: object flow between Kaspersky Endpoint Security for Business agents, Kaspersky Sandbox and Kaspersky Security Center]

Collect: an object arriving at the endpoint (for example from the Internet) is sent by Kaspersky Endpoint Security for Business to Kaspersky Sandbox.
Analyze: the object is emulated in test virtual machines, with counter-evasion techniques, several emulation modes and user action modeling. Artifacts are collected, including module loading and interaction with internet resources.
Get verdict: the verdict is sent to Kaspersky Security Center.
Automatic prevention: the verdict is pushed to Kaspersky Endpoint Security for Business, IoCs are generated automatically and the infrastructure is scanned for them.

What actions can be done by KSB (Kaspersky Sandbox):
Local
• Notify user
• Push Critical Area scan
• Remove and quarantine
Group
• Find indicators of compromise on the managed group
  • Remove and quarantine after indicators of compromise are found
  • Push Critical Area scan after indicators of compromise are found

Components: Kaspersky Sandbox, Kaspersky Endpoint Security for Business agents, Kaspersky Security Center.
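The collect / analyze / verdict / automatic-prevention loop above, including the automatic IoC generation and the group scan that drives the "remove and quarantine" and "push Critical Area scan" actions, as an added Python example. This is illustrative code, not Kaspersky's: the shape of the sandbox report and of the endpoint telemetry, the host names, paths, hosts and hashes are all constructed for the demonstration.

```python
"""Sandbox verdict -> IoC generation -> group scan -> response plan.

Added example, not Kaspersky code. The sandbox report and endpoint
telemetry shapes are assumptions; all sample data is constructed.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Indicators:
    """IoCs derived from one sandbox detonation."""
    sha256: set = field(default_factory=set)   # sample plus dropped/downloaded files
    hosts: set = field(default_factory=set)    # domains / IPs the sample contacted


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed artifacts standing in for the detonated sample and its drop.
MALICIOUS_DOC = b"%PDF-1.7 constructed sample with embedded script"
DROPPED_EXE = b"MZ constructed second-stage payload"

# Constructed sandbox report (field names are assumptions).
SANDBOX_REPORT = {
    "verdict": "malicious",
    "sample_sha256": sha256_hex(MALICIOUS_DOC),
    "dropped_files": [
        {"path": r"C:\Users\Public\update.exe", "sha256": sha256_hex(DROPPED_EXE)},
    ],
    "network": ["Cdn-Update.Example", "203.0.113.7"],
}

# Constructed telemetry for three managed endpoints: file hashes seen on disk
# and hostnames resolved. WS-099 no longer has the file but is still beaconing.
ENDPOINTS = {
    "WS-042": {
        "files": {
            r"C:\Users\alice\Downloads\invoice.pdf": sha256_hex(MALICIOUS_DOC),
            r"C:\Users\Public\update.exe": sha256_hex(DROPPED_EXE),
            r"C:\Windows\notepad.exe": sha256_hex(b"constructed benign binary"),
        },
        "dns": ["cdn-update.example", "login.microsoftonline.com"],
    },
    "WS-017": {
        "files": {r"C:\Windows\notepad.exe": sha256_hex(b"constructed benign binary")},
        "dns": ["login.microsoftonline.com"],
    },
    "WS-099": {"files": {}, "dns": ["CDN-UPDATE.EXAMPLE"]},
}


def build_iocs(report: dict) -> Indicators:
    """Automatic IoC generation: only a malicious verdict yields indicators."""
    iocs = Indicators()
    if report["verdict"] != "malicious":
        return iocs
    iocs.sha256.add(report["sample_sha256"])
    iocs.sha256.update(f["sha256"] for f in report["dropped_files"])
    iocs.hosts.update(h.lower() for h in report["network"])
    return iocs


def scan_endpoint(name: str, telemetry: dict, iocs: Indicators) -> dict:
    """Match one endpoint's telemetry against the IoC set (hosts compared case-insensitively)."""
    hash_hits = {path: h for path, h in telemetry["files"].items() if h in iocs.sha256}
    dns_hits = sorted({d.lower() for d in telemetry["dns"]} & iocs.hosts)
    return {"endpoint": name, "hash_hits": hash_hits, "dns_hits": dns_hits}


def plan_response(match: dict) -> list:
    """Map matches to the slide's group actions: quarantine the files that were
    found, then push a Critical Area scan and notify the user on any hit, so a
    host that only shows the network indicator still gets scanned."""
    actions = [f"quarantine {path}" for path in sorted(match["hash_hits"])]
    if match["hash_hits"] or match["dns_hits"]:
        actions += ["push critical-area scan", "notify user"]
    return actions


def sweep_group(endpoints: dict, report: dict) -> dict:
    """Find IoCs across the managed group and return a response plan per endpoint."""
    iocs = build_iocs(report)
    return {name: plan_response(scan_endpoint(name, t, iocs)) for name, t in endpoints.items()}


if __name__ == "__main__":
    for host, actions in sweep_group(ENDPOINTS, SANDBOX_REPORT).items():
        print(host, actions or ["no indicators found"])
```

The point the slide's table makes about "only executable hash scan" is visible here: the hash set catches the document and the dropped binary on WS-042, but it is the contacted host that flags WS-099, where the payload has already been removed and only the beacon remains.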
Sandbox Advantages

Detection rate increase: the DR increase has many causes.

Malware testing: threat actors always test new samples before spreading them in the wild.

Farms: threat actors often have farms for testing threats against known endpoint security solutions. But they don't have exclusive tools, such as the Sandbox.

Low profile: some samples just won't run if the presence of a security solution is detected. This can result in malware that was tested against AV being passed on to an unprotected workstation.

Dumps, dropped and downloaded files: memory dumps can be scanned. On endpoints this can cause performance issues. Drops and downloads are correlated with the original sample.

Isolated environment: activities and artifacts within the sandbox are related to sample execution and can be analyzed.

Traffic: all traffic (outgoing as well) gathered during execution in the sandbox is scanned with a comprehensive set of Snort/Suricata rules. The sandbox can decrypt traffic freely, unlike endpoint security solutions.

Activities: the activities of all processes can easily be used for detection. Endpoint solutions have to handle trusted processes with caution to avoid interrupting the user's work.
Migration or coexistence: it's your decision with a New Cloud Console

We continue to support scenarios where some users still need to be managed by an on-premises installation. But with our new SaaS offering, we take care of console upgrades and much more, at no extra cost.

› Unified management for both protection and systems management.
› Available to manage via either an on-premise or web console.
› Management of multiple products and solutions under one 'pane of glass'.
Unified Security Management
• Mobile Device Protection
• Workstation Protection
• Hybrid Cloud Protection
• Server Protection
• SCADA Protection
• Embedded Systems Protection
• NAS Storage Protection
• SAN Storage Protection
• Application Control
• Web Control
• Device Control
• Vulnerability Assessment
• Patch Management
• OS Deployment
• Application Deployment
• SIEM Integration
• Remote Access
• Data Encryption
Integrated Proposal for the Mainstream Market

Maximum automation, simple to operate, from a UNIFIED CONSOLE:
• Visibility across endpoints
• Automated root cause analysis
• Threat evidence discovery
• In-depth dynamic analysis (automatic sandbox detect)
• A range of response actions
• Behavior detection & machine learning
• Adaptive anomaly control
• Exploit & fileless protection
• Vulnerability assessment & patch management
• Remediation engine
Maximizing the number of incidents processed, without increasing your manpower costs

[Diagram: Kaspersky Security Center at the center, connected to the endpoint agents, EDR Optimum, the Automated Sandbox and a SIEM]

Kaspersky Security Center: central management, alerts management, status & updates, health check
EDR Optimum: attack spread path, full info on the incident, undemanding and time efficient, IoC scan, automated and 'single click' response
Automated Sandbox: dynamic threat emulation, automatic scan & prevention, automatic IoC generation, multiple operation modes
SIEM: export in CEF format
Endpoint agents
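The "export in CEF format" box is the piece of this diagram a SIEM team actually has to get right, so here is an added Python example (not Kaspersky code, and not the product's export format) of what a CEF line is: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension, where the seven header fields escape only backslash and pipe, while the key=value extension escapes backslash, equals sign and newlines. A parser is included so the round trip shows the escaping working; the vendor/product strings, field names and the alert itself are constructed for the demonstration.

```python
"""Serialize an endpoint alert as a CEF line for SIEM export, and parse it back.

Added example, not Kaspersky code. Vendor/product strings, field names and
the alert itself are constructed for the demonstration.
"""
import re

CEF_VERSION = 0
HEADER_KEYS = ("vendor", "product", "version", "signature_id", "name", "severity")


def _esc_header(value) -> str:
    # Header fields are pipe-delimited, so '\' and '|' must be escaped.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value) -> str:
    # Extension values: '\' and '=' are escaped, line breaks become a literal "\n".
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r\n", "\\n").replace("\n", "\\n").replace("\r", "\\n"))


def to_cef(header: dict, extension: dict) -> str:
    """CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension"""
    fields = "|".join(_esc_header(header[k]) for k in HEADER_KEYS)
    ext = " ".join(f"{k}={_esc_ext(v)}" for k, v in extension.items())
    return f"CEF:{CEF_VERSION}|{fields}|{ext}"


# A header field is any run of escape pairs or characters other than '|' and '\'.
_FIELD = r"((?:\\.|[^|\\])*)"
_HEADER_RE = re.compile(r"^CEF:(\d+)\|" + r"\|".join([_FIELD] * 6) + r"\|(.*)$", re.S)
# An extension value runs until a space that is followed by the next key=.
_EXT_RE = re.compile(r"(\w+)=((?:[^\\ ]|\\.| (?!\w+=))*)")


def _unesc(s: str) -> str:
    # Undo one level of escaping; the two-character sequence \n becomes a newline.
    return re.sub(r"\\(.)", lambda m: "\n" if m.group(1) == "n" else m.group(1), s)


def parse_cef(line: str) -> dict:
    """Split a CEF line into its header fields and an extension dict."""
    m = _HEADER_RE.match(line)
    if not m:
        raise ValueError("not a CEF line")
    version, *hdr, ext = m.groups()
    parsed = {"cef_version": int(version), **dict(zip(HEADER_KEYS, map(_unesc, hdr)))}
    parsed["extension"] = {k: _unesc(v) for k, v in _EXT_RE.findall(ext)}
    return parsed


# Constructed alert. The name carries a '|' and the path an '=' to show why escaping matters.
ALERT_HEADER = {
    "vendor": "ExampleVendor", "product": "Automated EDR", "version": "11.0",
    "signature_id": "behavior-1001",
    "name": "Fileless attack: powershell.exe | encoded command",
    "severity": 8,
}
ALERT_EXTENSION = {
    "rt": "Jan 14 2020 10:42:17",
    "shost": "WS-042",
    "suser": "CORP\\alice",
    "sproc": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "filePath": r"C:\Users\alice\AppData\Local\Temp\a=b.ps1",
    "fileHash": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",  # constructed
    "act": "process terminated, file quarantined",
    "cs1Label": "verdict", "cs1": "malicious",
}

if __name__ == "__main__":
    line = to_cef(ALERT_HEADER, ALERT_EXTENSION)
    print(line)
    print(parse_cef(line)["extension"]["filePath"])
```

If you write such an exporter for a real deployment, the Windows paths are the usual trap: every backslash in a path must be doubled in the extension, and a consumer that does not unescape them will store `C:\\Users\\...` and then fail to match file-path IoCs against it.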
Kaspersky EDR Optimum

• Kill chain visualization
• Full info on the incident
• Automated and manual response
• Root cause analysis
• Automated creation and scan for IoCs
• No additional hardware required

Visibility and response (EDR Optimum)
Visibility into:
• Connections
• Process injection
• File drops
• Registry key modifications
• Anomalies in user behavior

After detecting a threat, response options include both automated actions and single-click manual response. Kaspersky EDR Optimum combines high levels of automation, including processes like importing and generating IoCs, initiating further scans and responding to incidents, with single-click manual response options.
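What "root cause analysis" and "kill chain visualization" mean in practice, as an added Python example (illustrative code, not Kaspersky's): given process-start, network, file-drop and registry events from one host, walk the parent chain from the alerted process back to the first process whose parent was never observed, then render the subtree with each process's activity and collect the files, keys and destinations it touched, which is the material for the automatically created IoCs and for remove/quarantine. The event schema and every event below are constructed.

```python
"""Root cause analysis and kill chain view from endpoint telemetry.

Added example, not Kaspersky code. The event schema (type, pid, ppid, image,
cmdline, path, key, dst, ts) and every event below are constructed.
"""
from collections import defaultdict

EVENTS = [
    {"type": "process", "ts": 1, "pid": 4012, "ppid": 812,
     "image": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE"},
    {"type": "file", "ts": 2, "pid": 4012, "op": "create",
     "path": r"C:\Users\alice\AppData\Local\Temp\invoice_Q3.docm"},
    {"type": "process", "ts": 3, "pid": 4188, "ppid": 4012,
     "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"type": "process", "ts": 4, "pid": 4300, "ppid": 4188,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"type": "net", "ts": 5, "pid": 4300, "dst": "203.0.113.7:443"},
    {"type": "file", "ts": 6, "pid": 4300, "op": "create", "path": r"C:\Users\Public\update.exe"},
    {"type": "reg", "ts": 7, "pid": 4300, "op": "set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"type": "process", "ts": 8, "pid": 4410, "ppid": 4300, "image": r"C:\Users\Public\update.exe"},
    {"type": "net", "ts": 9, "pid": 4410, "dst": "203.0.113.7:8443"},
    # Unrelated activity on the same host, not part of the incident.
    {"type": "process", "ts": 1, "pid": 5000, "ppid": 812, "image": r"C:\Windows\explorer.exe"},
    {"type": "net", "ts": 2, "pid": 5000, "dst": "login.microsoftonline.com:443"},
]


def index_events(events):
    """Split telemetry into process starts, per-process activity and a parent->children map."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    activity, children = defaultdict(list), defaultdict(list)
    for e in events:
        if e["type"] != "process":
            activity[e["pid"]].append(e)
    for p in procs.values():
        children[p["ppid"]].append(p["pid"])
    return procs, activity, children


def root_cause(alert_pid: int, procs: dict) -> list:
    """Walk parents from the alerted process up to the first ancestor whose own
    parent was never observed (here the pre-existing session, PID 812).
    Returns the chain root-first, ending at alert_pid."""
    chain = [alert_pid]
    while procs[chain[-1]]["ppid"] in procs:
        chain.append(procs[chain[-1]]["ppid"])
    return chain[::-1]


def incident_artifacts(alert_pid: int, events: list) -> dict:
    """Collect files, registry keys and destinations touched anywhere in the root
    process's subtree: the material for IoCs and for remove/quarantine actions."""
    procs, activity, children = index_events(events)
    found = {"files": set(), "registry": set(), "network": set()}
    stack = [root_cause(alert_pid, procs)[0]]
    while stack:
        pid = stack.pop()
        for e in activity[pid]:
            if e["type"] == "file":
                found["files"].add(e["path"])
            elif e["type"] == "reg":
                found["registry"].add(e["key"])
            elif e["type"] == "net":
                found["network"].add(e["dst"])
        stack.extend(children[pid])
    return found


def kill_chain(alert_pid: int, events: list) -> list:
    """Render the incident as an indented tree, root first, with each process's
    activity in time order beneath it. Processes outside the root's subtree are omitted."""
    procs, activity, children = index_events(events)
    lines = []

    def describe(e):
        if e["type"] == "net":
            return f"net  -> {e['dst']}"
        if e["type"] == "file":
            return f"file {e['op']} {e['path']}"
        return f"reg  {e['op']} {e['key']}"

    def walk(pid, depth):
        p = procs[pid]
        name = p["image"].rsplit("\\", 1)[-1]
        cmd = f"  {p['cmdline']}" if "cmdline" in p else ""
        lines.append("  " * depth + f"[{pid}] {name}{cmd}")
        for e in sorted(activity[pid], key=lambda e: e["ts"]):
            lines.append("  " * (depth + 1) + describe(e))
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    walk(root_cause(alert_pid, procs)[0], 0)
    return lines


if __name__ == "__main__":
    print("\n".join(kill_chain(4300, EVENTS)))
```

The alert fires on the PowerShell process, but the tree shows the root cause is the attachment Outlook wrote to disk and Word opened, and the artifact set includes the child process's beacon and the Run key, neither of which is visible from the alerted process alone.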
Thank you!
Questions ?
kaspersky.com
Thierry Gourdin – Head of Presales France, North and West Africa