Sophos UTM 9 - Infinigate (Schweiz)

Sophos Sandstorm – 0-Day Malware Protection
Available for:
• Sophos UTM / SG
• Sophos XG Firewall
• Sophos Email Appliance
• Sophos Web Appliance
• Sophos Central Mail
• Sophos Data Center
New - Sandstorm Deep Threat Prevention
Your best protection from zero-day threats – way beyond normal behavioural analysis
Sophos Sandstorm combines Deep Behavioural Analysis, Deep Memory Analysis, Deep Network Analysis and Deep Learning Analysis:
• Frequent & aggressive run-time analysis
• Sandbox evasion techniques, API & file system behavior
• Intercept X exploit detection & CryptoGuard
• IPS detections coming soon
• Continuously adaptive learning model
• Deep Memory Analysis: initial & post-execution memory inspection & analysis
• Full port and protocol analysis
• Analysis of all dropped executables
Sandstorm prevention goes beyond endpoint or firewall
Now Powered by Deep Learning
Sandstorm now has the same Deep Learning technology as Intercept X
~75,000 suspicious files submitted each week
~10,000 malware and PUA files stopped each week
How Sandboxing with Deep Learning Beats Endpoint & Firewall Detection
✓ More aggressive & frequent memory analysis
✓ Added behavioral analysis scrutiny
✓ More thorough network activity analysis
Deep Learning in Sandstorm is increasing conviction by 10%
Sophos - Aggressive model with lower false positives
[ROC chart: True Positive Rate (TPR) on the vertical axis (0% to 100%, up is best) against False Positive Rate (FPR) on a logarithmic horizontal axis (1/1,000,000 to 1/1, i.e. 10^-6 to 10^0, left is best), with "Perfect Security" marked at the top-left corner. Curves shown: Traditional Endpoint Security, Machine Learning Endpoint Security, Sophos Deep Learning.]
Source: SophosLabs analysis of malware found in the wild
Sophos Deep Learning Malware Detection Features
• Identifies both known and never-seen-before malware
• Classifies files as malicious, potentially unwanted apps (PUA), or benign
• Does not rely on signatures
• Engine identifies malware in approx. 20 milliseconds
• Extremely small footprint (under 20 MB) with infrequent updates
• Stops threats before they get on the network
Sophos Deep Learning Advantages
• Performance
  • Stops unknown malware without signatures
  • Detects and stops threats in 20 milliseconds
• Experience
  • In development since 2010
  • Created by data scientists at SophosLabs with DARPA-driven technology
  • SophosLabs: trained on 100’s of millions of samples
• Proven
  • #1 malware detection rate in industry
  • Validated on VirusTotal since August 2016, 3rd-party validated
“One of the best performance scores we have ever seen in our tests”
Maik Morgenstern, CTO, AV-TEST
Powerful cloud-based next generation sandbox
• Cloud-based sandbox
• Safe, isolated environment
• Does not impact firewall performance at all
• Executes untrusted programs (detonating in a virtual machine)
• Determines if programs contain malicious code
• Behavioral detection + deep learning
• Including detection of several sandbox evasion techniques
Cloud-sandboxing
[Diagram with the labels: Suspect, Hash ?, Sophos Sandstorm, Determine Behavior with Machine Learning, Control, Report]
Behavioral detection + deep learning
File Submission
• Detect suspicious files
• Pick execution environment
Attack Replay
• Event logging
• Payload extraction
• Anti-evasion
Behavior Analysis (detects threats with known malicious behaviors)
• Rules
• Patterns
• Event correlations
Deep Learning (stops 10% more of EXE malware)
• Detect unknown executable threats
Now even Deeper Protection – Powered by Deep Learning
File type breakdown
~75,000 suspicious files submitted each week
~10,000 malware and PUA files stopped each week

FILE TYPE   FILES SUBMITTED   FILES DETECTED
SCRIPT      1%                1%
ARCHIVE     19%               39%
EXE         15%               34%
OTHER       5%                6%
OFFICE      60%               20%

Sandbox Analysis: percent of submissions identified as malware or PUA and stopped, per file type
[Bar chart, % conviction per file type (SCRIPT, ARCHIVE, EXE, OTHER, OFFICE); bar values as extracted: 13, 34, 40, 20, 5]
What’s New in Wireless v2.0 - Highlights
• APX Series: Security Heartbeat™ enabled next-gen access points
• Synchronized Security w/ Endpoint and Mobile: health-based network access control and visibility
• Enhanced Rogue AP Detection: visibility into potential threats to your network
• Easier Onboarding: bulk provisioning - register up to 30 APs in a single step
Better performance, better visibility and control, better user experience
No firewall required for Security Heartbeat with Wireless
APX – Next Generation Access Points - 802.11ac Wave 2.0
• APX 740: Flagship 4x4:4 access point with high density and high capacity for the mid-market enterprise
• APX 530: High performance 3x3:3 access point for the carpeted enterprise of all sizes
• APX 320: 2x2:2 dual 5 GHz based access point, perfect for tablets/phones and high-density environments in education and small retail scenarios
All APX models have a 5-year warranty
Support in Central from July. Order from Aug 3 2018. Support in XG from late 2018 (17.5 MR). No support in SG UTM planned.
APX will not be certified in all regions. No launch planned in China, Taiwan, Malaysia. Japan will be late 2018, as will Brazil.
APX Hardware Positioning
TODAY – AP Series (802.11n / 802.11ac Wave 1)
• BEST Outdoor: AP 100X (3 x 3 MIMO, dual radio)
• BEST Indoor: AP 100 / AP 100C (3 x 3 MIMO, dual radio)
• BETTER Indoor: AP 55 / AP 55C (2 x 2 MIMO, dual radio)
• GOOD Indoor: AP 15 / AP 15C (2 x 2 MIMO, single radio)
NEW – APX Series (802.11ac Wave 2)
• Flagship Indoor/Ceiling/Wall: APX 740 (4 x 4 MIMO, dual radio, 2.4 and 5 GHz, BLE)
• BEST Indoor/Ceiling/Wall: APX 530 (3 x 3 MIMO, dual radio, 2.4 and 5 GHz, BLE)
• BETTER Indoor/Ceiling/Wall: APX 320 (2 x 2 MIMO, dual radio, 2.4/5 and 5 GHz, BLE)
• GOOD Indoor: APX 120 (2 x 2 MIMO, dual radio, details TBC; NOV)
All other models TBC
Understanding APX Naming
Example: APX 320
• APX = next-gen, Security Heartbeat enabled access point, described as APX Series (legacy models will be referred to as AP Series)
• 3 = range or model series (think BMW)
• 2 = MIMO capabilities (2 = 2x2, 3 = 3x3, 4 = 4x4)
• 0 = product generation, starts with ’0’; next generation would be 1 (or at least that’s the plan…)
Wireless APX Buyer Persona vs. Positioning
DENSITY = number of clients connecting; CAPACITY = what load the APX can handle; PERFORMANCE = benefits for high performance clients
• APX 740 (MIMO 4x4:4): density HIGH; capacity HIGH; performance HIGH; typical deployment: larger offices, high-tech, high bandwidth consumption
• APX 530 (MIMO 3x3:3): density MEDIUM; capacity HIGH; performance HIGH; typical deployment: medium office environment, high performance clients connecting
• APX 320 (MIMO 2x2:2): density MEDIUM (2.4 GHz) / HIGH (dual 5 GHz); capacity MEDIUM; performance MEDIUM; typical deployment: areas like schools, larger number of medium performance clients
• APX 120 (MIMO 2x2:2, NOV): density LOW to MEDIUM; capacity LOW; performance LOW; typical deployment: basic connectivity, small retail, budget conscious deployments
APX – Technical Specification
MODEL: APX 320 | APX 530 | APX 740
MANAGEMENT: Sophos Central (XG Firewall planned for late 2018)
DEPLOYMENT: Indoor; desktop, wall, or ceiling mount
WLAN STANDARDS: 802.11 a/b/g/n/ac
RADIOS:
  APX 320: 1x 2.4 GHz/5 GHz dual-band, 1x 5 GHz single band, 1x Bluetooth low energy (BLE)
  APX 530 / APX 740: 1x 2.4 GHz single band, 1x 5 GHz single band, 1x Bluetooth low energy (BLE)
ANTENNAS:
  APX 320: 2x internal dual-band antenna for Radio-1, 2x internal 5 GHz antenna for Radio-2, 1x internal 2.4 GHz antenna for BLE
  APX 530: 3x internal 2.4 GHz antenna for Radio-1, 3x internal 5 GHz antenna for Radio-2, 1x internal 2.4 GHz antenna for BLE
  APX 740: 4x internal 2.4 GHz antenna for Radio-1, 4x internal 5 GHz antenna for Radio-2, 1x internal 2.4 GHz antenna for BLE
PERFORMANCE: 2x2:2 MU-MIMO | 3x3:3 MU-MIMO | 4x4:4 MU-MIMO
INTERFACES:
  APX 320: 1x RJ45 console serial port, 1x RJ45 10/100/1000 Ethernet w/PoE
  APX 530 / APX 740: 1x RJ45 console serial port, 1x RJ45 10/100/1000 Ethernet port, 1x RJ45 10/100/1000 Ethernet w/PoE
POWER (MAX.): 11.5 W | 16.7 W | 22.4 W
POWER-OVER-ETHERNET (MIN.): PoE 802.3af (APX 320) | PoE+ 802.3at (APX 530 / APX 740)
DIMENSIONS: 155x155x38 mm | 183x183x39 mm | 195x195x43 mm
WEIGHT: 0.474 kg | 0.922 kg | 1.012 kg
Synchronized Security: Wireless + Mobile (Security Heartbeat™)
1. Compliance violation: the mobile user does something which is defined as a compliance violation.
2. Mobile: predefined actions: Sophos Mobile sees that there is a compliance violation and triggers the predefined actions.
3. Wireless: deny network: if the deny network rule is selected in Mobile, Sophos Wireless will receive a red heartbeat status and restrict internet access.
4a. Wireless: dashboard status: the dashboard widget shows one device with a red heartbeat.
4b. Mobile client: alert: when the mobile user tries to access the web, they see a splash screen (“Your Wi-Fi access is restricted”) telling them that internet access has been restricted.
Functionality with endpoint is similar.
Synchronized Security: Wireless + Endpoint (Security Heartbeat™)
1. Incident on endpoint: the endpoint gets infected or does something which gives it a red health status.
2. Endpoint: sends status: the endpoint sends the health status to Sophos Wireless.
3. Wireless: restricts access: if Sophos Wireless receives a red heartbeat status, Wi-Fi access is restricted.
4a. Wireless: dashboard status: the dashboard widget shows one device with a red heartbeat.
4b. Endpoint user: alert: the user sees a splash screen (“Your internet access is restricted”) telling them that Wi-Fi access has been restricted.
Synchronized Security in Wireless
NEW: Dashboard Widget: Security Heartbeat™
• Consolidated view of the health status of all devices which are connected to an APX powered Wi-Fi network managed in Central only
• If the customer has multiple Wi-Fi networks, also with legacy APs, it will not show ALL clients
• Only Mobile devices and Endpoints managed in Central can have a heartbeat
NEW: Client View with Heartbeat Status
• Consolidated view of ALL clients connected to any Wi-Fi network managed in Central
Expanding Synchronized Security Beyond Firewall + Endpoint
Important Note: Wireless Sync Security ≠ XG Firewall Sync Security
• Wireless is a consumer of the Security Heartbeat of a client.
• Initially, either XG Firewall OR Wireless owns the Heartbeat – that will eventually change so that both products can report on the health status of an endpoint.
• Environments with XG + Central Wireless should switch it on in one product only, probably XG Firewall due to the more advanced feature set.
• Functionality is (today) different between Wireless Sync Security and XG Firewall: Wireless only limits web access at this time.
Setup in Sophos Mobile
Network Access Control: Sophos Mobile allows granular settings to restrict web access via Wi-Fi and perform other automated actions for devices with security compliance issues.
Security Heartbeat™: a ‘Deny network’ setting translates as a red heartbeat. Upon violation, this relays the status back to any APX Series access point and so limits web connectivity. For an individual device, the automatic settings can be changed to always allow or always block.
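The access decision described by the two Security Heartbeat flows above and by the Sophos Mobile setup, modelled as an added example. This is not Sophos code; the class and function names, the sample clients and the precedence of the per-device override over the heartbeat are assumptions drawn from the slides.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Heartbeat(Enum):
    GREEN = "green"  # healthy / compliant
    RED = "red"      # infected endpoint, or Mobile compliance violation with "Deny network"

class Override(Enum):
    AUTOMATIC = "automatic"      # follow the heartbeat (the default)
    ALWAYS_ALLOW = "always_allow"
    ALWAYS_BLOCK = "always_block"

@dataclass
class Client:
    name: str
    managed_in_central: bool  # only Central-managed Endpoints and Mobiles can have a heartbeat
    heartbeat: Optional[Heartbeat] = None
    override: Override = Override.AUTOMATIC

def mobile_violation_heartbeat(deny_network_selected: bool) -> Heartbeat:
    """Sophos Mobile side: a compliance violation only relays a red heartbeat
    when 'Deny network' is among the predefined actions."""
    return Heartbeat.RED if deny_network_selected else Heartbeat.GREEN

def web_access_allowed(client: Client) -> bool:
    """Wireless side: Wireless only consumes the heartbeat and only limits web access.
    A per-device 'always allow' / 'always block' setting takes precedence (assumption)."""
    if client.override is Override.ALWAYS_ALLOW:
        return True
    if client.override is Override.ALWAYS_BLOCK:
        return False
    if not client.managed_in_central or client.heartbeat is None:
        return True  # no heartbeat to consume: Wireless has nothing to act on
    return client.heartbeat is Heartbeat.GREEN

def splash_message(client: Client) -> Optional[str]:
    return None if web_access_allowed(client) else "Your Wi-Fi access is restricted"

def red_heartbeat_count(clients) -> int:
    """Dashboard widget: connected Central-managed devices currently reporting red."""
    return sum(1 for c in clients if c.managed_in_central and c.heartbeat is Heartbeat.RED)

# Constructed sample clients (hypothetical names, not real devices)
SAMPLE = [
    Client("laptop-a", True, Heartbeat.GREEN),
    Client("laptop-b", True, Heartbeat.RED),                        # infected endpoint
    Client("phone-c", True, mobile_violation_heartbeat(True)),      # violation + Deny network
    Client("phone-d", True, Heartbeat.RED, Override.ALWAYS_ALLOW),  # per-device exception
    Client("guest-e", False),                                       # unmanaged: no heartbeat
]
```

The unmanaged guest and the legacy-AP caveat from the dashboard slide are the same case here: without a heartbeat, Wireless has nothing to restrict and the widget does not count the device.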
Enhanced Rogue AP Detection
NEW: Dashboard Widget: Threats
• View of all visible Wi-Fi networks which the Central managed access points can see
• Automatic classification according to potential threat level
NEW: Filter option
NEW: On-demand scan
NEW: Manual classification
The Ultimate Sales Opportunity
Low-hanging fruit / Sophos Central customers
• Add Wireless to existing accounts to increase share of wallet
• Particularly Endpoint, Mobile as target customers – as connectivity topic
• Sales pitch as simple as “What are you doing for Wi-Fi?”
Medium-hanging fruit - new customers in ‘sweet spot’
• Position Wi-Fi with new SMB prospects ≤500 users
• Position Wi-Fi in K-12 education environments (20 to 100 APs, distributed env.)
• No hard limits for scalability, but feature set today suited to lower end of market
UTM customers not ready for XG (e.g. in DACH, also some of APJ and WE)
• Shift SG UTM customers to Central Wireless
• Offers Sync Sec for SG UTM customers, also APX as newer technology
• UTM Wi-Fi customers are often small or using additional Wi-Fi on top
• Gets them onto Central = retention + cross-sell
Licensing for APX – Order from August 3, 2018
Phase 1: Adding the new APX SKU
• Central Wireless Standard - Entry (EXISTING): AP 15 / AP 15C, 1Y = $50
• Central Wireless Standard - Performance (EXISTING): AP 55 / AP 55C / AP 100 / AP 100C / AP 100X, 1Y = $100
• Central Wireless Standard (for APX) (NEW): all APX models, 1Y = $75
• Bundle SKU for APX only (NEW): APX + Central Wireless Standard Bundle, 5% discount over individual purchase