Office 365 has garnered widespread adoption from enterprises due to advantages such as ease of deployment, lower TCO, and high scalability. Additionally, it enables end users to work and collaborate from anywhere and on any device. Although Office 365 lets IT shift the burden of running the application and its infrastructure to the cloud vendor, data security remains the responsibility of the enterprise. Given the limitations of native malware protection in Office 365, should the enterprise rely on Office 365 alone to protect its data from malware and ransomware?
Join Bitglass and Cylance for a discussion of malware protection solutions for Office 365. We will cover the limitations of native Office 365 malware protection as well as the benefits of AI- and machine-learning-based approaches. We will wrap up the session by discussing how CASBs with Advanced Threat Protection (ATP) capabilities are uniquely positioned to protect cloud apps and endpoints from malware attacks and proliferation.
2. Agenda
1. Cloud and mobile require new security strategy
2. Overview of CASB architecture
3. How malware infects O365
4. Attack stages of an Advanced Persistent Threat
5. AI-based approach to Advanced Threat protection
6. O365 Advanced Threat Protection
7. Use cases protected by CASBs
8. Q & A
3. The Perfect Storm
exponential growth in malware samples and cloud app adoption
source: https://www.okta.com/blog/2015/05/okta-the-perfect-complement-to-google-for-w
source: https://www.av-test.org/en/statistics/malware/
4. Problem
cloud & mobile drive data outside the firewall, leaving traditional security technologies ineffective
5. CASB Security
a data-centric approach: the new data reality requires a new security architecture
■ cross-device, cross-platform data protection
■ granular controls for protecting data at rest and in motion
■ contextual access control
■ detailed logging for compliance and audit
7. Attack stages of an Advanced Persistent Threat
CASBs offer holistic protection across the kill chain
Delivery
• URL filtering: block malicious sites and links
Exploitation
• Identify and block exploits
Installation
• Block known and zero-day malware
• Block unwanted file types (e.g. executables)
Command & Control
• Block malware domains
• Deny access to compromised users and devices
Actions on Objectives
• Prevent malware spread
• Prevent data exfiltration by enforcing DLP and access control policies
CASB persistent threat detection and prevention capabilities
8. Poll: How are you protecting your O365 instances from malware attacks?
1. Deployed 3rd party AV
2. O365 advanced threat protection
3. CASB/proxy-based solutions
4. No malware protection
5. Did not deploy O365
9. O365 Advanced Threat Protection (ATP)
reactive, slow, limited
Sandbox-based detection adds significant latency
E5 is required for ATP; E5 is 75% more expensive than E3
Requires a minimum deployment of 500 seats
Protected by AV engines built on legacy detection technologies, such as signatures and heuristics, that are reactive
10. MALWARE’S VICIOUS INFINITE LOOP
Malware mutations are the norm: malware authors use polymorphism, obfuscation and automation to create 390,000 new malicious programs per day
AV engines can’t keep up: using signatures, whitelists, rules/heuristics or execution to detect malicious behavior doesn’t scale
Detection misses lead to…
Incident response
Increased hunting
More cleanup & re-imaging
More risk
11. HUMANS ARE A FINITE RESOURCE
It’s a question of scale, speed, breadth, and correlation. Which approach meets the modern challenge?
Humans:
• Linear ability to combat attacks
• Human-correlated feature sets
Machines:
• Algorithmic ability to combat attacks
• Machine-correlated feature sets make connections that humans can’t see
12. Leverage the power of machines, not humans, to dissect malware’s DNA. Artificial intelligence then determines if the code is safe to run. Never have an unknown file threat, because the AI prediction doesn’t change.
AI-BASED APPROACH IS
• Rely on AI and ML
• Analyze malware at the DNA level
• Advanced threat prevention
• Minimal updates
• Predictive
• Autonomous decision
AI IS NOT
• Rely on human classifications
• Require constant updates
• Behavioral analysis
• Require on-premise infrastructure
• Wait for threats to execute
• Signatures
• Micro-virtualization
• Heuristics
• Sandboxing
13. WHAT’S SO SPECIAL ABOUT PREDICTING ATTACKS?
Predictive analysis provides highly effective detection and prevention of never-before-seen threats
GLASSRAT
• Undetected for years
• Human discovered Nov 23, 2015
• Cylance: blocked as of April 2014, 18 months prior to human discovery
ZCRYPTOR
• Spear-phishing
• Human discovered April 2016
• Cylance: blocked as of Oct 2015, 6 months prior to human discovery
SAURON/STRIDER/REMSEC
• Espionage backdoor dating back to 2011
• Human discovered August 2016
• Cylance: blocked as of Jan 2015, 18 months prior to human discovery
GOLDENEYE RANSOMWARE
• Weaponized Excel and PDF files
• Cylance: blocked as of Oct 2015, 14 months prior to human discovery
WANNACRY/WANNACRYPT
• New ransomware variant exploiting an MS vulnerability
• Cylance: blocked as of Jan 2015, 17 months prior to discovery
14. Business Areas
Endpoint Security
Consulting Services
OEM / Technology Partnerships
BUSINESS SNAPSHOT
Unprecedented market acceptance
1,089% year-over-year growth
1,000+ clients
4 million+ endpoints
Vertical market agnostic
“Cylance is easily the fastest-growing EPP startup in the last ten years…”
16. Use Case 1: real-time malware protection
■ block malware before it reaches the cloud app
■ leverage proxies to control access to any app from any device
■ quick detection with low latency
■ whitelisting mechanism for false positives
17. Use Case 2: protect managed devices
■ block malware before it reaches the endpoint
■ prevent sync clients from downloading malicious content
■ layered anti-malware strategy
18. Use Case 3: protect unmanaged devices
■ protect unmanaged devices that have no or weak EPP solutions
■ enable access to enterprise apps on BYOD
■ block malware on unmanaged devices from spreading to cloud apps
19. Use Case 4: prevent spread of malware via interconnected cloud apps
■ It is common to connect cloud apps to other apps (e.g. O365 and Box)
■ Interconnected cloud services provide new paths for malicious files to make their way into cloud services and devices
■ Delete or quarantine files that are deemed malicious
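As an added example (not Bitglass or Cylance code) of the inline decision the four use cases above describe, the script below is a content-based file policy of the kind a proxy applies to uploads, downloads and sync traffic. It classifies a file by what it actually is rather than by its name, blocks executables on every path (slide 7, "block unwanted file types"), lets macro-enabled Office documents through only to managed endpoints that run their own EPP, quarantines them on unmanaged-device and app-to-app paths, and honours a SHA-256 allowlist as the false-positive escape hatch from Use Case 1. The verdict names, the allowlist, the managed-endpoint flag and every sample file are constructed for this example.

```python
"""Added example (not Bitglass or Cylance code): a content-based file policy of the kind a
CASB proxy applies inline to uploads, downloads and sync traffic. All verdict names,
the allowlist and the sample files below are constructed for illustration."""
import hashlib
import io
import struct
import zipfile

ALLOW, BLOCK, QUARANTINE = "allow", "block", "quarantine"

# Hypothetical allowlist of SHA-256 digests an admin approved after a false positive.
ALLOWLIST: set = set()

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls (Compound File Binary)
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_pe(data: bytes) -> bool:
    """MZ stub plus a PE signature at e_lfanew; the file name is deliberately ignored."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def zip_names(data: bytes) -> set:
    """Entry names of a zip/OOXML container, or an empty set if it is not one."""
    if data[:2] != b"PK":
        return set()
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return set(z.namelist())
    except zipfile.BadZipFile:
        return set()


def classify(data: bytes) -> str:
    if is_pe(data):
        return "pe"
    if data.startswith(OLE_MAGIC):
        return "office-legacy"
    names = zip_names(data)
    if "[Content_Types].xml" in names:
        return "office-macro" if any(p in names for p in VBA_PARTS) else "office"
    return "zip" if names else "other"


def decide(data: bytes, name: str, managed_endpoint: bool, allowlist=None) -> tuple:
    """Return (verdict, reason) for a file crossing the proxy.

    managed_endpoint: True when the receiving device is corporate-managed with its own EPP;
    False for BYOD downloads and for app-to-app sync (Use Cases 3 and 4)."""
    allowlist = ALLOWLIST if allowlist is None else allowlist
    digest = sha256(data)
    if digest in allowlist:                      # false-positive escape hatch (Use Case 1)
        return ALLOW, f"allowlisted sha256 {digest[:12]}"
    kind = classify(data)
    if kind == "pe":                             # executables are blocked on every path
        return BLOCK, f"executable content in {name!r} (extension ignored)"
    if kind == "office-macro":                   # the macro lure still needs a user to click Enable Content
        if managed_endpoint:
            return ALLOW, "macro document to managed endpoint; EPP is the next layer"
        return QUARANTINE, "macro document on unmanaged or app-to-app path"
    if kind == "office-legacy":                  # this example does not parse CFB streams for VBA
        return QUARANTINE, "legacy OLE container; macro check not possible here"
    return ALLOW, f"{kind}: no rule matched"


# --- constructed samples ------------------------------------------------------------
def make_fake_pe() -> bytes:
    """Smallest image that passes the MZ/PE check: DOS header whose e_lfanew points at PE\\0\\0."""
    return (b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00").ljust(0x80, b"\x00")


def make_office(macro: bool) -> bytes:
    """Constructed OOXML container; a real .docm also declares the VBA part in [Content_Types].xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if macro:
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    for blob, fname, managed in [(make_fake_pe(), "report.pdf", True),
                                 (make_office(True), "invoice.docm", False),
                                 (make_office(True), "invoice.docm", True),
                                 (make_office(False), "memo.docx", False),
                                 (OLE_MAGIC + b"\x00" * 504, "old.doc", True)]:
        print(fname, managed, decide(blob, fname, managed))
```

The renamed executable ("report.pdf") is still blocked because the check reads the MZ/PE header, not the extension; the same .docm is allowed to a managed endpoint but quarantined when the destination is BYOD or another cloud app, which is the layered strategy from Use Case 2 expressed as policy.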
20. Poll: What is your primary O365 use case that needs malware protection?
1. Protect unmanaged devices (PC/Mac)
2. Protect managed / corporate-owned devices
3. Protect mobile devices (iOS/Android)
4. Prevent spread of malware via interconnected cloud services
21. The Bitglass solution
Omni: data protection on any device
Citadel: high-performance advanced DLP
Harbor: patented cloud encryption
Threat: known- and unknown-malware protection
only Bitglass: agentless, cloud-based solution that deploys in minutes
Personal cloud apps are outside of the scope of IT monitoring via CASB due to privacy concerns, inability to monitor on BYOD, and the intractable nature of trying to chase tens of thousands of applications for a very small risk of corporate data leakage. These apps do, however, pose a threat risk via things like malware infecting managed devices. Enterprises should leverage existing tools - endpoint protection suites and perimeter controls (SWG, NGFW) to counter the threat risk posed by personal cloud apps.
AV products use signatures, heuristics and hand crafted rules that do not scale well
Using polymorphism and obfuscation, malware authors can circumvent signature and rules based detection techniques
Signature-based tech does not address today’s problem of unique malware variants
Customers are forced to detect and then respond
Resources are spread thin
Risk of information disclosure is high
AV Engines Can’t Keep Up
Signatures Don’t Scale
Mutations are the Rule not the Exception
Humans are Required
Network Encryption Makes You Blind
Cybercrime is easy
Lacks extradition and attribution
Anonymous currencies
Using an AI-based approach means it doesn’t have to know something is bad to prevent it. The technology does not look for a signature or behavior match.
We analyze ALL portable executables at the “DNA” level to extract 1000’s of features and combinations of features. The AI produces a confidence score.
We map and classify these many features with our AI-powered math engine that sits on the device itself—no need to send the file anywhere. Works online or offline.
We predict what’s bad and overly powerful. These are threats that can subvert the endpoint or be used against you in lateral movement.
Neither signatures nor behaviors are used.
We are able to identify the previously unseen (targeted) malware.
Updates are minimal. Though we have monthly updates, many customers elect to only update every few months.
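As an added example (not Cylance's engine or any of its code) of the contrast drawn in slide 10 and in the notes above between file signatures and static features: the script below constructs a minimal PE32 image whose .text section carries a single-byte-XOR "packed" payload, re-keys it the way a polymorphic builder would, and shows that the SHA-256 changes while a small static feature vector (section count, per-section entropy, writable-and-executable flag, file slack) stays identical. The PE layout, the decoder-stub bytes and the payload are constructed; the feature set is a toy stand-in for the thousands the notes mention, and no classifier is trained here.

```python
"""Added example (not Cylance or Bitglass code). Builds a minimal PE32 image whose .text
section carries a single-byte-XOR "packed" payload, re-keys it the way a polymorphic
builder would, and compares the SHA-256 (changes) with a few static structural features
(do not change). PE layout, decoder-stub bytes and payload are all constructed here."""
import hashlib
import math
import struct
from collections import Counter

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
FILE_ALIGN, SECT_ALIGN = 0x200, 0x1000
OPT_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "H" * 2 + "I" * 6  # PE32 optional header (96 bytes)
SECT_FMT = "<8sIIIIIIHHI"                                            # IMAGE_SECTION_HEADER (40 bytes)

def align(x: int, a: int) -> int:
    return (x + a - 1) // a * a

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 = uniform). Sorted counts keep the float sum deterministic."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in sorted(Counter(data).values())) if n else 0.0

def build_pe(sections) -> bytes:
    """sections: [(name, raw_bytes, characteristics)] -> a PE32 file image that parsers accept."""
    n = len(sections)
    hdr_size = align(0x40 + 4 + 20 + 96 + 128 + 40 * n, FILE_ALIGN)
    table, blobs, raw_ptr = b"", b"", hdr_size
    for i, (name, raw, chars) in enumerate(sections):
        padded = raw.ljust(align(len(raw), FILE_ALIGN), b"\x00")
        table += struct.pack(SECT_FMT, name.encode().ljust(8, b"\x00"), len(raw),
                             SECT_ALIGN * (i + 1), len(padded), raw_ptr, 0, 0, 0, 0, chars)
        blobs += padded
        raw_ptr += len(padded)
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 96 + 128, 0x0102)  # i386, EXECUTABLE_IMAGE|32BIT
    opt = struct.pack(OPT_FMT, 0x10B, 14, 0,
                      len(sections[0][1]), 0, 0, SECT_ALIGN, SECT_ALIGN, 2 * SECT_ALIGN,
                      0x400000, SECT_ALIGN, FILE_ALIGN,
                      6, 0, 0, 0, 6, 0,
                      0, SECT_ALIGN * (n + 1), hdr_size, 0,
                      2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\x00" * 128
    return (dos + b"PE\x00\x00" + coff + opt + table).ljust(hdr_size, b"\x00") + blobs

def parse_sections(pe: bytes) -> list:
    """Walk the section table; returns (name, virtual_size, raw_bytes, characteristics) per section."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    out = []
    for i in range(nsec):
        name, vsize, _va, rsize, rptr, _, _, _, _, chars = struct.unpack_from(SECT_FMT, pe, table + 40 * i)
        out.append((name.rstrip(b"\x00").decode(), vsize, pe[rptr:rptr + rsize], chars))
    return out

def features(pe: bytes) -> dict:
    """A few structural features a static classifier consumes (real products extract thousands).
    None of them depend on the exact byte sequence a signature would match."""
    secs = parse_sections(pe)
    f = {"sections": len(secs)}
    for name, vsize, raw, chars in secs:
        f[name + ".entropy"] = round(entropy(raw[:min(vsize, len(raw))]), 3)  # skip alignment padding
        f[name + ".wx"] = bool(chars & IMAGE_SCN_MEM_WRITE) and bool(chars & IMAGE_SCN_MEM_EXECUTE)
        f[name + ".slack"] = len(raw) - vsize
    f["high_entropy_code"] = any(k.endswith(".entropy") and v > 7.0 for k, v in f.items())
    return f

PAYLOAD = bytes(range(256)) * 2               # constructed stand-in for an encrypted/packed body
DATA = b"Hello, world\x00".ljust(64, b"\x00")

def build_sample(key: int) -> bytes:
    """Polymorphic re-keying: same payload, new XOR key, new key constant in the decoder stub.
    (Use keys that are not among the stub's fixed bytes so the byte histogram stays comparable.)"""
    stub = bytes([0xB0, key, 0x30, 0x04, 0x24, 0xEB])  # stand-in for a tiny decoder; not real code
    text = stub + bytes(b ^ key for b in PAYLOAD)
    return build_pe([
        (".text", text, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
        (".data", DATA, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ])

def compare(key_a: int, key_b: int) -> dict:
    a, b = build_sample(key_a), build_sample(key_b)
    return {"same_hash": hashlib.sha256(a).digest() == hashlib.sha256(b).digest(),
            "same_features": features(a) == features(b),
            "features": features(a)}

if __name__ == "__main__":
    print(compare(0x5A, 0xC3))
```

Running it, the two hashes differ while the feature dictionaries compare equal: a hash or byte signature taken from one variant misses the other, whereas a model fed features like these sees the same object twice. parse_sections depends only on e_lfanew, NumberOfSections and SizeOfOptionalHeader, so the same features function can be pointed at real files by replacing build_sample with a file read.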
Speaker Notes:
Some examples:
GLASSRAT:
November 23, RSA discovered the presence of GlassRAT – it had been around for a LONG time before a human discovered it – Someone noticed some odd call backs and after many human hours/days they discovered what would become known as GlassRAT.
Cylance is interesting because we took all of those hashes that were in the RSA report – some were as old as 2012.
We took all those hashes and ran them against one of our oldest algorithms – from April 2014 – in this way Cylance is able to look back in time and say whether we would have been able to predict the presence of this threat, or at least detect it, before humans could have.
The answer is yes! In fact, by nearly 18 months!
This threat has been around longer than Cylance has been a company and that’s too bad for all of us.
We were still 18 months ahead of the spear in this case and able to block/prevent.
ZCRYPTOR:
Another example, Zcryptor – came out around the middle of this year. Ransomware is everywhere and this is a particularly bad one.
Zcryptor was really bad because it would just blow through Microsoft’s EMET for the first time – EMET was supposed to be a saving grace.
We ran these files against our October 2015 model – a full six months ahead of the rest of the human race’s discovery of Zcryptor.
This was far enough ahead, before the code was even compiled, that Cylance may have even been ahead of the entire threat campaign itself in this case. This is what I call “dead on compile.” Cylance was able to detect and prevent Zcryptor before it was even compiled.
6 months might not sound like a lot, but in today’s malware it’s nearly a lifetime – especially when you consider the fact that the “lifetime” of a specific malware file hash is only about 58 seconds, according to Verizon’s Data Breach Investigations Report.
SAURON/ STRIDER/ REMSEC:
Last example because it’s a very powerful example – most advanced and evasive APTs that the human race has found in the last few years.
Both reports broke on the same day – one from Symantec and one from Kaspersky.
Again, we took the files that came out in these reports and ran them against a Cylance model from January of 2015 – sure enough – we stopped every single one of them from the Symantec report.
We were able to predict a full 18 months ahead of the rest of human race being able to discover the presence of this malware.
Think about all the work that human researchers have to do when researching a new APT or threat actor campaign like this. It’s a TREMENDOUS amount of work, and there are all sorts of problems with the human approach to this.
http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets
IOCs: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Symantec_Remsec_IOCs.pdf
PETYA: A new variant of the notorious ransomware Petya is back, and with yet another James Bond reference for a name: Goldeneye. In this past week, the new ransomware variant has been almost exclusively attacking hosts in Germany. Numerous organizations have already been hit.
- Presumably from the same author of Petya, first seen in December 2015, and the Petya-Mischa combo, which hit users back in July 2016, Goldeneye overwrites the master boot record (MBR) in order to block access to both the user’s files and operating system.
- Goldeneye infects hosts primarily via malicious email attachments containing macros. Once the ransomware executes, the user’s machine will crash, restart, and show a skull-and-crossbones animation before displaying a ransom note asking for a payment in bitcoin of $1,000.
- As with most malicious Microsoft Office documents, before the embedded macro can execute, user intervention is required. All MS Office documents since MS Office 2007 that contain macros present a security warning to the user as default, so the malware author provides some instructional text in an attempt to fool the user into clicking the “Enable Content” button.
- Cylance’s Research team tested over 300 samples of the Goldeneye ransomware against our endpoint protection product, CylancePROTECT. Our artificial intelligence powered mathematical model was able to prevent the execution of Goldeneye right out of the gate, stopping it dead.
- Watch CylancePROTECT® do battle with live Goldeneye ransomware and block it, pre-execution.
- To make things more challenging, the Research team did not use a recent version of CylancePROTECT in our demo. We demonstrate the predictive nature of Cylance by using a version of CylancePROTECT created one full year before Goldeneye was released – built in October 2015. Even though the version of CylancePROTECT we used is a year old, it completely prevents Goldeneye from executing and protects the system from ransomware.
- With most legacy AV solutions, it may take days to weeks to provide updated signature protection. In the meantime, many users will become victims of the Goldeneye ransomware.
- Ask yourself this: would you trust your existing security solution to keep you fully protected after not updating it for a year? What about a week?
Cylance, based in Irvine, CA, is the fastest-growing private cyber security company in the 2015 Inc. 5000 (#26 overall with >7000% growth over 3 years)
The company has achieved $177M in funding (with $100M from series D). Investors include: Fairhaven Capital, Khosla ventures, BlackStone, DFJ, KKR, CapitalOne, Dell, In-Q-Tel, and BlackStone Tactical
1200+ customers; 2,500,000+ endpoints
Cylance was selected as a Gartner Visionary: “Cylance is easily the fastest-growing EPP startup in the last ten years…”
Cylance provides network OEMs with a unique machine learning based malware detection engine
Competitors: Symantec/Blue Coat, McAfee, TrendMicro, SentinelOne, Crowdstrike
Endpoint Prevention Platform (EPP) is Gartner’s term for AV and related security products http://www.gartner.com/it-glossary/endpoint-protection-platform-epp/
Endpoint Detection and Response (EDR) is a related market. Unlike EPP, EDR is reactive. Gartner sees these two markets merging.
At the core of our solution are three key technologies
Omni - multimode proxies that enable data protection on any device, agentlessly. AJAX-VM means we’re futureproof. Can rapidly be adapted to support new apps.
Citadel - native advanced, adaptive DLP for cloud and mobile. Results in faster inline inspection + remediation vs using external DLP
Harbor - encryption / tokenization of data at rest within cloud applications. With patented preservation of frontend / backend application functionality and full strength encryption
These technologies are packaged in an agentless, cloud-based solution that deploys rapidly and is used to protect mission critical applications in more enterprises than any other CASB.