Posted on 23-Sep-2018
Eliminating Email & Web Malware with Isolation
Carlos A. Muñoz, CISSP, Regional Director
Jon Peppler, Sr Director Channels
“It’s Safe to Click”
| © 2017 / Menlo Security, Inc. All rights reserved. 2
Detection for protection
Main security layers over time:
- 1993: firewalls, anti-virus
- 1998: IDS, threat intelligence
- 2003: IPS, behavioral analysis
Reactive, layered defenses stop 99% of threats:
- Anti-Spam
- Sandboxing
- Access Security
- Next Generation Firewall
- Site Categorization
- Anti-Phishing
- Content Analysis
- Anti-Fraud
- DNS Security
- Web Application Firewall
- Next Generation Antivirus
- DDoS Prevention
But 1% still gets through.
Content filtering
Content filtering is being circumvented by: browser zero-days, malvertising, plug-in exploits, JavaScript downloaders, zero-pixel iframes, documents from the web, drive-by downloads.
Sandbox
Sandboxing is being circumvented by: delayed execution, version mismatch, benign payloads.
Today’s Advanced Protection Can't Block Malware in Active Content
Active content reaches the user from third-party affiliates, trackers, ads, beacons, analytics and CDNs.
Attackers Use Trusted Sites for Phishing
Phishing sites leverage popular hosting services.
(Chart: phishing sites by site category; "Business and Economy": 11679)
Site Categories Can and Do Change
Malicious sites can be registered in a trusted category.
(Chart: category over a 90-day period, 9/26 to 10/21, with the labels "News and Media" and "Malware Sites")
Modern Day Threats
Common attacker tactics over the past few years:
- DRIDEX: Microsoft Word zero-day exploits
- AdGholas: malvertising
- DNC: credential theft
DNC credential theft
John Podesta’s email credentials were lost to a Gmail “reset your password” phishing email.
Path: user clicks → Secure Email Gateway → Secure Web Gateway.
Why detection missed it:
- URL is a categorized website; no email context
- URL hosted on popular user sites, not known malicious
- Sandbox finds no risk indicators
Other similar attacks: Google Phishing Attack, Netflix Phish, DocuSign Phish, and more…
AdGholas campaign: malvertising
Path: user clicks → Secure Web Gateway → exploit download.
Why detection missed it:
- Sandbox did not see any risk indicators
- Browser zero-day CVE-2017-0222 was exploited to drop the Astrum exploit kit
- Malvertising URL kept changing, so it couldn’t be blocked as known bad
DRIDEX: Microsoft Word (Office) zero-day exploit
Path: user opens doc → Secure Email Gateway → Secure Web Gateway → endpoint is infected.
HTA, RTF, etc.: Word fetches a remote object at a URL.
Why detection missed it:
- URL not known malicious
- Sandbox did not find any risk indicators
- No exploit shellcode, no macros, no active code

The Patient Zero Problem
There is always a “Patient Zero” because detection-based security, within Secure Email Gateways and Secure Web Gateways, relies on lagging information sources, threat research and analysis of traffic patterns to identify new threats. It is not a perfect approach.
Isolation to Eliminate Email and Web Threats
- 2008: VDI
- 2010: endpoint isolation
- Dedicated browser isolation
- 2015 - present: cloud isolation platform
Cloud isolation platform:
- 10x advantage over VDI/visual streaming
- Superior bandwidth utilization: send rendering instructions vs. graphic content
- Layout and painting on the endpoint saves ~10x CPU/memory
User experience preserved. User-transparent technology.

The Current Approach
Execution happens locally, leaving the browser vulnerable to attack.
The Menlo Approach
Execution happens in the cloud.
Threats handled: browser vulnerabilities, Flash/Java exploits, weaponized documents, executable downloads, drive-by download links, weaponized attachments, phishing links, agnostic executables.
File types covered: WinEXE, MP3, GZIP, Visio, MS Office, JPG, MS Project, ZIP, Autocad.
Adaptive Clientless Rendering
A Seamless Experience
Browser functionality preserved: printing, copy & paste, cookies & syncing, streaming video.

Isolation: Don’t Just Detect – Isolate!
Use cases for Secure Web Gateway & Secure Email Gateway
The Menlo Difference
Menlo Isolation Platform: Protection Use Cases
1. “Isolate-all” web browsing, email links and documents
2. Isolate risky and uncategorized web sites
3. Isolate email links & attachments only
4. Isolate personal web mail & attachments only
5. Credential phishing protection
100% eliminate malware from web browsing & email links. Increase SOC productivity.
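As an added example (not Menlo’s code and not part of the original deck), the following Python models the policy behind use cases 1 and 2 together with the earlier observation that a site’s category can flip within a 90-day window: each request is allowed natively, isolated, or blocked from its current category label and its recent category history. The category labels, the history data structure and the sample sites are constructed for the example.

```python
"""Toy web-access policy: allow, isolate or block a request by site category.

Added example, not Menlo Security's code. Category labels, the 90-day window
and the sample sites below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Labels treated as risky enough to isolate rather than render natively (assumed)
RISKY = {"Malware Sites", "Phishing", "Uncategorized", "Newly Registered"}
# Labels that are blocked outright (assumed)
KNOWN_BAD = {"Malware Sites", "Phishing"}


@dataclass
class CategoryHistory:
    """(observation date, category label) pairs, oldest first."""
    observations: list = field(default_factory=list)

    def category_on(self, day):
        """Most recent label observed on or before `day`, else 'Uncategorized'."""
        current = "Uncategorized"
        for seen, label in self.observations:
            if seen <= day:
                current = label
        return current

    def changed_within(self, day, window_days=90):
        """True if more than one distinct label was observed in the trailing window."""
        start = day - timedelta(days=window_days)
        labels = {label for seen, label in self.observations if start <= seen <= day}
        return len(labels) > 1


def decide(history, today, mode="isolate-risky", window_days=90):
    """Return 'allow', 'isolate' or 'block' for a request made on `today`.

    'isolate-all'   -> every site that is not known bad is isolated (use case 1).
    'isolate-risky' -> risky/uncategorized sites, and sites whose category flipped
                       inside the window, are isolated; the rest render natively
                       (use case 2 plus the "categories change" observation).
    """
    category = history.category_on(today)
    if category in KNOWN_BAD:
        return "block"
    if mode == "isolate-all":
        return "isolate"
    if category in RISKY or history.changed_within(today, window_days):
        return "isolate"
    return "allow"


def demo():
    """Decisions for four constructed sites on 2017-10-21."""
    today = date(2017, 10, 21)
    # Steady trusted label, last observed before the 90-day window opened
    steady = CategoryHistory([(date(2017, 7, 1), "News and Media")])
    # Constructed flip-flop: trusted label, then malware, then trusted again
    flipper = CategoryHistory([
        (date(2017, 9, 26), "News and Media"),
        (date(2017, 10, 6), "Malware Sites"),
        (date(2017, 10, 16), "News and Media"),
    ])
    unknown = CategoryHistory([])
    bad = CategoryHistory([(date(2017, 10, 1), "Malware Sites")])
    return {
        "steady": decide(steady, today),
        "flipper": decide(flipper, today),
        "unknown": decide(unknown, today),
        "bad": decide(bad, today),
        "steady_isolate_all": decide(steady, today, mode="isolate-all"),
    }


if __name__ == "__main__":
    for site, verdict in demo().items():
        print(f"{site:20s} {verdict}")
```

The point the model makes is that a site currently labelled "News and Media" is not automatically trusted: if its label flipped inside the window it is isolated even though a category-only filter would let it through natively.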
Patented Isolation Engine and Adaptive Clientless Rendering
The Menlo Security Isolation Platform fetches and executes web content on behalf of corporate and personal devices; phishing, malicious email, weaponized docs and infected websites are handled there. Dispose after every session.
Web Isolation
Endpoint browser ← Menlo Security Isolation Platform (isolated browser) ← web (news.com)
- Web → isolated browser: HTTP requests; unsafe HTML, JavaScript and Flash (<body>, <script>, <script> (Flash)). The isolated browser builds the DOM tree and rendered output.
- Isolated browser → endpoint browser: Adaptive Clientless Rendering (HTML5); rendering updates in a proprietary encoding. The endpoint builds its own DOM tree and rendered output from safe elements only (<body>, <video> MP4).
Web Isolation in the Enterprise
Secure Web Gateway: HTTP & HTTPS, inbound and outbound
SWG integrations: DLP, CASB
Threat protection (existing): content analysis, sandboxing, known malicious sites, anti-virus/hash reputation
Isolation protection capabilities: browser zero-day, JavaScript downloaders, plug-in exploits, zero-pixel iframes, malvertising, documents from web, drive-by downloads, Flash exploits, Java exploits, data URI
Existing Threat Protection PLUS 100% Defense
Phishing & Email Link Isolation
Diagram: MS Exchange / Office 365 → user → Menlo Security Isolation Platform (fetch, execute) → web (infected websites, weaponized documents, phishing, malicious email)
- Eliminates drive-by exploits by isolating all email links
- By opening all email links in safe isolation sessions, MSIP protects every user against targeted spear-phishing and drive-by exploits, thus eliminating “patient-zero” infections
- Enables teachable moments
Document Isolation
Web docs & email attachments → Menlo Security Isolation Platform → native user experience on any device, any OS, any browser.
- Documents rendered in disposable virtual containers
- Documents converted into HTML5 with no active content
- Optional download of safe PDF (view-only) or original document
- Adaptive Clientless Rendering (ACR): rendering info only, 100% malware free
Eliminate Credential Phishing Threats With Isolation
Isolate email links through the Menlo Security Isolation Platform. (Diagram: a login page reached from a malicious email is marked RESTRICTED, with its user name and password fields restricted.)
Restrict inputs; train at time-of-click.
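As an added example, not Menlo Security’s Adaptive Clientless Rendering, here is a Python model of the boundary the Web Isolation, Document Isolation and credential-phishing slides describe: the isolated side walks the page after execution and forwards only allow-listed markup, so script, plug-in and embedded-object elements, event-handler attributes and javascript:/data: URLs never reach the endpoint, and on a page flagged as restricted the login inputs are emitted read-only. The tag allow-list, the `restricted` flag and the sample login page are assumptions constructed for the example; the real platform streams rendering updates rather than HTML.

```python
"""Toy model of what an isolation platform forwards to the endpoint.

Added example, not Menlo Security's code. The real platform executes the page
in a remote browser and streams rendering updates; this model only reproduces
the security boundary: no active content reaches the endpoint, and on a
RESTRICTED page the credential inputs are read-only. Sample HTML is constructed.
"""
from html import escape
from html.parser import HTMLParser

# Elements that carry active content and are dropped with their whole subtree (assumed list)
ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe", "noscript"}
# Elements the endpoint is allowed to receive (assumed list)
SAFE_TAGS = {"html", "head", "title", "body", "div", "span", "p", "a", "form",
             "label", "input", "button", "h1", "h2", "ul", "li", "img", "video", "br"}
VOID_TAGS = {"input", "img", "br"}
URL_ATTRS = {"href", "src", "action", "formaction"}


def safe_url(value):
    """Reject javascript:, vbscript: and data: URLs; anything else passes."""
    scheme = value.strip().lower().split(":", 1)[0] if ":" in value else ""
    return scheme not in {"javascript", "vbscript", "data"}


class Projector(HTMLParser):
    """Walks the post-execution DOM and emits only allow-listed markup."""

    def __init__(self, restricted=False):
        super().__init__(convert_charrefs=True)
        self.restricted = restricted  # True when the link came from a flagged email
        self.out = []
        self.skip_depth = 0  # > 0 while inside an active-content subtree
        self.dropped = []    # audit trail of what never reached the endpoint

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.skip_depth += 1
            self.dropped.append(tag)
            return
        if self.skip_depth or tag not in SAFE_TAGS:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):              # onload=, onclick=, ...
                self.dropped.append(f"{tag}@{name}")
                continue
            if name in URL_ATTRS and not safe_url(value):
                self.dropped.append(f"{tag}@{name}")
                continue
            kept.append((name, value))
        if tag == "input" and self.restricted:
            kept.append(("readonly", "readonly"))   # restrict inputs at time of click
        rendered = "".join(f' {n}="{escape(v, quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{rendered}>")

    def handle_endtag(self, tag):
        if tag in ACTIVE_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in SAFE_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))


def project(html_text, restricted=False):
    """Return (safe_html, dropped_items): the markup the endpoint receives and an audit list."""
    p = Projector(restricted=restricted)
    p.feed(html_text)
    p.close()
    return "".join(p.out), p.dropped


# Constructed phishing-style login page mixing credential fields with active content
SAMPLE_PAGE = (
    '<html><body onload="track()">'
    '<script>document.cookie</script>'
    '<iframe src="https://example.invalid/hidden" width="0" height="0"></iframe>'
    '<object data="movie.swf"></object>'
    '<form action="https://example.invalid/login">'
    '<label>User name</label><input name="user">'
    '<label>Password</label><input type="password" name="pass">'
    '<a href="javascript:steal()">Reset</a>'
    '<button>Sign in</button></form></body></html>'
)


def demo():
    """Project the sample page as a RESTRICTED credential-phishing link."""
    return project(SAMPLE_PAGE, restricted=True)


if __name__ == "__main__":
    safe_html, dropped = demo()
    print(safe_html)
    print("dropped:", dropped)
```

The `dropped` list is what a SOC would want logged per session: it records the zero-pixel iframe, the Flash object and the `javascript:` link that were stripped, while the rendered form still looks native to the user but cannot accept a typed password.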
Menlo’s Approach: Scale
- Multi-tenant from the ground up
- Auto-scale to handle any load
- Ops management for SP & large enterprise
- Global enterprise cloud
- 99.99% uptime, on par with world-class service providers
Case Study: JP Morgan Chase
Step 1: Isolate risky websites
- 80% of malware emanating from uncategorized sites
- Blocking access led to complaints & lost productivity
- Implemented Menlo to isolate uncategorized & risky web
Step 2: Isolate all web for high-value users
- Eliminate all risk from web and email for high-value targets
Step 3: Isolate all employees (250,000 users)
2016 Innovation Award for partnership and strategic impact to JPMC business

Menlo Security “It’s Safe to Click”