Part 2: Protecting against Ransomware
Jonathan Korba, Systems Engineer, Symantec
5-Part Webinar Series: Endpoint Protection…what really matters?
Part 1 of 5: Tackling Unknown Threats with Symantec Endpoint Protection 14 Machine Learning (January 26, 2017)
Part 2 of 5: Block The Risk Of Ransomware (February 23, 2017)
Part 3 of 5: Achieving Zero-Day Attacks and What To Do About It (March 23, 2017)
Part 4 of 5: Easy Ways To Improve Your Security Posture (April 20, 2017)
Part 5 of 5: A Step-By-Step Approach for Endpoint Detection & Response (May 18, 2017)
https://www.symantec.com/about/webcasts
Agenda
What is Ransomware and what are the risks?
How does Symantec Endpoint Protection 14 block Ransomware?
Demos: SEP 14 in action
Copyright © 2016 Symantec Corporation
Superior Protection and Response Across the Attack Chain: Stop Ransomware Threats with layered protection
Attack chain stages: Incursion, Infection, Infestation and Exfiltration
Protection layers:
• Antivirus
• Network Firewall & Intrusion Prevention
• Application and Device Control
• Behavior Monitoring
• Memory Exploit Mitigation
• Reputation Analysis
• Advanced Machine Learning
• Emulator
• Patented real-time cloud lookup for scanning of suspicious files
• Inoculation
• Power Eraser
• Host Integrity
• System Lockdown
• Secure Web Gateway Integration
• EDR Console (ATP: Endpoint)
While end-users see Word files as harmless, they can hide macro viruses
How is Ransomware getting in?
Infection Vectors: Drive-by Downloads, Malicious Email
Ransomware Attack Chain
1. Malware Delivery
2. Malware installed
3. Call C&C Server
4. Encryption
SEP 14 Protection across Ransomware Attack Kill Chain
1. Malware Delivery: Download Insight, AV: Machine Learning, Emulator
2. Malware installed: IPS, Memory Exploit Mitigation
3. Call C&C Server: IPS
4. Encryption: SONAR, Application Control
Emulation Capabilities: Fast and accurate detection of hidden malware
• Malware hides behind custom polymorphic packers
• Emulator 'unpacks' the malware in a virtual environment
• Emulates file execution to cause threats to reveal themselves
• Lightweight solution runs in milliseconds with high efficacy
Figure: No Emulation: the packed executable is not recognized. Emulation: the packer runs inside the emulation environment, unpacking the executable, and the payload is recognized.
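To make the packing and emulation idea above concrete, here is an added example (written for this page; it is not Symantec's emulator and not code from the deck). A "file" is a small unpack stub in a toy bytecode followed by a XOR-obfuscated payload. The signature string, the bytecode, the payload and the packer are all constructed for the example. A static scan of the stored bytes misses the signature; running the file's own stub in a throw-away memory image and then scanning that image finds it. The instruction budget shows the failure mode: a stub that stalls forever exhausts the budget and stays undetected.

```python
"""Toy packer + emulator: why a static signature scan misses a packed
sample while emulating its unpack stub does not.
Added example for this deck; the bytecode, the signature and the payload
are all constructed here and are not Symantec's."""

SIGNATURE = b"RANSOM_NOTE"                    # what the static scanner looks for
PAYLOAD = b"MZ\x90\x00 RANSOM_NOTE: your files have been encrypted"
MAGIC = b"TPK1"                               # toy packed-file header

# Toy stub bytecode: NOP | SETK key | XOR off(2) len(2) | JMP addr(2) | HALT
OP_NOP, OP_SETK, OP_XOR, OP_JMP, OP_HALT = 0x00, 0x10, 0x20, 0x30, 0xFF
OPERAND_BYTES = {OP_NOP: 0, OP_SETK: 1, OP_XOR: 4, OP_JMP: 2, OP_HALT: 0}


def pack(payload: bytes, key: int, junk: int = 0) -> bytes:
    """Pack `payload` under a one-byte XOR key behind a stub that decodes it
    in place. A different key (and junk NOP padding) changes every stored
    byte of body and stub: a crude polymorphic packer."""
    body = bytes(b ^ key for b in payload)
    stub = bytes([OP_NOP]) * junk + bytes([OP_SETK, key])
    body_off = len(MAGIC) + len(stub) + 5 + 1   # after XOR (5 bytes) and HALT (1)
    stub += bytes([OP_XOR]) + body_off.to_bytes(2, "big") + len(body).to_bytes(2, "big")
    stub += bytes([OP_HALT])
    return MAGIC + stub + body


def evasive_sample(payload: bytes, key: int) -> bytes:
    """Stub that jumps to itself forever: an anti-emulation stall."""
    body = bytes(b ^ key for b in payload)
    stub = bytes([OP_JMP]) + len(MAGIC).to_bytes(2, "big")
    return MAGIC + stub + body


def emulate(sample: bytes, budget: int = 10_000):
    """Run the stub in a throw-away memory image with an instruction budget.
    Returns (memory after execution, reason the run stopped)."""
    mem = bytearray(sample)
    pc, key = len(MAGIC), 0
    for _ in range(budget):
        if pc >= len(mem):
            return mem, "fell off end"
        op = mem[pc]
        if op not in OPERAND_BYTES:
            return mem, "invalid opcode"
        if pc + 1 + OPERAND_BYTES[op] > len(mem):
            return mem, "truncated instruction"
        if op == OP_NOP:
            pc += 1
        elif op == OP_SETK:
            key, pc = mem[pc + 1], pc + 2
        elif op == OP_XOR:
            off = int.from_bytes(mem[pc + 1:pc + 3], "big")
            n = int.from_bytes(mem[pc + 3:pc + 5], "big")
            for i in range(off, min(off + n, len(mem))):
                mem[i] ^= key
            pc += 5
        elif op == OP_JMP:
            pc = int.from_bytes(mem[pc + 1:pc + 3], "big")
        else:  # OP_HALT
            return mem, "halted"
    return mem, "budget exhausted"  # stalled or looping: give up, stay fast


def static_scan(sample: bytes) -> bool:
    """Signature match on the bytes as stored on disk."""
    return SIGNATURE in sample


def emulated_scan(sample: bytes):
    """Signature match on memory after the sample's own stub has run."""
    mem, reason = emulate(sample)
    return SIGNATURE in mem, reason


if __name__ == "__main__":
    for key in (0x5A, 0xC3):
        s = pack(PAYLOAD, key, junk=key % 7)
        print(f"key=0x{key:02x}: static={static_scan(s)} emulated={emulated_scan(s)}")
    print("stalling stub:", emulated_scan(evasive_sample(PAYLOAD, 0x5A)))
```

The budget is what keeps the scan in the "milliseconds" range the slide promises, and it is also the knob an attacker targets: a stub that burns cycles before unpacking trades detection for scan time, which is why emulation sits beside reputation and behavior monitoring rather than replacing them.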
Memory Exploit Mitigation: Blocks zero-day attacks by hardening the operating system
• Signature-less and works regardless of the flaw/bug/vulnerability
• Preemptively blocks exploit techniques, foiling attempts of attackers to take over a machine
Timeline: Vulnerability Discovered, Vulnerability Disclosed, Patch Released, Patch Applied. The zone of exploitation between disclosure and patch application lasts weeks to months.
"Memory Exploit Mitigation" techniques:
1. Java Exploit Protection
2. Heap Spray
3. SEHOP
Demo: IPS Blocks Outbound Communications from Ransomware
Demo: Application Control Blocks Ransomware that uses Office Documents
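The demo title above does not say what the control rule looks like, so here is an added example of the parent/child rule a practitioner would write for this case (it is not SEP policy syntax and not code from the deck). The rule denies Office applications from launching shells and script hosts, denies them from running any binary out of a user-writable directory, and carries an explicit exception for a helper Office legitimately spawns. The process names, paths, deny list and sample events are constructed for the example.

```python
"""Parent/child application-control rules of the kind the Office demo shows:
Office programs may not launch shells or script hosts, nor run binaries from
user-writable directories. Added example for this deck; it is not SEP policy
syntax. Process names, paths and the sample events are all constructed."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Built-in Windows tools a macro commonly uses as its next stage
DENIED_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                   "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe",
                   "bitsadmin.exe", "msiexec.exe"}
# Helper Office legitimately spawns (print spooler proxy): explicit exception
ALLOWED_CHILDREN = {"splwow64.exe"}
# Path fragments of locations an unprivileged user (or a macro) can write to
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str   # full path of the creating process
    image: str          # full path of the new process
    command_line: str


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def _user_writable(path: str) -> bool:
    return any(fragment in path.lower() for fragment in USER_WRITABLE)


def evaluate(ev: ProcessEvent) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow' or 'block'. Rules are
    checked most specific first so the exception wins over the deny list."""
    parent, child = _name(ev.parent_image), _name(ev.image)
    if parent not in OFFICE_APPS:
        return "allow", "parent is not an Office application"
    if child in ALLOWED_CHILDREN:
        return "allow", f"{child} is an explicit exception"
    if child in DENIED_CHILDREN:
        return "block", f"{parent} may not launch {child}"
    if _user_writable(ev.image):
        return "block", f"{parent} may not run a binary from a user-writable path"
    return "allow", "no rule matched"


OFFICE = "C:\\Program Files\\Microsoft Office\\root\\Office16\\"
SYS32 = "C:\\Windows\\System32\\"
SAMPLE_EVENTS = [  # constructed process-creation events
    ProcessEvent(OFFICE + "WINWORD.EXE", SYS32 + "cmd.exe",
                 "cmd.exe /c start /min wscript.exe %TEMP%\\inv.vbs"),
    ProcessEvent(OFFICE + "WINWORD.EXE", SYS32 + "splwow64.exe", "splwow64.exe"),
    ProcessEvent(OFFICE + "EXCEL.EXE",
                 "C:\\Users\\jdoe\\AppData\\Local\\Temp\\svchost.exe", "svchost.exe"),
    ProcessEvent("C:\\Windows\\explorer.exe",
                 SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe", "powershell.exe"),
    ProcessEvent(OFFICE + "OUTLOOK.EXE", OFFICE + "WINWORD.EXE", "WINWORD.EXE /n"),
]


def verdicts(events=SAMPLE_EVENTS) -> list[str]:
    """Verdict for each event, in order."""
    return [evaluate(ev)[0] for ev in events]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{_name(ev.parent_image):>12} -> {_name(ev.image):<16} {evaluate(ev)}")
```

Matching on the child's file name alone is bypassable: a macro can copy cmd.exe to a new name, which is exactly why the third sample event (a binary called svchost.exe in a user's Temp folder) is caught by the path rule rather than the name list. Production policies match on publisher signature or file hash in addition to name and path.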
Protection Against Ransomware
• User Education
• Email/Gateway Security
• OS/App Patching
• Maintain an endpoint security solution
– File reputation analysis
– Static file malware prevention with Machine Learning
– Exploit prevention
– Behavior-based prevention
– Application Control
• Limit end user access to mapped drives – make read only and password protect
• Deploy and secure a comprehensive backup solution
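The "Behavior-based prevention" item above is the layer that still fires when delivery, reputation and exploit checks have all been passed, so here is an added example of the kind of heuristic it rests on (written for this page; it is not SONAR's logic and not code from the deck). The monitor consumes file-system events and convicts a process that changes the extension of many files within a few seconds, or that touches a canary file no legitimate program should modify. The thresholds, canary paths, process names and sample events are constructed; the example assumes Windows-style paths.

```python
"""Behavior-based ransomware heuristic over file-system events, the kind of
signal behavior monitoring keys on: one process renaming many files to a new
extension within seconds, or touching a canary file no legitimate program
should modify. Added example for this deck; it is not SONAR's logic.
Thresholds, paths, process names and the sample events are constructed."""
from __future__ import annotations

import ntpath
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW_SECONDS = 5.0     # sliding window for counting renames
RENAME_THRESHOLD = 20    # renames with a changed extension that convict a process
CANARY_FILES = {         # decoy files; any access to them is a conviction
    r"c:\users\jdoe\documents\~$canary.docx",
    r"\\fileserver\finance\~$canary.xlsx",
}


@dataclass(frozen=True)
class FileEvent:
    ts: float       # seconds
    pid: int
    image: str
    op: str         # "write" or "rename"
    path: str
    new_path: str = ""


class BehaviorMonitor:
    def __init__(self) -> None:
        self._renames: dict[int, deque] = defaultdict(deque)  # pid -> rename timestamps
        self._verdicts: dict[int, str] = {}                   # pid -> conviction

    @staticmethod
    def _extension_changed(old: str, new: str) -> bool:
        return ntpath.splitext(old)[1].lower() != ntpath.splitext(new)[1].lower()

    def _convict(self, pid: int, reason: str) -> str:
        self._verdicts[pid] = f"terminate pid {pid}: {reason}"
        return self._verdicts[pid]

    def observe(self, ev: FileEvent) -> str | None:
        """Feed one event; return the verdict once the process is convicted."""
        if ev.pid in self._verdicts:
            return self._verdicts[ev.pid]
        if ev.path.lower() in CANARY_FILES or ev.new_path.lower() in CANARY_FILES:
            return self._convict(ev.pid, f"touched canary file {ev.path}")
        if ev.op == "rename" and self._extension_changed(ev.path, ev.new_path):
            window = self._renames[ev.pid]
            window.append(ev.ts)
            while window and ev.ts - window[0] > WINDOW_SECONDS:
                window.popleft()
            if len(window) >= RENAME_THRESHOLD:
                return self._convict(
                    ev.pid, f"{len(window)} extension-changing renames in {WINDOW_SECONDS}s")
        return None


def sample_events() -> list[FileEvent]:
    """Constructed event stream: hand renames, a locker, a slow archiver, a canary hit."""
    docs = "C:\\Users\\jdoe\\Documents"
    events = [
        FileEvent(0.0, 4100, "explorer.exe", "rename", f"{docs}\\report.docx", f"{docs}\\report_final.docx"),
        FileEvent(0.5, 4100, "explorer.exe", "rename", f"{docs}\\photo.jpg", f"{docs}\\photo.jpeg"),
    ]
    # ransomware: 25 files get a new extension within 2.5 seconds
    events += [FileEvent(1.0 + 0.1 * i, 6632, "locker.exe", "rename",
                         f"{docs}\\file{i}.docx", f"{docs}\\file{i}.docx.locked") for i in range(25)]
    # a slow archiver changing extensions every 3 seconds: never 20 in one window
    events += [FileEvent(100.0 + 3.0 * i, 7001, "archiver.exe", "rename",
                         f"{docs}\\notes{i}.txt", f"{docs}\\notes{i}.bak") for i in range(25)]
    # anything writing a canary is convicted on the first event
    events.append(FileEvent(200.0, 8000, "x.exe", "write", f"{docs}\\~$canary.docx"))
    return events


def run_sample() -> dict[int, str]:
    """Run the monitor over the sample stream; return convicted pid -> verdict."""
    monitor, convicted = BehaviorMonitor(), {}
    for ev in sample_events():
        verdict = monitor.observe(ev)
        if verdict:
            convicted[ev.pid] = verdict
    return convicted


if __name__ == "__main__":
    for pid, verdict in run_sample().items():
        print(verdict)
```

The threshold only buys a few seconds of head start, which is the point of the slide's "make read only" and backup items: the monitor limits damage, the backups undo it. Families that encrypt in place without renaming need a second signal (for instance, the entropy of written data rising sharply across many files), which this example leaves out.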
Q&A
Thank you!
Copyright © 2016 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.