Machine Learning & Exploit Prevention in Endpoint Protection (and a few other cool things)
Matt Pannebaker, Sales Engineering
Today
Pause for Clarification… So-Fōs / Saw-Fōs
When I Say “Machine Learning”
[Figure: Google Trends chart for the search term “Machine Learning”]
Machine Learning: Image Recognition
[Figure: example photos; one is recognised by the model as “cat”, another is not]
*Machine Learning is still having problems with Matt’s sense of humor…
Typical Machine Learning Workflow
[Figure: training images and their labels → feature extraction → training → learned model]
Feature Extraction (example features for “cat”): pointy ears, mouth shape, fur color/pattern, triangle nose, oval eyes, front legs size/shape, tail length, paw shape/size (and “ghastly attitude”)
Machine Learning: Testing
[Figure: test image → image features → learned model → prediction]
Biological Neuron vs Artificial Neuron
Image Recognition In Action: https://www.clarifai.com
Deep Learning Applied to Cybersecurity: Malware vs Benignware
Pause for Clarification… Mall-ware / Maul-ware / Mal-ware
Deep Learning… Why?
Deep Learning Is All Around Us
Machine Learning vs. Deep Learning
[Figure: machine learning: input → hand-built model such as a decision tree or random forest → output; deep learning: input → interconnected layers of neurons, each identifying more complex features → output]
Predictive Security: Detecting Unknown Malware
[Figure: True Positive Rate (TPR, 0% to 100%, up is best) against False Positive Rate (FPR, log scale from 10^-6 = 1/1,000,000 to 10^0 = 1/1, left is best), comparing Machine Learning Endpoint Security with Traditional Endpoint Security; “Perfect Security” sits at the top-left corner. Source: SophosLabs analysis of malware found in the wild]
Sophos Deep Learning Malware Detection Features
• Prevents both known and never-seen-before malware
• Blocks malware before it executes
• Does not rely on signatures
• Classifies files as malicious, potentially unwanted apps (PUA), or benign
• Extremely small footprint (under 20MB) with infrequent updates
• Detects malware in approximately 20 milliseconds
• Protects even when the host is offline
• Works out of the box, no additional training needed
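The workflow in the earlier slides (labelled samples in, feature extraction, training, a learned model, then predictions on unseen inputs) and the TPR-versus-FPR trade-off in the chart can be made concrete with a small added example. This is not Sophos code and uses no SophosLabs data: the three file features (section entropy, import count, writable-and-executable sections), the training and test rows, and the standardised nearest-centroid “model” are all assumptions chosen to keep the example self-contained and runnable offline. It trains, scores unseen files, then reports TPR and FPR at a fixed threshold and along a threshold sweep, which is the curve the chart plots.

```python
import statistics
from typing import List, Sequence, Tuple

# Constructed rows (not SophosLabs data): (avg_section_entropy, import_count,
# writable_exec_sections, label) with label 1 = malicious, 0 = benign.
TRAIN = [
    (7.6, 4, 1, 1), (7.4, 6, 1, 1), (7.8, 3, 0, 1), (7.2, 8, 1, 1), (7.9, 2, 1, 1),
    (5.2, 90, 0, 0), (5.6, 120, 0, 0), (4.9, 75, 0, 0), (6.1, 60, 0, 0), (5.4, 140, 0, 0),
]
TEST = [
    (7.5, 5, 1, 1), (7.7, 3, 0, 1), (6.9, 12, 1, 1),
    (5.0, 100, 0, 0), (5.8, 70, 0, 0),
    (7.3, 15, 0, 0),  # packed but legitimate installer: malware-like entropy and import count
]


def _standardise(x: Sequence[float], mean: List[float], std: List[float]) -> List[float]:
    """z-score each feature so import counts do not swamp entropy in the distance."""
    return [(v - m) / s for v, m, s in zip(x, mean, std)]


def fit(samples) -> dict:
    """Training step: learn per-feature scale, then one centroid per class."""
    cols = list(zip(*[s[:-1] for s in samples]))
    mean = [statistics.fmean(c) for c in cols]
    std = [statistics.pstdev(c) or 1.0 for c in cols]  # guard against a constant feature
    centroids = {}
    for label in (0, 1):
        rows = [_standardise(s[:-1], mean, std) for s in samples if s[-1] == label]
        centroids[label] = [statistics.fmean(c) for c in zip(*rows)]
    return {"mean": mean, "std": std, "centroids": centroids}


def score(model: dict, x: Sequence[float]) -> float:
    """Prediction score: > 0 means closer to the malicious centroid than to the benign one."""
    z = _standardise(x, model["mean"], model["std"])
    dist = lambda c: sum((a - b) ** 2 for a, b in zip(z, c))
    return dist(model["centroids"][0]) - dist(model["centroids"][1])


def evaluate(model: dict, samples, threshold: float = 0.0) -> Tuple[float, float]:
    """Returns (TPR, FPR) when everything scoring >= threshold is called malicious."""
    tp = fp = tn = fn = 0
    for *x, y in samples:
        pred = 1 if score(model, x) >= threshold else 0
        if y == 1:
            tp += pred
            fn += 1 - pred
        else:
            fp += pred
            tn += 1 - pred
    return tp / (tp + fn), fp / (fp + tn)


def roc_points(model: dict, samples) -> List[Tuple[float, float]]:
    """Sweeps the threshold over every observed score and collects (FPR, TPR) operating points."""
    points = []
    for t in sorted({score(model, x) for *x, _ in samples}, reverse=True):
        tpr, fpr = evaluate(model, samples, t)
        points.append((fpr, tpr))
    return points


def tpr_at_fpr(points: List[Tuple[float, float]], max_fpr: float) -> float:
    """Best detection rate reachable without exceeding the allowed false-positive rate."""
    return max((tpr for fpr, tpr in points if fpr <= max_fpr), default=0.0)


if __name__ == "__main__":
    m = fit(TRAIN)
    print("default threshold (TPR, FPR):", evaluate(m, TEST))
    print("TPR at FPR 0:", tpr_at_fpr(roc_points(m, TEST), 0.0))
```

With the default threshold the packed installer is a false positive (FPR 1/3 on the constructed test set), while moving the threshold up to the point where FPR is 0 still keeps TPR at 1.0; the chart’s left-is-best axis is exactly this choice of operating point, and a production classifier is tuned to a target FPR rather than to a score of zero.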
14,709
Pop Quiz Hotshots
A. The number of bad jokes in this presentation
B. Number of times users said, “I didn’t click on anything” in a month
C. The number of *reported* vulnerabilities in 2017
D. Sum total of the calories in a single IHOP crepe breakfast
Exploit: … any method to gain unauthorized access to computers, the act itself of a hacking attack, or a hole in a system's security that opens a system to an attack.
The Attack Chain
[Figure: Preparation (heap spray) → Triggering (memory corruption, e.g. use after free) → Gain Control (stack pivot) → Circumvent DEP (ROP) → Post (call OS function; payload drop, in-memory or on disk; then exfiltration, ransom, or other). Antivirus is marked only at the payload stage, the end of the chain.]
• Most exploit-based attacks consist of 2 or more techniques
• Exploit techniques do not change and are mandatory to exploit existing and future software vulnerabilities
• Stop the exploit, stop the attack
Exploit and Active Adversary Techniques
• Enforce data execution prevention
• Mandatory address space layout randomization
• Bottom-up ASLR
• Null page dereference
• Heap spray allocation
• Dynamic heap spray
• Stack pivot and stack exec (memory protection)
• Stack-based ROP (caller)
• WOW64
• Structured exception handling overwrite (SEHOP)
• Import address table filtering (IAF)
• Load library
• Reflective DLL injection
• Malicious shellcode
• VBScript god mode
• APC protection (DoublePulsar / AtomBombing)
• Process privilege escalation
• Meterpreter shell detection
• Syscall
• Hollow process
• DLL hijacking
• Squiblydoo AppLocker bypass
• Credential theft protection
• Code cave mitigation
• MITB protection (Safe Browsing)
• Malicious traffic detection
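The first two items in the list, data execution prevention and ASLR, are the mitigations the attack chain’s “Circumvent DEP” and “Gain Control” stages exist to defeat, and the cheapest defensive check is whether a binary opts into them at all. The following added example is not Sophos code and is not from the whitepaper: it reads the DllCharacteristics word of a PE optional header using only the standard library and reports DEP (NX_COMPAT), ASLR (DYNAMIC_BASE), high-entropy 64-bit ASLR and Control Flow Guard. The flag values are the ones defined in the PE/COFF specification; the stub image builder is a constructed, header-only PE so the check can run offline without a real executable.

```python
import struct
from typing import Dict, List

# IMAGE_DLLCHARACTERISTICS_* bits as defined in the PE/COFF specification.
HIGH_ENTROPY_VA = 0x0020  # 64-bit image can use the full high-entropy address space
DYNAMIC_BASE = 0x0040     # image may be relocated at load time (ASLR)
NX_COMPAT = 0x0100        # image is DEP/NX compatible
GUARD_CF = 0x4000         # image carries Control Flow Guard instrumentation

_OPTIONAL_HEADER_MAGICS = (0x10B, 0x20B)  # PE32, PE32+


def dll_characteristics(image: bytes) -> int:
    """Walks MZ header -> PE signature -> COFF header -> optional header and returns DllCharacteristics."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20  # skip the 4-byte signature and the 20-byte COFF file header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in _OPTIONAL_HEADER_MAGICS:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 of the optional header for both PE32 and PE32+.
    return struct.unpack_from("<H", image, opt + 70)[0]


def mitigation_report(image: bytes) -> Dict[str, bool]:
    """Maps the opt-in bits to the mitigation names used on the slide."""
    dc = dll_characteristics(image)
    return {
        "DEP": bool(dc & NX_COMPAT),
        "ASLR": bool(dc & DYNAMIC_BASE),
        "HighEntropyVA": bool(dc & HIGH_ENTROPY_VA),
        "CFG": bool(dc & GUARD_CF),
    }


def missing_mitigations(image: bytes) -> List[str]:
    """Names of mitigations the binary does not opt into, sorted for stable reporting."""
    return sorted(name for name, present in mitigation_report(image).items() if not present)


def build_stub_pe(flags: int, pe32plus: bool = True) -> bytes:
    """Constructed header-only PE image (no sections, not loadable) for offline testing."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature right after the DOS header
    opt_size = 0xF0 if pe32plus else 0xE0
    machine = 0x8664 if pe32plus else 0x14C
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (0x22 = executable, large-address-aware)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, flags)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    hardened = build_stub_pe(NX_COMPAT | DYNAMIC_BASE | HIGH_ENTROPY_VA | GUARD_CF)
    legacy = build_stub_pe(0, pe32plus=False)
    print("hardened:", mitigation_report(hardened))
    print("legacy is missing:", missing_mitigations(legacy))
```

A set bit means the image opts in; it does not guarantee the runtime outcome. The list’s “Mandatory address space layout randomization” item is the other half of the story: an OS policy or an endpoint agent can force relocation of an image that lacks DYNAMIC_BASE, so this check describes the binary’s own posture and belongs alongside, not instead of, the enforcement on the host.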
Exploits Explained Whitepaper
Ransomware: “Hey man, I got this great file encryption, ya wanna try it?”
Homework! Google: Sophos SamSam
Intercepting Ransomware with CryptoGuard
• Monitor File Access: suspicious file changes are detected; cryptography events
• Attack Detected: malicious process is stopped; investigate the process history
• Rollback Initiated: original files restored; malicious files removed
• Forensic Visibility: user message; admin alert; root cause analysis details available
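The four stages above (monitor file access, detect the attack, roll back, keep forensic detail) can be shown end to end with a small added simulation. This is not CryptoGuard’s code and does not describe its internals: the entropy-based scoring, the three-strikes threshold, the per-process snapshot cache and the in-memory “disk” are all assumptions made so the example runs offline. It watches write events, keeps a copy of each file as it was before a process first touched it, stops a process that rewrites several files with ciphertext-like content, restores everything that process wrote, and records what it saw for later investigation.

```python
import hashlib
import math
from collections import defaultdict
from typing import Dict, List, Optional, Tuple


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: about 8.0 for ciphertext or compressed data, about 4 to 5 for English text."""
    if not data:
        return 0.0
    counts: Dict[int, int] = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def pseudo_random_bytes(seed: bytes, size: int) -> bytes:
    """Deterministic high-entropy filler standing in for ciphertext (constructed, not real encryption)."""
    out, block = b"", seed
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:size]


class CryptoGuardLikeMonitor:
    """Hypothetical file-access monitor: scores writes, stops a process that rewrites too many
    files with ciphertext-like content, and rolls back every file that process touched."""

    def __init__(self, high_entropy: float = 7.0, min_delta: float = 2.0, max_strikes: int = 3):
        self.high_entropy = high_entropy  # bits/byte above which content looks encrypted
        self.min_delta = min_delta        # required entropy jump versus the previous content
        self.max_strikes = max_strikes    # suspicious files per process before responding
        self.disk: Dict[str, bytes] = {}  # simulated filesystem: path -> current content
        # (pid, path) -> content before that process first wrote the file; None = did not exist
        self.originals: Dict[Tuple[int, str], Optional[bytes]] = {}
        self.strikes: Dict[int, List[str]] = defaultdict(list)
        self.touched: Dict[int, set] = defaultdict(set)
        self.blocked: set = set()
        self.alerts: List[dict] = []

    def on_write(self, pid: int, image: str, path: str, new_content: bytes) -> str:
        """Returns 'allowed', 'blocked' (this write triggered the response) or 'denied'."""
        if pid in self.blocked:
            return "denied"  # a stopped process gets no further writes
        old = self.disk.get(path)
        self.originals.setdefault((pid, path), old)  # snapshot before this pid's first change
        self.disk[path] = new_content
        self.touched[pid].add(path)

        e_old = shannon_entropy(old or b"")
        e_new = shannon_entropy(new_content)
        if e_new >= self.high_entropy and e_new - e_old >= self.min_delta:
            self.strikes[pid].append(path)  # a plaintext file just became ciphertext-like
        if len(self.strikes[pid]) >= self.max_strikes:
            self._respond(pid, image)
            return "blocked"
        return "allowed"

    def _respond(self, pid: int, image: str) -> None:
        """Attack detected: stop the process, restore what it wrote, keep the evidence."""
        self.blocked.add(pid)
        restored = []
        for path in sorted(self.touched[pid]):
            original = self.originals[(pid, path)]
            if original is None:
                self.disk.pop(path, None)  # the process created it: remove the dropped file
            else:
                self.disk[path] = original
            restored.append(path)
        self.alerts.append({"pid": pid, "image": image,
                            "evidence": list(self.strikes[pid]), "restored": restored})


def run_scenario():
    """Constructed timeline: a word processor edits notes, then an unknown binary encrypts them."""
    mon = CryptoGuardLikeMonitor()
    notes = b"Meeting notes for Monday. Action items: budget, hiring, renewals.\n" * 64
    docs = [f"C:/Users/alice/Docs/note{i}.txt" for i in range(4)]
    for path in docs:
        mon.on_write(1001, "winword.exe", path, notes)
    benign_edit = mon.on_write(1001, "winword.exe", docs[0], notes.replace(b"Monday", b"Friday"))
    outcomes = [mon.on_write(4242, "invoice.pdf.exe", path, pseudo_random_bytes(path.encode(), 4096))
                for path in docs]
    return mon, benign_edit, outcomes


if __name__ == "__main__":
    monitor, edit, results = run_scenario()
    print(edit, results)
    print(monitor.alerts)
```

The snapshot is keyed by process and path on purpose: rolling back to the file’s state before the malicious process touched it keeps the legitimate edit made earlier by the word processor, whereas a single global “first version” cache would undo the user’s own work. The alert record is the forensic-visibility stage: which image, which files triggered the verdict, and what was restored.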
Root Cause Analysis – EDR – Endpoint Detection & Response: Understanding the Who, What, When, Where, Why and How
Intercept X w/ EDR: Investigate with SophosLabs Threat Intelligence
• Access latest threat intelligence from SophosLabs
• AI analysis of suspicious files
• Explore machine learning analysis
Sophos Intercept X: The Power of the Plus
[Figure: known threats → Foundational; ransomware → CryptoGuard; unknown executables → Deep Learning; exploits & file-less techniques → Anti-exploit]
How Mobile Devices are Lost/Stolen (Matt was here in 2017)
[Figure: left in public space; taken from house or car; stolen at restaurant; taken at nightclub]
Traditional Device Management vs Container-only Management: Containerize!
[Figure: two phones holding both personal and business data, one under traditional device management and one under container-only management]
Mobile Threats Are Real…
[Figure: two bar charts of yearly sample counts from 2012 to 2017 (est), one for Android malware and one for potentially unwanted applications. Source: SophosLabs, 2017]
Sophos Mobile Security – Android (and iOS too)
Free Stuff!
Sophos Home (home.sophos.com): manage Windows / Mac computers; same great Sophos endpoint; web content filtering
Free Firewall!*
*Bring your own hardware with at least 2 NICs
Award-winning computer security news
Thank You