Endpoint Security - HIPS. egambit, your defensive cyber-weapon system. You have the players. We have the game.

Transcription

1 egambit Endpoint Security - egambit, your defensive cyber-weapon system. You have the players. We have the game. TEHTRI-Security

2 Endpoint Security In this document, we will introduce how egambit can help at improving endpoint security, thanks to a Host-based Intrusion Prevention System: egambit-. Based on egambit version 3.1 September 2015

3 About Endpoint Security - Let s focus on Microsoft Windows environment - Windows is one of the main operating systems used in current infrastructures Ø Servers Ø Workstations, Laptops - Attackers spend an incredible time at creating unknown and undetected weapons in order to get illegal remote accesses - The problem is that current defensive technologies like antivirus, anti-malwares, personal firewall, cannot handle intruders alone Ø This explains why most attacks will finally success, thanks to human errors or poor configurations and insecurity Evil link followed, Evil attachment open

4 About egambit - To struggle against potential intruders over your Windows environment, egambit offers an - Host-based Intrusion Prevention System Ø Detection + Prevention in your Windows - This Endpoint Security technology will securely connect your Windows environments to their nearest egambit appliance - Then, egambit will be able to detect weird behaviors, suspicious files, exfiltration of data - egambit is the best friend of your Antivirus, as it will help at catching what is usually missed

5 egambit- overview Standard windows box with Antivirus, Antimalware, Firewall, Proxy, Hardening Remotely owned by attackers. Nothing happens. Stealth attack successful. egambit worldwide cloudbased intelligence Local egambit Engine Data from the ground Remote checks & analysis Proportional Responses Defensive Cyber-weapons Same situation, except that the will detect, report, and answer to the threat.

6 Example based on 2014, November experience SCADA Production network attacked in a multinational company. Unknown Trojan horse [0/57 on Virustotal] with SSL exfiltration. Local egambit Engine egambit results = detection + retaliation 1) Detection of suspicious unknown activity ( engine) 2) Reporting to the worldwide cloud-based intelligence (global analysis) 3) Remote advanced analysis of the Windows (from egambit appliance) IP of attackers retrieved. Evil tools stolen and sent to Sandbox in minutes. 4) TEHTRIS MSSP: alert sent to IT Security expert team from customer (SOC) 5) Mitigation authorized by customer (protection of the SCADA production) Exfiltration path broken. Physical location of attackers found. Offensive weapons remotely broken. Offensive actions broken.

7 These weapons, called defensive missiles, can be enabled or disabled by the customer, to adapt the threat response to the desired level. For increased security, an integrity check is run at each missile reception to avoid running something the customer didn t specifically allowed. EXAMPLES OF DEFENSIVE CYBER-WEAPONS

8 Oletools Support Oletools is a must-have technology created by the well-known security expert Philippe LAGADEC (@decalage2). egambit version 3.1 [September 2015] is fully compatible with Oletools. - Scans of office documents (Word, Excel, Powerpoint) - Automatic scans - Live security analysis of macro-based threats

9 YARA Support YARA is a tremendous technology created by Victor Manual Alvarez (@plusvic) from VirusTotal. Some say YARA is like an, for files+memory. egambit version 3.1 [September 2015] is fully compatible with YARA. - Scans of memory + file system - On-demand scans + Automatic scans - Custom YARA rules supported - Build specific YARA based rules as Indicators Of Compromise (IOC) to scan your whole infrastructure memory during a malware / spyware global hunt

10 Cloud-based intelligence - Live reports from analysis made on the ground in the Windows computers are shared with the nearest egambit appliance - Some results might be sent to a cloud-based intelligence in order to beneficiate from all experiences from worldwide global fighting Ø When a new malware is caught somewhere on earth, all egambit brothers get stronger Ø It s a kind of collective cloud-based artificial intelligence dedicated to IT Security - Example Ø Threats are hunted by more than 50 antiviruses at the same time, with no CPU impact on your Endpoints [More than 50 antiviruses] is stronger than [1 or 2 antiviruses]

11 Defensive cyber-weapon system - Others defensive missiles Ø ARP Spoofing detection Ø Malware persistence detection Ø Running processes scan Ø Web browser insecurity checks Ø Potentially Unwanted Programs checks Ø Local system information gathered Ø Network exfiltration detection Ø Network mitigation missiles Ø System mitigation missiles Ø

12 egambit = Console

13 Compatibility matrix - egambit was successfully running on these environments so far Ø Windows XP Ø Windows 2003 Ø Windows 2008 Ø Windows 2012 Ø Windows 7 Ø - The deployment is pretty easy as it contains hardened auto-configuration protocol and features. Ø Just launch the MSI on your Windows, and the cyber protection against malwares and intruders works alone.

14 Synthesis egambit [Endpoint Security] - Two complementary levels of work Ø Live Intrusion Detection alerts (monitoring) Ø Retaliation and interaction against threats (mitigation) - Multiple skills and features added to your security Ø Follow the activity in your Windows boxes Ø Improve your security and check compliance issues Ø Detect unusual and unwanted programs Ø Follow weird behaviors and anomalies Ø Detect hidden software, insiders threats Ø Retrieve APT, lateral movements, malwares Ø Increase SOC/CSIRT capacities and speed Ø Ease Forensics and Incident Management

15 Join us Ready for innovative solutions against cyber threats?

16 security.com egambit egambit is a product that can monitor and improve your IT Security against complex threats like cyber-spy or cyber-sabotage activities. This product is realized by the TEHTRI-Security company in FRANCE. It is fully designed and developed near Bordeaux, and Paris as well. Created in 2012, the egambit product has already helped companies in China, Brazil, USA and Europe against internal and external cyber threats. In 3 years egambit has already caught billions of events related to security issues worldwide, thanks to the tremendous skills and motivation of expert Consultants working on the project with a real Ethical Hacking spirit. 100% of the source code is within TEHTRIS hands, and it was designed with extended security features. egambit is your defensive cyber-weapon system.

17 egambit Your defensive cyber-weapon system You have the players. We have the game. Let s use egambit in your environment, in order to improve hardening and detection of security issues and incidents.

18 Follow-up Do not hesitate to contact our team TEHTRI-Security Managed Security Service Provider egambit Complete defensive weapon

19