Date posted: 11-Oct-2020
Transcript
Page 1: Social engineering - Deutsche Messe AGfiles.messe.de/abstracts/74870_HODI14_00_AvectoAvanessian.pdf · avecto.com © 2017 Avecto Inc. › Off the shelf malware › Licenses and support

© 2017 Avecto Inc.avecto.com

Social engineering


The solution is simple but not sexy!

Presented by: Andrew Avanessian

VP Technology, Avecto

@avecto

@andyavanessian

Page 2

Low risk… high reward

Page 3

› Off the shelf malware

› Licenses and support

› Hard to trace

It’s easy to become a criminal

Don’t get ideas!

Page 4

Phishing

80% of workers fail to spot phishing emails.

Untargeted attacks have a yield of circa 1%.

Targeted attacks have a yield of 75%+.

Page 5

“Companies spend millions on firewalls, encryption and secure access devices, it’s money wasted, because none of these measures address the weakest link in the security chain.”

Kevin Mitnick, former hacker

250% increase in phishing sites and related email traffic in Q1 2016 vs 2015

Page 6

The Endpoint Security Paradox

Diagram: a scale running from 100% FREEDOM (OPEN, marked EASY) to 100% SECURITY (LOCK DOWN, marked EASY); the ground between the two extremes is marked Hard.


Page 13

Detection doesn’t work!


Page 14

Why is detection failing?

› Attacks are hard to identify
  › 99% of unique MD5 hashes are being seen for 58 seconds or less*
› Attacks are unique & highly personal
  › Only a 3% overlap in threat intelligence feeds*
› Attackers have a disproportionate advantage
› Adaptation and change is slow

327 new threats every minute = more than 5 per second

In 60% of cases, attackers are able to compromise an organization within minutes

*Verizon DBIR 2016

Page 15

AV test

› Take an old exploit – 100% AV detection
› Change the code: “execute” > “ex” + “ecu” + “te”
  Method m = stat.getClass().getMethod("ex"+"ecu"+"te");
› Now 12% of AVs detect
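The detection-side counterpart of the split-string trick on this slide, as an added example that is not from the deck or from Avecto: a small Python scanner that constant-folds adjacent Java string literals joined by "+" before matching a watch-list of reflective method names, so that a literal-only signature and a normalised check can be compared on the same input. The sample source lines, the watch-list and the helper names are constructed for this illustration. The fourth sample also shows the limit the deck is pointing at: once part of the name is carried in a variable, literal matching fails again, which is the argument for prevention over signature detection.

```python
import re

# Constructed sample Java source lines (not from the slides); the second
# mirrors the split-string form shown on the slide, the others vary it.
SAMPLES = [
    'Method m = stat.getClass().getMethod("execute");',
    'Method m = stat.getClass().getMethod("ex"+"ecu"+"te");',
    'Method m = stat.getClass().getMethod("ex" + "ecu" + "te" );',
    'String s = "ex"; Method m = stat.getClass().getMethod(s + "ecute");',
    'Method m = stat.getClass().getMethod("toString");',
]

# Hypothetical watch-list of reflective targets a reviewer wants flagged.
WATCHLIST = {"execute", "exec", "getRuntime"}

# One double-quoted literal, allowing escaped characters inside it.
_LIT = r'"((?:[^"\\]|\\.)*)"'
# Two adjacent literals joined by '+'. This is a regex heuristic over a
# single line, not a Java parser; it is enough for the pattern under test.
CONCAT = re.compile(_LIT + r'\s*\+\s*' + _LIT)


def fold_string_concats(line: str) -> str:
    """Constant-fold "a"+"b" into "ab" until no literal-literal joins remain."""
    prev = None
    while prev != line:
        prev = line
        line = CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', line)
    return line


def naive_match(line: str) -> bool:
    """Signature-style check: is a watch-listed name present as one literal?"""
    return any('"%s"' % name in line for name in WATCHLIST)


def folded_match(line: str) -> bool:
    """The same check, applied after folding literal concatenations."""
    return naive_match(fold_string_concats(line))


def scan(lines):
    """Return (index, naive_hit, folded_hit) for every line."""
    return [(i, naive_match(l), folded_match(l)) for i, l in enumerate(lines)]


if __name__ == "__main__":
    for i, naive, folded in scan(SAMPLES):
        print(f"line {i}: naive={naive} folded={folded}")
```

Folding is repeated until the line stops changing, so any number of "+" joins collapses to one literal; the variable-based split in the fourth sample is untouched by design, and a scanner that wanted to catch it would need data-flow tracking rather than string matching.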

Page 17

Good advice is hard to follow


Page 18

Industry advice

470,880 new threats discovered per day

Implementing these 4 strategies mitigates 85% of cyber threats¹:

1 Application whitelisting
2 Application patching
3 OS patching
4 Reducing admin users

¹ Australian Government’s Defence Signals Directorate, Strategy paper

Page 19

Perception vs. Reality

Ponemon ranking of security controls:

1 Intrusion prevention (network)
2 Intrusion prevention (host)
3 Web content filtering
4 Email content filtering
5 Multi-factor authentication
6 Operating system patching
7 Application whitelisting
8 Perimeter firewalls
9 Application patching
10 Up-to-date antivirus
11 Data loss prevention
12 Reducing admin users

ASD¹ ranking positions shown alongside the Ponemon list: 1, 2, 3, 4, 8, 11, 12, 17, 18, 26, 30, 33

“It is ironic in the security world that we keep looking for the ‘bad’—even though it is infinite—without focusing on known good, which is finite and achievable via whitelisting.”

John Stewart, Global Cyber Security Center

¹ Australian Signals Directorate – Top 4 Mitigation Strategies To Protect Your ICT System & Australian Signals Directorate – Strategies To Mitigate Targeted Cyber Intrusions. ² Verizon DBIR 2016

Page 20

Foundational security that just works

Start with the basics…

O/S System Security
› O/S System Configuration & Hardening
› O/S System Exploit Mitigation

Patch Management
› O/S System Patching
› Application Patching

Application Security
› Application Configuration & Hardening
› Application Execution Control
› Application Privilege Management
› Application Isolation

At least 85% of targeted cyber attacks used unsophisticated techniques that can be mitigated by prevention alone (ASD)

470,880 new threats discovered per day

Anti-Malware
› Signature-based
› Heuristics or Behavioural
› Machine learning

Monitoring
› Analysis-based
› IOC Signature Based

D&R
› Post Compromise

Annotations against the detection layers: Skills / Demand, Never 100% protection, Fail frequently, Diminishing effectiveness, Threat Information Overload

Page 21

Prevention is possible


Page 22

PROACTIVE ENDPOINT SECURITY

Only vendor to combine three proactive capabilities:

PRIVILEGE MANAGEMENT

APPLICATION CONTROL

CONTENT ISOLATION

Page 23

Creating solid foundations

Multi-layered security to stop cyber attacks at the endpoint (layers around DATA):
› Prevent escalation
› Reduce known threats
› Block payloads
› Contain threats

Page 24

Attack vector mitigation

Mitigation columns (the tick marks of the matrix did not survive extraction): Content isolation, Application whitelisting, Least privilege, Patching, Anti-malware

Attack vectors (rows):
› Known malware
› Known exploits
› Replace OS files (start/stop services)
› Exposing networks to malware (DDoS)
› System wide config changes
› Install unauthorized / licensed software
› Manipulate user accounts & passwords (PtH attacks)
› Disable/uninstall security software/policies
› Data leakage
› Install malware (e.g. rootkits)
› Social engineering email/installs
› Infected content on external media
› APTs/exploit kits drop files to disk (payloads)
› Unknown user-installed apps (portable)
› Document based attacks (macros, active script)
› Theft of corporate data (IPR)
› Prevents “fileless malware” (in memory)
› Zero day browser/app exploits

Supporting figures:
› 99.9% of vulnerabilities were compromised a year after CVE published
› ~90% of malware unique to an organization
› 85%+ Windows exploits mitigated by removing admin rights
› 55% of insider threats is privilege abuse
› 97%+ of threat intel is unique

Page 25

Handling the unknown

Malicious attacks attempt to:
1 Drop executable payloads
2 Access admin rights
3 Steal user data
4 Exploit built-in or whitelisted tools

“The foundation of any information security protection architecture should start by reducing the surface area of attack by using a combination of techniques”

Page 26

Implementing success


Page 27

Security scale (0 = min security, 10 = max security)

0 – Min security:
› All users are LARs
› Unknown apps allowed
› Unknown content allowed
› Ransomware and malicious software allowed
› Security policies & software easily bypassed
› No control of software installs

7 – Defendpoint baseline policy (Defendpoint increases security from day 1):
› Standard user privileges
› Privileged apps have custom tokens
› Trusted apps individually identified
› Untrusted apps blocked
› Untrusted content isolated

10 – Max security:
› Workstyles applied based on role
› Only apps requiring admin rights are elevated
› Trusted applications seamlessly identified
› Untrusted applications are blocked
› Untrusted content is isolated
› Customisable & secure justification messaging
› Accurate user behaviour data captured
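A worked model of the layered controls these slides describe (the mitigation matrix on page 24, the four attacker goals on page 25 and the baseline policy on this page), as an added example that is not Avecto's code and not Defendpoint's policy format: a toy policy evaluator in Python that applies content isolation, a parent/child block for built-in tools, application control and privilege management in turn to a process launch request, and maps each of the four attacker goals to the layer that stops it. Publisher names, paths, the elevation allow-list, the parent/child pairs and the scenarios are all constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LaunchRequest:
    user: str
    path: str                   # file the user is launching or opening
    publisher: Optional[str]    # code signer, None if unsigned
    parent: str                 # parent process image name
    origin: str                 # "trusted" or "untrusted" (download, email attachment)
    wants_admin: bool           # process asked for elevation


# Constructed baseline policy; hypothetical values, not a real product policy.
TRUSTED_PUBLISHERS = {"Example Corp", "Microsoft Windows"}
TRUSTED_DIRS = ("c:\\program files\\", "c:\\windows\\")
ELEVATION_ALLOWLIST = {"c:\\program files\\exampleadmintool\\admintool.exe"}
BLOCKED_PARENT_CHILD = {("winword.exe", "powershell.exe"), ("excel.exe", "cmd.exe")}
EXECUTABLE_SUFFIXES = (".exe", ".msi", ".ps1")


def image_name(path: str) -> str:
    """Last path component, lower-cased, for parent/child comparisons."""
    return path.rsplit("\\", 1)[-1].lower()


def decide(req: LaunchRequest) -> str:
    """Run the request through the layers in order and return the first verdict."""
    path = req.path.lower()
    child = image_name(path)
    # Layer 1, content isolation: untrusted non-executable content (documents,
    # browser downloads) is opened in an isolated context instead of natively.
    if req.origin == "untrusted" and not path.endswith(EXECUTABLE_SUFFIXES):
        return "isolate"
    # Layer 2, built-in tools spawned by a document handler are blocked outright.
    if (req.parent.lower(), child) in BLOCKED_PARENT_CHILD:
        return "block"
    # Layer 3, application control: only a trusted publisher or trusted location runs.
    trusted = req.publisher in TRUSTED_PUBLISHERS or path.startswith(TRUSTED_DIRS)
    if not trusted:
        return "block"
    # Layer 4, privilege management: standard user by default; elevation only for
    # listed applications, and then with a justification prompt.
    if req.wants_admin and path in ELEVATION_ALLOWLIST:
        return "elevate-with-justification"
    return "run-standard-user"


# Constructed scenarios, one per attacker goal from the slide plus a benign case.
SCENARIOS = {
    "drop executable payload": LaunchRequest(
        "alice", r"C:\Users\alice\Downloads\invoice.exe", None, "explorer.exe", "untrusted", False),
    "access admin rights": LaunchRequest(
        "alice", r"C:\Program Files\ExampleApp\app.exe", "Example Corp", "explorer.exe", "trusted", True),
    "steal user data": LaunchRequest(
        "alice", r"C:\Users\alice\Downloads\invoice.docx", None, "outlook.exe", "untrusted", False),
    "exploit built-in tool": LaunchRequest(
        "alice", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "Microsoft Windows", "winword.exe", "untrusted", False),
    "legitimate admin tool": LaunchRequest(
        "bob", r"C:\Program Files\ExampleAdminTool\admintool.exe", "Example Corp", "explorer.exe", "trusted", True),
}


def evaluate_all() -> dict:
    """Verdict for every scenario, keyed by the attacker goal it represents."""
    return {name: decide(req) for name, req in SCENARIOS.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{name:26s} -> {verdict}")
```

The ordering matters: the payload drop is caught by application control even though the file came from an untrusted origin, the admin request from a trusted application is not blocked but simply runs without elevation, and the PowerShell launch is signed by a trusted publisher yet still stopped because the parent is a document handler, which is the "exploit built-in or whitelisted tools" case that whitelisting alone would miss.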

Page 28

Implementation methodology

*Circle size equates to effort required to complete a stage; a marked stage may involve multiple iterations

PHASE 1 – PROJECT DESIGN
1 Implementation workshop (Client Wintel / Security / Helpdesk)

PHASE 2 – TECH DEPLOY
2 Agent & infrastructure deployment (Wintel engineering)

PHASE 3 – BASELINE DEPLOYMENT
3 Baseline workstyle customisation (Wintel / Security)
4 Internal comms (Comms team)
5 Baseline deployment – Wave 1 (Wintel engineering)
Outcome: baseline policy deployed, security significantly improved

PHASE 4 – LAYERED WORKSTYLES DESIGN
6 Review user behavioural data (Wintel / Security)
7 Design layered workstyles (Wintel / Security)

PHASE 5 – WORKSTYLE DEPLOY
8 Deployment of layered workstyles – Wave 2 (Wintel)

PHASE 6 – PROJECT HANDOVER
9 BAU support (Helpdesk / Wintel)

Page 29

Protect the future, don’t detect the past!


Prevention is possible

@avecto

@andyavanessian

