Transcript of "Integrated endpoint / Automated EDR", a 25-slide presentation by Thierry Gourdin, Head of Presales France, North and West Africa, Kaspersky. Document metadata: title "PowerPoint presentation" (Презентация PowerPoint), author Yana Shevchenko.

Page 1

Integrated endpoint / Automated EDR

Thierry Gourdin – Head of Presales France, North and West Africa

Kaspersky

Page 2

Modern threats landscape

STEALTHY & EVASIVE: Leveraging legitimate tools & fileless threats for malicious ends

COMPLEX & PERSISTENT: Multiple Kill Chain phases, iterating phases multiple times

HIGH IMPACT: Enterprises are lucrative for attackers (e.g. popularity of ransomware)

Organizations recognize:

The rise in threat numbers

The growing complexity of attack scenarios

The financial impact of threats

Compliance issues that must be dealt with

Page 3

Today's organizational challenges

Every business needs to be able to stop complex threats… …despite the global shortage of IT security personnel and expertise.

70% of companies find it hard to hire skilled personnel in multiple IT-security roles*

When resources are limited, businesses need to:
• Leverage the most automation
• Use precious resources for value-added activity
• Add additional capabilities to counter today's threat landscape
• Augment in-house staff with managed services

*Source: Cybersecurity Through the CISO's Eyes: Perspectives on a Role, 451 Research, 2019

Page 4

[Diagram: threat tiers matched to defense levels and to the team that operates them]

Threat tiers: 1. Broader threat landscape; 2. Advanced threats and targeted attacks; Targeted campaigns and cyber weapons

Defense levels: Security Foundations (Integrated cybersecurity); Advanced Defense; Anti Targeted Attack Platform

Products and capabilities: Automated EDR; EDR Optimum (Automated Optimum EDR); Expertise; Servers

Operating teams: IT Manager; IT Security Manager; Mature IT Security Team or SOC

Other labels: People, Data, Support, Network, Intelligence, Privacy

Page 5

What do we at Kaspersky mean by Automated EDR?

Comparison rows: Advanced detection; Response actions to detected threats; Visibility; IoC search; Threat hunting

Traditional primary EDR capabilities:
• Only executable hash-scan
• Detects information, but does not support root cause analysis

Kaspersky response based on automated EDR capabilities:
• Advanced detection of vulnerabilities and unknown threats using multi-layered engines based on behavior analysis: Fileless Threat Detection, Adaptive Anomaly Control, Exploit and Vulnerability Detection, Threat Intelligence (KSN), etc.
• Automated response and recovery (remote connection, threat blocking, quarantine, roll-back, blocking based on KSN verdicts, etc.)
• IoC search: + Optimum EDR
• Threat hunting: + EDR Expert

KESB with Automated EDR defends every endpoint on the infrastructure against complex threats. This is much more effective than using traditional EDR functionality enabled selectively only on critical endpoints due to financial or resourcing constraints.

Automated EDR is positioned for businesses without specific IT security expertise, and where manual threat hunting tools would be of no value.

Page 6

(Repeat of the Page 5 slide: What do we at Kaspersky mean by Automated EDR?)

Page 7

An advanced suite with Automated EDR

Improved detection and automated response to advanced threats! No additional investment in staff and in-house expertise!

• Remediation Engine
• Exploit Detection
• Behavior Detection
• Adaptive Anomaly Control
• Vulnerability Detection / Patch Management
• Automatic Sandbox

Page 8

Kaspersky Endpoint Protection Components

POWERFUL MULTI-LAYERED PROTECTION FROM ALL FORMS OF CYBER-THREAT

• Firewall
• Network Threat Protection
• File, Web, Mail Threat Protection
• Heuristics Scanning
• Cloud-enabled Protection
• Exploit Prevention
• Behavioural Detection
• Remediation Engine
• Anti-Cryptor

The best security foundation possible: Kaspersky industry-leading protection against known, unknown and advanced threats

Page 9

Limit the ATTACK SURFACE

"An attack surface is the total sum of vulnerabilities that can be exploited to carry out a security attack"

Access to the vulnerability status of your environment with simple reporting and real time results, without introducing complex hardware or time consuming scans.

• REALTIME OR ON-DEMAND VULN. SCAN
• DETECTION AND PRIORITIZATION OF VULNERABILITIES: MS and non-MS applications
• DISTRIBUTES RELEVANT UPDATES TO DEVICES AND INSTALLS, PATCHING THE VULNERABILITIES: MS and non-MS applications

Page 10

Reducing your risk of falling victim to a targeted attack

Unparalleled defense against
• Fileless threats
• PowerShell and script-based attacks
• Software exploits
• Web miners and threats
• Ransomware
• Mobile malware
• Advanced threats

Unlike products from our leading competitors, we also provide:
• Automated EDR
• Unified security management
• Integration with your systems
• Multi-layered protection
• Hardening and zero trust
• Visibility & inventory

Page 11

Network Security Monitoring & IT Hygiene

You need to be prepared to face any and all attacks — but you can't fix what you can't see.

WHAT ENDPOINTS (PHYSICAL, VIRTUAL) ARE ON MY NETWORK?
WHAT APPLICATIONS ARE MY USERS RUNNING?
WHICH CONNECTIONS ARE ACTIVATED ON MY ENDPOINT?

Capabilities: FULL HARDWARE INVENTORY; FULL SOFTWARE INVENTORY; ANTI SPOOFING; ANTI-BRIDGING, WIFI CONTROL; KSN

• See what apps are CURRENTLY running on which hosts
• Eliminate unprotected and unmanaged systems
• Real-time application and hardware inventory
• Block unwanted connections, devices, applications

Page 12

(Repeat of the Page 5 slide: What do we at Kaspersky mean by Automated EDR?)

Page 13

Kaspersky Sandbox

• Dynamic threat emulation
• Minimal impact on productivity
• Multiple operation modes
• Evasion prevention
• Automatic IoC generation
• Automatic scan & prevention

Detect complex threats: zero-day exploits, new and unknown threats, attacks designed to bypass EPP

Page 14

Kaspersky Sandbox Asynchronous Mode

[Diagram: Endpoint → Kaspersky Sandbox (test virtual machines with Internet access) → verdict → Kaspersky Security Center / Kaspersky Endpoint Security for Business]

Source of object: the endpoint; Kaspersky Endpoint Security for Business sends the object to the sandbox.

Collect → Analyze → Get verdict
• Emulation on test virtual machines: counter evasion techniques; several emulation modes; user actions modeling
• Collect artifacts
• Analysis: monitoring interaction with internet resources; module loading
• Verdict: sent to Kaspersky Security Network and to Kaspersky Endpoint Security for Business

Outcome: automatic prevention; automatic IoC generation and infrastructure scanning

Page 15

What actions can be done by KSB

Components: Kaspersky Sandbox; Kaspersky Endpoint Security for Business Agents; Kaspersky Security Center

Local
• Notify user
• Push Critical Area scan
• Remove and quarantine

Group
• Find indicators of compromise on managed group
— Remove and quarantine after indicators of compromise found
— Push critical area scan after indicators of compromise found

Page 16

Sandbox Advantages

Low profile: Some samples just won't work if the presence of a security solution is detected. This can result in malware that was tested against AV being passed on to an unprotected workstation.

Detection rate increase: The DR increase has many causes.

Malware testing: Threat actors always test new samples before spreading them in the wild.

Farms: Threat actors often have farms for testing threats against known endpoint security solutions. But they don't have exclusive tools, such as Sandbox.

Page 17

Sandbox Advantages

Dumps, dropped and downloaded files: Memory dumps can be scanned. On endpoints this can cause performance issues. Drops and downloads are correlated with the original sample.

Isolated environment: Activities and artifacts within the SB are related to sample execution and can be analyzed.

Traffic: All traffic (outgoing as well) gathered during execution on the SB is scanned with a comprehensive set of Snort/Suricata rules. The SB can decrypt traffic freely, unlike endpoint security solutions.

Activities: Activities of all processes can be used for detection easily. Endpoint solutions have to treat trusted processes with caution to avoid interrupting the user's work.

Page 18

Migration or coexistence: it's your decision with a New Cloud Console

We continue to support scenarios where some users still need to be managed by an on-premises installation.

But with our new SaaS offering, we take care of console upgrades and much more - at no extra cost.

Page 19

Unified Security Management

› Unified management for both protection and systems management.
› Available to manage via either an on-premise or web console.
› Management of multiple products and solutions under one 'pane of glass'.

• Mobile Device Protection
• Workstation Protection
• Hybrid Cloud Protection
• Server Protection
• SCADA Protection
• Embedded Systems Protection
• Application Control
• Vulnerability Assessment
• Patch Management
• OS Deployment
• SIEM Integration
• Remote Access
• Data Encryption
• NAS Storage Protection
• SAN Storage Protection
• Web Control
• Device Control
• Application Deployment

Page 20

Integrated Proposal for the Mainstream Market

• Visibility across endpoints
• Automated root cause analysis
• Threat evidence discovery
• In-depth dynamic analysis (automatic sandbox detect)
• A range of response actions
• Behavior detection & machine learning
• Adaptive anomaly control
• Exploit & fileless protection
• Vulnerability assessment & patch management
• Remediation engine

Maximum Automation. Simple to operate.

UNIFIED CONSOLE

Page 21

Maximizing the number of incidents processed, without increasing your manpower costs

[Diagram: EDR Optimum, Kaspersky Security Center, Automated Sandbox, SIEM and endpoint agents]

EDR Optimum
• Attack spread path
• Full info on the incident
• Undemanding and time efficient IoC scan
• Automated and 'single click' response

Automated Sandbox
• Dynamic threat emulation
• Automatic scan & prevention
• Automatic IoC generation
• Multiple operation modes

Kaspersky Security Center
• Alerts management
• Status & updates
• Health check
• Central management

SIEM
• Export in CEF format

Endpoint agents
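The slide above lists SIEM integration through export in CEF format. The following is an added example, not Kaspersky's code: it serializes a constructed EDR detection event as a CEF line with the format's escaping rules and parses it back; the vendor, product and version strings, host name, file path and extension keys are placeholders, not the fields Kaspersky Security Center actually emits.

```python
import re

def _esc_header(value):
    # Header fields must escape backslash and the pipe delimiter.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")

def _esc_ext(value):
    # Extension values escape backslash, '=' and line breaks (as literal \n).
    v = str(value).replace("\\", "\\\\").replace("=", "\\=")
    return v.replace("\r\n", "\\n").replace("\n", "\\n").replace("\r", "\\n")

def to_cef(vendor, product, version, event_id, name, severity, ext):
    """Serialize one event as a CEF:0 line; ext is a dict of extension keys."""
    if not 0 <= int(severity) <= 10:
        raise ValueError("CEF severity must be 0..10")
    header = "|".join(_esc_header(x) for x in (vendor, product, version, event_id, name, severity))
    extension = " ".join(f"{k}={_esc_ext(v)}" for k, v in ext.items())
    return f"CEF:0|{header}|{extension}"

def _split_header(s, nfields):
    # Split the first nfields on unescaped '|', resolving escapes; the rest stays raw.
    parts, cur, i = [], [], 0
    while i < len(s) and len(parts) < nfields:
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            cur.append(s[i + 1]); i += 2
        elif c == "|":
            parts.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(c); i += 1
    parts.append(s[i:])  # remainder is the extension, still escaped
    return parts

def parse_cef(line):
    """Parse a CEF line back into its header fields and an extension dict."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    fields = _split_header(line[4:], 7)
    if len(fields) != 8:
        raise ValueError("CEF header needs 7 pipe-delimited fields")
    _, vendor, product, version, event_id, name, severity, raw = fields
    ext, keys = {}, list(re.finditer(r"(?:^|\s)(\w+)=", raw))  # keys end at an unescaped '='
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(raw)
        val = raw[m.end():end]
        ext[m.group(1)] = re.sub(r"\\(.)", lambda x: "\n" if x.group(1) == "n" else x.group(1), val)
    return {"vendor": vendor, "product": product, "version": version,
            "event_id": event_id, "name": name, "severity": severity, "ext": ext}

# Constructed sample detection; host, path and values are placeholders, not real IoCs.
SAMPLE = {"rt": "1700000000000", "dhost": "ws-042.example.test",
          "fname": "C:\\Users\\alice\\Downloads\\invoice.js", "act": "quarantine",
          "msg": "verdict=malicious\nsource=sandbox emulation"}

def build_sample():
    return to_cef("Kaspersky", "Security Center", "0.0", "EDR-DETECT", "Sandbox verdict | quarantined", 8, SAMPLE)
```

The round trip matters because a SIEM that splits on raw pipes or equals signs would silently truncate the file path or message; escaping on export and unescaping on ingest keeps the incident record intact.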

Page 22

OPTIMUM EDR

Comparison rows: Advanced detection; Response actions to detected threats; Visibility; IoC search; Threat hunting

Traditional primary EDR capabilities:
• Only executable hash-scan
• Detects information, but does not support root cause analysis

Kaspersky response based on automated EDR capabilities:
• Advanced detection of vulnerabilities and unknown threats using multi-layered engines based on behavior analysis: Fileless Threat Detection, Adaptive Anomaly Control, Exploit and Vulnerability Detection, Threat Intelligence (KSN), etc.
• Automated response and recovery (remote connection, threat blocking, quarantine, roll-back, blocking based on KSN verdicts, etc.)
• IoC search: + Optimum EDR
• Threat hunting: + EDR Expert

KESB with Automated EDR defends every endpoint on the infrastructure against complex threats. This is much more effective than using traditional EDR functionality enabled selectively only on critical endpoints due to financial or resourcing constraints.

Automated EDR is positioned for businesses without specific IT security expertise, and where manual threat hunting tools would be of no value.

Page 23

Kaspersky EDR Optimum

Visibility and response
• Kill chain visualization
• Full info on the incident
• Automated and manual response
• Root cause analysis
• Automated creation and scan for IoCs
• No additional hardware required

Page 24

Optimized EDR

Labels on the slide: Connections; Process injection; File drops; Registry key modifications; Anomalies in user behavior

After detecting a threat, response options include:

Kaspersky EDR Optimum combines high levels of automation, including processes like importing and generating IoCs, initiating further scans and responding to incidents, with single-click manual response options.

Page 25

Thank you!

Questions?

kaspersky.com

Thierry Gourdin – Head of Presales France, North and West Africa