CASB: The New Generation of Security and Threat Protection
Paolo Passeri
Solutions Architect
Yesterday
2018 © Netskope confidential. All rights reserved.
Today
There are 25,000+ enterprise cloud services today
1,000+ Cloud Services Per Enterprise – How Do They Get In?
New Technology Challenges, New Risks
[Diagram: risks to data – Disrupt, Destroy, Extort, Exposure, Access, Theft]
INTERNAL RISK
• Sensitive data shared publicly
• Download to personal device
• Exfiltration via unsanctioned cloud
EXTERNAL RISK
• Malware upload to sanctioned cloud
• Ransomware via cloud
• Cloud account hijacking
Cloud Security Use Cases
1. Understand which cloud applications are being used and their risk
Web proxy log data is analysed to produce a view of uploaded data and enterprise readiness per application:
Application            Uploaded Data   Enterprise Readiness
Salesforce             950GB           High
Converter              450MB           Poor
Microsoft Office 365   300MB           High
LinkedIn               200MB           Medium
Facebook               20MB            Low
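The discovery table above is what a CASB derives from proxy logs. The following is an added example, not Netskope code, of that derivation: it parses constructed proxy log lines, sums bytes uploaded (POST/PUT) per cloud application, and joins the result with an assumed, hypothetical hostname-to-application catalogue carrying an enterprise-readiness rating. The log format, hostnames, catalogue and ratings are all constructed for the example; unknown hosts are surfaced rather than dropped, since shadow IT is exactly the traffic that is not in the catalogue.

```python
"""Added example (not Netskope code): summarise cloud-app usage from web proxy logs."""
import re

# Constructed sample proxy log lines: timestamp user method host bytes_out bytes_in
SAMPLE_LOGS = """\
2018-03-01T09:12:01Z alice POST na1.salesforce.com 734003200 1024
2018-03-01T09:15:44Z bob POST online-convert-files.example 471859200 2048
2018-03-01T09:20:10Z carol PUT contoso-my.sharepoint.com 314572800 512
2018-03-01T09:31:02Z dave POST www.linkedin.com 209715200 4096
2018-03-01T09:40:27Z erin POST upload.facebook.com 20971520 256
2018-03-01T09:41:00Z frank GET www.linkedin.com 0 8192
2018-03-01T09:42:00Z grace POST na1.salesforce.com 262144000 1024
this line is malformed and must be skipped
"""

# Assumed, hypothetical catalogue: hostname suffix -> (application, enterprise readiness)
APP_CATALOG = {
    "salesforce.com": ("Salesforce", "High"),
    "sharepoint.com": ("Microsoft Office 365", "High"),
    "linkedin.com": ("LinkedIn", "Medium"),
    "facebook.com": ("Facebook", "Low"),
    "online-convert-files.example": ("Converter", "Poor"),
}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<out>\d+) (?P<in>\d+)$"
)


def classify_host(host):
    """Map a hostname to a catalogued app; uncatalogued hosts are reported as 'Unknown'."""
    for suffix, (app, rating) in APP_CATALOG.items():
        if host == suffix or host.endswith("." + suffix):
            return app, rating
    return host, "Unknown"


def summarise(log_text):
    """Aggregate uploaded bytes and distinct users per application, largest uploader first."""
    agg = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than abort the whole report
        app, rating = classify_host(m["host"])
        entry = agg.setdefault(app, {"uploaded_bytes": 0, "users": set(), "readiness": rating})
        if m["method"] in ("POST", "PUT"):  # only count request bodies as uploads
            entry["uploaded_bytes"] += int(m["out"])
        entry["users"].add(m["user"])
    return dict(sorted(agg.items(), key=lambda kv: kv[1]["uploaded_bytes"], reverse=True))


def format_table(summary):
    """Render the summary in the same shape as the slide's discovery table."""
    rows = [f"{'Application':<24}{'Uploaded':>10}  {'Users':>5}  Readiness"]
    for app, e in summary.items():
        mb = e["uploaded_bytes"] / (1024 * 1024)
        rows.append(f"{app:<24}{mb:>8.0f}MB  {len(e['users']):>5}  {e['readiness']}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(format_table(summarise(SAMPLE_LOGS)))
```

Only POST and PUT bodies are counted as uploads; a GET to the same application still registers the user, so the readiness rating is applied to everyone touching the app, not only uploaders.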
2. Sanctioned or approved cloud applications storing or sharing sensitive data (accessed using a Microsoft Office 365 API)
3. Sanctioned or approved cloud applications allowing data to escape to unmanaged devices
4. Exfiltration of company data to unsanctioned cloud applications
Example user notices shown when a policy blocks the activity:
Important notice: Access to this cloud application is restricted by company policy
Important notice: Your attempt to upload files to this application has been blocked
Important notice: You are not permitted to upload files to personal OneDrive accounts
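Use cases 2 to 4 are all decided by the same kind of inline policy: match an observed cloud activity against ordered rules and return a verdict plus the notice shown to the user. The block below is an added example, not Netskope code, of such an evaluator. The `Activity` fields (app category, whether the instance is corporate or personal, managed device, DLP result), the rule names and the extra notices for cases 2 and 3 are assumptions; only the three notice texts for case 4 come from the slide. The instance-awareness that separates a personal OneDrive from the corporate one is taken as an input supplied by upstream traffic inspection.

```python
"""Added example (not Netskope code): first-match policy evaluation for cloud activities."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Activity:
    user: str
    app: str
    category: str            # assumed catalogue value: "sanctioned", "unsanctioned", "restricted"
    instance: str            # "corporate" or "personal": which tenant/account of the app is in use
    action: str              # "upload", "download", "share"
    managed_device: bool     # device posture supplied by the client/proxy
    sensitive: bool          # result of content (DLP) inspection
    share_scope: Optional[str] = None  # "public", "external", "internal" for share actions


@dataclass
class Rule:
    name: str
    verdict: str             # "block", "alert" or "allow"
    notice: str = ""
    match: dict = field(default_factory=dict)  # field -> required value; absent fields match anything

    def applies(self, act: Activity) -> bool:
        return all(getattr(act, k) == v for k, v in self.match.items())


# Ordered policy; the first matching rule wins. Rule names and the notices for
# cases 2 and 3 are constructed; the three case-4 notices are the slide's own text.
POLICY = [
    Rule("personal-onedrive-upload", "block",
         "You are not permitted to upload files to personal OneDrive accounts",
         {"app": "OneDrive", "instance": "personal", "action": "upload"}),
    Rule("unsanctioned-upload", "block",
         "Your attempt to upload files to this application has been blocked",
         {"category": "unsanctioned", "action": "upload"}),
    Rule("restricted-app", "block",
         "Access to this cloud application is restricted by company policy",
         {"category": "restricted"}),
    Rule("sensitive-download-unmanaged", "block",
         "Sensitive data cannot be downloaded to unmanaged devices",
         {"category": "sanctioned", "action": "download", "managed_device": False, "sensitive": True}),
    Rule("sensitive-public-share", "alert",
         "Sensitive file shared publicly; the security team has been notified",
         {"category": "sanctioned", "action": "share", "share_scope": "public", "sensitive": True}),
]


def evaluate(act: Activity, policy=POLICY):
    """Return (verdict, notice, rule_name); anything no rule matches is allowed."""
    for rule in policy:
        if rule.applies(act):
            return rule.verdict, rule.notice, rule.name
    return "allow", "", "default-allow"


# Constructed activities, one per use case on the slides plus a benign corporate upload
EXAMPLES = [
    Activity("alice", "OneDrive", "sanctioned", "personal", "upload", True, False),
    Activity("bob", "OneDrive", "sanctioned", "corporate", "upload", True, True),
    Activity("carol", "Converter", "unsanctioned", "personal", "upload", True, False),
    Activity("dave", "Box", "sanctioned", "corporate", "download", False, True),
    Activity("erin", "Box", "sanctioned", "corporate", "share", True, True, "public"),
    Activity("frank", "FileDrop", "restricted", "n/a", "download", True, False),
]


def run_examples():
    """Evaluate every constructed activity; returns {user: (verdict, notice, rule)}."""
    return {a.user: evaluate(a) for a in EXAMPLES}


if __name__ == "__main__":
    for user, (verdict, notice, rule) in run_examples().items():
        print(f"{user:<6} {verdict:<6} {rule:<28} {notice}")
```

Rule order matters: the personal-instance rule sits before the generic ones so that the same application (OneDrive) is blocked or allowed purely on which instance is being used, which is the point of use case 4.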
Cloud Threats
Conceived to Bypass Traditional Web Security…
• Files shared in cloud CRM services carry implicit trust among their users, which enlarges the malware attack surface and poses new challenges for enterprise IT.
• The attack begins with a malicious file being uploaded into the enterprise service accounts, from either a managed or an unmanaged device.
• The file is delivered to unsuspecting users via the implicit CRM workflows and collaboration features.
• Three major payloads were observed: Pony botnet, Pain Logger and Word files with malicious macros.
• Infection through these payloads can result in data exfiltration, credential stealing and network compromise.
https://resources.netskope.com/h/i/327390732-cloud-crm-services-as-a-malware-attack-vector
Highly Maintained Cloud Phishing Attack Kits
CloudSquirrel
Uses multiple cloud services for payload delivery and for command and control
• Uses a variety of cloud services to download its main payload.
• Uses DropBox for its C&C (command and control) server.
• Infects users by downloading malicious payloads (32-bit and 64-bit executables) that collect information about the victim’s machines, including the victim’s email account credentials configured in native email clients.
https://www.netskope.com/blog/netskope-threat-research-labs-technical-analysis-cloudsquirrel-malware-2/
Hybrid Cloud and Web Threats
1. Malware infects the user device via a phishing email, a compromised website, a cloud service with an infected file, etc.
2. Once the malware is downloaded, it calls out to various services such as websites, cloud storage services, or even IaaS servers to download fragments of malicious code.
3. The malicious fragments are downloaded onto the device, with security solutions seeing these downloads as innocuous because they have not been pieced together yet.
4. The initial malware decrypts and compiles the downloaded fragments to start an attack or whatever function the malicious code is supposed to perform.
Blended Threat: Ransomware + Click Fraud
• A ransomware blended threat package includes malware such as credential stealers, backdoors, or revenue generation malware in addition to a ransomware payload.
• The purpose is to provide a second means of attack and revenue.
• Example: Locky ransomware coupled with Kovter.
• Kovter is a fileless, persistent click fraud malware.
https://www.netskope.com/blog/ransomware-click-fraud-new-blended-attack/
Virlock and the Cloud Malware Fan-Out Effect
• Virlock not only encrypts files but converts them into a polymorphic file infector. Each of these encrypted files is again a file infector and can infect other benign users.
• The Virlock file infector can become a dangerous weapon in the cloud context, especially due to inadvertent spreading of infected files through cloud sync and share via cloud storage and collaboration apps.
• Rapidly the entire peer network is infected.
• Many collaborative files are infected and encrypted many times.
• Many ransoms to be paid; perhaps a bulk discount can be negotiated?
https://www.netskope.com/blog/cloud-malware-fan-virlock-ransomware/
Cloud Services as a Crypto Miner’s Paradise: Zminer – Cryptocurrency Mining Malware Hosted in Amazon S3 Bucket
1. The kill chain begins with the delivery of a drive-by download Zminer executable via an exploit kit.
2. The executable downloads two payloads from Amazon S3 cloud storage to the victim’s machine.
3. Once the required components are downloaded and installed on the victim’s machine, Zminer begins the mining operation.
4. Several details of the victim’s machine are uploaded to a C&C server also hosted on Amazon S3.
https://www.netskope.com/blog/coin-mining-malware-heads-cloud-zminer/
Cloud Services as a Crypto Miner’s Paradise: CoinHive – Cryptocurrency Mining Browser Plugin Hosted in Office 365
1. Coinhive is a JavaScript library that allows a website to use the client computer to mine Monero cryptocurrency.
2. The Coinhive miner was installed as a plugin in an SSL website.
3. The tutorial webpage hosted on the website was saved to the cloud and shared within an organization.
4. As the mining is performed without users’ consent, the Coinhive plugin is carrying out a cryptojacking operation.
5. The browser miners can also be abused by malware authors to exploit victims’ computing power and resources.
https://www.netskope.com/blog/modern-gold-mine-rush-office-365-as-a-crypto-miners-paradise/
Threat Protection
Why Threat Protection for the Cloud?
Three drivers: lack of visibility into cloud activity; increasing cloud usage; cloud apps are attractive to attackers.
• For companies that inspect cloud services for malware, 57% find malware (Ponemon Institute)
• Threat protection is one of four pillars of CASB functionality (Gartner Market Guide for CASBs)
• >50% of cloud usage from outside the corporate network
• >50% of cloud access from sync clients and apps, not browsers
• 85% of companies allow cloud access from unmanaged devices
• 51% of employees use cloud services for work
• 33% of business data is in the cloud
• 977 apps on average, with 95% unknown to IT
• New cloud threats discovered by Netskope researchers
• Cloud accelerates the spread of malware and amplifies its effects
• Increased click-through on links to familiar cloud apps
Why is Cloud Attractive to Attackers? Attackers exploit inherent user trust in familiar cloud apps
The Rise of Cloud Threats
• 41.6% is related to generic types of malware (Flash exploits, worms, etc.)
• Microsoft Office macros account for 8.6% during the last quarter
Source: Netskope Cloud Report February 2018
Netskope Threat Research Labs
Dedicated team of experts with 12 years of average experience in threat research
Areas: threat intelligence creation; malware, threat research & analysis; zero-day vulnerability research; threat hunting; botnet research; machine learning; reverse engineering; threat actor attribution
With broad experience & skillsets, enabling threat coverage ahead of leading vendors
Leveraging Solid Security Research and Incident Response Background
Examples of threat coverage ahead of leading vendors*: EPS 0-Day, Mole Ransomware, QKG Ransomware, Cobalt Threat Actor, URSNIF Data Stealer, Comnie Backdoor, Zyklon Campaign, Orcus RAT
Coverage dates shown on the slide: from FEB’17, APR’17, NOV’17, NOV’17, APR’17, AUG’17, NOV’17, NOV’17
*Examples of threat coverage ahead of leading vendors
Netskope Threat Research – Highlights from 2017
[Timeline: JAN-17 to DEC-17; the monthly entries are not recoverable from the slide text]
Netskope Threat Protection – Key Components
Heuristics
• Accepts all files.
• Automated static analysis.
• Signature-less detection.
• 3,000+ threat indicators.
• Fully dissects the internal contents of files without execution, detects attacks, determines the threat level and exposes vital information for remediation.
• Removes archive and anti-forensic layers, de-obfuscates, and extracts indicators.
Sandbox
• Identifies previously unknown threats.
• Evasion resistant (monitoring embedded in the CPU virtualization extension).
• Agentless (no monitoring driver).
• Real Windows images.
• Accepts files from the Heuristics, PDF and Office pre-filters.
• Dynamic analysis of malware execution to detect and give a verdict on suspicious/malicious behavior.
Ransomware Engine
• ML-driven detection of ransomware activity in supported cloud storage applications.
• Supervised model: a set of features (currently 70 “dimensions”) extracted from the encrypted file and compared to the clean version of the same file.
• 350 unique families of ransomware tracked, and adding more all the time.
Detections are fed into the ATP blacklist (BL) within <5 minutes, to all ATP customers within 1 hour, and into the GoSkope global BL within 24 hours.
Multi-Layered Threat Protection for Cloud-based Threats
Delivery: proxy (inline, TLS decryption at scale) and API (out-of-band)
Static Anti-Virus
• Signature-based detection using multiple AV engines
• Efficient protection against known malware
Threat Intelligence
• Identifies malicious URLs / IPs
• Provides collective protection with a constantly updated global blacklist
• Supports tenant-level blacklist / whitelist
Heuristic Analysis
• Advanced detection of new threats
• Identifies threat indicators using signature-less, pre-execution analysis of binary files
Sandbox Analysis
• Detonates files and analyzes behavior in an isolated sandbox to detect zero-day threats
• Also supports third-party sandbox integrations
Ransomware Detection
• Proprietary machine learning analyzes file operations and data transformation across 70+ dimensions
• Validated against 300+ ransomware variants
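The Ransomware Engine slide and the Ransomware Detection layer above both describe the same idea: extract features from the new version of a file, compare them with the clean version, and score the change. The block below is an added example, not Netskope code, that does this with five constructed features (byte entropy and its delta, chi-square distance of the byte histogram from uniform, compressibility, loss of a recognisable file format, and an extension change); the product's 70 dimensions, weights and threshold are not public and everything here (feature set, weights, `THRESHOLD`, the sample documents, the pseudo-random bytes standing in for ciphertext) is an assumption. It also shows the caveat a practitioner cares about: a legitimately re-uploaded archive has high entropy too, so no single feature may decide.

```python
"""Added example (not Netskope code): clean-vs-new file comparison for ransomware-like changes."""
import io
import math
import random
import zipfile
import zlib
from collections import Counter

# Illustrative magic numbers (zip, PDF, RTF, OLE2, PNG, JPEG); a real engine would carry far more.
KNOWN_MAGIC = (b"PK\x03\x04", b"%PDF", b"{\\rtf", b"\xd0\xcf\x11\xe0", b"\x89PNG", b"\xff\xd8\xff")
THRESHOLD = 6  # assumed score at which a change is reported as ransomware-like


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0..8); encrypted output sits close to 8."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chi_square_uniform(data: bytes) -> float:
    """Chi-square distance of the byte histogram from uniform; about 255 for random bytes."""
    n = len(data)
    if n == 0:
        return float("inf")
    expected = n / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def compress_ratio(data: bytes) -> float:
    """Compressed size / original size; ciphertext does not compress (ratio about 1)."""
    return len(zlib.compress(data, 9)) / max(len(data), 1)


def looks_like_known_format(data: bytes) -> bool:
    """True for a recognised magic number or for mostly printable text."""
    if any(data.startswith(m) for m in KNOWN_MAGIC):
        return True
    sample = data[:512]
    printable = sum(1 for b in sample if 32 <= b < 127 or b in (9, 10, 13))
    return bool(sample) and printable / len(sample) > 0.9


def _ext(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower()


def extract_features(old_name, old_data, new_name, new_data) -> dict:
    """The constructed feature vector comparing the clean version with the new one."""
    return {
        "entropy_old": shannon_entropy(old_data),
        "entropy_new": shannon_entropy(new_data),
        "chi2_new": chi_square_uniform(new_data),
        "compress_new": compress_ratio(new_data),
        "lost_format": looks_like_known_format(old_data) and not looks_like_known_format(new_data),
        "ext_changed": _ext(old_name) != _ext(new_name),
    }


def score_change(f: dict) -> int:
    """Assumed weights: each indicator adds points; the combination, not any one, decides."""
    score = 0
    if f["entropy_new"] > 7.5 and f["entropy_new"] - f["entropy_old"] > 1.0:
        score += 3  # content became near-random relative to the clean version
    if f["compress_new"] > 0.95:
        score += 2  # incompressible, as ciphertext is
    if f["lost_format"]:
        score += 2  # a file that used to be a known type no longer is
    if f["ext_changed"]:
        score += 2  # e.g. report.txt -> report.txt.locked
    if f["chi2_new"] < 400:
        score += 1  # byte histogram statistically close to uniform
    return score


def classify(old_name, old_data, new_name, new_data):
    """Return ("ransomware-like" | "benign", score) for a file-version change."""
    score = score_change(extract_features(old_name, old_data, new_name, new_data))
    return ("ransomware-like" if score >= THRESHOLD else "benign"), score


# Constructed samples: a text report, a harmless edit, and pseudo-random bytes standing in for ciphertext
CLEAN_DOC = b"Quarterly report: revenue grew 4% while costs fell 2%.\n" * 80
EDITED_DOC = CLEAN_DOC.replace(b"4%", b"5%")
_rng = random.Random(2018)
ENCRYPTED_DOC = bytes(_rng.getrandbits(8) for _ in range(len(CLEAN_DOC)))


def make_zip(name: str, payload: bytes) -> bytes:
    """Build a small in-memory zip so the archive edge case uses a real PK container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def run_examples():
    """Three version changes; returns {scenario: (verdict, score)}."""
    return {
        "edited": classify("report.txt", CLEAN_DOC, "report.txt", EDITED_DOC),
        "encrypted": classify("report.txt", CLEAN_DOC, "report.txt.locked", ENCRYPTED_DOC),
        "archive": classify("report.zip", make_zip("report.txt", CLEAN_DOC),
                            "report.zip", make_zip("report.txt", EDITED_DOC)),
    }


if __name__ == "__main__":
    for scenario, (verdict, score) in run_examples().items():
        print(f"{scenario:<10} {verdict:<16} score={score}")
```

The archive scenario is the reason the score is a combination: a zip re-uploaded after an edit is incompressible and high-entropy like ciphertext, but it keeps its magic number and extension and its entropy did not jump relative to the previous version, so it stays well under the threshold.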
Call to Action: Get your Cloud Risk Assessment
Cloud Risk Assessment Report
• Cloud usage summary
• Three areas of risk (observations and recommendations): cloud threats, data loss, non-compliance
• Cloud security maturity model
Report sections shown on the slide: Summary; Compromised Credentials; Unmonitored Cloud Storage; Webmail Usage; Risky PDF Apps; Connections to Non-U.S. Apps; Unmonitored Regulated Data
Thank you!