Panda Security: Building a safer digital world
Name: TS Wong. Position: Country Manager. Date: October 2007


Page 1: Panda Security2008


Panda Security

Building a safer digital world

Name: TS Wong

Position: Country Manager

Date: October 2007

Page 2: Panda Security2008

Agenda

– Who is Panda Security?
– Our Customers
– Malware Landscape
– Commercial Comparisons
– Why Panda Security?
– Innovations*
  • Collective Intelligence
  • TruPrevent (HIPS)
  • NanoScan
– Gartner 2007
– Case Studies: PDRM
– Case Studies: Syabas
– Our Solutions
  • MalwareRadar
  • TrustLayer Mail
  • Security Appliances
    – GateDefender Performa
    – GateDefender Integra
  • PandaSecurity for Mobile Operators
  • PandaSecurity for Enterprise
  • PandaSecurity for Internet Transactions

Page 3: Panda Security2008

Who is Panda Security?
Protection Technology Leader. 4th antivirus vendor worldwide.

Page 4: Panda Security2008

Who we are

• Founded in 1990

• Leading European company in security, and the fourth worldwide company in the sector [Gartner]

• Solid financial situation with the participation of important private equity firms:
  – 55% growth in 2004
  – Offices in more than 50 countries
  – Product available in 23 languages

• Investing in R&D more than 25% of the annual revenue

• Leader in protection technologies against unknown threats [Gartner]

Page 6: Panda Security2008

Busiest Antivirus Vendor

► Introduction of products
• TruPrevent (HIPS)
• GateDefender Performa
• GateDefender Integra
• Desktop for Linux
• MalwareRadar
• NanoScan
• TrustLayer
• PreScan

Timeline:
1990 – Started in Bilbao, Spain
2004 – GateDefender & WebAdmin
2005 – TruPrevent
2006 – World No. 4; Integra
2007 – NanoScan, MalwareRadar, TrustLayer, MegaDetection (rebranding)
2008 – Leadership in malware protection technology

► Protection technologies incorporated into our products include:
• Integrated spyware detection
• Rootkit detection
• Centralized quarantine
• SDK
• IIS integration for updates

► PandaLabs 2007
• "DDoS" of incoming samples
• Revamped
• Automated by hundreds of servers
• MegaDetection!

Page 7: Panda Security2008

Our Customers
Providing protection to government agencies and corporations.

Page 8: Panda Security2008

Some of our customers

• Government
  – PDRM
  – Mindef
  – Jabatan Pertanian
  – SIRIM
  – Lembaga Kemajuan Pertanian Muda
  – LKIM
  – MTIB
  – JAKIM
  – Malaysia Tourism Promotion Board
  – SUK Negeri Sembilan
  – SUK Selangor
  – Tekun
  – NISER
  – JHEOA
  – Kastam
  – KKLW
  – MPSJ
  – JAIWP
  – PTGWP
  – Suruhanjaya Perkhidmatan Pelajaran
  – JASA
  – JPA

• Corporate
  – EuroMobil
  – Touch N' Go
  – Alam Flora
  – MPH
  – MUI Group
  – Prostaco Group
  – Classita
  – Privasia
  – OSIM
  – Elken
  – NasionCom
  – Sin Chew Jit Poh
  – Syabas
  – Hyundai
  – Ingress
  – NAZA
  – Metro Parking
  – Genting
  – ISS Consulting

• Banking
  – Bank Pembangunan & Infrastruktur
  – EXIM Bank

Page 9: Panda Security2008

Some of our customers

• Penang (northern region)
  – Malayawata
  – Classita
  – IQ Group
  – Brusia Engineering
  – Boon Siew
  – The City Bayview Hotel
  – CMT
  – Advanced Ceramics Technology
  – UltraSonic
  – MADA
  – Kulim Hi-Tech Park
  – NAZA
  – Toyo Memory
  – Chemical Industries
  – Rubberex

• Healthcare
  – Hospital Besar Melaka
  – Hospital Pantai Mutiara
  – Queen Elizabeth Hospital

• Education
  – Universiti Perguruan Sultan Idris
  – Universiti Putra Malaysia
  – INSTUN
  – TARC
  – Terengganu Advanced Technical Institute
  – Institut Teknologi Tinggi Kulim
  – Politeknik Ipoh
  – KISMEC
  – GMI
  – Akademi Sains Malaysia

Page 11: Panda Security2008

Commercial Comparisons
Frequency, consistency and quality of independent reviews.

Page 12: Panda Security2008

Oct 2005 – PC World

• The only product able to terminate 100% of running spyware processes.

• Better than dedicated anti-spyware products such as:
  – McAfee AntiSpyware 2006
  – Trend Micro Anti-Spyware 3.0

• Panda Platinum Internet Security eliminated 100% of BHOs (browser helper objects) and unwanted toolbars, components frequently used to hijack browsers.

Page 13: Panda Security2008

May 2006 – PC World

• Of the Internet Security suites analyzed, Panda detected the most unknown viruses and completed the full scan of the computer the fastest.

USA - May 2006. The first column is Panda, consistent with the claim above (highest heuristic detection, fastest scan); the three competing suites are not named in the extracted slide.

Test                                                           Panda   Suite 2   Suite 3   Suite 4
Heuristic detection                                            91%     74%       65%       41%
Detection of malware within file archives                      100%    96%       78%       87%
Detection of malware embedded in Microsoft Office OLE objects  100%    100%      86%       90%
Scan speed (minutes, lower is better)                          6.65    10.47     17.34     13.31

* Comparative review published in PC World USA May 2006 with 2006 versions of security suites. This slide will be updated with the 2007 versions as soon as an updated comparative review is published.

Page 14: Panda Security2008

May 2007 – PC Magazine

Panda Anti-Rootkit. Review date: 04.20.07

Panda Anti-Rootkit digs deeper than any other anti-rootkit tool I've seen, telling you exactly what it found. For safety it won't delete files digitally signed by Microsoft—smart! And it wiped out every one of my test rootkits.

Detects rootkit activity in file system, Registry, processes, drivers, and Alternate Data Streams. Offers very detailed reports. Eliminates known and unknown rootkits.

Basic results list is cramped in a non-resizable window.

Page 15: Panda Security2008

GCN Lab Review - 2007


Panda Internet Security 2008

Vicious panda: The Panda software viciously tracks down viruses and cookies.

Functionality: A+ Ease of use: A Speed: A- Value: B+

Pros: Gives users a lot of info, deletes anything remotely suspicious. Cons: Does a few things without asking.

When Panda software wanted to submit a beta of its 2008 antivirus software, we were a little skeptical; we put betas through the same rigorous testing as released software. But Panda representatives insisted. Panda Internet Security 2008 more than lived up to our expectations.

Installing the software was simple and easy, taking 4 minutes, 52 seconds, plus a reboot. It was the only program to find all 10 of the cookies we put on the test system, and it did it before it was even installed. During the install process, the program runs an anti-spyware scan. During this scan, it found all 10 cookies and automatically deleted them. The bad part about this was that seven of the cookies were not malicious, and we were given no choice as to their fate. The software just killed them without prompting and then finished the install.

Once installed, the Panda software was no less vicious in tracking down and eliminating all the viruses we had put on the system, in addition to others we tried to implant through various means. One nice feature is that the software constantly scans all active connections into or out of a system for anything suspicious. One screen shows you each and every port that is open on a system, what programs are using them and where the programs are located. This makes it impossible for any program that tries to get to the outside world to do so without detection. A separate screen monitors wireless access to a system, so you are protected from that angle, too.

About GCN: Government Computer News is the leading publication in the $90 billion government technology market. The magazine, published 34 times per year, serves more than 100,000 readers in federal government, state, county and municipal governments in the U.S. Now in its 24th year of publication, Government Computer News is well respected for its insightful coverage of breaking news and in-depth analysis of how technology is changing and challenging the public sector. Founded in 1982, it is published by PostNewsweek Tech Media, a division of the Washington Post Company.

Page 16: Panda Security2008

Malware Landscape
Outbreaks in almost every organization.

Page 17: Panda Security2008

Malware 2.0

• Targeted attacks
  – Many variants
  – Only a few copies of each variant distributed
• Quality control by the malware authors
  – Samples submitted to online scanning services before release
  – Customized tools
• Rootkits
  – Low-level entry point
  – Growing momentum
• Runtime packers
  – Change the executable into a different form that does exactly the same thing
• Botnets
  – Run by cyber criminals
  – Remote control via IRC/HTTP/P2P
• Staged infection vectors
  – Two-stage attacks
  – Exploits
  – Downloaders
• Exponential increase in the "DDoS" of samples against AV labs

Page 18: Panda Security2008

Statistics

• "DDoS" against AV vendors
  – More malware was identified in 2006 than in all the years since 1990 combined
  – Neither we at PandaLabs nor anyone else can cope with this volume by manual analysis
• August 2007: we are adding more than 4,000 detections per day

[Chart: number of samples and average daily detections added by PandaLabs; the data points are not recoverable from the extracted slide]

Page 19: Panda Security2008

Antivirus Vendors Not Ready

• The situation has changed, the problems have changed, and customers need to change.

Source: Gartner, Market Trends: Security Markets, Worldwide, 2005-2010

Page 20: Panda Security2008

Summary

• The odds are stacked against AV vendors and users alike.

• AV vendors must provide a definitive solution.

Page 21: Panda Security2008

Background

• Each vendor's signature set covers only a subset of what the other vendors cover.

• New viruses appear faster than signatures can be written.

• This is a law of nature for any reactive solution.

[Diagram: two overlapping sets, "Vendor A: signatures" and "Vendor B: signatures", together covering known viruses; the area outside both sets is new or unknown viruses]

Page 22: Panda Security2008

Why Panda Security?
Unified technologies deliver unified protection.

Page 23: Panda Security2008

Unified Technologies

• One developer for every technology layer:
  • Protection technologies
  • Kernel
  • Transport
  • Malware labs

Page 24: Panda Security2008

Unified Malware Protection

• We cover all types of malware
• Known + unknown threat protection
• Any type of malware:
  • Virus
  • Spyware
  • Adware
  • Phishing
  • ActiveX
  • JavaScript
  • Applet
  • Zero-day threats

New Security Solutions

Page 25: Panda Security2008

Proactive Technologies


Page 26: Panda Security2008

PandaLabs

• Collective Intelligence
  – Automated analysis of samples
  – Automated development of signatures
  – To consistently deliver fast response times

• Critical success factors
  – Good heuristics
  – Proactive detections to collect suspicious samples

Page 27: Panda Security2008

Collective Intelligence
Revamping and automating PandaLabs

Page 28: Panda Security2008

Objective of Collective Intelligence

• Confront the "Malware 2.0" problem
• Detect 10 times more with 10 times less effort
• Maximize detection capacity
• Minimize costs (CPU/RAM resources and bandwidth)
• Focus on convenience and universality of the solution

Page 29: Panda Security2008

Definition

• What is Collective Intelligence?
  – A threat management system "from the cloud".
  – Based on the aggregated knowledge of the community.
  – Based on process automation and on the correlation of information, at our infrastructure.

Page 30: Panda Security2008

[Example records exchanged with the cloud, as shown on the slide:]

<Program ID: XXXXX  Status: unknown.  Behavioral traces: log1, …  Date/time of appearance: HHMMDDMMYY …
<Program ID: XXXXX  Status: unknown.  Behavioral traces: log2, …  Date/time of appearance: HHMMDDMMYY …
<Program ID: XXXXX  Status: Malware W32/XY.  Behavioral traces: log1, …  Date/time of appearance: HHMMDDMMYY …
<Program ID: XXXXX  Status: Malware W32/XY.  Behavioral traces: log2, …  Date/time of appearance: HHMMDDMMYY …

• Intelligence in the cloud
• Global visibility
• Continuous correlation
• Automatic classification: malware, goodware
• Transparent to the user

How do we do it?

Collection
• Process signatures
• Inbound filters
• Prioritization
• Unique samples
• No. of times seen
• Receipt

Processing
• Identifiers with multi-scanner
• Check for goodware
• Decompression
• Emulation
• Heuristics
• Sandboxing
• Behavioral analysis

Classification
• By genetic family
• By analysis of similarity
• By neural networks
• By positive identification
• By negative identification
• Manual analysis

Remedy
• Immediate response
• Exclusions
• 'Express' signatures
• Automatic generation of the signature file
• Generation of the signature file (PandaLabs)
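The collect / process / classify / remedy flow above, and the record format on this slide (program identifier, status, behavioral traces, first-seen time), as a small worked model. This is an added illustration written for this page, not Panda's code: the knowledge base, the family trace sets, the Jaccard threshold and the endpoint reports are all constructed, and only the four pipeline stages named on the slide are modelled.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Report:
    """One endpoint report, modelled on the slide's record format: the program
    (hashed into an identifier on receipt), its behavioral traces, and first-seen time."""
    sample: bytes
    traces: frozenset
    seen_at: str


def sample_id(data: bytes) -> str:
    """Program ID: a content hash, so identical samples from many sensors collapse to one."""
    return hashlib.sha256(data).hexdigest()


# Constructed knowledge base. Assumption: in a real deployment these sets are fed by the
# lab's multi-scanner, goodware whitelist and analyst verdicts, not hard-coded.
KNOWN_GOODWARE = {sample_id(b"MZ...calc.exe (constructed)")}
KNOWN_MALWARE = {sample_id(b"MZ...w32xy.variant1 (constructed)"): "W32/XY"}
FAMILY_TRACES = {
    "W32/XY": frozenset({"writes:HKCU\\...\\Run", "connects:irc:6667",
                         "injects:explorer.exe", "drops:%TEMP%\\svc.exe"}),
}


def collect(reports):
    """Collection stage: unique samples, number of times seen, prioritised by prevalence."""
    counts = Counter()
    first_seen = {}
    for r in reports:
        h = sample_id(r.sample)
        counts[h] += 1
        first_seen.setdefault(h, r)
    return [(h, n, first_seen[h]) for h, n in counts.most_common()]


def jaccard(a: frozenset, b: frozenset) -> float:
    """Overlap of two trace sets; stands in for the 'analysis of similarity' step."""
    return len(a & b) / len(a | b) if (a | b) else 0.0


def classify(h: str, traces: frozenset, threshold: float = 0.6):
    """Classification stage, cheapest check first: positive identification (known malware
    hash), negative identification (known goodware hash), behavioral similarity to a known
    family, otherwise unknown and queued for manual analysis."""
    if h in KNOWN_MALWARE:
        return "malware", KNOWN_MALWARE[h], "positive identification"
    if h in KNOWN_GOODWARE:
        return "goodware", None, "negative identification"
    score, family = max(((jaccard(traces, t), f) for f, t in FAMILY_TRACES.items()),
                        default=(0.0, None))
    if score >= threshold:
        return "malware", family, f"similarity {score:.2f}"
    return "unknown", None, "queued for manual analysis"


def run_pipeline(reports):
    """Collect -> classify -> remedy. Returns the verdicts in prevalence order and the
    'express' signature set: hashes endpoints can block before a full signature file ships."""
    verdicts, express_sigs = [], {}
    for h, n, first in collect(reports):
        status, family, reason = classify(h, first.traces)
        verdicts.append({"id": h[:12], "seen": n, "status": status, "family": family,
                         "reason": reason, "first_seen": first.seen_at})
        if status == "malware":
            express_sigs[h] = family
    return verdicts, express_sigs


# Constructed sensor reports: three hosts see the same repacked variant, one sees a
# whitelisted program, one sees a file whose behaviour matches no known family.
VARIANT2 = b"MZ...w32xy.variant2 (constructed, repacked)"
SAMPLE_REPORTS = [
    Report(VARIANT2, frozenset({"writes:HKCU\\...\\Run", "connects:irc:6667",
                                "injects:explorer.exe"}), "2007-08-01T10:00"),
    Report(VARIANT2, frozenset({"writes:HKCU\\...\\Run", "connects:irc:6667",
                                "injects:explorer.exe"}), "2007-08-01T10:05"),
    Report(VARIANT2, frozenset({"writes:HKCU\\...\\Run", "connects:irc:6667"}), "2007-08-01T10:07"),
    Report(b"MZ...calc.exe (constructed)", frozenset({"reads:HKCU\\Software\\Calc"}), "2007-08-01T11:00"),
    Report(b"MZ...unknown_tool (constructed)", frozenset({"opens:COM3"}), "2007-08-01T12:00"),
]

if __name__ == "__main__":
    for verdict in run_pipeline(SAMPLE_REPORTS)[0]:
        print(verdict)
```

The point of ordering by prevalence is that a repacked variant hitting three sensors outranks a one-off, which is the "10 times more with 10 times less effort" trade-off: the hash of the variant has never been seen, so only the behavioral similarity (3 of 4 family traces, 0.75) classifies it. A practitioner would also note the failure modes the slide glosses over: a goodware hash match short-circuits everything, so the whitelist must itself be trustworthy, and a similarity threshold set too low turns the same mechanism into a false-positive generator.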

Page 31: Panda Security2008

Panda TruPrevent
Host-based Intrusion Prevention System

Page 32: Panda Security2008

Architecture

[Layer diagram, labels as extracted:]

Technologies:
• Event correlation
• Behavioral analysis of processes
• Deep packet inspection

Protection layers:
• Detection of malware using behavioral analysis
• Detection of malicious network packets
• Protection against buffer overflows
• Definition of security policies
• Detection of network viruses and attacks

Associated services:
• Scanning and disinfection of detected malware
• Software upgrades
• Signature and pattern updates

Page 33: Panda Security2008

What is TruPrevent

• TruPrevent technologies automatically detect and block unknown threats, zero-day attacks and intrusions.

• Key objectives:
  – Operate without user intervention
  – Avoid propagation of new threats via the network
  – Most advanced HIPS:
    • Deep packet inspection firewall
    • Behavioral analysis
    • Genetic heuristic analysis
    • User and application rules
    • OS kernel rules

[Layer diagram: Rules for OS Kernel; Rules for Users and Applications; Behavioral Analysis; Genetic Heuristic Scan; Malware Identifiers; Advanced Firewall; Intrusion Prevention; NetworkSecure]

Page 34: Panda Security2008

Panda Technologies: Malware signature engine

• The same engine and identifiers for different types of malware
  – Viruses, worms, Trojans, spyware, adware, hacking tools, etc.
• Decompresses most packers.
• Code emulation for detecting polymorphic viruses.
• Detection of rootkits v1.0 (v1.1 adds low-level HDD access).
• SmartClean for restoring the system to the state it had before infection (hosts file, registry, modules loaded, …).

Page 35: Panda Security2008

Panda Technologies: Distributed firewall

• Bidirectional firewall.
• TDI (Transport Driver Interface) filter: controls which applications have network access (Internet Explorer, IM, P2P, …).
• NDIS (Network Driver Interface Specification) filter: controls ports and addresses.
• Secure restart of the PC.
• Centralized management of desktop firewalls.

Page 36: Panda Security2008

Panda Technologies: NetworkSecure

• Computer "health" management.
• Detects installed security products and their update status.
• Auto-checks
  – Authorizes or denies communication depending on the status of the workstation
• Endpoint Security Enforcement Protocol
  – Control over PC access based on security policies
• Integrates with Network Access Control (NAC).

Page 37: Panda Security2008

Panda Technologies: Intrusion prevention

• Identifiers of network attacks.
• Scans the content and behavior of TCP/IP packets (buffer overflows).
• Detects SYN flood, port scanning, spoofing and denial of service (DoS).
• Active response (blocks the attacking IP).

Panda Technologies
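What "detects SYN flood, port scanning" and "active response (blocks the attacking IP)" amount to in code, as an added example for this page rather than anything from the product: a per-source sliding-window counter over bare SYN segments, with two constructed thresholds and a block list that drops further packets from a source once it has fired. The packet records, addresses and thresholds are constructed; the detector ignores everything that is not a new connection attempt.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal view of a TCP segment: arrival time, addresses, destination port, flags."""
    ts: float
    src: str
    dst: str
    dport: int
    flags: str  # TCP flag letters, e.g. "S", "SA", "A"


class SynDetector:
    """Per-source sliding-window SYN counters. Thresholds are constructed values; a product
    tunes them per network, and the window must be short enough that a busy but legitimate
    client (many short connections) stays below them."""

    def __init__(self, window: float = 1.0, syn_limit: int = 50, scan_ports: int = 20):
        self.window = window
        self.syn_limit = syn_limit        # bare SYNs per source inside the window -> flood
        self.scan_ports = scan_ports      # distinct destination ports per source -> scan
        self.recent = defaultdict(list)   # src -> [(ts, dport), ...] inside the window
        self.blocked = set()              # active response: sources dropped outright
        self.alerts = []                  # (src, reason) in order of detection

    def observe(self, pkt: Packet) -> str:
        """Return "drop" (source already blocked), "block" (this packet triggered the
        active response) or "pass"."""
        if pkt.src in self.blocked:
            return "drop"
        if "S" in pkt.flags and "A" not in pkt.flags:  # bare SYN = new connection attempt
            window = self.recent[pkt.src]
            window.append((pkt.ts, pkt.dport))
            cutoff = pkt.ts - self.window
            while window and window[0][0] < cutoff:    # expire entries outside the window
                window.pop(0)
            if len(window) > self.syn_limit:
                return self._block(pkt.src, "SYN flood")
            if len({port for _, port in window}) > self.scan_ports:
                return self._block(pkt.src, "port scan")
        return "pass"

    def _block(self, src: str, reason: str) -> str:
        self.blocked.add(src)
        self.alerts.append((src, reason))
        return "block"


def constructed_traffic():
    """Three sources against one host: a normal client (5 connections over 5 s), a port
    scanner (25 ports in half a second) and a SYN flooder (60 SYNs to port 80 in 0.2 s)."""
    pkts = [Packet(float(i), "10.0.0.5", "10.0.0.1", 80, "S") for i in range(5)]
    pkts += [Packet(10 + i * 0.02, "10.0.0.66", "10.0.0.1", 1 + i, "S") for i in range(25)]
    pkts += [Packet(20 + i * 0.003, "10.0.0.99", "10.0.0.1", 80, "S") for i in range(60)]
    return sorted(pkts, key=lambda p: p.ts)


def replay(packets, detector=None):
    """Feed packets through the detector; return it together with a tally of decisions."""
    detector = detector or SynDetector()
    tally = Counter(detector.observe(p) for p in packets)
    return detector, tally


if __name__ == "__main__":
    det, counts = replay(constructed_traffic())
    print(dict(counts), det.alerts)
```

The caveat a practitioner wants next to "blocks the attacking IP": a SYN flood rarely carries the attacker's real source address. Keying the active response on the source IP of spoofed SYNs lets an attacker get any address of their choosing blocked at your firewall, so an automatic IP block should be short-lived and should never be applied to addresses the host must keep talking to (gateways, DNS, domain controllers). The port-scan rule has the same weakness in the other direction: a scanner that spreads its probes over more than the window length never trips it.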

Page 38: Panda Security2008

Panda Technologies: Genetic Heuristic Engine (GHE)

• Correlation of genetic similarity, without false positives, to determine the "malware family" from:
  – Location
  – Format
  – Form
  – Properties
  – Content
  – etc.
• "The Magic": calculates, correlates and diagnoses.
• GHE available for file systems, HTTP, SMTP, HTTPMail, POP3, NNTP, MAPI and IM.

Page 39: Panda Security2008

Panda Technologies: OS kernel rules

• Security policies for systems (OS policies).
• Outsourced security managed by Panda:
  – Rules for rapid patching of vulnerabilities
  – Preventive rules for malware detection
  – Rules for blocking suspicious OS actions
  – Specific rules for servers (database, web, file servers)
• Can be activated and applied to different users.

Page 40: Panda Security2008

Panda Technologies: Rules for users and applications

• Security policies for users and applications.
• Controlled by the system administrator:
  – Control over access to files
  – Control over access to user accounts
  – Control over access to the Registry
  – Control over access to COM components
  – Control over access to services
  – Control over network access
• System rules
• Rules for applications
• IDS rules

Page 41: Panda Security2008

Panda Technologies: Buffer overflow protection

• Monitors process execution and guards data areas at all times.
• Can generate a signature identifier and pass it to the network virus detection layer so that subsequent attacks are blocked at the firewall level.

Page 42: Panda Security2008

Panda Technologies: Behavioral analysis

• We classify a process on the basis of all its interactions with the user and the system over time, not simply by looking at the file:
  – Form, format, content, location, etc. of the file
  – Changes made and system behavior
  – Modules and resources loaded
  – Ports accessed
• More than 5 million sensors distributed around the globe.
• High level of detection
• Low false positive ratio
• Transparent to the user

Page 43: Panda Security2008

Screenshots


Page 44: Panda Security2008

Sample Rules

• Rule 1001: Prevents Internet Explorer and Explorer.exe from loading and displaying the Browser Helper Objects (BHOs) associated with spyware, which are normally used once the spyware is installed.

• Rule 1002: To protect against certain malware, command interpreters and user applications that require user intervention cannot be executed by specific programs: mail clients, instant messengers, Office programs, text editors, multimedia applications, system applications, etc.

• Rule 1003: Prevents any application from installing the Browser Helper Objects (BHOs) associated with spyware, which are normally used once the spyware is installed.

• Rule 1004: If the file C:\explorer.exe exists, it is run instead of the file of the same name stored in the Windows directory. To prevent malware from exploiting this, the rule blocks any attempt to create, modify or run a file called explorer.exe stored in C:\.
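Rules 1002 and 1004 above, written out as a small host-rule evaluator so the matching logic is explicit. This is an added example for this page, not TruPrevent code: the event shape, the interpreter and parent-process lists, and the event stream are constructed, and the evaluator is default-allow with deny on first matching rule.

```python
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """A file or process event as a HIPS driver would see it (constructed shape)."""
    action: str   # "create", "modify" or "execute"
    path: str     # target file
    parent: str   # image name of the process performing the action


# Rule 1002: command interpreters must not be launched by programs that never need
# them (mail clients, IM, Office, editors, media players, ...). Both sets are constructed
# examples; a product ships far longer lists.
INTERPRETERS = {"cmd.exe", "command.com", "wscript.exe", "cscript.exe"}
NO_SHELL_PARENTS = {"outlook.exe", "msimn.exe", "winword.exe", "excel.exe",
                    "msmsgs.exe", "notepad.exe", "wmplayer.exe"}


def rule_1002(ev: Event) -> bool:
    child = ntpath.basename(ntpath.normcase(ev.path))
    return (ev.action == "execute" and child in INTERPRETERS
            and ev.parent.lower() in NO_SHELL_PARENTS)


# Rule 1004: a file named explorer.exe in the root of C: shadows the real shell, so any
# attempt to create, modify or run it is denied no matter which process asks.
# ntpath.normcase folds case and converts "/" to "\" on every platform, so the
# comparison cannot be dodged with C:/EXPLORER.EXE.
ROOT_EXPLORER = ntpath.normcase(r"C:\explorer.exe")


def rule_1004(ev: Event) -> bool:
    return ntpath.normcase(ev.path) == ROOT_EXPLORER


RULES = {1002: rule_1002, 1004: rule_1004}


def evaluate(ev: Event):
    """Return (decision, [ids of rules that fired]); default-allow, block on any match."""
    fired = [rule_id for rule_id, check in RULES.items() if check(ev)]
    return ("block" if fired else "allow"), fired


def apply_policy(events):
    """Evaluate a stream of events; returns (event, decision, fired_rules) triples."""
    return [(ev, *evaluate(ev)) for ev in events]


# Constructed event stream: a macro spawning a shell, the real shell spawning a shell,
# a service planting C:\explorer.exe, an installer patching the legitimate shell, and a
# mail client launching the planted file through a forward-slash path.
SAMPLE_EVENTS = [
    Event("execute", r"C:\WINDOWS\system32\cmd.exe", "WINWORD.EXE"),
    Event("execute", r"C:\WINDOWS\system32\cmd.exe", "explorer.exe"),
    Event("create", r"C:\explorer.exe", "svchost.exe"),
    Event("modify", r"C:\WINDOWS\explorer.exe", "msiexec.exe"),
    Event("execute", "c:/explorer.exe", "outlook.exe"),
]

if __name__ == "__main__":
    for ev, decision, fired in apply_policy(SAMPLE_EVENTS):
        print(f"{decision:5} {fired or '':12} {ev.parent} -> {ev.action} {ev.path}")
```

Two design points worth seeing in the code: path rules must normalize before comparing (case, separator, and ideally 8.3 short names and symbolic links, which this toy ignores), and parent-process rules like 1002 are keyed on image name only, so a renamed binary or a process spawned through an intermediate parent is outside what the rule can see. That is exactly the gap the behavioral-analysis layer on the earlier slides is meant to cover.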

Page 45: Panda Security2008

Gartner 2007
Host-Based Intrusion Prevention Systems (HIPS) Update: Why Antivirus and Personal Firewall Technologies Aren't Enough

Page 46: Panda Security2008


Page 47: Panda Security2008


Page 48: Panda Security2008

TruPrevent


“The best example of a vendor that has taken the visionary step of delivering a single client with a full complement of host-based intrusion prevention technologies is Panda Software, with its ClientShield product, which is priced as a single solution and provides protection across eight of the nine protection styles outlined in our HIPS research”

http://www.gartner.com/teleconferences/attributes/attr_165281_115.pdf

[Diagram: TruPrevent components mapped against the HIPS protection styles: KRE, Behavioral analysis, NetworkSecure, Panda AV, GHE, Distributed firewall, IDS/IPS, IPS]

Page 49: Panda Security2008


Page 50: Panda Security2008

Panda Security Solutions
Our solution suite provides protection for every organization.

Page 51: Panda Security2008

Panda’s Solutions

Page 52: Panda Security2008

Malware Radar

An automated audit service for the whole network:
– Specialized in detecting and disinfecting malware and other security problems not detected by resident security systems
– Complements and reinforces traditional protection systems, which are insufficient to combat the new malware dynamic

Key features:
– On-demand
– Can be run locally or remotely
– Does not require local installation, nor uninstallation of the current security software

Page 53: Panda Security2008

TrustLayer Mail

TrustLayer Mail is a managed security service designed to guarantee email security, providing 100% virus-free mail backed by a service level agreement. It helps organizations optimize their investment in network infrastructure.

Page 54: Panda Security2008

TrustLayer Mail – Key Features

GNOC
• VPN secure communication
• Monitoring tools: status, warnings, alarms, load
• Remote hardware management
• Daily and ad-hoc updates of filtering rules
• Protection against attacks (DoS, …)

PandaLabs
• Automatic sending and encryption of files detected as suspicious
• Analysis of, and action on, quarantined messages
• Commitment to resolve the situation in under 24 hours
• Average resolution time of four hours

Page 55: Panda Security2008

Security appliances - Performa

GateDefender: Protecting the perimeter

• Anti-malware
• Anti-spam
• Content filter
• Web filter
• Blocking of P2P and IM

Page 56: Panda Security2008

Security appliances - Integra

GateDefender: Protecting the perimeter

• Anti-malware
• Anti-spam
• Content filter
• Web filter
• Firewall
• VPN
• IPS

Page 57: Panda Security2008

PandaSecurity for Mobile Operators

Unified protection for all:
• Devices: Symbian, Windows Mobile, J2ME, …
• Services: multimedia messaging, WAP browsing, mobile e-mail, HTTP push, …
• Protocols: MM1-MM7, WAP, i-mode, HTTP, SMTP, …

Protection against any kind of threat:
• Mobile malware: Disco.mid, RedBrowser, RomRide
• Threats to PCs with GPRS and UMTS cards, …
• Viruses (polymorphic, etc.), phishing, Trojans, hacking tools, …

• Anti-malware
• Anti-spam
• Content filtering
• Web filtering

Page 58: Panda Security2008

Corporate Solutions

Centralized management solution for corporate environments. Maximum protection against malware with the greatest simplicity.

Advanced protection
• Layered security
• Integration of advanced anti-malware technologies

Easy management
• The centralized management console, AdminSecure, allows you to:
  – install, uninstall and update all protections
  – control the protections' activity
  – monitor the risks and act in real time

Page 59: Panda Security2008

Solutions for the financial market

• Gives financial organizations the guarantee that their users will be making online transactions free from malware
• The client organization has a control panel that lets it decide what action to take in each case
• Targeted Attacks Alert Service
  – A service provided by PandaLabs to monitor and alert on any new malware affecting a specific financial entity

Page 60: Panda Security2008

Case Studies

Page 61: Panda Security2008

Polis Diraja Malaysia

• > 10,000 PCs
• Challenges
  – Replaced Trend Micro.
  – No anti-spyware module.
  – High rate of outbreak and infection incidents.
• Details
  – Completed installation in Bukit Aman.
  – No outbreak incidents.
  – Next deployment: Sabah/Sarawak, etc.
• Problems
  – Some PCs with resource issues.

Page 62: Panda Security2008

Syabas

• > 1,500 PCs
• Challenges
  – Multiple AV products
  – Multiple locations
  – Frequent outbreaks
  – Network congestion due to network viruses
• Details
  – 15 locations throughout Selangor.
• Problems
  – Viruses (Brontok and Korgo) infected a few PCs that did not have TruPrevent.

Page 63: Panda Security2008

Sin Chew Jit Poh

• 1,000 PCs
• Previous antivirus: Symantec
• Challenges
  – Outbreaks of network viruses
• Details
  – Purchased Nov 2005, before expiry of the existing AV
  – 1,000 licenses of EnterpriSecure
  – 2 units of GateDefender
    • Network antivirus
    • Anti-spam
    • Web filtering

Page 64: Panda Security2008

Panda Security Solutions
Our solution suite provides protection for every organization.

Page 65: Panda Security2008

Summary

• Fourth worldwide company in the sector

• Leaders on protection and technology

• First in Services from the Cloud and Collective Intelligence

• Our solutions cover all layers
  – From the endpoint
  – To the cloud

• Certifications and Recognitions from the industry

Page 66: Panda Security2008

thank you!