In cyber security, the enemy is continually changing and evolving — and defenses against that enemy must adapt and evolve to meet the new threats. Unveiled today, Sophos Intercept X is an example of that evolution, bringing next-gen techniques to the latest threats.
‘Next-gen’ itself is difficult to define. “One of the areas we struggle with,” said Dan Schiappa, senior vice president of the Sophos Enduser Security Group in conversation with SecurityWeek, “is finding a real unified definition for the term. There is a unified definition for a next gen firewall, but for endpoint products there’s just a variety of different flavors.”
“You have to be able to tackle three critical areas covering the whole spectrum,” said Schiappa: “prevention, detection, and clean and respond — and all with the latest technologies. Only when you do that can you be called ‘next-gen’.”
Intercept X is designed to bring new technology to solving the last three of the Nasty Nine elements: crypto ransomware, exploits and clean and respond; and it does so with zero reliance on malware signatures.
All crypto ransomware has one particular characteristic: it encrypts files. Intercept X continuously monitors for the start of an encryption process. “When a process starts to encrypt,” explained Schiappa, “we create a mechanism that does behavioral analysis on that process. At the same time, we save a pre-encrypted version of the affected file into a safe store in an obfuscated area. If we decide that it is a malicious process and we need to evict it, we’ll shut the process down and we’ll clean it up; but we’ll also return the files back to their pre-encrypted state.” Intercept X stops any ransomware, whether it’s known or unknown, and cleans and restores the original files. “If our behavioral analysis indicates that the process is legitimate,” he added, “we just let it continue.”
The anti-exploit part of Intercept X is new. Statistically, 90% of breaches involve exploits; and 90% of the exploited vulnerabilities are already known. But there’s an average delay of 193 days between publication of a vulnerability and that vulnerability being patched on site. Since all Patch Tuesdays are followed by Exploit Wednesdays, there is a huge window of opportunity for vulnerabilities to be exploited. Rather than tackle the vulnerabilities or the exploits directly, Sophos has determined 24 different techniques used within exploits.
“There were about 7000 vulnerabilities published last year,” explained Schiappa, “attacked in hundreds of thousands of different ways — but all using one or more of the 24 techniques.” By monitoring and blocking the exploit techniques, Intercept X is able stop zero-day exploit attacks without any reference to malware file signatures. Schiappa expects one or two new techniques to appear each year, which will be analyzed and countered, “but we’re no longer on the treadmill of malware and variants continually changing.”
According to Sophos, 66% of IT staff lack incident response skills. Since no security is perfect, companies will get breached regardless of their security defenses. Incident response has become an important part of security’s armory — and the third part of Intercept X is designed to help companies operate a meaningful response. This provides both clean-up and forensics.
“If we see a hacker or piece of malware trying to use one of the known exploit techniques, a data recorder running on the endpoint sends a ‘root-cause chain’ of data up to Sophos Central where we build a report on what happens. We provide the report in different levels of depth suitable for anything from a defense contractor to a small retail store.” At one level, the user can click on the alert notification and Intercept X will show “what happened, where and when it happened, who was logged on at the time, and how it happened. It also provides a list of next steps for the novice incident responder.”
More advanced users can delve deeper. “We provide an asset-based table-driven report for the experts,” said Schiappa. This provides specifics, like what registry changes were made, what processes were launched, and so on. “You can click on specifics to get more detail and see the course the attack.” The final level is a complete visualization of the attack that can be viewed in its entirety.
Intercept X can be installed as a self-contained stand-alone product. Where the primary Sophos central endpoint product is already installed, the agents from both products will merge to provide a single endpoint security product. Alternatively it can run alongside competitor products, without any interference, for a layered security approach.