Transcription

Zero Trust Security – Web Isolation and Mobile Defense
Sam Tong, Senior Principal Consultant, Symantec Corporation

What is Zero Trust
The model promotes a more holistic approach to information security and puts special focus on processes and technologies. The goal is to produce secure micro-perimeters, strengthen data security using obfuscation techniques, limit the risks associated with excessive user privileges and access, and improve security detection and response with analytics and automation.
“ZTX provides a framework for the modern Security Platform”
Copyright 2017 Symantec Corporation SYMANTEC PROPRIETARY - LIMITED USE ONLY

Forrester ZTX Model
Forrester Zero Trust eXtended (ZTX) Ecosystem Model

Symantec Portfolio and Zero Trust
DATA: Data Loss Prevention; Data Encryption, Tagging, and Analytics
DEVICES: Device Encryption; Endpoint Protection and Management; IoT Security; Data Center Security
WORKFORCE/PEOPLE: Multi-Factor Auth (VIP); Web & Email Gateways; Web Browser Isolation; Content Analysis and Sandboxing; Cloud Security Gateway (CASB)
WORKLOADS: Cloud Workload Protection; Storage Protection; Cloud Security Gateways (CASB); Compliance Automation; WAF/Reverse Proxy
NETWORK: Cloud Proxy & SD-WAN/Firewall; Data Center Security; Proxy, Reverse Proxy, & WAF; Encrypted Traffic Management
AUTOMATION & ORCHESTRATION: ICDx
VISIBILITY & ANALYTICS: Data-Driven Analytics/Reporting; UEBA; Full-Packet Capture Forensics; Reporting & Threat Analytics (Endpoint, Network, Cloud, Email)

Symantec Named a Leader in The Forrester Wave: Zero Trust eXtended (ZTX) Ecosystem Providers, Q4 2018
“Symantec is a juggernaut, given its breadth of security solutions. The company has extensive endpoint, network security, and threat identification capabilities”
- The Forrester Wave: Zero Trust eXtended (ZTX) Ecosystem Providers, Q4 2018
Source: November 2018, The Forrester Wave: Zero Trust eXtended (ZTX) Ecosystem Providers, Q4 2018
The Forrester Wave is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave are trademarks of Forrester Research, Inc. The Forrester Wave is a graphical representation of Forrester's call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.

The Zero Trust Dilemma
Changing Usage Models Will Mandate Zero Trust Architecture

Delivering Protection in The Cloud Generation
Zero Trust pillars: Zero Trust Network; Zero Trust Data; Zero Trust Workload; Zero Trust Analytics; Zero Trust Devices & People
Platform capabilities: ADVANCED THREAT PREVENTION; INFORMATION PROTECTION; COMPLIANCE ENFORCEMENT; ANALYTICS; ENCRYPTED TRAFFIC MANAGEMENT; ICDx

Integrated Cyber Defense Platform
Seamless, overlay, zero-trust security platform
Managed Service & Intelligence: CSS (MSS/IR) Managed Security Service / Incident Response; GIN Threat Intelligence; Premium Support; Management Service; Profession ion; Consulting (Security Consulting / Vulnerability Management)
Email Security: ESS Advanced Email Security Cloud Service
Web & Cloud Security: ProxySG/ASG Secure Web Gateway; PacketShaper Traffic Optimization; SSLV SSL Visibility; CAS Dual Sandbox; SA Network Forensics; WSS Secure Web Gateway; SWI Web Isolation; Data Protection
Data Loss Protection: DLP; Tagging
Endpoint Security: SEP Endpoint Protection; EDR / EDR Cloud Endpoint Detection & Response; SEP Mobile Mobile Threat Defense; ICSP/CSP Industrial System Security (IoT)
Covered environments: Branch Office, Smart Device, Mobile/SOHO, Endpoint, IoT

Zero Trust Threat Protection

Web Isolation

The Threat of the Unknown Web
Perimeter policy: Known Good → ALLOW; Unknown/Risky → ALLOW? or BLOCK?; Known Bad → BLOCK
THE CHALLENGE
- Millions of new sites created every day
- 71% of all host names exist for 24 hours or less
- Many are legitimate, but some offer ideal cover for hackers launching attacks
- Uncategorized or potentially risky* domains are difficult to assess with traditional “detection” approaches
- Customizing protection without over-blocking
“HOW CAN I INCREASE SECURITY WITHOUT OVER-BLOCKING?”

The Big Numbers
Enterprise Perimeter / Corporate User
Source: Internet Security Threat Report Volume 23, Copyright 2018 Symantec Corporation

DLP Policies and Incidents

DLP Detection and Control


Web Browsers – The Ultimate Attack Surface
Advanced malware exploits browser vulnerabilities by delivering malware to endpoints via web page rendering resources: JavaScript, CSS, SVG, HTML, Images, Flash & 3rd Parties, Addons, Fonts, Social

Web Isolation Architecture
Risks (Web, Documents, Email) → Symantec Web Isolation, rendered in a Secure Disposable Container → 100% safe rendering information to the user; user gestures flow back to the container
- Seamless browsing experience
- Isolate both web and email, including documents
- On premise, cloud and hybrid

Key Use Cases
1. Stop Over-blocking: Expand web access by isolating uncategorized and potentially risky traffic
2. Additional protection for privileged users
3. Prevent phishing attacks by isolating risky embedded URL links

Expand Web Access by Isolating Uncategorized and Potentially Risky Traffic
Don’t Over-block Access to Uncategorized or Potentially Risky Websites
Prevent Malware While Expanding Web Access (Allow / Block: Y/N ?)
I need to:
- Enable broad web access and avoid “over-blocking” while still protecting my organization from advanced threats
- Minimize support tickets requesting access to blocked sites

Stop Over-blocking
Web isolation with proxy using website categories
Web access policy:
- Always allow certain categories/sites
- Always block certain categories/sites
- Middle ground categories/sites get isolated
- Expanded access with no malware risk
ALLOW: Allowed categories (Health, Financial Services, etc.)
ISOLATE: Categories where some access may be required (Dynamic DNS Host, File Storage/Sharing)
DENY: Threat categories (Suspicious, Malicious in/out)

Stop Over-blocking
Web isolation with proxy using categories (with risk levels: BCIS-advanced)
Web access policy:
- Allow certain categories and low risk sites
- Block certain categories and riskiest sites
- Middle ground categories and potentially risky sites get isolated
- Expanded access with no malware risk
Risk level scale: 10 (highest) down to 1 (lowest)
ALLOW: Allowed categories (Health, Financial Services, etc.); Customer Category
ISOLATE: Categories where some access may be required (Category of Interest, File Storage/Sharing, Dynamic DNS Host, Uncategorized)
DENY: Security Concerns (Hacking, Uncategorized, Suspicious, Malicious Outbound)
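The two policy slides above describe one decision: the riskiest sites and threat categories are denied, low-risk sites in allowed categories are allowed, and everything in the middle is isolated. The following is an added example, not Symantec proxy code, that models that decision so a policy can be reviewed for over-blocking before it is deployed. Category names come from the slides; the two risk thresholds, the "Shopping" category and the sample hostnames are assumptions made for this illustration.

```python
"""Proxy web-access decision from category and risk level: ALLOW, ISOLATE or DENY.

Added example, not Symantec proxy code. Category names are taken from the
slides; the 1..10 risk scale is the slides', but the two thresholds below and
the sample sites are assumptions made for this illustration.
"""
from dataclasses import dataclass

ALLOW, ISOLATE, DENY = "ALLOW", "ISOLATE", "DENY"

# Categories the slides place at either end of the policy.
ALWAYS_ALLOW = {"Health", "Financial Services", "Customer Category"}
ALWAYS_DENY = {"Hacking", "Suspicious", "Malicious Outbound"}
# "Middle ground": some access may be required, so the page is rendered in isolation.
MIDDLE_GROUND = {"Category of Interest", "File Storage/Sharing", "Dynamic DNS Host", "Uncategorized"}

# Assumed thresholds on the 1 (lowest) .. 10 (highest) risk scale.
LOW_RISK_MAX = 3    # at or below: low-risk site
HIGH_RISK_MIN = 9   # at or above: among the riskiest sites


@dataclass(frozen=True)
class Verdict:
    host: str
    category: str
    risk_level: int
    action: str
    reason: str


def decide(host: str, category: str, risk_level: int) -> Verdict:
    """Apply the slides' policy: block the riskiest, allow low-risk allowed
    categories, isolate everything in between."""
    if not 1 <= risk_level <= 10:
        raise ValueError(f"risk level {risk_level} outside 1..10")
    # Deny wins over every other rule, whatever the category says.
    if category in ALWAYS_DENY or risk_level >= HIGH_RISK_MIN:
        return Verdict(host, category, risk_level, DENY, "blocked category or riskiest site")
    if category in ALWAYS_ALLOW and risk_level <= LOW_RISK_MAX:
        return Verdict(host, category, risk_level, ALLOW, "allowed category, low risk")
    if category in MIDDLE_GROUND or risk_level > LOW_RISK_MAX:
        return Verdict(host, category, risk_level, ISOLATE, "middle ground or potentially risky")
    return Verdict(host, category, risk_level, ALLOW, "categorized, low risk")


def summarize(verdicts):
    """Count decisions per action, which is what an over-blocking review looks at."""
    counts = {ALLOW: 0, ISOLATE: 0, DENY: 0}
    for v in verdicts:
        counts[v.action] += 1
    return counts


# Constructed sample sites (hostnames and ratings are placeholders, not real classifications).
SAMPLE_SITES = [
    ("bank.example", "Financial Services", 1),
    ("clinic.example", "Health", 2),
    ("share.example", "File Storage/Sharing", 4),
    ("ddns-host.example", "Dynamic DNS Host", 6),
    ("newsite.example", "Uncategorized", 5),
    ("tools.example", "Hacking", 8),
    ("beacon.example", "Malicious Outbound", 10),
    ("shop.example", "Shopping", 2),
]

if __name__ == "__main__":
    verdicts = [decide(*site) for site in SAMPLE_SITES]
    for v in verdicts:
        print(f"{v.action:8} {v.host:20} {v.category} (risk {v.risk_level}): {v.reason}")
    print(summarize(verdicts))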

Additional Protection for Privileged Users
Safeguard Privileged Users
Prevent Malware with Web Access
- We have privileged users like executives, IT admins, HR, and finance that have extra permissions and access rights to sensitive data and systems (C-Level Team; Key IT Staff; HR, Legal, Finance)
- I need to enable secure web browsing on those critical endpoints, and ensure internet delivered malware never impacts these devices
Malware on these endpoints has severe consequences because of unique system privileges

Policies Set to Isolate All Privileged User Traffic
Privileged User → Web Isolation (Isolate All Web Browsing) → All Websites
- Privileged users have all web browsing isolated
- Eliminates possibility of web-delivered malware to these highly sensitive endpoints

Prevent Phishing Attacks by Isolating Risky Embedded URL Links
Prevent malware/ransomware from phishing attacks
Isolate websites launched from URLs embedded in email
- Stop credential theft by preventing users from submitting corporate credentials and other sensitive information on unknown and malicious sites
- Protect my users from embedded URLs that link to malicious websites

Isolate Web-Activity Launched From Email
- Prevent users from submitting corporate passwords and sensitive information to malicious web sites by rendering sites in read-only mode
- Isolates links in email so users can safely click on them

Web Isolation Benefits
Eliminate any web threats:
- Prevent infections before they ever happen
- Stop ransomware attacks
- Secure access to uncategorized and risky sites
- No detection required (!!)
- Protect against zero-day exploits
Defeat phishing threats:
- Prevent infections via malicious links
- Block users from disclosing sensitive information (e.g. corporate credential)
- Managed and unmanaged devices
Minimize security overhead:
- Simplify web access policies
- Mitigate support tickets requesting access to risky sites
- No false negative/positive alerts
- Minimize investigations and remediation

Zero Trust Mobile Security

Symantec Endpoint Security Family
Complete Endpoint Security to Defend Against Advanced Threats
Traditional Endpoints: SEP 14 and EDR (ATP Endpoint)
- Single agent for multi-layered protection and Endpoint Detection & Response (EDR)
- High efficacy with low false positives
- Detect, investigate, and remediate suspicious activities across all endpoints
- Scalable and flexible architecture
Mobile Endpoints: Skycure Mobile Threat Defense
- Protect BYOD and corporate managed mobile devices
- Predictive technology with high efficacy
- Productive and unobtrusive to enable seamless mobile experience
- Scalable and effortless deployment

Mobile Threat Landscape
EVERY ORG WITH 500 DEVICES HAS A ROOTED/JAILBROKEN DEVICE
Network: Pineapple; Wifigate; arpspoof; SSL decryption; dnsspoof; Evil Twin; SSL stripping; Content manipulation; CIA “Vault ing
Vulnerabilities (mobile OS vulnerabilities¹): Malicious bility; Clickjacking; No iOS Zone; Shared Cookie Stores; LinkedOut
Physical: Malicious Chargers; Drive-by attacks; NFC attacks; Bluetooth attacks; Lost / Stolen / Left in Uber
Malware: Mobile malware detections¹, 1100% growth
Chart: Percentage of devices exposed to network threats (2017 projection)
Chart: New mobile vulnerabilities, 2014 / 2015 / 2016, total and BlackBerry
¹ Internet Security Threat Report (ISTR) 2017, Symantec

Skycure Solution Overview
THREAT INTELLIGENCE: Crowd-sourced; 3rd party threat aggregation; Skycure research
CLOUD SERVER: Risk/compliance visibility; Advanced security; Automation & integration (EMM); Consistent across Managed & Unmanaged scenarios
PUBLIC APP: Simple deployment & maintenance; Ensured privacy; Minimal footprint

Skycure Network Based Attack Detection
Active Honeypot Approach
- App sandboxing (vs. root / admin in PCs)
- Privacy (personal & business use)

Skycure Network Based Attack Detection
Crowd-sourced: Mobile Threat Intelligence
Rogue network detection (diagram): several access points advertise “Public Free WiFi”; devices on the genuine ones report “Match ISP network pattern”, while the rogue one “Does not match ISP’s network pattern”.
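The slide shows the idea only as a diagram: many devices have joined the genuine network, so its characteristics are known, and a network of the same name whose characteristics differ is flagged. The following is an added example, not Skycure code, of that comparison. Which attributes are compared (gateway vendor prefix, DHCP resolvers, the certificate seen for a probe host), the weights, the pattern format and every sample value are constructed for this illustration; a real product would collect these from the OS and from its own telemetry.

```python
"""Rogue Wi-Fi detection by comparing what a device observes against a
crowd-sourced pattern for networks of that name.

Added example, not Skycure code. The attribute set, the pattern format,
the weights and all sample values are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class NetworkObservation:
    ssid: str
    gateway_oui: str          # vendor prefix of the gateway MAC, e.g. "00:1A:2B"
    dns_servers: tuple        # resolvers handed out by DHCP, in order
    probe_tls_issuer: str     # issuer of the certificate seen for a known probe host
    probe_tls_valid: bool     # whether that certificate chained to a trusted root


# Constructed crowd-sourced pattern: attributes many prior devices agreed on
# when joining the genuine "Public Free WiFi" service.
KNOWN_PATTERNS = {
    "Public Free WiFi": {
        "gateway_ouis": {"00:1A:2B"},
        "dns_servers": {("10.0.0.1",), ("10.0.0.1", "10.0.0.2")},
        "tls_issuers": {"Example Probe CA"},
    },
}

# Deviations that point at active interception (dnsspoof, SSL decryption or
# stripping) weigh more than a merely different gateway vendor.
WEIGHTS = {"gateway": 1, "dns": 3, "tls": 3}
SUSPECT_AT = 1
ROGUE_AT = 3


def deviations(obs: NetworkObservation, patterns=KNOWN_PATTERNS):
    """Return (score, reasons). Score 0 means the network matches the ISP
    pattern; None means there is no pattern to compare against."""
    pattern = patterns.get(obs.ssid)
    if pattern is None:
        return None, ["no crowd-sourced pattern for this SSID"]
    score, reasons = 0, []
    if obs.gateway_oui not in pattern["gateway_ouis"]:
        score += WEIGHTS["gateway"]
        reasons.append("gateway vendor differs from pattern")
    if tuple(obs.dns_servers) not in pattern["dns_servers"]:
        score += WEIGHTS["dns"]
        reasons.append("DNS resolvers differ from pattern")
    if not obs.probe_tls_valid or obs.probe_tls_issuer not in pattern["tls_issuers"]:
        score += WEIGHTS["tls"]
        reasons.append("TLS probe certificate differs from pattern")
    return score, reasons


def classify(obs: NetworkObservation, patterns=KNOWN_PATTERNS) -> str:
    """Map the deviation score to the verdict the slide draws: match or rogue,
    with 'suspect' for weak evidence and 'unknown' when no pattern exists."""
    score, _ = deviations(obs, patterns)
    if score is None:
        return "unknown"
    if score >= ROGUE_AT:
        return "rogue"
    if score >= SUSPECT_AT:
        return "suspect"
    return "match"


# Constructed observations from four devices.
GENUINE = NetworkObservation("Public Free WiFi", "00:1A:2B", ("10.0.0.1",), "Example Probe CA", True)
EVIL_TWIN = NetworkObservation("Public Free WiFi", "00:C0:FF", ("192.168.4.1",), "Self-signed", False)
ODD_GATEWAY = NetworkObservation("Public Free WiFi", "00:C0:FF", ("10.0.0.1", "10.0.0.2"), "Example Probe CA", True)
NO_PATTERN = NetworkObservation("Cafe Guest", "00:1A:2B", ("10.0.0.1",), "Example Probe CA", True)

if __name__ == "__main__":
    for obs in (GENUINE, EVIL_TWIN, ODD_GATEWAY, NO_PATTERN):
        score, reasons = deviations(obs)
        print(f"{obs.ssid!r}: {classify(obs)} (score {score}) {reasons}")
```

Only the resolver and certificate checks carry enough weight to reach "rogue" on their own, because those are the attributes an interception setup has to change; a gateway vendor change alone only raises "suspect", which is where crowd confirmation from other devices would come in.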

Detection of Indicators of Compromise
Current jailbreak/rooting detections:
- Existence of directories/files: fileExistsAtPath(“/bin/sh”); fopen(“/Applications/Cydia.app”, ”r”)
- Directory permissions: statfs()
- Process forking: fork() succeeds (returns 0 in the child)
- Cydia scheme detection: check if cydia:// is callable
- Prohibited commands: system() returns 1
Attacks are much more sophisticated: alongside Library 1 and Library 2 (the real fopen implementation), a Library 3 named “LegitLib.dylib” supplies a fake fopen implementation, so the checks above no longer see the real filesystem.

Detection of Indicators of Compromise
Attacks are much more sophisticated (Library 1, Library 2 with the real fopen implementation, Library 3 “LegitLib.dylib” with a fake fopen implementation):
- On device analysis looks for known anomalies
- Skycure servers receive suspicious libraries for further analysis
- Crowd-sourced analysis identifies new and unknown anomalies
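The two slides above list the classic indicator checks and then the caveat that defeats them: a library loaded into the app can redefine fopen and friends, so every check that goes through libc reports a clean device. The following is an added example, not Skycure code, that runs the listed indicators over a device snapshot and adds the "known anomaly" check the second slide describes: a library outside the system library paths that exports the very libc symbols the indicators depend on. The snapshot format, the system path prefixes and all sample values (including the path of the constructed LegitLib.dylib) are assumptions; on a real device these fields would be populated from the OS.

```python
"""Jailbreak-indicator checks over a device snapshot, plus a check for
libraries that redefine the libc functions those indicators depend on.

Added example, not Skycure code. The snapshot format and all sample values
are constructed; on a real device the fields come from OS calls.
"""
from dataclasses import dataclass

# Assumed: where the platform's own libraries live.
SYSTEM_LIBRARY_PREFIXES = ("/usr/lib/", "/System/Library/")
# libc entry points the indicator checks on the slide rely on.
LIBC_SYMBOLS_USED = {"fopen", "fork", "statfs", "system"}

# Indicators from the slide.
KNOWN_PATHS = {"/bin/sh", "/Applications/Cydia.app"}
PROTECTED_DIRS = {"/", "/private"}        # should not be writable from an app
JAILBREAK_SCHEMES = {"cydia"}


@dataclass(frozen=True)
class DeviceSnapshot:
    existing_paths: frozenset      # paths fileExistsAtPath()/fopen() reported present
    writable_dirs: frozenset       # directories statfs() reported writable
    fork_succeeds: bool            # fork() returned >= 0 inside the sandbox
    url_schemes: frozenset         # schemes the OS reports as openable
    system_available: bool         # system() returned a non-zero (shell present) result
    libraries: dict                # loaded library path -> set of exported symbols


def indicator_checks(snap: DeviceSnapshot):
    """The slide's current detections, each producing a finding when it fires."""
    findings = []
    for path in sorted(KNOWN_PATHS & snap.existing_paths):
        findings.append(f"file exists: {path}")
    for directory in sorted(PROTECTED_DIRS & snap.writable_dirs):
        findings.append(f"directory writable: {directory}")
    if snap.fork_succeeds:
        findings.append("fork() succeeded inside the app sandbox")
    for scheme in sorted(JAILBREAK_SCHEMES & snap.url_schemes):
        findings.append(f"{scheme}:// scheme is callable")
    if snap.system_available:
        findings.append("system() is callable")
    return findings


def interposing_libraries(snap: DeviceSnapshot):
    """Known anomaly: a non-system library exporting a libc symbol the checks
    use. This is the 'fake fopen implementation' case on the slide."""
    return sorted(
        path for path, symbols in snap.libraries.items()
        if not path.startswith(SYSTEM_LIBRARY_PREFIXES) and symbols & LIBC_SYMBOLS_USED
    )


def assess(snap: DeviceSnapshot):
    """Combine both layers: indicators decide 'jailbroken'; a clean indicator
    set is not trusted when the functions behind it may have been replaced."""
    findings = indicator_checks(snap)
    suspicious = interposing_libraries(snap)
    if findings:
        verdict = "jailbroken"
    elif suspicious:
        verdict = "escalate"   # send the suspicious libraries for server-side analysis
    else:
        verdict = "clean"
    return verdict, findings, suspicious


# Constructed snapshots. The system library path is assumed; LegitLib.dylib's
# location is invented for the example.
SYSTEM_LIBC = {"/usr/lib/libSystem.B.dylib": {"fopen", "fork", "statfs", "system"}}
OBVIOUS = DeviceSnapshot(frozenset(KNOWN_PATHS), frozenset({"/"}), True, frozenset({"cydia"}), True, dict(SYSTEM_LIBC))
HIDDEN = DeviceSnapshot(frozenset(), frozenset(), False, frozenset(), False,
                        {**SYSTEM_LIBC, "/private/var/tmp/LegitLib.dylib": {"fopen"}})
CLEAN = DeviceSnapshot(frozenset(), frozenset(), False, frozenset(), False, dict(SYSTEM_LIBC))

if __name__ == "__main__":
    for name, snap in (("obvious", OBVIOUS), ("hidden", HIDDEN), ("clean", CLEAN)):
        verdict, findings, suspicious = assess(snap)
        print(f"{name}: {verdict}; findings={findings}; suspicious libraries={suspicious}")
```

The point of the second layer is that the answer "no indicators found" is only meaningful when the code that produced it was not itself replaced; a device whose checks are quiet but whose loaded libraries look wrong is escalated rather than declared clean.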

Malware Analysis Flow – On Device
- Download or installation detected
- Analyze app metadata: permissions, developer, source
- Signature based matching (e.g. SHA-1 8732f94f211230e01ba9dff4e260936b9902a5b4 compared against the known hash)
- App structure dissection
- Gradual analysis: upload metadata, then the app dissection summary, then the APK
- Protect: delete installation file; block installation
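The on-device flow above is a staged pipeline: a cheap hash comparison first, then metadata, then a look inside the package, with the amount uploaded to the cloud growing with the suspicion. The following is an added example, not Skycure code, of such a pipeline. The sample "APK" blobs, the blocklist (seeded with the sample's own SHA-1 so the match is real), the trusted-developer list, the permission list, the string patterns and the scoring weights are all constructed for this illustration.

```python
"""Staged on-device app analysis: signature match, metadata scoring,
structure dissection, then a gradual-upload or protect decision.

Added example, not Skycure code. Samples, blocklist, permission list,
patterns and weights are constructed for illustration.
"""
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AppInstall:
    package: str
    developer: str
    source: str            # "store" or "sideload"
    permissions: frozenset
    apk_bytes: bytes


# Constructed samples: a few bytes standing in for an archive. Only the hash
# and the embedded strings matter to this example.
BENIGN_APK = b"PK\x03\x04 classes.dex notes-app"
MALICIOUS_APK = b"PK\x03\x04 classes.dex /system/xbin/su http://c2.example.invalid/cmd"

# Constructed blocklist seeded with the malicious sample's own SHA-1.
KNOWN_BAD_SHA1 = {hashlib.sha1(MALICIOUS_APK).hexdigest()}
TRUSTED_DEVELOPERS = {"Example Corp"}
DANGEROUS_PERMISSIONS = {
    "READ_SMS", "RECEIVE_SMS", "SYSTEM_ALERT_WINDOW",
    "BIND_ACCESSIBILITY_SERVICE", "REQUEST_INSTALL_PACKAGES",
}
SUSPICIOUS_PATTERNS = [rb"/system/(?:x)?bin/su", rb"https?://[^\s\"']+"]


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def metadata_score(app: AppInstall) -> int:
    """Permissions, developer and source, as on the slide; weights are assumed."""
    score = 0 if app.source == "store" else 2
    if app.developer not in TRUSTED_DEVELOPERS:
        score += 1
    score += len(app.permissions & DANGEROUS_PERMISSIONS)
    return score


def dissect(app: AppInstall):
    """App structure dissection reduced to a string scan over the package."""
    hits = set()
    for pattern in SUSPICIOUS_PATTERNS:
        for match in re.finditer(pattern, app.apk_bytes):
            hits.add(match.group(0).decode("utf-8", "replace"))
    return sorted(hits)


def analyze(app: AppInstall) -> dict:
    """Run the stages in order and stop at the first one that decides."""
    digest = sha1_hex(app.apk_bytes)
    if digest in KNOWN_BAD_SHA1:
        return {"stage": "signature", "action": "block installation, delete file",
                "sha1": digest, "score": None, "hits": []}
    score = metadata_score(app)
    hits = dissect(app)
    if hits or score >= 3:
        # Enough suspicion to ship the dissection summary and the package itself.
        stage, action = "dissection", "upload dissection summary and APK"
    elif score > 0:
        stage, action = "metadata", "upload metadata"
    else:
        stage, action = "metadata", "allow"
    return {"stage": stage, "action": action, "sha1": digest, "score": score, "hits": hits}


# Constructed installs exercising each stage.
KNOWN_BAD = AppInstall("com.example.bad", "Unknown Dev", "sideload", frozenset({"READ_SMS"}), MALICIOUS_APK)
REPACKAGED = AppInstall("com.example.bad2", "Unknown Dev", "sideload", frozenset(), MALICIOUS_APK + b" v2")
STORE_APP = AppInstall("com.example.notes", "Example Corp", "store", frozenset({"INTERNET"}), BENIGN_APK)
SIDELOADED = AppInstall("com.example.notes", "Example Corp", "sideload", frozenset({"INTERNET"}), BENIGN_APK)

if __name__ == "__main__":
    for app in (KNOWN_BAD, REPACKAGED, STORE_APP, SIDELOADED):
        result = analyze(app)
        print(f"{app.package}: stage={result['stage']} action={result['action']} hits={result['hits']}")
```

The repackaged sample shows why the hash stage alone is not enough: one appended byte changes the SHA-1, and only the dissection stage still recognises the package.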

Malware Analysis Flow – On Cloud
- Analyze metadata: permissions, developer reputation, app source
- Code structure analysis: identify new instances of malware through clustering
- Send to crowd-wisdom engine: attacker profiling; legitimate app profiling; detect repackaged apps
- Send to static analysis engine: signature based analysis; code patterns collection
- Send to dynamic analysis engine: run app in a sandbox; inject hooks into sensitive methods; feed it with custom inputs; walk through its UI; analyze method calls and code flows; analyze outgoing/incoming network traffic

On-device Conditional Access
Enforcement (with EMM)

Skycure Holistic Device Protection
- ON DEVICE: Continued protection even in case of network unavailability
- On Device Protection: Protects against malware, malicious profiles, network attacks, with or without MDM
- VPN (Skycure VPN or 3rd party VPN): Protects against MitM attacks by rerouting traffic through the VPN
- Proactive Analysis: Scans APKs before installation
- Conditional Access: On-device protection for pre-identified sensitive corporate resources
- Server2Server Communication (EMM, Exchange, SIEM): Provide visibility and enforce policies; admin notifications
- App2App Communication: Communication between Skycure and 3rd party apps
- User Notifications

Architecture Overview

Thank You
