Endpoint Security - HIPS. egambit, your defensive cyber-weapon system. You have the players. We have the game.


Slide 1: eGambit, your defensive cyber-weapon system.

You have the players. We have the game.

©TEHTRI-Security – 2010-2015
www.tehtri-security.com

eGambit – Endpoint Security - HIPS

Slide 2: Endpoint Security – HIPS

In this document, we introduce how eGambit can help improve endpoint security with a Host-based Intrusion Prevention System: eGambit-HIPS.

Based on eGambit version 3.1 – September 2015

Slide 3: About Endpoint Security

- Let's focus on the Microsoft Windows environment
- Windows is one of the main operating systems used in current infrastructures
  - Servers
  - Workstations, laptops…
- Attackers spend an incredible amount of time creating unknown and undetected weapons in order to get illegal remote access
- The problem is that current defensive technologies like antivirus, anti-malware and personal firewalls cannot handle intruders alone
  - This explains why most attacks will finally succeed, thanks to human errors, poor configurations and insecurity

Slide 4: About eGambit HIPS

- To fight potential intruders in your Windows environment, eGambit offers a HIPS
- Host-based Intrusion Prevention System
  - Detection + Prevention in your Windows
- This Endpoint Security technology securely connects your Windows environments to their nearest eGambit appliance
- Then, eGambit will be able to detect weird behaviors, suspicious files, exfiltration of data…
- eGambit HIPS is the best friend of your Antivirus, as

Slide 5: eGambit-HIPS overview

[Diagram: the flow runs from "Data from the ground" to the "Local eGambit Engine", then "Remote checks & analysis", then "Proportional Responses" and "Defensive Cyber-weapons", backed by the "eGambit worldwide cloud-based intelligence".]

Without HIPS: a standard Windows box with Antivirus, Antimalware, Firewall, Proxy, Hardening… Remotely owned by attackers. Nothing happens. Stealth attack successful.

With HIPS: same situation, except that the HIPS will detect, report, and answer to the threat.

Slide 6: Example based on a November 2014 experience

Scenario: SCADA production network attacked in a multinational company. Local eGambit Engine; eGambit results = detection + retaliation.

1) Detection of suspicious unknown activity (HIPS engine)
2) Reporting to the worldwide cloud-based intelligence (global analysis)
3) Remote advanced analysis of the Windows (from eGambit appliance): IP of attackers retrieved. Evil tools stolen and sent to Sandbox in minutes.
4) TEHTRIS MSSP: alert sent to the customer's IT security expert team (SOC)
5) Mitigation authorized by customer (protection of the SCADA production): exfiltration path broken. Physical location of attackers found. Offensive weapons remotely broken. Offensive actions broken.

Slide 7: Examples of defensive cyber-weapons

These weapons, called defensive missiles, can be enabled or disabled by the customer, to adapt the threat response to the desired level.

For increased security, an integrity check is run each time a missile is received, to avoid running something the customer didn't specifically allow.
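As an added example (not eGambit's own code; the page does not describe how the appliance performs its check), here is one way to implement such a gate in Python. It assumes that a received module carries an HMAC-SHA256 tag computed by the appliance with a key shared with the endpoint, and that the customer keeps an allowlist of SHA-256 digests of the missiles they explicitly enabled; a missile runs only if both the tag and the allowlist check pass. The key, the allowlist and the sample module payloads are constructed for the example.

```python
"""Added example (not eGambit's code): gate a received "missile" on an
integrity check before it is allowed to run.

Assumptions (constructed for this example): the module arrives as raw bytes
plus an HMAC-SHA256 tag computed by the appliance with a key shared with the
endpoint, and the customer keeps an allowlist of SHA-256 digests of the
missiles they explicitly enabled. A missile runs only if both checks pass.
"""
import hashlib
import hmac

# Constructed sample key; a real deployment would provision this securely.
SHARED_KEY = b"example-shared-key-not-a-real-secret"

# Constructed sample missile payloads (stand-ins for real response modules).
ARP_MISSILE = b"missile: arp-spoofing-detection v1\n"
PERSIST_MISSILE = b"missile: malware-persistence-detection v1\n"
UNKNOWN_MISSILE = b"missile: something-the-customer-never-enabled v1\n"


def digest(blob: bytes) -> str:
    """SHA-256 hex digest used as the identity of a missile in the allowlist."""
    return hashlib.sha256(blob).hexdigest()


# The customer enabled only these two missiles.
CUSTOMER_ALLOWLIST = frozenset({digest(ARP_MISSILE), digest(PERSIST_MISSILE)})


def sign(blob: bytes, key: bytes = SHARED_KEY) -> str:
    """Tag the appliance attaches when sending a missile (constructed)."""
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


def verify_missile(blob: bytes, tag: str, allowlist: frozenset,
                   key: bytes = SHARED_KEY) -> tuple:
    """Return (accepted, reason).

    The authenticity tag is checked first, so an altered or forged payload
    is rejected before its digest is even consulted.
    """
    expected = hmac.new(key, blob, hashlib.sha256).hexdigest()
    # compare_digest avoids leaking tag bytes through timing differences.
    if not hmac.compare_digest(expected, tag):
        return False, "integrity tag mismatch: payload altered or not from the appliance"
    d = digest(blob)
    if d not in allowlist:
        return False, f"missile {d[:12]}... not in the customer allowlist"
    return True, "accepted"


if __name__ == "__main__":
    cases = [
        ("enabled missile", ARP_MISSILE, sign(ARP_MISSILE)),
        ("not enabled by customer", UNKNOWN_MISSILE, sign(UNKNOWN_MISSILE)),
        ("tampered in transit", ARP_MISSILE + b"x", sign(ARP_MISSILE)),
    ]
    for label, blob, tag in cases:
        print(label, verify_missile(blob, tag, CUSTOMER_ALLOWLIST))
```

The two checks answer different questions: the tag tells the endpoint the module really came from its appliance unmodified, and the allowlist tells it the customer chose to enable this particular module. A valid tag on a module the customer never enabled is still rejected, which is the property the slide describes.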

Slide 8: Oletools support

Oletools is a must-have technology created by the well-known security expert Philippe LAGADEC (@decalage2).

eGambit HIPS version 3.1 [September 2015] is fully compatible with Oletools.

- Scans of Office documents (Word, Excel, PowerPoint)
- Automatic scans
- Live security analysis of macro-based

Slide 9: YARA support

YARA is a tremendous technology created by Victor Manuel Alvarez (@plusvic) from VirusTotal. Some say YARA is like a NIDS for files and memory.

eGambit HIPS version 3.1 [September 2015] is fully compatible with YARA.

- Scans of memory + file system
- On-demand scans + automatic scans
- Custom YARA rules supported
- Build specific YARA-based rules as Indicators Of Compromise (IOC) to scan

Slide 10: Cloud-based intelligence

- Live reports from analysis made on the ground in the Windows computers are shared with the nearest eGambit appliance
- Some results might be sent to a cloud-based intelligence in order to benefit from all experiences from worldwide global fighting
  - When a new malware is caught somewhere on earth, all eGambit HIPS brothers get stronger
  - It's a kind of collective cloud-based artificial intelligence dedicated to IT Security
- Example
  - Threats are hunted by more than 50 antiviruses at the same time, with no CPU impact on your Endpoints

Slide 11: Defensive cyber-weapon system

- Other defensive missiles
  - ARP Spoofing detection
  - Malware persistence detection
  - Running processes scan
  - Web browser insecurity checks
  - Potentially Unwanted Programs checks
  - Local system information gathered
  - Network exfiltration detection
  - Network mitigation missiles
  - System mitigation missiles
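The ARP spoofing detection listed above is not described further on the page. As an added example that is not eGambit code, the following Python applies two common host-side heuristics to the text of a Windows `arp -a` table: the gateway's MAC address differs from a baseline snapshot, or a single MAC address answers for several IP addresses. The interface, addresses, gateway and both snapshots are constructed sample values.

```python
"""Added example (not eGambit's code): two ARP spoofing heuristics run over
the text of a Windows "arp -a" table.

Constructed sample data: a baseline snapshot taken while the network was
trusted, and a later snapshot in which the host at 192.168.1.20 has started
answering for the gateway 192.168.1.1.
"""
import re
from collections import defaultdict

# Matches one entry line of Windows "arp -a" output: IP, MAC, type.
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(dynamic|static)\b",
    re.IGNORECASE,
)

BASELINE_ARP = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.20          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

SPOOFED_ARP = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-01     dynamic
  192.168.1.20          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""


def parse_arp_table(text: str) -> dict:
    """Map IP -> MAC for dynamic entries only; the static entries Windows
    lists are broadcast/multicast placeholders, not learned from the wire."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m and m.group(3).lower() == "dynamic":
            table[m.group(1)] = m.group(2).lower()
    return table


def detect_arp_spoofing(current: dict, baseline: dict, gateway: str,
                        known_multi_ip_macs=frozenset()) -> list:
    """Return alert strings for the two heuristics; an empty list means clean."""
    alerts = []
    # Heuristic 1: the gateway's MAC differs from the trusted baseline.
    old, new = baseline.get(gateway), current.get(gateway)
    if old and new and old != new:
        alerts.append(f"gateway {gateway} MAC changed {old} -> {new}")
    # Heuristic 2: one MAC answers for several IPs (poisoned entries share the
    # poisoner's MAC). Legitimately multi-homed MACs can be excluded.
    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1 and mac not in known_multi_ip_macs:
            alerts.append(f"MAC {mac} answers for several IPs: {', '.join(sorted(ips))}")
    return alerts


if __name__ == "__main__":
    base = parse_arp_table(BASELINE_ARP)
    for alert in detect_arp_spoofing(parse_arp_table(SPOOFED_ARP), base, "192.168.1.1"):
        print("ALERT:", alert)
```

Both heuristics are prone to false positives on their own: a router holding several addresses on one interface, or some virtualization setups, legitimately present one MAC for several IPs, which is why the function takes a `known_multi_ip_macs` exclusion set, and the baseline is only as trustworthy as the network state it was captured in. An agent would typically combine these table checks with observation of unsolicited ARP replies before raising a high-confidence alert.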

Slide 12: eGambit = HIPS + NIDS + SIEM + …

Slide 13: Compatibility matrix

- eGambit HIPS has successfully run on these environments so far
  - Windows XP
  - Windows 2003
  - Windows 2008
  - Windows 2012
  - Windows 7
- The deployment is pretty easy as it contains a hardened auto-configuration protocol and features.
  - Just launch the MSI on your Windows, and the cyber

Slide 14: Synthesis

eGambit HIPS [Endpoint Security]

- Two complementary levels of work
  - Live Intrusion Detection alerts (monitoring)
  - Retaliation and interaction against threats (mitigation)
- Multiple skills and features added to your security
  - Follow the activity in your Windows boxes
  - Improve your security and check compliance issues
  - Detect unusual and unwanted programs
  - Follow weird behaviors and anomalies
  - Detect hidden software and insider threats
  - Retrieve APT, lateral movements, malware
  - Increase SOC/CSIRT capacities and speed

Slide 15: Join us

Slide 16: eGambit

"eGambit" is a product that can monitor and improve your IT security against complex threats like cyber-spying or cyber-sabotage activities. This product is made by the TEHTRI-Security company in FRANCE. It is fully designed and developed near Bordeaux, and in Paris as well.

Created in 2012, the eGambit product has already helped companies in China, Brazil, USA and Europe against internal and external cyber threats. In 3 years eGambit has already caught billions of events related to security issues worldwide, thanks to the tremendous skills and motivation of expert consultants working on the project with a real Ethical Hacking spirit.

100% of the source code is within TEHTRIS' hands, and it was designed with extended security features. eGambit is your defensive cyber-weapon system.

Slide 17: eGambit

Your defensive cyber-weapon system. You have the players. We have the game.

Slide 18: www.tehtri-security.com

TEHTRI-Security – Managed Security Service Provider
eGambit – Complete defensive weapon system
@tehtris
www.tehtri-security.com

Slide 19: [Word-cloud graphic repeating the eGambit component names: EGAMBIT, SIEM, NIDS, HIPS, HIDS, AUDITS, HONEYPOTS, INVENTORY, FORENSICS, SECURITY.]
