Threat Intelligence. How to Implement Software-Defined Protection. Nir Naaman, CISSP Senior Security Architect

Transcription

1 How to Implement Software-Defined Protection Nir Naaman, CISSP Senior Security Architect Threat Intelligence 1

2 The Spanish flu, 1918 killing at least million people worldwide. 2

3 The H1N1 Pandemic, 2009 Over 14,000 deaths worldwide 3

4 How Did We Stop It? The H1N1 Pandemic, Over 14,000 deaths worldwide 4

5 MEDICAL COLLABORATION The H1N1 Pandemic, Over 14,000 deaths worldwide 5

6 The Fight Against the H1N1 Malware Global Sharing of Symptoms Flu Malware Strain Identification Research Signature Vaccine Development Preventative Vaccinations Update all gateways Globally Collaboration of Data Research Distribution 6

7 ThreatCloud Collaboration Putting in all Together Global Sharing of Symptoms Malware Research Signature Development Update all gateways Malicious PDF sent to threatcloud DLL Hideout Malware analyzed & reverse engineered C&C Functions New network signature for C&C communication HTTP protocol Detect new variants of the malware New hideouts Collaboration of Data Research Distribution 7

8 Over 11 million malware signatures Over 2.7 million malware-infested sites Over 5,500 different botnet communication patterns 8

9 But threat intelligence also comes from many isolated sources [Restricted] ONLY for designated groups and individuals 9

10 Introducing The first Cyber Intelligence Marketplace to proactively fight threats [Restricted] ONLY for designated groups and individuals 10

11 Our first available industry-leading partners: Adversary focused intelligence based on advanced Cyber security research Intelligence identifying advanced threats and targeted attacks Global intelligence based on threats and malware analysis Validated intelligence for financial, government & critical infrastructure 11

12 Our first available industry-leading partners: Finance related intelligence against cybercrime: fraud, phishing & DDoS Global intelligence on APTs, malware, exploit drops & DDoS Focused on intelligence to fight child sexual abuse AND MORE COMING 12

13 Immediate subscription for intelligence feeds For all of your security gateways [Restricted] ONLY for designated groups and individuals 13

14 Measure effectiveness of intelligence feeds via statistics and reports [Restricted] ONLY for designated groups and individuals 14

15 Sample isight event log Click to get report [Restricted] ONLY for designated groups and individuals 15

16 User defined IOC s New category of customer input into Threat Prevention software blade Enables input and parsing of files containing threat indicators Centrally managed, distributed and monitored Leverages Threat Prevention engine no need for policy push [Restricted] ONLY for designated groups and individuals 16

17 Your biggest problem It starts with something like this 17

18 There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say, we know there are some things we do not know. But there are also unknown unknowns the ones we don t know we don t know. Donald Rumsfeld, Former Sec of Defense 18

19 Check Point Threat Prevention IPS Prevent exploit of known vulnerabilities Antivirus Block download of known malware Block Bot Threat Anti-Bot Communication Emulation? Fighting Unknown Unknown Threats Threats Real Time Security Collaboration Powered by ThreatCloud [Confidential] For designated groups and individuals 19

20 Heartbeat TLS/DTLS Extension 20

21 The bug is simple Heartbeat Length Declaration Sending bytes of data Actual payload is much smaller or even null I said I was sending bytes but I m only sending 1 byte For response, payload is written to memory and read back based on declared length not actual length. I wrote 1 byte to memory. For the response I will read bytes of memory bytes of unrelated data is copied from memory adjacent to the 1 byte of original payload. [Restricted] ONLY for designated groups and individuals 22

22 Lessons learned? [Restricted] ONLY for designated groups and individuals 23

23 24

24 IT Infrastructure Deployment Models SECURED BY SECURED BY SECURED BY NOW SECURED BY Physical Virtual (VE, VSX) Private Cloud (VE, VSX) Public Cloud (VE, AWS) Appl OS HW Appl OS HW Appl OS HW Appl Appl OS OS VMWARE. Appl OS HARDWARE Traditional enterprise Virtualization, better utilization Owned and operated by organization Resources on demand and pay-per-use MANAGED BY IaaS Infrastructure as a Service 25

25 Most complete NSX ecosystem integration Tags Security Groups VM NSX 1 Consume 2 Enforce 3 Contribute Use NSX security groups in Check Point policy rules Enforce policy rules by Check Point physical & virtual GWs Tag bot infected VMs triggered by Check Point bot detection [Confidential] For designated groups and individuals 26

26 ADVANCED SECURITY for Amazon Web Services Virtual Appliance for Amazon Public Cloud Public Cloud Deploy Check Point Software Blades for Amazon Public Cloud 2011 Check Point Software Technologies Ltd. [Restricted] 2014 Check ONLY Point for designated Software groups Technologies and individuals Ltd. 27

27 Summary Accessible Intelligence Choose from a diverse range of threat intelligence feeds that best meets your organizations needs Proactive Protection Automatically enforce intelligence data at the Security Gateway via ThreatCloud Simple to Implement and Operate Requires no policy or infrastructure changes [Restricted] ONLY for designated groups and individuals 28

28 29