Check Point: SandBlast Zero-Day Protection
Federico Orlandi, Itway Support Engineer
2015 Check Point Software Technologies Ltd.

Check Point Threat Prevention
- IPS
- Antivirus
- Anti-Bot
- SandBlast Zero-Day Protection: SandBlast stops zero-day and unknown malware

What is SandBlast?
Unprecedented real-time prevention against unknown malware, zero-day and targeted attacks.
- Threat Emulation with CPU-Level Detection: evasion-resistant malware detection
- Threat Extraction: prompt delivery of safe, reconstructed files

Check Point SandBlast Zero-Day Protection: Introducing CPU-Level Detection
Advanced malware uses various techniques to evade traditional sandboxes. Check Point's advanced deep CPU-level inspection detects malware at the exploitation stage, so it has no chance to attempt evasion.
Stages of an attack:
- Vulnerability: trigger an attack through an unpatched or zero-day vulnerability
- Exploit: bypass the CPU and OS security controls using exploitation methods
- Shellcode: activate an embedded payload to retrieve the malware
- Malware: run malicious code

Threat Emulation: Exploit Detection and Prevention
Prevent zero-day attacks and constantly update ThreatCloud.
- The original document is sent for sandboxing, where it is opened and inspected
- If no infection is found, the original document is delivered
- If it is infected with unknown malware: the document is deleted, ThreatCloud is updated, and the admin is notified
- The attack is PREVENTED
Access to originals after emulation

Threat Emulation: the admin has comprehensive attack visibility (summary and details)

Threat Extraction: Document Reconstruction
- A reconstructed safe copy of the original document is delivered immediately
- Customizable protection level

A step faster for users: promptly providing clean files

Fast, flexible deployment: SandBlast Appliance, SandBlast Cloud, Check Point Gateway

SandBlast Cloud (Check Point SandBlast Zero-Day Protection)
- Real-time security intelligence delivered from Check Point ThreatCloud
- Turns zero-day attacks into known and preventable attacks
- No new hardware is needed
- Requires a Check Point Security Gateway with R77 and above
Topology: Internet -> Check Point Security Gateway (requires R77 and above) -> Corporate Network (LAN)
- Threat Extraction (prompt delivery of reconstructed clean files) runs on the local appliance
- Threat Emulation (O/S-level sandboxing and CPU-level detection) runs in the SandBlast Cloud

On-Premises Deployment (Check Point SandBlast Zero-Day Protection)
The Check Point SandBlast Appliance is added to an existing Check Point Security Gateway in one of two ways:
- Prevent: inline, emulate before allowing traffic into the network
- Detect: duplicate network traffic (via SPAN port)
Topology: Internet -> Check Point Security Gateway (requires R77 and above) -> Corporate Network (LAN), with the SandBlast Appliance attached inline or on a SPAN port
- Threat Emulation (O/S-level sandboxing with CPU-level evasion detection) on the Check Point SandBlast Appliance
- Threat Extraction (prompt delivery of reconstructed clean files)
Introducing the power to protect. The insight to understand.

SandBlast Agent: Zero-Day Protection for Endpoints
- Prevent zero-day attacks
- Identify and contain infections
- Effective response and remediation
Threat Extraction and Emulation for Endpoints
- Deliver sanitized content
- Emulation of original files
- Protects web downloads and file copy
[Restricted] ONLY for designated groups and individuals

Eliminate Zero-Day Malware at the Endpoint (SandBlast Cloud)
1. Web downloads are sent to the SandBlast cloud
2. A sanitized version is delivered promptly
3. The original file is emulated in the background

Instant Protection for Web Downloads
- CONVERT to PDF for best security, or
- SANITIZE, keeping the original format
Access to the Original File
- Only after Threat Emulation, when the verdict is benign
- Self-catered: no helpdesk overhead

SandBlast Agent: Zero-Day Protection for Endpoints
- Prevent zero-day attacks
- Identify and contain infections
- Effective response and remediation
Anti-Bot for Endpoints and Endpoint Quarantine
- Detect and block C&C communications
- Pinpoint infections
- Quarantine the infected host

Look for Malicious Outgoing Traffic at the Endpoint
1. THREAT INTELLIGENCE is continuously delivered to the Agent
2. Outgoing traffic is inspected by the local ANTI-BOT
3. C&C traffic and data exfiltration are BLOCKED
4. QUARANTINE the malicious process or LOCKDOWN the entire system

SandBlast Agent: Zero-Day Protection for Endpoints
- Prevent zero-day attacks
- Identify and contain infections
- Effective response and remediation
Automatic Forensic Analysis and Attack Remediation
- Incident analysis saves time and cost
- Make network detections actionable
- Understand endpoint AV detections
- Clean and remediate the full attack

Collect Forensics Data and Trigger Report Generation
1. FORENSICS data is continuously collected from various OS sensors (Network, Files, Registry, Processes)
2. Analysis is automatically TRIGGERED upon detection of network events or AV detections
3. Advanced ALGORITHMS analyze the raw forensics data
4. A digested INCIDENT REPORT is sent to SmartEvent

Identify Attack Origin
From trigger to infection: automatically trace back the infection point. The attack is traced even across system boots.
- Exploit code: Chrome exploited while browsing
- Dropper: dropper process launched by Chrome
- Dropped malware: the dropper downloads and installs malware
- Schedule execution: the malware is registered to launch after boot
- Data breach: the malware reads sensitive documents
Tracing the chain backwards:
- Investigation: identify the process that accessed the C&C server
- Trigger: the scheduled task that launches the malware after boot
- Malware: the activated malware itself
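The forensics-collection slide and the attack-origin slide above describe the same pipeline: sensors record process, file, registry and network activity continuously, a detection (here an Anti-Bot C&C hit) triggers analysis, and the analysis walks the recorded lineage back to the entry point, even when a reboot separates the persistence mechanism from the process it later launches. The following is an added example and not Check Point's forensics engine: it runs that trace over constructed telemetry for one infection spanning two boots. The event schema, the field names, the scheduled-task link used to cross the boot boundary, and the IP addresses (RFC 5737 documentation ranges) are all assumptions made for the example.

```python
# Constructed endpoint telemetry for this example: one infection spanning two
# boots. PIDs are reused across boots, so every event is keyed by (boot, pid).
EVENTS = [
    {"boot": 1, "kind": "process", "pid": 4120, "ppid": 880, "image": "chrome.exe"},
    {"boot": 1, "kind": "process", "pid": 5316, "ppid": 4120, "image": "dropper.exe"},
    {"boot": 1, "kind": "network", "pid": 5316, "dst": "198.51.100.7"},
    {"boot": 1, "kind": "file_write", "pid": 5316,
     "path": r"C:\Users\alice\AppData\Roaming\svc.exe"},
    {"boot": 1, "kind": "task_register", "pid": 5316, "task": "Updater",
     "image": r"C:\Users\alice\AppData\Roaming\svc.exe"},
    {"boot": 2, "kind": "process", "pid": 2204, "ppid": 1020, "image": "svc.exe",
     "launched_by_task": "Updater"},
    {"boot": 2, "kind": "file_read", "pid": 2204,
     "path": r"C:\Users\alice\Documents\contract.docx"},
    {"boot": 2, "kind": "network", "pid": 2204, "dst": "203.0.113.9"},
]


def build_index(events):
    """Map (boot, pid) -> process event, and task name -> registering (boot, pid)."""
    procs, tasks = {}, {}
    for e in events:
        if e["kind"] == "process":
            procs[(e["boot"], e["pid"])] = e
        elif e["kind"] == "task_register":
            tasks[e["task"]] = (e["boot"], e["pid"])
    return procs, tasks


def find_trigger(events, dst):
    """Locate the process behind a flagged destination (the Anti-Bot detection)."""
    for e in events:
        if e["kind"] == "network" and e["dst"] == dst:
            return (e["boot"], e["pid"])
    return None


def trace_origin(events, boot, pid):
    """Walk parent links back from the flagged process to the earliest recorded ancestor.

    A process started by a scheduled task is linked to the process that registered
    the task, which carries the trace across a reboot. The walk stops at the first
    parent with no recorded process event (here: Chrome's parent).
    """
    procs, tasks = build_index(events)
    chain, seen, key = [], set(), (boot, pid)
    while key in procs and key not in seen:
        seen.add(key)
        proc = procs[key]
        chain.append(proc)
        task = proc.get("launched_by_task")
        if task in tasks:
            key = tasks[task]          # cross the boot boundary via the task registration
        else:
            key = (proc["boot"], proc["ppid"])
    chain.reverse()                    # origin first, flagged process last
    return chain


def summarize(events, chain):
    """Collect what the traced processes touched, the raw material for an incident report."""
    keys = {(p["boot"], p["pid"]) for p in chain}
    report = {"lineage": [p["image"] for p in chain],
              "boots": sorted({p["boot"] for p in chain}),
              "files_read": [], "files_written": [], "persistence": [], "network": []}
    for e in events:
        if (e["boot"], e["pid"]) not in keys:
            continue
        if e["kind"] == "file_read":
            report["files_read"].append(e["path"])
        elif e["kind"] == "file_write":
            report["files_written"].append(e["path"])
        elif e["kind"] == "task_register":
            report["persistence"].append(e["task"])
        elif e["kind"] == "network":
            report["network"].append(e["dst"])
    return report


if __name__ == "__main__":
    boot, pid = find_trigger(EVENTS, "203.0.113.9")
    for field, value in summarize(EVENTS, trace_origin(EVENTS, boot, pid)).items():
        print(f"{field}: {value}")
```

The detail that makes the slide's "even across system boots" claim work is that the forensic record must capture the persistence registration itself (the scheduled task, a Run key, a service), not just process creation; without that link the post-reboot process has a benign parent and the trace would stop there.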
Thank you!

Leave your feedback at www.itwaycampus.it: on the Agenda page, click on our talk and then on "Enter your feedback".