Check Point SandBlast and SandBlast Agent

©2016 Check Point Software Technologies Ltd. 1©2016 Check Point Software Technologies Ltd. [Restricted] ONLY for designated groups and individuals
Petr Kadrmas | SE Eastern Europe
Check Point Software Technologies
Check Point SANDBLAST
and SANDBLAST AGENT
Check Point 0-day protection

©2015 Check Point Software Technologies Ltd.
Multi-layer Security
Visibility
Identity
Awareness
DLP
Mobile Access
SmartEvent
Application
Control
URLF
IPS
Anti-Bot
Antivirus
Sandblast

©2016 Check Point Software Technologies Ltd. 3[Restricted] ONLY for designated groups and individuals
With 0-Day Network Protection
ONE STEP AHEAD

©2016 Check Point Software Technologies Ltd. 4
Technology
IPS
Antivirus
SandBlast
Zero-day Protection
Anti-Bot

Traditional Sandboxes are Prone to Evasion
NEW EVASION TECHNIQUES CONSTANTLY DEVELOPED
• Not activating the malware on virtual environments
• Delaying the attack…by time or action
• Different OS versions and variants
• Encrypted channels
©2016 Check Point Software Technologies Ltd. [Restricted] ONLY for designated groups and individuals

THREATEXTRACTION
CPU-Level Detection
Catches the most sophisticated malware before evasion
techniques deploy
O/S Level Emulation
Stops zero-day and unknown malware in wide range of
file formats
Malware Malware
Original Doc
Safe Doc
Threat Extraction
Deliver safe version of content quickly
SANDBLAST
ZERO-DAY PROTECTION

A Step Ahead
VULNERABILITY
EXPLOIT
SHELLCODE
MALWARE
Thousands
Millions
Only a Handful
EVASION CODE
Traditional Sandbox
CPU Detection Engine
Before the evasion code can execute…
Before the malware is downloaded….
[Restricted] ONLY for designated groups and individuals©2016 Check Point Software Technologies Ltd.

ACCESS TO ORIGINALS
AFTER EMULATION

FAST, FLEXIBLE DEPLOYMENT
SANDBLAST
APPLIANCE
CHECK POINT
GATEWAY
SANDBLAST
CLOUD

With 0-Day Endpoint Protection
ONE STEP AHEAD

SANDBLAST AGENT
Z e r o - D a y P r o t e c t i o n f o r E n d p o i n t s
THREAT EXTRACTION &
EMULATION
FOR ENDPOINTS
• Deliver sanitized content
• Emulation of original files
• Protects web downloads and file
copy
Prevent
Zero-Day Attacks
ANTI-BOT
FOR ENDPOINTS &
ENDPOINT QUARANTINE
• Detect & Block C&C
communications
• Pinpoint infections
• Quarantine infected host
AUTOMATIC FORENSIC
ANALYSIS & ATTACK
REMEDIATION
• Incident Analysis - saves time & cost
• Make network detections actionable
• Understand endpoint AV detections
• Clean & remediate the full attack
Identify and
Contain
Infections
Effective Response
& Remediation

Users working remotely External storage devices
Encrypted content Lateral movement
Endpoints Require Advanced
Zero-Day Protection

SandBlast Agent Zero-Day Prevention
[Restricted] ONLY for designated groups and individuals
Block UNKNOWN and ZERO-DAY ATTACKS on your endpoints
NON-
INTRUSIVE
Processing
offloaded from
endpoints to the
cloud
Quick delivery of
safe
reconstructed
content
THREAT
EXTRACTION
Evasion resistant
sandboxing at
CPU- and OS-
Level
THREAT
EMULATION
HIGHEST
CATCH RATE
PROACTIVE
PREVENTION

CONVERT to PDF for best security,
or SANITIZE keeping the original format
Instant Protection for Web Downloads

Access to the Original File
Only After Threat Emulation
when verdict is benign
Self-Catered
No Helpdesk Overhead

Look for Malicious Outgoing Traffic at the Endpoint
THREAT INTELLIGENCE
continuously delivered to
the Agent1
Outgoing traffic
inspected by local
ANTI-BOT2
C&C traffic and
data exfiltration
are BLOCKED3
QUARANTINE malicious process
or LOCKDOWN the entire system4

How do we clean it?
How did it enter? Is there business impact?
Has it spread?
How can I block the attack vector? How do I mitigate? Who should I notify?
How can I save time responding? Am I addressing the full scope?

Collect Forensics Data and Trigger Report Generation
FORENSICS data
continuously collected
from various OS sensors1
Analysis automatically
TRIGGERED upon detection
of network events or AV2
Digested
INCIDENT REPORT
sent to SmartEvent4Processes
Registry
Files
Network
Advanced
ALGORITHMS analyze
raw forensics data3

Investigation Trigger
Identify the process that
accessed the C&C server
Identify Attack Origin
Chrome exploited while
browsing
From Trigger to Infection
Automatically trace back the
infection point
Dropped Malware
Dropper downloads and
installs malware
Exploit Code
Dropper process
launched by Chrome
Activate Malware
Scheduled task
launches after boot
Attack Traced
Even across system boots
Schedule Execution
Malware registered to
launch after boot
Data Breach
Malware reads
sensitive documents

Sandblast for Office 365
ONE STEP AHEAD

Cloud Based Email Adoption is Growing
Enterprise Email Users by Platform – November 2015
“Through 2017, 72% of worldwide organizations
will choose cloud-based office suites for upgrades
or replacements”
Gartner, June 2015:

SandBlast Cloud Mail Protection for Office 365
• Malicious Files Protection
̶ Detect and block malicious attachments using Threat Emulation
̶ Quick access to sanitized versions of the files using Threat Extraction
• Malicious URLs protection
̶ Detect and block malicious URLs within email body
̶ Inspect and block access to links to files within email body
SAFE AND FAST EMAIL CONTENT

Solution Overview
• Pure cloud solution
̶ Can work in a complete independent cloud-base suite
̶ Setup, management and visibility
• Infrastructure based on Capsule Cloud
̶ Check Point GWs handling API between Office365 and SandBlast service
̶ Portal-based management
• API mode offers:
̶ Co-existence with Microsoft built-in Anti-Spam service
̶ Out-of-the-box TLS support
̶ Immune to MTA attacks (e.g. bounce attack)

Solution Architecture – API Mode
Enterprise Users
Mail is sent to
Office365 servers
SANDBLAST
CLOUD
Enterprise Users
Placed in temporary
folder within Office365
Mail becomes
accessible if
content is safe
Attachments and
URLs are sent for
inspection

Product Configuration
Cloud-Based Management Portal
Customizable Overview
Detailed Logs

Antiphishing & Theft prevention
ONE STEP AHEAD

The preferred method of cyber criminals
Up to45%SUCCESS RATE IN
CREDENTIALS THEFT
Google hijacking study, 2014
PHISHING
91%APT ATTACKS BEGIN
WITH PHISING
Trend Micro Incorporated Research Paper 2012

Today’s Solutions Leave Gaps
ANTI-SPAM
Signature based email
security
For known attacks; spear phishing is not
covered
URL Filtering
Categorized phishing
sites
Uncategorized/compromised sites go
undetected
100%
SECURITY
GAP

Categorizing New Sites/Emails Takes Time
The average uptime of a phishing campaign is only 9 hours
Nearly 50% click on phishing links within the 1st hour
ZERO SECONDS PROTECTION IS REQUIRED
Attacker Does Not Wait
Source: Data breach investigations report, 2014

We Introduce….
Enterprise Credentials protection
Protecting user from feeding sensitive
data to phishing sites
Educating for theft awareness
A New Theft Prevention solution

Theft Prevention Extension

Check Point SandBlast and SandBlast Agent

Related slideshows

More Related Content

Check Point SandBlast and SandBlast Agent