Check Point SandBlast and SandBlast Agent
- 1. ©2016 Check Point Software Technologies Ltd. [Restricted] ONLY for designated groups and individuals
Petr Kadrmas | SE Eastern Europe
Check Point Software Technologies
Check Point SANDBLAST
and SANDBLAST AGENT
Check Point 0-day protection
- 2. Multi-layer Security
• Visibility
• Identity Awareness
• DLP
• Mobile Access
• SmartEvent
• Application Control
• URL Filtering (URLF)
• IPS
• Anti-Bot
• Antivirus
• SandBlast
- 3. One Step Ahead with 0-Day Network Protection
- 4. Technology
• IPS
• Antivirus
• Anti-Bot
• SandBlast (zero-day protection)
- 5. Traditional Sandboxes are Prone to Evasion
New evasion techniques are constantly developed:
• Not activating the malware when a virtual environment is detected
• Delaying the attack, by time or until a user action occurs
• Targeting specific OS versions and variants that the sandbox does not run
• Hiding payload delivery inside encrypted channels
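The first two bullets above are the ones a sandbox operator can actually test for. The following is an added example, not Check Point code and not taken from any sample: it implements the environment checks evasive malware typically runs before detonating, so that an analysis environment can be checked against them. The host profile is a constructed dict rather than live WMI/sysfs queries (so it runs offline), the MAC prefixes are the publicly documented hypervisor OUIs, and the thresholds are illustrative assumptions.

```python
"""Checks of the kind evasive malware runs before detonating.

Added example, not Check Point code: it shows what a sandbox must not
look like if it wants to see the payload. The host profile is a
constructed dict instead of live WMI/sysfs queries, so the logic runs
offline; the thresholds are illustrative assumptions.
"""
import time

# OUI prefixes assigned to common hypervisor virtual NICs (publicly documented).
VM_MAC_PREFIXES = (
    "00:05:69", "00:0c:29", "00:1c:14", "00:50:56",   # VMware
    "08:00:27",                                        # VirtualBox
    "00:15:5d",                                        # Hyper-V
)


def vm_indicators(profile):
    """Return the list of sandbox/VM indicators present in a host profile."""
    hits = []
    if profile["cpu_count"] < 2:
        hits.append("single vCPU")
    if profile["ram_gb"] < 4:
        hits.append("low RAM")
    if profile["uptime_s"] < 600:
        hits.append("booted minutes ago")
    if profile["mac"].lower().startswith(VM_MAC_PREFIXES):
        hits.append("hypervisor MAC OUI")
    if profile["mouse_moves_last_min"] == 0:
        hits.append("no user input")
    if profile["recent_docs"] < 5:
        hits.append("empty recent-documents list")
    return hits


def looks_like_sandbox(profile, threshold=3):
    """Evasive samples stay dormant when enough indicators line up."""
    return len(vm_indicators(profile)) >= threshold


def sleep_is_accelerated(requested_s=0.2, tolerance=0.5):
    """Detect sandboxes that fast-forward Sleep() to defeat time delays:
    if far less wall-clock time passed than was requested, time was skipped."""
    t0 = time.perf_counter()
    time.sleep(requested_s)
    return (time.perf_counter() - t0) < requested_s * tolerance


# Constructed profiles: a bare analysis VM and a long-running user workstation.
SANDBOX_PROFILE = {"cpu_count": 1, "ram_gb": 2, "uptime_s": 90,
                   "mac": "00:0C:29:4A:7B:1E", "mouse_moves_last_min": 0, "recent_docs": 0}
WORKSTATION_PROFILE = {"cpu_count": 8, "ram_gb": 16, "uptime_s": 3 * 86400,
                       "mac": "3C:52:82:19:AA:01", "mouse_moves_last_min": 42, "recent_docs": 37}

if __name__ == "__main__":
    for name, prof in (("sandbox", SANDBOX_PROFILE), ("workstation", WORKSTATION_PROFILE)):
        verdict = "stay dormant" if looks_like_sandbox(prof) else "detonate"
        print(f"{name}: {vm_indicators(prof)} -> {verdict}")
    print("sleep accelerated:", sleep_is_accelerated())
```

Every indicator in the list is cheap for a sample to query and cheap for a sandbox to fake (more vCPUs, a populated profile, a non-hypervisor MAC, synthetic input), but the contest never ends: that is the argument the next slides make for catching the exploit before this code gets to run at all.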
- 6. SandBlast Zero-Day Protection
• CPU-Level Detection: catches the most sophisticated malware at the exploitation stage, before evasion techniques can deploy
• OS-Level Emulation: stops zero-day and unknown malware in a wide range of file formats
• Threat Extraction: delivers a safe version of the content quickly (original document with malware in, safe document out)
- 7. A Step Ahead
Attack chain: VULNERABILITY -> EXPLOIT -> SHELLCODE -> MALWARE
Thousands of vulnerabilities, millions of malware variants, but only a handful of exploitation methods.
• A traditional sandbox observes the malware stage, after the evasion code has already run
• The CPU detection engine observes the exploitation stage: before the evasion code can execute, and before the malware is downloaded
- 8. Access to Originals After Emulation
- 9. Fast, Flexible Deployment
• SandBlast Appliance
• Check Point Gateway
• SandBlast Cloud
- 10. One Step Ahead with 0-Day Endpoint Protection
- 11. SandBlast Agent: Zero-Day Protection for Endpoints
Threat Extraction & Emulation for Endpoints (prevent zero-day attacks)
• Deliver sanitized content
• Emulation of the original files
• Protects web downloads and file copy
Anti-Bot for Endpoints & Endpoint Quarantine (identify and contain infections)
• Detect and block C&C communications
• Pinpoint infections
• Quarantine the infected host
Automatic Forensic Analysis & Attack Remediation (effective response and remediation)
• Incident analysis that saves time and cost
• Makes network detections actionable
• Explains endpoint AV detections
• Cleans and remediates the full attack
- 12. Endpoints Require Advanced Zero-Day Protection
Situations the network gateway does not see: users working remotely, external storage devices, encrypted content, lateral movement.
- 13. SandBlast Agent Zero-Day Prevention
Block unknown and zero-day attacks on your endpoints:
• Non-intrusive: processing is offloaded from the endpoints to the cloud
• Threat Extraction: quick delivery of safe, reconstructed content
• Threat Emulation: evasion-resistant sandboxing at CPU and OS level
• Highest catch rate, proactive prevention
- 14. Instant Protection for Web Downloads
Convert to PDF for best security, or sanitize while keeping the original format.
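The "sanitize keeping the original format" option on this slide, and the Threat Extraction bullet on slide 6, both amount to content disarm: remove everything in the document that can execute and rebuild the package. The following is an added example in that spirit, not Check Point's implementation, and the sample document it sanitizes is constructed inline. It relies only on the OOXML packaging facts: a .docx is a ZIP of XML parts, macros live in `word/vbaProject.bin`, embedded OLE objects under `word/embeddings/`, ActiveX under `word/activeX/`, and each is wired in through `[Content_Types].xml` and a `.rels` relationships part. The stronger "convert to PDF" option (re-rendering the document) is not shown.

```python
"""Threat Extraction in miniature: remove active content from a .docx.

Added example, not Check Point's implementation. Dropping the macro, OLE
and ActiveX parts and every reference to them yields a file that still
opens but carries no executable content. The sample document below is
constructed; part names follow the OOXML conventions.
"""
import io
import re
import zipfile

# Parts that carry executable or foreign content and are always removed.
DROP_PARTS = (r"^word/vbaProject\.bin$", r"^word/vbaData\.xml$",
              r"^word/embeddings/", r"^word/activeX/")
# Relationship types (last segment of the schema URI) that point at them.
DROP_REL_TYPES = {"vbaProject", "oleObject", "package", "control"}


def _strip_relationships(xml):
    """Delete <Relationship .../> elements whose Type names a dropped kind."""
    def keep(m):
        rel = m.group(0)
        t = re.search(r'Type="[^"]*/([A-Za-z]+)"', rel)
        return "" if t and t.group(1) in DROP_REL_TYPES else rel
    return re.sub(r"<Relationship\b[^>]*/>", keep, xml)


def _strip_content_types(xml):
    """Drop content-type entries for macro/OLE/ActiveX parts and demote a
    macro-enabled main part to the plain document type, so the result is a
    valid .docx rather than a .docm with a dangling VBA reference."""
    xml = re.sub(r"<(Override|Default)\b[^>]*(vbaProject|oleObject|activeX)[^>]*/>", "", xml)
    return xml.replace("application/vnd.ms-word.document.macroEnabled.main+xml",
                       "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")


def sanitize_docx(data):
    """Return (sanitized_zip_bytes, list_of_removed_part_names)."""
    removed, out = [], io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if any(re.match(p, name) for p in DROP_PARTS):
                removed.append(name)
                continue
            blob = src.read(name)
            if name == "[Content_Types].xml":
                blob = _strip_content_types(blob.decode()).encode()
            elif name.endswith(".rels"):
                blob = _strip_relationships(blob.decode()).encode()
            dst.writestr(name, blob)
    return out.getvalue(), removed


def list_parts(data):
    return zipfile.ZipFile(io.BytesIO(data)).namelist()


def read_part(data, name):
    return zipfile.ZipFile(io.BytesIO(data)).read(name).decode()


def build_sample_docm():
    """Constructed macro-enabled document with one OLE embedding (sample input)."""
    parts = {
        "[Content_Types].xml":
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="bin" ContentType="application/vnd.openxmlformats-officedocument.oleObject"/>'
            '<Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
            '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            '</Types>',
        "_rels/.rels":
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
            '</Relationships>',
        "word/document.xml":
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            '<w:body><w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p></w:body></w:document>',
        "word/_rels/document.xml.rels":
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
            '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="embeddings/oleObject1.bin"/>'
            '</Relationships>',
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 placeholder VBA project",
        "word/embeddings/oleObject1.bin": b"\xd0\xcf\x11\xe0 placeholder OLE object",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in parts.items():
            z.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    clean, removed = sanitize_docx(build_sample_docm())
    print("removed:", removed)
    print("remaining:", list_parts(clean))
```

The relationship and content-type rewrites matter as much as deleting the binary parts: a package that still declares a `vbaProject` relationship or a `macroEnabled` main part will either fail to open or prompt the user about missing macros, which defeats the "deliver it quickly, no helpdesk" goal.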
- 15. Access to the Original File
Only after Threat Emulation, and only when the verdict is benign. Self-catered: no helpdesk overhead.
- 16. Look for Malicious Outgoing Traffic at the Endpoint
1. Threat intelligence is continuously delivered to the Agent
2. Outgoing traffic is inspected by the local Anti-Bot
3. C&C traffic and data exfiltration are blocked
4. Quarantine the malicious process, or lock down the entire system
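The four steps above, as an added example that is not SandBlast Agent's code: outbound connection events are matched against a delivered intelligence feed, each hit is blocked, and the host-level action is chosen between quarantining a single process and locking down the machine. The feed, the sensor events, the DNS-label heuristic and the quarantine-versus-lockdown policy are all constructed for illustration; addresses come from the RFC 5737 documentation ranges.

```python
"""Endpoint Anti-Bot in miniature: match outbound connections against
threat intelligence and choose a containment action.

Added example, not SandBlast Agent's code. The intel feed, sensor events
and the quarantine/lockdown policy are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed threat-intel feed, as delivered to the agent.
INTEL = {
    "c2_domains": {"update-checker.example", "cdn-static.example"},
    "c2_networks": [ipaddress.ip_network("203.0.113.0/24")],
    "dns_label_max": 40,   # longer single DNS labels suggest tunnelled exfiltration
}

# Constructed sensor events: (pid, image path, dst ip, dst port, SNI/DNS name or None)
EVENTS = [
    (4120, r"C:\Users\alice\AppData\Roaming\svchost.exe", "203.0.113.7", 443, "update-checker.example"),
    (1288, r"C:\Program Files\Google\Chrome\Application\chrome.exe", "192.0.2.10", 443, "www.example.com"),
    (4120, r"C:\Users\alice\AppData\Roaming\svchost.exe", "198.51.100.9", 53,
     "a3f9c2e1b7d4a3f9c2e1b7d4a3f9c2e1b7d4a3f9c2e1b7d4.dns-relay.example"),
    (3310, r"C:\Windows\System32\svchost.exe", "203.0.113.20", 80, None),
]


def classify(event):
    """Return the list of reasons an outbound connection is malicious ([] if clean)."""
    _pid, _image, dst, _port, name = event
    reasons = []
    if name and name.lower() in INTEL["c2_domains"]:
        reasons.append("known C&C domain")
    if any(ipaddress.ip_address(dst) in net for net in INTEL["c2_networks"]):
        reasons.append("known C&C network")
    if name and max(len(label) for label in name.split(".")) > INTEL["dns_label_max"]:
        reasons.append("DNS tunnelling pattern")
    return reasons


def decide(events, lockdown_threshold=2):
    """Block flagged connections, then pick the host action: QUARANTINE the
    offending process when the infection is confined to one user-land
    process; LOCKDOWN the whole host when several processes are involved or
    a system binary is talking to C&C (it cannot simply be killed)."""
    blocked, infected = [], defaultdict(list)
    for ev in events:
        reasons = classify(ev)
        if reasons:
            blocked.append((ev, reasons))
            infected[ev[0]].append(ev[1])
    system_hit = any(img.lower().startswith(r"c:\windows\system32")
                     for imgs in infected.values() for img in imgs)
    if not infected:
        action = "NONE"
    elif len(infected) >= lockdown_threshold or system_hit:
        action = "LOCKDOWN"
    else:
        action = "QUARANTINE"
    return blocked, sorted(infected), action


if __name__ == "__main__":
    blocked, pids, action = decide(EVENTS)
    for ev, reasons in blocked:
        print(f"BLOCK pid={ev[0]} {ev[1]} -> {ev[2]}:{ev[3]} ({', '.join(reasons)})")
    print("infected pids:", pids, "action:", action)
```

The split between process quarantine and host lockdown is the practical point of step 4: a user-land dropper can be killed and its files held, but a C&C connection from a genuine system binary means code injection or a replaced binary, and isolating the host from the network is the only action the agent can take safely on its own.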
- 17. Questions an incident raises
• How did it enter? Has it spread? Is there business impact?
• How do we clean it? How do I mitigate? How can I block the attack vector?
• Who should I notify? How can I save time responding? Am I addressing the full scope?
- 18. Collect Forensics Data and Trigger Report Generation
1. Forensics data (processes, registry, files, network) is continuously collected from various OS sensors
2. Analysis is automatically triggered upon detection of network events or AV
3. Advanced algorithms analyze the raw forensics data
4. A digested incident report is sent to SmartEvent
- 19. From Trigger to Infection: Automatically Trace Back the Infection Point
• Investigation trigger: identify the process that accessed the C&C server
• Activate malware: a scheduled task launched it after boot
• Schedule execution: the malware had been registered to launch after boot
• Dropped malware: the dropper downloaded and installed the malware
• Exploit code: the dropper process was launched by Chrome
• Identify attack origin: Chrome was exploited while browsing
• Data breach: the malware reads sensitive documents
• Attack traced, even across system boots
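The trace-back on this slide, as an added example that is not SandBlast Agent's forensics engine: from the process that touched the C&C server, walk backwards through parent-process links and, where the process was started by a scheduled task, jump to whichever process registered that task, which is how the chain survives a reboot. The sensor records, boot ids, pids and paths are constructed to mirror the chain on the slide.

```python
"""Automatic trace-back from the investigation trigger to the infection point.

Added example, not SandBlast Agent's forensics engine. Sensor records are
constructed: Chrome exploited while browsing -> dropper launched by Chrome
-> malware written and registered as a scheduled task -> task launches the
malware after reboot -> malware reads documents and contacts the C&C server.
"""

# Constructed sensor records: (boot_id, sequence, event type, fields)
EVENTS = [
    (1, 1, "proc_start",  {"pid": 1288, "ppid": 800, "image": "chrome.exe"}),
    (1, 2, "proc_start",  {"pid": 1700, "ppid": 1288, "image": "dropper.tmp"}),
    (1, 3, "file_write",  {"pid": 1700, "path": r"C:\ProgramData\upd\svchost.exe"}),
    (1, 4, "task_create", {"pid": 1700, "task": r"\Upd", "path": r"C:\ProgramData\upd\svchost.exe"}),
    (2, 1, "proc_start",  {"pid": 3310, "ppid": 900, "image": r"C:\ProgramData\upd\svchost.exe", "via": r"task:\Upd"}),
    (2, 2, "file_read",   {"pid": 3310, "path": r"C:\Users\alice\Documents\payroll.xlsx"}),
    (2, 3, "net_connect", {"pid": 3310, "dst": "203.0.113.7:443"}),
]


def find_trigger(events, c2_dst):
    """The trigger is the (boot, pid) whose outbound connection hit the C&C address."""
    for boot, _, kind, f in events:
        if kind == "net_connect" and f["dst"] == c2_dst:
            return (boot, f["pid"])
    return None


def trace_back(events, trigger):
    """Walk from the trigger process back to the attack origin."""
    procs   = {(b, f["pid"]): f for b, _, k, f in events if k == "proc_start"}
    tasks   = {f["task"]: (b, f["pid"]) for b, _, k, f in events if k == "task_create"}
    writers = {f["path"]: (b, f["pid"]) for b, _, k, f in events if k == "file_write"}
    chain, dropped, crossed_boots = [], [], False
    node = trigger
    while node in procs:                      # stop once the parent was never observed
        info = procs[node]
        chain.append((node[0], node[1], info["image"]))
        if info["image"] in writers:          # the executable itself was dropped by an earlier process
            dropped.append((info["image"], writers[info["image"]]))
        via = info.get("via", "")
        if via.startswith("task:") and via[5:] in tasks:
            nxt = tasks[via[5:]]              # launched by a scheduled task: jump to whoever registered it
            if nxt[0] != node[0]:
                crossed_boots = True          # the registration happened in an earlier boot
        else:
            nxt = (node[0], info["ppid"])     # otherwise follow the parent process
        if nxt == node:
            break
        node = nxt
    in_chain = {(b, p) for b, p, _ in chain}
    data_accessed = [f["path"] for b, _, k, f in events
                     if k == "file_read" and (b, f["pid"]) in in_chain]
    return {"chain": chain, "origin": chain[-1][2] if chain else None,
            "dropped": dropped, "crossed_boots": crossed_boots,
            "data_accessed": data_accessed}


if __name__ == "__main__":
    trig = find_trigger(EVENTS, "203.0.113.7:443")
    res = trace_back(EVENTS, trig)
    for boot, pid, image in res["chain"]:
        print(f"boot {boot} pid {pid}: {image}")
    print("origin:", res["origin"], "| crossed boots:", res["crossed_boots"])
    print("dropped:", res["dropped"], "| data accessed:", res["data_accessed"])
```

The scheduled-task edge is the only link that does not exist in a plain process tree: after a reboot the malware's parent is the Task Scheduler service, so a tree walk alone would stop there and report the wrong origin. Persistence mechanisms (tasks, Run keys, services) have to be recorded as edges of their own for the "even across system boots" claim to hold.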
- 20. One Step Ahead with SandBlast for Office 365
- 21. Cloud Based Email Adoption is Growing
[Chart: Enterprise Email Users by Platform, November 2015]
Gartner, June 2015: "Through 2017, 72% of worldwide organizations will choose cloud-based office suites for upgrades or replacements"
- 22. SandBlast Cloud Mail Protection for Office 365
Safe and fast email content:
• Malicious files protection
  – Detect and block malicious attachments using Threat Emulation
  – Quick access to sanitized versions of the files using Threat Extraction
• Malicious URLs protection
  – Detect and block malicious URLs within the email body
  – Inspect and block access to links to files within the email body
- 23. Solution Overview
• Pure cloud solution
  – Can work as a completely independent cloud-based suite
  – Setup, management and visibility are all in the cloud
• Infrastructure based on Capsule Cloud
  – Check Point gateways handle the API exchange between Office 365 and the SandBlast service
  – Portal-based management
• API mode offers:
  – Co-existence with Microsoft's built-in anti-spam service
  – Out-of-the-box TLS support
  – Immunity to MTA attacks (e.g. bounce attacks), since the service is not in the mail delivery path
- 24. Solution Architecture – API Mode
1. Mail from enterprise users is sent to the Office 365 servers
2. The mail is placed in a temporary folder within Office 365
3. Attachments and URLs are sent to SandBlast Cloud for inspection
4. The mail becomes accessible to enterprise users if the content is safe
- 25. Product Configuration
Cloud-based management portal with a customizable overview and detailed logs.
- 26. One Step Ahead with Anti-Phishing & Theft Prevention
- 27. Phishing: The Preferred Method of Cyber Criminals
• Up to 45% success rate in credential theft (Google hijacking study, 2014)
• 91% of APT attacks begin with phishing (Trend Micro Incorporated research paper, 2012)
- 28. Today's Solutions Leave Gaps
• Anti-spam: signature-based email security. Covers known attacks; spear phishing is not covered.
• URL Filtering: categorized phishing sites. Uncategorized or compromised sites go undetected.
• Between the two, a security gap remains.
- 29. Categorizing New Sites/Emails Takes Time
• The average uptime of a phishing campaign is only 9 hours
• Nearly 50% of recipients click on phishing links within the first hour
• The attacker does not wait: zero-second protection is required
Source: Data Breach Investigations Report, 2014
- 30. We Introduce... A New Theft Prevention Solution
Enterprise credentials protection:
• Protecting users from feeding sensitive data to phishing sites
• Educating users for theft awareness
- 31. Theft Prevention Extension
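The two goals on slide 30 (stop the enterprise password from reaching a phishing site, and tell the user why) can be met by a browser extension without the extension ever holding the password itself. The following is an added example of that generic design, not the Check Point extension's implementation, written as the pure decision logic an extension's content script would call on every password-field submit: at enrolment the corporate password is kept only as a salted PBKDF2 fingerprint, the typed value is fingerprinted the same way, and a match going anywhere other than an approved login origin is blocked with an explanation. The approved origins, passwords and salt are constructed.

```python
"""Enterprise-credential theft prevention check.

Added example of a generic design, not the Check Point extension's
implementation. The browser-extension side is simulated as pure functions;
origins, passwords and the salt are constructed.
"""
import hashlib
import hmac
import os
from urllib.parse import urlsplit

# Constructed allow-list of origins where the enterprise password may be entered.
APPROVED_LOGIN_ORIGINS = {"https://login.example-corp.com", "https://sso.example-corp.com"}


def fingerprint(password, salt, rounds=100_000):
    """Slow, salted hash: a stolen fingerprint does not yield the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)


def enrol(password):
    """Done once, on the approved login page; only salt and fingerprint are kept."""
    salt = os.urandom(16)
    return {"salt": salt, "fp": fingerprint(password, salt)}


def origin_of(url):
    """scheme://host[:port], the same notion of origin the browser uses."""
    p = urlsplit(url)
    default = {"https": 443, "http": 80}.get(p.scheme)
    port = "" if p.port in (None, default) else f":{p.port}"
    return f"{p.scheme}://{p.hostname}{port}"


def check_submission(enrolment, typed_password, page_url, form_action=None):
    """Return (allow, message). Blocks when the enterprise password is about
    to leave for anywhere other than an approved login origin. Both the page
    and the form's destination must be approved: a phishing page that posts
    to the real SSO still sees the password before it leaves."""
    page = origin_of(page_url)
    target = origin_of(form_action) if form_action else page
    is_corp = hmac.compare_digest(fingerprint(typed_password, enrolment["salt"]),
                                  enrolment["fp"])
    if not is_corp:
        return True, "not the enterprise password; no action"
    if page in APPROVED_LOGIN_ORIGINS and target in APPROVED_LOGIN_ORIGINS:
        return True, "approved login origin"
    return False, (f"Blocked: your enterprise password was about to be sent to {target} "
                   f"from {page}. It is only valid on {sorted(APPROVED_LOGIN_ORIGINS)}.")


if __name__ == "__main__":
    enrolment = enrol("CorrectHorse!2016")               # constructed password
    for page, action in (("https://login.example-corp.com/", None),
                         ("https://login.example-corp.com.evil.example/", None),
                         ("https://login.example-corp.com/", "https://collector.evil.example/p")):
        allow, msg = check_submission(enrolment, "CorrectHorse!2016", page, action)
        print("ALLOW" if allow else "BLOCK", page, "->", msg)
```

Checking the form's `action` separately from the page origin catches the common case of a copied login page whose form posts elsewhere; comparing fingerprints with `hmac.compare_digest` keeps the check constant-time; and the slow hash means that even if the extension's storage leaks, the attacker gets a salted PBKDF2 output rather than the password.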
- 32. Thank You