©2016 Check Point Software Technologies Ltd. [Confidential] For designated groups and individuals
SANDBLAST AGENT
Adding more protection layers at the endpoint
(or: what AV and FW are not enough for)
Martin Koldovský | Threat Prevention Security Engineer, Eastern Europe
We start at 13:35

Check Point BLOG
• http://blog.checkpoint.com/tag/sandblast-agent-forensics/

SANDBLAST AGENT
Zero-Day Protection for Endpoints
THREAT EXTRACTION & EMULATION FOR ENDPOINTS
• Deliver sanitized content
• Emulation of original files
• Protects web downloads and file copy
Prevent Zero-Day Attacks | Identify & Contain Infections | Effective Response & Remediation

Prevent Endpoint Threats
Attack Vectors that need to be covered
• Outside of the office
• M2M inside the perimeter
• Removable Media

Prevent Endpoint Threats
• Offer the same unknown malware protection regardless of location, including downloads over HTTPS
• Protect from files arriving encrypted or password protected in archives or on removable media
• Protect from traffic arriving East-West inside the network

Zero-day Protection – How it Works
SANDBLAST CLOUD (Public or Private)
• Browser Extension (web downloads): Threat Extraction & Threat Emulation
• File-System Monitor (any file copied or created): Threat Emulation

Instant Protection for Web Downloads
Deliver safe content quickly: convert to PDF or a sanitized version in original format

Self-Catered, No Helpdesk Overhead
Access to the Original File after Threat Emulation is Completed

SANDBLAST AGENT
Zero-Day Protection for Endpoints
ANTI-BOT & QUARANTINE FOR ENDPOINTS
• Detect & Block C&C communications
• Pinpoint infections
• Quarantine infected host
Prevent Zero-Day Attacks | Identify & Contain Infections | Effective Response & Remediation

Identify and Contain Threats
Attack Vectors that need to be covered
• Identify infection outside of the office
• Block data exfiltration outside of the office
• Quarantine and remediate infected machines

Identify and Contain Threats
• Offer the same C&C detection regardless of location, with added process / user information
• Prevent data from being sent to C&C and stop initial conversations with known C&C servers
• Allow remediation of malicious events and containment of problem devices

Sandblast Agent: Anti-Bot
Anti-Bot on the Endpoint
• Identify compromised hosts
  • Inside & Outside the network
  • Pinpoint when inside the network
• Lockdown and isolate infected machines
• Prevent malware damage
  • Block Command and Control Communications
  • Prevent Data Exfiltration
• Detect the C&C Channel – and we know the host is infected
• Block the C&C Channel – and we contain the malware
[Diagram: ANTI-BOT, C&C communications blocked]

SANDBLAST AGENT
Zero-Day Protection for Endpoints
AUTOMATIC FORENSIC ANALYSIS & ATTACK REMEDIATION
• Incident Analysis
• Make network detections actionable
• Understand AV detections
• Clean & remediate the full attack
Prevent Zero-Day Attacks | Identify & Contain Infections | Effective Response & Remediation

There is no incident response without incident understanding
Questions:
• Is it real?
• How did it enter?
• Was data stolen?
• How do we clean it?

Making Today's Detections Actionable
SandBlast Agent Forensics: Understanding The Attack
[Diagram: bot event detected; C&C communication from the infected host to the C&C server blocked]

• Investigation Trigger: identify the process that accessed the C&C server
• Identify Attack Origin: Chrome exploited while browsing
• Exploit Code: dropper process launched by Chrome
• Dropped Malware: dropper downloads and installs malware
• Activate Malware: scheduled task launches after boot
Attack traced even across system boots

Understanding an Incident
Q1: Is it a real infection?
Instant answers to important questions: malicious and suspicious activities, severity, drill-down detail

Understanding an Incident
Q2: How Did the Malware Get In?
Summary and Detail views

Understanding an Incident
Q3: What is the Damage? Was data stolen?
Breached data files

From Understanding to Action
Q4: How to remediate? How do we clean it?
Generate a remediation script

Comprehensive View of Attack Flow
Interactive Forensics Report
• Single view of entire attack
• Tracks all attack elements
• Spans multiple reboots
• Drill-down on any element

How Forensics Analysis Works
Ongoing Forensic Data Collection on the endpoint
Triggers for analysis:
• Local Security Event (TE, AB, AM)
• Network Detection
• 3rd party AV detection
• IOC provided manually
• SmartEvent
Trigger → Automated Incident Analysis → Digested Incident Report:
• Malicious Behaviour
• Attack Vector
• Data Breach
• Graphic Attack Model
• Quarantine and Remediation
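The attack-chain slide (trigger, origin, exploit, dropper, scheduled task across a reboot) and the flow above (ongoing collection, trigger, automated analysis, digested report) describe the same pipeline end to end. The Python below is an added illustration of that pipeline, not Check Point's or SandBlast Agent's code: the event record format, the correlation of a scheduled task with the process it later launches by image path, and the sample telemetry are all constructed for this example.

```python
"""Reconstructing an attack chain from endpoint telemetry (added example,
not Check Point / SandBlast Agent code).

Constructed event records stand in for the agent's ongoing forensic data
collection. A blocked C&C connection is the investigation trigger; the
analysis walks parent links backwards, follows a scheduled task across a
reboot, and emits a digested report (attack vector, data breach,
remediation). Event fields and the sample data are all constructed here.
"""

# Constructed sample telemetry for one host. "boot" separates two boots;
# pids are only meaningful within a boot.
EVENTS = [
    {"type": "proc_start", "boot": 1, "pid": 400, "ppid": 1, "image": "explorer.exe"},
    {"type": "proc_start", "boot": 1, "pid": 1200, "ppid": 400, "image": "chrome.exe"},
    {"type": "proc_start", "boot": 1, "pid": 1300, "ppid": 1200, "image": "dropper.exe"},
    {"type": "file_write", "boot": 1, "pid": 1300, "path": "C:\\Users\\u\\AppData\\svc.exe"},
    {"type": "task_create", "boot": 1, "pid": 1300, "task": "Updater",
     "image": "C:\\Users\\u\\AppData\\svc.exe"},
    # After a reboot the scheduler service launches the registered image.
    {"type": "proc_start", "boot": 2, "pid": 500, "ppid": 1, "image": "svchost.exe"},
    {"type": "proc_start", "boot": 2, "pid": 900, "ppid": 500,
     "image": "C:\\Users\\u\\AppData\\svc.exe"},
    {"type": "file_read", "boot": 2, "pid": 900, "path": "C:\\Users\\u\\Documents\\payroll.xlsx"},
    {"type": "net_connect", "boot": 2, "pid": 900, "dst": "198.51.100.7:443",
     "verdict": "blocked_cnc"},
]


def find_trigger(events):
    """Investigation trigger: the first connection the Anti-Bot layer blocked as C&C."""
    for e in events:
        if e["type"] == "net_connect" and e.get("verdict") == "blocked_cnc":
            return e
    return None


def trace_origin(events, trig):
    """Walk from the triggering process back to the attack origin.

    Parent links are followed within a boot. When a process image matches a
    scheduled task registered earlier (assumed correlation key), the walk
    jumps to the task's creator, so the chain spans the reboot.
    """
    procs = {(e["boot"], e["pid"]): e for e in events if e["type"] == "proc_start"}
    tasks = {e["image"]: e for e in events if e["type"] == "task_create"}
    chain, seen = [], set()
    key = (trig["boot"], trig["pid"])
    while key in procs and key not in seen:
        seen.add(key)
        proc = procs[key]
        chain.append(proc)
        task = tasks.get(proc["image"])
        if task is not None and task["boot"] <= proc["boot"]:
            chain.append(task)  # persistence step
            key = (task["boot"], task["pid"])
        else:
            key = (proc["boot"], proc["ppid"])
    chain.reverse()  # origin first
    return chain


def label(step):
    return f"scheduled task {step['task']}" if step["type"] == "task_create" else step["image"]


def build_report(events):
    """Digested incident report: attack vector, data breach, remediation actions."""
    trig = find_trigger(events)
    if trig is None:
        return None
    chain = trace_origin(events, trig)
    owners = {(s["boot"], s["pid"]) for s in chain}
    read = sorted({e["path"] for e in events
                   if e["type"] == "file_read" and (e["boot"], e["pid"]) in owners})
    dropped = sorted({e["path"] for e in events
                      if e["type"] == "file_write" and (e["boot"], e["pid"]) in owners})
    tasks = sorted({s["task"] for s in chain if s["type"] == "task_create"})
    return {
        "trigger": trig["dst"],
        "attack_vector": [label(s) for s in chain],
        "boots_spanned": len({s["boot"] for s in chain}),
        "data_breach": read,
        "remediation": [f"terminate pid {trig['pid']} (boot {trig['boot']})"]
        + [f"delete {p}" for p in dropped]
        + [f"remove scheduled task {t}" for t in tasks],
    }


if __name__ == "__main__":
    for k, v in build_report(EVENTS).items():
        print(f"{k}: {v}")
```

The point a practitioner should take from this is the jump in `trace_origin`: without a stored link between the persistence artefact and the process it later spawns, the walk in boot 2 would dead-end at the scheduler service and the browser exploit in boot 1 would never appear in the report.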

SandBlast Agent – Closing the Loop
PROTECTION AND CONTAINMENT ↔ FORENSICS AND RESPONSE
MAKING DETECTIONS ACTIONABLE
IMPROVE SECURITY POSTURE
• Automated Incident Analysis
• Policy Changes
• IOC Updates
• Remediation

Q&A
http://blog.checkpoint.com/tag/sandblast-agent-forensics/
