STAYING ONE STEP AHEAD WITH ZERO-DAY PROTECTION
CPUL + TEX (CPU-Level exploit detection and Threat Extraction)
Martin Koldovský
Threat Prevention Security Engineer, Eastern Europe
[Restricted] ONLY for designated groups and individuals
©2015 Check Point Software Technologies Ltd.
We start at 14:55
STAYING ONE STEP AHEAD
of hackers' attempts to evade detection and infiltrate your network
SANDBLAST ZERO-DAY PROTECTION
• CPU-level Exploit Detection: catches the most sophisticated malware before its evasion techniques deploy
• Threat Extraction: delivers a safe version of the content quickly
• OS-level Sandboxing: stops zero-day and unknown malware in a wide range of file formats
THE TRADITIONAL SANDBOX: HOW IT WORKS
Open and detonate any file, then watch for telltale signs of malicious code at the Operating System level.
Examine:
• System Registry
• Network Connections
• File System Activity
• System Processes
THREAT CONTAINED
THE TRADITIONAL SANDBOX: PRONE TO EVASION
ATTACKERS CONSTANTLY DEVELOP NEW EVASION TECHNIQUES
• Not activating the malware on virtual environments (the sample checks for a hypervisor before it does anything)
• Delaying the attack, by elapsed time or by waiting for a user action the sandbox never performs
• Targeting OS versions and application variants that the sandbox image does not run
• Encrypted channels, so the payload retrieval is invisible to network inspection
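The first bullet in practice, as an added example that is not Check Point's code and is not taken from any sample: the CPUID probe that evasive malware uses to decide whether it is running inside a virtual machine. The hypervisor-present bit and the vendor-signature leaf are documented CPU behaviour; the signature table, the detonation decision function and the 32-byte name buffer are this example's own choices.

```c
/* Added example, not Check Point's or any malware author's code: the
 * CPUID-based virtual-machine check that evasive samples run before
 * deciding whether to detonate. It shows what a sandbox image has to
 * hide to defeat "do not run inside a VM" logic. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* CPUID leaf 1, ECX bit 31 is reserved on real silicon and is set by
 * hypervisors to announce themselves. */
int hypervisor_bit_set(uint32_t leaf1_ecx) {
    return (int)((leaf1_ecx >> 31) & 1u);
}

/* Leaf 0x40000000 returns a 12-byte vendor signature in EBX:ECX:EDX.
 * The table holds well-known signatures; anything else is "unknown". */
const char *hypervisor_name(const char sig[12]) {
    static const struct { const char *sig; const char *name; } known[] = {
        { "VMwareVMware",   "VMware" },
        { "KVMKVMKVM\0\0\0", "KVM" },
        { "Microsoft Hv",   "Hyper-V" },
        { "VBoxVBoxVBox",   "VirtualBox" },
        { "XenVMMXenVMM",   "Xen" },
        { "TCGTCGTCGTCG",   "QEMU (TCG)" },
    };
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (memcmp(sig, known[i].sig, 12) == 0)
            return known[i].name;
    return "unknown";
}

/* Query the CPU this program runs on. Returns 1 when a hypervisor
 * announces itself and writes its name into name_out (at least 32 bytes);
 * returns 0 with "bare metal" otherwise. Non-x86 builds report "not x86". */
int probe_hypervisor(char *name_out) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx) || !hypervisor_bit_set(ecx)) {
        strcpy(name_out, "bare metal");
        return 0;
    }
    /* Leaf 0x40000000 lies above the basic range, so use the raw macro. */
    __cpuid(0x40000000, eax, ebx, ecx, edx);
    char sig[12];
    memcpy(sig, &ebx, 4);
    memcpy(sig + 4, &ecx, 4);
    memcpy(sig + 8, &edx, 4);
    strcpy(name_out, hypervisor_name(sig));
    return 1;
#else
    strcpy(name_out, "not x86");
    return 0;
#endif
}

/* The evasive decision the slide describes: stay dormant inside a VM. */
int sample_would_detonate(int hypervisor_present) {
    return !hypervisor_present;
}

int main(void) {
    char name[32];
    int hv = probe_hypervisor(name);
    printf("hypervisor: %s -> evasive sample would %s\n", name,
           sample_would_detonate(hv) ? "run" : "stay dormant");
    return 0;
}
```

Compile with gcc or clang on x86-64; on other architectures it reports "not x86". The lesson for a sandbox operator is that a detonation VM has to lie here (mask ECX bit 31 and the 0x40000000 leaf, which most hypervisors can be configured to do) and in every other fingerprint the sample might consult, and the sample author only has to find one it forgot. That arms race is what the deck's CPU-level approach aims to step out of by catching the exploit before any such check has a chance to run.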
STAYING ONE STEP AHEAD
Introducing SandBlast
Catches More Malware. Proactive Prevention. Complete Integrated Protection.
WHAT IS SANDBLAST?
Unprecedented real-time prevention against unknown malware, zero-day and targeted attacks
• Sandboxing: evasion-resistant malware detection
• Threat Extraction: prompt delivery of safe, reconstructed files
ALREADY A STEP AHEAD
Independent test results recommend Check Point for security effectiveness and value:
• 100% catch rate for HTTP malware, SMB malware, email malware and drive-by exploits
• 100% stability, reliability and performance under load
These results were achieved without CPU-level Exploit Detection.
THE ATTACK CHAIN IN DATA FILES
LET'S CHECK UNDER THE HOOD…
• VULNERABILITY: trigger an attack through unpatched software or a zero-day vulnerability
• EXPLOIT: bypass the CPU and OS security controls (such as DEP and ASLR) using exploitation methods
• SHELLCODE: activate an embedded payload to retrieve the malware
• MALWARE: run the malicious code
A STEP AHEAD BY IDENTIFYING MALWARE AT THE EXPLOIT PHASE
VULNERABILITY (thousands) → EXPLOIT (only a handful of methods) → SHELLCODE → MALWARE (millions of variants)
Evasion code runs only after the exploit stage has succeeded.
DETECT USE OF EXPLOIT METHODS
A Step Ahead of Malware Variants
• Very few exploitation methods
• New ones are very rare
A Step Earlier in the Attack Cycle
• Before sandbox evasion techniques can be employed
STAYING AHEAD OF THE MOST COMMON ATTACKS
“Almost all exploits discovered in the last two years have used return-oriented programming techniques”
CPU OPERATION: Normal execution
(figure: control flow passes through the code blocks A, B, C, D, E, F in program order)
ROP EXPLOIT (Return Oriented Programming)
(figure: the same code blocks A to F, now entered at six attacker-chosen points, numbered 1 to 6, in an order the program never intended)
Hijacks small pieces of legitimate code already in memory (gadgets, each ending in a return instruction) and manipulates the CPU to load and execute the actual malware.
CPU-LEVEL EXPLOIT DETECTION
Staying one step ahead
Modern processors include sophisticated debug and performance monitoring mechanisms that can track branch operations. CPU-level exploit detection inspects this branch data to identify the exploit, and with it the malware, before it can deploy.
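An added example of what inspecting the branch data can mean, not Check Point's implementation and not a description of it: a call-preceded-return check over a constructed last-branch-record trace, the technique the first ROP detectors built on branch records used. The blocks A to F of the previous slides become a constructed 96-byte x86-64 text segment at an assumed base address 0x401000, the two traces are constructed by hand, and the 20-byte gadget-length threshold is an assumption.

```c
/* Added example, not Check Point's implementation: a call-preceded-return
 * check over an LBR-style branch trace. Code bytes, base address, traces
 * and the gadget-length threshold are all constructed for the demo. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define CODE_BASE        0x401000ULL   /* assumed load address */
#define GADGET_MAX_BYTES 20            /* assumed "looks like a gadget" size */

/* Constructed x86-64 text segment; unlisted bytes are zero filler. */
static const uint8_t CODE[0x60] = {
    [0x00] = 0x48, 0x83, 0xEC, 0x28,        /* sub rsp,0x28               */
    [0x04] = 0xE8, 0x17, 0x00, 0x00, 0x00,  /* call 0x401020              */
    [0x09] = 0x48, 0x83, 0xC4, 0x28,        /* add rsp,0x28 (return site) */
    [0x0D] = 0xC3,                          /* ret                        */
    [0x20] = 0x48, 0x89, 0xC8,              /* callee: mov rax,rcx        */
    [0x23] = 0xC3,                          /* ret                        */
    [0x30] = 0x5F, 0xC3,                    /* gadget: pop rdi ; ret      */
    [0x40] = 0x5E, 0xC3,                    /* gadget: pop rsi ; ret      */
    [0x50] = 0x48, 0x89, 0xF8, 0xC3,        /* gadget: mov rax,rdi ; ret  */
};

/* One record as a last-branch-record facility would export it. */
typedef struct { uint64_t from, to; int is_ret; } branch_rec;

/* Does a call instruction end exactly at `target`? A legitimate return
 * lands right after the call that pushed its address; a ROP return lands
 * on a gadget. The byte patterns cover the common x86-64 call encodings.
 * Heuristic: it does not prove that those bytes are an instruction. */
int is_call_preceded(const uint8_t *p, uint64_t base, size_t len, uint64_t target) {
    if (target < base || target > base + len) return 0;   /* outside image */
    size_t off = (size_t)(target - base);
    if (off >= 5 && p[off-5] == 0xE8) return 1;                                /* call rel32       */
    if (off >= 2 && p[off-2] == 0xFF && (p[off-1] & 0xF8) == 0xD0) return 1;   /* call reg         */
    if (off >= 3 && p[off-3] == 0x41 && p[off-2] == 0xFF &&
        (p[off-1] & 0xF8) == 0xD0) return 1;                                   /* call r8..r15     */
    if (off >= 2 && p[off-2] == 0xFF && (p[off-1] & 0xF8) == 0x10 &&
        (p[off-1] & 7) != 4 && (p[off-1] & 7) != 5) return 1;                  /* call [reg]       */
    if (off >= 3 && p[off-3] == 0xFF && (p[off-2] & 0xF8) == 0x50 &&
        (p[off-2] & 7) != 4) return 1;                                         /* call [reg+disp8] */
    if (off >= 6 && p[off-6] == 0xFF && p[off-5] == 0x15) return 1;            /* call [rip+disp32]*/
    return 0;
}

typedef struct { int returns, bad_returns, longest_gadget_chain; } verdict;

/* Walk the trace: count returns whose target is not call-preceded, and the
 * longest run of returns each followed by only a few bytes before the next
 * branch, which is the shape of a gadget chain. */
verdict analyze_trace(const branch_rec *tr, size_t n,
                      const uint8_t *code, uint64_t base, size_t len) {
    verdict v = {0, 0, 0};
    int chain = 0;
    for (size_t i = 0; i < n; i++) {
        if (!tr[i].is_ret) { chain = 0; continue; }
        v.returns++;
        if (!is_call_preceded(code, base, len, tr[i].to)) v.bad_returns++;
        if (i + 1 < n && tr[i+1].from >= tr[i].to &&
            tr[i+1].from - tr[i].to <= GADGET_MAX_BYTES) {
            if (++chain > v.longest_gadget_chain) v.longest_gadget_chain = chain;
        } else {
            chain = 0;
        }
    }
    return v;
}

/* Constructed trace of the benign call/return pair. */
verdict run_normal(void) {
    static const branch_rec trace[] = {
        { CODE_BASE + 0x04, CODE_BASE + 0x20, 0 },  /* call -> callee      */
        { CODE_BASE + 0x23, CODE_BASE + 0x09, 1 },  /* ret  -> after call  */
    };
    return analyze_trace(trace, 2, CODE, CODE_BASE, sizeof CODE);
}

/* Constructed trace after a stack pivot: every return lands on a gadget. */
verdict run_rop(void) {
    static const branch_rec trace[] = {
        { CODE_BASE + 0x0D, CODE_BASE + 0x30, 1 },  /* ret -> pop rdi      */
        { CODE_BASE + 0x31, CODE_BASE + 0x40, 1 },  /* ret -> pop rsi      */
        { CODE_BASE + 0x41, CODE_BASE + 0x50, 1 },  /* ret -> mov rax,rdi  */
        { CODE_BASE + 0x53, CODE_BASE + 0x20, 1 },  /* ret -> callee body  */
    };
    return analyze_trace(trace, 4, CODE, CODE_BASE, sizeof CODE);
}

int main(void) {
    verdict a = run_normal(), b = run_rop();
    printf("normal: %d returns, %d not call-preceded, gadget chain %d\n",
           a.returns, a.bad_returns, a.longest_gadget_chain);
    printf("rop:    %d returns, %d not call-preceded, gadget chain %d\n",
           b.returns, b.bad_returns, b.longest_gadget_chain);
    return 0;
}
```

Run it and the normal trace reports no violation, while the ROP trace reports four returns to addresses that no call precedes, in a chain of three short gadgets. The check is a heuristic in two ways a practitioner should keep in mind: it inspects raw bytes before the target without proving an instruction boundary, and an attacker who restricts the chain to call-preceded gadgets or to long gadgets slips under both tests. That is why a product layers several heuristics on the branch records rather than relying on this one alone.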
CPU-LEVEL EXPLOIT DETECTION
• Highest catch rate
• Evasion-resistant
• Efficient and fast
• Unique to Check Point
STAYING A STEP AHEAD OF USER EXPECTATIONS
Deliver files safely and maintain business flow
THE TRADITIONAL SANDBOX: DELAYED RESPONSE
INSPECTION TAKES TIME
• As a result, many sandboxes are deployed in non-blocking mode
• This allows malicious files to reach the user while the sandbox inspects the file in the background
SANDBLAST THREAT EXTRACTION: PROACTIVE PREVENTION
• Immediate access
• Preemptive protection, not detection
• Visibility into attack attempts
A STEP FASTER FOR USERS… PROMPTLY PROVIDING CLEAN FILES
ACCESS TO ORIGINALS AFTER EMULATION
VISIBILITY INTO ATTEMPTED ATTACKS
Flexible deployment
minimizes TCO and
provides complete
threat visibility
A STEP AHEAD IN IMPLEMENTATION
©2015 Check Point Software Technologies Ltd.
UNIFIED MANAGEMENT FOR BEST ROI AND OPTIMAL PROTECTION
• Customized Visibility
• Unified Policy
• Everywhere Monitoring
SANDBLAST DEPLOYMENT OPTIONS
In Step with Your Modern IT Infrastructure
• SandBlast Appliance: on-premise solution compatible with strict privacy regulations
• SandBlast Cloud: easy-to-deploy cloud-based service
FAST, FLEXIBLE DEPLOYMENT
(figure: deployment options, showing the SandBlast Appliance, the Check Point Gateway and the SandBlast Cloud)
SandBlast for Office 365
• SandBlast solution for cloud-based applications: Office 365
• Office 365 integration is done via the Microsoft API, with no additional MTA (no on-premises gateway or management needed)
• Microsoft API: emails are fetched as they arrive in users' inboxes
Q&A
