
STAYING ONE STEP AHEAD OF MALWARE
With SandBlast Zero-Day Protection

Ivan Štrbac
Security Engineer, Adriatic

©2016 Check Point Software Technologies Ltd. [Protected] Non-confidential content​ 1


ONE STEP AHEAD OF WHAT?

• Of the Latest Hacker Tactics
• Of the Most Dangerous and Sophisticated Threats
• Of Modern Evasion Techniques
• Of User Expectations for Safe Content Delivery
• Of Enterprise IT Architecture Models

Successful Defense Strategy

Make every effort to PREVENT attacks
• Detection is not enough
• The only way to avoid the cost of an attack is to prevent it altogether

DETECT and CONTAIN attacks as soon as possible
• Don’t linger
• Once infected, the cost of the attack just keeps on rising

Effectively RESPOND and REMEDIATE
• Address the real business impact
• Make sure the infection doesn’t come back


The Power to Prevent Attacks
On the Network and At the Endpoint

Catches More Malware. Proactive Prevention. Complete Integrated Protection.
The Insight to Understand Them.
STAYING ONE STEP AHEAD OF NETWORK ATTACKS

Detect and stop hackers’ attempts to evade detection and infiltrate your network
How do you protect your infrastructure against WHAT YOU DON’T KNOW… …ZERO-DAY

Malware that has not previously been seen can often get past traditional technology
FROM START-UPS TO LARGE CORPORATIONS

NO ONE IS IMMUNE
THE TRADITIONAL SANDBOX: HOW IT WORKS

Open and detonate any file (THREAT CONTAINED) and examine:
• System Registry
• Network Connections
• File System Activity
• System Processes

Watch for telltale signs of malicious code at the Operating System level
Traditional Sandboxes are Prone to Evasion

NEW EVASION TECHNIQUES CONSTANTLY DEVELOPED
• Not activating the malware on virtual environments
• Delaying the attack… by time or action
• Different OS versions and variants
• Encrypted channels
Staying One Step Ahead…

Highest Catch Rate
• Evasion-resistant malware detection
• CPU-level Detection

Proactive Prevention
• Deployable in blocking mode
• Threat Extraction

Real-time Prevention Against Unknown Malware, Zero-Day and Targeted Attacks
A Step Ahead

Attack funnel: thousands of VULNERABILITIES → only a handful of EXPLOITS → SHELLCODE → EVASION CODE → millions of MALWARE samples

• CPU Detection Engine: acts at the shellcode stage, before the evasion code can execute and before the malware is downloaded
• Traditional Sandbox: acts at the malware stage
CPU-LEVEL & OS-LEVEL EXPLOIT DETECTION
• Highest catch rate
• Evasion-resistant
• Efficient and fast
• Unique to Check Point
STAYING ONE STEP AHEAD OF USER EXPECTATIONS

Deliver files safely and maintain business flow
Traditional Sandboxes are Slow

INSPECTION TAKES TIME
• As a result, many sandboxes are deployed in non-blocking mode
• This allows malicious files to reach the user while the sandbox inspects the file in the background


SandBlast Threat Extraction
Providing Clean Files

BEFORE: Malware Activated  →  AFTER: Malware Removed

Immediate Access. Proactive Prevention. Attack Visibility.
Fast, Flexible Deployment

Deployment options: SANDBLAST APPLIANCE, SANDBLAST CLOUD, or on a CHECK POINT GATEWAY


VISIBILITY INTO ATTEMPTED ATTACKS


SANDBLAST ZERO-DAY PROTECTION

THREAT EXTRACTION: deliver a safe version of content quickly (original doc in, malware removed, safe doc out)
O/S LEVEL EMULATION: stops zero-day and unknown malware in a wide range of file formats
CPU-LEVEL DETECTION: catches the most sophisticated malware before evasion techniques deploy
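To make the Threat Extraction idea concrete, here is an added Python example that is not Check Point's code and does not claim to be how SandBlast implements the feature. It applies the same principle to an OOXML (Word/Excel/PowerPoint) package: instead of deciding whether the document is malicious, it removes the parts that can carry active content (VBA macro storage, embedded OLE and ActiveX objects), drops the relationships and content-type entries that point at them, and switches a macro-enabled main part to its macro-free type so the result opens as a plain document. The sample `.docm`, the part list, and the helper names are all constructed for this example; real threat extraction also covers PDF and other formats and may convert the whole document to a flattened form, which this snippet does not attempt.

```python
import io
import posixpath
import re
import zipfile

# Package parts that carry active or embedded content. They are removed
# outright; the sanitizer never tries to judge whether they are malicious.
ACTIVE_PART_PATTERNS = (
    re.compile(r"^(word|xl|ppt)/vbaProject\.bin$"),   # VBA macro storage
    re.compile(r"^(word|xl|ppt)/vbaData\.xml$"),
    re.compile(r"^(word|xl|ppt)/embeddings/"),        # embedded OLE objects / packages
    re.compile(r"^(word|xl|ppt)/activeX/"),           # ActiveX controls
)

# Macro-enabled main-part content types and their macro-free equivalents.
MACRO_MAIN_TYPES = {
    "application/vnd.ms-word.document.macroEnabled.main+xml":
        "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml":
        "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml":
        "application/vnd.openxmlformats-officedocument.presentationml.presentation.main+xml",
}


def is_active_part(name):
    return any(p.match(name) for p in ACTIVE_PART_PATTERNS)


def _strip_rels(rels_xml, rels_name, removed):
    """Drop <Relationship/> elements whose Target resolves to a removed part."""
    base = posixpath.dirname(posixpath.dirname(rels_name))  # word/_rels/document.xml.rels -> word

    def keep(match):
        target = re.search(r'Target="([^"]+)"', match.group(0))
        if target is None:
            return match.group(0)
        resolved = posixpath.normpath(posixpath.join(base, target.group(1))).lstrip("/")
        return "" if resolved in removed else match.group(0)

    return re.sub(r"<Relationship\b[^>]*/>", keep, rels_xml)


def _strip_content_types(ct_xml, removed):
    """Drop Override entries for removed parts and demote macro-enabled main parts."""
    def keep(match):
        part = re.search(r'PartName="/([^"]+)"', match.group(0))
        return "" if part and part.group(1) in removed else match.group(0)

    ct_xml = re.sub(r"<Override\b[^>]*/>", keep, ct_xml)
    for macro_type, plain_type in MACRO_MAIN_TYPES.items():
        ct_xml = ct_xml.replace(macro_type, plain_type)
    return ct_xml


def sanitize_ooxml(data):
    """Return (sanitized_bytes, sorted list of removed part names)."""
    src = zipfile.ZipFile(io.BytesIO(data))
    removed = {n for n in src.namelist() if is_active_part(n)}
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if name in removed:
                continue
            payload = src.read(name)
            if name.endswith(".rels"):
                payload = _strip_rels(payload.decode("utf-8"), name, removed).encode("utf-8")
            elif name == "[Content_Types].xml":
                payload = _strip_content_types(payload.decode("utf-8"), removed).encode("utf-8")
            elif name.endswith(".xml"):
                # Remove embedded-object containers from the body so no dangling r:id remains.
                payload = re.sub(rb"<w:object\b.*?</w:object>", b"", payload, flags=re.S)
            dst.writestr(name, payload)
    return out.getvalue(), sorted(removed)


def build_sample_docm():
    """Constructed sample (placeholders, not a real malicious file): a macro-enabled
    document with one VBA project and one embedded OLE object."""
    parts = {
        "[Content_Types].xml": (
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '<Default Extension="bin" ContentType="application/vnd.openxmlformats-officedocument.oleObject"/>'
            '<Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
            '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            "</Types>"),
        "_rels/.rels": (
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
            "</Relationships>"),
        "word/_rels/document.xml.rels": (
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
            '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="embeddings/oleObject1.bin"/>'
            "</Relationships>"),
        "word/document.xml": (
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
            'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" '
            'xmlns:o="urn:schemas-microsoft-com:office:office">'
            "<w:body><w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p>"
            '<w:p><w:r><w:object><o:OLEObject r:id="rId2"/></w:object></w:r></w:p>'
            "</w:body></w:document>"),
        "word/vbaProject.bin": "PLACEHOLDER-VBA-STORAGE",
        "word/embeddings/oleObject1.bin": "PLACEHOLDER-OLE-OBJECT",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, content in parts.items():
            z.writestr(name, content)
    return buf.getvalue()


def part_names(data):
    return sorted(zipfile.ZipFile(io.BytesIO(data)).namelist())


def read_part(data, name):
    return zipfile.ZipFile(io.BytesIO(data)).read(name).decode("utf-8")


if __name__ == "__main__":
    safe, removed = sanitize_ooxml(build_sample_docm())
    print("removed parts:", removed)
    print("delivered parts:", part_names(safe))
```

The user gets the sanitized copy immediately; the original file can then be emulated in the background, which is the ordering the deck describes. Note that the regexes here assume well-formed OOXML produced by Office; a production sanitizer should parse the XML properly and treat any part it cannot parse as a reason to refuse delivery rather than pass it through.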


STAYING ONE STEP AHEAD OF ENDPOINT INFILTRATION

Detect and prevent hackers’ attempts to infect and commandeer endpoint devices


INTRODUCING…

THE POWER TO PROTECT. THE INSIGHT TO UNDERSTAND.
Check Point SandBlast Agent

• PREVENT Zero-Day Attacks
• Quickly IDENTIFY and CONTAIN Infections
• REMEDIATE and RESPOND Effectively
Protect from What You Don’t Know

Traditional signature-based anti-virus protects from KNOWN THREATS

But it cannot keep up with modern UNKNOWN MALWARE and ZERO-DAY THREATS
Some threats are best prevented at the endpoint:
• Users working remotely
• External storage devices
• Encrypted content
• Lateral movement
SandBlast Agent Zero-Day Prevention
Block UNKNOWN and ZERO-DAY ATTACKS on your endpoints

HIGHEST CATCH RATE: THREAT EMULATION
• Evasion-resistant sandbox using CPU-level and OS-level technologies

PROACTIVE PREVENTION: THREAT EXTRACTION
• Quick access to safe content while purging potential malware

NON-INTRUSIVE
• Processing offloaded from endpoints to the cloud
Eliminate Zero-Day Malware at the Endpoint

1. Web downloads sent to SandBlast cloud
2. Sanitized version delivered promptly
3. Original file emulated in the background
Timing is Everything

Days to Identify and Contain a Cyber Attack
            Identify   Contain
MINIMUM         20         7
MEAN           206        69
MAXIMUM        582       175

Source: 2015 Cost of Data Breach Study: Global Analysis, Ponemon Institute

The longer an attack goes UNDETECTED, the more time it takes to CONTAIN it
The longer it takes to CONTAIN it, the more it will COST

• $154 per lost record
• $3.79M average damage
• 23% increase from previous year
SandBlast Agent: Quickly Detect and Contain

Identify and block malicious communication
• Expose hidden infections
• Obstruct malware’s ability to spread
• Prevent data exfiltration

Neutralize the infection
• Lock down the infected host
• Quarantine infected files
Look for Malicious Outgoing Traffic at the Endpoint

1. THREAT INTELLIGENCE continuously delivered to the Agent
2. Outgoing traffic inspected by local ANTI-BOT
3. C&C traffic and data exfiltration are BLOCKED
4. QUARANTINE the malicious process or LOCK DOWN the entire system
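The four steps above are easier to reason about as a small decision routine, so here is an added Python example written for this page; it is not Check Point's Anti-Bot code and does not reproduce its actual matching logic. The threat-intelligence feed is delivered to the agent (step 1) as a set of domains and IP networks; each outbound connection record from the endpoint is checked against it (step 2); hits and unexplained large outbound transfers to untrusted destinations are blocked (step 3); and the offending process is quarantined, escalating to a host lockdown when more than one process is involved (step 4). The feed entries, the log format, the trusted-destination allowlist, the volume threshold and the lockdown count are all constructed assumptions, and the indicators use reserved documentation names and addresses.

```python
import ipaddress
import re

# Constructed threat-intelligence feed (documentation ranges and .invalid names, not real indicators).
FEED = {
    "domains": {"c2.example.invalid", "update-check.example.invalid"},
    "networks": [ipaddress.ip_network("203.0.113.0/24")],
}
EXFIL_BYTES = 5 * 1024 * 1024          # outbound volume that triggers the exfiltration check (assumed)
TRUSTED_SUFFIXES = ("example.com",)    # constructed allowlist of sanctioned business destinations
LOCKDOWN_PROCESS_COUNT = 2             # distinct offending processes before the whole host is locked down

# Constructed endpoint connection log: one outbound connection per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>\S+) dst=(?P<dst>\S+) ip=(?P<ip>\S+) out=(?P<out>\d+)$"
)
SAMPLE_LOG = """\
2016-03-01T09:00:01Z pid=4120 image=outlook.exe dst=mail.example.com ip=198.51.100.10 out=20480
2016-03-01T09:00:05Z pid=5233 image=update.exe dst=c2.example.invalid ip=203.0.113.7 out=512
2016-03-01T09:00:09Z pid=5233 image=update.exe dst=cdn.example.net ip=192.0.2.9 out=7340032
2016-03-01T09:01:10Z pid=6001 image=svchost.exe dst=sub.update-check.example.invalid ip=198.51.100.77 out=300
2016-03-01T09:01:12Z pid=4120 image=outlook.exe dst=files.example.com ip=198.51.100.11 out=9437184
"""


def domain_matches(host, domains):
    """Exact or parent-domain match, so subdomains of a listed C&C domain also hit."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def ip_matches(ip, networks):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def parse_log(text):
    conns = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:  # malformed lines are skipped rather than trusted
            conns.append({"ts": m.group("ts"), "pid": int(m.group("pid")), "image": m.group("image"),
                          "dst": m.group("dst"), "ip": m.group("ip"), "out": int(m.group("out"))})
    return conns


def classify(conn, feed):
    """Verdict for one outbound connection: allow, block:c2 or block:exfiltration."""
    if domain_matches(conn["dst"], feed["domains"]) or ip_matches(conn["ip"], feed["networks"]):
        return "block:c2"
    if conn["out"] >= EXFIL_BYTES and not domain_matches(conn["dst"], TRUSTED_SUFFIXES):
        return "block:exfiltration"
    return "allow"


def evaluate(text, feed):
    """Apply the feed to every connection and decide the containment action for the host."""
    decisions, bad_pids = [], set()
    for conn in parse_log(text):
        verdict = classify(conn, feed)
        decisions.append((conn["pid"], conn["image"], conn["dst"], verdict))
        if verdict != "allow":
            bad_pids.add(conn["pid"])
    if len(bad_pids) >= LOCKDOWN_PROCESS_COUNT:
        host_action = "lockdown_host"
    elif bad_pids:
        host_action = "quarantine_process"
    else:
        host_action = "none"
    return {"decisions": decisions, "quarantine_pids": sorted(bad_pids), "host_action": host_action}


if __name__ == "__main__":
    result = evaluate(SAMPLE_LOG, FEED)
    for pid, image, dst, verdict in result["decisions"]:
        print(f"{verdict:20} pid={pid} {image} -> {dst}")
    print("quarantine:", result["quarantine_pids"], "host action:", result["host_action"])
```

Two design points carry over to real deployments: the volume-based exfiltration rule is a heuristic and needs an allowlist of legitimate bulk destinations to stay usable, and the escalation from quarantining one process to locking down the host should be a tunable policy decision, since a lockdown interrupts the user far more than a single blocked process.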
What You Really Need to Know

• How did it enter?
• Is there business impact?
• How can I block the attack vector?
• How do I mitigate?
• Who should I notify?
• How do we clean it?
• Has it spread?
• How can I save time responding?
• Am I addressing the full scope?
SandBlast Agent Forensics Analysis
AUTOMATED incident analysis for EFFECTIVE incident response

ACTIONABLE INFORMATION
• Interactive Attack Summary
• Instant visibility into what you need to know

GENERATED AUTOMATICALLY
• Triggered when it matters
• Avoids expensive manual analysis of raw forensic data
Collect Forensics Data and Trigger Report Generation

1. FORENSICS data continuously collected from various OS sensors (Network, Files, Registry, Processes)
2. Report generation automatically triggered upon detection of network events or by 3rd-party AV
3. Advanced algorithms analyze the raw forensics data
4. Digested incident report sent to SmartEvent
From Trigger to Infection: automatically trace back the infection point. Attack traced even across system boots.

1. Investigation Trigger: identify the process that accessed the C&C server
2. Activate Malware: scheduled task launches after boot
3. Schedule Execution: malware registered to launch after boot
4. Dropped Malware: dropper downloads and installs malware
5. Exploit Code: dropper process launched by Chrome
6. Identify Attack Origin: Chrome exploited while browsing

Data Breach: malware reads sensitive documents
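The trace-back described on this and the previous slide is essentially a graph walk over the sensor records, so here is an added Python example that reconstructs the same kind of chain. It is written for this page and is not Check Point's forensics engine or its report format. Sensor events (process starts, file writes, scheduled-task registrations, file reads, network connections) are keyed by (boot, pid) because a pid is only unique within one boot session; that is what lets the walk cross a reboot. Starting from the trigger (the process that contacted a C&C host), each step looks for the strongest explanation of how that process came to run: the scheduled task that launched it and who registered that task, otherwise the process that wrote its image to disk, otherwise its parent, stopping when the parent is a benign system root. The event records, the C&C indicator, the field names and the root-process list are all constructed assumptions.

```python
# Constructed sensor records (not real telemetry). Boot 1: a browser spawns a dropper
# that writes a payload and registers a scheduled task. Boot 2: the task launches the
# payload, which reads a document and contacts a C&C host (the investigation trigger).
EVENTS = [
    {"boot": 1, "ts": 1, "type": "process_start", "pid": 100, "image": "chrome.exe",
     "ppid": 1, "pimage": "explorer.exe"},
    {"boot": 1, "ts": 2, "type": "process_start", "pid": 200, "image": "dropper.exe",
     "ppid": 100, "pimage": "chrome.exe"},
    {"boot": 1, "ts": 3, "type": "file_write", "pid": 200, "path": "C:\\ProgramData\\svc\\update.exe"},
    {"boot": 1, "ts": 4, "type": "task_register", "pid": 200, "task": "SvcUpdater",
     "command": "C:\\ProgramData\\svc\\update.exe"},
    {"boot": 2, "ts": 1, "type": "process_start", "pid": 300, "image": "update.exe",
     "path": "C:\\ProgramData\\svc\\update.exe", "ppid": 4, "pimage": "svchost.exe", "task": "SvcUpdater"},
    {"boot": 2, "ts": 2, "type": "file_read", "pid": 300, "path": "C:\\Users\\alice\\Documents\\contracts.xlsx"},
    {"boot": 2, "ts": 3, "type": "network_connect", "pid": 300, "dst": "c2.example.invalid"},
]
C2_HOSTS = {"c2.example.invalid"}                       # constructed indicator
ROOT_IMAGES = {"explorer.exe", "services.exe", "svchost.exe"}  # assumed benign launch roots


def _start(events, proc):
    boot, pid = proc
    for e in events:
        if e["type"] == "process_start" and e["boot"] == boot and e["pid"] == pid:
            return e
    return None


def find_trigger(events, c2_hosts):
    """The investigation trigger: the first process seen connecting to a known C&C host."""
    for e in events:
        if e["type"] == "network_connect" and e["dst"] in c2_hosts:
            return (e["boot"], e["pid"])
    return None


def trace_back(events, trigger):
    """Walk from the trigger process back to the attack origin, across boots if needed."""
    chain, proc, seen = [], trigger, set()
    while proc and proc not in seen:
        seen.add(proc)
        start = _start(events, proc)
        if start is None:
            break
        entry = {"boot": start["boot"], "pid": start["pid"], "image": start["image"], "via": None}
        chain.append(entry)
        task = start.get("task")
        reg = next((e for e in events if e["type"] == "task_register" and e["task"] == task), None) if task else None
        writer = next((e for e in events if e["type"] == "file_write" and e["path"] == start.get("path")), None)
        if reg:  # persistence: the task was registered by an earlier process, possibly in a previous boot
            entry["via"] = f"scheduled task {task}, registered by pid {reg['pid']} in boot {reg['boot']}"
            proc = (reg["boot"], reg["pid"])
        elif writer:  # dropped file: whoever wrote the image is the predecessor
            entry["via"] = f"image {start['path']} written by pid {writer['pid']} in boot {writer['boot']}"
            proc = (writer["boot"], writer["pid"])
        elif start["pimage"] not in ROOT_IMAGES:  # ordinary parent/child relationship
            entry["via"] = f"spawned by {start['pimage']} (pid {start['ppid']})"
            proc = (start["boot"], start["ppid"])
        else:  # launched by a benign root: this is the exploited application, the origin
            proc = None
    return chain


def summarize(events, c2_hosts):
    """Digest: trigger, attack chain (trigger first, origin last) and documents read by chain members."""
    trigger = find_trigger(events, c2_hosts)
    if trigger is None:
        return None
    chain = trace_back(events, trigger)
    members = {(s["boot"], s["pid"]) for s in chain}
    data_read = sorted(e["path"] for e in events
                       if e["type"] == "file_read" and (e["boot"], e["pid"]) in members)
    return {"trigger": trigger, "chain": chain,
            "origin": chain[-1]["image"] if chain else None, "data_read": data_read}


if __name__ == "__main__":
    report = summarize(EVENTS, C2_HOSTS)
    for step in report["chain"]:
        print(f"boot {step['boot']} pid {step['pid']} {step['image']}: {step['via'] or 'attack origin'}")
    print("documents read:", report["data_read"])
```

The walk is deliberately greedy and single-path; a real engine has to handle several candidate predecessors (a file rewritten by more than one process, a task re-registered later) and should keep every branch rather than the first match, but the ordering of evidence (persistence mechanism, then file provenance, then process lineage) is what makes the chain survive a reboot.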
STAYING ONE STEP AHEAD IN IMPLEMENTATION

Flexible deployment minimizes TCO and provides complete threat visibility
Unified Management
FOR BEST ROI AND OPTIMAL PROTECTION

• Integrated Monitoring
• Unified Policy
• Customized Visibility


SUMMARY


One Step Ahead in Zero-Day Protection

• Catches More Malware
• Proactive Prevention
• Complete Integrated Protection


Together with Check Point SandBlast Agent

THE POWER TO PROTECT. THE INSIGHT TO UNDERSTAND.
• PREVENT Zero-Day Attacks
• Quickly IDENTIFY and CONTAIN Infections
• REMEDIATE and RESPOND Effectively
THANK YOU
