
CHECK POINT SANDBLAST

ZERO-DAY PROTECTION

September 2015

Kaushal Varshney | Technical Marketing, Threat Prevention

©2015 Check Point Software Technologies Ltd. 1


WHAT IS SANDBLAST?

Unprecedented real-time prevention against unknown malware, zero-day and targeted attacks

• Threat Emulation with CPU-Level Detection: evasion-resistant malware detection
• Threat Extraction: prompt delivery of safe reconstructed files


SANDBLAST
ZERO-DAY PROTECTION

• Threat Extraction: deliver a safe version of content quickly
• Threat Emulation
  o O/S Level Emulation: stops zero-day and unknown malware in a wide range of file formats
  o CPU-Level Detection: catches the most sophisticated malware before evasion techniques deploy

(Diagram: an Original Doc carrying malware passes through Threat Extraction and is delivered as a Safe Doc)


Threat Extraction
Document Reconstruction

(Diagram: Original Document → Reconstructed Document, a safe copy of the original)

• Reconstructed safe copy of documents
• Delivered immediately
• Customizable protection level
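One way the reconstruction step described on this slide can be carried out for OOXML documents, as an added example that is not Check Point's code or a description of its implementation: the package is rebuilt without the parts that carry active content (the VBA project, embedded OLE objects, ActiveX parts), the relationships and content-type entries that point at them are dropped, and body elements that referenced the removed relationships are removed so the file still opens. The part-name patterns stand in for the slide's "customizable protection level" and are an assumption of this example; the sample document and its binary parts are constructed placeholders.

```python
"""Threat Extraction-style reconstruction of an OOXML (.docx/.docm) file.

Added example, not Check Point's implementation. It assumes the OOXML package
layout: parts stored in a zip, relationships in *.rels files, macros in
word/vbaProject.bin and embedded objects under word/embeddings/.
"""
import io
import posixpath
import re
import zipfile
from typing import Dict, List, Set, Tuple

# Hypothetical protection level: which parts count as active content to strip.
ACTIVE_PART_PATTERNS = [
    r"^word/vbaProject\.bin$",  # VBA macro project
    r"^word/vbaData\.xml$",     # macro data
    r"^word/embeddings/",       # embedded OLE objects and packages
    r"^word/activeX/",          # ActiveX controls
]
MACRO_MAIN_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_TYPE = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def _resolve(rels_name: str, target: str) -> str:
    """Map a relationship Target to a zip part name: <dir>/_rels/<part>.rels
    resolves relative targets against <dir>; absolute targets start with '/'."""
    if target.startswith("/"):
        return target.lstrip("/")
    base = rels_name.split("/_rels/")[0] if "/_rels/" in rels_name else ""
    return posixpath.normpath(posixpath.join(base, target))


def _scrub_rels(rels_name: str, xml: str, removed: Set[str]) -> Tuple[str, Set[str]]:
    """Drop <Relationship/> elements that point at a removed part; return their Ids."""
    dropped: Set[str] = set()

    def repl(m):
        tag = m.group(0)
        target = re.search(r'\bTarget="([^"]*)"', tag)
        if target and _resolve(rels_name, target.group(1)) in removed:
            rid = re.search(r'\bId="([^"]*)"', tag)
            if rid:
                dropped.add(rid.group(1))
            return ""
        return tag

    return re.sub(r"<Relationship\b[^>]*/>", repl, xml), dropped


def _scrub_content_types(xml: str, removed: Set[str]) -> str:
    """Drop <Override/> entries for removed parts; downgrade a macro-enabled main part."""
    def repl(m):
        part = re.search(r'PartName="/([^"]*)"', m.group(0))
        return "" if part and part.group(1) in removed else m.group(0)
    return re.sub(r"<Override\b[^>]*/>", repl, xml).replace(MACRO_MAIN_TYPE, PLAIN_MAIN_TYPE)


def _scrub_body(xml: str, dropped_ids: Set[str]) -> str:
    """Remove <w:object> wrappers that reference a dropped relationship id."""
    def repl(m):
        return "" if any(f'r:id="{rid}"' in m.group(0) for rid in dropped_ids) else m.group(0)
    return re.sub(r"<w:object\b.*?</w:object>", repl, xml, flags=re.DOTALL)


def extract_safe_copy(docx: bytes, patterns: List[str] = ACTIVE_PART_PATTERNS) -> Tuple[bytes, Dict[str, List[str]]]:
    """Rebuild the package without active parts, dangling relationships or body
    references to them. Returns the safe copy and a report of what was removed."""
    src = zipfile.ZipFile(io.BytesIO(docx))
    names = src.namelist()
    removed = {n for n in names if any(re.match(p, n) for p in patterns)}
    dropped_ids: Set[str] = set()
    rewritten: Dict[str, bytes] = {}
    for n in names:
        if n in removed:
            continue
        data = src.read(n)
        if n.endswith(".rels"):
            xml, ids = _scrub_rels(n, data.decode("utf-8"), removed)
            dropped_ids |= ids
            data = xml.encode("utf-8")
        elif n == "[Content_Types].xml":
            data = _scrub_content_types(data.decode("utf-8"), removed).encode("utf-8")
        rewritten[n] = data
    if "word/document.xml" in rewritten and dropped_ids:
        body = rewritten["word/document.xml"].decode("utf-8")
        rewritten["word/document.xml"] = _scrub_body(body, dropped_ids).encode("utf-8")
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for n in names:  # keep the original part order
            if n in rewritten:
                dst.writestr(n, rewritten[n])
    return out.getvalue(), {"removed_parts": sorted(removed), "dropped_relationships": sorted(dropped_ids)}


def list_parts(docx: bytes) -> List[str]:
    return zipfile.ZipFile(io.BytesIO(docx)).namelist()


def read_part(docx: bytes, name: str) -> str:
    return zipfile.ZipFile(io.BytesIO(docx)).read(name).decode("utf-8")


def build_sample_docx() -> bytes:
    """Constructed minimal macro-enabled document with one embedded OLE object."""
    r = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
    parts = {
        "[Content_Types].xml": (
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="bin" ContentType="application/vnd.openxmlformats-officedocument.oleObject"/>'
            f'<Override PartName="/word/document.xml" ContentType="{MACRO_MAIN_TYPE}"/>'
            '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            "</Types>"),
        "_rels/.rels": (
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            f'<Relationship Id="rId1" Type="{r}/officeDocument" Target="word/document.xml"/></Relationships>'),
        "word/_rels/document.xml.rels": (
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId2" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
            f'<Relationship Id="rId3" Type="{r}/oleObject" Target="embeddings/oleObject1.bin"/></Relationships>'),
        "word/document.xml": (
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
            f'xmlns:r="{r}" xmlns:o="urn:schemas-microsoft-com:office:office"><w:body>'
            '<w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p>'
            '<w:p><w:r><w:object><o:OLEObject r:id="rId3"/></w:object></w:r></w:p></w:body></w:document>'),
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 constructed placeholder, not a real VBA project",
        "word/embeddings/oleObject1.bin": b"\xd0\xcf\x11\xe0 constructed placeholder OLE object",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in parts.items():
            z.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    safe, report = extract_safe_copy(build_sample_docx())
    print(report)
    print(list_parts(safe))
```

The regex-based XML handling keeps the example short; a production sanitizer should walk the package with a real XML parser, and a stricter protection level would flatten the document further (for example rendering it to an image-only or PDF form) rather than only removing active parts.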


Threat Emulation
Exploit Detection and Prevention

• Prevent zero-day attacks
• Constantly update ThreatCloud

Flow: the original document is sent for sandboxing, where it is opened and inspected.
• If no infection is found: the original document is delivered
• If infected with unknown malware:
  - Document is deleted
  - ThreatCloud is updated
  - Admin is notified
  Attack is PREVENTED


Deployment Options
Check Point SandBlast
Zero-Day Protection

Deployment Highlights

• Two form factors: Cloud and On-Premises
  o Sensitive to both privacy and industry-specific regulatory requirements
• Emulation of e-Mail attachments on one appliance
  o Single appliance can emulate files from throughout the network
• MTA for true mail prevention (not just detection)
  o Emulate files before they enter the network
  o Check Point provides emulation in a timeframe that doesn’t disrupt the business
• Multiple deployment options


FAST, FLEXIBLE DEPLOYMENT

(Diagram: SandBlast Appliance, SandBlast Cloud and Check Point Gateway)


SandBlast Cloud
Check Point SandBlast
Zero-Day Protection
• Check Point SandBlast Cloud
  o Real-time security intelligence delivered from Check Point ThreatCloud; turns zero-day attacks into known and preventable attacks
• No new hardware is needed
  o Requires Check Point Security Gateway with R77 and above

(Diagram: Internet → Check Point Security Gateway (requires R77 and above) → Corporate Network (LAN). Threat Emulation, O/S Level Sandboxing and CPU-Level Detection, runs in the SandBlast Cloud; Threat Extraction, prompt delivery of reconstructed clean files, runs on the local appliance.)


On Premise Deployment
Check Point SandBlast
Zero-Day Protection
• On-Premises Check Point SandBlast Appliance
• Added to existing Check Point Security Gateway in two ways:
  o Prevent: Inline – emulate before allowing into network
  o Detect: Duplicate network traffic (via SPAN port)

(Diagram: Internet → Check Point Security Gateway (requires R77 and above) → Corporate Network (LAN), with the Check Point SandBlast Appliance attached inline or via SPAN port. Threat Emulation: O/S Level Sandboxing with CPU-Level Evasion detection; Threat Extraction: prompt delivery of reconstructed clean files.)


Standalone Deployment
Check Point SandBlast
Zero-Day Protection
• Standalone Check Point SandBlast Appliance on-premises
  o Prevent: Inline – emulate before allowing into network
  o Detect: Duplicate network traffic (via SPAN port)
• One-box solution – ideal for proof-of-concept (no Check Point Gateway)

(Diagram: Internet → Check Point SandBlast Appliance → Corporate Network (LAN). Threat Emulation: O/S Level Sandboxing with CPU-Level Evasion detection; Threat Extraction: prompt delivery of reconstructed clean files.)


Hybrid Solution
Check Point SandBlast
Zero-Day Protection
• Check Point SandBlast as a Hybrid Solution, for both single-site and multi-site
• Check Point Security Gateways with R77
  o NGTP elements – AV, AB, Anti-Spam etc. alongside Threat Extraction
• SandBlast Appliance only required at Headquarters

(Diagram: Branch sites and Agents connect to Headquarters and to the SandBlast Cloud; Threat Emulation, O/S Level Sandboxing and CPU-Level Detection, runs in the Cloud and/or on the on-premises appliance.)


Threat Emulation
Admin has comprehensive attack visibility

(Screenshots: Summary view and Details view)


Threat Extraction
End-user Experience

• Threat Extraction – no delay in email delivery
• Access to original files
  o Download option if the user trusts the source


Check Point SandBlast
Zero-Day Protection
Provisioning Options in Threat Prevention



Check Point SandBlast
Zero-Day Protection
Introducing CPU-Level Detection
• Advanced malware uses various techniques to evade traditional sandboxes
• Check Point’s advanced deep CPU-Level inspection
• Detects malware at the exploitation stage - no chance to attempt evasion

Stages of an attack:
• Vulnerability: trigger an attack through an unpatched or zero-day vulnerability
• Exploit: bypass the CPU and OS security controls using exploitation methods
• Shellcode: activate an embedded payload to retrieve the malware
• Malware: run malicious code


Check Point SandBlast
Zero-Day Protection
CPU-Level Detection: Anatomy of Zero-Day Attack

Exploit the vulnerability

How an OS deploys security controls:
• DEP – Data Execution Prevention: “The processor will only run the code that was marked as executable”
• ASLR – Address Space Layout Randomization: “Code is loaded to a random location in memory”

How attackers bypass OS security controls:
• ROP – Return Oriented Programming: “Use only pre-existing pieces of code already loaded into executable-approved memory”
• Use clues to locate the useful code in memory: “a small piece of code located in known system DLLs and vulnerable software, such as browser and Adobe Reader”


Check Point SandBlast
Zero-Day Protection
CPU-Level Detection: Focus on Exploit

• Detect the exploit instead of the evasive malware – evasion proof
• Based on CPU execution flow – independent of operating system
  (OS images shown: Windows XP, Windows 7 (32bit), Windows 7 (64bit), Windows Server 2012 (64bit), Mac OS X 10.9, CentOS 7)
• CPU-Level Detection:
  o Activate the CPU debug mode
  o Examine the CPU code execution
  o Look for inconsistencies in the execution flow

(Diagram: Hypervisor hosting a CPU-level Sandbox; the CPU (Intel Haswell+) collects CPU flow data)
1. “Double Click”: activate the file in its native application
2. Activate CPU Debug Mode
3. Inspect CPU flows
4. Look for inconsistencies in the execution flow

Collected CPU flow data:

Type     From          To
Call     from_addr_1   to_addr_1
Call     from_addr_2   to_addr_2
Return   from_addr_3   to_addr_3
Call     from_addr_4   to_addr_4
…        …             …
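The previous two slides describe the idea in two halves: ROP chains reuse existing code by chaining returns, and CPU-level detection collects Call/Return flow records and looks for inconsistencies in them. The following is an added example of one such consistency check, written for this page and not Check Point's code or a description of how its product decides. It replays a trace of (Type, From, To) records in the slide's shape against a shadow stack of call sites: a legitimate Return must land just past an outstanding Call, while a run of Returns that land where no Call precedes is the shape of a gadget chain. The window of 2 to 7 bytes for an x86 CALL encoding, the trace addresses and the threshold of three consecutive bad returns are assumptions of the example.

```python
"""Consistency check over CPU branch-flow records (Call / Return, From, To).

Added example, not Check Point's code. It assumes the record shape shown on
the slide, and that an x86 CALL instruction encodes in 2..7 bytes, so a
legitimate RET must land within that window just past its matching CALL.
"""
from dataclasses import dataclass
from typing import List, Optional

MAX_CALL_INSN_LEN = 7  # assumption: longest x86 CALL encoding, in bytes


@dataclass(frozen=True)
class Flow:
    kind: str  # "Call" or "Return" (the slide's Type column)
    src: int   # From: address the branch was taken from
    dst: int   # To: address the branch landed on


@dataclass(frozen=True)
class Finding:
    index: int   # position of the offending record in the trace
    reason: str
    flow: Flow


def _matching_frame(shadow: List[int], ret_target: int) -> Optional[int]:
    """Depth of the newest outstanding call site that ret_target legitimately
    returns to (target lies just past the CALL), or None if there is none."""
    for depth in range(len(shadow) - 1, -1, -1):
        call_site = shadow[depth]
        if call_site < ret_target <= call_site + MAX_CALL_INSN_LEN:
            return depth
    return None


def check_flows(flows: List[Flow]) -> List[Finding]:
    """Replay the trace against a shadow stack of call sites. A Return is
    consistent only if it lands just past an outstanding call site. Returning
    to a deeper frame is treated as unwinding (longjmp, exceptions) and is not
    reported, which keeps that legitimate control flow out of the findings."""
    shadow: List[int] = []
    findings: List[Finding] = []
    for i, f in enumerate(flows):
        if f.kind == "Call":
            shadow.append(f.src)
        elif f.kind == "Return":
            depth = _matching_frame(shadow, f.dst)
            if depth is None:
                reason = ("return with no outstanding call" if not shadow
                          else "return target is not just past any outstanding call site")
                findings.append(Finding(i, reason, f))
            else:
                del shadow[depth:]  # pop the matched frame and anything above it
        else:
            raise ValueError(f"unknown flow type {f.kind!r}")
    return findings


def gadget_chain_suspected(flows: List[Flow], threshold: int = 3) -> bool:
    """A run of `threshold` consecutive inconsistent Returns with no Call in
    between is the signature of a return-oriented gadget chain."""
    flagged = {fd.index for fd in check_flows(flows)}
    run = 0
    for i, f in enumerate(flows):
        if f.kind == "Return" and i in flagged:
            run += 1
            if run >= threshold:
                return True
        else:
            run = 0
    return False


# Constructed sample traces (addresses are made up for illustration).
BENIGN_TRACE = [
    Flow("Call", 0x401000, 0x401500),    # main calls f
    Flow("Call", 0x401510, 0x401800),    # f calls g
    Flow("Return", 0x401830, 0x401515),  # g returns just past its call site
    Flow("Return", 0x401520, 0x401005),  # f returns just past its call site
]
UNWIND_TRACE = [
    Flow("Call", 0x401000, 0x401500),
    Flow("Call", 0x401510, 0x401800),
    Flow("Return", 0x401830, 0x401005),  # skips a frame: unwinding, not an attack
]
ROP_LIKE_TRACE = [
    Flow("Call", 0x401000, 0x401500),
    Flow("Return", 0x77A01234, 0x77A0ABCD),  # lands where no CALL precedes
    Flow("Return", 0x77A0ABD0, 0x77A0FF00),
    Flow("Return", 0x77A0FF04, 0x77A12000),
]

if __name__ == "__main__":
    for name, trace in [("benign", BENIGN_TRACE), ("unwind", UNWIND_TRACE),
                        ("rop-like", ROP_LIKE_TRACE)]:
        fs = check_flows(trace)
        print(f"{name}: {len(fs)} inconsistent return(s), "
              f"gadget chain suspected={gadget_chain_suspected(trace)}")
        for fd in fs:
            print(f"  #{fd.index} {fd.flow.kind} {fd.flow.src:#x} -> {fd.flow.dst:#x}: {fd.reason}")
```

The unwinding rule is the caveat a practitioner will hit first: exception handling and setjmp/longjmp also return past several frames at once, so a checker that flags every return that skips the top of the shadow stack produces false positives on ordinary applications. Treating a return that matches a deeper frame as an unwind, and only alarming on returns that match no outstanding call site at all (and on runs of them), keeps the check focused on the gadget-chain pattern.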


SUMMARY
Check Point SandBlast Zero-Day Protection
Threat Extraction, Threat Emulation, and CPU-Level Detection

THREAT EXTRACTION
• Reconstructs incoming files
• Promptly delivers safe reconstructed files
• Ensures business continuity
• Safe access to original document

THREAT EMULATION
• Visibility on attack attempts
• Evasion-proof CPU-Level detection of unknown malware


THANK YOU!



Deployment Options
Check Point SandBlast
Zero-Day Protection
Coming Soon …

Deployment Highlights

• Two form factors: Cloud and On-Premises
  o Sensitive to both privacy and industry-specific regulatory requirements
• Emulation of Mail, Web and File Shares on one appliance
  o Single appliance can emulate files from throughout the network
• MTA for true mail prevention (not just detection)
  o Emulate files before they enter the network
  o Check Point provides emulation in a timeframe that doesn’t disrupt the business
• Multiple deployment options
