Staying One Step Ahead with Zero-Day Protection

©2015 Check Point Software Technologies Ltd. 1

STAYING ONE STEP AHEAD WITH ZERO-DAY PROTECTION CPUL + TEX

Martin Koldovský

Threat Prevention Security Engineer, Eastern Europe

[Restricted] ONLY for designated groups and individuals ©2015 Check Point Software Technologies Ltd.

začínáme 14:55


Of hackers’ attempts to

evade detection

and infiltrate

your network

STAYING ONE STEP AHEAD

[Restricted] ONLY for designated groups and individuals ©2015 Check Point Software Technologies Ltd.


SANDBLAST ZERO-DAY PROTECTION

CPU-level

Exploit Detection Catches the most sophisticated

malware before evasion

techniques deploy

Threat

Extraction Deliver safe

version of

content quickly

OS-level

Sandboxing Stops zero-day and

unknown malware in wide

range of file formats

[Restricted] ONLY for designated groups and individuals


Examine:

• System Registry

• Network Connections

• File System Activity

• System Processes

Open and detonate any files

THE TRADITIONAL SANDBOX HOW IT WORKS

Watch for telltale signs of malicious code

at the Operating System level

T H R E AT C O N T AI N E D


THE TRADITIONAL SANDBOX PRONE TO EVASION


ATTACKERS CONSTANTLY DEVELOP NEW EVASION TECHNIQUES

• Not activating the malware on virtual environments

• Delaying the attack… by time or action

• Different OS versions and variants

• Encrypted channels

©2015 Check Point Software Technologies Ltd.


STAYING ONE STEP AHEAD Introducing

Catches More Malware.

Proactive Prevention.

Complete Integrated Protection.


Unprecedented real-time prevention against

unknown malware, zero-day and targeted attacks

WHAT IS SANDBLAST?

Sandboxing

Evasion-

resistant

malware

detection

Threat Extraction

Prompt

Delivery of safe

reconstructed

files



ALREADY A STEP AHEAD

[Protected] Non-confidential content

Independent Test Results

Recommend Check Point for

Security Effectiveness

and Value

HTTP Malware

SMB Malware

Email Malware

Drive-by-Exploits

And 100% Stability / Reliability / Performance Under Load

100% CATCH RATE

These results were achieved

without

CPU-level

Exploit Detection


THE ATTACK CHAIN IN DATA FILES LET’S CHECK UNDER THE HOOD…


Trigger an attack through unpatched

software or zero-day vulnerability

Bypass the CPU and OS security

controls using exploitation methods

Activate an embedded payload to

retrieve the malware

Run malicious code

VULNERABILITY

EXPLOIT

SHELLCODE

MALWARE


A STEP AHEAD BY IDENTIFYING MALWARE AT THE EXPLOIT PHASE


VULNERABILITY

EXPLOIT

SHELLCODE

MALWARE

Thousands

Millions

Only a Handful

DETECT USE OF EXPLOIT METHODS

A Step Ahead of Malware Variants

• Very few exploitation methods

• New ones are very rare

A Step Earlier in the Attack Cycle

• Before sandbox evasion techniques

can be employed

EVASION CODE

©2015 Check Point Software Technologies

Ltd. 14

STAYING AHEAD OF THE MOST COMMON ATTACKS

[Restricted] ONLY for designated groups and

individuals

“Almost all exploits discovered in the last two years

have used return-oriented programming techniques”


A B C

D E

F

CPU OPERATION

Normal execution



ROP EXPLOIT (Return Oriented Programming)

A B C

D E

F 2

1 3

4 5

6 Hijacks small pieces of legitimate code from the memory and manipulates the CPU to load and execute the actual malware.


CPU-LEVEL EXPLOIT DETECTION inspects this data to identify malware before it can deploy

Staying one step ahead

Modern processors include sophisticated

debug and performance monitoring

mechanisms that can track branch

operations



CPU-LEVEL EXPLOIT DETECTION

• Highest catch rate

• Evasion-resistant

• Efficient and fast

• Unique to Check Point


Deliver files safely and

maintain business flow

STAYING A STEP AHEAD

OF USER EXPECTATIONS



THE TRADITIONAL SANDBOX DELAYED RESPONSE


• As a result many sandboxes are deployed in non-blocking mode

• Allows malicious files to reach the user while the sandbox inspects the file in the background

INSPECTION TAKES TIME


SANDBLAST THREAT EXTRACTION


Immediate access

Preemptive protection, not detection

Visibility into attack attempts

Proactive Prevention


A STEP FASTER FOR USERS… PROMPTLY PROVIDING CLEAN FILES


ACCESS TO ORIGINALS AFTER EMULATION


VISIBILITY INTO ATTEMPTED ATTACKS


Flexible deployment

minimizes TCO and

provides complete

threat visibility

A STEP AHEAD IN IMPLEMENTATION



Customized Visibility

Unified Policy

Everywhere Monitoring

UNIFIED MANAGEMENT FOR BEST ROI AND OPTIMAL PROTECTION



SANDBLAST DEPLOYMENT OPTIONS


SandBlast Appliance On premise solution compatible with strict privacy regulations

SandBlast Cloud Easy to deploy cloud-based service

In Step with Your Modern IT Infrastructure


FAST, FLEXIBLE DEPLOYMENT

SANDBLAST

APPLIANCE

CHECK POINT GATEWAY

SANDBLAST

CLOUD


SandBlast for Office 365

SandBlast solution for cloud-based applications - Office365

Office365 integration will be done via Microsoft API with no additional MTA (no on-premises gateway/management needed)

Microsoft API Get email when they arrive at users inbox


Q&A


Staying One Step Ahead with Zero-Day Protection

Technology

Transcript of Staying One Step Ahead with Zero-Day Protection