©2015 Check Point Software Technologies Ltd.
STAYING ONE STEP AHEAD WITH ZERO-DAY PROTECTION CPUL + TEX
Martin Koldovský
Threat Prevention Security Engineer, Eastern Europe
[Restricted] ONLY for designated groups and individuals ©2015 Check Point Software Technologies Ltd.
Starting at 14:55
STAYING ONE STEP AHEAD
of hackers' attempts to evade detection and infiltrate your network
SANDBLAST ZERO-DAY PROTECTION
• CPU-level Exploit Detection: catches the most sophisticated malware before evasion techniques deploy
• Threat Extraction: delivers a safe version of content quickly
• OS-level Sandboxing: stops zero-day and unknown malware in a wide range of file formats
THE TRADITIONAL SANDBOX: HOW IT WORKS
Open and detonate any files
Watch for telltale signs of malicious code at the Operating System level
Examine:
• System Registry
• Network Connections
• File System Activity
• System Processes
THREAT CONTAINED
THE TRADITIONAL SANDBOX: PRONE TO EVASION
ATTACKERS CONSTANTLY DEVELOP NEW EVASION TECHNIQUES
• Not activating the malware in virtual environments
• Delaying the attack, by elapsed time or by waiting for an action
• Different OS versions and variants
• Encrypted channels
STAYING ONE STEP AHEAD: Introducing SandBlast
Catches More Malware.
Proactive Prevention.
Complete Integrated Protection.
WHAT IS SANDBLAST?
Unprecedented real-time prevention against unknown malware, zero-day and targeted attacks
• Sandboxing: evasion-resistant malware detection
• Threat Extraction: prompt delivery of safe, reconstructed files
ALREADY A STEP AHEAD
Independent test results recommend Check Point for security effectiveness and value:
• 100% catch rate for HTTP malware, SMB malware, email malware and drive-by exploits
• 100% stability, reliability and performance under load
These results were achieved without CPU-level Exploit Detection
THE ATTACK CHAIN IN DATA FILES: LET'S CHECK UNDER THE HOOD…
• VULNERABILITY: trigger an attack through unpatched software or a zero-day vulnerability
• EXPLOIT: bypass the CPU and OS security controls using exploitation methods
• SHELLCODE: activate an embedded payload to retrieve the malware
• MALWARE: run malicious code
A STEP AHEAD BY IDENTIFYING MALWARE AT THE EXPLOIT PHASE
VULNERABILITY (thousands) → EXPLOIT (only a handful of methods) → SHELLCODE → EVASION CODE → MALWARE (millions of variants)
DETECT USE OF EXPLOIT METHODS
A Step Ahead of Malware Variants
• Very few exploitation methods
• New ones are very rare
A Step Earlier in the Attack Cycle
• Before sandbox evasion techniques can be employed
STAYING AHEAD OF THE MOST COMMON ATTACKS
"Almost all exploits discovered in the last two years have used return-oriented programming techniques"
CPU OPERATION: Normal execution
[Figure: code blocks A, B, C, D, E, F executed in their intended order]
ROP EXPLOIT (Return Oriented Programming)
[Figure: the same blocks A to F executed in attacker-chosen order, steps 1 to 6]
Hijacks small pieces of legitimate code already present in memory (gadgets) and manipulates the CPU into loading and executing the actual malware.
CPU-LEVEL EXPLOIT DETECTION: Staying one step ahead
Modern processors include sophisticated debug and performance monitoring mechanisms that can track branch operations. CPU-level Exploit Detection inspects this data to identify malware before it can deploy.
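The two preceding slides (the ROP exploit and the branch-tracking detection) can be made concrete in code. The following is an added example written for this page, not Check Point's implementation and not a description of how SandBlast works internally: it hand-assembles a small x86-64 code image (constructed bytes, assumed addresses from 0x401000), shows the attacker side, which is locating gadgets that end in `ret`, and the defender side, which is the call-preceded-return check that last-branch-record based ROP detectors apply: a legitimate `ret` must land on the instruction immediately following a `call`. The branch trace entries and their `is_ret` flags are constructed to mimic what the processor's branch records would contain.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed x86-64 code image for the demo (hand-assembled bytes, not a
 * real binary). Function A calls function B; the bytes in between happen
 * to end in ret and therefore form ROP gadgets. */
#define BASE 0x401000u
static const uint8_t code[] = {
    /* 0x00 */ 0x55,                          /* A: push rbp */
    /* 0x01 */ 0x48, 0x89, 0xe5,              /*    mov  rbp, rsp */
    /* 0x04 */ 0xe8, 0x0b, 0x00, 0x00, 0x00,  /*    call B (rel32 -> 0x14) */
    /* 0x09 */ 0x5d,                          /*    pop  rbp */
    /* 0x0a */ 0xc3,                          /*    ret */
    /* 0x0b */ 0x58,                          /* pop rax  ; gadget */
    /* 0x0c */ 0xc3,                          /* ret */
    /* 0x0d */ 0x5f,                          /* pop rdi  ; gadget */
    /* 0x0e */ 0xc3,                          /* ret */
    /* 0x0f */ 0x0f, 0x05,                    /* syscall  ; gadget */
    /* 0x11 */ 0xc3,                          /* ret */
    /* 0x12 */ 0x90, 0x90,                    /* nop nop */
    /* 0x14 */ 0x48, 0x31, 0xc0,              /* B: xor rax, rax */
    /* 0x17 */ 0xc3,                          /*    ret */
};
#define CODE_LEN ((uint32_t)sizeof code)

/* One branch record: where the branch left from and where it landed, as a
 * last-branch-record facility reports it. The is_ret flag is supplied by
 * the constructed trace here; in a real deployment branch type comes from
 * the processor's LBR filtering, which this example does not model. */
struct branch { uint32_t from, to; bool is_ret; };

static const uint8_t *at(uint32_t addr) {
    if (addr < BASE || addr >= BASE + CODE_LEN) return NULL;
    return &code[addr - BASE];
}

/* Attacker's view: find a byte pattern immediately followed by ret (0xC3). */
uint32_t find_gadget(const uint8_t *pat, size_t n) {
    for (size_t i = 0; i + n < CODE_LEN; i++)
        if (memcmp(&code[i], pat, n) == 0 && code[i + n] == 0xC3)
            return BASE + (uint32_t)i;
    return 0;
}

/* Defender's view: a legitimate ret lands on the instruction right after a
 * call. Check the three common call encodings ending exactly at 'to'. */
bool call_preceded(uint32_t to) {
    const uint8_t *p;
    if (!at(to)) return false;                                                  /* target outside image */
    if ((p = at(to - 5)) && p[0] == 0xE8) return true;                          /* call rel32 */
    if ((p = at(to - 2)) && p[0] == 0xFF && (p[1] & 0xF8) == 0xD0) return true; /* call reg */
    if ((p = at(to - 6)) && p[0] == 0xFF && p[1] == 0x15) return true;          /* call [rip+disp32] */
    return false;
}

/* Count ret records whose target is not call-preceded. */
int rop_violations(const struct branch *tr, size_t n) {
    int bad = 0;
    for (size_t i = 0; i < n; i++)
        if (tr[i].is_ret && !call_preceded(tr[i].to)) bad++;
    return bad;
}

/* Normal execution (slide "CPU OPERATION"): A calls B, B returns into A. */
int demo_benign(void) {
    const struct branch tr[] = {
        { BASE + 0x04, BASE + 0x14, false },
        { BASE + 0x17, BASE + 0x09, true  },
    };
    return rop_violations(tr, 2);
}

/* ROP (slide "ROP EXPLOIT"): A's hijacked ret walks a chain of gadgets. */
int demo_rop_chain(void) {
    const uint8_t pop_rdi[] = { 0x5f }, pop_rax[] = { 0x58 }, sysc[] = { 0x0f, 0x05 };
    uint32_t g1 = find_gadget(pop_rdi, 1), g2 = find_gadget(pop_rax, 1), g3 = find_gadget(sysc, 2);
    const struct branch tr[] = {
        { BASE + 0x0a, g1, true },   /* ret of A -> pop rdi; ret */
        { g1 + 1,      g2, true },   /* ret      -> pop rax; ret */
        { g2 + 1,      g3, true },   /* ret      -> syscall; ret */
    };
    return rop_violations(tr, 3);
}

int main(void) {
    printf("benign trace: %d suspicious returns\n", demo_benign());
    printf("ROP chain:    %d suspicious returns\n", demo_rop_chain());
    return 0;
}
```

The benign trace produces no violations; every return in the gadget chain is flagged because nothing that decodes as a call ends at the gadget address. Two caveats a practitioner should keep in mind: the byte check can be fooled by an 0xE8 that is really immediate data (false positive), and attackers respond with call-preceded gadgets, which is why real detectors combine this check with chain-length and gadget-size heuristics rather than relying on it alone.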
CPU-LEVEL EXPLOIT DETECTION
• Highest catch rate
• Evasion-resistant
• Efficient and fast
• Unique to Check Point
STAYING A STEP AHEAD OF USER EXPECTATIONS
Deliver files safely and maintain business flow
THE TRADITIONAL SANDBOX: DELAYED RESPONSE
INSPECTION TAKES TIME
• As a result, many sandboxes are deployed in non-blocking mode
• This allows malicious files to reach the user while the sandbox inspects the file in the background
SANDBLAST THREAT EXTRACTION
• Immediate access
• Preemptive protection, not detection
• Visibility into attack attempts
Proactive Prevention
A STEP FASTER FOR USERS… PROMPTLY PROVIDING CLEAN FILES
ACCESS TO ORIGINALS AFTER EMULATION
VISIBILITY INTO ATTEMPTED ATTACKS
A STEP AHEAD IN IMPLEMENTATION
Flexible deployment minimizes TCO and provides complete threat visibility
UNIFIED MANAGEMENT FOR BEST ROI AND OPTIMAL PROTECTION
• Customized Visibility
• Unified Policy
• Everywhere Monitoring
SANDBLAST DEPLOYMENT OPTIONS
• SandBlast Appliance: on-premises solution compatible with strict privacy regulations
• SandBlast Cloud: easy-to-deploy cloud-based service
In Step with Your Modern IT Infrastructure
FAST, FLEXIBLE DEPLOYMENT
[Figure: Check Point Gateway with the SandBlast Appliance and SandBlast Cloud deployment options]
SANDBLAST FOR OFFICE 365
SandBlast solution for cloud-based applications: Office 365
• Office 365 integration is done via the Microsoft API with no additional MTA (no on-premises gateway or management needed)
• Microsoft API: fetch emails as they arrive in users' inboxes
Q&A