Advanced Threat Protection

1. Advanced Threat Protection Addressing Today’s Latest Attacks Nabila EL ATTABI

2. Agenda • Market Situation • Breaches, Priorities and Options • Why Sandboxing • Introduction to Sandbox • What it is and does • Key components • `How Does it works • Compared to stand-alone approaches • Compared to integrated offerings • Recap and Discussion

3. Market Situation

5. APTs, Data Breaches Top of Mind Priority of IT Security Initiatives in 2016 Source: IDG Research, January 2016

6. There is Good Reason For Concern Incidents Breaches • 64,199 incidents • 2,260 breaches • CEOs, CIOs and CISOs who resigned All organizations should now assume that they are in a state of continuous compromise. — Gartner, 2/14/14 Sources: Verizon 2016 Data Breach Investigations Report, April 2016 Gartner. Designing an Adaptive Security Architecture for Protection From Advanced Attacks. February 2014.

7. Advanced Threat Protection • Cyber Acronym jungle: APT, ATA, ATP – what’s it all mean? • APT – Advanced Persistent Threat • Advanced – targeted, multi-faceted, coordinated • Persistent – never ends, of particular concern - capitalizes on just one mistake • Threat – political in nature, monetary gain, notoriety, revenge Confidential

8. Advanced Threat Protection • Cyber Acronym jungle: APT, ATA, ATP – what’s it all mean? • ATA – Advanced Targeted Attack • Advanced – targeted, multi-faceted, coordinated • Targeted – the advantage of targeting a specific company or system. Normally knowledge of weakness in defense is exploited • Attack – focus of effort, embarrass, produce notoriety, enforce will Confidential

9. Advanced Threat Protection • The Zero-Day – oft misconfused! • A zero-day (or zero-hour or day zero) attack or threat is a computer threat that tries to exploit computer application vulnerabilities that are unknown to others or undisclosed to the software developer. Zero-day exploits (actual code that can use a security hole to carry out an attack) are used or shared by attackers before the software developer knows about the vulnerability.(sans.org) Confidential

10. Advanced Threat Protection • Cyber Acronym jungle: APT, ATA, ATP • Advanced Threat Protection Framework • Framework used to integrate security assets to break kill chain of ATs • Centered around Prevention, Detection, and Mitigation Confidential

11. How Does it Remain Undetected? Unique Code.

12. How Should We Address it? Sandboxing.

13. IDC Forecasts Spending of $2bn…Mostly on Sandboxing

14. Does Sandboxing Really Work? Source: Forrester Sandbox Survey, August 2015

15. Sandbox Introduction

16. Kill Chain of an Advanced Attack Bots leverage legitimate IPs to pass filters. Social engineering fools recipient. Spam Anti-spam Malicious Email Malicious Link Fast flux stays ahead of web ratings Web Filtering Malicious Web Site Exploit Intrusion Prevention Zero-days pass IPS Compression passes static inspection Malware Antivirus Command & Control Center Encrypted communication passes controls Bot Commands & Stolen Data App Control/ IP Reputation

17. Enter Sandboxing • Sandbox Spam Anti-spam Malicious Email Malicious Link Web Filtering Malicious Web Site Exploit Intrusion Prevention Malware Antivirus Command & Control Center Bot Commands & Stolen Data App Control/ IP Reputation

18. Sandbox Overview An advanced threat detection solution the analyzes dynamic activity, rather than static attributes, to identify previously unknown malware • Extracts objects for more inspection • Analyzes runtime operation in a virtual environment • Provides risk ratings • Uncovers, distributes threat intelligence • Detects call back attempts 3 modes of operation • Sniffer: span port mode to capture all packets • On-demand: manual submission of files • Integrated: with NGFW, SEG, WAF and EPP

19. Key Sandbox Components • Distribute real-time updates • Feed global systems Intelligence Sharing • Identify the ultimate aim, call back & exfiltration • Mitigate securityupdates Call Back Detection • Examine real-time, full lifecycle activity to get the threat to expose itself Full Virtual Sandbox • Quickly simulate intended activity • OS independent and immune to evasion/obfuscation Code Emulation • Check community intelligence & file reputation Cloud File Query • Apply top-rated anti-malware engine AV Prefilter

20. ATP Details Network Traffic • 2. File type support • AV Prefilter: all • Full Sandbox: as follows • Archived: .tar, .gz, .tar.g, .tgz, .zip, .bz2, .tar.bz2, .bz, .tar.Z, .cab, .rar, .arj • Executable: PE, .dll, .scr • File: PDF, Office, SWF, Google APKs • URLs • 1. Protocol support • Stand-alone mode: HTTP, FTP, POP3, IMAP, SMTP, SMB • NGFW Integrated: HTTP, FTP,POP3, IMAP, SMTP, SMB, MAPI, IM and SSL encrypted equivalents • Mail Integrated: SMTP • EndPointIntegrated: All • 3. Operating Environment • Code emulation: OS-independent • Sandbox: Windows XP, 7, 8, 10, Android, IE, Adobe, Office 2007, 2010, Custom VM Objects for Inspection Ratings and Updates

21. API • JSON based API for 3rdparties • Can receive objects, return ratings, share update packages and more • Antivirus integration Unknown objects Unknown objects Automated Response Unknown objects CbEP Client Risk Ratings Bit9 Server Internet Automated Response CbEP Client

22. The Value of ATP

23. Getting More Out of Your Sandbox

24. Advanced Threat Protection Solution

25. Which is Why We Promote Advanced Threat Protection (ATP) • Known Threats • Reduce Attack Surface • Inspect & Block Known Threats • Unknown Threats • Identify Unknown Threats • Assess Behavior & Identify Trends • Response • Identify scope • Mitigate impact

26. Technical Interaction

27. Recap

28. Key Points • Data breaches continue to make headlines, are the #1 priority for 2016 • Sandboxing addresses the source (custom malware) of the problem • The integrated approach of Advanced Threat Protection is unmatched • Pick the point(s) of integration that make sense over time