
Advanced Threat Protection



Presentation Transcript


  1. Advanced Threat Protection – Addressing Today’s Latest Attacks. Nabila EL ATTABI

  2. Agenda • Market Situation • Breaches, Priorities and Options • Why Sandboxing • Introduction to Sandbox • What it is and does • Key components • How does it work • Compared to stand-alone approaches • Compared to integrated offerings • Recap and Discussion

  3. Market Situation

  4. APTs, Data Breaches Top of Mind – Priority of IT Security Initiatives in 2016. Source: IDG Research, January 2016

  5. There is Good Reason For Concern • Incidents: 64,199 • Breaches: 2,260 • CEOs, CIOs and CISOs who resigned. "All organizations should now assume that they are in a state of continuous compromise." — Gartner, 2/14/14. Sources: Verizon 2016 Data Breach Investigations Report, April 2016; Gartner, Designing an Adaptive Security Architecture for Protection From Advanced Attacks, February 2014.

  6. Advanced Threat Protection • Cyber acronym jungle: APT, ATA, ATP – what does it all mean? • APT – Advanced Persistent Threat • Advanced – targeted, multi-faceted, coordinated • Persistent – never ends; of particular concern because it capitalizes on just one mistake • Threat – political in nature, monetary gain, notoriety, revenge. Confidential

  7. Advanced Threat Protection • Cyber acronym jungle: APT, ATA, ATP – what does it all mean? • ATA – Advanced Targeted Attack • Advanced – targeted, multi-faceted, coordinated • Targeted – aimed at a specific company or system; normally, knowledge of a weakness in its defenses is exploited • Attack – a focused effort to embarrass, produce notoriety or enforce will

  8. Advanced Threat Protection • The zero-day – often confused with the above! • A zero-day (or zero-hour or day zero) attack or threat is a computer threat that tries to exploit computer application vulnerabilities that are unknown to others or undisclosed to the software developer. Zero-day exploits (actual code that can use a security hole to carry out an attack) are used or shared by attackers before the software developer knows about the vulnerability. (sans.org)

  9. Advanced Threat Protection • Cyber acronym jungle: APT, ATA, ATP • ATP – Advanced Threat Protection framework • A framework used to integrate security assets to break the kill chain of advanced threats • Centered around Prevention, Detection and Mitigation

  10. How Does it Remain Undetected? Unique Code.

  11. How Should We Address it? Sandboxing.

  12. IDC Forecasts Spending of $2bn…Mostly on Sandboxing

  13. Does Sandboxing Really Work? Source: Forrester Sandbox Survey, August 2015

  14. Sandbox Introduction

  15. Kill Chain of an Advanced Attack – each stage, the control meant to stop it, and how the attack slips past it
  • Spam – Anti-spam: bots leverage legitimate IPs to pass filters
  • Malicious email / malicious link – Anti-spam, Web Filtering: social engineering fools the recipient
  • Malicious web site – Web Filtering: fast flux stays ahead of web ratings
  • Exploit – Intrusion Prevention: zero-days pass IPS
  • Malware – Antivirus: compression (packing) passes static inspection
  • Command & Control center – App Control / IP Reputation: encrypted communication passes controls
  • Bot commands & stolen data

  16. Enter Sandboxing – the same chain with a Sandbox added alongside the existing controls
  • Spam – Anti-spam
  • Malicious email / malicious link – Anti-spam, Web Filtering
  • Malicious web site – Web Filtering
  • Exploit – Intrusion Prevention
  • Malware – Antivirus, Sandbox
  • Command & Control center – App Control / IP Reputation
  • Bot commands & stolen data

  17. Sandbox Overview – an advanced threat detection solution that analyzes dynamic activity, rather than static attributes, to identify previously unknown malware
  • Extracts objects for further inspection
  • Analyzes runtime operation in a virtual environment
  • Provides risk ratings
  • Uncovers and distributes threat intelligence
  • Detects call-back attempts
  Three modes of operation
  • Sniffer: span-port mode to capture all packets
  • On-demand: manual submission of files
  • Integrated: with NGFW, SEG, WAF and EPP

  18. Key Sandbox Components (in the order an object passes through them)
  • AV Prefilter – apply a top-rated anti-malware engine to drop known malware before it reaches the sandbox
  • Cloud File Query – check community intelligence and file reputation
  • Code Emulation – quickly simulate the intended activity; OS-independent and resistant (not immune) to evasion and obfuscation
  • Full Virtual Sandbox – examine real-time, full-lifecycle activity to get the threat to expose itself
  • Call Back Detection – identify the ultimate aim: call-back and exfiltration; mitigate via security updates
  • Intelligence Sharing – distribute real-time updates; feed global systems

  19. ATP Details – Objects for Inspection, Ratings and Updates
  1. Protocol support
  • Stand-alone mode: HTTP, FTP, POP3, IMAP, SMTP, SMB
  • NGFW integrated: HTTP, FTP, POP3, IMAP, SMTP, SMB, MAPI, IM and the SSL/TLS-encrypted equivalents
  • Mail integrated: SMTP
  • Endpoint integrated: all
  2. File type support
  • AV prefilter: all
  • Full sandbox: as follows
  – Archived: .tar, .gz, .tar.gz, .tgz, .zip, .bz2, .tar.bz2, .bz, .tar.Z, .cab, .rar, .arj
  – Executable: PE, .dll, .scr
  – File: PDF, Office, SWF, Android APKs
  – URLs
  3. Operating environment
  • Code emulation: OS-independent
  • Sandbox: Windows XP, 7, 8, 10, Android; IE, Adobe, Office 2007, 2010; custom VM
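The "extracts objects for more inspection" step of slide 17 and the archive list on slide 19 hide a practical problem: archives nest, members lie about their extension, and a hostile archive can be built to exhaust the extractor. The following is an added example (not code from the presentation or from any vendor's product) of object extraction for sandbox submission: it types each object by magic bytes rather than file name, records a PE delivered under a document extension, and caps nesting depth, member count and declared size so that "could not inspect" becomes a rated finding rather than a silent skip. The depth and size limits, type labels, flag names and the sample archive are assumptions made for illustration; only zip is opened here, though the same shape applies to the other formats on the slide.

```python
# Added example (not from the presentation): recursive object extraction from
# archives for sandbox submission. Objects are typed by magic bytes rather
# than extension, and nesting depth, member count and declared size are capped
# so a deeply nested or inflated archive cannot exhaust the extractor.
# All thresholds, type labels and sample files are assumptions for illustration.
import hashlib
import io
import zipfile

MAX_DEPTH = 3                       # assumed: archives nested deeper are flagged, not opened
MAX_MEMBERS = 1000                  # assumed cap on total members across all nesting levels
MAX_TOTAL_BYTES = 50 * 1024 * 1024  # assumed cap on total declared uncompressed size

# Magic-byte signatures for a subset of the object classes on the slide.
MAGIC = [
    (b"MZ", "executable/pe"),                      # PE .exe/.dll/.scr share the DOS header
    (b"%PDF", "document/pdf"),
    (b"PK\x03\x04", "archive/zip"),                # also Office OOXML and Android APK
    (b"\xd0\xcf\x11\xe0", "document/ole-office"),  # legacy .doc/.xls/.ppt
    (b"FWS", "document/swf"),
    (b"CWS", "document/swf"),
]
EXECUTABLE_EXTS = {"exe", "dll", "scr"}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def identify(data: bytes) -> str:
    """Type an object by its leading bytes; unknown types are still submitted."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    return "unknown"


def extract_objects(data, name="<root>", depth=0, budget=None):
    """Return a list of (path, type, sha256, flags) for every leaf object.

    Zip containers are opened and recursed into up to MAX_DEPTH; anything else
    is a leaf. Flags record why an object deserves extra attention or why the
    extractor stopped, so the caller can rate "could not inspect" as a finding.
    """
    if budget is None:
        budget = {"members": 0, "bytes": 0}
    kind = identify(data)
    if kind == "archive/zip":
        if depth >= MAX_DEPTH:
            return [(name, kind, sha256(data), ["nested-too-deep"])]
        leaves = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                path = f"{name}/{info.filename}"
                budget["members"] += 1
                budget["bytes"] += info.file_size        # declared size, checked before reading
                if budget["members"] > MAX_MEMBERS or budget["bytes"] > MAX_TOTAL_BYTES:
                    leaves.append((path, kind, sha256(data), ["budget-exceeded"]))
                    break
                if info.flag_bits & 0x1:                  # encrypted member: cannot inspect
                    leaves.append((path, "encrypted-member", "", ["password-protected"]))
                    continue
                leaves.extend(extract_objects(zf.read(info), path, depth + 1, budget))
        return leaves
    flags = []
    leaf_name = name.rsplit("/", 1)[-1]
    ext = leaf_name.rsplit(".", 1)[-1].lower() if "." in leaf_name else ""
    if kind == "executable/pe" and ext not in EXECUTABLE_EXTS:
        flags.append("extension-mismatch")               # e.g. a PE delivered as invoice.pdf
    return [(name, kind, sha256(data), flags)]


def make_zip(members):
    """Build an in-memory zip from {name: bytes} (used to construct the sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


# Constructed sample input: a PE stub disguised as a PDF, a PDF header, a PE
# inside a nested zip, and a four-level nesting that trips the depth cap.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 40   # header stub, not runnable code
FAKE_PDF = b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\n%%EOF\n"
SAMPLE = make_zip({
    "invoice.pdf": FAKE_PE,
    "notes.pdf": FAKE_PDF,
    "tools.zip": make_zip({"update.scr": FAKE_PE}),
    "deep.zip": make_zip({"l2.zip": make_zip({"l3.zip": make_zip({"payload.exe": FAKE_PE})})}),
})

if __name__ == "__main__":
    for path, kind, digest, flags in extract_objects(SAMPLE):
        print(f"{kind:20} {digest[:12]} {path} {flags}")
```

Note that the size check uses the declared uncompressed size from the central directory, which a crafted archive can understate; a production extractor also bounds the bytes actually read from each member. Password-protected members are a common way to get past a prefilter, so they are reported rather than dropped.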

  20. API
  • JSON-based API for third parties
  • Can receive objects, return ratings, share update packages and more
  • Antivirus integration example (diagram): CbEP (Carbon Black Enterprise Protection) clients pass unknown objects to the Bit9 server, which submits them to the sandbox; the sandbox returns risk ratings, and an automated response is pushed back to the CbEP clients. Diagram labels: Unknown objects, Risk Ratings, Automated Response, CbEP Client, Bit9 Server, Internet.
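Slides 17 and 18 say the sandbox rates dynamic activity and detects call-back attempts, and slide 20 says the rating goes out over a JSON API. The following is an added example (not code from the presentation or from any vendor's product) of what that looks like end to end: a behavioural trace from a sandbox run is scored on distinct triggered behaviours, outbound connections are checked for known command-and-control addresses and for periodic beaconing, and the result is serialised as JSON of the kind a third-party integration could consume. It also covers the edge case slide 18 alludes to with "get the threat to expose itself": a sample that fingerprints the VM and exits cleanly is rated suspicious, not clean. Event names, weights, thresholds, the intel-feed entry and the three traces are all constructed for illustration.

```python
# Added example (not from the presentation): rating a sandbox run from its
# behavioural trace instead of static attributes, detecting call-back attempts
# (known C2, periodic beaconing), and emitting the rating as JSON of the kind a
# third-party integration could consume. Event names, weights, thresholds, the
# intel entry and the traces are all constructed for illustration.
import json

# Weighted behaviours (assumed). Evasion probes score too: a sample that checks
# for a VM and then exits cleanly is itself a finding, not a "clean" run.
WEIGHTS = {
    "process.create:shell_from_office": 30,  # Word/Excel spawning cmd/powershell
    "file.write:startup_folder": 25,         # persistence
    "registry.set:run_key": 25,              # persistence
    "process.inject": 35,                    # code injection into another process
    "api.call:vm_detect": 30,                # sandbox/VM fingerprinting
    "net.dns:newly_registered_domain": 20,
    "file.encrypt:mass": 40,
}
KNOWN_C2 = {"198.51.100.23"}   # constructed intel-feed entry (documentation address range)
CALLBACK_BONUS = 30
SUSPICIOUS, MALICIOUS = 30, 70


def detect_callbacks(events):
    """Return call-back findings: connections to known C2 and periodic beacons."""
    conns = [e for e in events if e["type"] == "net.connect"]
    findings = [{"dst": d, "reason": "known-c2"}
                for d in sorted({e["dst"] for e in conns if e["dst"] in KNOWN_C2})]
    by_dst = {}
    for e in conns:
        by_dst.setdefault(e["dst"], []).append(e["t"])
    for dst, ts in sorted(by_dst.items()):
        if len(ts) < 3:
            continue                                  # need at least three hits to see a rhythm
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if max(gaps) - min(gaps) <= 0.1 * max(gaps):  # jitter within 10%: beacon
            findings.append({"dst": dst, "reason": "beacon",
                             "interval_s": round(sum(gaps) / len(gaps), 1)})
    return findings


def rate(trace):
    """Score 0-100 from distinct triggered behaviours plus a call-back bonus."""
    triggered = set()
    for e in trace["events"]:
        key = e["type"] + (":" + e["tag"] if e.get("tag") else "")
        if key in WEIGHTS:
            triggered.add(key)
    score = sum(WEIGHTS[k] for k in triggered)
    callbacks = detect_callbacks(trace["events"])
    if callbacks:
        score += CALLBACK_BONUS
    score = min(100, score)
    verdict = ("malicious" if score >= MALICIOUS
               else "suspicious" if score >= SUSPICIOUS else "clean")
    return {"sha256": trace["sha256"], "score": score, "verdict": verdict,
            "behaviours": sorted(triggered), "callbacks": callbacks}


def to_api_json(rating):
    """Serialise a rating the way a JSON API would hand it to a third party."""
    return json.dumps(rating, sort_keys=True)


# Constructed traces. Timestamps are seconds since the run started.
MALICIOUS_TRACE = {"sha256": "a" * 64, "events": [
    {"type": "process.create", "tag": "shell_from_office", "t": 1.2},
    {"type": "file.write", "tag": "startup_folder", "t": 2.0},
    {"type": "registry.set", "tag": "run_key", "t": 2.1},
    {"type": "net.dns", "tag": "newly_registered_domain", "t": 9.5},
    {"type": "net.connect", "dst": "198.51.100.23", "t": 10.0},
    {"type": "net.connect", "dst": "198.51.100.23", "t": 70.0},
    {"type": "net.connect", "dst": "198.51.100.23", "t": 130.0},
    {"type": "net.connect", "dst": "198.51.100.23", "t": 190.0},
]}
BENIGN_TRACE = {"sha256": "b" * 64, "events": [
    {"type": "process.create", "tag": "winword", "t": 0.8},
    {"type": "file.read", "tag": "fonts", "t": 1.0},
    {"type": "net.connect", "dst": "203.0.113.5", "t": 2.0},   # one-off update check
]}
EVASIVE_TRACE = {"sha256": "c" * 64, "events": [
    {"type": "api.call", "tag": "vm_detect", "t": 0.3},
    {"type": "process.exit", "t": 0.4},                        # bails out before doing anything
]}

if __name__ == "__main__":
    for trace in (MALICIOUS_TRACE, BENIGN_TRACE, EVASIVE_TRACE):
        print(to_api_json(rate(trace)))
```

Each behaviour counts once no matter how often it fires, so a sample cannot be made to look worse (or a score inflated) by looping; the beacon check needs three connections with near-constant spacing, which is why the sandbox run has to be long enough to observe a second and third call-back.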

  21. The Value of ATP

  22. Getting More Out of Your Sandbox

  23. Advanced Threat Protection Solution

  24. Which is Why We Promote Advanced Threat Protection (ATP)
  • Known threats – reduce the attack surface; inspect and block known threats
  • Unknown threats – identify unknown threats; assess behavior and identify trends
  • Response – identify scope; mitigate impact

  25. Technical Interaction

  26. Recap

  27. Key Points • Data breaches continue to make headlines, are the #1 priority for 2016 • Sandboxing addresses the source (custom malware) of the problem • The integrated approach of Advanced Threat Protection is unmatched • Pick the point(s) of integration that make sense over time
