Manage the risk of major threats

You can now watch the full talks from #jornadanextelxvi on #Risk #Management (#riskmanagement): http://www.nextel.es/jornadanextelxvi

Published in: Technology
Notes
  • The blade is responsible for 3 main activities: identifying bot-infected machines in the organization (most organizations today are unable to detect bot infections); preventing their damage by blocking bot communication to C&C sites, making sure no sensitive information can be stolen and sent out of the organization; and providing the organization with threat visibility to assess damage and decide on next steps (again, most organizations today have limited visibility into malware infections).
  • Simple deployment: ready to protect any network in minutes! Transparent network device that easily fits into the existing network topology (layer 2 bridge). Can also be deployed in Learning Mode to adjust the Behavioral Analysis Engine to the protected network and applications. Minimal maintenance after initial configuration.
  • There are 3 DDoS protection deployment types: on the customer premises, off-site, or both. On-premise solutions can have better response times and can be customized to each network. Off-site deployment helps by moving the problem away from the protected network; it fits when the attack is on bandwidth. A deployment of both types of solution can leverage the advantages of the two deployment options.
  • High Availability on DefensePro
    To support high availability (HA), you can configure two compatible DefensePro devices to operate in a two-node cluster. To be compatible, both cluster members must be of the same platform, software version, software license, throughput license, and Radware signature file. One member of the cluster is the primary; the other member of the cluster is the secondary. When you configure a cluster and commit the configuration, the newly specified primary device configures the required parameters on the secondary device.
    You can configure a DefensePro high-availability cluster in the following ways:
    • To configure the primary device of the cluster, the failover parameters, and the advanced parameters, you can use the High Availability pane (Configuration perspective > Setup > High Availability). When you specify the primary device, you specify the peer device, which becomes the secondary member of the cluster.
    • To configure only the basic parameters of a cluster (Cluster Name, Primary Device, and Associated Management Ports), you can use the Configuration perspective main navigation pane System tab.
    The members of a cluster work in an active-passive architecture. When a cluster is created:
    • The primary device becomes the active member.
    • The secondary device becomes the passive member.
    • The primary device transfers the relevant configuration objects to the secondary device.
    A secondary device maintains its own configuration for the device users, IP interfaces, and routing. A primary device immediately transfers each relevant change to its secondary device. For example, after you make a change to a Network Protection policy, the primary device immediately transfers the change to the secondary device. However, if you change the list of device users on the primary device, the primary device transfers nothing (because the secondary device maintains its own list of device users). The passive device periodically synchronizes baselines for BDoS and HTTP Mitigator protections.
    The following situations trigger the active device and the passive device to switch states (active to passive and passive to active):
    • The passive device does not detect the active device according to the specified Heartbeat Timeout.
    • All links are identified as down on the active device according to the specified Link Down Timeout.
    • Optionally, the traffic to the active device falls below the specified Idle Line Threshold for the specified Idle Line Timeout.
    • You issue the Switch Over command. To switch the device states, in the Monitoring & Control perspective navigation pane System tab, right-click the cluster node, and then select Switch over.
    You can perform only the following actions on a secondary device:
    • Switch the device state (that is, switch over active to passive and passive to active)
    • Break the cluster if the primary device is unavailable
    • Configure management IP addresses and routing
    • Manage device users
    • Download a device configuration
    • Upload a signature file
    • Download the device log file
    • Download the support log file
    • Reboot
    • Shut down
    • Change the device name
    • Change the device time
    • Initiate a baseline synchronization if the device is passive, using CLI or Web Based Management
    Notes:
    • You can initiate a baseline synchronization if a cluster member is passive, using CLI or Web Based Management.
    • In an existing cluster, you cannot change the role of a device (primary to secondary or vice versa). To change the role of a device, you need to break the cluster (that is, ungroup the two devices), and then reconfigure the cluster as you require.
    • If the devices of a cluster belong to different sites, APSolute Vision creates the cluster node under the site where the primary device resides, and APSolute Vision removes the secondary device from the site where it was configured.
    • APSolute Vision issues an alert if the state of the device clusters is ambiguous, for example, if there has been no trigger for switchover and both cluster members detect traffic. This state is normal during the initial synchronization process.
    • There is no failback mechanism. There is only the automatic switchover action and the manual Switch Over command.
    • When a passive device becomes active, any grace time resets to 0 (for example, the time of the Graceful Startup Mode Startup Timer).
    • You can monitor high-availability operation in the High Availability pane of the Monitoring & Control perspective.
    For more details, please refer to the DefensePro User Guide.
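    A small simulation of the switchover rules in the note above, added here as an illustration; it is hypothetical code, not Radware's or Check Point's DefensePro implementation, and the timeout values, the traffic threshold and the sample timeline are constructed. It exercises all four triggers (Heartbeat Timeout, Link Down Timeout, the optional Idle Line Threshold/Timeout, and the Switch Over command), the absence of failback, the grace-time reset, and the ambiguous-state alert.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class HaConfig:  # failover parameters named on the page; default values are constructed
    heartbeat_timeout: float = 3.0               # s without a heartbeat before the passive acts
    link_down_timeout: float = 5.0               # s with all links down on the active device
    idle_line_threshold: Optional[float] = None  # bytes/s; None disables this optional trigger
    idle_line_timeout: float = 10.0              # s below the threshold before switchover

@dataclass
class Sample:  # one monitoring interval as seen by the cluster (constructed input)
    t: float                   # seconds since the cluster was created
    heartbeat_seen: bool       # passive received the active device's heartbeat
    links_up: int              # links up on the active device
    active_bps: float          # traffic reaching the active device
    passive_bps: float = 0.0   # traffic reaching the passive device
    switch_over_cmd: bool = False

@dataclass
class Cluster:
    cfg: HaConfig
    active: str = "primary"    # the primary becomes active when the cluster is created
    passive: str = "secondary"
    grace_time: float = 0.0    # e.g. Graceful Startup Mode timer; resets on switchover
    events: List[Tuple[float, str, str]] = field(default_factory=list)
    _last_hb: float = 0.0
    _last_t: float = 0.0
    _links_down_since: Optional[float] = None
    _idle_since: Optional[float] = None

    def _switch(self, t: float, reason: str) -> str:
        # Automatic switchover or manual Switch Over; there is no failback afterwards.
        self.active, self.passive = self.passive, self.active
        self.grace_time = 0.0
        self._last_hb, self._links_down_since, self._idle_since = t, None, None
        self.events.append((t, reason, self.active))
        return reason

    def step(self, s: Sample) -> Optional[str]:
        """Apply one sample; return the trigger that fired, an alert name, or None."""
        self.grace_time += s.t - self._last_t
        self._last_t = s.t
        if s.switch_over_cmd:
            return self._switch(s.t, "switch_over_command")
        if s.heartbeat_seen:
            self._last_hb = s.t
        elif s.t - self._last_hb >= self.cfg.heartbeat_timeout:
            return self._switch(s.t, "heartbeat_timeout")
        if s.links_up == 0:
            self._links_down_since = s.t if self._links_down_since is None else self._links_down_since
            if s.t - self._links_down_since >= self.cfg.link_down_timeout:
                return self._switch(s.t, "link_down_timeout")
        else:
            self._links_down_since = None
        if self.cfg.idle_line_threshold is not None and s.active_bps < self.cfg.idle_line_threshold:
            self._idle_since = s.t if self._idle_since is None else self._idle_since
            if s.t - self._idle_since >= self.cfg.idle_line_timeout:
                return self._switch(s.t, "idle_line_timeout")
        else:
            self._idle_since = None
        # No trigger, yet both members see traffic: the ambiguous state APSolute Vision alerts on.
        if s.active_bps > 0 and s.passive_bps > 0:
            return "ambiguous_state_alert"
        return None

def run_scenario() -> Tuple[Cluster, List[Optional[str]]]:
    """Constructed timeline: lost heartbeats force a switchover, the returning primary does not fail back, a later idle line forces a second one."""
    c = Cluster(HaConfig(heartbeat_timeout=3.0, idle_line_threshold=1000.0, idle_line_timeout=4.0))
    timeline = [Sample(1, True, 2, 5e6), Sample(2, True, 2, 5e6), Sample(3, False, 2, 5e6),
                Sample(4, False, 2, 5e6), Sample(5, False, 2, 5e6),  # t=5: 3 s since the t=2 heartbeat
                Sample(6, True, 2, 5e6),    # primary is back, but the secondary stays active
                Sample(7, True, 2, 0.0), Sample(11, True, 2, 0.0)]  # idle for 4 s: second switchover
    return c, [c.step(s) for s in timeline]
```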
  • Have you ordered a product online and seen a product shipping email that looked like this? If you didn’t look closely, you might think it was legitimate. This attempt to deliver malware is not unusual. Around Valentine’s Day, infected e-cards were making the rounds. If you received a message with ValentineCard4you.zip and opened it, you would become infected with backdoor.trojan. The Wall Street Journal stated that “over 90% of targeted emails use malicious file attachments as the payload or infection source”.
  • The attacks are especially dangerous when they leverage zero-day vulnerabilities. One example that leverages such vulnerabilities is Duqu. Duqu, which some have named the “son of Stuxnet”, used zero-day vulnerabilities in business documents such as MS Word files to compromise target Windows operating systems and harvest information. The tell-tale signs included process injection, downloading and installing additional software drivers, modifications to the registry, and contact with C&C servers using HTTP and HTTPS.
  • What are zero-day attacks and why should we be concerned? These are attacks that have no known defenses. In 2012, there were over 200 new vulnerabilities in applications we use every day, and malware variants like SpyEye can be created with the click of a button. In the time I described this slide, someone could have created 60 malware variants. To put this in perspective, Dark Reading reported that up to 100,000 new malware samples are created each day (Dark Reading, Oct 15, 2012). If we are only using signature-based detections, how are security teams supposed to keep up with the new exploits and new malware? New challenges need new solutions.
  • In May 2013 a customer noticed that a file was being detected as a zero-day attack. It was an email coming from Citibank, with the title “statement id”. The customer was expecting such an email from this bank and did not understand why the system blocked it. After talking to Check Point and providing this email for checking, our analysts detected this file as malicious: it exploited a vulnerability in MS Word, installed a bot agent and tried to communicate with a C&C. Threat Emulation detected and prevented this attack, which at that time was known to only 2 AV vendors in the entire industry (out of almost 50 AV vendors). In the following week, the Threat Emulation system detected this exact same file at additional organizations running the system, and this time stopped it because it had been shared with ThreatCloud.
  • This discovery and prevention happens in 1 to 2 minutes. In case you’re worried that Threat Emulation might block good documents, or interrupt business access to key files, we have good news. We use patent-pending technology that has been proven to emulate over a quarter million files with zero false positives. We built heuristics into file inspection (such as positive elimination of files) that ensure only suspicious files are emulated, completing the process as fast as possible and optimizing performance.
  • Threat Emulation is provided as a cloud service. Organizations can set up any gateway running R77 in their environment to inspect incoming files over email or web (HTTP & HTTPS). In case the file is suspicious, the gateway sends the file to the Threat Emulation Cloud Service for emulation. The cloud service allows the organization to use a global quota of files that can be inspected, and any security gateway can send files for emulation. We are also introducing an Exchange Agent that can inspect incoming emails on the mail server and will send files for emulation in the cloud. The Exchange Agent allows organizations that don’t have Check Point gateways (or are not upgrading to R77) to inspect files.
  • In addition to the cloud service, Check Point offers a local-emulation solution as an appliance. We will provide two dedicated appliances for threat emulation: a small solution and a larger one. Our appliances can be placed in several locations in the organization, such as inline, as a mail transfer agent, or as a tap. This appliance can receive files from several or even all gateways in the organization and emulate them.
  • And, for those of you who want to try it now, you can try Threat Emulation in action by sending a file to the email shown, or uploading to the URL shown. You will receive a report like the one I showed you a few moments ago. This is open to the public now, and I encourage you to try it and even let your customers try it to get a feel for the information summary and detail that we report to you.
  • Threat Emulation is a new and important part of the Check Point multi-layer solution.
  • We think it is time to find a way to simplify the work and connect security best practices with the regulatory requirements that apply to organizations.
  • Today we present Check Point’s Compliance blade which changes the way organizations manage compliance!
  • Transcript

    • 1. ©2012 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved. The Risks of New Threats. May 2014
    • 2. DDoS Attacks
    • 3. [Figure: DDoS Timeline—Summary Graph (attack risk vs. time, 2001–2012; © 2011 Radware), with three phases, “Worms”, DDoS and “Blend”, and motives ranging from vandalism and publicity through financially motivated and blending motives to hacktivism. Events plotted: CodeRed 2001, Nimda 2001 (installed Trojan), Slammer 2003 (attacking SQL sites), Blaster 2003, Republican website DoS 2004, Storm (botnet) 2007, Agobot (DoS botnet), Srizbi (botnet) 2007, Rustock (botnet) 2007, Estonia’s web sites DoS 2007, Georgia web sites DoS 2008, Kracken (botnet) 2009, Google / Twitter attacks 2009, cyber attacks on US & Korea July 2009, IMDDOS (botnet) 2010, Operation Payback Dec 2010, DDoS Wordpress.com Mar 2011, Codero DDoS / Twitter Mar 2011, Netbot DDoS Mar 2011, Operation Payback II Mar 2011, Israeli sites, LulzSec (Sony, CIA, FBI, Peru, Chile) 2012.] DDoS Attacks Gaining Momentum
    • 4. DDoS Attack by Types: network layer attacks (e.g. TCP SYN flood) and application layer attacks. More attacks are targeted at the application layer.
    • 5. Layer 7 DoS Attacks (slide panels: Allowed Traffic, Hidden Sources, Attack Vectors, Attack Damage)
      – Legitimate traffic
      – Low bandwidth
      – Exploit TCP protocol
      – Partial HTTP requests
      – Recursive DNS spoofing
      – Application exploits
      – And more…
      – Use of TOR
      – Use of proxies
      – Use of botnets
    • 6. Attackers Use Multi-Layer DDoS. Simultaneous attack vectors:
      – Large-volume network flood attacks
      – Web attacks: brute force login locked
      – SYN flood attack
      – Application vulnerability
      – “Low and slow” DoS attacks (e.g., Sockstress)
      – High and slow application DoS attacks
      1 successful attack vector = no service
    • 7. DDoS and Traditional Security. Attackers take advantage of traditional security:
      – Routers may be affected before firewalls
      – Firewalls track the state of network connections (can be a bottleneck)
      – Firewalls allow legitimate traffic (e.g. port 80 to the web server)
      – IPS allows legitimate requests (e.g. get http/1.0\r\n)
      – Application Control allows legitimate services (DNS or HTTPS)
    • 8. Traditional Firewalls Not Sufficient: not designed for network and application DDoS protection
      – Basic rate-based flood protection affects all traffic (real users and attack traffic)
      – Lacks comprehensive Layer 7 DDoS protection: poor detection of sly attacks; no filters to block attacks and allow real traffic; administrators cannot create custom signatures
    • 9. What Software Blades Can Do
      – Firewall configurations (network access control): aggressive aging, protection against connection-consuming attacks; network quota, limit the number of connections by source IP; ICMP/UDP perimeter and initial drop rules, drop early in the policy; lower Stateful Inspection timers, defense against slow attacks
      – IPS configurations (proactive intrusion prevention): Geo Protection, rules to block by country and direction of traffic; worm catcher signature, block known worms (HTTP and CIFS); TCP window size enforcement, small TCP window and flood; SYN flood protection, cookie-based validation; HTTP flooding, rate-based blocking
      – SmartEvent and SmartLog: improved visibility and forensics
    • 10. Block Denial of Service Attacks within seconds! Introducing Check Point DDoS Protector™
    • 11. Check Point DDoS Protector: flexible deployment options; customized multi-layered DDoS protection; fast response time, protect within seconds; integrated with Check Point security management
    • 12. Product Information
      – Models: DP 506, DP 1006, DP 2006, DP 3006, DP 4412, DP 8412, DP 12412
      – Capacity (respectively): 0.5 Gbps, 1 Gbps, 2 Gbps, 3 Gbps, 4 Gbps, 8 Gbps, 12 Gbps
      – Max concurrent sessions: 2 million / 4 million
      – Max DDoS flood attack protection rate: 1 million packets per second / 10 million packets per second
      – Latency: <60 microseconds
      – Real-time signatures: detect and protect against attacks in less than 18 seconds
    • 13. DDoS Attack Information: Network Flood, high volume of packets; Server Flood, high rate of new sessions; Application, web / DNS connection-based attacks; Low & Slow Attacks, advanced attack techniques
    • 14. Multi-Layer DDoS Protection against Network Flood (high volume of packets), Server Flood (high rate of new sessions), Application (web / DNS connection-based attacks) and Low & Slow Attacks (advanced attack techniques): behavioral network analysis; stateless and behavioral engines; automatic and pre-defined signatures; protections against misuse of resources; behavioral HTTP and DNS; challenge / response mitigation methods; granular custom filters, create filters that block attacks and allow users
    • 15. Flexible Deployment Options: low maintenance and support; optional Learning Mode deployment; fits the existing network topology; ready to protect in minutes
    • 16. Deployment Locations: on-premise deployment (DDoS security appliance), off-site deployment (DDoS security appliance), or both (scenarios 1, 2, 3). Transparent network device easily fits into the existing network topology (layer 2 bridge)
    • 17. Simple Deployment: ready to protect any size network in minutes. 1. Plug it in… (no network address changes, Layer 2 bridge) 2. Let it learn… (baseline good network and application behavior) 3. Protected by signatures (signatures are ready to protect)
    • 18. Zero Day & APTs
    • 19. WOULD YOU OPEN THIS ATTACHMENT?
    • 20. TARGETED ATTACKS BEGIN WITH ZERO-DAY EXPLOITS. “Duqu Worm Causing Collateral Damage in a Silent Cyber-War”: worm exploiting zero-day vulnerabilities in a Word document
    • 21. Exploiting Zero-day vulnerabilities: new vulnerabilities, countless new variants. “Nearly 200,000 new malware samples appear around the world each day” (net-security.org, June 2013)
    • 22. WHAT ABOUT NEW ATTACKS? Check Point Multi-Layered Threat Prevention: IPS stops exploits of known vulnerabilities; Anti-Bot detects and prevents bot damage; Antivirus blocks the download of malware-infested files
    • 23. Check Point introducing the Check Point ThreatCloud Emulation Service: PREVENTION OF ZERO-DAY ATTACKS!
    • 24. Stop undiscovered attacks with Check Point Threat Emulation: INSPECT FILE, EMULATE, PREVENT, SHARE
    • 25. INSPECT: identify files in email attachments and downloads over the web (exe files, PDF and Office documents); send the file to a virtual sandbox. Requires no infrastructure change or adding devices
    • 26. EMULATE: open the file and monitor abnormal behavior, emulating multi-OS environments (Win 7, 8, XP & user customized). Monitored behavior: file system; system registry; network connections; system processes
    • 27. Emulation @ Work: A STANDARD CV?
    • 28. Emulation @ Work
    • 29. Emulation @ Work: File System Activity, abnormal file activity; System Registry, tampered system registry; System Processes, “naive” processes created; Network Connections, remote connection to Command & Control sites
    • 30. PREVENT: Security Gateway, inline stopping of malicious files on any gateway
    • 31. SHARE: immediate update of all gateways
    • 32. Stop undiscovered attacks with ThreatCloud Emulation Service: INSPECT FILE, EMULATE, PREVENT, SHARE
    • 33. Real Life Example: new exploit variant of vulnerability (CVE-2012-0158); installs a bot agent; opens network ports for bot communication; steals user credentials. Prevented 140 phishing emails targeting 4 customers in 2 days!
    • 34. Most Accurate and Fastest Prevention: THREAT EMULATION with ongoing innovation; optimize analysis by inspecting only files at risk; zero false positives in document emulation
    • 35. ThreatCloud Emulation Service: single global solution for the entire organization (headquarters, branches, Agent for Exchange Server)
    • 36. Threat Emulation Private Cloud Appliance specifications (small / large model)
      – Recommended # of file scans per month: 250,000 / 1,000,000
      – Recommended # of users: 1,700 / 7,000
      – Throughput (Mbps): 691 / 2032
      Multiple deployment options: inline, mail transfer agent, tap
    • 37. ThreatCloud Emulation Service Advantages: cloud-based service, works with your existing infrastructure, no need to install new equipment; control expenses with manageable lower monthly costs; organizations can choose from 5 subscription options for global file inspections, starting at 10,000 files per month and up
    • 38. Anyone can submit files for THREAT EMULATION: threats@checkpoint.com, threatemulation.checkpoint.com
    • 39. Check Point Threat Prevention Solution: Multi-Layered Protection Against all Incoming Cyber Threats
    • 40. Top Reasons customers pick Check Point: Threat Emulation works with your existing infrastructure, no need to install any new equipment; a complete Threat Prevention Solution for known and unknown threats
    • 41. Compliance Software Blade: REVOLUTIONIZING SECURITY & COMPLIANCE
    • 42. Agenda [Restricted] ONLY for designated groups and individuals: 1 Market Background; 2 Compliance Software Blade; 3 Extending GRC with easy2comply; 4 Compliance Customer Stories; 5 Summary
    • 43. As Security Pressures Grow…
    • 44. … and Regulatory Compliance Needs Increase: MORE regulations, MORE frequent, MORE complex
    • 45. (no slide text)
    • 46. Compliance Software Blade. Presenting: Check Point’s first integrated and fully automated Security & Compliance Monitoring
    • 47. Security and Compliance Made Easy
    • 48. Easy Installation: up and running within 2 mouse clicks. Fully integrated management blade
    • 49. Library of Security Best Practices
    • 50. 360 Security Visibility: Detailed Security Analysis
    • 51. Detailed Security Analysis
    • 52. Complex Regulatory Requirements (ISO 27001, PCI-DSS, GLBA, NIST 800-41, HIPAA, ISO 27002, Cobit 4.1) … mapped to Security Best Practices
    • 53. Regulatory Compliance Monitoring: real-time assessment of major regulations across Check Point Software Blades
    • 54. Out of the Box Audit Preparation
    • 55. Real Time Security Alerts
    • 56. Actionable Management
    • 57. Summary: NOW IS THE TIME TO STREAMLINE SECURITY WITH REGULATORY COMPLIANCE: real-time security monitoring; compliance reporting; security alerts; complementary GRC solution
    • 58. Thank You