2. Where are we?
Timeline chart (labels only): threats versus protections by generation.
• Gen I (1990): virus
• Gen II (2000): networks
• Gen III (2010): applications
• Gen IV (2015): payload
• Gen V (2017): mega
Protection grades I to V are plotted against these threat generations.
Enterprises are between Gen 2-3 (chart marker: 2.8).
6. Check Point Infinity Architecture
Diagram labels: Shared Threat Intelligence; Consolidated Security Management; NETWORK (perimeter and data centers); CLOUD (hybrid cloud); MOBILE; ENDPOINT.
Best threat prevention across the entire enterprise.
7. NETWORK / MOBILE / ENDPOINT / CLOUD (diagram labels)
Shared Threat Intelligence; Consolidated Security Management.
NETWORK (headquarters, branch, multi and hybrid cloud): Access Control; Multi-Layered Security; Advanced Threat Prevention; Data Protection; Wi-Fi, DSL, PPPoE ready.
MOBILE: Network Protection; Device Protection; App Protection; Capsule Workspace/Docs; Remote Access; Secure Business Data; Protect Docs Everywhere.
ENDPOINT: Anti-Ransomware; Forensics; Threat Prevention; Access/Data Security; Access Control; Secure Media; Secure Documents.
CLOUD (infrastructure and applications): Advanced Threat Prevention; Adaptive Security; Automation and Orchestration; Cross-Environment Dynamic Policies; Identity Protection; Sensitive Data Protection; Zero-Day Threat Protection; End-to-end SaaS Security.
8. SandBlast Network: HOW IT WORKS
Threat Emulation:
• CPU-level detection: catches the most sophisticated malware before evasion techniques deploy.
• OS-level emulation: stops zero-day and unknown malware in a wide range of file formats.
Threat Extraction: delivers a safe version of the content quickly (diagram: original doc with malware in, safe doc out).
9. SandBlast Network: HOW IT WORKS (diagram: hacker, threat intelligence)
• The content is inspected for potential threats using KNOWN signatures and URL reputation.
• Malicious downloads and exploits are blocked.
10. SandBlast Network: HOW IT WORKS (continued)
• For UNKNOWN attacks and browser exploits, the content is sent for emulation in the cloud or on a designated local appliance.
• If the file is identified as malicious, the mail is quarantined and the incident is reported to the administrator.
Emulation engine components (diagram labels): CPU-level detection; machine learning; file/URL reputation; push-forward; hacker traps and decoys; threat intelligence.
11. SandBlast Network: HOW IT WORKS (continued)
• In parallel, a sanitized copy is sent to the user without any embedded objects, macros, JavaScript code or sensitive hyperlinks.
• Post emulation, if the file is identified as benign, the original attachment is delivered to the user on request.
Diagram labels: MTA; a sanitized file is sent; threat intelligence.
12. ELEMENTS IN NEED OF PROTECTION: incoming mail; browsing users; exposed systems.
14. GET THE DATA, NOT THE RISK: Threat Extraction for documents
CONVERT MODE: convert documents to PDF.
CLEAN MODE: retain the file format, remove active content.
Benefits: fast delivery; preserve all text and visual content.
We recommend CONVERT MODE for Word documents and CLEAN MODE for everything else.
Deliver clean attachments, with self-catered access to the original files.
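As an added illustration of what CLEAN MODE does (this is example code written for this page, not Check Point's Threat Extraction engine): OOXML documents are zip archives, so a simplified clean mode can keep the text parts byte-for-byte and drop only the parts that carry active content (VBA project, embedded OLE objects, ActiveX), together with the manifest entries that point at them. The sample document, the part names and the mode-selection helper are constructed for the demo; a real engine re-parses the document rather than trusting file names.

```python
# Added example, not Check Point code: a simplified "clean mode" for OOXML (zip-based)
# documents, plus the mode choice the slide recommends. The sample document below is a
# constructed skeleton, not a real Word file.
import io
import re
import zipfile

# Zip entries inside an Office document that carry active content.
ACTIVE_PARTS = (
    re.compile(r"/vbaProject\.bin$"),   # VBA macro storage
    re.compile(r"/vbaData\.xml$"),      # VBA project metadata
    re.compile(r"/embeddings/"),        # embedded OLE objects
    re.compile(r"/activeX/"),           # ActiveX controls
)


def choose_mode(filename):
    """The slide's recommendation: convert Word documents to PDF, clean everything else."""
    return "convert" if filename.lower().endswith((".doc", ".docx", ".docm")) else "clean"


def build_sample_docm():
    """Constructed macro-enabled document skeleton (only the parts the demo needs)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<Types><Override PartName="/word/document.xml" ContentType="x"/>'
                   '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>')
        z.writestr("word/_rels/document.xml.rels",
                   '<Relationships><Relationship Id="rId1" Target="vbaProject.bin"/>'
                   '<Relationship Id="rId2" Target="embeddings/oleObject1.bin"/></Relationships>')
        z.writestr("word/document.xml", "<w:document>Quarterly report text and figures</w:document>")
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed macro blob")
        z.writestr("word/embeddings/oleObject1.bin", b"constructed embedded object")
    return buf.getvalue()


def drop_references(xml, removed):
    """Remove <Override .../> and <Relationship .../> elements that point at a removed part,
    so the cleaned document does not reference content that is no longer there."""
    for part in removed:
        base = re.escape(part.split("/")[-1].encode())
        xml = re.sub(rb"<(?:Override|Relationship)\b[^>]*" + base + rb"[^>]*/>", b"", xml)
    return xml


def clean_document(data):
    """Return (cleaned zip bytes, list of removed parts). Non-active parts are kept unchanged."""
    src = zipfile.ZipFile(io.BytesIO(data))
    removed = [n for n in src.namelist() if any(p.search("/" + n) for p in ACTIVE_PARTS)]
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if name in removed:
                continue
            payload = src.read(name)
            if name == "[Content_Types].xml" or name.endswith(".rels"):
                payload = drop_references(payload, removed)
            dst.writestr(name, payload)
    return out.getvalue(), removed


def list_parts(data):
    """Entry names of a zip document, in archive order."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.namelist()


def read_part(data, name):
    """Bytes of one entry of a zip document."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.read(name)


if __name__ == "__main__":
    cleaned, removed = clean_document(build_sample_docm())
    print("removed:", removed)
    print("kept:", list_parts(cleaned))
```

The point of the manifest clean-up is that a document which still lists a vbaProject part it no longer contains is, at best, reported as corrupt by the viewer; removing both the part and its references is what "retain file format" requires.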
15. MAIL TRANSFER AGENT (MTA)
Mail flow (diagram): Internet --SMTP--> anti-spam mail server (MTA next hop = GW) --SMTP--> CHECK POINT GATEWAY (MTA next hop = mail server) --SMTP--> mail server.
WHY MTA?
• Guaranteed prevention
• Threat Extraction support
• SMTP TLS support
• User interaction
• Excellent stability and performance
• Configuration granularity
• Mail queue visibility and control
• Continued improvements in R80.20
16. WHERE TO DEPLOY YOUR MTA? Dedicated gateway or perimeter gateway
• Dedicated gateway (anti-spam -> MTA GW -> mail server, alongside the perimeter GW): don't impact the perimeter gateway.
• Perimeter gateway (anti-spam -> perimeter GW -> mail server): reuse the existing gateway.
17. ELEMENTS IN NEED OF PROTECTION: incoming mail; browsing users; exposed systems.
18. PUSH-FORWARD: evasion-resistant sandbox detection of malicious Flash
Threat Emulation dynamically drives Adobe Flash execution, forcing detonation if it's malicious.
19. PROTECTING BROWSING USERS (diagram: attacker -> gateway with SandBlast Network -> user with SandBlast Agent)
BROWSING THREATS: malicious downloads; browser exploits; credential theft.
NETWORK PROTECTIONS (gateway): IPS; Anti-Virus; Threat Emulation; Threat Extraction* (* coming in R80.20).
ENDPOINT PROTECTIONS (SandBlast Agent): Anti-Virus; Threat Emulation; Threat Extraction; Anti-Exploit; Zero Phishing; Anti-Ransomware.
20. WHAT IF A SYSTEM IS COMPROMISED? Anti-Bot: identify and contain infections.
22. ANTI-BOT: PINPOINT INFECTED HOSTS when behind a proxy
Diagram: infected host (IP: 10.100.0.123) -> proxy -> gateway (blocked by Anti-Bot) -> attacker's C&C.
PROBLEM: the source IP seen by the gateway is the proxy, not the infected host.
SOLUTION: turn on XFF. The HTTP request carries the X-Forwarded-For header:
GET /index.html HTTP/1.1
HOST: www.example.com
X-FORWARDED-FOR: ...
The correct IP is written to the log.
PRIVACY CONCERNS? The gateway can wipe the internal IP.
23. ANTI-BOT: PINPOINT INFECTED HOSTS when behind a DNS server
Diagram: infected host (IP: 10.100.0.123) -> DNS server -> gateway (DNS query blocked by Anti-Bot) -> attacker.
PROBLEM: the source IP of the DNS query is the DNS server, not the infected host.
SOLUTION: turn on DNS TRAP.
1. DNS query: the infected host asks to resolve the C&C domain.
2. The gateway sends a DNS response with a predefined IP.
3. The communication attempt with the predefined IP is pinpointed to the infected host.
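The three DNS-trap steps, as an added simulation (example code written for this page, not Check Point's Anti-Bot). The infected host, the internal resolver, the C&C domain and the trap address are all constructed. The simulation shows both sides of the slide: attributing by DNS-query source blames the resolver, while a flow to the trap address identifies the host that actually resolved the C&C name.

```python
# Added example, not Check Point code: a simulation of the three DNS-trap steps on the
# slide. Hosts, the C&C domain and the trap address are constructed for the demo.

INFECTED_HOST = "10.100.0.123"     # constructed: the bot behind the internal resolver
DNS_SERVER = "10.100.0.53"         # constructed: internal DNS server that forwards queries
TRAP_IP = "203.0.113.250"          # constructed: the predefined IP the gateway answers with
CC_DOMAINS = {"cc-panel.example"}  # constructed blocklist of known C&C domains


def gateway_resolve(query_domain, upstream_answer):
    """Step 2: the gateway replaces the answer for a C&C domain with the trap IP.
    Returns (IP to answer with, True when the query was trapped)."""
    if query_domain.lower().rstrip(".") in CC_DOMAINS:
        return TRAP_IP, True
    return upstream_answer, False


def attribute_by_dns_query(dns_log):
    """The problem: the query reaching the gateway comes from the DNS server, so
    attributing by query source names the resolver, not the bot."""
    return sorted({src for src, domain, _ in dns_log if domain in CC_DOMAINS})


def pinpoint_by_trap(flow_log, trap_ip=TRAP_IP):
    """Step 3: only a host that resolved the C&C domain will connect to the trap IP,
    so the flow log yields the real infected host."""
    return sorted({src for src, dst, _ in flow_log if dst == trap_ip})


def simulate():
    """Run the sequence end to end and return the logs the gateway would produce."""
    dns_log, flow_log = [], []
    # Step 1: the bot asks the internal DNS server for the C&C domain; the server
    # forwards the query, so the gateway sees DNS_SERVER as the source.
    answer, trapped = gateway_resolve("cc-panel.example", "198.51.100.20")
    dns_log.append((DNS_SERVER, "cc-panel.example", answer))
    # A clean host resolves an ordinary name; its answer passes through unchanged.
    clean_answer, _ = gateway_resolve("www.example.com", "198.51.100.80")
    dns_log.append((DNS_SERVER, "www.example.com", clean_answer))
    # Step 3: each host connects to whatever it was given. Flow log: (src, dst, port).
    flow_log.append((INFECTED_HOST, answer, 443))
    flow_log.append(("10.100.0.77", clean_answer, 443))
    return dns_log, flow_log, trapped


if __name__ == "__main__":
    dns_log, flow_log, _ = simulate()
    print("attributed by DNS query:", attribute_by_dns_query(dns_log))
    print("pinpointed by DNS trap: ", pinpoint_by_trap(flow_log))
```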
24. Threat Intelligence (diagram labels)
Sensors: endpoint blades; SandBlast Mobile; Anti-Bot; Anti-Virus; Application Control; URL Filtering; Threat Emulation; IPS.
Collaboration: industry feeds (URLs, hashes, domains; VirusTotal indicators; Cyber Threat Alliance); CERTs; community.
Data mining: campaign hunting.
Research: malware research; event analysis; analysts; AI; 400 researchers and analysts.
27. CloudGuard
• New name for all our cloud security solutions, including vSEC
• Introduction of a new SaaS/CASB offering
• Introduction of Alibaba Cloud and Oracle Cloud offerings
30. CLOUDGUARD SAAS: SaaS security is one click away
Identity protection; protect sensitive data; zero-day threat protection; end-to-end SaaS security.
31. CloudGuard SaaS: HOW IT WORKS (diagram)
CloudGuard SaaS connects to the SaaS providers via API & AD … alongside the security gateway and the security stack.
Capabilities: prevent account takeovers; data leak prevention; reveal shadow IT; document encryption; zero-day threat protection.
32. PREVENT ACCOUNT TAKEOVER WITH CLOUDGUARD SAAS IDENTITY PROTECTION
Diagram: an employee accesses the app through the identity server (ADFS, Azure AD, Okta); a hacker with a stolen ID takes the same path and is stopped at "identify device".
• Only users and devices with the ID-Guard endpoint agent can log in
• Malicious login prevented even if the hacker has the correct credentials
• No user involvement
33. PREVENT ACCOUNT TAKEOVER WITH CLOUDGUARD SAAS IDENTITY PROTECTION: agentless mode
Diagram: a hacker with stolen credentials accesses the app through the identity server (ADFS, Azure AD, Okta); intelligence blocks the login.
• Collects network intelligence from on-premise devices, Threat Cloud and SaaS
• Prevents suspicious logins. Example: seen in two locations, bad source IP reputation
35. CHECK POINT CLOUDGUARD IAAS: advanced threat prevention for cloud environments, in an agile and automated nature
36. CLOUD = SHARED RESPONSIBILITY
Customer responsible for security IN the cloud:
• Customer data
• Platform, applications, IAM
• Operating system, network and firewall configs
• Client-side data encryption and data integrity authentication; server-side encryption (file system / data); network traffic protection (encryption, integrity, identity)
Cloud vendor responsible for security OF the cloud:
• Compute, storage, database, networking
• Cloud global infrastructure: regions, availability zones, edge locations
37. CloudGuard IaaS
• All the Advanced Threat Prevention features of Check Point Security Gateways and R81 Management
• For all these clouds (vendor logos, including ACI), plus: automation and orchestration; cross-environment dynamic policies; adaptive security
44. CloudGuard for VMware NSX (architecture diagram)
Two ESXi hosts, each with hardware, hypervisor, VMs and a CloudGuard gateway VM. The Security Management Server talks to vCenter and NSX over the vSphere API; the hypervisor hands traffic to CloudGuard through the NetX API.
53. HOW IT WORKS (mobile)
Cloud-based behavioral risk engine: app analysis (infected apps).
On-device detection: OS exploits (jailbreak/root); network attacks (Wi-Fi, Bluetooth); SMS attacks.
Real-time intelligence, monitoring and control.
55. Mobile security capability map (flattened diagram, reconstructed)
MOBILE THREAT DEFENSE (MTD): Android antivirus; app analysis / emulation; network threats (MiTM, …); OS vulnerability research.
MOBILE CONTENT MANAGEMENT (MCM): document repositories; document lifecycle.
MOBILE APPLICATION MANAGEMENT (MAM): enterprise apps / store apps; app white/black-listing; app profile management; app distribution.
MOBILE INFORMATION PROTECTION: secure container; dual persona.
REMOTE ACCESS: (secure) email proxy; per-app VPN; VDI / VMI; full-device VPN / profile.
MOBILE DEVICE MANAGEMENT (MDM): device "fleet" management; geo-location tracking; device profiles (settings).
Check Point offerings placed on the map: Harmony Mobile; Capsule VPN; Capsule Docs; Capsule Workspace (twice); SSL VPN; native containment.
56. CAPSULE WORKSPACE | Architecture overview
Diagram: mobile device on wireless networks -> Internet -> Check Point Firewall with Mobile Access Blade -> corporate servers; managed from the Management Console.
57. CAPSULE WORKSPACE | Simplify mobile security
• Manage corporate data, not devices
• A PIN unlocks a single app so you can:
  - Access email/calendar/PIM/intranet securely
  - Launch security-wrapped business apps
  - Keep data encrypted at rest and in motion
  - Track and require higher levels of access to docs
  - Extend consistent security to iOS and Android
  - Wipe corporate data on lost or stolen devices
• Capsule Workspace is integrated with Check Point Mobile Threat Prevention
59. ADVANCED THREAT PREVENTION TECHNOLOGIES
• Threat Emulation: identify and block unknown and zero-day threats
• Threat Extraction: deliver clean documents in seconds
• Zero Phishing: safeguard credentials from theft
• Forensics: accelerate understanding for better response
• Anti-Ransomware: keeping endpoints safe from cyber extortion
60. How SandBlast Agent works (SandBlast service)
1. Web downloads are sent to the remote SandBlast service.
2. A sanitized version is delivered promptly.
3. The original file is emulated in the background.
61. How Zero-Phishing works
1. User access to a new site triggers a review.
2. Evaluation based on reputation and advanced heuristics: lookalike characters; image-only site; multiple top-level domains; lookalike favicon; IP reputation; domain reputation; URL similarity; title similarity; visual similarity; text similarity.
3. Verdict issued in seconds (example on the slide: PHISHING SCORE 95%, "Beware! Probable phishing attack").
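A worked scorer built from the heuristic signals the slide names, added here as example code (not Check Point's Zero-Phishing engine): lookalike characters, URL similarity to a protected brand, the brand used as a subdomain in front of extra TLD-like labels, title similarity and an image-only page. The protected site, the weights, the homoglyph table and the sample pages are constructed; reputation, favicon and visual comparison are left out, so the score here is only the heuristic part of what the slide describes.

```python
# Added example, not Check Point code: a heuristic phishing scorer using the signals on
# the slide. Protected site, weights, homoglyph table and sample URLs are constructed.
import difflib
from urllib.parse import urlsplit

# Characters commonly substituted for letters so a name looks right at a glance.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
              "@": "a", "$": "s", "rn": "m", "vv": "w"}
# Constructed: the site whose login page we protect -> its genuine page title.
PROTECTED = {"example.com": "Example Login"}
WEIGHTS = {"lookalike characters": 30, "url similarity": 25, "multiple tld": 15,
           "title similarity": 20, "image only site": 10}


def normalise(host):
    """Undo common homoglyph substitutions so 'examp1e' compares as 'example'."""
    host = host.lower()
    for fake, real in HOMOGLYPHS.items():
        host = host.replace(fake, real)
    return host


def registrable_domain(host):
    """Last two labels; enough for the demo (real code consults the public suffix list)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])


def score_page(url, title, image_only=False):
    """Return (phishing score 0-100, list of signals that fired)."""
    host = urlsplit(url).hostname or ""
    if registrable_domain(host) in PROTECTED:
        return 0, []                         # the genuine site itself
    fired = []
    norm = normalise(host)
    for brand, brand_title in PROTECTED.items():
        name = brand.split(".")[0]           # "example"
        if norm != host.lower() and name in norm:
            fired.append("lookalike characters")
        if name in norm:
            fired.append("url similarity")
        if brand + "." in norm:              # brand as a subdomain: example.com.evil.test
            fired.append("multiple tld")
        if difflib.SequenceMatcher(None, title.lower(), brand_title.lower()).ratio() >= 0.8:
            fired.append("title similarity")
    if image_only:
        fired.append("image only site")
    score = min(100, sum(WEIGHTS[f] for f in fired))
    return score, fired


def verdict(score):
    """Thresholds are constructed for the demo."""
    return "block" if score >= 70 else "warn" if score >= 25 else "allow"


if __name__ == "__main__":
    print(score_page("http://examp1e.com.login-secure.test/", "Example Login", image_only=True))
```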
62. How Credential Protection works: preventing reuse of corporate credentials
With so many credentials to remember, users often re-use the same password, and the corporate password is exposed.
63. How Forensics works
1. Forensics data is continuously collected from various OS sensors: processes, registry, network, files.
2. Report generation is automatically triggered upon detection of network events or by third-party AV.
3. Advanced algorithms analyze the raw forensics data.
4. A digested incident report is sent to SmartEvent.
64. How Anti-Ransomware works
ONGOING:
• Behavioral analysis: constantly monitor for ransomware-specific behaviors.
• Data snapshots: continuously create short-term file backups.
UPON DETECTION:
• Quarantine: stop and quarantine all elements of the attack.
• Restore: restore encrypted files from snapshots.
• Analyze: initiate forensic analysis of the attack details.
(Status shown: ransomware protection is ON.)
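The ongoing / upon-detection cycle as a toy model, added here as example code (not Check Point's Anti-Ransomware blade). The "disk" is a dictionary, the behavioral signal is a burst of overwrites that replace readable content with high-entropy content, and all file contents and process names are constructed. The model shows why the snapshot step has to run before detection: the pre-write copies are what makes the restore possible once the quarantine decision is taken.

```python
# Added example, not Check Point code: a toy model of the ongoing / upon-detection cycle
# on the slide. File contents, process names and thresholds are constructed.
import math
from collections import Counter, defaultdict

# Constructed data: readable business documents and a ciphertext-like payload (every byte
# value appears equally often, so its entropy is the maximum of 8 bits per byte).
ORIGINALS = {
    "reports/q1.txt": b"Quarterly report: revenue up, costs flat, headcount unchanged.",
    "reports/q2.txt": b"Quarterly report: revenue flat, costs up, headcount plus two.",
    "reports/q3.txt": b"Quarterly report: revenue down, costs down, headcount unchanged.",
}
FAKE_CIPHERTEXT = bytes(range(256)) * 4


def shannon_entropy(data):
    """Bits per byte: plain text sits around 4-5, encrypted or compressed data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class RansomwareGuard:
    """ONGOING: snapshot a file before every overwrite and score the overwrite.
    UPON DETECTION: quarantine the process, restore its victims, record an analysis."""

    def __init__(self, burst=3, low=6.0, high=7.0):
        self.files = {}                      # simulated disk: path -> bytes
        self.snapshots = {}                  # short-term backups: path -> bytes before last overwrite
        self.suspicious = defaultdict(list)  # process -> paths it overwrote suspiciously
        self.quarantined = set()
        self.incidents = []
        self.burst, self.low, self.high = burst, low, high

    def write(self, process, path, data):
        if process in self.quarantined:
            return "blocked"
        old = self.files.get(path)
        if old is not None:
            self.snapshots[path] = old       # DATA SNAPSHOT: keep the pre-write copy
        self.files[path] = data
        if old is None or not self._looks_encrypted(old, data):
            return "ok"
        self.suspicious[process].append(path)  # BEHAVIORAL ANALYSIS
        if len(self.suspicious[process]) >= self.burst:
            self._respond(process)
            return "quarantined"
        return "suspicious"

    def _looks_encrypted(self, old, new):
        """Signal: readable content replaced by high-entropy content."""
        return shannon_entropy(old) < self.low and shannon_entropy(new) > self.high

    def _respond(self, process):
        victims = self.suspicious.pop(process)
        self.quarantined.add(process)                    # QUARANTINE
        for path in victims:                             # RESTORE from snapshots
            self.files[path] = self.snapshots[path]
        self.incidents.append({"process": process,       # ANALYZE: hand-off record
                               "restored": sorted(victims)})


def run_demo():
    """A word processor edits files normally, then a constructed encryptor overwrites them."""
    guard = RansomwareGuard()
    for path, text in ORIGINALS.items():
        guard.write("winword.exe", path, text)
    guard.write("winword.exe", "reports/q1.txt", ORIGINALS["reports/q1.txt"] + b" Revised.")
    results = [guard.write("cryptor.exe", path, FAKE_CIPHERTEXT) for path in ORIGINALS]
    results.append(guard.write("cryptor.exe", "reports/q4.txt", FAKE_CIPHERTEXT))
    return guard, results


if __name__ == "__main__":
    guard, results = run_demo()
    print(results, guard.incidents)
```

The restore returns each file to its last pre-attack content, so the legitimate revision to q1 survives; a snapshot store that only kept the first version of each file would lose that edit.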
65. ADVANCED THREAT PREVENTION TECHNOLOGIES: Threat Emulation; Threat Extraction; Zero Phishing; Forensics; Anti-Ransomware.
BASELINE THREAT PREVENTION TECHNOLOGIES: Access Control; Anti-Virus; Anti-Bot.
66. How Access Control works: secure endpoint access, data in transit and verify compliance
• Secure remote mobile access to corporate resources
• Security verification
• Compliance with regulatory requirements
• Industry-first desktop firewall and application control
67. How Anti-Bot works (diagram: C&C communications blocked)
Identify compromised hosts:
• Inside and outside the network
• Pinpoint when inside the network
Lock down infected machines:
• Block C&C communications
• Prevent data exfiltration
Detect the C&C channel and we know the host is infected; block the C&C channel and we contain the malware.
68. How Full Disk Encryption works: Windows and Apple; pre-boot authentication.
69. How Media Encryption works: transparent security for information on storage drives
• Business data segregation: policy-based automatic segregation (non-business data on E:, business data encrypted on F:)
• Seamless experience: automatic data encryption and seamless access for authorized users
• End-user education: engage and educate users with UserCheck
70. How Port Protection works
• Ensure that only authorized devices/ports can be used
• Get the benefit of a flexible blacklisting/whitelisting approach
• Use discovered devices for policy fine-tuning
71. How Capsule Docs works
• Encrypt data: protect your documents with a single click
• Classify: classify and set permissions according to your needs
• Share: select the authorized users and groups
Automatic protection for a seamless user experience; user education and engagement using UserCheck.
73. NETWORK / MOBILE / ENDPOINT / CLOUD summary (diagram labels, repeating slide 7)
Shared Threat Intelligence; Consolidated Security Management (SmartEvent, Compliance, Unified Policy).
NETWORK (headquarters, branch, hybrid cloud): Access Control; Multi-Layered Security; Advanced Threat Prevention; Data Protection; Wi-Fi, DSL, PPPoE ready.
MOBILE: Network Protection; Device Protection; App Protection; Capsule Workspace/Docs; Remote Access; Secure Business Data; Protect Docs Everywhere.
ENDPOINT: Anti-Ransomware; Forensics; Threat Prevention; Access/Data Security; Access Control; Secure Media; Secure Documents.
CLOUD (infrastructure and applications): Advanced Threat Prevention; Adaptive Security; Automation and Orchestration; Cross-Environment Dynamic Policies; Identity Protection; Sensitive Data Protection; Zero-Day Threat Protection; End-to-end SaaS Security.
86. How Anti-Bot works: identify and isolate infected hosts to prevent bot damage
IDENTIFY bot-infected devices with multi-tier detection: reputation, patterns, spam.
PREVENT bot damage: stops traffic to remote operators.
88. How URL Filtering works: allow, block or limit web access based on time or bandwidth.
89. How Identity Awareness works: granular visibility of users, groups and machines
IDENTITY SOURCES: AD Query; Identity Agent; Remote Access clients; RADIUS; Terminal Server; Kerberos; REST API; Identity Collector; Cisco ISE / TrustSec.
IDENTITY POLICY ENFORCEMENT across the network: headquarters; branch; private cloud (ACI); cloud IaaS.
90. How DLP works: inspect sensitive data leaving organizations in real time
• Prevent data loss: 600+ data types, 800+ file formats
• Detect proprietary documents
• Open MultiSpect detection language
• Involve users
91. Virtual Systems: max efficiency with hardware virtualization
• Consolidate up to 250 gateways to secure multiple network segments
• Unique Virtual System Load Sharing (VSLS) for unmatched availability
92. Multiple Security Groups: more and more hardware efficiency
• Support up to 8 segregated installations on separate blades in the same chassis
• Each security group runs an independent SMO with its own software version and configuration
• Each security group can run up to 250 virtual systems: 2,000 VSs in total