
Advance threat protection frameworks




Join the Fortinet Team in a panel session about the importance of an advanced threat protection framework. Don Murphy and the Fortinet Team will explain the closed loop between email, firewalls, web application firewalls, endpoint protection and sandboxes to provide protection against zero-day threats.

Speakers: Don Murphy, Senior Systems Engineer, Fortinet

David Leinberry, Major Account Manager, Fortinet

Track: Security Sessions

Published in: Technology

Advance threat protection frameworks

  1. Advance Threat Protection - Sandboxing (David Leinberry, Don Murphy; Enhanced Technologies – Americas)
  2. Industry Information
     • In the US, an estimated $300 Billion a year of Intellectual Property (IP) is stolen
     • The average incursion went 200+ days without detection
     • FBI: 300% uptick ($206 Mil) in Ransomware in the last 3 months
     • Verizon 2016 Data Breach Report: "Phishing Tops The List Of Increasing Concerns"
     • Incident Response results:
       o 100% of victims had up-to-date Antivirus signatures
       o 100% of the breaches involved use of stolen credentials
       o 67% of companies learned they were breached from an external entity
       o 46% of the compromised systems had no Malware on them
       o Breaches are not confined to any one industry; all verticals are vulnerable
         - Healthcare: 80 million records
         - Home Improvement Chain: 56 million records
         - Finance: 76 million records
     • A new defense strategy is needed
  3. Audience Poll #1: What do you think the average cost of a data breach was in 2014?
     A. $2m   B. $3.5m   C. $3.8m   D. $162m   E. Don't Know
  4. Data Breach Cost Data Points (poll answer: B)
  5. Why a Sandbox?
     • To provide a pristine, isolated environment that automatically tests potentially malicious software
       o It needs a feature that acts like a mouse and executes the file just as a human would (double click)
       o The sandbox steps through the file, opening other programs as needed to execute it (Office, Adobe, etc.)
       o If a GUI is opened, a screenshot of the malware install is taken
       o Call back/C2 is tracked
       o A forensics report needs to be created and emailed to the pre-defined alias list
     • After testing, intelligence is applied in deciding whether to alert
     • Multiple VMs in a single appliance allow multiple files and threats to be analyzed at once
     • Integration with multiple security platforms (mail, endpoint, edge FW) is critical to being proactive
     • Integration with all major SIEMs should be part of the integration
  6. Insider Threat: the Unintentional Participant (this can lead to APT; intentional participants are IMHO already APTs)
     • Who are they?
       o Any employee; it is not intentional (executives are usually a High Value Target)
     • Use Case 1: "Why did I click it?"
       o A user clicks a link that they don't know is bad
         - FortiGate coupled with FortiSandbox can detect, block, and alert on bad links
     • Use Case 2: phishing / spear phishing
       o A user opens an attachment they shouldn't have
       o Attacks are sophisticated now; it's no longer a smash and grab
       o FortiMail and FortiSandbox will block, clean, and alert even if you have another spam solution
     • Use Case 3: insufficient best practices for passwords and user behavior (audits)
       o Default admin/application passwords or shared passwords
       o Unusual behavior in DB access (that little healthcare breach)
       o FortiDB, FortiAuthenticator: user profiling and strong authentication, no default or shared PWs
  7. Audience Poll #3: What are you most concerned about losing as a result of a cyber attack?
     • Customer Data
     • System Availability/Business Continuity
     • Intellectual Property
     • Employee Data
     • Company Brand
  8. Sandbox: Usually Has 4 Steps to Enhance Security
     • AV Prefilter: apply top-rated anti-malware engine
     • Cloud File Query: check community intelligence & file reputation
     • Full Virtual Sandbox: examine real-time, full lifecycle activity in the sandbox to get the threat to expose itself
     • Call Back Detection: identify the ultimate aim, call back & exfiltration
     • Mitigate w/ analytics
  9. 14 Types of Danger and some examples
     • Adware (e.g. BitTorrent)
     • Riskware (e.g. smsreg)
     • Botnet (e.g. Fastflux)
     • Hijack (e.g. Trovi)
     • Trojan (e.g. CryptoLocker: 40 variants in the Extreme DB)
     • Worm
     • Backdoor
     • Rootkit
     • Dropper
     • Downloader
     • Injector
     • Attacker
     • Stealer
     • Infector
  10. Flexible Deployment Modes
     • Standalone Mode: ideal for scalable requirements
     • Data Center Integrated Mode: ideal for a centralized gateway with inline protection (Headquarters / Enterprise Core)
     • Distributed Mode: ideal for protection in a distributed environment (Branch Offices / Distributed Enterprise)
  11. All Input Methods Supported Simultaneously
     • Devices: files submitted from an edge FW product
     • Sniffer: files extracted from monitored traffic
     • File Share: files are examined on a network share (NFS/CIFS)
     • On-demand: files or URLs manually submitted through the web-based manager of the Sandbox
  12. Breaking the Kill Chain of Advanced Threats
     • Attack stages: Spam / Malicious Email → Malicious Link → Malicious Web Site → Exploit → Malware → Bot Commands & Stolen Data → Command & Control Center
     • Control layers: Anti-spam, Web Filtering, Intrusion Prevention, Antivirus, App Control/IP Reputation
  13. Breaking the Kill Chain of Advanced Threats (continued)
     • The same attack stages as slide 12, with the Sandbox added to the control layers alongside Anti-spam, Web Filtering, Intrusion Prevention, Antivirus and App Control/IP Reputation
  14. FortiSandbox Detecting Targeted Attacks
     • Prefilters objects, identifying known threats
     • Uncovers the full threat lifecycle and presents indicators of compromise
     • Full deployment capabilities
       o Sniffer: span port mode to capture all packets
       o On-demand: manual submission & analysis
       o Integrated: with FortiGate, FortiMail, FortiWeb & FortiClient to feed into and act on intelligence out of FortiSandbox
     • Integrated File Share scan capability
     • True dynamic URL analysis engine plus integration with other Forti-components
     • Analysis stages (diagram): Network Traffic → AV Prefilter → Cloud File Query → Code Emulation → Full Sandbox → Callback Detection
  15. Products
  16. How Should It All Work? (closed-loop diagram: client devices and the firewall/mail/web server submit files to the Sandbox and receive results; the Sandbox drives device/file quarantine and block-object/block-traffic actions; follow-the-sun analytical security labs provide intelligence sharing, real-time intelligence updates, security updates, and forensics and response)
  17. A Sandbox Should Sit at the Heart of Every Security System (diagram showing Web Server, Mail Server and Analytical Lab around the sandbox)
  18. QUESTIONS?
  19. Our Partners: ADNET proudly partners with leading technology and business solution providers to help our clients find the best possible fit for their needs. We encourage you to visit our partners' websites to learn more about their services.
  21. @ADNETTech @ADNETTechnologiesLLC @ADNETTechnologiesLLC @MarcumLLP @Marcum-LLP @MarcumLLP
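The following Python models the triage order that slides 5, 8 and 14 describe: the cheap static steps (AV prefilter, file reputation lookup) run first and short-circuit, only objects unknown to both are detonated, callback findings are merged into the behavioural verdict, and a forensics record of the kind slide 5 says should be mailed out is produced. It is an added illustration written for this page, not Fortinet or FortiSandbox code, and says nothing about how that product is implemented. The signature table, reputation table, behaviour weights, sample traces and the C2 hostname are all constructed for the demo.

```python
"""Staged sandbox triage modelled on the four steps of slide 8.
Added example, not Fortinet/FortiSandbox code; every signature, hash,
behaviour event and C2 hostname here is constructed for the demonstration."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Sample:
    name: str
    content: bytes
    # Behaviour trace the sandbox VM would have recorded as (event, detail).
    # Constructed inline so the example runs offline without a VM.
    trace: List[Tuple[str, str]] = field(default_factory=list)


@dataclass
class Verdict:
    label: str             # "clean" | "suspicious" | "malicious"
    stage: str             # the stage that produced the decision
    indicators: List[str]  # reasons / IOCs carried into the forensics report


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Step 1: AV prefilter. Constructed byte-pattern "signature" table.
SIGNATURES: Dict[bytes, str] = {
    b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE": "EICAR test signature",
}


def av_prefilter(sample: Sample) -> Optional[Verdict]:
    for pattern, name in SIGNATURES.items():
        if pattern in sample.content:
            return Verdict("malicious", "av_prefilter", [f"signature: {name}"])
    return None  # no signature hit: fall through to the reputation lookup


# Step 2: cloud file query. Constructed reputation table keyed by SHA-256.
KNOWN_GOOD = b"%PDF-1.4 constructed quarterly report"
REPUTATION: Dict[str, str] = {sha256(KNOWN_GOOD): "clean"}


def cloud_file_query(sample: Sample) -> Optional[Verdict]:
    digest = sha256(sample.content)
    label = REPUTATION.get(digest)
    if label is None:
        return None  # unknown to the community: it must be detonated
    return Verdict(label, "cloud_file_query", [f"sha256: {digest}"])


# Step 3: full virtual sandbox. Weighted scoring of the recorded behaviour.
BEHAVIOUR_WEIGHTS: Dict[str, int] = {
    "spawn_office_child": 2,  # Office process launching a shell or script host
    "persistence": 3,         # run key or scheduled task written
    "process_inject": 4,      # code written into another process
}
MALICIOUS_SCORE = 5


def score_behaviour(sample: Sample) -> Tuple[int, List[str]]:
    score, indicators = 0, []
    for event, detail in sample.trace:
        weight = BEHAVIOUR_WEIGHTS.get(event, 0)
        if weight:  # informational events (e.g. screenshots) carry weight 0
            score += weight
            indicators.append(f"{event}: {detail}")
    return score, indicators


# Step 4: callback detection. Constructed C2 blocklist; any hit is decisive.
C2_BLOCKLIST = {"c2.example.invalid"}


def detect_callbacks(sample: Sample) -> List[str]:
    return [f"callback: {detail}" for event, detail in sample.trace
            if event in ("dns", "connect") and detail in C2_BLOCKLIST]


def triage(sample: Sample) -> Verdict:
    """Cheap static steps first; only objects unknown to both cost VM time."""
    for stage in (av_prefilter, cloud_file_query):
        verdict = stage(sample)
        if verdict is not None:
            return verdict
    score, indicators = score_behaviour(sample)
    callbacks = detect_callbacks(sample)
    indicators += callbacks
    if callbacks or score >= MALICIOUS_SCORE:
        label = "malicious"
    elif score > 0:
        label = "suspicious"
    else:
        label = "clean"
    return Verdict(label, "full_sandbox+callback_detection", indicators)


def forensics_report(sample: Sample, verdict: Verdict) -> Dict[str, object]:
    """The record slide 5 says should be mailed to the pre-defined alias list."""
    return {"file": sample.name, "sha256": sha256(sample.content),
            "verdict": verdict.label, "decided_by": verdict.stage,
            "indicators": list(verdict.indicators)}


# Constructed submissions, one per path through the pipeline.
SAMPLES = [
    Sample("eicar.com", b"constructed EICAR-STANDARD-ANTIVIRUS-TEST-FILE body"),
    Sample("report.pdf", KNOWN_GOOD),
    Sample("invoice.docm", b"constructed macro document", trace=[
        ("spawn_office_child", "WINWORD.EXE -> powershell.exe"),
        ("persistence", "HKCU Run value written"),
        ("screenshot", "installer dialog captured"),
        ("dns", "c2.example.invalid"),
    ]),
    Sample("template.dotx", b"constructed benign template",
           trace=[("file_read", "normal.dotm")]),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(forensics_report(sample, triage(sample)))
```

The ordering is the point: a signature or reputation hit returns before any VM is spent, which is what lets one appliance with several VMs keep up with submissions from mail, firewall and file-share feeds, while a confirmed callback to a blocklisted host is treated as decisive on its own regardless of the behaviour score.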