Check Point Solutions Portfolio- Detailed
•Download as PPTX, PDF•
9 likes•4,135 views
Check Point's CloudGuard provides advanced threat prevention across cloud environments. It offers security solutions for SaaS, IaaS, and SDN environments. CloudGuard for SaaS provides identity protection, data leak prevention, and zero-day threat protection for SaaS applications. CloudGuard for IaaS brings the same advanced threat prevention features of Check Point gateways to multiple public clouds. It uses a hub and spoke architecture for perimeter and east-west security. CloudGuard also supports multi-cloud and hybrid cloud environments with dynamic policies. For VMware NSX environments, CloudGuard integrates with NSX to provide network security.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Check Point Solutions Portfolio- Detailed
Similar to Check Point Solutions Portfolio- Detailed (20)
More from Moti Sagey מוטי שגיא
More from Moti Sagey מוטי שגיא (18)
Recently uploaded
Recently uploaded (16)
Check Point Solutions Portfolio- Detailed
- 1. 1©2018 Check Point Software Technologies Ltd.©2018 Check Point Software Technologies Ltd. March 2018 SOLUTION PORTFOLIO This is an interactive slide deck. Use Click to drill down Click on to go back to main slide
- 2. Where are we ? 1990 2000 2010 2015 2017 THREATS PROTECTIONSNetworks Gen II Applications Gen III Payload Gen IV GRADE I GRADE II GRADE III GRADE V GRADE IV Virus Gen I Enterprises are between Gen 2-3 2.8 Mega Gen V
- 3. GEN 5 PROTECTION Against MEGA ATTACKS
- 4. 4©2018 Check Point Software Technologies Ltd. 4©2018 Check Point Software Technologies Ltd. WHAT INGREDIENTS DO WE NEED ?
- 6. Check Point Infinity Architecture Best Threat Prevention across entire enterprise Shared Threat Intelligence Consolidated Security Management MOBILE ENDPOINT Hybrid Cloud NETWORK Perimeter & Data centers CLOUD
- 7. NETWORK Shared Threat Intelligence Consolidated Security Management Multi & Hybrid Cloud Headquarters Branch Access Control Multi Layered Security Advanced Threat Prevention Data Protection Access Control Multi Layered Security Advanced Threat Prevention Wi-Fi, DSL, PPoE Ready MOBILE Network Protection Device Protection App Protection Capsule WorkSpace/Docs Remote Access Secure Business Data Protect Docs Everywhere ENDPOINT Anti-Ransomware Forensics Threat Prevention Access/Data Security Access Control Secure Media Secure Documents CLOUD Advanced Threat Prevention Adaptive Security Automation and Orchestration Cross Environment Dynamic Policies Infrastructure Identity Protection Sensitive Data Protection Zero-Day Threat Protection End-to-end SaaS Security Applications
- 8. PRODUCTS FAMILY GATEWAYS, CLOUD Perimeter and cloud protection SANDBLAST AGENT Endpoint and browsers protection SANDBLAST API Custom applications protection SANDBLAST MOBILE Mobile device protection
- 9. THREATEXTRACTION CPU-Level Detection Catches the most sophisticated malware before evasion techniques deploy O/S Level Emulation Stops zero-day and unknown malware in wide range of file formats Malware Malware Original Doc Safe Doc Threat Extraction Deliver safe version of content quickly SandBlast Network HOW IT WORKS
- 10. • A mail with a malicious content (attachment or URL) is sent • The content is inspected for potential threats using KNOWN signatures/URL reputation • Malicious download/Exploit are blocked Hacker Threat Intelligence • A user is downloading malicious content from the web SandBlast Network HOW IT WORKS
- 11. • For UNKNOWN attacks/browser exploits the content is sent for emulation in cloud or in designated local appliance • If the file identified as malicious, the mail is quarantined and the incident is reported to the administrator CPU Level Machine Learning Emulation Engine File/URL Reputation Push Forward Hacker Traps & Decoys SandBlast Network HOW IT WORKS Threat Intelligence
- 12. • In parallel, a sanitized copy is sent to the user without any embedded objects, macros, Java Script Code and sensitive hyperlink • Post Emulation, If identified as benign, per the user request, the original attachment will be delivered to the user A sanitized file is sent MTA SandBlast Network HOW IT WORKS Threat Intelligence
- 13. ELEMENTS IN NEED OF PROTECTION INCOMING MAIL BROWSING USERS EXPOSED SYSTEMS INCOMING MAIL
- 14. SANDBLAST THREAT EMULATION SANDBLAST THREAT EXTRACTION Detects and blocks unknown malware and Zero-day attacks Proactively delivers safe, reconstructed files to avoid delays
- 15. DELIVER CLEAN ATTACHMENTS GET THE DATA NOT THE RISK Convert documents to PDF CONVERT MODE Retain file format, remove active content CLEAN MODE Fast delivery Preserve all text and visual content We recommend CONVERT MODE - for Word documents CLEAN MODE - for everything else Threat Extraction for Documents Self-catered access to original files
- 16. SMTP MAIL TRANSFER AGENT SMTP ANTI-SPAM MAIL SERVER MTA next hop = GW SMTPSMTP WHY MTA? • Guaranteed prevention • Threat Extraction support • SMTP TLS support • User interaction • Excellent stability and performance • Configuration granularity • Mail queue visibility and control • Continued improvements in R80.20 MTA next hop = Mail Server CHECK POINT GATEWAY
- 17. WHERE TO DEPLOY YOUR MTA? OR Reuse existing gateway PERIMETER GATEWAY ANTI-SPAM PERIMETER GW Mail Server DEDICATED GATEWAY Don’t impact perimeter gateway ANTI-SPAM MTA GW Mail Server
- 18. ELEMENTS IN NEED OF PROTECTION BROWSING USERS EXPOSED SYSTEMS INCOMING MAIL BROWSING USERS
- 19. Evasion-resistant sandbox detection of malicious flash PUSH-FORWARD Threat Emulation dynamically drives Adobe Flash execution, forcing detonation if it’s malicious
- 20. IPS ANTI-VIRUS THREAT EMULATION THREAT EXTRACTION* NETWORK PROTECTIONS * Coming in R80.20 MALICIOUS DOWNLOADS BROWSER EXPLOITS CREDENTIAL THEFT BROWSING THREATS ANTI-VIRUS THREAT EMULATION THREAT EXTRACTION ANTI-EXPLOIT ZERO PHISHING ANTI-RANSOMWARE ENDPOINT PROTECTIONS GATEWAY PROTECTING BROWSING USERS SANDBLAST AGENT SANDBLAST NETWORK USERSATTACKER
- 21. WHAT IF A SYSTEM IS COMPROMISED? ANTI BOT Identify and contain infections
- 22. ANTI-BOT C&C INFECTED HOST ATTACKER GATEWAY C&C Anti-Bot prevents C&C communications LOG What about roaming users? Use Anti-Bot and Forensics with SandBlast Agent
- 23. ANTI-BOT: PINPOINT INFECTED HOSTS when behind a proxy INFECTED HOST ATTACKER GATEWAY C&C PROXY C&C PROBLEM Source IP = Proxy SOLUTION Turn on XFF IP: 10.100.0.123 HTTP REQUEST WITH XFF Correct IP written to log Blocked by Anti-Bot PRIVACY CONCERNS? GET /index.html HTTP/1.1 HOST: www.example.com X-FORWARDED-FOR: 10.100.0.123 ... GET /index.html HTTP/1.1 HOST: www.example.com X--------------: XXXXXXXXXXXX ... The gateway can wipe the internal IP.
- 24. ANTI-BOT: PINPOINT INFECTED HOSTS when behind a DNS Server INFECTED HOST ATTACKER GATEWAY DNS QUERY PROBLEM Source IP = DNS Server IP: 10.100.0.123 Blocked by Anti-Bot DNS Server SOLUTION Turn on DNS TRAP DNS QUERY Resolve C&C domain 1 DNS response with predefined IP 2 Communication attempt with the predefined IP is pinpointed to the infected host 3
- 25. Threat Intelligence Endpoint Blades SandBlast Mobile Anti-Bot Anti-Virus Application Control URL Filtering Threat Emulation IPS Industry Feeds Collaboration - URLs, Hashes, Domains - Virus Total indicators - Cyber Threat Alliance Data Mining - Campaign hunting Threat Intelligence CERTS Sensors Malware research Event Analysis Analysts Community AI 400 researchers & Analysts
- 26. ©2018 Check Point Software Technologies Ltd. CloudGuard
- 27. ADVANCED THREAT PREVENTION FOR CLOUD ENVIRONMENT Check Point CloudGuard
- 28. CloudGuard • New name for all our cloud security solutions including vSEC • Introduction of new SaaS/CASB offering • Introduction of Alibaba Cloud and Oracle Cloud offerings
- 30. ©2018 Check Point Software Technologies Ltd. CloudGuard for SaaS
- 31. CLOUDGUARD SAAS SAAS SECURITY IS ONE CLICK AWAY Identity Protection Protect Sensitive Data Zero-day threats Protection End-to-End SaaS Security
- 32. Security Gateway SAAS PROVIDERS SECURITY STACK Prevent Account Takeovers Data Leak Prevention Reveal Shadow IT HOW IT WORKS API & AD … CloudGuard SaaS Documents encryption Zero-day Threats Protection
- 33. Accesses App Accesses App Stolen ID Hacker Identify Device • Only users and devices with ID- Guard endpoint agent can login • Malicious login prevented even if the hacker has correct credentials • No user involvement PREVENT ACCOUNT TAKEOVER WITH CLOUDGUARD SAAS IDENTITY PROTECTION Identity Server ADFS, AzureAD, Okta Employee Identity Server ADFS, AzureAD, Okta
- 34. • Collects network intelligence from on premise devices, Threat Cloud and SaaS • Prevents suspicious logins Example: seen in two locations, bad source IP reputation Accesses app Stolen credentials Hacker Intelligence PREVENT ACCOUNT TAKEOVER WITH CLOUDGUARD SAAS IDENTITY PROTECTION Agentless Mode Identity Server ADFS, AzureAD, Okta
- 35. ©2018 Check Point Software Technologies Ltd. CloudGuard for IaaS
- 36. ADVANCED THREAT PREVENTION FOR CLOUD ENVIRONMENTS CHECK POINT CLOUDGUARD IAAS IN AN AGILE AND AUTOMATED NATURE
- 37. CLOUD = SHARED RESPONSIBILITY Customer responsible for security in the cloud Customer Data Platform, Applications, IAM Operating System, Network and FW Configs Client-side Data Encryption & Data Integrity Authentication Server-side Encryption (File System / Data) Network Traffic Protection (Encryption, Integrity, Identity) Cloud vendor responsible for security of the cloud Cloud Global Infrastructure Regions Availability Zones Edge Locations Compute Storage Database Networking
- 38. CloudGuard IaaS • All the Advanced Threat Prevention features of Check Point Security Gateways and R80 Management plus: • For all these clouds ACI Automation and Orchestration Cross Environment Dynamic Policies Adaptive Security
- 39. CloudGuard IaaS Advanced Protection Basic Firewall / Access Rule Firewall IPS App Control DLP Zero-Day Anti-bot Forensics FilteringAntivirus Threat Emulation Threat Extraction Multi-cloudVPN Identity Awareness Anti-Spam
- 41. THE HUB & SPOKE ARCHITECTURE (TRANSIT) Cloud Northbound HUB Southbound HUB SPOKE 1 SPOKE 2 SPOKE N…. WWW VPN • Advanced threat protection on perimeter • North-South & East-West security is controlled by security admin • Inside spoke security controlled by DevOps
- 42. MULTI & HYBRID CLOUD ENVIRONMENTS Southbound-HUB Southbound-HUB Northbound-HUB Northbound-HUB ….. VPN WEB APP SPOKE-3 VPN ….. DB AAD SPOKE-3 VPN ….. Northbound-HUB WEB APP SPOKE-3 Southbound-HUB Azure AWS Google VPN WWW
- 43. CLOUDGUARD ADAPTIVE SECURITY Check Point Access Policy Rule From To Application Action 3 Web_SecurityGroup Object DB_VM Object MSSQL Allow 4 CRM_SecurityGroup Object SAP_SecurityGroup Object CRM Allow 5 AWS_VPC Object Azure_VNET Object ADFS Allow Drag & Drop dynamic policy with cloud objects
- 44. ©2018 Check Point Software Technologies Ltd. CloudGuard for SDN
- 45. CloudGuard for VMware NSX Hardware Hypervisor vm vm ESXi ESXi Security Management Server Hardware vSphere API NSX vSphere API NetX API vCente r Hypervisor vm vm CloudGuard CloudGuard
- 46. ©2018 Check Point Software Technologies Ltd. CloudGuard for SDDC
- 47. 72©2018 Check Point Software Technologies Ltd. CloudGuard Virtual Edition (VE) VMware ESXi CloudGuard Virtual Edition can be deployed as a security gateway to provide perimeter protection, segmentation, and inter-VM protection using standard routing configurations. Supported hypervisors
- 48. ©2018 Check Point Software Technologies Ltd. CLOUDGUARD ECOSYSTEM
- 50. ©2018 Check Point Software Technologies Ltd. MOBILITY
- 51. MOBILE THREAT DEFENSE (MTD) Android Antivirus Apps Analysis / Emulation Network Threats (MiTM,…) OS Vulnerability Research Documents Lifecycle MOBILE CONTENT MANAGEMENT (MCM) Document Repositories MOBILE APPLICATION MANAGEMENT (MAM) Enterprise Apps / Store Apps White/Black - Listing Apps White/Black - Listing App Profile Management MOBILE INFORMATION PROTECTION Secure Container Dual Persona REMOTE ACCESS (Secure) Email ProxyPer-App VPN VDI / VMIFull-Device VPN / Profile MOBILE DEVICE MANAGEMENT (MDM) Device “Fleet” Management Device Profiles (Settings) GEO-Location Tracking App Distribution SANDBLAST MOBILE CAPSULE VPN CAPSULE DOCS CAPSULE WORKSPACE CAPSULE WORKSPACE SSL VPN Native Containment
- 54. HOW IT WORKSHOW IT WORKS APP ANALYSIS (INFECTED APPS) CLOUD-BASED BEHAVIORAL RISK ENGINE ON DEVICE DETECTION OS EXPLOITS (JAILBREAK/ROOT) NETWORK ATTACKS (WIFI, BLUETOOTH) SMS ATTACKS REAL-TIME INTELLIGENCE, MONITORING AND CONTROL
- 55. HOW IT WORKSHOW IT WORKS APP ANALYSIS (INFECTED APPS) CLOUD-BASED BEHAVIORAL RISK ENGINE ON DEVICE DETECTION OS EXPLOITS (JAILBREAK/ROOT) NETWORK ATTACKS (WIFI, BLUETOOTH) SMS ATTACKS REAL-TIME INTELLIGENCE, MONITORING AND CONTROL
- 57. MOBILE THREAT DEFENSE (MTD) Android Antivirus Apps Analysis / Emulation Network Threats (MiTM,…) OS Vulnerability Research Documents Lifecycle MOBILE CONTENT MANAGEMENT (MCM) Document Repositories MOBILE APPLICATION MANAGEMENT (MAM) Enterprise Apps / Store Apps White/Black - Listing Apps White/Black - Listing App Profile Management MOBILE INFORMATION PROTECTION Secure Container Dual Persona REMOTE ACCESS (Secure) Email ProxyPer-App VPN VDI / VMIFull-Device VPN / Profile MOBILE DEVICE MANAGEMENT (MDM) Device “Fleet” Management Device Profiles (Settings) GEO-Location Tracking App Distribution SANDBLAST MOBILE CAPSULE VPN CAPSULE DOCS CAPSULE WORKSPACE CAPSULE WORKSPACE SSL VPN Native Containment
- 58. CAPSULE WORKSPACE | Architecture overview Corporate Servers Check Point Firewall with Mobile Access Blade Management Console Internet Mobile DeviceWireless Networks MOBILE
- 59. CAPSULE WORKSPACE | Simplify mobile security • Manage corporate data, not devices • A PIN unlocks a single app so you can ̶ Access email/calendar/PIM/Intranet securely ̶ Launch security-wrapped business apps ̶ Keep data encrypted at rest and in motion ̶ Track and require higher levels of access to docs ̶ Extend consistent security to iOS and Android ̶ Wipe corporate data on lost or stolen devices ̶ Capsule Workspace is integrated with Check Point Mobile Threat Prevention
- 60. Anti-Ransomware Forensics Threat Prevention Access/Data Security Access Control Secure Media Secure Documents ENDPOINT
- 61. Identify and block unknown and zero- day threats Deliver clean documents in seconds Safeguard credentials from theft Accelerate understanding for better response Keeping endpoints safe from cyber extortion ADVANCED THREAT PREVENTION TECHNOLOGIES THREAT EMULATION THREAT EXTRACTION ZERO PHISHING FORENSICS ANTI RANSOMWARE
- 62. SANDBLAST SERVICE Web downloads sent to remote SandBlast1 Sanitized version delivered promptly2 Original file emulated in the background3 How SandBlast Agent Works
- 63. Visual Similarity Text Similarity Title Similarity URL Similarity Lookalike Characters Image Only Site Multiple Top-Level Domain Lookalike Favicon IP Reputation Domain Reputation PHISHING SCORE: 95% User access to new site triggers review1 Evaluation based on reputation and advanced heuristics2 Verdict issued in seconds3 Beware! Probable Phishing Attack How Zero-Phishing Works
- 64. Corporate Credentials With so many credentials to remember… Users often re-use the same password Corporate Password Exposed How Credential Protection Works Preventing Reuse of Corporate Credentials
- 65. How Forensics Works FORENSICS data continuously collected from various OS sensors 1Report generation automatically triggered upon detection of network events or 3rd party AV 2 Digested incident report sent to SmartEvent4Processes Registry Files Network Advanced algorithms analyze raw forensics data3
- 66. How Anti-Ransomware Works ONGOING UPON DETECTION BEHAVIORAL ANALYSIS Constantly monitor for ransomware specific behaviors DATA SNAPSHOTS Continuously create short- term file backups QUARANTINE Stop and quarantine all elements of the attack RESTORE Restore encrypted files from snapshots ANALYZE Initiate forensic analysis to analyze attack details RANSOMWARE PROTECTION IS ON
- 67. ADVANCED THREAT PREVENTION TECHNOLOGIES THREAT EMULATION THREAT EXTRACTION ZERO PHISHING FORENSICS ANTI RANSOMWARE BASELINE THREAT PREVENTION TECHNOLOGIES ACCESS CONTROL ANTI VIRUS ANTI BOT
- 68. Secure Remote Mobile Access to corporate resources Security verification Compliance with regulatory requirements How Access Control Works Industry first Desktop Firewall and Application Control Secure endpoint access, data in transit and verify compliance
- 69. Lockdown infected machines • Block C&C communications • Prevent data exfiltration Identify compromised hosts • Inside and outside the network • Pinpoint when inside the network Detect the C&C Channel – and we know the host is infected Block the C&C Channel – and we contain the malware Communications BlockedANTI-BOT How Anti-Bot Works C&C Communications
- 70. How Full Disk Encryption Works Windows and Apple Pre-Boot Authentication
- 71. Business Data SegregationSeamless Experience Automatic data encryption and seamless access to authorized users Policy based automatic segregation End User Education Engage and educate users with UserCheck Non Business Data (E:) Business Data – Encrypted (F:) Transparent security for information on storage drives How Media Encryption Works
- 72. Ensure that only authorized devices/ports can be used Get the benefit of a flexible blacklisting/whitelisting approach Use discovered devices for policy fine-tuning How Port Protection Works
- 73. Share Select the authorized users and groups Classify Classify and set permissions according to your needs Encrypt Data Protect your documents with a single click Automatic protection for seamless user experience User Education and Engagement using UserCheck How Capsule Docs Works
- 74. ©2018 Check Point Software Technologies Ltd. SECURITY MANAGEMENT
- 75. NETWORK Shared Threat Intelligence Consolidated Security Management Hybrid Cloud Headquarters Branch Access Control Multi Layered Security Advanced Threat Prevention Data Protection Access Control Multi Layered Security Advanced Threat Prevention Wi-Fi, DSL, PPoE Ready MOBILE Network Protection Device Protection App Protection Capsule WorkSpace/Docs Remote Access Secure Business Data Protect Docs Everywhere ENDPOINT Anti-Ransomware Forensics Threat Prevention Access/Data Security Access Control Secure Media Secure Documents CLOUD Advanced Threat Prevention Adaptive Security Automation and Orchestration Cross Environment Dynamic Policies Infrastructure Identity Protection Sensitive Data Protection Zero-Day Threat Protection End-to-end SaaS Security Applications Advanced Threat Prevention Adaptive Security Automation and Orchestration Cross Environment Dynamic Policies SmartEvent Compliance Unified Policy
- 76. Consolidated Security Integration Compliance SIEM/SOC Scalability Layered Policy Delegation Collaboration Unified Policy & Single Console
- 77. Consolidated Security Integration Compliance SIEM/SOC Scalability Layered Policy Delegation Collaboration Unified Policy & Single Console • Manage everywhere - all aspects of security on both physical, virtual and cloud based environments. • Manage everything from users to data to applications • Manage efficiently - All access points are now controlled in one place
- 78. Consolidated Security Integration Compliance SIEM/SOC Scalability Layered Policy Delegation Collaboration Unified Policy & Single Console Inline O r d e r e d Inline • Optimizing rule matching process - Only packets matching the Parent Rule will be checked against the rules of the Inline Layer • Reuse Layers in multiple Policies or multiple times in the same policy Ordered • Each layer performs one or more specific security actions • The layers will be matched top-down
- 79. Consolidated Security Integration Compliance SIEM/SOC Scalability Layered Policy Delegation Collaboration Unified Policy & Single Console • Concurrent Administrators can work simultaneously on the same rulebase without conflict • Workflow and Auditing - All actions are monitored, logged and can be reviewed accordingly. • Granular admin delegation – dedicated policies for specific admins
- 80. Consolidated Security Integration Compliance SIEM/SOC Scalability Layered Policy Delegation Collaboration Unified Policy & Single Console Provisioning of security - segmenting security into multiple virtual domains Centralized management - manage security on a global level while ensuring separation of data for each of the protected business entities Granular, role-based administration - • access policy admin • Content inspection admin • SIEM/Helpdesk operator
- 81. Consolidated Security Integration Compliance SIEM/SOC Scalability Layered Policy Delegation Collaboration Unified Policy & Single Console Events • Logging, monitoring, event correlation & reporting in a single view. • Filter, search and report in seconds • Predefined graphical reports and customizable event views • 3rd party plug-n-play support of SIEM solutions Logs Reports
- 82. Consolidated Security Integration Compliance SIEM/SOC Scalability Layered Policy Delegation Collaboration Unified Policy & Single Console • Examines environment’s Security Gateways, Blades, Policies and configuration Settings in real- time to avoid human-error according to industry (Retail, Healthcare, Financial etc..) • Compared with Check Point extensive database of regulatory standards and security best practices to ensure security at the highest level.
- 83. Consolidated Security Integration Compliance SIEM/SOC Scalability Layered Policy Delegation Collaboration Unified Policy & Single Console Automate daily Tasks and workflows to improve productivity e.g. • Policy installation and synchronization • using an orchestration tool deploy a new rulebase and objects). • Integrate deployment of Check Point Gateways with cloud templates Integrate Check Point products with other solutions (virtualization servers, ticketing systems etc…)
- 84. Consolidated Security Integration Compliance SIEM/SOC Scalability Layered Policy Delegation Collaboration Unified Policy & Single Console IPS Firewall Antivirus Threat Extraction Threat Emulation Anti-bot
- 85. Security Gateways Designed for Gen V Cyber Security Next Generation Threat Prevention Technologies Advanced Network Security Firewall IPS App Control Threat Emulation Threat Extraction Antivirus DLP Anti-Bot Anti- Spam VPNURL Filtering Security & Threat Management ForensicsSingle Management Full Threat Visibility Reporting Compliance Identity Aware BRANCH PRIVATE CLOUD ACI HEADQUARTERS SCADA SYSTEMS MANAGEMENT CLOUD IaaS NETWORK Access Control Advanced Threat Prevention Segmentation SMALL OFFICE
- 86. FULL RANGE OF MOST ADVANCED THREAT PREVENTION 3000 Appliances (2 models) 5000 Appliances (6 models) 15000 Appliances (2 models) 23000 Appliances (2 models) 1400 Appliances (4 models) Activate Advanced Threat Prevention Inspect encrypted (SSL) traffic Stronger and Future Proof !
- 87. Prevents Exploits of Known Vulnerabilities Enforce Protocol Specifications Detect Protocol Anomalies Signature based Engine Today IPS is seen as commodity How IPS Works
- 88. Hash based signature Engines Malware Feeds Blocks Access to Malware Sites How Antivirus Works Block Download of Known Malware
- 89. Stops traffic to remote operators Multi-tier PREVENT Bot Damage IDENTIFY Bot Infected Devices Reputation Patterns SPAM How Anti-Bot Works Identify and Isolate Infected Hosts to Prevent Bot Damage
- 90. Preconfigured tags/categories Allow, block or limit usage User identification How Application Control Works Granular Control Using Over 7,700 Pre-defined Applications
- 91. How URL Filtering Works Allow, Block or Limit Web Access Based on Time or Bandwidth
- 92. Granular Visibility of Users, Groups and Machines How Identity Awareness Works BRANCH CLOUD IaaSPRIVATE CLOUD ACI HEADQUARTERS RADIUS TERMINAL SERVER {REST} API KERBEROS AD QUERY IDENTITY AGENT REMOTE ACCESS CLIENTS IDENTITY COLLECTOR CISCO ISE TRUSTSEC Network IDENTITY SOURCES IDENTITY POLICY ENFORCEMENT
- 93. Involve UsersPrevent Data Loss Open MultiSpect Detection Language 800+ file formats 600+ data types How DLP Works Inspect Sensitive Data Leaving Organizations in Real Time Detect Proprietary Documents
- 94. ©2018 Check Point Software Technologies Ltd. BRANCH OFFICE
- 95. BRANCH LAN App Control URL Filtering Full-Featured Threat Prevention Zero Touch Provisioning Large Scale Management Large Scale site-to-site VPN Secure, Simp le, Sca la b le Advanced Protections Across The Network Firewall IPS VPN Identity Awareness Antivirus Anti-Bot Anti-Spam Sandboxing
- 96. 6400044000 Firewall Throughput 377 Gbps 880 Gbps Threat Prevention Real-world performance 21 Gbps 42 Gbps NGFW Real-world performance 29.6 Gbps 59.2 Gbps 64000Security Platform 44000Security Platform Scalable Threat Prevention Platforms high port density | single management object | designed for zero down time
- 97. Virtual Systems Max Efficiency with Hardware Virtualization Consolidate Up To 250 Gateways To Secure Multiple Network Segments Unique Virtual System Load Sharing (VSLS) For Unmatched Availability
- 98. Multiple Security Group More And More Hardware Efficiency Support Up To 8 Segregated Installations On Separate Blades - Same Chassis Each Security Group Runs An Independent SMO With Its Own Software Version And Configuration Each Security Group Can Run Up To 250 Virtual Systems: 2,000 VSs in Total
- 99. ©2018 Check Point Software Technologies Ltd. ICS/SCADA
- 100. SMB / branch solutions Wireless / Wired SMB gateways Industrial Control Systems (ICS) Over 800 SCADA commands in Application Control Security for ICS/SCADA Systems
Editor's Notes
- FOCUS ON REAL TIME PREVENTION WITH BEST TECHNOLOGIES SHARED INTERLLIGNECE ACROSS THE ENTIRE NETWORK CONSOLIDATED MANAGEMENT
- WE ARE IMPLEMENTING GEN 5 WE ALL NEED TO STEP UP AND IMPLEMENT THESE TECHNOLOGIES
- Check Point SandBlast Zero-Day Protection detects the attacks, which are Highly Motivated and Sophisticated Customized for high-value targets (specifically designed/programmed) AND Have never been used before
- As defenders, we are tasked with protecting these three elements within our organizations that attackers go after: Incoming Mail, Browsing Users and our Exposed Systems. These three elements are responsible for almost all real-world cyber-attacks we see in the wild. <CLICK> We’ll start with protecting your mail
- The two key SandBlast components that will let you protect incoming mail are Threat Emulation and Threat Extraction - which are designed to work together. Threat Emulation is our evasion-resistant sandbox, which detects and blocks advanced zero-day malware in any file type, and specifically in documents with the aid of our unique CPU-Level technology. The second component is Threat Extraction – the technology for delivering clean, sanitized documents to users. <CLICK> Extraction is built for documents, which as we saw earlier, constitute 96% of all mail attachments. So it is highly relevant and highly effective.
- A few important points to keep in mind on Threat Extraction: The technology offers two modes of operation: ‘Clean’ delivers files in their original formats while removing active content such as scripts. So for instance, a PowerPoint presentation will be delivered as a PowerPoint presentation. ‘Convert’ transforms files into PDF – it’s a more aggressive transformation, user experience is not as good as with Clean mode, but virtually no malware can survive this transformation. So you have a the classic tradeoff here between security and user-experience. <CLICK> What we normally recommend is to use Convert mode for Word documents as this normally renders good results that user have no problem using, and use ‘Clean’ mode for all other types. Keep in mind that users can always get seamless access to the original file if they need to – it’s a simple click and they get the original, of course, only if was found to be clean by the Threat Emulation sandbox.
- In order to implement strong mail defense you want to deploy the gateway as an Mail Transfer Agent – MTA. It means that the gateway doesn’t just route SMTP traffic, <CLICK> instead the gateway is defined as a formal mail relay, acting as a sort of proxy for SMTP traffic. It’s a simple configuration on your anti-spam and on the gateways to make this happen. <CLICK> Deploying the gateway as MTA guaranties that we can BLOCK malicious mail. It’s also required for Threat Extraction. It is the only way to handle encrypted mail traffic MTA also let’s us manipulate mails before delivery – for example in order to embed a link to the original if the attachment is extracted. <CLICK> We’ve been working very hard on MTA improvements and it’s come a long way. Our gateway MTA now enjoys excellent stability and performance, and will give you very good visibility and control. We have a dedicated team in RnD that is continuing to focus on this, and many more improvements will be coming later this year with R80.20.
- One important consideration is how to deploy the MTA. You can either dedicate a gateway to handle MTA traffic or reuse an existing gateway. <CLICK> While both options are fully supported, we recommend dedicating a gateway for MTA. For instance, a relatively small 5600 appliance should be able to handle mail for 10,000 users. If you do want to use an existing gateway also as your MTA then you’ll need to validate your sizing (keep in mind that MTA is I/O intensive), and take some care in the policy a SMTP is entering the gateway twice.
- That’s it for protecting your incoming mail. <CLICK> Next, let’s discuss the second attack vector that attempts to penetrate by compromising users while their browsing the web.
- Speaking of Flash, you should know that detecting zero-day malicious Flash is really hard. The Threat Emulation sandbox includes a unique, patented technology – ‘Push-forward’, which can very reliably detect evasive malicious Flash objects which can evade detection by conventional sandbox products.
- There are several ways that attackers go after browsing users: First, getting the user to download and launch a malicious attachment. Second, exploiting the browser, for instance using malicious Flash objects or other browser exploits And finally, the web is also used for phishing user credentials as a first stage in an attack. To effectively protect against all these vectors, we recommend that you apply protections on both the network and the endpoint. <CLICK> On the network, use IPS to block browser exploits and malicious file downloads. For instance, we have IPS protections for exploiting the recent Meltdown and Spectre attacks using javascript. Anti-virus will also help block malicious downloads and access to malicious web sites. Threat emulation gives you the active sandbox layer for preventing unknown and zero-day web attacks. Specifically, the unique Push-Forward technology we mentioned earlier is fundamental for preventing Flash attacks. Threat Extraction will be available as a streaming protection engine on the network for web downloads in R80.20 – giving you proactive file sanitation for extra protection. <CLICK> The endpoint adds some unique protections. Our new ‘Anti-Exploit’ technology is an important last-line-of-defense to prevent browser and other program exploitation during run-time. ‘Zero Phishing’ is essential to preventing users from surrendering their credentials to unknown phishing sites And finally, ‘Anti-Ransomware’ detects and prevents ransomware infections, and can roll recover encrypted files with the simple click of a button.
- In terms of deployment, the simple way is to reuse your perimeter gateway for inline web inspection. In this topology, the gateway will need to perform SSL termination, and you’ll have full control on the policy and full support with all threat prevention blades. An alternative that has proven quite popular with our customers, is to integrate the gateway with your web proxy using the ICAP protocol. With ICAP the proxy performs the SSL termination, offloading the gateway, and you can control what traffic goes via the gateway in the proxy configuration. Keep in mind that currently only the Threat Emulation and AV blades are supported with ICAP. We are working to add all blades – hopefully later this year.
- We’ve covered web and mail. <CLICK> Next, let’s talk about your systems.
- Your IPS is worthless if it isn’t constantly updated. So if you’re unsure – head to the Updates tab in your policy and make sure that scheduled updates are turned on. In R80.20 we’ll be improving this mechanism further so that gateways will each independently download updates without needing to push policy.
- If you are looking for the best possible IPS protection, then we give you ample tools to optimize your configuration. With R80 you can assign individual profiles to any network segment or host. Use the tags and quick search to rapidly select relevant protections and assign them to your custom profile. You can even use the output of vulnerability assessment tools to automatically build profiles with relevant protections.
- The final point we’d like to touch on is dealing with a compromise. What do you do if and when one of your systems or endpoints becomes infected? <CLICK> The key in such an event is to quickly identify and contain the infection. Anti Bot is the technology that we use for that.
- Malware will always communicate back to the attacker command and control. We call this C&C traffic. <CLICK> Anti Bot has a very simple concept – it scans outgoing traffic to identify C&C communications. The C&C traffic is intercepted and blocked - preventing malware propagation and data exfiltration. <CLICK> And the incident is written to a log. Anti-Bot logs that are the most important ones for you to monitor as they are a certain indication that a system is compromised and you must take corrective action. If you have a SOC, then make sure they know to look for these logs and that they understand what they mean. <CLICK> If you have roaming users, who are outside your network, then Anti Bot on the gateway won’t help identifying when their infected. <CLICK> That’s why we have Anti-Bot also on endpoints with SandBlast Agent – it extends your coverage to detect infected endpoints no matter where they are. SandBlast Agent adds also forensic analysis and remediation – critical elements to help your need for rapid incident containment and response.
- One common issue with Anti Bot logs is if the gateway is behind your proxy. <CLICK> Anti Bot will identify and block the command & control communication without problem, so the attacker is cut off and the malware is contained. The problem is that the source IP of the connection is the proxy – so it’s impossible to pinpoint the infected system in such a case. <CLICK> There is a simple trick to resolve this: enable the X-Forwarded-For (XFF) header feature on your proxy. <CLICK> This adds the endpoint IP to each HTTP request and let’s us write IP of the infected system to the log. <CLICK> If you don’t like the idea of legitimate requests including a header with internal Ips, then we have a feature on the gateway that will eliminate them, so you never expose this stuff to the outside world.
- Another common issue with Anti-Bot occurs when the gateway is behind your internal DNS server. <CLICK> Anti-Bot commonly identifies C&C based on the DNS query to resolve the attackers C&C domain. In this case, the DNS query will be coming to the gateway from your DNS server’s IP, and again we will log the wrong IP – that pf the DNS server. So how do you pinpoint the infected endpoint in this situation? <CLICK> DNS Trap to the rescue. <CLICK> This feature is actually enabled by default and forces a bogus response to DNS queries blocked by Anti-Bot. For it to work, you’ll need to make sure that the predefined IP we return is routed back to the gateway. The infected host will attempt connecting to the bogus IP delivered by the gateway, and at that point we can associate this IP to the Anti-Bot detection – and allow you to pinpoint the infected host.
- Bilateral Threat Emulation – files (automatic domain, URL indicators generation) and research IPS – for researches campaign purposes Anti Bot + AV – GW statistics for researchers End Point Blades – hashes updated to Threat Cloud (such as SB Agent), even AV heuristics SB Mobile – Feed to Threat Cloud URLF – feeds TC for domains and URLs – for identifying malicious indicator Updates only from TC APPI
- Cloud is becoming common in most of the organization today, many organizations have start to work either in hybrid cloud (on-prem and public together) or multi public cloud for different platforms. But still (just like the last year), the security stays the biggest challenge in moving into the cloud.
- And that is evidenced by reading through the current headlines of data breaches and attacks against cloud services. These are just a few examples but it seems we’re hearing about more and more of these incidents all the time. It seems as though in the rush to get to the cloud we may not be doing enough to understand the risks these new environments and how best to plug the gaps.
- And that is evidenced by reading through the current headlines of data breaches and attacks against cloud services. These are just a few examples but it seems we’re hearing about more and more of these incidents all the time. It seems as though in the rush to get to the cloud we may not be doing enough to understand the risks these new environments and how best to plug the gaps.
- Verizon breach – 14 million records exposed due to unprotected Amazon storage server – data was left exposed for more than 6 months TWC – records exposed on AWS server with no password Wrestling fans had their personal information exposed in July, as a database containing information on more than 3 million subscribers was stored on an unprotected AWS S3 server. While there is no clear evidence that hackers accessed the data, it was stored in plain text without a user name or password and was accessible by anyone who could access the site. Data potentially exposed included names, educational backgrounds, earnings, ethnicity, home and email addresses, and age ranges of users' children. Security researchers also discovered a second WWE database that was also incorrectly secured with information on European fans. The WWE has since moved to properly secure the AWS S3 server, it said.
- Traditional security is not good enough since it demands too much labor from different departments in the organization to work in synchronization. Another subject is the lack of knowledge wither from the IT security personal or the DevOps teams.
- The current architecture needs to changed, applications deployed spread in different environments so perimeter security can’t protect it. The cloud environment is flexible and changes all the time while legacy security is still static.
- CloudGuard is the Check Point solution for the cloud: private, public, Hybrid and SaaS.
- CloudGuard SaaS is the only preventive security solution for SaaS applications. It provides: Identity Protection to prevent SaaS account takeovers, Zero-day threats protection to prevent any type of malware and attack from accessing your cloud application, even unknown malware and phishing attacks, it keeps sensitive data secured, and it provides end-to-end SaaS security coverage that addresses other elements of the enterprise.
- All cloud providers are working in a model called: shared responsibility, this means that we as customers needs to protect our Data, connected people and the infrastructure (like OS and network configurations).
- But the cloud providers doesn’t throw you into the deep water, they provide some basic tools, but those tools doesn’t provide advanced threat protection, unified policy management inside my environment and between cloud platforms.
- The lake of advanced security in the platforms native tools can expose you to abuse of your cloud infrastructure, data breach's and more.
- Centralized management to manage your public, private, hybrid and traditional data center. Consistent policy rules for all clouds! We do prevention! – Best security Check Point can offer across clouds. N-S and E-W, this includes, AV, Anti-bot, Threat Extraction and Emulation, URL Filtering, Application Control All Clouds – We support all major cloud platforms and the ecosystem is growing, latest to announce oracle cloud support DevOps ready – We support full RESTful API and CLI access. Adaptivness and automation – Support Auto-Provisioning via ready to use templates and APIs, Auto-Scaling security with PAYG licensing and thus, Auto-Protection with zero touch hassle. vSEC Adapts policy rules to application changes automatically.
- Forensic Analysis Advanced Threat Prevention Application and Data Security Next Generation Firewall
- Forensic Analysis Advanced Threat Prevention Application and Data Security Next Generation Firewall
- Forensic Analysis Advanced Threat Prevention Application and Data Security Next Generation Firewall
- Forensic Analysis Advanced Threat Prevention Application and Data Security Next Generation Firewall
- Our principles for the cloud security blueprint: Agile, Efficient and multi-cloud.
- Our public cloud blueprint is based on hub and spoke architecture. Some spoke can be connected just to the internet, others focused on the internal traffic and of course to both.
- Our public cloud blueprint is based on hub and spoke architecture.
- With the new security architecture can work to provide automated protection to newly created spokes, deploy new gateway with templates and provide enhanced control.
- multi cloud deployments are becoming more common and our blueprint can fit to that design.
- multi cloud deployments are becoming more common and our blueprint can fit to that design.
- Check point manages security for all cloud platforms from a single policy. That ability allow us to defines connectivity, like Azure servers with NSX security groups from the on-premise data center, with a single console via a single rule. That ability helps organizations minimize the operational overhead and complexity.
- Adaptive security allow us to increase the innovation of the operations.
- Adaptive security allow us to increase the innovation of the operations.
- Grabbed and updated from a ppt file from Oded Yarkoni.
- Here are the Mobile Security Building blocks used by enterprises to protect their assets and information. MDM/EMM –are responsible for policy enforcement of the mobile devices - they give the organization some level of control to mobile devices that are accessing company resources. Secure Containers or app wrapping solutions mainly prevent Data Leakage of important Documents in the organization. They do not protect your against attacks of the none secured areas of the mobile device or if a malware accesses the credentials to the container. The Check Point Capsule Workspace solution – is a secure container that works together with SB Mobile for the full security offering. An Anti virus solution detects known threats, signature based – but mobile security is primarily around unknown and zero days threats. Therefore, although Antivirus solutions are important – they will not protect you against the common mobile threats which put your corporation at risk. What SB Mobile brings to the table is: An encompassing solution that includes the AntiVirus within, Detects zero day and unknown threats through a variety of on device and cloud based techniques, works and integrates with MDMs and containers to complement them and create a full mobile security solution needed in every corporation today.
- Here are the Mobile Security Building blocks used by enterprises to protect their assets and information. MDM/EMM –are responsible for policy enforcement of the mobile devices - they give the organization some level of control to mobile devices that are accessing company resources. Secure Containers or app wrapping solutions mainly prevent Data Leakage of important Documents in the organization. They do not protect your against attacks of the none secured areas of the mobile device or if a malware accesses the credentials to the container. The Check Point Capsule Workspace solution – is a secure container that works together with SB Mobile for the full security offering. An Anti virus solution detects known threats, signature based – but mobile security is primarily around unknown and zero days threats. Therefore, although Antivirus solutions are important – they will not protect you against the common mobile threats which put your corporation at risk. What SB Mobile brings to the table is: An encompassing solution that includes the AntiVirus within, Detects zero day and unknown threats through a variety of on device and cloud based techniques, works and integrates with MDMs and containers to complement them and create a full mobile security solution needed in every corporation today.
- How does this advanced threat detection and mitigation happen? – Here’s how our solution works: Check Point SandBlast Mobile is composed of 3 main parts: A client app called “SandBlast Protect” installed on an Android or iOS end user mobile devices A cloud based analysis and intelligence system – known as the BRE – Behavioral Risk Engine, An admin dashboard, used to monitor and control the organizational mobile threat landscape in real time. In this ecosystem, threats are detected both on device and in the cloud (with the prime objective of maximal security with no impact on usability – battery, privacy and such). The on device analysis that is done includes: Jailbreak and Root operating system exploits Wifi man-in-the-middle network attacks SMS Phishing attacks. The in depth application analysis used to detect malicious apps, conducted in the cloud – in the Behavioral Risk Engine includes in part the most advanced sophisticated technologies such as: Dynamic app sandbox emulation app reputation threat intelligence advance code flow analysis Anti-Virus feeds and more. Finally, the management console offers end to end threat landscape monitoring capabilities and alerting to administrators needed to identify potential risks to the organization and control the security of the corporate assets and network.
- How does this advanced threat detection and mitigation happen? – Here’s how our solution works: Check Point SandBlast Mobile is composed of 3 main parts: A client app called “SandBlast Protect” installed on an Android or iOS end user mobile devices A cloud based analysis and intelligence system – known as the BRE – Behavioral Risk Engine, An admin dashboard, used to monitor and control the organizational mobile threat landscape in real time. In this ecosystem, threats are detected both on device and in the cloud (with the prime objective of maximal security with no impact on usability – battery, privacy and such). The on device analysis that is done includes: Jailbreak and Root operating system exploits Wifi man-in-the-middle network attacks SMS Phishing attacks. The in depth application analysis used to detect malicious apps, conducted in the cloud – in the Behavioral Risk Engine includes in part the most advanced sophisticated technologies such as: Dynamic app sandbox emulation app reputation threat intelligence advance code flow analysis Anti-Virus feeds and more. Finally, the management console offers end to end threat landscape monitoring capabilities and alerting to administrators needed to identify potential risks to the organization and control the security of the corporate assets and network.
- Grabbed and updated from a ppt file from Oded Yarkoni.
- So how does it all come together from an architecture perspective? It’s very straight forward. The traffic coming from the Capsule Workspace on the mobile device, goes to the Mobile Access Blade. The gate-keeper of your corporate environment. Based on the policy that was dictated through the Management Console, the blade will decide whether that traffic should gain access to internal resources such as email or intranet. It’s that simple.
- Capsule Workspace bridges that gap for companies trying to secure their corporate data. It allows you to manage what is actually important: not device, but rather your corporate data such as email, intranet, or native apps. It does so by providing a single app with secondary PIN authentication and ensures that that data is encrypted at rest and in motion. That corporate data can be remotely wiped in case a device is lost or stolen, rather than wiping employee’s personal data. It can also integrate with Check Point Mobile Threat Prevention to detect any type of mobile attack whether it comes from the device, another app, or the network.
- So how does Anti-Ransomware work? At the core of our detection engine we utilize a range of advanced behavioral algorithms The algorithms are specifically tuned to detect ransomware. We look for generic malicious behavior as well as for a very wide range of behaviors that are unique to ransomware. Things like attempting to delete shadow-copies and backups, creating ransom notes, and ultimately we constantly monitor the file-system, and we can identify early-on any activity that is illegitimately and systematically encrypting files. <CLICK> Upon detection, we utilize SandBlast Agent’s unique and advanced ability to automatically analyze incidents with it’s Automated Forensic Analysis. <CLICK> The analysis phase identifies all the malicious elements of the malware, allowing us to automatically quarantine it completely – even if it’s a new attack that we’ve never seen before. <CLICK> In some rare cases, some data could get encrypted before the quarantine is complete. In order to mitigate this case, we’ve built an ongoing mechanism that creates temporary snapshots of data files before granting any change that we suspect may be illegitimate. The back-ups are maintained on the endpoint itself. In a portion of the file-system which we protect from tampering. Because we identify if there is ransomware in play very quickly, the backed-up data files are kept just for a short term. And because it is short-term, we need to allocate just 1GB of storage on each endpoint for this to be effective. Just keep in mind that data snapshots are not a replacement for your backup system. The snapshots are maintained solely to facilitate data recovery in case of a ransomware attack. <CLICK> Now back to the detection: As we saw in the demo, if some data was encrypted during the attack then once we’ve completed the quarantine, our data snapshots allow us to automatically restore the files.
- The 3 complementary components to Anti-Malware in the traditional Endpoint Protection domain are: Desktop FW Port Protection Compliance - Security Verification for achieving compliance with regulatory requirements
- Media Encryption Usability Seamless Experience - Transparent end-user experience with automatic data encryption and seamless integration. Data read from and written to an encrypted media device is done transparently and automatically, without any user interruption. Simple access to encrypted media device also for external parties and from machines not having the client installed, based on password access. Business Data Segregation - Separate and protect business data from personal data on storage devices. Education - Engage and educate users with integrated UserCheck™ messages and dialogs. Use Check Point UserCheck™ to actively engage and educate users as they access portable media to identify potential policy incidents as they occur and remediate them immediately.
- Port Protection Our computers have many ports, such as USB and Bluetooth, allowing us to connect various types of useful devices. Sometimes we need to enforce a policy allowing connections of only specific types of devices only to specific ports – our Port Protection capability provides the solution. We can define which specific devices and ports are authorized to be used, use a blacklist or a whitelist approach and utilize the already discovered devices for policy fine-tuning.
- User Experience When using Capsule Docs to protect document, the following 3 core concepts are utilized: Classify – Choose a classification, which is basically as set of allowed and denied permissions Share – Grant access only to the relevant users and groups (including both internal users and external users / business partners). Grant elevated permissions to authors and co-authors of documents. Encrypt Data – Using strong encryption algorithms (AES 256 + RSA 2048) Capsule Docs also provides automatic protection settings (without any user intervention) as well as UserCheck messages and dialog which educate users about the actions they perform with their documents.
- User Experience When using Capsule Docs to protect document, the following 3 core concepts are utilized: Classify – Choose a classification, which is basically as set of allowed and denied permissions Share – Grant access only to the relevant users and groups (including both internal users and external users / business partners). Grant elevated permissions to authors and co-authors of documents. Encrypt Data – Using strong encryption algorithms (AES 256 + RSA 2048) Capsule Docs also provides automatic protection settings (without any user intervention) as well as UserCheck messages and dialog which educate users about the actions they perform with their documents.
- Virtual Systems technology consolidate and simplify security, allow dynamically creating and deleting virtual firewalls instances on demand. Virtual Systems and scalable platform maximizing hardware utilization using patented VSLS technology. The VSLS technology allows distributing Virtual Systems between the chassis so both chassis are processing traffic and no hardware stays idle.
- Another way of maximizing hardware utilization is multiple security groups, we allow several products to be installed utilizing the same chassis, so each group of SGMs can be installed with Security Gateway, Virtual Systems or a mix. Multiple Security Groups support up to 8 groups, each with a dedicated SMO simplifying the configuration and maintenance while sharing the same networking infrastructure (SSM), the traffic is segregated by using a dedicated network interface or a VLAN interface which are assigned per security group.