The document discusses Fortinet's security solutions and how they work together to disrupt threat chains. It describes how multiple security layers like antivirus, IPS, sandboxing, etc. each block parts of the attack lifecycle. Later stages involve more advanced techniques like behavioral analysis in the sandbox to detect even unknown threats. The full solution provides centralized protection across networks, endpoints, and cloud from a single management interface.

1. © Copyright Fortinet Inc. All rights reserved.
FORTISANDBOX
Алексей Андрияшин
2 ноября 2015
+79859996477
aandriyashin@fortinet.com

2. 2
ЖИЗНЕННЫЙ ЦИКЛ APT (ATA)
http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
…от 1 дня до 2+ лет…
Начальный
этап
внедрения
Создание
плацдарма
Повышение
привилегий
Сбор
информацииНачальная
разведка
Поддержка
присутствия
Основная
деятельность
Завершение
миссии

3. 3
РЕШЕНИЯ FORTINET
FortiDB
Database
Protectio
n
FortiClient
Endpoint Protection,
VPN
FortiToken
Two Factor
Authentication
FortiSandbox
Advanced Threat
Protection
FortiClient
Endpoint Protection
FortiGate
NGFW
FortiAuthenticator
User Identity
Management
FortiManager
Centralized
Management
FortiAnalyzer
Logging, Analysis,
Reporting
FortiADC
Application
Delivery Control
FortiWeb
Web Application
Firewall
FortiGate
DCFW
FortiGate
Internal NGFW
FortiDDoS
DDoS Protection
FortiMail
Email Security
FortiGateVM
X
SDN, Virtual
Firewall
FortiAP
Secure Access
Point
DATA CENTER
BRANCH
OFFICE
CAMPUS
FortiGate
Cloud
FortiWi
Fi
UTM
FortiGat
e
Top-of-
Rack
FortiCamera
IP Video Security
FortiVoice
IP PBX Phone
System
FortiGate
Next Gen IPS
FortiExtender
LTE Extension
Secure Wireless
Switching
Advanced Threat Protection
Authentication & Tokens
Application Security
Application Delivery/SLB
Endpoint Security
IP PBX and Phones
IP Video Surveillance
More…

4. 4
• Эшелонированная безопасность
• Высокая скорость реакции
СИНЕРГИЯ ПРИ ПРЕДОТВРАЩЕНИИ УГРОЗ
IPS
Antivirus
Anti-Spam
IP
Reputation
Web
Filtering
App Control
ОСНОВНАЯ ЗАДАЧА – РАЗОРВАТЬ ЦЕПЬ УГРОЗ И
РАЗРУШИТЬ ЛОГИКУ APT

5. 5
КОМПЛЕКСНЫЙ ПОДХОД К ОПРЕДЕЛЕНИЮ УГРОЗ
Пример: Фишинг
1. Anti-
spam
2. Antivirus
3. Web
Filtering
IPS
IP
Reputation
App Control

6. 6
Пример: Бэкдор/Бот
1. Antivirus
2. IPS
3. Web
Filtering
Anti-spam
IP
Reputation
App Control
КОМПЛЕКСНЫЙ ПОДХОД К ОПРЕДЕЛЕНИЮ УГРОЗ

7. 7
1. Anti-spam
2. Web
Filtering
3. IPS
4. Antivirus
5. IP
Reputation
6. App
Control
Добавьте
ATP SandboxИсключите
неопределенность
угроз
Пример: ATP
КОМПЛЕКСНЫЙ ПОДХОД К ОПРЕДЕЛЕНИЮ УГРОЗ

8. 8
ВОЗМОЖНЫЙ СЦЕНАРИЙ
Anti-spam
Web Filtering
Intrusion Prevention
Antivirus
App Control/
IP Reputation

9. 9
РАЗРЫВА ЦЕПИ УГРОЗ –
ШАГ 1
Спам Мошенническое
сообщение
Спам
Anti-spam
Web Filtering
Intrusion Prevention
Antivirus
App Control/
IP Reputation

10. 10
Спам
Мошенническое
сообщениеСпам
Anti-spam
Web Filtering
Intrusion Prevention
Antivirus
App Control/
IP Reputation
Фишинг
Сайт
злоумышленника
Фишинг
РАЗРЫВ ЦЕПИ УГРОЗ –
ШАГ 2

11. 11
Anti-spam
Web Filtering
Intrusion Prevention
Antivirus
App Control/
IP Reputation
Спам
Фишинг
Сайт
злоумышленника
Спам
Фишинг
Эксплойт
Мошенническое
сообщение
РАЗРЫВ ЦЕПИ УГРОЗ –
ШАГ 3

12. 12
Anti-spam
Web Filtering
Intrusion Prevention
Antivirus
App Control/
IP Reputation
Спам
Фишинг
Сайт
злоумышленника
Спам
Фишинг
Эксплойт
Мошенническое
сообщение
РАЗРЫВ ЦЕПИ УГРОЗ –
ШАГ 4

13. 13
Anti-spam
Web Filtering
Intrusion Prevention
Antivirus
App Control/
IP Reputation
Спам
Фишинг
Сайт
злоумышленника
Вредоносное ПО
Спам
Фишинг
Эксплойт
Вредоносное ПО
Мошенническое
сообщение
РАЗРЫВ ЦЕПИ УГРОЗ –
ШАГ 5

14. 14
Anti-spam
Web Filtering
Intrusion Prevention
Antivirus
App Control/
IP Reputation
Спам
Фишинг
Сайт
злоумышленника
Вредоносное ПО
C&C Центр
Спам
Фишинг
Эксплойт
Вредоносное ПО
Бот активность
и кража данных
Мошенническое
сообщение
Бот активность
и кража данных
РАЗРЫВ ЦЕПИ УГРОЗ –
ШАГ 6

15. 15
Спам
Фишинг
Сайт
злоумышленника
Эксплойт
Вредоносное ПО
C&C Центр
Спам
Фишинг
Эксплойт
Вредоносное ПО
Бот активность
и кража данных
Sandbox
Anti-spam
Web Filtering
Intrusion Prevention
Antivirus
App Control/
IP Reputation
Мошенническое
сообщение
Бот активность
и кража данных
РАЗРЫВ ЦЕПИ УГРОЗ –
ШАГ 7. ВНЕДРЯЕМ SANDBOX

16. 16
MALWARE? GOODWARE? IDON’TKNOWWARE?
Known
Good
Known
Bad
Probably
Good
Very
Suspicious
Somewhat
Suspicious
Might be
Good
Completely
Unknown
Whitelists Reputation:
File, IP, App, Email
App Signatures
Digitally signed files
Blacklists
Signatures
Heuristics
Reputation:
File, IP,
App, Email
Generic Signatures
Code
Continuum
Security
Technologies
Sandboxing

17. 17
Known
Good
Known
Bad
Probably
Good
Very
Suspicious
Somewhat
Suspicious
Might be
Good
Completely
Unknown
Whitelists Reputation:
File, IP, App, Email
App Signatures
Digitally signed files
Blacklists
Signatures
Heuristics
Reputation:
File, IP,
App, Email
Generic Signatures
Code
Continuum
Security
Technologies
Solutions
FortiGate
(and/or FortiMail, FortiClient, FortiWebt, etc.)
Sandboxing
FortiSandbox
MALWARE? GOODWARE? IDON’TKNOWWARE?

18. 18
• Prefilters objects, identifying known threats
• Runs objects/URLs, analyzing and rating activity
• Uncovers full threat lifecycle and presents
indicators of compromise
• 3 modes of operation
– Sniffer: span port mode to capture all packets
– On-demand: manual submission & analysis
– Integrated: with FortiGate, FortiMail and FortiClient
to feed into and act on intelligence out of FortiSandbox
FortiSandbox
ОПРЕДЕЛЕНИЕ ЦЕЛЕНАПРАВЛЕННЫХ АТАК
Network Traffic
Cloud
File Query
AV
Prefilter
Code
Emulation
Full
Sandbox
Callback
Detection

19. 19
FortiSandbox – 5 STEPS TO BETTER PERFORMANCE
Call Back Detection
Full Virtual Sandbox
Code Emulation
Cloud File Query
AV Prefilter
• Quickly simulate intended activity
• OS independent and immune to evasion/obfuscation
• Apply top-rated anti-malware engine
• Examine real-time, full lifecycle activity to get the
threat to expose itself
• Check community intelligence & file reputation
• Identify the ultimate aim, call back & exfiltration
• Mitigate w/FortiGuard updates

20. 20
• Top-rated Breach Detection (NSS Labs
Recommended)
• Customizable Environment
– Preloaded with Microsoft Windows XP and 7,
32- and 64-bit, plus Office, IE and Adboe
– Ability to select specific combination or let the
system choose
• Genuine Microsoft Licenses for
Windows
and Office
TOP RATED SANDBOX
Independent third-
party tested &
validated!

21. 21
FORTISANDBOX DETAILS
Network Traffic
ObjectsforInspection
UpdatedProtection
3. Operating Environment
• Code emulation: OS-
independent
• Sandbox: Windows XP, 7, 8.1,
Server 2008/2010, IE, Office
2. File type support
• AV Prefilter: all
• Full Sandbox: as follows
Archived: .tar, .gz, .tar.g,
.tgz, .zip, .bz2, .tar.bz2,
.bz, .tar.Z, .cab, .rar, .arj
Executable: .exe, .dll,
PDF, Windows Office,
Javascript, .pd
URLs
Media: .avi, .mpeg, mp3,
mp4
1. Protocol support
• FortiGate Integrated: HTTP,
SMTP, POP3, IMAP, MAPI, FTP,
SMB, IM
and SSL encrypted equivalents
• Stand-alone: HTTP, FTP, POP3,
IMAP, SMTP, SMB
• FortiMail Integrated: SMTP,
POP3, IMAP

22. 22
SANDBOX ONLY
Feedback
to/from FortiGuard
Internet
Network
Traffic
Deployed in sniffer mode FortiSandbox will preflter
for known threats, sandbox unknown threats and
watch for callback activity
Inspected
Traffic

23. 23
NGFW + SANDBOX
Feedback
to/from FortiGuard
Internet
Network
Traffic
Full NGFW inspection performed on FortiGate.
At risk objects sent to FortiSandbox, results
received. Sandbox
Inspection
and Results
Inspected
Traffic
Deployed in integrated mode FortiSandbox will
receive objects, perform analysis and return results

24. 24
CENTRAL SANDBOX FOR NGFW+SEG
Reputation, behavior and other analysis performed by FortiMail.
At risk messages held for FortiSandbox analysis, results acted on.
Clean emails delivered to mail
servers.
Outgoing email also inspected
Feedback
to/from FortiGuard
Email
Traffic
Internet
Inspected
Emails
Network
Traffic
Full NGFW inspection performed on FortiGate.
At risk objects sent to FortiSandbox, results
received. Sandbox
Inspection
and Results
Inspected
Traffic

25. 25
CENTRAL SANDBOX FOR NGFW + SEG + EPP
Reputation, behavior and other analysis performed by FortiMail.
At risk messages held for FortiSandbox analysis, results acted on.
Clean emails delivered to mail
servers.
Outgoing email also inspected
FortiSandbox prefilters, executes, analyzes and feeds
back to FortiGate, FortiMail, FortiClient and
FortiGuard
Feedback
to/from FortiGuard
Email
Traffic
Internet
Inspected
Emails
Network
Traffic
Full NGFW inspection performed on FortiGate.
At risk objects sent to FortiSandbox, results
received. Sandbox
Inspection
and Results
Full EPP inspection, new files also sent
to FortiSandbox. Results acted on.
Inspected
Traffic

26. 26
РАЗРЫВА ЦЕПИ УГРОЗ – ШАГ 8
ПОДДЕРЖКА АКТУАЛЬНОСТИ СИСТЕМЫ ЗАЩИТЫ
Anti-spam
Web Filtering
Intrusion
Prevention
Antivirus
App Control/
IP Reputation
Sandbox
ЦОД
Предприятия и
филиальная сеть
Облако
Мобильные
Распределенная сеть
DLP

27. 27
ОПЕРЕЖАТЬ ДЕЙСТВИЯ ЗЛОУМЫШЛЕННИКОВ
Комплексная Безопасность
Глобальная Защита
Уверенность в высокой эффективности
360
24
7x
100%

28. 28
http://www.netwell.ru/events/?id_form=fortinet_security_day

29. Алексей Андрияшин
+79859996477
aandriyashin@fortinet.com
Илья Яблонко, CISSP,
менеджер по развитию решений ИБ
+7 912 607 55 66,
IYablonko@USSC.ru