Download to read offline
Uploaded byLan & Wan Solutions
Lan & Wan
This document discusses advanced threat protection and FortiSandbox. It notes that prevention techniques sometimes fail, so detection and response tools are needed to reduce the time it takes to find, investigate, and remediate incidents. Sandboxing is introduced as an effective technique that runs suspicious objects in a contained virtual environment to analyze behavior and uncover threats. FortiSandbox is highlighted as a solution that integrates with FortiGate and other Fortinet products to provide detection, analysis, and sharing of threat intelligence across the network to improve security.
More Related Content
![Het ecosysteem als complete bescherming tegen cybercriminaliteit [pvh]](https://cdn.slidesharecdn.com/ss_thumbnails/hetecosysteemalscompletebeschermingtegencybercriminaliteitpvh-160621130244-thumbnail.jpg?width=640&height=640&fit=bounds)
More from Lan & Wan Solutions
Lan & Wan
- 1. © Copyright FortinetInc. All rights reserved. Advanced Threat Protection Alessandro Berta – Systems Engineer 15 Aprile 2016
- 2. 2 Why Talk aboutAdvanced Threat Protection “New Studies Reveal Companies are Attacked an Average of 17,000 Times a Year.” “Companies like J.P. Morgan Plan to Double Spending on Cyber security…” “Cybercrime Will Remain a Growth Industry for the Foreseeable Future.” “The Reality of the Internet of Things is the Creation of More Vulnerabilities.” “43% of firms in the United States have experienced a data breach in the past year.”
- 3. 3 Companies should beconcerned Prevention techniques sometimes fail, so detection and response tools, processes, & teams must be added FACT: GOAL: Reduce time to Find/Detect incidents Reduce time to Investigate incidents Reduce time to Remediate incidents 229days Average time attackers were on a network before detection 67% Victims were notified by an external entity
- 4. 4 Random Detection (average ~200days, prior to response) DURATION IMPACT The Impact: Extended Compromise, Data Loss, Headlines…
- 5. 5 Kill Chain ofan Advanced Attack Spam Malicious Email Malicious Web Site Exploit Malware Command & Control Center Bots leverage legitimate IPs to pass filters. Social engineering fools recipient. Malicious Link Bot Commands & Stolen Data Anti-spam Web Filtering Intrusion Prevention Antivirus App Control/ IP Reputation Fast flux stays ahead of web ratings Zero-days pass IPS Compression passes static inspection Encrypted communication passes controls
- 6. 6 Idon’tknowware Is ABig Part of Problem Known Good Known Bad Probably Good Very Suspicious Somewhat Suspicious Might be Good Completely Unknown Whitelists Reputation: File, IP, App, Email App Signatures Digitally signed files Blacklists Signatures Heuristics Reputation: File, IP, App, Email Generic Signatures Code Continuum Security Technologies Sandboxing Sources: Verizon 2015 Data Breach Investigations Report, April 2015
- 7. 7 Enter Sandboxing Spam Malicious EmailMalicious Link Malicious Web Site Exploit Malware BotCommands & Stolen Data Command & Control Center Spam Malicious Link Exploit Malware Bot Commands & Stolen Data Sandbox Anti-spam Web Filtering Intrusion Prevention Antivirus App Control/ IP Reputation
- 8. 8 Random Detection (average 200days, prior to response) DURATION IMPACT Sandbox Only Detection & Response (days) A Good Sandbox Reduces Dwell Time, Risk, Impact
- 9. 9 Introducing FortiSandbox Flagsobjects within traffic for more inspection Runs objects in a contained environment, analyzing activity Provides a malicious or low/medium/ high risk rating Uncovers and distributes threat intelligence for remediation/protection Detects call back attempts related to sophisticated attacks 3 modes of operation » Sniffer: span port mode to capture all packets » On-demand: manual submission & analysis of files » Integrated: with FortiGate, FortiMail, FortiWeb, FortiSwitch and/or FortiClient Network Traffic Cloud File Query AV Prefilter Code Emulation Full Sandbox Callback Detection
- 10. 10 VMs NA 2+8 28 Form Cloud service integrated with FortiGate Virtual appliance Physical appliance Physical appliance FortiSandbox 1000D FortiSandbox Platform Options FortiSandbox VM FortiSandbox 3000D FortiSandbox Cloud
- 11. 11 FortiSandbox – 5Steps to Better Performance Call Back Detection Full Virtual Sandbox Code Emulation Cloud File Query AV Prefilter • Quickly simulate intended activity – Fortinet patented CPRL • OS independent & immune to evasion – high catch rate • Apply top-rated anti-malware engine • Examine real-time, full lifecycle activity in the sandbox to get the threat to expose itself • Check community intelligence & file reputation • Identify the ultimate aim, call back & exfiltration • Mitigate w/ analytics & FortiGuard updates
- 12. 12 Top-rated BreachDetection (NSS Labs Recommended) » 99% detection » Results delivered w/in 1 min most of the time Top Rated Sandbox Independent third-party tested & validated!
- 13. 13 FortiGuard FortiOS FortiClient FortiManager FortiWebFortiAnalyzer FortiMail FortiSandboxFortiGate ADVANCED THREAT PROTECTION FRAMEWORK 5.4 CloudVirtual Physical
- 14. 14 ATP Framework inAction Unknown URLs and Files submission to FortiSandbox FortiSandbox FortiGate FortiWeb FortiMail FortiClient Web Server Mail Server Extended and fast protection Internet Full NGFW inspection performed on FortiGate. At risk objects sent to FortiSandbox Reputation, behavior and other analysis performed by FortiMail. At risk messages held for additional FortiSandbox analysis.
- 15. 15 Detect to Mitigateto Prevent Updates to Preventative Security Updated IP sender reputations New web site ratings used for web filtering New IPS rules and botnet detection to block command and control traffic Updated anti-malware detection for this and similar attachments Detection and analysis Sandbox object behavior analysis & details Suspicious activity: privilege modification, file creation, modification & deletion Malicious activity: initiated traffic, encrypted traffic, DNS query File names, URLs, IP addresses Immediate Remediation Block email sender IP from delivering any other messages to employees. Prevent communication with this command & control Quarantine recipient devices Confirm compromise and remove malicious files
- 16. 16 How To MoveFrom Detection/Response To Prevention? Random Detection (average 229 days, prior to response) DURATION IMPACT Sandbox Only Detection & Response (days) Sandbox + FortiMail/ FortiClient Prevention (0-second) Sandbox + FortiGate/FortiWe b Detect & Respond (minutes)
- 17. 17 Only ATP SolutionNSS Recommended Edge to Endpoint
- 18.
- 19.
- 20. COMPLEXITY IS THE ENEMY OFSECURITY
- 21. Single Framework FortiAP, FortiSwitchFortiGate FortiWeb FortiMail FortiGuard Threat Intelligence & Services Advanced Threat Protection FortiSandbox USERS NETWORK DATA CENTER FortiClient Fortinet Cloud #1 UNIT SHARE WORLDWIDE In Network Security (IDC) OVER 2MILLION DEVICES SHIPPED MARKET LEADING TECHNOLOGY 257 PATENTS 228 PENDING FortiOS 5.4
- 22. Advanced Security Network Performance SECURITY FOR ANEW WORLD IS SECURITY WITHOUT COMPROMISE
Editor's Notes
- #2 Hello. Today we are going to talk about advanced attacks and advanced threat protection from Fortinet. We’ll also go into some detail on FortiSandbox, a key element of Fortinet’s complete advanced threat protection solution.
- #3 The threat landscape just keeps escalating and these days there is a lot of scrutiny over IT security because a successful data breach can be headline news. Certainly we’ve seen many very high profile companies and brands in the news with massive data breaches. The risk environment has made a lot of organizations start to pay more attention to their security measures. Viruses and hackers are not new, so what’s changed? There are many more different types of devices attacked to the network than ever before. And this Internet of Things includes many devices that do not have the ability to maintain regular security updates and it includes many devices and applications made for consumer use that are now being used within the enterprise. The cybercrime economy has matured and is a profitable industry that is more accessible than ever to black hat entrepreneurs. There is much higher awareness of the risk due to laws requiring public disclosure of a breach and the subsequent press coverage some breaches get. Hackers are getting even more sophisticated in how they orchestrate attacks in order to get around existing security coverage.
- #4 You may have any number of excellent security technologies in place already in your organization – things such as firewalls, VPNs, authentication, antivirus, web filtering, IPS, and antispam. This is good and these solutions will prevent a lot of threats from ever impacting your organization. However, nothing is 100% and sometimes advanced attacks will find a way to get through these prevention techniques. You need to be ready to deal with these types of advanced targeted attacks. In recent breaches it took 229 days on average to detect an attack that’s gotten on the network if it has managed to slip past existing defenses. And in 67% of the time the victim organizations only learned about the breach from an external entity. Clearly no organization wants to be part of this statistic. The goal behind advanced threat detection is to prevent what attacks you can and then, accepting that some things will get through, to reduce the time to find and detect an attack. And once youv’e identified an attack, reduce the time it takes to investigate and analyze the threat. Finally, with this intelligence in hand you can more quickly remediate any impact on your organization.
- #6 So how does an advanced attack work? Here’s a snapshot of a typical kill chain for an advanced attack and the typical security technologies that are in play in order to block that attack and break the kill chain. The number one, most popular method for initiating an advanced attack is to send a malicious email to the target. This email may have a malicious file attachment or a URL that connects to a malicious web site. You hope your anti-spam will stop this email from ever reaching an end user target. However there are ways to get around antispam and other email gateway security techniques. For example Bots may leverage legitimate (but compromised) IPs from which to send the email or they may use targeted spear phishing techniques and social engineering to get through filters and to entice an end users to click on a URL. They may encrypt a malicious attachment to hide it from AV scanning. If an email with a malicious URL gets through and an end user clicks on that URL link, you hope your web filtering protection will stop the user from ever connecting to that malicious web site and in many cases this will work. However, some attackers use a fast flux approach, only using a site for a few days or a few hours – harvesting what they can before moving on to another URL. If the end user connects with the malicious web site, that site will launch exploits at the user and you hope your Intrusion prevention will block the attack. However exploits can slip through by taking advantage of zero-day vulnerabilities, new variants, and encryption. If an exploit gets through, you hope you will catch any malware it tries to deliver with your antivirus. And many times this will work but sometimes it doesn’t. Malware can use file compression, encryption, and new malware variants to get through an AV filter. If that malware gets into the organization, it will try to proliferate and it will look for valuable data to collect. Eventually it will try to exfiltrate stolen data or simply go out to try to pull more threats into the organization and here’s where your application control and IP reputation controls may be able to identify and stop a connection to a command & control center. But if it doesn’t (maybe because the traffic was encrypted) your organization is breached.
- #8 Here’s how the addition of sandboxing changes the protection game in an enterprise. It’s still a very good idea to have all those traditional preventative techniques in place. They are the fastest, most efficient way to prevent attacks from ever getting into your organization. However, by adding sandbox to back up these techniques you now have the chance to catch all those threats that can slip by because it is unknown by your preventative techniques such as antispam, IPS, AV, etc. And once your sandbox has analyzed a threat, you get useful insights that can be used to mitigate the threat. Both by remediating any exposure to it you may have had and by using that new threat intelligence to improve the preventative technologies you have in place.
- #10 Flags suspicious (or high risk) objects within network traffic for more inspection Runs objects in a secure virtual environment, analyzing system, site, communication and download activity Provides a low, medium or high risk rating, leveraging packaged FortiGuard expertise Uncovers threat lifecycle information for remediation and updated protection Allows for information sharing with FortiGuard experts and global intelligence network Fortinet’s FortiOS network security platform provides the foundation for the Advanced Threat Protection Framework, while the deep security expertise of its FortiGuard Labs pervades the framework: Highlights Top performance (Ixia, NSS Labs) firewall appliance platforms for access control of high performance networks Top-rated (NSS Labs, Virus Bulletin, AV Comparatives), real-world threat prevention Top-rated (NSS Labs), real-world threat detection- 99% effectiveness for breach detection Leading security expertise (140+ zero-day discovers) to speed incident response and underpin the entire Framework A broad range of partners who contribute to the continuous monitoring and improvement of security
- #11 You have your choice of platform for FortiSandbox. It is available as a physical or virtual appliance. There are two physical appliance options, the 1000D with 8 VMs and the 3000D with 28 VMs, and the highly flexible virtual appliance that scales from a few as 2 VMs up to 56 VMs. For organization that may not want to manage an on-premise solution, there is the FortiSandbox Cloud service available as an integrated option on the FortiGate. There are pros and cons for both the cloud and appliance options. FortiSandbox Cloud may easier to add to an existing FortiGate installation. It can process an unlimited number of files/hour but because it is a cloud service it may introduce some latency. The cloud service is only available as an integrated solution with FortiGate. FortiSandbox Appliances may deliver results faster and they don’t send files to the cloud for analysis but they also require some additional hardware management and have limits on the number of files they can process per hour. Appliances can be deployed as standalone solutions, in a lab for on-demand analysis or as an integrated solution with FortiGate. Fortinet believes it benefits customers to give them the flexibility to choose the platform they want.
- #12 However, sandboxing is resource and time intensive. It takes time to let a file run so you can analyze its behavior. Fortinet’s FortiSandbox solution is architected to optimize both security effectiveness and speed to results. It is not simply a sandbox, it uses a multi step approach to evaluate and analyze objects, starting with the most efficient technologies and stepping up to more resource intensive approaches as needed. FortiSandbox goes through 5 steps. Step 1: objects are run though Fortinet’s top-rated AV engine. This AV prefilter uses a larger, more extended threat database from FortiGuard Labs in order to catch more variants and older variants of malware. Step 2: FortiSandbox performs a cloud query to see if this file has been previously identified (in some systems this is referred to as a file reputation check) Step 3: the code is put through a simulator and Fortinet’s patented Compact Pattern Recognition Language is used to analyze the code to see if any malicious or suspicious patterns can be identified Steps 1 through 3 are typically performed in just a few seconds. On average these three steps are able to identify over 60% of threats. Step 4: the code is placed in a full virtual sandbox environment and allowed to run. The behavior lifecycle of the code is observed and if the object is malicious, it will expose itself. Step 5: The activity in the sandbox is analyzed to identify if it is malicious or suspicious and the activity is documented. The object is assigned a risk rating and is then reported out. New findings from this analysis can be shared with FortiGuard Labs in order to create new security updates in order to improve the extended FortiGuard security ecosystem.
- #13 Fortinet also participates in NSS Labs testing for NGFW and Breach Detection Systems. These are the results of the Breach Detection Systems industry tests in 2014. As you can see in the chart, Fortinet tested high for effectiveness and well for performance and value, detecting 99% of threats and delivering results in under 1 minute the majority of the time. The vertical axis shows the security effectiveness results from the test and the horizontal axis shows the performance/value results. Fortinet’s FortiSandbox fell into the upper right quadrant in results and thus earned a Recommended rating from NSS Labs.
- #14 Left box Label FortiClient Label the different sandbox icons Physical Virtual Cloud and leave ‘FortiSandbox’ below them Delete “All modules communicate” and related icon. Make TimeToProtect bigger, centered more
- #16 By implementing an Advanced Threat Protection Framework the process of learning, remediating and improving security follows a natural flow. In the Detection and Analysis phase the sandbox identifies suspicious threat activities such as privilege modification and file creation or deletion as well as known malicious behavior such as initiated network traffic or DNS queries. The sandbox can learn details from its analysis in form of file names, URLs, IP addresses and more that can be used in remediation and added to security updates. With the details of a threat attack, including its source and destination from FortiSandbox, it is much easier to instigate immediate remediation activities such as blocking an email sender IP from sending more messages to employees, preventing communications with known command & control addresses, and to quarantine compromised devices within the network to prevent the spread of malware. Finally, the threat information learned by the sandbox has multiple uses. Malicious IP addresses and URLs identified can be added to web filtering and IP reputation lists. File characteristics can be used to create new IPS rules and anti-malware signatures. All this feeds into security updates to improve the protection delivered by all the solutions in the framework.
- #18 In fact, organizations looking to take a coordinate approach to combating advanced threats benefit from NSS Labs Recommended components including: FortiGate as NGFW and NGIPS in the data center and at the edge FortiWeb in front of external-facing web servers that often serve as entry points to the network FortiClient for Enterprise Endpoint Protection covering users on and off the network FortiSandbox for continuous analysis of seemingly benign objects and sites to detect the most sophisticated attacks that might slip through your defenses.