A zero-day attack is an attack that takes advantage of a security vulnerability on the same day that the vulnerability becomes generally known. Today’s threats are increasingly sophisticated and often bypass traditional malware security by masking their malicious activity. A sandbox augments your security architecture by validating threats in a separate, secure environment. Learn more from Novosco and Fortinet about using Fortisandbox for proactive advanced threat protection for your business. See Fortinet Security Fabric in action – live demonstration of the Fortinet ATP fabric defending against an unknown threat. FortiSandbox offers a powerful combination of advanced detection, automated mitigation, actionable insight, and flexible deployment to stop targeted attacks and subsequent data loss.

1. © Copyright Fortinet Inc. All rights reserved.
Protect your Organisation from Zero Day &
Unknown Threats
With the Fortinet Security Fabric
Conor Byrne 21.06.2018

2. 2
Who are we?

3. 3
Fortinet Global Network Security Leader
4,900+
EMPLOYEES WORLDWIDE
100+OFFICES
ACROSS
THE GLOBE
395PATENTS
316 IN
PROCESS
ISSUED
3.4mSHIPPED
SECURITY
DEVICES
340K
CUSTOMERS
$10bn
MARKET CAP
IN EXCESS OF
$1.46bn
IN CASH
30%
SHIPPED WORLDWIDE
OF ALL
APPLIANCES
2000BY KEN XIE
FOUNDED IN
HEADQUARTERED IN
SUNNYVALE
CALIFORNIA

4. 4
Fortinet Gaining Share in a Growing Market
-
100,000
200,000
300,000
400,000
500,000
600,000
700,000
2011 2012 2013 2014 2015 2016
Cisco
Check Point
Juniper Networks
Palo Alto Networks

5. 5
Number 1 Security Vendor in Ireland since 2012
10
1 1 1 1 11 1 1 1 1
2009 2012 2013 2014 2015 2016
Market Position

6. 6
Unequalled Third-Party Certifications
11Cisco 4
Check Point 4
Palo Alto Networks 2
DCIPSAEP WAF NGFW NGFW BDS NGIPS BPS DCSG DCSG DCIPS
#1 Certified Security Vendor
2017 & 2018 Results

7. 7
NETWORK
FortiGate VMPartner API
FortiMailFortiAP | FortiSwitch
FortiClient FortiWeb
FortiSandbox
FortiManager | FortiAnalyzer | FortiSIEM
FortiOS
FORTINET
SECURITY
FABRIC
BROAD
INTEGRATED
AUTOMATED FortiGuard
Visibility & Protection of the
Digital Attack Surface
Detection of Advanced Threats
Response & Continuous Trust
Assessment

8. 8
What are zero day threats?

9. 9
When is signature based malware
detection not enough?
“a unique hash does not mean you have been
targeted by an ultra-sophisticated group of nation
state malware ninjas”

10. 10
Threat actors have changed
Motivation: notoriety, curiosity Motivation: make money
Script Kiddie Cyber Crime Organisations

11. 11
1. DIY Crypters

12. 12
2. Managed malware crypting services

13. 13
3. Polymorphism

14. 14
Data breaches result from the unknown

15. 15
FortiSandbox
Product Overview

16. 16
How does FortiSandbox
detect unknown and zero day threats?

17. 17
FortiSandbox: Life of a Sample
Code Emulation focuses on encrypted and/or packed
malware.
No code evasion possible as this code is not run.
Step 1 – Code Emulation 1

18. 18
FortiSandbox: Life of a Sample
Realtime AV Engine decrypts, decodes then tracks
behaviors of polymorphic code.
Step 2 – Realtime AV Engine 2

19. 19
FortiSandbox: Life of a Sample
Complex Pattern Recognition Language (patented)
is used to detect suspicious code and behaviour of
a virus and all variants.
Step 3 – CPRL 3

20. 20
FortiSandbox: Life of a Sample
A hash of the file is sent to Fortiguard Service and
checked against our intelligence database.
Step 4 – Cloud Query 4

21. 21
FortiSandbox: Life of a Sample
The file is executed in a virtual machine and full
behavioural analysis takes place.
• Windows, android and mac releases supported.
• Anti Evasion techniques
• Analysis performed by a sophisticated tracer engine.
• Network activity is captured, all processes are detailed and
listed, all changes are tracked, logs and original files are
available for download.
Step 5 – VM Scan Engine 5

22. 22
Unique Multi-tiered Approach
Code Emulation
Realtime AV Engine
CPRL with full DB
Cloud Query
Execution in a VM
Fortimail AV
Code Emulation
Realtime AV Engine
CPRL with full DB
Cloud Query
Execution in a VM
Fortiweb AV
Improved Performance

23. 23
Deployment Options
Hardware Appliances
• 4 models
• 480 – 3,600 real-world
throughput (objects/hr)
SaaS
• Fortinet managed
• Supports FortiGate,
FortiMail, FortiWeb,
FortiADC
• Available as a add-on
service or in a bundle
Virtual Appliances
• CPU-based
• 4 – 792 VMs*
AWS FortiSandbox VM

24. 24
Integration with other Fortinet Products

25. 25
Integration with third party technology
Anyserver
Or share CIFS
push
poll
API
• File share scanning
• Open API
• Network Sniffer
• Fabric Partners
• ICAP

26. 26
Fortinet Security Fabric
in action

27. 27
Mail Relay
Sandbox
Firewall
Mail Server
Global share ATP
database
Without Fortinet Fabric - Patient Zero
?
?
? Infected !

28. 28
FortiSandbox
Fortigate
FortiMail
Mail Server
Global share ATP
database
With Fortinet Fabric - No Patient Zero
✓ Clean !
?
…the same with forticlient !

29. 29
Summary
• Zero day malware is easily produced these days
• Zero day malware is common and short-lived
• Traditional defences can detect known good and known bad
• Sandboxing technology is the only proven technology to detect unknown threats
• FortiSandbox has the most flexible input options of any vender solution on the
market and will integrate with all of your existing Security Fabric elements

30. QUESTIONS?