Advanced Threat Protection
Alessandro Berta, Systems Engineer
15 April 2016
© Copyright Fortinet Inc. All rights reserved.

Slide 2: Why Talk about Advanced Threat Protection

“New Studies Reveal Companies are Attacked an Average of 17,000 Times a Year.”

“Companies like J.P. Morgan Plan to Double Spending on Cyber security…”

“Cybercrime Will Remain a Growth Industry for the Foreseeable Future.”

“The Reality of the Internet of Things is the Creation of More Vulnerabilities.”

“43% of firms in the United States have experienced a data breach in the past year.”

Slide 3: Companies should be concerned

FACT: prevention techniques sometimes fail, so detection and response tools, processes and teams must be added.

• 229 days: average time attackers were on a network before detection
• 67%: victims that were notified of the breach by an external entity

GOAL:
• Reduce time to find/detect incidents
• Reduce time to investigate incidents
• Reduce time to remediate incidents

Slide 4: The Impact: Extended Compromise, Data Loss, Headlines…

[Chart: impact (vertical axis) against duration of compromise (horizontal axis). Single curve labelled "Random Detection (average ~200 days, prior to response)".]

Slide 5: Kill Chain of an Advanced Attack

Each stage of the chain has a traditional control, and each control has a known bypass:

• Spam / malicious email → Anti-spam. Bots leverage legitimate IPs to pass filters; social engineering fools the recipient.
• Malicious link / malicious web site → Web Filtering. Fast flux stays ahead of web ratings.
• Exploit → Intrusion Prevention. Zero-days pass IPS.
• Malware → Antivirus. Compression passes static inspection.
• Bot commands and stolen data to the command & control center → App Control / IP Reputation. Encrypted communication passes controls.

Slide 6: "I-don't-know-ware" Is a Big Part of the Problem

Code continuum, from known good to known bad, and the security technology that covers each band:

• Known good → whitelists; reputation (file, IP, app, email); app signatures; digitally signed files
• Probably good, might be good, somewhat suspicious, very suspicious → heuristics; reputation (file, IP, app, email); generic signatures
• Completely unknown → sandboxing
• Known bad → blacklists; signatures

Sources: Verizon 2015 Data Breach Investigations Report, April 2015

Slide 7: Enter Sandboxing

The same kill chain as slide 5 (spam and malicious email, malicious link and malicious web site, exploit, malware, bot commands and stolen data to the command & control center), with a sandbox added alongside the existing controls: anti-spam, web filtering, intrusion prevention, antivirus, and app control / IP reputation.

Slide 8: A Good Sandbox Reduces Dwell Time, Risk, Impact

[Chart: impact against duration. "Random Detection (average 200 days, prior to response)" compared with "Sandbox Only: Detection & Response (days)".]

Slide 9: Introducing FortiSandbox

• Flags objects within traffic for more inspection
• Runs objects in a contained environment, analyzing activity
• Provides a malicious or low/medium/high risk rating
• Uncovers and distributes threat intelligence for remediation/protection
• Detects call-back attempts related to sophisticated attacks

3 modes of operation
» Sniffer: span port mode to capture all packets
» On-demand: manual submission & analysis of files
» Integrated: with FortiGate, FortiMail, FortiWeb, FortiSwitch and/or FortiClient

Analysis pipeline: Network Traffic → AV Prefilter → Cloud File Query → Code Emulation → Full Sandbox → Callback Detection

Slide 10: FortiSandbox Platform Options

Model               | Form                                     | VMs
FortiSandbox Cloud  | Cloud service integrated with FortiGate  | N/A
FortiSandbox VM     | Virtual appliance                        | 2+
FortiSandbox 1000D  | Physical appliance                       | 8
FortiSandbox 3000D  | Physical appliance                       | 28

Slide 11: FortiSandbox – 5 Steps to Better Performance

Objects pass through the stages in order, cheapest first, so the full virtual sandbox is reserved for what the earlier stages could not settle:

1. AV Prefilter
• Apply top-rated anti-malware engine

2. Cloud File Query
• Check community intelligence & file reputation

3. Code Emulation
• Quickly simulate intended activity – Fortinet patented CPRL
• OS independent & immune to evasion – high catch rate

4. Full Virtual Sandbox
• Examine real-time, full lifecycle activity in the sandbox to get the threat to expose itself

5. Call Back Detection
• Identify the ultimate aim, call back & exfiltration
• Mitigate w/ analytics & FortiGuard updates
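The staged pipeline of slides 9 and 11 (prefilter, cloud query, emulation, full sandbox, callback detection) is easiest to reason about as code. The following is an added example written for this page, not Fortinet code and not how FortiSandbox is implemented: the stage names follow the slides, but the hash lists, the AV signature, the reputation table, the C2 list, the behaviour weights, the low/medium/high thresholds and the sample objects are all constructed, and the "emulation" stage is a static string heuristic standing in for real code emulation, which this example cannot perform.

```python
"""Staged object triage: cheap, definitive checks first; the expensive
detonation only for what remains undecided. Added illustration, not
Fortinet code; every table and sample below is constructed."""
import hashlib
from dataclasses import dataclass, field
from typing import Optional


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed intelligence tables (not real indicators).
KNOWN_GOOD = {sha256(b"MZ trusted-updater-build-1234")}          # whitelist
KNOWN_BAD = {sha256(b"MZ commodity-trojan-sample")}             # blacklist
AV_SIGNATURES = {"Generic.Downloader": b"URLDownloadToFileA"}  # prefilter
COMMUNITY_REPUTATION = {sha256(b"MZ seen-before-by-community"): "malicious"}
C2_DESTINATIONS = {"198.51.100.7", "cnc.example.invalid"}      # callback list
EMULATION_HEURISTICS = [b"powershell -enc", b"vssadmin delete shadows"]

# Weights for behaviours observed in the full sandbox (the classes slide 15 lists).
BEHAVIOUR_WEIGHTS = {
    "file_create": 1, "file_modify": 1, "file_delete": 1,
    "privilege_modification": 3,
    "dns_query": 2, "initiated_traffic": 2, "encrypted_traffic": 3,
}
NETWORK_BEHAVIOURS = {"dns_query", "initiated_traffic", "encrypted_traffic"}


@dataclass
class Sample:
    name: str
    data: bytes
    behaviours: list = field(default_factory=list)  # (kind, detail) from detonation


@dataclass
class Verdict:
    rating: str            # clean, low, medium, high or malicious
    stage: str             # the stage that settled the verdict
    evidence: list = field(default_factory=list)


def prefilter(sample: Sample) -> Optional[Verdict]:
    """Step 1: whitelist, blacklist and AV signature match; cheapest checks."""
    digest = sha256(sample.data)
    if digest in KNOWN_GOOD:
        return Verdict("clean", "av_prefilter", [f"whitelist:{digest[:12]}"])
    if digest in KNOWN_BAD:
        return Verdict("malicious", "av_prefilter", [f"blacklist:{digest[:12]}"])
    for name, pattern in AV_SIGNATURES.items():
        if pattern in sample.data:
            return Verdict("malicious", "av_prefilter", [f"signature:{name}"])
    return None


def cloud_file_query(sample: Sample) -> Optional[Verdict]:
    """Step 2: ask the community reputation service about the hash."""
    digest = sha256(sample.data)
    if COMMUNITY_REPUTATION.get(digest) == "malicious":
        return Verdict("malicious", "cloud_file_query", [f"reputation:{digest[:12]}"])
    return None


def code_emulation(sample: Sample) -> list:
    """Step 3 stand-in: static heuristics; real emulation would execute the code."""
    return [f"heuristic:{h.decode()}" for h in EMULATION_HEURISTICS if h in sample.data]


def full_sandbox(sample: Sample, evidence: list) -> Verdict:
    """Step 4: weight observed behaviours into a low/medium/high rating."""
    score = 2 * len(evidence)                      # each emulation hit counts 2
    for kind, detail in sample.behaviours:
        score += BEHAVIOUR_WEIGHTS.get(kind, 0)
        evidence.append(f"{kind}:{detail}")
    rating = "low" if score <= 2 else "medium" if score <= 5 else "high"
    return Verdict(rating, "full_sandbox", evidence)


def callback_detection(sample: Sample, verdict: Verdict) -> Verdict:
    """Step 5: contact with a known C2 destination settles the verdict as malicious."""
    hits = [detail for kind, detail in sample.behaviours
            if kind in NETWORK_BEHAVIOURS and detail.split(":")[0] in C2_DESTINATIONS]
    if hits:
        return Verdict("malicious", "callback_detection",
                       verdict.evidence + [f"c2:{h}" for h in hits])
    return verdict


def triage(sample: Sample) -> Verdict:
    """Run the stages in order, stopping at the first definitive verdict."""
    for stage in (prefilter, cloud_file_query):
        verdict = stage(sample)
        if verdict is not None:
            return verdict
    return callback_detection(sample, full_sandbox(sample, code_emulation(sample)))


# Constructed samples, one for each stage that can settle a verdict.
SAMPLES = {
    "updater": Sample("updater.exe", b"MZ trusted-updater-build-1234"),
    "trojan": Sample("invoice.exe", b"MZ commodity-trojan-sample"),
    "dropper": Sample("setup.exe", b"MZ ... URLDownloadToFileA ..."),
    "seen": Sample("doc.exe", b"MZ seen-before-by-community"),
    "rat": Sample("update.exe", b"MZ unknown packed blob", [
        ("file_create", "C:\\Users\\Public\\svc.exe"),
        ("privilege_modification", "SeDebugPrivilege"),
        ("dns_query", "cnc.example.invalid"),
        ("encrypted_traffic", "198.51.100.7:443"),
    ]),
    "greyware": Sample("tool.exe", b"MZ unknown but quiet", [("file_create", "C:\\tool.log")]),
}

if __name__ == "__main__":
    for key, sample in SAMPLES.items():
        v = triage(sample)
        print(f"{key:9} {v.rating:9} settled by {v.stage}: {', '.join(v.evidence)}")
```

The point the ordering makes is the one in the slide title: four of the six constructed samples never reach the detonation stage, and the two that do are rated on what they did rather than on what they look like. Thresholds and weights are the part a real deployment tunes; here they are arbitrary.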

Slide 12: Top Rated Sandbox

Independent third-party tested & validated: NSS Labs Recommended for Breach Detection
» 99% detection
» Results delivered within 1 minute most of the time

Slide 13: Advanced Threat Protection Framework (FortiOS 5.4)

[Diagram: FortiSandbox at the centre, delivered as cloud, virtual or physical; FortiGate, FortiMail, FortiWeb and FortiClient around it; FortiGuard real-time intelligence and response, with FortiManager and FortiAnalyzer. Caption: "Time to Protect".]

Slide 14: ATP Framework in Action

Unknown URLs and files are submitted to FortiSandbox from FortiGate, FortiWeb, FortiMail and FortiClient, which sit between the Internet and the web server, mail server and endpoints; the result is extended and fast protection.

• Full NGFW inspection performed on FortiGate. At-risk objects sent to FortiSandbox.
• Reputation, behavior and other analysis performed by FortiMail. At-risk messages held for additional FortiSandbox analysis.

Slide 15: Detect to Mitigate to Prevent

Detection and analysis
• Sandbox object behavior analysis & details
• Suspicious activity: privilege modification; file creation, modification & deletion
• Malicious activity: initiated traffic, encrypted traffic, DNS query
• File names, URLs, IP addresses

Immediate remediation
• Block the email sender IP from delivering any other messages to employees
• Prevent communication with this command & control
• Quarantine recipient devices
• Confirm compromise and remove malicious files

Updates to preventive security
• Updated IP sender reputations
• New web site ratings used for web filtering
• New IPS rules and botnet detection to block command and control traffic
• Updated anti-malware detection for this and similar attachments
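The three columns above describe a data flow: a sandbox report yields indicators, the indicators become immediate remediation on the affected scope and preventive updates to the inline controls. The example below is added here and is not Fortinet code; the report structure, field names, host names, indicator values and the names of the target systems are all constructed for illustration, and a real deployment would read the sandbox's own report format. The one practitioner caveat it encodes is that the sandbox's own infrastructure (the lab resolver in the report) must not leak into production block lists.

```python
"""From a sandbox report to remediation and prevention actions, following
the three columns of slide 15. Added illustration, not Fortinet code; the
report below and all indicators in it are constructed."""
import ipaddress
from urllib.parse import urlparse

# Constructed sandbox report for one detonated attachment (not a real case).
SANDBOX_REPORT = {
    "object": {"file_name": "Invoice_0416.doc",
               "sha256": "5c2f" + "0" * 56 + "a1b2"},          # placeholder hash
    "delivery": {"channel": "email", "sender_ip": "203.0.113.45",
                 "recipients": ["ws-0412", "ws-0419"]},
    "suspicious": [
        ("privilege_modification", "SeDebugPrivilege enabled"),
        ("file_create", "C:\\Users\\Public\\svc.exe"),
        ("file_modify", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"),
    ],
    "malicious": [
        ("dns_query", "cnc.example.invalid"),
        ("dns_query", "cnc.example.invalid"),         # duplicates are common
        ("initiated_traffic", "198.51.100.7:443"),
        ("encrypted_traffic", "198.51.100.7:443"),
        ("initiated_traffic", "10.0.0.53:53"),        # the lab's own DNS resolver
        ("url", "http://cnc.example.invalid/gate.php?id=1"),
    ],
}

# Sandbox-side infrastructure lives in these ranges; never feed it back into
# production controls. Explicit networks are used rather than ip.is_global
# because the documentation ranges (198.51.100.0/24, 203.0.113.0/24) that
# stand in for attacker addresses here are not "global" to the ipaddress module.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def is_blockable_ip(text: str) -> bool:
    """True only for an IP address that is safe to push to an external block list."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False
    return not (ip.is_multicast or ip.is_unspecified
                or any(ip in net for net in INTERNAL_NETS))


def extract_iocs(report: dict) -> dict:
    """Normalise the report's activity into deduplicated indicator sets."""
    iocs = {"ips": set(), "domains": set(), "urls": set(), "hashes": set(), "files": set()}
    iocs["hashes"].add(report["object"]["sha256"])
    iocs["files"].add(report["object"]["file_name"])
    for kind, detail in report["malicious"]:
        if kind == "url":
            iocs["urls"].add(detail)
            host = urlparse(detail).hostname or ""
            if is_blockable_ip(host):
                iocs["ips"].add(host)
            elif host:
                iocs["domains"].add(host)
        elif kind == "dns_query":
            iocs["domains"].add(detail)
        else:                                       # initiated/encrypted traffic "ip:port"
            host = detail.rsplit(":", 1)[0]
            if is_blockable_ip(host):
                iocs["ips"].add(host)
    for kind, detail in report["suspicious"]:
        if kind in ("file_create", "file_modify") and detail.lower().endswith(".exe"):
            iocs["files"].add(detail)               # dropped executables to remove
    return iocs


def plan_response(report: dict) -> dict:
    """Split actions into the slide's two groups: immediate remediation on the
    affected scope, and preventive updates pushed to the inline controls."""
    iocs = extract_iocs(report)
    delivery = report["delivery"]
    immediate = [("mail_gateway", "block_sender_ip", delivery["sender_ip"])]
    immediate += [("firewall", "block_c2", ip) for ip in sorted(iocs["ips"])]
    immediate += [("dns", "sinkhole", d) for d in sorted(iocs["domains"])]
    immediate += [("endpoint", "quarantine_host", h) for h in delivery["recipients"]]
    immediate += [("endpoint", "remove_file", f) for f in sorted(iocs["files"])]
    preventive = [("ip_reputation", "sender_ip", delivery["sender_ip"])]
    preventive += [("web_filter", "rate_malicious", u) for u in sorted(iocs["urls"])]
    preventive += [("ips_botnet", "c2_rule", ip) for ip in sorted(iocs["ips"])]
    preventive += [("antivirus", "hash_signature", h) for h in sorted(iocs["hashes"])]
    return {"immediate": immediate, "preventive": preventive, "iocs": iocs}


if __name__ == "__main__":
    plan = plan_response(SANDBOX_REPORT)
    for group in ("immediate", "preventive"):
        print(group)
        for system, action, value in plan[group]:
            print(f"  {system:14} {action:16} {value}")
```

The tuples are deliberately generic (system, action, value) so the same plan can be rendered into whatever each control accepts; the "similar attachments" item in the slide's last column needs detection engineering beyond a hash and is left to the anti-malware vendor here.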

Slide 16: How To Move From Detection/Response To Prevention?

[Chart: impact against duration, four curves: "Random Detection (average 229 days, prior to response)"; "Sandbox Only: Detection & Response (days)"; "Sandbox + FortiGate/FortiWeb: Detect & Respond (minutes)"; "Sandbox + FortiMail/FortiClient: Prevention (0-second)".]

Slide 17: Only ATP Solution NSS Recommended Edge to Endpoint

Slide 18: TODAY'S SECURITY IS BORDERLESS

Slide 19: SLOW IS BROKEN

Slide 20: COMPLEXITY IS THE ENEMY OF SECURITY

Slide 21: Single Framework (FortiOS 5.4)

[Diagram: one framework spanning users, network and data center: FortiAP, FortiSwitch, FortiGate, FortiWeb, FortiMail; FortiClient and Fortinet Cloud; FortiSandbox for Advanced Threat Protection; FortiGuard Threat Intelligence & Services across all of them.]

• #1 unit share worldwide in network security (IDC)
• Over 2 million devices shipped
• Market leading technology: 257 patents, 228 pending

Slide 22: SECURITY FOR A NEW WORLD IS SECURITY WITHOUT COMPROMISE

Advanced security and network performance.