TRANSCRIPT
©2015 Check Point Software Technologies Ltd. 1
Rich Comber
SME, Threat Prevention
Check Point Software
Technologies
Moving to a Prevent Based Security Posture
According to IBM X-Force Threat Intelligence, roughly 1,000,000,000 personal records were leaked in 2014 due to online threats and cyberattacks.
http://www.zdnet.com/article/one-billion-records-leaked-designer-vulnerability-use-rose-in-2014/
2015 Security Report Sources:
• 16,000+ Organizations
• Over 300,000 monitoring hours
• 1,300 Security Checkup Reports
• 1 Million Smartphones
• 3,000 Security Gateways
• 122 Countries and Various Industries
Let’s start with a true story: a German steel mill with thousands of employees.
Source: http://www.wired.com/2015/01/german-steel-mill-hack-destruction/
The story starts with a spear-phishing attack on the steel mill’s business network.
Phase 1: Infiltration
Attackers send a targeted email that appears to come from a trusted source, tricking an employee into opening a malicious attachment.
The malware exploited a vulnerability on the employee computers
Phase 2: Lateral Movement
This established a beachhead for horizontal movement
Phase 3: Compromised Control Systems
Failures accumulated in individual control components and entire systems.
Phase 4: Unable to shut down a blast furnace. Massive damage to the factory.
2014 Key Findings
UNKNOWN MALWARE
KNOWN MALWARE
MOBILITY
HIGH-RISK APPLICATIONS
DATA LOSS
New malware per year:
2009   12M
2010   18M
2011   18.5M
2012   34M
2013   83M
2014   142M
142M new malware in 2014, a 71% increase versus 2013
2015 Security Report Statistics
Unknown Known
Known Unknown
• IPS/Anti-Virus work by:
  – Looking for specific patterns
  – Enforcing compliance of protocols to standards
  – Detecting variations from the protocols
• Attackers evade signature-based detection by obfuscating the attacks and creating attack variants
• So how tough is it?
  – Zeus and SpyEye ‘builders’, generating Zeus or SpyEye variants in a click, are sold at $1-10K
  – www.styx-crypt.com will obfuscate HTML, JavaScript, executable files, PDF & Flash files at $5-25 per file; quantity discounts apply.
Unknown Malware
• 41% of organizations downloaded at least one unknown malware
• Every 34 seconds unknown malware is downloaded
Known Malware: Bots
• Every 1 minute a bot communicates with its Command and Control
• Infected organizations: 73% in 2013, 83% in 2014
Known Malware: DDoS
[Chart: Top Attack Vectors, 2014 vs 2013]
• A DDoS attack every 30 minutes
Known Malware: Top IPS Events
[Chart: percent of total IPS events, client vs server, split 60% / 40%]
NO ONE TO BLAME BUT OURSELVES
Known Malware: Endpoint Vulnerabilities and Misconfigurations
Mobility: Corporate Data at Risk
Mobile Threat Research
[Chart: devices surveyed, 60% Android / 40% iOS]
Survey: 500K+ Android and 400K iOS devices in 100+ countries
42% suffered mobile security incidents costing more than $250,000
Mobile Threat Research
20+ Malware variants
18 MRAT families found
P2P File Sharing Applications: 75% in 2013, 77% in 2014
High-Risk Applications used
• 305x per day, once every 5 mins
• Anonymizer Proxy Applications: 56% in 2013, 62% in 2014
Data Loss
• Every 36 minutes sensitive data is sent outside the organization
• 88% in 2013, 81% in 2014
Data Sent Outside Organization by Employees (% of Organizations)
[Chart: sent credit card data; sent sensitive personal information; values shown 30% and 25%]
An Average Day
• Every 24 seconds a host accesses a malicious website
• Every 34 seconds an unknown malware is downloaded
• Every 1 minute a bot communicates with its command and control center
• Every 5 minutes a high-risk application is used
• Every 6 minutes a known malware is downloaded
• Every 36 minutes sensitive data is sent outside the organization
Summary: Security Statistics in 2014
• New malware increased 71%
• 106 downloads of unknown malware occurred per hour
• 86% of organizations accessed a malicious site
• 83% of organizations had existing bot infections
Summary: Security Statistics in 2014 (continued)
• 42% of businesses suffered mobile security incidents costing more than $250,000 to remediate
• 96% of organizations used at least one high-risk application
• 81% of organizations suffered a data loss incident
• Loss of proprietary information increased 71% over the past three years
Segmentation
• Segments reduce the size of the challenge
• Limit the scope of a breach
Multi-Layered Threat Prevention
• Weaponized PDF: Threat Emulation (CPU and OS level) / Threat Extraction
• Command and Control: Anti-Bot
• Malware infestation: IPS and Anti-Malware
Access Control & Data Protection
• High-Risk Applications: Application Control / Mobile Threat Prevention
• Malicious Websites: URL Filtering / Mobile Threat Prevention
• Data Loss: DLP and Data/Document Security
A question: Who configures their security technologies to prevent and not just detect?
Top 20 Vendors: Vulnerabilities
[Chart, vulnerability counts per vendor on a 0-600 scale: Oracle, Cisco, IBM, Microsoft, Google, Apple, Red Hat, Linux, SUN, Mozilla, Adobe, HP, Novell, Wireshark, FFmpeg, Canonical, Apache, EMC, XEN, MySQL]
Source: http://www.cvedetails.com/top-50-vendors.php?year=2013
College – Server Compromise
• Incident Response Team (IRT) investigates possible server compromise
• Server in DMZ was flooding external hosts with UDP traffic
• Application Control log detected IRC over HTTPS to a machine in Russia
• IRT finds JSP RAT and Bitcoin mining malware on the server
• College IPS was configured for Detect mode only (IDS)
• IPS logs show the Oracle server was exploited via a JSP injection vulnerability
IPS signatures specific to the environment should be configured to Prevent
Large Pharmaceutical – Malware Infection
• IRT contacted about possible Bot infection
• Examination of Anti-Bot logs show events with critical severity configured for Detect mode
Large Pharmaceutical – Malware Infection (continued)
• IRT identifies specific malware
• IRT investigates traffic
• #TotalHash shows 2151 unique malware hashes hosted on this IP
• Customer finds malware on host
• VirusTotal shows 29 AV products identify it as malicious and confirms H-Worm malware
[Malware families shown: H-Worm, Ponmocup, Conficker]
Critical Anti-Bot events should be configured to Prevent
Professional Sports Team – Ransomware
• Customer infected with CryptoWall ransomware
• Correlating source IP and user info with time of infection shows the Cubby Cloud file sharing application was detected
• Intelligence sources confirm the CryptoWall campaign uses Cubby Cloud for distribution
[Log excerpt: IP of Infected Host, Username, Time of Infection; action Allowed; risk High Risk]
High Risk Application Control events should be configured to Prevent
Back-ups are critical in recovery from crypto malware
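The three case studies share one finding: the protection fired and was logged, but nothing was blocked. The Python script below is an added example, not part of the presentation or of any Check Point tool; it audits a constructed CSV export of IPS, Anti-Bot and Application Control events against the three conclusions above and reports which protections are still detect-only and which source hosts the IRT should examine first. The column layout, the DEPLOYED_PLATFORMS list and every record are assumptions built for this example.

```python
import csv
import io
from collections import Counter

# Constructed sample export; the column layout is an assumption, not a vendor schema.
SAMPLE_EXPORT = """blade,protection,severity,action,src
IPS,JSP Code Injection,Critical,Detect,10.1.2.3
IPS,JSP Code Injection,Critical,Detect,10.1.2.3
IPS,HTTP Header Anomaly,Low,Detect,10.1.2.9
Anti-Bot,H-Worm C&C,Critical,Detect,10.2.0.7
Anti-Bot,Conficker C&C,Critical,Prevent,10.2.0.8
Application Control,Cubby Cloud,High Risk,Allowed,10.3.4.5
Application Control,Anonymizer Proxy,High Risk,Allowed,10.3.4.6
Application Control,Corporate CRM,Low Risk,Allowed,10.3.4.7
"""
# Platforms deployed in this (constructed) environment: IPS signatures naming
# them are the "environment-specific" signatures of the college case.
DEPLOYED_PLATFORMS = ("Oracle", "JSP")

# One rule per blade, mirroring the three "should be Prevent" conclusions.
PREVENT_WORTHY = {
    "IPS": lambda e: any(p in e["protection"] for p in DEPLOYED_PLATFORMS),
    "Anti-Bot": lambda e: e["severity"] == "Critical",
    "Application Control": lambda e: e["severity"] == "High Risk",
}
NON_BLOCKING_ACTIONS = {"Detect", "Allowed"}

def parse_export(text):
    """Parse the CSV export into a list of event dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def detect_only_gaps(events):
    """Map (blade, protection) -> count of prevent-worthy events that were
    only logged or allowed. Protections already in Prevent never appear."""
    gaps = Counter()
    for e in events:
        rule = PREVENT_WORTHY.get(e["blade"])
        if rule and rule(e) and e["action"] in NON_BLOCKING_ACTIONS:
            gaps[(e["blade"], e["protection"])] += 1
    return gaps

def hosts_to_investigate(events):
    """Sources of detect-only events: the protection fired but blocked nothing,
    so each of these hosts may already be compromised and needs IRT follow-up."""
    gaps = detect_only_gaps(events)
    return sorted({e["src"] for e in events
                   if (e["blade"], e["protection"]) in gaps
                   and e["action"] in NON_BLOCKING_ACTIONS})
```

Running `detect_only_gaps(parse_export(SAMPLE_EXPORT))` on the sample lists the JSP injection signature, the H-Worm C&C protection and both High Risk applications as candidates for Prevent, while the Conficker protection already in Prevent and the low-severity events are left out.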
Leveraging IPS to address known exploits
CVE-2013-2471: Vulnerability-specific signatures provide protection until systems are patched
Anti-Malware
And why Threat Prevention incorporates integrated Anti-Virus:
• URLs with Malware: Gateway blocks access to known infected websites
• Viruses: Gateway scans traffic for known viruses and malware
Botnet Protections
• Checks URL, IP and domain reputation
• Looks for unique patterns in files or in the network
• Finds infected machines
• Looks for C&C patterns
• Blocks outbound C&C traffic
Threat Emulation
• Emulated OSs: Threat Emulation provides a closed environment to analyze files for unknown attacks
• Focus is on behavior: how a file interacts with the operating system gives a view into malicious content
Take the leap of faith
• Configure your security to “Prevent”
• Apply the protections to everything