
Moving to a Prevent Based Security Posture

Rich Comber, SME, Threat Prevention, Check Point Software Technologies

©2015 Check Point Software Technologies Ltd.


According to IBM X-Force Threat Intelligence, roughly 1,000,000,000 personal records were leaked in 2014 through online threats and cyberattacks.

http://www.zdnet.com/article/one-billion-records-leaked-designer-vulnerability-use-rose-in-2014/


2015 Security Report Sources:

• 16,000+ organizations
• Over 300,000 monitoring hours
• 1,300 Security Checkup reports
• 1 million smartphones
• 3,000 security gateways
• 122 countries and various industries


Let’s start with a true story: a German steel mill with thousands of employees.

Source: http://www.wired.com/2015/01/german-steel-mill-hack-destruction/


The story starts with a spear-phishing attack on the steel mill’s business network.


Phase 1: Infiltration

Attackers send a targeted email that appears to come from a trusted source, tricking an employee into opening a malicious attachment.


The malware exploited a vulnerability on the employees’ computers.


Phase 2: Lateral Movement

This established a beachhead for lateral movement from the business network into the production network.


Phase 3: Compromised Control Systems

Failures accumulated in individual control components and entire systems.


Phase 4: Physical Damage. Operators were unable to shut down a blast furnace in a controlled manner, causing massive damage to the plant.


2014 Key Findings

• Unknown malware
• Known malware
• Mobility
• High-risk applications
• Data loss


2015 Security Report Statistics: new malware per year

2009: 12M
2010: 18M
2011: 18.5M
2012: 34M
2013: 83M
2014: 142M

142M new malware samples in 2014, a 71% increase versus 2013.


Known vs. Unknown Malware

• IPS and Anti-Virus work by:
  - looking for specific patterns
  - enforcing compliance of protocols with their standards
  - detecting deviations from those protocols

• Attackers evade signature-based detection by obfuscating attacks and generating attack variants.

• So how hard is that?
  - Zeus and SpyEye "builders", which generate new Zeus or SpyEye variants in a click, are sold for $1,000–10,000.
  - www.styx-crypt.com will obfuscate HTML, JavaScript, executable, PDF and Flash files for $5–25 per file; quantity discounts apply.
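To make the evasion point concrete, here is an added example (not Check Point code, and not a real signature or crypter): a toy exact-match signature, the two cheapest ways an attacker defeats it (a byte-level variant and an XOR crypter with a decoder stub), and the normalization and deobfuscation steps a scanner needs before the same rule fires again. The payload, the signatures and the stub format are all constructed for this example.

```python
"""Exact-match signatures versus cheap evasion.

Added example, not Check Point code: the "malicious" JavaScript, the
signatures and the crypter below are constructed toys standing in for a
real drive-by payload, real IPS/AV rules and a commercial crypter.
"""
from __future__ import annotations

import re

# Constructed payload: a hidden iframe pointing at a made-up landing page.
PAYLOAD = (
    "document.write(\"<iframe src='http://exploit.example/landing' "
    "width=0 height=0></iframe>\");"
)

# Rule written as an exact byte string, the way a naive signature is written.
EXACT_SIGNATURES = {
    "hidden-iframe-inject": b"<iframe src='http://exploit.example/landing' width=0 height=0>",
}

# Same rule written against normalized content: tolerant of whitespace,
# quoting style and attribute order.
NORMALIZED_SIGNATURES = {
    "hidden-iframe-inject": re.compile(
        rb"<iframe[^>]*src=['\"]?http://exploit\.example/landing['\"]?[^>]*>"
    ),
}

# Decoder stub the toy crypter emits; a deobfuscating engine has to know it.
STUB = re.compile(rb"var k=(\d+);var b=\[([\d,]+)\];eval\(")


def exact_scan(content: bytes) -> list[str]:
    """Names of exact signatures present in the raw bytes."""
    return [name for name, sig in EXACT_SIGNATURES.items() if sig in content]


def normalize(content: bytes) -> bytes:
    """Collapse whitespace and unescape quotes before matching."""
    text = re.sub(rb"\s+", b" ", content)
    return text.replace(b'\\"', b'"').replace(b"\\'", b"'")


def normalized_scan(content: bytes) -> list[str]:
    """Names of normalized signatures present after normalization."""
    text = normalize(content)
    return [name for name, rx in NORMALIZED_SIGNATURES.items() if rx.search(text)]


def deobfuscate(content: bytes) -> bytes:
    """Recover the payload wrapped by the toy crypter's stub, if present.

    This is the step a pure pattern matcher cannot do: it has to recognize
    (or emulate) the decoder to see the bytes the signature was written for.
    """
    m = STUB.search(content)
    if not m:
        return content
    key = int(m.group(1))
    return bytes(int(x) ^ key for x in m.group(2).split(b","))


def scan(content: bytes) -> list[str]:
    """Full pipeline: raw exact match, then deobfuscate + normalized match."""
    hits = exact_scan(content)
    if hits:
        return hits
    return normalized_scan(deobfuscate(content))


# --- attacker side -----------------------------------------------------------

def make_variant(payload: str) -> str:
    """A 'new variant' for free: same behaviour, different bytes."""
    return payload.replace(
        "<iframe src='http://exploit.example/landing' width=0 height=0>",
        "<iframe  width=0 height=0 src='http://exploit.example/landing'>",
    )


def crypt(payload: str, key: int) -> str:
    """Toy crypter: XOR-encode the payload behind a one-line decoder stub."""
    enc = ",".join(str(ord(c) ^ key) for c in payload)
    return (
        f"var k={key};var b=[{enc}];"
        "eval(String.fromCharCode.apply(null,b.map(function(c){return c^k;})));"
    )


if __name__ == "__main__":
    for label, sample in [
        ("original", PAYLOAD),
        ("variant", make_variant(PAYLOAD)),
        ("crypted", crypt(PAYLOAD, 0x5A)),
    ]:
        raw = sample.encode()
        print(f"{label:9s} exact={exact_scan(raw)} normalized={normalized_scan(raw)} pipeline={scan(raw)}")
```

The pipeline only recovers the crypted payload because it knows that one stub; a real engine either maintains stub signatures for every crypter it has seen or emulates the script, which is the argument for the behavior-based analysis later in the deck.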


Unknown Malware

• 41% of organizations downloaded at least one unknown malware
• Every 34 seconds, an unknown malware is downloaded


Known Malware: Bots

• Every 1 minute, a bot communicates with its command and control
• Infected organizations: 73% in 2013, 83% in 2014


Known Malware: DDoS

• Every 30 minutes, a DDoS attack
• [Chart: top attack vectors, 2014 vs. 2013]


Known Malware: Top IPS Events

• [Chart: percent of total, client vs. server: 60% / 40%]
• No one to blame but ourselves


Known Malware: Endpoint Vulnerabilities and Misconfigurations


Mobility: Corporate Data at Risk


Mobile Threat Research

• Survey: 500K+ Android and 400K iOS devices in 100+ countries ([chart: Android 60% / iOS 40%])
• 42% suffered mobile security incidents costing more than $250,000


Mobile Threat Research

• 20+ malware variants
• 18 MRAT (mobile remote access trojan) families found


High-Risk Applications: P2P File Sharing Applications

• Organizations using P2P file sharing applications: 75% in 2013, 77% in 2014


High-Risk Applications

• High-risk applications are used 305 times per day, once every 5 minutes
• Organizations using anonymizer proxy applications: 56% in 2013, 62% in 2014


Data Loss

• Every 36 minutes, sensitive data is sent outside the organization
• Organizations with at least one data loss incident: 88% in 2013, 81% in 2014
• Data sent outside the organization by employees (% of organizations): credit card data, 30%; sensitive personal information, 25%


An Average Day

• Every 24 seconds, a host accesses a malicious website
• Every 34 seconds, an unknown malware is downloaded
• Every 1 minute, a bot communicates with its command and control center
• Every 5 minutes, a high-risk application is used
• Every 6 minutes, a known malware is downloaded
• Every 36 minutes, sensitive data is sent outside the organization


Summary: Security Statistics in 2014

• New malware increased 71%
• 106 downloads of unknown malware occurred per hour
• 86% of organizations accessed a malicious site
• 83% of organizations had existing bot infections
• 42% of businesses suffered mobile security incidents costing more than $250,000 to remediate
• 96% of organizations used at least one high-risk application
• 81% of organizations suffered a data loss incident
• Loss of proprietary information increased 71% over the past three years


WHAT DO WE DO ABOUT IT?


Segmentation

• Segments reduce the size of the challenge
• Limit the scope of a breach


Multi-Layered Threat Prevention

• Weaponized PDF: Threat Emulation (CPU and OS level) / Threat Extraction
• Command and Control: Anti-Bot
• Malware infestation: IPS and Anti-Malware


Access Control & Data Protection

• High-risk applications: Application Control / Mobile Threat Prevention
• Malicious websites: URL Filtering / Mobile Threat Prevention
• Data loss: DLP and Data/Document Security


A question: who configures their security technologies to prevent, and not just detect?


Pre-Infection

Post-Infection


[Chart: Top 20 Vendors by Vulnerabilities (2013), 0–600 vulnerabilities per vendor. Vendors shown: Oracle, Cisco, IBM, Microsoft, Google, Apple, Red Hat, Linux, SUN, Mozilla, Adobe, HP, Novell, Wireshark, FFmpeg, Canonical, Apache, EMC, XEN, MySQL.]

Source: http://www.cvedetails.com/top-50-vendors.php?year=2013


College – Server Compromise

• Incident Response Team (IRT) investigates a possible server compromise
• Server in the DMZ was flooding external hosts with UDP traffic
• Application Control log detected IRC over HTTPS to a machine in Russia
• IRT finds a JSP RAT and Bitcoin mining malware on the server
• College IPS was configured for Detect mode only (IDS)
• IPS logs show the Oracle server was exploited via a JSP injection vulnerability

IPS signatures specific to the environment should be configured to Prevent.


Large Pharmaceutical – Malware Infection

• IRT contacted about a possible bot infection
• Examination of Anti-Bot logs shows events with critical severity configured for Detect mode
• IRT identifies the specific malware
• IRT investigates the traffic
• #TotalHash shows 2,151 unique malware hashes hosted on this IP
• Customer finds the malware on the host
• VirusTotal shows 29 AV products identify it as malicious and confirms H-Worm malware
• Malware families seen: H-Worm, Ponmocup, Conficker

Critical Anti-Bot events should be configured to Prevent.


Professional Sports Team – Ransomware

• Customer infected with CryptoWall ransomware
• Correlating source IP and user info with the time of infection shows the Cubby Cloud file sharing application was detected (log fields: IP of infected host, username, time of infection; action: Allowed; risk: High)
• Intelligence sources confirm the CryptoWall campaign uses Cubby Cloud for distribution

High Risk Application Control events should be configured to Prevent.

Backups are critical to recovery from crypto malware.
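The three cases share one root cause: a protection that fired but was configured to log rather than stop. As an added example (not Check Point code), the following Python audits a gateway log excerpt for exactly that and reproduces the sports-team correlation of an infection with the application traffic the same host was allowed shortly before. The key=value log lines are constructed for this example and do not reproduce any vendor's log format; the severity and risk thresholds in RULES and the 30-minute correlation window are assumptions.

```python
"""Audit a gateway log for protections left in Detect/Allow, and correlate an
infection back to the application traffic that preceded it.

Added example, not Check Point code. The key=value log lines are constructed
and do not reproduce any vendor's real log format; the thresholds in RULES
and the default correlation window are this example's assumptions.
"""
from __future__ import annotations

import shlex
from datetime import datetime, timedelta

# Constructed log excerpt. The names (JSP injection, H-Worm, Cubby Cloud,
# CryptoWall) are the ones the three cases mention; addresses come from
# documentation ranges.
LOG_LINES = """\
time=2015-03-02T10:14:05 blade=IPS severity=Critical action=Detect src=203.0.113.7 dst=10.1.5.20 protection="JSP injection"
time=2015-03-02T10:14:09 blade=IPS severity=Medium action=Prevent src=203.0.113.7 dst=10.1.5.20 protection="Directory traversal"
time=2015-03-02T11:02:44 blade=Anti-Bot severity=Critical action=Detect src=10.1.7.33 dst=198.51.100.9 malware=H-Worm
time=2015-03-02T11:02:44 blade=Anti-Bot severity=Low action=Detect src=10.1.7.33 dst=198.51.100.9 malware=H-Worm
time=2015-03-02T09:00:12 blade="Application Control" risk=High action=Allow src=10.1.9.41 user=kdoe app="Cubby Cloud"
time=2015-03-02T14:20:31 blade="Application Control" risk=High action=Allow src=10.1.9.41 user=kdoe app="Cubby Cloud"
time=2015-03-02T14:21:10 blade="Application Control" risk=Low action=Allow src=10.1.9.41 user=kdoe app="Webmail"
time=2015-03-02T14:32:00 blade=Anti-Bot severity=Critical action=Detect src=10.1.9.41 user=kdoe malware=CryptoWall
"""

# (blade, field, values that matter, action that is wrong, action it should be)
# Thresholds are assumptions for the example, not a vendor recommendation.
RULES = [
    ("IPS", "severity", {"Critical", "High"}, "Detect", "Prevent"),
    ("Anti-Bot", "severity", {"Critical"}, "Detect", "Prevent"),
    ("Application Control", "risk", {"High"}, "Allow", "Block"),
]


def parse_line(line: str) -> dict:
    """Parse one key=value line; shlex keeps quoted values intact."""
    event = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        event[key] = value
    event["time"] = datetime.fromisoformat(event["time"])
    return event


def parse_log(text: str) -> list[dict]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def audit(events: list[dict]) -> list[dict]:
    """Events that fired but were only logged: the policy gaps behind the cases."""
    findings = []
    for ev in events:
        for blade, field, serious, wrong, recommended in RULES:
            if ev.get("blade") == blade and ev.get(field) in serious and ev.get("action") == wrong:
                findings.append({
                    "time": ev["time"],
                    "blade": blade,
                    "what": ev.get("protection") or ev.get("malware") or ev.get("app"),
                    "configured": wrong,
                    "recommended": recommended,
                })
    return findings


def find_infection(events: list[dict], malware: str) -> dict:
    """First event naming the given malware (the customer's starting point)."""
    return next(ev for ev in events if ev.get("malware") == malware)


def correlate(infection: dict, events: list[dict],
              window: timedelta = timedelta(minutes=30)) -> list[dict]:
    """Application Control events from the infected host in the window before
    the infection, i.e. what that user was allowed to run just before it."""
    start = infection["time"] - window
    return [
        ev for ev in events
        if ev.get("blade") == "Application Control"
        and ev.get("src") == infection.get("src")
        and start <= ev["time"] <= infection["time"]
    ]


if __name__ == "__main__":
    events = parse_log(LOG_LINES)
    for f in audit(events):
        print(f"{f['time']} {f['blade']:20s} {str(f['what']):20s} {f['configured']} -> set to {f['recommended']}")
    infection = find_infection(events, "CryptoWall")
    for ev in correlate(infection, events):
        print(f"before infection: {ev['time']} {ev['user']} {ev['app']} risk={ev['risk']} action={ev['action']}")
```

Run against a real export, the audit list is the change request: every row is a protection that already recognized the event and only needed its action flipped. The correlation deliberately returns every application the host used in the window, not only the high-risk one, so the analyst sees the full context before deciding which application to block.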


Leveraging IPS to address known exploits

CVE-2013-2471: vulnerability-specific signatures provide protection until systems are patched.


Anti-Malware

And why Threat Prevention incorporates integrated Anti-Virus:

• URLs with malware: the gateway blocks access to known infected websites
• Viruses: the gateway scans traffic for known viruses and malware


Botnet Protections

• Checks URL, IP and domain reputation
• Looks for unique patterns in files or in the network
• Finds infected machines by looking for C&C communication patterns
• Blocks outbound C&C traffic
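As an added example (not Check Point code) of two of the checks listed above, the following Python flags outbound connections to destinations on a reputation list and connections whose timing looks like a fixed-period C&C beacon, then shows what the Detect versus Prevent setting changes about the outcome. The connection records and the reputation list are constructed; the beacon thresholds (at least six connections, gap jitter below 15%) are assumptions.

```python
"""Two of the checks an anti-bot layer makes on outbound traffic: destination
reputation and C&C beaconing, followed by the Detect-vs-Prevent decision.

Added example, not Check Point code. The connection records and the
reputation list are constructed (documentation-range addresses); the beacon
thresholds are this example's assumptions, not a vendor's.
"""
from __future__ import annotations

from collections import defaultdict
from statistics import mean, pstdev

# Constructed reputation feed of known C&C destinations.
KNOWN_CNC = {"192.0.2.77"}

BASE = 1425290400  # constructed epoch timestamp (2015-03-02 10:00:00 UTC)


def _conns(src: str, dst: str, dport: int, offsets: list[int]) -> list[tuple]:
    return [(BASE + o, src, dst, dport) for o in offsets]


# Constructed connection log: (epoch seconds, src, dst, dport)
CONNECTIONS = (
    # an infected host calling home about once a minute with little jitter
    _conns("10.1.7.33", "198.51.100.9", 443, [0, 60, 118, 179, 239, 298, 360, 420])
    # ordinary browsing: bursty and irregular, even though there are 7 connections
    + _conns("10.1.2.5", "203.0.113.50", 80, [0, 5, 305, 317, 1217, 1300, 2000])
    # a host talking to a destination on the reputation list
    + _conns("10.1.4.8", "192.0.2.77", 8080, [30, 700])
)


def gap_stats(times: list[int]) -> tuple[float, float] | None:
    """(mean gap, jitter) for a connection series, where jitter is the
    coefficient of variation of the gaps; near zero means a fixed-period
    beacon. None when there are too few gaps to say anything."""
    if len(times) < 3:
        return None
    t = sorted(times)
    gaps = [b - a for a, b in zip(t, t[1:])]
    m = mean(gaps)
    if m <= 0:
        return None
    return m, pstdev(gaps) / m


def analyze(connections, min_count: int = 6, max_jitter: float = 0.15) -> list[dict]:
    """One finding per suspicious (src, dst, dport) tuple."""
    by_flow: dict[tuple, list[int]] = defaultdict(list)
    for ts, src, dst, dport in connections:
        by_flow[(src, dst, dport)].append(ts)

    findings = []
    for (src, dst, dport), times in sorted(by_flow.items()):
        # Reputation: a single connection to a known C&C is enough.
        if dst in KNOWN_CNC:
            findings.append({"src": src, "dst": dst, "dport": dport, "reason": "reputation"})
            continue
        # Beaconing: enough connections, and their spacing is too regular
        # to be a human.
        stats = gap_stats(times)
        if len(times) >= min_count and stats is not None and stats[1] <= max_jitter:
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "reason": "beacon", "period_s": round(stats[0])})
    return findings


def enforce(findings: list[dict], mode: str) -> list[dict]:
    """Turn findings into actions. In Detect mode the infected host is
    identified but keeps talking to its C&C; in Prevent mode the outbound
    traffic is blocked as well."""
    action = "Block" if mode == "prevent" else "Log"
    return [dict(f, action=action) for f in findings]


if __name__ == "__main__":
    found = analyze(CONNECTIONS)
    for mode in ("detect", "prevent"):
        for f in enforce(found, mode):
            print(f"[{mode}] {f['src']} -> {f['dst']}:{f['dport']} {f['reason']} => {f['action']}")
```

The jitter test is deliberately simple; production engines also look at payload patterns and DNS behaviour, but even this check separates the once-a-minute call-home from browsing that happens to hit the same destination many times.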


Threat Emulation

• Emulated OSs: Threat Emulation provides a closed environment in which to analyze files for unknown attacks
• Focus is on behavior: how a file interacts with the operating system gives a view into malicious content


Take the leap of faith

• Configure your security to "Prevent"
• Apply the protections to everything


WE SECURE THE FUTURE

Download the 2015 Security Report at: www.checkpoint.com