fortinet, держи марку!

© Copyright Fortinet Inc. All rights reserved.

FORTISANDBOXАлексей Андрияшин

2 ноября 2015

+79859996477

[email protected]

2

ЖИЗНЕННЫЙ ЦИКЛ APT (ATA)

http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf

…от 1 дня до 2+ лет…

Начальный

этап

внедрения

Создание

плацдарма

Повышение

привилегий

Сбор

информацииНачальная

разведка

Поддержка

присутствия

Основная

деятельность

Завершение

миссии

3

РЕШЕНИЯ FORTINET

FortiDBDatabase

Protectio

n

FortiClientEndpoint Protection,

VPN

FortiTokenTwo Factor

Authentication

FortiSandboxAdvanced Threat

Protection

FortiClientEndpoint Protection

FortiGateNGFW

FortiAuthenticatorUser Identity

Management

FortiManagerCentralized

Management

FortiAnalyzerLogging, Analysis,

Reporting

FortiADCApplication

Delivery Control

FortiWebWeb Application

Firewall

FortiGateDCFW

FortiGateInternal NGFW

FortiDDoSDDoS Protection

FortiMailEmail Security

FortiGateVM

XSDN, Virtual

Firewall

FortiAPSecure Access

Point

DATA CENTER

BRANCH

OFFICE

CAMPUS

FortiGateCloud

FortiWi

FiUTM

FortiGat

eTop-of-

Rack

FortiCameraIP Video Security

FortiVoiceIP PBX Phone

System

FortiGateNext Gen IPS

FortiExtenderLTE Extension

Secure Wireless

Switching

Advanced Threat Protection

Authentication & Tokens

Application Security

Application Delivery/SLB

Endpoint Security

IP PBX and Phones

IP Video Surveillance

More…

4

• Эшелонированная безопасность

• Высокая скорость реакции

СИНЕРГИЯ ПРИ ПРЕДОТВРАЩЕНИИ УГРОЗ

IPS

Antivirus

Anti-Spam

IP Reputation

Web Filtering

App Control

ОСНОВНАЯ ЗАДАЧА – РАЗОРВАТЬ ЦЕПЬ УГРОЗ И РАЗРУШИТЬ ЛОГИКУ APT

5

КОМПЛЕКСНЫЙ ПОДХОД К ОПРЕДЕЛЕНИЮ УГРОЗ

Пример: Фишинг

1. Anti-spam

2. Antivirus

3. Web Filtering

IPS

IP Reputation

App Control

6

Пример: Бэкдор/Бот

1. Antivirus

2. IPS

3. Web Filtering

Anti-spam

IP Reputation

App Control


7

1. Anti-spam

2. Web Filtering

3. IPS

4. Antivirus5. IP

Reputation

6. App Control

Добавьте ATP SandboxИсключите

неопределенность

угроз

Пример: ATP


8

ВОЗМОЖНЫЙ СЦЕНАРИЙ

Anti-spam

Web Filtering

Intrusion Prevention

Antivirus

App Control/

IP Reputation

9

РАЗРЫВА ЦЕПИ УГРОЗ –ШАГ 1

СпамМошенническоесообщение

Спам

Anti-spam

Web Filtering


Antivirus

App Control/

IP Reputation

10

СпамМошенническоесообщение

Спам

Anti-spam

Web Filtering


Antivirus

App Control/

IP Reputation

ФишингСайт злоумышленника

Фишинг

РАЗРЫВ ЦЕПИ УГРОЗ –ШАГ 2

11

Anti-spam

Web Filtering


Antivirus

App Control/

IP Reputation

Спам


Спам

Фишинг

Эксплойт

Мошенническоесообщение


12

Anti-spam

Web Filtering


Antivirus

App Control/

IP Reputation

Спам


Спам

Фишинг

Эксплойт



13

Anti-spam

Web Filtering


Antivirus

App Control/

IP Reputation

Спам


Вредоносное ПО

Спам

Фишинг

Эксплойт




14

Anti-spam

Web Filtering


Antivirus

App Control/

IP Reputation

Спам


Вредоносное ПОC&C Центр

Спам

Фишинг

Эксплойт


Бот активностьи кража данных




15

Спам


Эксплойт

Вредоносное ПОC&C Центр

Спам

Фишинг

Эксплойт



Sa

nd

bo

x

Anti-spam

Web Filtering


Antivirus

App Control/

IP Reputation



РАЗРЫВ ЦЕПИ УГРОЗ –ШАГ 7. ВНЕДРЯЕМ SANDBOX

16

MALWARE? GOODWARE? IDON’TKNOWWARE?

Known

Good

Known

Bad

Probably

Good

Very

Suspicious

Somewhat

Suspicious

Might be

Good

Completely

Unknown

Whitelists Reputation:

File, IP, App, Email

App Signatures

Digitally signed files

Blacklists

Signatures

Heuristics

Reputation: File, IP,

App, Email

Generic Signatures

Code

Continuum

Security

Technologies

Sandboxing

17

Known

Good

Known

Bad

Probably

Good

Very

Suspicious

Somewhat

Suspicious

Might be

Good

Completely

Unknown

Whitelists Reputation:

File, IP, App, Email

App Signatures

Digitally signed files

Blacklists

Signatures

Heuristics

Reputation: File, IP,

App, Email

Generic Signatures

Code

Continuum

Security

Technologies

Solutions

FortiGate(and/or FortiMail, FortiClient, FortiWebt, etc.)

Sandboxing

FortiSandbox

MALWARE? GOODWARE? IDON’TKNOWWARE?

18

• Prefilters objects, identifying known threats

• Runs objects/URLs, analyzing and rating activity

• Uncovers full threat lifecycle and presentsindicators of compromise

• 3 modes of operation

– Sniffer: span port mode to capture all packets

– On-demand: manual submission & analysis

– Integrated: with FortiGate, FortiMail and FortiClientto feed into and act on intelligence out of FortiSandbox

FortiSandboxОПРЕДЕЛЕНИЕ ЦЕЛЕНАПРАВЛЕННЫХ АТАК

Network Traffic

Cloud

File QueryAV

Prefilter

Code

EmulationFull

Sandbox

Callback

Detection

19

FortiSandbox – 5 STEPS TO BETTER PERFORMANCE

Call Back Detection

Full Virtual Sandbox

Code Emulation

Cloud File Query

AV Prefilter

• Quickly simulate intended activity

• OS independent and immune to evasion/obfuscation

• Apply top-rated anti-malware engine

• Examine real-time, full lifecycle activity to get the

threat to expose itself

• Check community intelligence & file reputation

• Identify the ultimate aim, call back & exfiltration

• Mitigate w/FortiGuard updates

20

• Top-rated Breach Detection (NSS Labs Recommended)

• Customizable Environment

– Preloaded with Microsoft Windows XP and 7, 32- and 64-bit, plus Office, IE and Adboe

– Ability to select specific combination or let the system choose

• Genuine Microsoft Licenses for Windows and Office

TOP RATED SANDBOX

Independent third-

party tested &

validated!

21

FORTISANDBOX DETAILS

Network Traffic

Ob

jects

fo

r In

sp

ectio

n

Up

da

ted P

rote

ction 3. Operating Environment

• Code emulation: OS-

independent

• Sandbox: Windows XP, 7, 8.1,

Server 2008/2010, IE, Office

2. File type support

• AV Prefilter: all

• Full Sandbox: as follows

Archived: .tar, .gz, .tar.g,

.tgz, .zip, .bz2, .tar.bz2,

.bz, .tar.Z, .cab, .rar, .arj

Executable: .exe, .dll,

PDF, Windows Office,

Javascript, .pd

URLs

Media: .avi, .mpeg, mp3,

mp4

1. Protocol support

• FortiGate Integrated: HTTP,

SMTP, POP3, IMAP, MAPI, FTP,

SMB, IM

and SSL encrypted equivalents

• Stand-alone: HTTP, FTP, POP3,

IMAP, SMTP, SMB

• FortiMail Integrated: SMTP,

POP3, IMAP

22

SANDBOX ONLY

Feedback

to/from FortiGuard

InternetNetwork

Traffic

Deployed in sniffer mode FortiSandbox will preflter

for known threats, sandbox unknown threats and

watch for callback activity

Inspected

Traffic

23

NGFW + SANDBOX

Feedback

to/from FortiGuard

InternetNetwork

Traffic

Full NGFW inspection performed on FortiGate.

At risk objects sent to FortiSandbox, results

received. Sandbox

Inspection

and Results

Inspected

Traffic

Deployed in integrated mode FortiSandbox will

receive objects, perform analysis and return results

24

CENTRAL SANDBOX FOR NGFW+SEG

Reputation, behavior and other analysis performed by FortiMail.

At risk messages held for FortiSandbox analysis, results acted on.

Clean emails delivered to mail

servers.

Outgoing email also inspected

Feedback

to/from FortiGuard

Email

Traffic

Internet

Inspected

Emails

Network

Traffic



received. Sandbox

Inspection

and Results

Inspected

Traffic

25

CENTRAL SANDBOX FOR NGFW + SEG + EPP

Reputation, behavior and other analysis performed by FortiMail.

At risk messages held for FortiSandbox analysis, results acted on.

Clean emails delivered to mail

servers.

Outgoing email also inspected

FortiSandbox prefilters, executes, analyzes and feeds

back to FortiGate, FortiMail, FortiClient and

FortiGuardFeedback

to/from FortiGuard

Email

Traffic

Internet

Inspected

Emails

Network

Traffic



received. Sandbox

Inspection

and Results

Full EPP inspection, new files also sent

to FortiSandbox. Results acted on.

Inspected

Traffic

26

РАЗРЫВА ЦЕПИ УГРОЗ – ШАГ 8 ПОДДЕРЖКА АКТУАЛЬНОСТИ СИСТЕМЫ ЗАЩИТЫ

Anti-spam

Web Filtering

Intrusion

Prevention

Antivirus

App Control/

IP Reputation

Sa

nd

bo

xЦОД

Предприятия и

филиальная сеть

Облако

Мобильные

Распределенная сеть

DLP

27

ОПЕРЕЖАТЬ ДЕЙСТВИЯ ЗЛОУМЫШЛЕННИКОВ

Комплексная Безопасность

Глобальная Защита

Уверенность в высокой эффективности

360

247x

100%

28

http://www.netwell.ru/events/?id_form=fortinet_security_day

Алексей Андрияшин

+79859996477

[email protected]

Илья Яблонко, CISSP,

менеджер по развитию решений ИБ

+7 912 607 55 66,

[email protected]

fortinet, держи марку!

Business