The recent WannaCry outbreak clearly demonstrates just how damaging ransomware can be, and how quickly such attacks can disrupt vital services. View the slides from our webinar to learn about WannaCry’s inner workings, understand how to effectively protect from this threat and what you should do to be prepared for future attacks.
For more information: http://pages.checkpoint.com/anti-ransomware.html
The training takes place in CP labs. The resulting neural network powers the dynamic exe emulation of both the cloud and our TE appliances.
The WannaCry epidemic: 10 new infections every second, which is 860K infections every day!
Hi,
I’m going to talk about how you should protect your organizations – not only from WannaCry, but from all ransomware attacks. And indeed, from all advanced attacks.
So what can we do?
Well, there’s a lot we can do…
First of all, education.
You should educate your users.
User awareness definitely reduces infections.
<CLICK>
Secondly, backup.
Solid backups should let you restore encrypted data in case of a ransomware attack.
I should note here we’ve seen cases where backups fail at the moment of truth, and we’ve also seen cases of ransomware encrypting backups.
Also, think of a network-wide infection – like we’ve seen with WannaCry. Your systems are going to be down for a loooong time while you’re busy restoring a system-wide infection from your backups.
<CLICK>
Next, Patching.
I know patching can be a very painful task. But constantly patching all systems and software is always important, and WannaCry is an excellent example of why it’s important.
<CLICK>
And finally, protection!
Yes, applying advanced protection technologies is the most effective way to prevent advanced attacks.
I’ll talk about protection in a moment, but first let’s review the common ways in which ransomware, and other forms of malware, penetrate.
<CLICK>
One way is by infecting users who are browsing the internet. Infections can come from malicious web sites that perform browser exploitation, or by seducing users to download and execute malicious files.
<CLICK>
Another very common method is to send an email to an unsuspecting user.
The mail could contain either a malicious attachment, or a link to a malicious web site. And… with a bit of social engineering, hackers trick users into clicking through, and they get infected.
<CLICK>
Infections can also enter through removable storage – like a USB stick.
<CLICK>
And finally, some infections go directly after your online servers. Attackers will often look for unpatched web servers.
Or… in the WannaCry case, any exposed Windows host that isn’t fully patched will do.
Check Point’s comprehensive solution for Advanced Threats is SANDBLAST
So, … let’s have a look at SandBlast
SandBlast offers a wide-range of advanced protections; I’ve listed a few of them on this slide.
These technologies provide a multi-layered, 360-degree protection from all forms of advanced attacks, … and from all the attack vectors I showed on the previous slide.
These technologies work together on the endpoint as well as on the network, to provide a complete multi-layered protection for your organization.
All of these technologies will prevent ransomware attacks, and specifically, they prevent WannaCry.
Talking about WannaCry: Threat Emulation – our evasion-resistant sandbox – and the Threat Extraction file sanitation technology prevent the initial WannaCry infection via mail or web.
…and our IPS technology prevents WannaCry’s propagation using the notorious SMB vulnerability.
Of course, these protections also prevent numerous other forms of advanced cyber threats.
I should stress here: Most of these attack vectors will be blocked by SandBlast on the network - before the attack even hits the endpoint.
<CLICK>
Last but not least: Anti Ransomware is our newest addition to the SandBlast family.
So… let’s take a closer look at Anti-Ransomware…!
Check Point Anti-Ransomware is an endpoint protection. It’s part of our SandBlast Agent product.
Anti-Ransomware uses a set of purpose-built advanced technologies that are designed to prevent even the most evasive and sophisticated ransomware attacks.
We’ve put a very strong emphasis in creating a future-proof technology that can identify and block new, unknown and zero-day ransomware attacks.
<CLICK>
The most important thing to all of us, is our data.
And Anti-Ransomware will safely recover our data, if any was encrypted during the attack – before it was quarantined.
Next, I’m going to switch to a short video, that shows Anti-Ransomware in action.
Let’s see Anti-Ransomware protecting an endpoint from a WannaCry infection.
{Demo… switch to video. 2 minutes}
So, how does Anti-Ransomware do its magic?
At the core of our detection engine we utilize a range of advanced behavioral algorithms.
The behavioral algorithms are specifically tuned to detect ransomware.
We look for generic malicious behavior, but we also look for a wide range of behaviors that are unique to ransomware. Things like attempting to delete shadow copies and backups, creating ransom notes, and ultimately we constantly monitor the file system, and we can identify early on any activity that is illegitimately and systematically encrypting files on the file system.
<CLICK>
Upon detection, we utilize SandBlast Agent’s unique and advanced ability to automatically analyze incidents with its Automated Forensic Analysis technology.
<CLICK>
The analysis phase identifies all the malicious elements of the malware, allowing us to automatically quarantine it – even if it’s a new attack that we’ve never seen before.
<CLICK>
In some cases, like we saw in the video, some data could get encrypted before the quarantine is complete.
In order to mitigate this case, we’ve built an ongoing mechanism that creates temporary snapshots of data files - before granting any change that we suspect may be illegitimate.
<CLICK>
As we saw in the demo, if some data was encrypted during the attack, then once we’ve completed the quarantine, our data snapshots allow us to automatically restore the files.
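The detect-snapshot-quarantine-restore loop described above (shadow-copy deletion, a dropped ransom note, a low-entropy document being rewritten as a high-entropy blob, a snapshot taken before the suspicious change is granted, and restoration once the process is quarantined), as an added toy example; this is not Check Point’s code and says nothing about how SandBlast Agent actually implements it. The entropy thresholds, the event kinds, the indicator names, the sample documents and the stand-in ciphertext are all assumptions constructed for the demo.

```python
import math
from collections import Counter
from pathlib import Path
from tempfile import TemporaryDirectory

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: English prose is ~4.5, ciphertext close to 8."""
    return -sum(c / len(data) * math.log2(c / len(data)) for c in Counter(data).values())

class RansomwareMonitor:
    def __init__(self):
        self.snapshots = {}   # original path -> pre-change content (stands in for an on-disk snapshot)
        self.indicators, self.encrypt_like, self.quarantined = set(), 0, False
    def on_event(self, kind: str, target, data: bytes = b"") -> bool:
        if self.quarantined:
            return False   # process already quarantined: the action is denied
        if kind == "exec" and "vssadmin" in target.lower() and "delete shadows" in target.lower():
            self.indicators.add("shadow_copy_deletion")   # removes the built-in restore point
        elif kind == "create":
            if target.suffix == ".txt" and b"decrypt" in data.lower():
                self.indicators.add("ransom_note")        # dropped note talking about decryption
            target.write_bytes(data)
        elif kind == "write":
            old = target.read_bytes()
            if entropy(old) < 6.0 and entropy(data) > 7.0:
                self.snapshots.setdefault(target, old)    # snapshot BEFORE the suspicious change lands
                self.encrypt_like += 1                    # low-entropy file rewritten as high-entropy blob
            target.write_bytes(data)
        # Systematic encryption alone, or one such write plus another ransomware behavior, quarantines.
        self.quarantined = self.encrypt_like >= 3 or (self.encrypt_like > 0 and bool(self.indicators))
        return True
    def restore(self) -> list:
        for original, content in self.snapshots.items():
            original.write_bytes(content)   # after quarantine, put the pre-change copy back
        return sorted(p.name for p in self.snapshots)

def run_demo() -> dict:
    """Replay a constructed event sequence (not real telemetry) against the monitor."""
    with TemporaryDirectory() as tmp:
        root, mon = Path(tmp), RansomwareMonitor()
        docs = {root / f"report{i}.docx": f"Quarterly report {i} ".encode() * 40 for i in range(3)}
        for path, text in docs.items():
            path.write_bytes(text)
        mon.on_event("exec", "vssadmin.exe delete shadows")
        mon.on_event("create", root / "HOW_TO_DECRYPT.txt", b"Your files are encrypted. Pay to decrypt.")
        # Stand-in for ciphertext: deterministic bytes spread evenly over all 256 values.
        granted = [mon.on_event("write", p, bytes((i * 37 + 11) % 256 for i in range(len(t)))) for p, t in docs.items()]
        return {"quarantined": mon.quarantined, "indicators": sorted(mon.indicators), "denied": granted.count(False),
                "restored": mon.restore(), "data_intact": all(p.read_bytes() == t for p, t in docs.items())}
```

In the replay, the first encrypt-like rewrite lands before quarantine (mirroring the video, where some data is encrypted before the process is stopped), the two remaining writes are denied, and the one snapshotted file is restored, so every document ends up intact.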
So how effective is Check Point Anti Ransomware?
To answer this question, we’ve been putting Anti-Ransomware through very rigorous testing.
Our goal is to test its prevention of unknown and zero-day ransomware.
So, we built a dedicated ransomware test lab with PCs that are protected only by our Anti-Ransomware technology, without any additional endpoint or network protections.
The lab is kept offline without any access to signature updates.
<CLICK>
And we created an automated process that collects fresh ransomware samples from Virus Total every day.
Now, because ransomware is so prevalent, there is actually no shortage of new samples.
In fact we’ve been testing over 200 samples a day for the past six months.
<CLICK>
And we are very proud of our catch rate – to date it is 99.3%!
<CLICK>
Now, one more point: In our lab we’ve disabled all other protections in order to isolate Anti-Ransomware’s detection metrics. But in your environment you should be deploying a wider set of protections. We always recommend implementing a multi-layered defense strategy, and with the advanced protections we offer, you can actually be very effective in preventing ransomware attacks before they hit their final target and your last line of defense on the endpoint.
To understand this point better, I’m going to talk a bit about attack vectors.
Back to SandBlast,
SandBlast is a family of products.
We offer protection for the network with our gateways,
for endpoints – with SandBlast Agent,
for Office 365 mail – with SandBlast Cloud,
… and for iOS and Android devices with SandBlast Mobile,
Finally, the SandBlast API lets you integrate SandBlast directly with virtually any system.
Our SandBlast product family is a major success in the market, and is also very well recognized in the industry as the leading solution to advanced threats.
You can see here a few of the awards and rankings that we’ve received from NSS Labs, Network Computing, SC magazine and Forrester.
The SandBlast solution includes a service element for Threat Emulation sandboxing, and in some cases also for Threat Extraction.
You can choose, as a configuration option, whether to send files for Emulation on the Check Point cloud, or you can host the service within your own data center with the SandBlast TE appliance.
As a network protection, SandBlast is available on our entire range of Check Point gateways – all you need is the NGTX software license.
And, it protects your incoming mail, users accessing the internet and your various network segments.
On the endpoint side, we offer several options for SandBlast Agent:
First, SandBlast Anti-Ransomware is available as a dedicated product.
Next, SandBlast Agent – which includes all our advanced protections and is designed to be deployed alongside any third-party endpoint protection suite.
And finally, the Endpoint Complete Suite – which offers comprehensive endpoint protection with firewall, VPN, FDE, AV, and all of the SandBlast features.
We’ve talked about the WannaCry outbreak and reviewed an analysis of its inner workings.
And we’ve looked at SandBlast and explained how it can help you address the challenge of protecting from all forms of ransomware and advanced threats – including WannaCry.
Next we’re going to take a few questions, so back to you Michelle… and thank you all for listening till now.