The document provides information about Check Point's Compliance Software Blade, which allows users to monitor security and compliance across their network in real time. The Compliance Software Blade integrates fully with Check Point's security management platform and provides visibility into security best practices mapped to various regulations. It also offers out-of-the-box audit preparation and compliance reporting to help streamline regulatory compliance efforts.
The blade is responsible for 3 main activities:
• Identifying bot-infected machines in the organization (most organizations today are unable to detect bot infections).
• Preventing their damage by blocking bot communication to C&C sites, making sure no sensitive information can be stolen and sent out of the organization.
• Providing the organization with threat visibility to assess damage and decide on next steps (again, most organizations today have limited visibility into malware infections).
Simple deployment: Ready to protect any network in minutes!
• Transparent network device that easily fits into the existing network topology (layer 2 bridge).
• Can also be deployed in Learning Mode for adjusting the Behavioral Analysis Engine to the protected network and applications.
• Minimal maintenance after initial configuration.
There are 3 DDoS protection deployment types: on the customer premises, off-site, or both.
• On-premise solutions can have better response times and can be customized to each network.
• Off-site deployment helps by moving the problem away from the protected network; it fits when the attack is on bandwidth.
• A deployment of both types of solution can leverage the advantages of the two deployment options.
High-Availability on DefensePro

To support high availability (HA), you can configure two compatible DefensePro devices to operate in a two-node cluster. To be compatible, both cluster members must be of the same platform, software version, software license, throughput license, and Radware signature file. One member of the cluster is the primary; the other member of the cluster is the secondary. When you configure a cluster and commit the configuration, the newly specified primary device configures the required parameters on the secondary device.

You can configure a DefensePro high-availability cluster in the following ways:
• To configure the primary device of the cluster, the failover parameters, and the advanced parameters, you can use the High Availability pane (Configuration perspective > Setup > High Availability). When you specify the primary device, you specify the peer device, which becomes the secondary member of the cluster.
• To configure only the basic parameters of a cluster (Cluster Name, Primary Device, and Associated Management Ports), you can use the Configuration perspective main navigation pane System tab.

The members of a cluster work in an active-passive architecture. When a cluster is created:
• The primary device becomes the active member.
• The secondary device becomes the passive member.
• The primary device transfers the relevant configuration objects to the secondary device.

A secondary device maintains its own configuration for the device users, IP interfaces, and routing. A primary device immediately transfers each relevant change to its secondary device. For example, after you make a change to a Network Protection policy, the primary device immediately transfers the change to the secondary device. However, if you change the list of device users on the primary device, the primary device transfers nothing (because the secondary device maintains its own list of device users). The passive device periodically synchronizes baselines for BDoS and HTTP Mitigator protections.

The following situations trigger the active device and the passive device to switch states (active to passive and passive to active):
• The passive device does not detect the active device according to the specified Heartbeat Timeout.
• All links are identified as down on the active device according to the specified Link Down Timeout.
• Optionally, the traffic to the active device falls below the specified Idle Line Threshold for the specified Idle Line Timeout.
• You issue the Switch Over command. To switch the device states, in the Monitoring & Control perspective navigation pane System tab, right-click the cluster node, and then select Switch over.

You can perform only the following actions on a secondary device:
• Switch the device state (that is, switch over active to passive and passive to active)
• Break the cluster if the primary device is unavailable
• Configure management IP addresses and routing
• Manage device users
• Download a device configuration
• Upload a signature file
• Download the device log file
• Download the support log file
• Reboot
• Shut down
• Change the device name
• Change the device time
• Initiate a baseline synchronization if the device is passive, using CLI or Web Based Management

Notes:
• You can initiate a baseline synchronization if a cluster member is passive, using CLI or Web Based Management.
• In an existing cluster, you cannot change the role of a device (primary to secondary or vice versa). To change the role of a device, you need to break the cluster (that is, ungroup the two devices), and then reconfigure the cluster as you require.
• If the devices of a cluster belong to different sites, APSolute Vision creates the cluster node under the site where the primary device resides, and APSolute Vision removes the secondary device from the site where it was configured.
• APSolute Vision issues an alert if the state of the device clusters is ambiguous, for example, if there has been no trigger for switchover and both cluster members detect traffic. This state is normal during the initial synchronization process.
• There is no failback mechanism. There is only the automatic switchover action and the manual Switch Over command.
• When a passive device becomes active, any grace time resets to 0 (for example, the time of the Graceful Startup Mode Startup Timer).
• You can monitor high-availability operation in the High Availability pane of the Monitoring & Control perspective.

For more details, please refer to the DefensePro User Guide.
Have you ordered a product online and seen a product shipping email that looked like this? If you didn't look closely, you might think it was legitimate. This attempt to deliver malware is not unusual. Around Valentine's Day, infected e-cards were making the rounds. If you received a message with ValentineCard4you.zip and opened it, you would become infected with backdoor.trojan.

The Wall Street Journal stated that "Over 90% of targeted emails use malicious file attachments as the payload or infection source".
The attacks are especially dangerous when they leverage zero-day vulnerabilities. One example that leverages such vulnerabilities is Duqu.

Duqu, which some have named the "son of Stuxnet", used zero-day vulnerabilities in business documents such as MS Word files to compromise target Windows operating systems and harvest information. The tell-tale signs included process injection, downloading and installing additional software drivers, modifications to the registry, and contact with C&C servers using HTTP and HTTPS.
What are zero-day attacks and why should we be concerned? These are attacks that have no known defenses. In 2012, there were over 200 new vulnerabilities in applications we use every day, and malware variants like SpyEye can be created with a click of a button. In the time I described this slide, someone could have created 60 malware variants. To put this in perspective, Dark Reading reported that up to 100,000 new malware samples are created each day (Dark Reading, Oct 15, 2012).

If we are only using signature-based detections, how are security teams supposed to keep up with the new exploits and new malware? New challenges need new solutions.
In May 2013 a customer noticed that a file was being detected as a zero-day attack. It was an email coming from Citibank, with the title "statement id". The customer was expecting such an email from this bank, and did not understand why the system blocked it. After talking to Check Point and providing this email, our analysts confirmed the file as malicious: it exploited a vulnerability in MS Word, installed a bot agent and tried to communicate with a C&C server. Threat Emulation detected and prevented this attack, which at that time was known to only 2 AV vendors in the entire industry (out of almost 50 AV vendors). The following week, the Threat Emulation system detected this exact same file at additional organizations running the system, and this time stopped it because it had been shared with ThreatCloud.
This discovery and prevention happens in 1 to 2 minutes. In case you're worried that Threat Emulation might block good documents, or interrupt business access to key files, we have good news:
• We use patent-pending technologies that have been proven to emulate over a quarter million files with zero false positives.
• We built heuristics into file inspection (such as positive elimination of files) that ensure only suspicious files are emulated, completing the process as fast as possible and optimizing performance.
Threat Emulation is provided as a cloud service. Organizations can set up any gateway running R77 in their environment to inspect incoming files over email or web (HTTP & HTTPS). If the file is suspicious, the gateway sends the file to the Threat Emulation Cloud Service for emulation. The cloud service allows the organization to use a global quota of files that can be inspected, and any security gateway can send files for emulation. We are also introducing an Exchange Agent that can inspect incoming emails on the mail server and send files for emulation in the cloud. The Exchange Agent allows organizations that don't have Check Point gateways (or are not upgrading to R77) to inspect files.
In addition to the cloud service, Check Point offers a local-emulation solution as an appliance. We will provide two dedicated appliances for threat emulation: a small solution and a larger one. Our appliances can be placed in several locations in the organization, such as inline, as a mail transfer agent, or as a tap. This appliance can receive files from several or even all gateways in the organization and emulate them.
And, for those of you who want to try it now: you can see Threat Emulation in action by sending a file to the email shown, or uploading it to the URL shown. You will receive a report like the one I showed you a few moments ago. This is open to the public now, and I encourage you to try it, and even let your customers try it, to get a feel for the information summary and detail that we report to you.
Threat Emulation is a new and important part of the Check Point multi-layer solution.
We think it is time to find a way to simplify the work and connect security best practices with the regulatory requirements that apply to organizations.
Today we present Check Point’s Compliance blade which changes the way organizations manage compliance!