1
June 9, 2015
FortiSandbox
Sandboxing Modern Threats
2
FortiGuard Services
• FORTIGUARD ANTIVIRUS SERVICE
• FORTIGUARD ANTISPAM SECURITY SERVICE
• FORTIGUARD WEB SECURITY SERVICE
• FORTIGUARD DATABASE SECURITY SERVICE
• FORTIGUARD IP REPUTATION SERVICE
• FORTIGUARD VULNERABILITY MANAGEMENT SERVICE
• FORTIGUARD WEB FILTERING SERVICE
• FORTIGUARD INTRUSION PREVENTION SERVICE
• FORTIGUARD APPLICATION CONTROL SERVICE
What is FortiGuard? Advanced Defense
3
Sandbox 101
Sandbox has many meanings…
• Container to hold sand to improve rail adhesion
• Shallow playground construction to hold sand
• Virtual container in which untrusted programs can be safely run
• Soviet Anti-Ship Missile (SS-N-12)
SS-N-12 Sandbox
The Sandbox
What do we mean?
4
Sandbox 101
VIRTUAL END-USER ENVIRONMENT
• Code is executed in a contained, virtual environment
• Goal is to replicate typical workstations
• Output is analyzed to determine characteristics
• Some characteristics are malicious:
  • Known virus downloads
  • Registry modifications
  • Outbound connections to malicious IPs
  • Infection of processes
(Diagram labels: unsafe action / escape attempt blocked [X]; controlled communication inspection)
What is Sandboxing?
Virtual analysis – nothing new
5
Sandbox 101
BEHAVIOR BASED DETECTION vs. SIGNATURE
• Signature-based detection can’t catch everything
• Run-time analysis can catch things that static (signature) inspection may not
• Inspection is run post-execution, so all aspects are examined
BUT WAIT, THERE’S MORE …
• Malware often downloads more malware
• Sandboxing catches this and inspects the whole lifecycle
Why Sandbox?
Modern threats (APT / ATAs) are tough to detect
6
Advanced Persistent Threats
DISGUISE
• Advanced threats focus on disguise to slip past security detection
SURVIVABILITY
• Persistent threats aim to survive on systems as long as possible
IMPACT
• Threat to hard drive data
• Stolen IP, customer data
• Blackmail & ransom
• Critical infrastructure
Detect Disguise, Kill the Chain
Reduce Survivability, Break Impact
Something Different?
Disguise, Survive, Impact
7
Advanced Persistent Threats
ADVANCED
• AV evasion
  • Crypters
• IPS/App evasion
  • Obfuscation
  • Custom protocol
  • Piggybacking
• Dynamic decryption
  • Code decrypted at runtime
PERSISTENT
• Rootkits
  • Hide threats at O/S layer
• Bootkits
  • Invoke at startup
• Process killers
THREATS
• Keyloggers
  • Steal data
• Ransomware
  • Encrypt data and hold for ransom
• HD wipers
So what do they do?
Disguise, Survive, Impact
8
Sandbox 101
VISIBILITY & REPORTS – FOR THE SOC
• New viral families may not have existing signatures
• Shows potentially unwanted activity on a system
• Output and characteristics gathered
• Useful for reports
• Correlate connected components
INCIDENT RESPONSE
• Infection is likely underway, how to deal with it?
Why Sandbox?
It completes the puzzle
9
Sandbox 101
Sandbox Evasion Techniques
• VM detection
• Time bombs
• Debug loops
• Event triggers
  • Mouse clicks
  • System reboots
Common Sandbox Problems
• Fixed operating systems
  • Only a few to pick from, and it’s slow
• Fixed software versions
  • Adobe Reader, Java
• Attacks very specific to certain versions
  • e.g. some require the newest version of Java
• Malware won’t execute in the sandbox
  • Will execute once passed through
The Sandbox Challenge
Bring Your Own Sandbox … Evasion Techniques that are used widely
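The two ideas above, behaviour characteristics that mark a sample as malicious (registry modifications, connections to malicious IPs, process infection, dropped files) and evasion behaviour that keeps a sample from detonating in the analysis window (VM detection, time bombs, waiting for user events), can be shown working together in a small triage routine. The following Python is an added illustration written for this page; it is not FortiSandbox code and not from the deck. The report format, the hash lists, the 203.0.113.7 address (a TEST-NET-3 placeholder), the VM-artifact substrings, the run-key list and the score thresholds are all constructed assumptions. It follows the deck's tiering: known hashes are decided without a VM run, sandbox behaviour is scored, dropped files are scanned recursively, and a quiet run that also shows stalling or environment probing is reported as evasive rather than clean.

```python
"""Triage of sandbox behaviour reports: known-hash filter, behaviour scoring,
evasion flagging and recursive scoring of dropped files.

Added example for this page; not FortiSandbox code. Report format, indicator
lists and thresholds below are constructed assumptions.
"""
from dataclasses import dataclass, field

# Constructed threat-intel lists (assumptions, not real indicators).
KNOWN_BAD_HASHES = {"aaaa" * 16}          # known sample: no sandbox run needed
KNOWN_GOOD_HASHES = {"bbbb" * 16}         # allow-listed sample
MALICIOUS_IPS = {"203.0.113.7"}           # TEST-NET-3 address used as a placeholder
RUN_KEYS = ("\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
            "\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce")
VM_ARTIFACT_HINTS = ("vbox", "vmware", "qemu", "virtio")   # substrings in queried names
LONG_SLEEP_SECONDS = 300                  # stalling past the analysis window
SCORE_MALICIOUS = 50                      # assumed verdict threshold


@dataclass
class Event:
    kind: str            # registry_set | net_connect | proc_inject | file_drop | sleep | query | wait_input
    target: str = ""
    value: float = 0.0   # seconds for "sleep"


@dataclass
class Report:
    sha256: str
    events: list
    dropped: list = field(default_factory=list)   # nested Reports for dropped files


@dataclass
class Verdict:
    verdict: str         # known-bad | known-good | malicious | suspicious-evasive | clean
    score: int
    reasons: list
    sandboxed: bool      # whether a VM run was needed to reach the verdict


def score_events(events):
    """Score the malicious characteristics listed on the 'What is Sandboxing?' slide."""
    score, reasons = 0, []
    for ev in events:
        if ev.kind == "net_connect" and ev.target in MALICIOUS_IPS:
            score += 40; reasons.append(f"outbound connection to known-bad IP {ev.target}")
        elif ev.kind == "registry_set" and any(k.lower() in ev.target.lower() for k in RUN_KEYS):
            score += 30; reasons.append(f"persistence via run key {ev.target}")
        elif ev.kind == "proc_inject":
            score += 40; reasons.append(f"code injected into process {ev.target}")
        elif ev.kind == "file_drop" and ev.target.lower().endswith((".exe", ".dll")):
            score += 10; reasons.append(f"dropped executable {ev.target}")
    return score, reasons


def evasion_indicators(events):
    """Defender-side hints that the sample probed or waited out the sandbox."""
    hints = []
    for ev in events:
        if ev.kind == "query" and any(h in ev.target.lower() for h in VM_ARTIFACT_HINTS):
            hints.append(f"queried VM artifact {ev.target}")
        elif ev.kind == "sleep" and ev.value >= LONG_SLEEP_SECONDS:
            hints.append(f"stalled for {ev.value:.0f}s")
        elif ev.kind == "wait_input":
            hints.append("waited for user interaction")
    return hints


def triage(report):
    # Tier 1: hash/signature lookup. Known samples never need a VM run.
    if report.sha256 in KNOWN_BAD_HASHES:
        return Verdict("known-bad", 100, ["hash matches known malware"], sandboxed=False)
    if report.sha256 in KNOWN_GOOD_HASHES:
        return Verdict("known-good", 0, ["hash on allow list"], sandboxed=False)
    # Tier 2: score the observed behaviour; dropped files are triaged recursively
    # and a malicious child condemns the parent (the downloader/dropper lifecycle).
    score, reasons = score_events(report.events)
    for child in report.dropped:
        cv = triage(child)
        if cv.verdict in ("known-bad", "malicious"):
            score += cv.score; reasons.append(f"dropped file {child.sha256[:8]}: {cv.verdict}")
    if score >= SCORE_MALICIOUS:
        return Verdict("malicious", score, reasons, sandboxed=True)
    # Tier 3: a low score plus evasion hints means "did not detonate", not "clean".
    hints = evasion_indicators(report.events)
    if hints:
        return Verdict("suspicious-evasive", score, reasons + hints, sandboxed=True)
    return Verdict("clean", score, reasons, sandboxed=True)


# Constructed sample reports.
DROPPER = Report(
    sha256="cccc" * 16,
    events=[Event("file_drop", "C:\\Users\\Public\\svc.exe"),
            Event("registry_set", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"),
            Event("net_connect", "203.0.113.7")],
    dropped=[Report(sha256="aaaa" * 16, events=[])],   # dropped payload is a known-bad hash
)
STALLER = Report(
    sha256="dddd" * 16,
    events=[Event("query", "VBoxGuest service"), Event("sleep", value=600)],
)

if __name__ == "__main__":
    for r in (DROPPER, STALLER):
        print(r.sha256[:8], triage(r))
```

The point of the third tier is the one the slide makes about fixed sandboxes: a sample that did nothing observable is not evidence of a benign file when the run also shows environment probing or a long sleep, so the verdict is "needs a longer or different run", which is what a fallback to a full sandbox provides.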
10
FortiSandbox
FortiGuard Labs - On Top of It
• Discover latest evasion techniques
• Intelligent Evasion Inspection
  • e.g. VM detection code
• Quickly address any new measures
  • via AV Engine
  • And FortiSandbox
• All in house!
The Only All-In-One Sandbox
• World Class Fortinet Antivirus
  • Scan & Sandbox (EXE, PDF, JS)
• Integrated Webfiltering
  • Scan connected domains
• Drill Down Reports: PCAP & Behavior
• Unified Sandbox
  • Local scan to detect sandbox evasion
  • Fall back to full sandbox
• Local file upload supported
Introducing FortiSandbox
Complements existing Fortinet technology
11
FortiSandbox
FSA 3000D
All In One Sandbox
12
FortiSandbox
FortiSandbox – Best of Breed
Patent pending CPRL, industry leading AV all in one!
(Chart values as extracted; test labels only)
• STREAM: 98.6% effective
• PROXY: 99.82% effective
• PROXY: 99.81% effective
• STREAM: 28.18% effective
• WILDLIST: 573 / 18,165
13
The Fortinet Advantage – Security & Performance
Multi-tiered file processing optimizes resource usage, improving security, capacity and performance
Tiers (diagram): Virtual OS Sandbox / Real Time Sandbox / AV Engine
• OS independent
• Not subject to VM evasion techniques
• Lightweight
• Industry-validated, with a superior RAP score (ability to detect variants, proactive detection)
• Updated in real time
14
(Diagram: Branch Offices (Distributed Enterprise) / Data Center / Headquarters (Enterprise Core))
The Fortinet Advantage - Deployment
Flexible Deployment Options
• Offers the most suitable implementation depending on requirements and infrastructure
• Protects the investment by allowing different deployment modes as requirements change
• Standalone Mode – ideal for scalable requirements
• Integrated Mode – ideal for a centralized gateway with inline protection
• Distributed Mode – ideal for protection in a distributed environment
15
The Fortinet Advantage - ROI
WEB / MAIL / FILE
Competitors’ Solution
• Multiple appliances are required, one for each application
• Poor ROI, high TCO
• Adds more management burden
Fortinet Solution
• Central file scanning from various applications and sources, including mobile devices
• Simplifies threat management, provides faster ROI
(Diagram sources: File, Mail, Web, Instant Messenger)
16
Deep AV Scan & RTS
• 96% RAP before Sandbox
• No need to sandbox if caught
FortiSandbox
Solving the Sandbox Problem
Look first for what we know, then inspect suspicious files
Cloud Check
• Real-time check on latest malware rating
Full Sandbox
• Catch anything not caught by signature detection
Forensics
• Behavior report
• Downloaded & dropped files recursively scanned
17
FortiCloud Sandbox
Where’s Your Data?
1) FortiOS AV Engine provides local sandbox
2) Still-suspicious samples sent for cloud sandbox analysis
3) Results are correlated across all FortiGuard Services
4) Updates pushed out by FortiGuard Network
18
FortiSandbox
Where’s Your Data?
1) Files processed through FortiGate
2) Sent to FortiSandbox for AV & sandbox
3) Files collected, scanned
4) Results sent to FortiGuard for updates
5) Updates pushed out by FortiGuard Network (to FortiGates, FortiSandbox)
19
FortiSandbox
FortiGuard Learning
Signatures created to update global devices
Global Intelligence Network
• Where is your Data?
  • FortiSandbox is local (cloud optional)
  • FortiGuard Cloud is external
• Global Sandbox Updates
  • AV, WCF and Botnet DBs updated
  • System Utilities (Behavior Engine)
  • Rating Engine
  • Traffic Sniffer
20
KNOW
• Filter known malware (no sandboxing required)
• Detect sandbox-evading malware (real-time sandbox)
• Full sandbox
• Incident response
• Update devices
• Refactor (incident response)
• Raise awareness
SUSPECT
LEARN
SHARE
FortiGuard: The Sandbox Fit
21
Incident Response Service
How Does it Work?
1) LOGIN & SUBMIT
• http://premier.fortiguard.com
• Communicate message
• Attach binary / PCAP sample
2) UPDATE & MITIGATE
• View and correspond
• Get signature updates
  • Manual, FDN
FortiGuard – Premier Services
3) ANALYZE & RESPOND
• Threat remediation
• Understand nature of threat
• Take action
Timeline:
• 0 Hours: Suspicious activity; incident reported; zero-day attack
• 4 Hours: Malware spread mitigated; AV signatures, brief analysis
• 8 Hours: Feedback & follow up
• 12 Hours: IPS signatures; exploit spread mitigated; feedback & follow up
• 48 Hours: Full analysis
22
Practical Sandbox Applications
Case Studies: Sandbox Visibility
Low Volume, Targeted Threat Cases
• Generally harder to get samples
Cases shown: Operation Aurora (December 2009), RSA SecurID (March 2011), South Korea Wiper (March 2013), Flame (May 2012)
(Chart labels: Targeted Industrial Plants; Low Volume; Victim; Crime Services; QA (AV Scanning Undetected); Zero Day IPS Vulnerability; FortiSandbox Detects vs. Crime Services and QA)
23
Examples
24
FortiSandbox – FortiGate Integration
25
FortiSandbox – FortiGate Integration
Mail Server Setup – Fully Automated Reports
26
FortiSandbox – Dashboard View
27
FortiSandbox – What’s On Your Network?
28
FortiSandbox – FortiGuard Updates
Antivirus, System Utilities and Rating Updates
29
FortiSandbox – On Demand Manual Scan
System & Malware Logging Support
30
FortiSandbox – Virtual Environments
Virtual Environment Pool & Status
31
FortiSandbox – Logging
System & Malware Logging Support
32
FortiSandbox – Drill Down Report
33
FortiSandbox – Drill Down Report
34
FortiSandbox – Drill Down Report, PDFs

Contenu connexe

Tendances

Fortinet FortiOS 5 Presentation
Fortinet FortiOS 5 PresentationFortinet FortiOS 5 Presentation
Fortinet FortiOS 5 PresentationNCS Computech Ltd.
 
BIG IP F5 GTM Presentation
BIG IP F5 GTM PresentationBIG IP F5 GTM Presentation
BIG IP F5 GTM PresentationPCCW GLOBAL
 
Network Security - Fortinet, Dublin June 2017
Network Security - Fortinet, Dublin June 2017Network Security - Fortinet, Dublin June 2017
Network Security - Fortinet, Dublin June 2017Novosco
 
Radware - WAF (Web Application Firewall)
Radware - WAF (Web Application Firewall)Radware - WAF (Web Application Firewall)
Radware - WAF (Web Application Firewall)Deivid Toledo
 
From SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmFrom SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmPriyanka Aash
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتReZa AdineH
 
Big ip f5 ltm load balancing methods
Big ip f5 ltm load balancing methodsBig ip f5 ltm load balancing methods
Big ip f5 ltm load balancing methodsUtpal Sinha
 
Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Sqrrl
 
SOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations CenterSOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations CenterMichael Nickle
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)k33a
 
Palo alto networks next generation firewalls
Palo alto networks next generation firewallsPalo alto networks next generation firewalls
Palo alto networks next generation firewallsCastleforce
 
Succeeding with Secure Access Service Edge (SASE)
Succeeding with Secure Access Service Edge (SASE)Succeeding with Secure Access Service Edge (SASE)
Succeeding with Secure Access Service Edge (SASE)Cloudflare
 
Siem ppt
Siem pptSiem ppt
Siem pptkmehul
 
Network Security and Visibility through NetFlow
Network Security and Visibility through NetFlowNetwork Security and Visibility through NetFlow
Network Security and Visibility through NetFlowLancope, Inc.
 
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...IBM Security
 

Tendances (20)

Fortinet k
Fortinet kFortinet k
Fortinet k
 
Fortinet FortiOS 5 Presentation
Fortinet FortiOS 5 PresentationFortinet FortiOS 5 Presentation
Fortinet FortiOS 5 Presentation
 
BIG IP F5 GTM Presentation
BIG IP F5 GTM PresentationBIG IP F5 GTM Presentation
BIG IP F5 GTM Presentation
 
Network Security - Fortinet, Dublin June 2017
Network Security - Fortinet, Dublin June 2017Network Security - Fortinet, Dublin June 2017
Network Security - Fortinet, Dublin June 2017
 
Radware - WAF (Web Application Firewall)
Radware - WAF (Web Application Firewall)Radware - WAF (Web Application Firewall)
Radware - WAF (Web Application Firewall)
 
From SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmFrom SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity Chasm
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیت
 
Big ip f5 ltm load balancing methods
Big ip f5 ltm load balancing methodsBig ip f5 ltm load balancing methods
Big ip f5 ltm load balancing methods
 
Fortinet
FortinetFortinet
Fortinet
 
Secure sd wan
Secure sd wanSecure sd wan
Secure sd wan
 
IBM Qradar
IBM QradarIBM Qradar
IBM Qradar
 
Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)
 
SOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations CenterSOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations Center
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
 
Palo alto networks next generation firewalls
Palo alto networks next generation firewallsPalo alto networks next generation firewalls
Palo alto networks next generation firewalls
 
Succeeding with Secure Access Service Edge (SASE)
Succeeding with Secure Access Service Edge (SASE)Succeeding with Secure Access Service Edge (SASE)
Succeeding with Secure Access Service Edge (SASE)
 
IBM Security QRadar
 IBM Security QRadar IBM Security QRadar
IBM Security QRadar
 
Siem ppt
Siem pptSiem ppt
Siem ppt
 
Network Security and Visibility through NetFlow
Network Security and Visibility through NetFlowNetwork Security and Visibility through NetFlow
Network Security and Visibility through NetFlow
 
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
 

Similaire à Fortinet sandboxing

Securing your Cloud Environment
Securing your Cloud EnvironmentSecuring your Cloud Environment
Securing your Cloud EnvironmentShapeBlue
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliveryBlack Duck by Synopsys
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliveryTim Mackey
 
Azure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure CloudAzure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure CloudPaulo Renato
 
Kernel Mode Threats and Practical Defenses
Kernel Mode Threats and Practical DefensesKernel Mode Threats and Practical Defenses
Kernel Mode Threats and Practical DefensesPriyanka Aash
 
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar Santhosh Kumar
 
Novosco Zero day protection webinar
Novosco Zero day protection webinarNovosco Zero day protection webinar
Novosco Zero day protection webinarNovosco
 
Automated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security IntelligenceAutomated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security IntelligenceJason Choi
 
Requirement for creating a Penetration Testing Lab
Requirement for creating a Penetration Testing LabRequirement for creating a Penetration Testing Lab
Requirement for creating a Penetration Testing LabSyed Ubaid Ali Jafri
 
Tune in for the Ultimate WAF Torture Test: Bots Attack!
Tune in for the Ultimate WAF Torture Test: Bots Attack!Tune in for the Ultimate WAF Torture Test: Bots Attack!
Tune in for the Ultimate WAF Torture Test: Bots Attack!Distil Networks
 
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)FFRI, Inc.
 
Windows IoT: Accelerate the Intelligent Edge with the Windows AI Platform
Windows IoT: Accelerate the Intelligent Edge with the Windows AI PlatformWindows IoT: Accelerate the Intelligent Edge with the Windows AI Platform
Windows IoT: Accelerate the Intelligent Edge with the Windows AI PlatformMicrosoft Tech Community
 
DEF CON 27 - XIAOHUIHUI - all the 4g modules could be hacked
DEF CON 27 - XIAOHUIHUI - all the 4g modules could be hackedDEF CON 27 - XIAOHUIHUI - all the 4g modules could be hacked
DEF CON 27 - XIAOHUIHUI - all the 4g modules could be hackedFelipe Prado
 
B sep ds-21194634.en-us
B sep ds-21194634.en-usB sep ds-21194634.en-us
B sep ds-21194634.en-usPelos TCHIKAYA
 
Revolutionizing IoT Testing - A Sneak Peek of HiveMQ Swarm
Revolutionizing IoT Testing - A Sneak Peek of HiveMQ SwarmRevolutionizing IoT Testing - A Sneak Peek of HiveMQ Swarm
Revolutionizing IoT Testing - A Sneak Peek of HiveMQ SwarmHiveMQ
 
CIRA Labs - Secure Home Gateway Project 2019-03.pptx
CIRA Labs - Secure Home Gateway Project 2019-03.pptxCIRA Labs - Secure Home Gateway Project 2019-03.pptx
CIRA Labs - Secure Home Gateway Project 2019-03.pptxssuserfb92ae
 
How to Design Distributed Robotic Control Systems
How to Design Distributed Robotic Control SystemsHow to Design Distributed Robotic Control Systems
How to Design Distributed Robotic Control SystemsReal-Time Innovations (RTI)
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2ShapeBlue
 

Similaire à Fortinet sandboxing (20)

Securing your Cloud Environment
Securing your Cloud EnvironmentSecuring your Cloud Environment
Securing your Cloud Environment
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous Delivery
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous Delivery
 
Azure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure CloudAzure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure Cloud
 
Kernel Mode Threats and Practical Defenses
Kernel Mode Threats and Practical DefensesKernel Mode Threats and Practical Defenses
Kernel Mode Threats and Practical Defenses
 
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
 
Checkpoint Overview
Checkpoint OverviewCheckpoint Overview
Checkpoint Overview
 
Novosco Zero day protection webinar
Novosco Zero day protection webinarNovosco Zero day protection webinar
Novosco Zero day protection webinar
 
Automated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security IntelligenceAutomated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security Intelligence
 
Requirement for creating a Penetration Testing Lab
Requirement for creating a Penetration Testing LabRequirement for creating a Penetration Testing Lab
Requirement for creating a Penetration Testing Lab
 
Tune in for the Ultimate WAF Torture Test: Bots Attack!
Tune in for the Ultimate WAF Torture Test: Bots Attack!Tune in for the Ultimate WAF Torture Test: Bots Attack!
Tune in for the Ultimate WAF Torture Test: Bots Attack!
 
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
 
Windows IoT: Accelerate the Intelligent Edge with the Windows AI Platform
Windows IoT: Accelerate the Intelligent Edge with the Windows AI PlatformWindows IoT: Accelerate the Intelligent Edge with the Windows AI Platform
Windows IoT: Accelerate the Intelligent Edge with the Windows AI Platform
 
Malware for Red Team
Malware for Red TeamMalware for Red Team
Malware for Red Team
 
DEF CON 27 - XIAOHUIHUI - all the 4g modules could be hacked
DEF CON 27 - XIAOHUIHUI - all the 4g modules could be hackedDEF CON 27 - XIAOHUIHUI - all the 4g modules could be hacked
DEF CON 27 - XIAOHUIHUI - all the 4g modules could be hacked
 
B sep ds-21194634.en-us
B sep ds-21194634.en-usB sep ds-21194634.en-us
B sep ds-21194634.en-us
 
Revolutionizing IoT Testing - A Sneak Peek of HiveMQ Swarm
Revolutionizing IoT Testing - A Sneak Peek of HiveMQ SwarmRevolutionizing IoT Testing - A Sneak Peek of HiveMQ Swarm
Revolutionizing IoT Testing - A Sneak Peek of HiveMQ Swarm
 
CIRA Labs - Secure Home Gateway Project 2019-03.pptx
CIRA Labs - Secure Home Gateway Project 2019-03.pptxCIRA Labs - Secure Home Gateway Project 2019-03.pptx
CIRA Labs - Secure Home Gateway Project 2019-03.pptx
 
How to Design Distributed Robotic Control Systems
How to Design Distributed Robotic Control SystemsHow to Design Distributed Robotic Control Systems
How to Design Distributed Robotic Control Systems
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2
 

Dernier

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 

Dernier (20)

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker

Fortinet sandboxing

7
Advanced Persistent Threats
So what do they do? Disguise, Survive, Impact
ADVANCED
• AV evasion
• Crypters
• IPS/App evasion
• Obfuscation
• Custom protocol
• Piggybacking
• Dynamic Decryption
• Code decrypted at runtime
PERSISTENT
• Rootkits
• Hide threats at O/S layer
• Bootkits
• Invoke at startup
• Process killers
THREATS
• Keyloggers
• Steal data
• Ransomware
• Encrypt data and hold for ransom
• HD Wipers

8
Sandbox 101
Why Sandbox? It completes the puzzle
VISIBILITY & REPORTS – FOR THE SOC
• New viral families may not have existing signatures
• Shows potentially unwanted activity on a system
• Output and characteristics gathered
• Useful for reports
• Correlate connected components
INCIDENT RESPONSE
• Infection is likely underway, how to deal with it?

9
Sandbox 101
The Sandbox Challenge
Bring Your Own Sandbox … Evasion techniques that are used widely
Sandbox Evasion Techniques
• VM detection
• Time bombs
• Debug loops
• Event triggers
• Mouse clicks
• System reboots
Common Sandbox Problems
• Fixed operating systems
• Only a few to pick from, and it’s slow
• Fixed software versions
• Adobe Reader, Java
• Attacks very specific to certain versions
• i.e. some require the newest version of Java
• Malware won’t execute in Sandbox
• Will execute once passed through

10
FortiSandbox
Introducing FortiSandbox
Complements existing Fortinet technology
FortiGuard Labs - On Top of It
• Discover latest evasion techniques
• Intelligent Evasion Inspection
• i.e. VM detection code
• Quickly address any new measures
• via AV Engine
• And FortiSandbox
• All in house!
The Only All-In-One Sandbox
• World Class Fortinet Antivirus
• Scan & Sandbox (EXE, PDF, JS)
• Integrated Webfiltering
• Scan connected domains
• Drill Down Reports: PCAP & Behavior
• Unified Sandbox
• Local scan to detect sandbox evasion
• Fall back to full sandbox
• Local file upload supported

12
FortiSandbox
FortiSandbox – Best of Breed
Patent pending CPRL, industry leading AV all in one!
Chart (values as printed on the slide): STREAM 98.6% Effective, PROXY 99.82% Effective, PROXY 99.81% Effective, STREAM 28.18% Effective; WILDLIST 573 and 18,165

13
The Fortinet Advantage – Security & Performance
Multi-tiered file processing optimizes resource usage, which improves security, capacity and performance
Virtual OS Sandbox
Real Time Sandbox
AV Engine
• OS independent
• Not subjected to VM evasion techniques
• Lightweight
• Industry validated with superior RAP score (ability to detect variants, proactive detection)
• Real time updated

14
The Fortinet Advantage - Deployment
Flexible Deployment Options
• Offers the most suitable implementation depending on requirements and infrastructure
• Allows protection of investment by allowing different deployment modes as requirements change
Branch Offices (Distributed Enterprise)
Data Center
Headquarters (Enterprise Core)
Standalone Mode – Ideal for scalable requirements
Integrated Mode – Ideal for centralized gateway with inline protection
Distributed Mode – Ideal for protection in distributed environments

15
The Fortinet Advantage - ROI
Competitors Solution
WEB
MAIL
FILE
• Multiple appliances are required, one for each application
• Poor ROI, high TCO
• Adds more management burden
Fortinet Solution
FILE
MAIL
WEB
Instant Messenger
• Central file scanning from various applications and sources, including mobile devices
• Simplifies threat management, provides faster ROI

16
FortiSandbox
Solving the Sandbox Problem
Look first for what we know, then inspect suspicious
Deep AV Scan & RTS
• 96% RAP before Sandbox
• No need to Sandbox if caught
Cloud Check
Real time check on latest malware rating
Full Sandbox
Catch anything not caught by signature detection
Forensics
Behavior Report
Downloaded & Dropped Files Recursively Scanned
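The tiered triage described on slides 9 and 16 (match known signatures first so nothing is sandboxed needlessly, flag evasion-like behaviour so the file is escalated to a full sandbox run, and scan downloaded and dropped files recursively), as an added Python example that is not part of the deck or of Fortinet's products. The KNOWN_BAD set, MALICIOUS_IPS, the autorun-key rule, the Report shape and the sample data are all constructed assumptions.

```python
from dataclasses import dataclass, field
# Constructed sample data for this example; none of these are real indicators.
KNOWN_BAD = {"sha256:placeholder-known-bad"}        # signature tier (assumed set)
MALICIOUS_IPS = {"198.51.100.7"}                     # TEST-NET-2 documentation address
AUTORUN_MARKER = "\\CurrentVersion\\Run"             # registry persistence location (assumed rule)
SEVERITY = {"clean": 0, "suspicious": 1, "malicious": 2}

@dataclass
class Report:
    """Minimal stand-in for one sandbox behaviour report (constructed shape)."""
    sha256: str
    registry_writes: list = field(default_factory=list)
    connections: list = field(default_factory=list)
    injected_processes: list = field(default_factory=list)
    sleep_seconds: int = 0
    vm_checks: int = 0
    dropped: list = field(default_factory=list)  # nested Report objects

def triage(report):
    """Return (verdict, reasons); the worst verdict of the file or anything it drops wins."""
    if report.sha256 in KNOWN_BAD:  # known already: no sandbox run needed
        return "malicious", ["known signature match"]
    reasons = []  # behaviour indicators from the sandbox run
    if any(AUTORUN_MARKER in key for key in report.registry_writes):
        reasons.append("persistence: autorun registry write")
    if any(ip in MALICIOUS_IPS for ip in report.connections):
        reasons.append("network: outbound connection to known-malicious IP")
    if report.injected_processes:
        reasons.append("injection into " + ", ".join(report.injected_processes))
    verdict = "malicious" if reasons else "clean"
    # Evasion indicators: a long sleep (time bomb) or VM probing means the short
    # run may have seen nothing real, so escalate the file to a full sandbox.
    if report.sleep_seconds >= 300 or report.vm_checks:
        reasons.append("evasion: long sleep or VM-detection probes; escalate to full sandbox")
        verdict = verdict if verdict == "malicious" else "suspicious"
    for child in report.dropped:  # downloaded and dropped files scanned recursively
        child_verdict, child_reasons = triage(child)
        reasons.extend("dropped file: " + r for r in child_reasons)
        if SEVERITY[child_verdict] > SEVERITY[verdict]:
            verdict = child_verdict
    return verdict, reasons

def demo():
    """Constructed case: a dropper that only sleeps and probes for a VM, then
    drops a second stage that persists and phones home."""
    stage2 = Report("sha256:placeholder-stage2",
                    registry_writes=["HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"],
                    connections=["198.51.100.7"])
    dropper = Report("sha256:placeholder-dropper", sleep_seconds=600, vm_checks=2, dropped=[stage2])
    return triage(dropper)
```

Calling demo() returns a malicious verdict for the dropper even though the dropper itself only slept and probed, because the second stage it dropped carries the persistence and network indicators.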
17
FortiCloud Sandbox
Where’s Your Data?
1 FortiOS AV Engine provides local Sandbox
2 Still-suspicious samples sent for Cloud Sandbox analysis
3 Results are correlated across all FortiGuard Services
4 Updates pushed out by FortiGuard Network

18
FortiSandbox
Where’s Your Data?
1 Files processed through FortiGate
2 Sent to FortiSandbox for AV & Sandbox
3 Files collected, scanned
4 Results sent to FortiGuard for updates
5 Updates pushed out by FortiGuard Network (to FortiGates, FortiSandbox)

19
FortiSandbox
FortiGuard Learning
Signatures created to update global devices
Global Intelligence Network
• Where is your Data?
• FortiSandbox is local (cloud optional)
• FortiGuard Cloud is external
• Global Sandbox Updates
• AV, WCF and Botnet DBs updated
• System Utilities (Behavior Engine)
• Rating Engine
• Traffic Sniffer

20
FortiGuard: The Sandbox Fit
KNOW, SUSPECT, LEARN, SHARE
• Filter known Malware (No Sandboxing Required)
• Detect Sandbox Evading Malware (Real Time Sandbox)
• Full Sandbox
• Incident Response
• Update Devices
• Refactor (Incident Response)
• Raise Awareness

21
Incident Response Service
FortiGuard – Premier Services
How Does it Work?
1) LOGIN & SUBMIT
• http://premier.fortiguard.com
• Communicate message
• Attach binary / PCAP sample
2) UPDATE & MITIGATE
• View and correspond
• Get signature updates
• Manual, FDN
3) ANALYZE & RESPOND
• Threat remediation
• Understand nature of threat
• Take action
Timeline
0 Hours – Suspicious Activity, Incident Reported, Zero Day Attack
4 Hours – Malware Spread Mitigated, AV Signatures, Brief Analysis
8 Hours – Feedback & Follow up
12 Hours – IPS Signatures, Exploit Spread Mitigated, Feedback & Follow up
48 Hours – Full Analysis

22
Practical Sandbox Applications
Case Studies: Sandbox Visibility
Low Volume, Targeted Threat Cases
• Generally harder to get samples
Targeted Industrial Plants
Low Volume
Operation Aurora – December 2009
Victim RSA SecurID – March 2011
South Korea Wiper – March 2013
Flame – May 2012
Crime Services QA (AV Scanning Undetected)
Zero Day IPS Vulnerability
FortiSandbox Detects vs. Crime Services and QA

25
FortiSandbox – FortiGate Integration
Mail Server Setup – Fully Automated Reports

27
FortiSandbox – What’s On Your Network?

28
FortiSandbox – FortiGuard Updates
Antivirus, System Utilities and Rating Updates

29
FortiSandbox – On Demand Manual Scan
System & Malware Logging Support

30
FortiSandbox – Virtual Environments
Virtual Environment Pool & Status

31
FortiSandbox – Logging
System & Malware Logging Support

34
FortiSandbox – Drill Down Report, PDFs