Fortinet, keep the bar high!
TRANSCRIPT
Slide 1: FORTISANDBOX
© Copyright Fortinet Inc. All rights reserved.
Алексей Андрияшин
2 November 2015
+79859996477
Slide 2: APT (ATA) LIFECYCLE
Source: http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
Dwell time: from 1 day to 2+ years
Stages of the attack lifecycle (after the Mandiant APT1 report):
- Initial reconnaissance
- Initial compromise
- Establishing a foothold
- Privilege escalation
- Information gathering
- Maintaining presence
- Main activity
- Mission completion
Slide 3: FORTINET SOLUTIONS
Portfolio shown across three deployment zones: DATA CENTER, BRANCH OFFICE, CAMPUS.
- FortiGate: NGFW, DCFW, Internal NGFW, Next Gen IPS, Top-of-Rack, Cloud
- FortiGate VMX: SDN, Virtual Firewall
- FortiSandbox: Advanced Threat Protection
- FortiMail: Email Security
- FortiWeb: Web Application Firewall
- FortiADC: Application Delivery Control
- FortiDDoS: DDoS Protection
- FortiDB: Database Protection
- FortiClient: Endpoint Protection, VPN
- FortiToken: Two-Factor Authentication
- FortiAuthenticator: User Identity Management
- FortiManager: Centralized Management
- FortiAnalyzer: Logging, Analysis, Reporting
- FortiAP: Secure Access Point
- FortiWiFi: UTM
- FortiExtender: LTE Extension
- FortiCamera: IP Video Security
- FortiVoice: IP PBX Phone System
Solution areas: Secure Wireless, Switching, Advanced Threat Protection, Authentication & Tokens, Application Security, Application Delivery/SLB, Endpoint Security, IP PBX and Phones, IP Video Surveillance, More…
Slide 4: SYNERGY IN THREAT PREVENTION
- Defense in depth
- Fast reaction time
Layers: IPS, Antivirus, Anti-Spam, IP Reputation, Web Filtering, App Control
MAIN TASK: BREAK THE THREAT CHAIN AND DISRUPT THE LOGIC OF THE APT
Slide 5: A COMPREHENSIVE APPROACH TO THREAT DETECTION
Example: Phishing
Layers ranked by contribution: 1. Anti-spam, 2. Antivirus, 3. Web Filtering
Other layers involved (unranked): IPS, IP Reputation, App Control
Slide 6: A COMPREHENSIVE APPROACH TO THREAT DETECTION
Example: Backdoor/Bot
Layers ranked by contribution: 1. Antivirus, 2. IPS, 3. Web Filtering
Other layers involved (unranked): Anti-spam, IP Reputation, App Control
Slide 7: A COMPREHENSIVE APPROACH TO THREAT DETECTION
Example: ATP (advanced targeted attack)
Layers ranked by contribution: 1. Anti-spam, 2. Web Filtering, 3. IPS, 4. Antivirus, 5. IP Reputation, 6. App Control
Add an ATP Sandbox: remove the uncertainty about what a threat is
Slide 8: A POSSIBLE SCENARIO
Defense layers in place: Anti-spam, Web Filtering, Intrusion Prevention, Antivirus, App Control/IP Reputation
Slide 9: BREAKING THE THREAT CHAIN, STEP 1
Attack chain so far: Spam (fraudulent message)
Defense layers: Anti-spam, Web Filtering, Intrusion Prevention, Antivirus, App Control/IP Reputation
Slide 10: BREAKING THE THREAT CHAIN, STEP 2
Attack chain so far: Spam (fraudulent message) -> Phishing (attacker's site)
Defense layers: Anti-spam, Web Filtering, Intrusion Prevention, Antivirus, App Control/IP Reputation
Slide 11: BREAKING THE THREAT CHAIN, STEP 3
Attack chain so far: Spam (fraudulent message) -> Phishing (attacker's site) -> Exploit
Defense layers: Anti-spam, Web Filtering, Intrusion Prevention, Antivirus, App Control/IP Reputation
Slide 12: BREAKING THE THREAT CHAIN, STEP 4
Attack chain shown (unchanged from step 3): Spam (fraudulent message) -> Phishing (attacker's site) -> Exploit
Defense layers: Anti-spam, Web Filtering, Intrusion Prevention, Antivirus, App Control/IP Reputation
Slide 13: BREAKING THE THREAT CHAIN, STEP 5
Attack chain so far: Spam (fraudulent message) -> Phishing (attacker's site) -> Exploit -> Malware
Defense layers: Anti-spam, Web Filtering, Intrusion Prevention, Antivirus, App Control/IP Reputation
Slide 14: BREAKING THE THREAT CHAIN, STEP 6
Attack chain so far: Spam (fraudulent message) -> Phishing (attacker's site) -> Exploit -> Malware (C&C center) -> Bot activity and data theft
Defense layers: Anti-spam, Web Filtering, Intrusion Prevention, Antivirus, App Control/IP Reputation
Slide 15: BREAKING THE THREAT CHAIN, STEP 7: DEPLOY A SANDBOX
Full attack chain: Spam (fraudulent message) -> Phishing (attacker's site) -> Exploit -> Malware (C&C center) -> Bot activity and data theft
Defense layers: Anti-spam, Web Filtering, Intrusion Prevention, Antivirus, App Control/IP Reputation, plus Sandbox
Slide 16: MALWARE? GOODWARE? I-DON'T-KNOW-WARE?
Code continuum, from one end to the other:
Known Good | Probably Good | Might be Good | Completely Unknown | Somewhat Suspicious | Very Suspicious | Known Bad
Security technologies along the continuum:
- Toward the good end: whitelists; reputation (file, IP, app, email); app signatures; digitally signed files
- In the middle (unknown): sandboxing
- Toward the bad end: blacklists; signatures; heuristics; reputation (file, IP, app, email); generic signatures
Slide 17: MALWARE? GOODWARE? I-DON'T-KNOW-WARE?
Code continuum, from one end to the other:
Known Good | Probably Good | Might be Good | Completely Unknown | Somewhat Suspicious | Very Suspicious | Known Bad
Security technologies along the continuum:
- Toward the good end: whitelists; reputation (file, IP, app, email); app signatures; digitally signed files
- In the middle (unknown): sandboxing
- Toward the bad end: blacklists; signatures; heuristics; reputation (file, IP, app, email); generic signatures
Solutions:
- Signature, reputation and heuristic technologies: FortiGate (and/or FortiMail, FortiClient, FortiWeb, etc.)
- Sandboxing: FortiSandbox
Slide 18: FortiSandbox: DETECTING TARGETED ATTACKS
- Prefilters objects, identifying known threats
- Runs objects/URLs, analyzing and rating activity
- Uncovers the full threat lifecycle and presents indicators of compromise
- 3 modes of operation:
  - Sniffer: SPAN-port mode to capture all packets
  - On-demand: manual submission & analysis
  - Integrated: with FortiGate, FortiMail and FortiClient, which feed objects into FortiSandbox and act on the intelligence it returns
Analysis pipeline (network traffic in): AV Prefilter, Cloud File Query, Code Emulation, Full Sandbox, Callback Detection
Slide 19: FortiSandbox: 5 STEPS TO BETTER PERFORMANCE
1. AV Prefilter: apply a top-rated anti-malware engine
2. Cloud File Query: check community intelligence & file reputation
3. Code Emulation: quickly simulate intended activity; OS-independent and immune to evasion/obfuscation
4. Full Virtual Sandbox: examine real-time, full-lifecycle activity to get the threat to expose itself
5. Call Back Detection: identify the ultimate aim, call back & exfiltration
Mitigate with FortiGuard updates
Slide 20: TOP-RATED SANDBOX
- Top-rated breach detection (NSS Labs Recommended)
- Customizable environment
  - Preloaded with Microsoft Windows XP and 7, 32- and 64-bit, plus Office, IE and Adobe
  - Select a specific combination or let the system choose
- Genuine Microsoft licenses for Windows and Office
Independent third-party tested & validated!
Slide 21: FORTISANDBOX DETAILS
(Diagram: network traffic supplies objects for inspection; updated protection flows back out.)
1. Protocol support
- FortiGate integrated: HTTP, SMTP, POP3, IMAP, MAPI, FTP, SMB, IM and their SSL-encrypted equivalents
- Stand-alone: HTTP, FTP, POP3, IMAP, SMTP, SMB
- FortiMail integrated: SMTP, POP3, IMAP
2. File type support
- AV Prefilter: all
- Full Sandbox:
  - Archives: .tar, .gz, .tar.gz, .tgz, .zip, .bz2, .tar.bz2, .bz, .tar.Z, .cab, .rar, .arj
  - Executables: .exe, .dll, PDF, Windows Office, JavaScript, .pd
  - URLs
  - Media: .avi, .mpeg, .mp3, .mp4
3. Operating environment
- Code emulation: OS-independent
- Sandbox: Windows XP, 7, 8.1, Server 2008/2010, IE, Office
Slide 22: SANDBOX ONLY
Deployed in sniffer mode, FortiSandbox prefilters for known threats, sandboxes unknown objects and watches for callback activity. Network traffic between the Internet and the network is mirrored to it as inspected traffic; feedback flows to/from FortiGuard.
Slide 23: NGFW + SANDBOX
Full NGFW inspection is performed on FortiGate. At-risk objects are sent to FortiSandbox and the results are received (sandbox inspection and results). Deployed in integrated mode, FortiSandbox receives objects, performs analysis and returns results. Inspected traffic passes between the Internet and the network; feedback flows to/from FortiGuard.
Slide 24: CENTRAL SANDBOX FOR NGFW + SEG
Full NGFW inspection is performed on FortiGate. At-risk objects are sent to FortiSandbox and the results are received (sandbox inspection and results).
Reputation, behavior and other analysis is performed by FortiMail. At-risk messages are held for FortiSandbox analysis and the results are acted on. Clean emails are delivered to the mail servers. Outgoing email is also inspected.
Inspected traffic and inspected emails pass between the Internet and the network; feedback flows to/from FortiGuard.
Slide 25: CENTRAL SANDBOX FOR NGFW + SEG + EPP
Full NGFW inspection is performed on FortiGate. At-risk objects are sent to FortiSandbox and the results are received (sandbox inspection and results).
Reputation, behavior and other analysis is performed by FortiMail. At-risk messages are held for FortiSandbox analysis and the results are acted on. Clean emails are delivered to the mail servers. Outgoing email is also inspected.
Full EPP inspection is performed on the endpoint; new files are also sent to FortiSandbox and the results are acted on.
FortiSandbox prefilters, executes, analyzes and feeds back to FortiGate, FortiMail, FortiClient and FortiGuard. Inspected traffic and inspected emails pass between the Internet and the network; feedback flows to/from FortiGuard.
Slide 26: BREAKING THE THREAT CHAIN, STEP 8: KEEPING THE PROTECTION CURRENT
Defense layers: Anti-spam, Web Filtering, Intrusion Prevention, Antivirus, App Control/IP Reputation, Sandbox, DLP
Applied across: the data center, the enterprise and branch network, the cloud, mobile devices, the distributed network
Slide 27: STAYING AHEAD OF THE ATTACKERS
- Comprehensive security: 360
- Global protection: 24x7
- Confidence in high effectiveness: 100%
Slide 28: http://www.netwell.ru/events/?id_form=fortinet_security_day
Slide 29: CONTACTS
Алексей Андрияшин
+79859996477
Илья Яблонко, CISSP,
Information Security Solutions Development Manager
+7 912 607 55 66