Forcepoint Advanced Malware Detection Appliance 3.4 ONE OF THE WORLD’S MOST ROBUST, ON-PREMISES AND AUTOMATED MALWARE ANALYSIS SOLUTIONS


www.forcepoint.com

For years, Security and Risk (SR) professionals made major investments in signature-based defenses of email, network and endpoint security solutions. The methodology of these solutions has proven itself ineffective against today’s evasive malware being developed by highly sophisticated and well-funded adversaries. As a response, SR professionals are turning to Automated Malware Analysis (AMA) technologies in order to arm themselves against zero day and Advanced Persistent Threats (APTs) attacking their organizations. AMA tools automate the unique skill set of malware analysis traditionally done only by highly qualified manual practitioners. Due to the shortage of this expertise, manual processes have been replaced with automation that performs a combination of static and behavioral analysis to detect and prevent the entry of known malware and brand-new exploits.

Forcepoint Advanced Malware Detection Appliance 3.4

Forcepoint Advanced Malware Detection Appliance is an on-premises, automated malware analysis framework developed for organizations needing to add detection and prevention against stealthy and advanced threats to their existing Forcepoint Web and Email Security solutions. Forcepoint Advanced Malware Detection Appliance framework’s unmatched efficacy processes files through seven distinct static analytic agents and a dual-sandboxing process. Its ecosystem analyses malware behavior with a combination of best-of-breed open source and Forcepoint proprietary static and dynamic technologies. Unique to the market is the defense-grade anti-evasion technology within Forcepoint’s proprietary ThINK sandbox, stopping malware typically capable of circumventing commercially available sandboxes.


Forcepoint Advanced Malware Detection Appliance Efficacy

The Forcepoint Advanced Malware Detection Appliance automated malware analysis technology was initially developed by Forcepoint’s parent company, Raytheon, an international government contractor. Raytheon is responsible for protecting highly classified materials experiencing constant cyber attacks by the stealthiest APT actors in the world. The sophistication in the attack vectors targeting Raytheon is so advanced that Raytheon could not purchase a commercially available solution to fight such sophisticated adversaries, and Forcepoint Advanced Malware Detection Appliance was born. Today, Forcepoint Advanced Malware Detection Appliance is used to defend the integrity of highly valuable national security secrets and financial institutions’ critical data.

Forcepoint Advanced Malware Detection Appliance has an extensive ecosystem leveraging today’s best available open source and proprietary technology. It is capable of analyzing any and ALL file types (PDF files, Windows executables, Office documents, HTML files, Windows shortcut (.lnk) files, zip files, jar files and more) with exclusive sandboxing representing multiple combinations of operating systems and applications; it’s able to customize multiple baselines in order to mimic your organization’s infrastructure more accurately than any other on the market. Forcepoint Advanced Malware Detection Appliance’s ecosystem processes files through the following analysis:


FIG 1: Extensive ecosystem that leverages the best-of-breed open source and proprietary technology available today.

[Figure: Forcepoint Advanced Malware Detection Appliance detection framework (labelled in the figure as Threat Protection Appliance Detection Framework; completed static detections and two sandboxes included). Static detection agents (ClamAV signatures; Cylance machine learning; file context for PDF, EXE and Office; ssdeep fuzzy hashes (CTPH); Yara heuristics) + Cuckoo behavioral agents (behavioral sandboxing solution) + K12 behavioral agents (behavioral sandboxing solution; machine-level observations; time warp for faster observation; almost impossible to detect by evasion technique) = risk score (high confidence result).]


CYLANCE With our highly respected partner, Cylance, files are put through a four-phase machine learning process (collection, extraction, learning & classification) in milliseconds with extreme accuracy. Cylance uses feeds to collect millions of files from a plethora of industry sources, extracting over 20,000 attributes from these files. These attributes are learned by Cylance through normalization and conversion to numerical values that can then be used in statistical models. Machine learning is applied during the learning phase, which delivers a set of models that can predict whether a file is valid or malicious. Any unknown files are then classified.

SSDEEP Because today’s problem is much bigger than trying to identify malicious files that are identical, Forcepoint Advanced Malware Detection Appliance leverages ssdeep’s Fuzzy Hashing. Fuzzy Hashing uses Context Triggered Piecewise Hashes (CTPH), a combination of traditional hashes whose boundaries are determined by the context of input. These signatures are used to identify modified versions of known files even if data has been inserted, modified or deleted.
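The context-triggered piecewise hashing described in the ssdeep paragraph, as an added example that is not code from Forcepoint or the ssdeep project: a rolling hash over the last 7 bytes picks the chunk boundaries, each chunk collapses to one signature character, and two signatures are compared by edit distance, which is why an insertion, modification or deletion only disturbs the chunks around it. The block simplifies the real algorithm (ssdeep's FNV chunk hash, length-derived block sizes and weighted distance are replaced by SHA-256, a fixed block size and plain Levenshtein distance); the sample files, the seed and every function name are constructed for this example.

```python
"""Simplified context-triggered piecewise hashing (CTPH), the idea behind ssdeep.

Added example, not code from Forcepoint or the ssdeep project. Real ssdeep
uses a 7-byte rolling hash, an FNV chunk hash, two block sizes chosen from the
file length and a weighted edit distance; this toy keeps only the structure
(a rolling hash chooses chunk boundaries, each chunk collapses to one
character, signatures are compared by edit distance) so the matching
behaviour on modified files can be observed.
"""
import hashlib
import random

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
WINDOW = 7        # bytes in the rolling window (same width as ssdeep)
BLOCK_SIZE = 64   # boundary when rolling hash % BLOCK_SIZE == BLOCK_SIZE - 1
MIN_COMMON = 7    # signatures must share a 7-char substring to score at all


def _chunk_char(chunk: bytes) -> str:
    # Collapse a chunk to one alphabet character (ssdeep uses FNV; SHA-256 here).
    return ALPHABET[hashlib.sha256(chunk).digest()[0] % len(ALPHABET)]


def ctph(data: bytes, block_size: int = BLOCK_SIZE) -> str:
    """Fuzzy signature: one character per context-triggered chunk.

    Because boundaries depend only on the last WINDOW bytes, an insertion or
    deletion perturbs at most the chunks around it; the rest re-synchronise.
    """
    sig, window, h, start = [], [], 0, 0
    for i, b in enumerate(data):
        window.append(b)
        h += b
        if len(window) > WINDOW:
            h -= window.pop(0)
        if h % block_size == block_size - 1:
            sig.append(_chunk_char(data[start:i + 1]))
            start = i + 1
    if start < len(data):                       # trailing partial chunk
        sig.append(_chunk_char(data[start:]))
    return f"{block_size}:{''.join(sig)}"


def _levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _has_common_substring(a: str, b: str, n: int = MIN_COMMON) -> bool:
    grams = {a[i:i + n] for i in range(len(a) - n + 1)}
    return any(b[i:i + n] in grams for i in range(len(b) - n + 1))


def compare(sig_a: str, sig_b: str) -> int:
    """0..100 similarity score, 100 meaning identical signatures."""
    bs_a, body_a = sig_a.split(":", 1)
    bs_b, body_b = sig_b.split(":", 1)
    # Different block sizes or no shared 7-gram: treat as unrelated (as ssdeep does).
    if bs_a != bs_b or not _has_common_substring(body_a, body_b):
        return 0
    dist = _levenshtein(body_a, body_b)
    return max(0, 100 - (100 * dist) // (len(body_a) + len(body_b)))


def demo() -> dict:
    """Constructed sample files: an original, a patched copy, an unrelated file."""
    rng = random.Random(7)
    original = bytes(rng.getrandbits(8) for _ in range(4096))
    patched = original[:2000] + b"X" * 50 + original[2000:]   # 50 bytes inserted
    unrelated = bytes(rng.getrandbits(8) for _ in range(4096))
    sig = ctph(original)
    return {
        "sha256_differs": hashlib.sha256(original).digest() != hashlib.sha256(patched).digest(),
        "self_score": compare(sig, sig),
        "patched_score": compare(sig, ctph(patched)),       # stays high
        "unrelated_score": compare(sig, ctph(unrelated)),   # 0
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows the property the brochure relies on: the cryptographic hash of the patched file changes completely, while its fuzzy score against the original stays high and an unrelated file scores 0. In a detection pipeline the score threshold is a tuning decision; a very short file yields a signature with too few characters to share a 7-gram and will score 0 against everything, which is the trade-off the minimum-common-substring rule makes to avoid false matches between tiny signatures.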

YARA The highly acclaimed Yara heuristics technology does a powerful job of applying “rules” to malware knowledge captured from the world’s malicious activities. Yara provides a strong foundation for sharing that knowledge as “if – then” conditions over code strings: a file is identified when it meets a rule’s specific condition. Rules are then applied to files.

SEVEN STATIC ANALYSIS ENGINES GIVE ONE HIGHLY CONFIDENT RISK SCORE

Different file types require distinct types of malware analysis to ensure efficacy in threat detection and prevention. Our multifaceted approach for detecting a broad spectrum of threats combines seven distinct static detection methodologies that are a combination of open source and proprietary technologies. This allows Forcepoint Advanced Malware Detection Appliance to maximize the industry’s most advanced and up-to-date static analysis techniques to identify malware prior to using resources in the sandbox. Forcepoint Advanced Malware Detection Appliance’s seven static analysis agents provide distinct risk scores that Forcepoint Advanced Malware Detection Appliance’s risk scoring algorithm combines to provide the security team with one highly confident risk score. Files are processed across the following seven methodologies:


FORCEPOINT PDF FILE CONTEXT (PDFS)

As PDF files continue to grow in popularity, Forcepoint had to build its own proprietary technology that is faster and more efficient than what is available in the market today. Forcepoint’s PDFS decodes, decompresses and de-obfuscates PDF files to determine validity or corruption.

CLAMAV Signature scanning and anti-virus heuristics by ClamAV are used to detect malicious code.

CHECKEXE Addresses the problem of malicious binaries masking themselves as something else. It examines the icon associated with a binary to ensure the icon is the correct one; if not, the file is flagged.

OFFICECHECKER Forcepoint’s proprietary agent OfficeChecker is a file context agent that is an expert at examining MS Office documents. It decodes, decompresses and de-obfuscates Office files to determine if they contain malicious code.


CUCKOO OPEN SOURCE SANDBOX

The sandboxing process begins with Forcepoint Advanced Malware Detection Appliance sending the file to Cuckoo’s malware analysis system. Cuckoo can analyze the behavior of a wide array of malicious files (executables, document exploits, Java applets), as well as malicious websites, in Windows, OS X, Linux, and Android virtualized environments. Cuckoo is able to trace API calls and general behavior of the file, dump and analyze encrypted network traffic and perform advanced memory analysis of the infected virtualized system with integrated support for Volatility**. After Cuckoo’s analysis, the file is sent to ThINK, Raytheon’s proprietary sandbox.

ThINK PROPRIETARY SANDBOX

ThINK behavioral analysis is one of the most comprehensive sandboxes that exists in the world today. ThINK is a custom hypervisor that provides a fully integrated system-level debugger and an integrated malware sandbox. The sandbox executes files within a virtualized environment to contain and isolate malicious files before they can infect production systems. ThINK does not require any custom software on the guest OS. This helps avoid altering guest performance and prevents malware from detecting virtualization.

ThINK monitors all incoming and outgoing guest machine network traffic, flags hardware and software exceptions that are likely to indicate an attempted exploit, and uses hardware breakpoints to monitor file, registry, process and thread creation and destruction from outside of the guest. ThINK also implements heap-spray analytics to highlight entropy changes to the process heap that are indicative of a heap-spray attack, a common component of browser and Acrobat Reader exploits.

DUAL SANDBOXING IDENTIFIES THE MOST ADVANCED ADVERSARIES IN THE WORLD:

Forcepoint Advanced Malware Detection Appliance leverages best-of-breed open source technology Cuckoo with Raytheon’s defense-grade ThINK proprietary sandboxing technology. Adding dual behavioral analysis to the above mentioned seven step static analysis process makes Forcepoint Advanced Malware Detection Appliance one of the most robust automated malware analysis solutions in the world. In addition, it lowers the cost and complexity of managing 2 distinct sandboxes or having to manually integrate multiple sandboxes into one system*, maximizing the ability to catch malicious code.

**www.cuckoo.com

*Fedscoop Cyber Alert Overload, Gaining the Upper Hand, 2016


Proprietary Anti-Evasion Technique Built from Experience with Cyberwarfare-Style Attacks

Forcepoint Advanced Malware Detection Appliance’s proprietary anti-evasion capabilities discover highly sophisticated malware developed to circumvent sandboxing technology. Unique to Forcepoint’s proprietary technique is the fact that malware authors do not have the ability to test their malware’s evasion technology within its environment. Having proprietary technology greatly reduces the chances of malware detecting that it is running in Forcepoint’s sandbox.

One Highly Confident Risk Score

To identify threats and minimize false positives, all of these detection methodologies return independent risk scores, along with confidence information and other data. An overall composite score is determined and passed back to the submitting security applications (Forcepoint Email Security or Forcepoint Web Security) to take action, and these details are recorded to help IT understand the nature of the threat. Individual event details or observed threat trends may help the organization identify campaigns or other targeted activity and enable it to proactively adjust its overall security posture.

FIG 2: Seven distinct static analysis processes, dual sandboxing, and one highly confident risk score.


INTEGRATION WITH FORCEPOINT WEB SECURITY & FORCEPOINT EMAIL SECURITY

Organizations have a holistic view of threats throughout the network. As the complete solution provides security teams with a consolidated view on advanced threats from multiple channels, it quickly prioritizes alerts for faster remediation of the biggest risks.

STAND ALONE WEB CONSOLE

Today, one-third of organizations are reporting that their IT divisions receive more than 1,000 cyber alerts per day (1), so an alert risk score must be highly confident with minimal false positives. To ensure this is achieved, Forcepoint Advanced Malware Detection Appliance has a stand-alone user interface that allows the customization of malware analysis to mold specifically to the unique organization it runs in. In addition, the user interface is designed to enable security practitioners to drill down on the analytic processes, allowing for a better understanding of the risk factors within an organization.

CUSTOMIZATION OF POLICIES SECTION

Malware evolves and certain methodologies become better at analyzing certain file types over others. As cybersecurity and malware evolve, security teams go to this location to adapt and further customize their threat environment to their unique situations. Easily configure which Agent will be called to analyze a particular MIME type. Choose to ignore certain file types or URLs. Modify a file’s status based on results returned from Agents, or set the risk level of URLs detected and assigned to a category.

THE DASHBOARD This section provides a high-level visualization of what has occurred within the most recent 24 hours. In one view, analysts can absorb a quantified representation of risk across the organization by Events, System and Metrics.

Integration with Forcepoint Web and Email Security Ensures a Consolidated Threat View

Forcepoint Advanced Malware Detection Appliance integrates seamlessly with Forcepoint Web Security and Forcepoint Email Security gateways to incorporate Forcepoint Advanced Malware Detection Appliance’s risk assessments into one centralized platform. In turn, this reduces risk and boosts efficacy of existing security investments. In addition to integration with TRITON Architecture, Forcepoint Advanced Malware Detection Appliance provides security practitioners with the ability to highly customize their malware analysis as the company grows and malware evolves. This is via Forcepoint Advanced Malware Detection Appliance’s standalone threat management console.


EVENTS SECTION This section speeds incident response with a dynamic and interactive screen, providing information by threat channel category such as Email, File, URL, Network or External. Analysts are capable of dissecting the threat landscape to have a more thorough understanding of the attack vector.

TOOLS & ADMINISTRATION FEATURES

Multiple tools and administration features provide flexibility for customizing the ecosystem to meet unique needs. Role-based access and privilege information controls are extremely flexible. Agent and file type management and system health monitoring are easily performed through use of the console.

FORENSIC TOOLS Investigative analytics tools address the security professional’s need to quickly respond to incidents and launch forensic investigations. Forcepoint Advanced Malware Detection Appliance’s link analysis visualization feature instantly unearths relationships between events, sender/receiver, files and other information in order to find an association where the naked eye cannot. What is typically a daunting manual process now takes one click: the analyst can see relationships across multiple variables as one picture, enabling them to instantly assess what happened, when, where and how, and determine why.

FIG 3: Forensic Tools provide advanced visualizations for teams to quickly and easily examine complex threat data and bring forward hidden relationships between events, sender, files and other information.


Technical Specifications

                     Controller Node Small    Controller Node Large    Behavioral Nodes
Model Name           M5000C                   M10000C                  M5000BA / M5000BB
Files Per Day        <300,000                 <750,000                 N/A
Form Factor          1U                       1U                       1U
Hardware Platform    Dell PowerEdge R430      Dell PowerEdge R430      Dell PowerEdge R430
Memory               64 GB                    128 GB                   32 GB
Processor            (2) Intel E5-2650 v3     (2) Intel E5-2650 v3     (2) Intel E5-2650 v3
On Board NIC         4 Port LOM               4 Port LOM               4 Port LOM
Hard Drives          (4) 1.2 TB 10K           (4) 1.2 TB 10K           (4) 300 GB 15K
RAID Setting         RAID 10                  RAID 10                  RAID 10
iDRAC License        Enterprise               Enterprise               Enterprise
Hardware Support     ProSupport: 7x24 HW/SW w/Keep Your Drive (all models)


CONTACT
www.forcepoint.com/contact

© 2017 Forcepoint. Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint. Raytheon is a registered trademark of Raytheon Company. All other trademarks used in this document are the property of their respective owners.[BROCHURE_FORCEPOINT_ADVANCED_MALWARE_DETECTION_APPLIANCE_EN]-400014.030117