Forcepoint Israel Tech Week
TRANSCRIPT
© 2020 Forcepoint Forcepoint Proprietary
Nitzan Cohen, Regional Director, Israel
Sep. 2020
Something We Believe In: "Built to Last"
• When partnering with someone
• While interacting with a customer
• While managing a channel
• When closing a deal
• While building a team
Customer Success
Leveraging Forcepoint offerings to ensure accelerated customer value, system availability and operational efficiency
Tech Week Became a Tradition
Forcepoint Israel Market Share, FY20
Announcements
▪ DLP Tech: 10.9, 09:00-13:00
▪ Forcepoint Virtual Summit: September 15
▪ Training: DLP 13-16.9, Web Security 29.9-1.10
▪ Forcepoint System Engineer Certification
▪ 10Bis voucher (70 NIS): please send an email to [email protected]
▪ Kahoot: 1st place 800 NIS alcohol package; 2nd and 3rd places 200 NIS vouchers
▪ Q&A: please send your questions through the chat
Today's Agenda
▪ Opening: 09:00-09:20
▪ Web Security (Erez): 09:20-10:50
▪ Break: 10:50-11:05
▪ Email Security (Peter): 11:05-12:35
▪ Q&A, Kahoot: 12:35-13:00
What's New?
▪ F1E
▪ Isolation (Full/Targeted)
▪ Boldon James
▪ Cloud App DLP, Cloud Web DLP
▪ DUP (Dynamic User Protection)
▪ Edge/CSG
▪ MSP
▪ Forcepoint Advantage
2020 Tech Week - Web
Erez Epstein, Sr. Sales Engineer
Agenda
On-Prem & Hybrid vs Cloud
Policy Hardening
System Health Check & Maintenance
Troubleshooting
CACM (CASB)
RBI
Tips & Tricks
EOL & Roadmap
Cloud Security Gateway
Zero Trust Network Access (ZTNA)
On-Prem & Hybrid vs Cloud
Hybrid Cloud Topology
Global Coverage Across 128 Countries
Feature Parity: On-Prem & Hybrid Web Main Feature Comparison

| Feature | On Prem | Hybrid | Cloud |
|---|---|---|---|
| Management Interface | Local | Local | Cloud Portal |
| Reporting | Local via Apollo | Local via Apollo (*no Real Time Monitor) | Cloud Apollo |
| User Authentication & Sync | Kerberos | Identification via Endpoint | Identification via Endpoint (*SSO via IdP also available) |
| Policy Management | Local via FSM | Local via FSM | Cloud Portal: one policy logic instead of multiple policies |
| Local Appliance Deployment | Supported | Supported | Not applicable |
| Real Time Analysis | Supported | Supported | Supported |
| DLP Module | Integrated on the proxy | ETA 2021 (*DLP Endpoint as the mid-term solution) | ETA Q4 2020 (*DLP Endpoint as the mid-term solution) |
| SSL MITM (decryption) | Supported | Supported | Supported |
| AMD (Advanced Malware Detection) | Supported | Supported | Supported |
| Shadow IT | Supported | Supported | Supported |
| Explicit & Transparent Redirection | Supported | Supported | Supported |
| SIEM | Supported | Supported | Supported |
Policy Hardening
Best Practices – Security Categories
Extended Protection:
• Dynamic DNS
• Elevated Exposure
• Emerging Exploits
• Newly Registered Websites (?!)
• Suspicious Content
Miscellaneous:
• Uncategorized (will be discussed soon)
Information Technology (please don't block me ☺; block these sub-categories instead):
• Hacking
• Proxy Avoidance
• Unauthorized MP
• Web and Email Spam
Security: fully blocked!!
Uncategorized
Why? What is the risk? How?
WebCatcher collects uncategorized and security-related URLs and sends them to Security Labs for analysis. This is done to improve URL categorization and security effectiveness.
And... stay tuned for the next slides...
Allowing URLs
• Re-categorize
• Exceptions (but not for Security)
Aggressive Analysis
• Elevated Risk Profile: recommended by Security Labs
• The rest: enable Aggressive! (Scanning → Scanning Options)
File Download Blocking
• Executables: bat, exe, pif
• Threats: vbs, wmf
• Custom: scf, cmd, and more...
And... stay tuned for the next slides...
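The slide lists download blocking by extension; the 8.5.4 notes later on this page add blocking of "Unknown" file types. The following is an added example (not Forcepoint code, and not the product's own type engine) showing why the two rules complement each other: an executable renamed to .txt passes an extension-only list and is only caught by looking at the bytes. The extension groups mirror the slide; the magic-byte table, the `BLOCKED_CONTENT` set and all sample files are constructed assumptions for the demo.

```python
"""Download blocking: extension list vs. actual file content (added example)."""
from __future__ import annotations

import string

# Extension groups from the slide (lower-case, without the dot).
# The slide's "and more..." is not expanded here.
BLOCKED_EXTENSIONS = {
    "executables": {"bat", "exe", "pif"},
    "threats": {"vbs", "wmf"},
    "custom": {"scf", "cmd"},
}

# Content types blocked regardless of file name (assumption for this demo).
BLOCKED_CONTENT = {"exe", "wmf"}

# Leading-byte signatures (illustrative subset, assumed for the demo).
MAGIC = [
    (b"MZ", "exe"),                 # DOS/PE executable: exe, dll, scr, pif
    (b"\x7fELF", "elf"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),         # zip container: also docx, xlsx, jar
    (b"\xd7\xcd\xc6\x9a", "wmf"),   # placeable WMF header
    (b"\x01\x00\x09\x00", "wmf"),   # standard WMF header
]

PRINTABLE = set(string.printable.encode("ascii"))


def extension_of(filename: str) -> str:
    """Return the lower-cased extension of the last path component, or ''."""
    name = filename.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def group_for_extension(ext: str) -> str | None:
    """Name of the slide's blocking group the extension belongs to, if any."""
    for group, exts in BLOCKED_EXTENSIONS.items():
        if ext in exts:
            return group
    return None


def sniff_type(data: bytes) -> str:
    """Classify by leading bytes; 'text' for printable ASCII; else 'unknown'."""
    for signature, kind in MAGIC:
        if data.startswith(signature):
            return kind
    if data and all(b in PRINTABLE for b in data[:512]):
        return "text"
    return "unknown"


def decide(filename: str, data: bytes, block_unknown: bool = True) -> tuple[str, str]:
    """Return ('block' | 'allow', reason) for one download."""
    ext = extension_of(filename)
    group = group_for_extension(ext)
    if group:
        return "block", f"extension .{ext} is in the {group} list"
    kind = sniff_type(data)
    if kind in BLOCKED_CONTENT:
        # The name looked harmless, but the bytes say otherwise.
        return "block", f"content is {kind} although the name ends in .{ext or '(none)'}"
    if kind == "unknown" and block_unknown:
        return "block", "unknown file type"
    return "allow", f"type {kind}"


# Constructed sample downloads: (name, first bytes).
SAMPLES = {
    "report.pdf": b"%PDF-1.7\n%constructed sample\n",
    "tool.exe": b"MZ\x90\x00\x03\x00\x00\x00",
    "notes.txt": b"MZ\x90\x00\x03\x00\x00\x00",   # renamed executable
    "readme.txt": b"plain text, nothing to see\n",
    "blob.dat": b"\x00\x01\x02\x03\xff\xfe",       # no known signature
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        action, reason = decide(name, data)
        print(f"{name:12} {action:5} {reason}")
```

Run it and compare `notes.txt` with `tool.exe`: both are blocked, but for different reasons, and `blob.dat` is only blocked while `block_unknown` is on, which is the trade-off the 8.5.4 "Unknown" option introduces.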
Cloud App Enforcement and Reporting
• Application Risk Level
• Block by Risk Level
• Permitted and Blocked List
• Part of the existing Policy Structure
AMD (Advanced Malware Detection): The Deep Content Inspection Difference
Inspection layers, fed by Web, Firewall, CASB and Email: Application layer, OS layer, Memory layer, CPU layer. Typical sandboxing stops at the OS layer.

Virtualization – Typical Sandbox
• Creates an isolated environment restricted by the underlying hardware
• Blind to deep malware activity
• Easily evaded

Full System Emulation (FUSE)
• Exact replication of multiple hardware environments, from mobile devices to PCs
• Complete visibility of malicious behaviors
• Full exposure to counter advanced evasion techniques

Deep content inspection capabilities
• Inspection of malware memory, including encrypted strings
• Dynamic code analysis elicits malicious behaviors
• True kernel visibility with minimal OS version dependencies
• Dormant code analysis identifies code blocks even if they do not execute
• Identification of malicious scripts and macros
• Signature-less inspection and analysis
System Health Check & Maintenance
Proactive Actions
• Upgrade, upgrade and upgrade
• Monitoring: services, SNMP, health check URL, system alerts from FSM (a.k.a. TRITON)
• Proxy: H/A and fault tolerance, clustering, VIP
• Dashboards: alerts, malicious events
• Hybrid sync status, DB download, log health, WCG alerts
• WCG Diagnostics Tool
• AV exceptions
• Backups: DB, file system, snapshots, application backup
Troubleshooting
Realtime Monitor
• Real time ☺
• Use for debugging only
• Filter by action
Block Page Debug
More Troubleshooting
• Browser debug (F12)
• Toolbox
• Authentication bypass
• Testdatabaseforcepoint.com
More Troubleshooting
• Scanning exceptions
• SSL bypass (source, destination): from FSM; as a last resort, from the proxy
Endpoint
Disable via CLI
Go to the endpoint installation directory (typically C:\Program Files\Websense\Websense Endpoint\) and submit the command:
    wdeutil.exe -stop [ wspxy | wsts | wsrf | wsdlp | all ]
Enter the anti-tampering password and you should be good to go!
Enable via CLI
Go to the endpoint installation directory (typically C:\Program Files\Websense\Websense Endpoint\) and submit the command:
    wdeutil.exe -start [ wspxy | wsts | wsrf | wsdlp | all ]
Gather debugs for Support via the UI
CACM (Cloud Application Control Module)
Web Security & Cloud App Control Module
Customer needs addressed by the combination (the slide marks each as either native functionality or Cloud App Control; *on-premises only):
• I need to protect my organization from web-borne threats
• I need to control how sanctioned cloud apps are being used
• I need to control sanctioned cloud apps across managed devices
• I need full AD and SIEM integration
• I want anomaly detection and user behavioral analytics
• I need to know what cloud apps are being self-adopted in my organization
• I need to know who is using potentially risky cloud apps
• I need to understand which cloud apps are risky, and why
• I need to block users from using risky cloud apps
Web Security + Cloud App Control = Forcepoint Web Security & Cloud App Control Module
Cloud App Control Module
The Web Security proxy is connected to the CASB service with proxy chaining. Sanctioned applications' traffic is forwarded automatically from the Web Security proxy to the CASB service.
• Proxy-based activity visibility, with real-time mitigation options
• CASB anomaly detection, UBA and risk scoring
(Diagram examples: Office365, CNN.com)
Inline Control of Sanctioned Cloud Apps
Inline Control of Any Activity
RBI
Forcepoint partnered with Ericom for Remote Browser Isolation (Gartner SWG MQ 2019)
Forcepoint & Ericom: A Winning Combination
How Browser Isolation Works
1. Malware embedded in active web content
2. Ericom RBI executes the content in an isolated container
3. Safe rendering information is sent to the endpoint
4. Standard browsing experience
Isolation: Forcepoint Web Security + Ericom Shield
Enable safe access to uncategorized or risky websites
► The end user connects to Forcepoint Web Security to access the web
► Black-listed URLs are blocked, white-listed URLs are allowed through
► Uncategorized and policy-defined URLs are sent to Ericom Shield for added malware protection
Forcepoint Web Security decision: safe sites: allow; risky sites: isolate; unsafe sites: block
1. Forcepoint Web Security allows access to known good sites and blocks known bad sites.
2. Policies in Forcepoint Web Security forward risky traffic to Ericom Shield RBI.
3. Risky sites are rendered in a remote virtual container, ensuring any malware on the site cannot infect endpoints.
4. The site is sent to the user as a safe, fully interactive visual stream. Users get full web access, and IT mitigates web security risk.
Forcepoint Integrations – Confirm Action: WSG (On Prem), web-redirection based
Once the user browses to one of the categories that are set to the Confirm action, they are given the option to isolate all of this traffic on the RBI solution by clicking on the link.
Configure the policy to isolate a certain category with the action set to Confirm.
Forcepoint and Ericom Feature Matrix

| Functionality | Forcepoint |
|---|---|
| Web Filtering | Yes |
| Deep Content Inspection | Yes |
| Data Loss Prevention (DLP) | Yes |
| File Sandboxing and Analysis | Yes |
| File Preview with text | Yes |

| Additional Security | Forcepoint + Ericom |
|---|---|
| Full Content Isolation (RBI) | Yes |
| Anti-phishing with Read-only Mode | Yes |
| File Content Disarm and Reconstruction (CDR) | Yes |
| File Preview with reader (safely in the isolation container) | Yes |
Tips & Tricks
WebsenseAdmin
Used to restart services in the right order, gracefully.
Go to the installation directory (typically C:\Program Files (x86)\Websense\Web Security) and submit the command:
    websenseadmin.exe stop (or start / restart)
Consolidate Realtime Monitor Logs
Logs can be sent to the main Policy Server. Ask your integrator to edit config.xml (carefully):
1. Stop the Websense services: /opt/Websense/WebsenseAdmin stop
2. Go to /opt/Websense/bin
3. vi config.xml
4. Look for UsageMonitorIp (to search in vi, type '/' followed by UsageMonitorIp) and change it to your TRITON IP, for example <data name="UsageMonitorIp">1.1.1.1</data>
5. Start the Websense services: /opt/Websense/WebsenseAdmin start
You need to do this on every proxy.
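The manual vi procedure above is easy to get wrong on the fifth proxy. The following is an added example (not a Forcepoint tool) that does the same edit with a backup, changes exactly one element and verifies the result before it is considered done. The element layout `<data name="UsageMonitorIp">...</data>`, the file path and the WebsenseAdmin stop/start commands are taken from the slide; `SAMPLE_CONFIG` is a constructed stand-in and not a real config.xml. Stop the services before editing and start them afterwards, and repeat on every proxy.

```python
"""Set UsageMonitorIp in config.xml safely (added example)."""
from __future__ import annotations

import ipaddress
import re
import shutil
import time
from pathlib import Path

CONFIG_PATH = Path("/opt/Websense/bin/config.xml")    # from the slide
STOP_CMD = "/opt/Websense/WebsenseAdmin stop"          # run before editing
START_CMD = "/opt/Websense/WebsenseAdmin start"        # run after editing

# The slide spells the name both UsageMonitorIP and UsageMonitorIp, so the
# attribute value is matched case-insensitively.
ELEMENT_RE = re.compile(r'(<data\s+name="UsageMonitorIp">)([^<]*)(</data>)', re.IGNORECASE)

# Constructed sample; only the UsageMonitorIp element mirrors the slide.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<config>
  <data name="ExampleOtherSetting">10.0.0.5</data>
  <data name="UsageMonitorIp">10.0.0.5</data>
</config>
"""


def current_usage_monitor_ip(xml_text: str) -> str | None:
    """Return the configured UsageMonitorIp value, or None if absent."""
    match = ELEMENT_RE.search(xml_text)
    return match.group(2).strip() if match else None


def set_usage_monitor_ip(xml_text: str, new_ip: str) -> str:
    """Return xml_text with UsageMonitorIp set to new_ip.

    Raises ValueError if new_ip is not an IP address or the text does not
    contain exactly one UsageMonitorIp element, so a wrong file is never written.
    """
    ipaddress.ip_address(new_ip)  # ValueError on garbage such as a hostname
    new_text, count = ELEMENT_RE.subn(lambda m: f"{m.group(1)}{new_ip}{m.group(3)}", xml_text)
    if count != 1:
        raise ValueError(f"expected exactly one UsageMonitorIp element, found {count}")
    return new_text


def update_config_file(path: Path, new_ip: str) -> Path:
    """Back up path, rewrite UsageMonitorIp in place and verify; return the backup path."""
    original = path.read_text(encoding="utf-8")
    updated = set_usage_monitor_ip(original, new_ip)   # validate before touching the file
    backup = path.with_name(f"{path.name}.bak-{time.strftime('%Y%m%d%H%M%S')}")
    shutil.copy2(path, backup)                         # restorable copy next to the file
    path.write_text(updated, encoding="utf-8")
    if current_usage_monitor_ip(path.read_text(encoding="utf-8")) != new_ip:
        shutil.copy2(backup, path)                     # roll back if the write did not take
        raise RuntimeError("verification failed, original config restored")
    return backup


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    print("before:", current_usage_monitor_ip(SAMPLE_CONFIG))
    print("after: ", current_usage_monitor_ip(set_usage_monitor_ip(SAMPLE_CONFIG, "1.1.1.1")))
    # On a proxy: run STOP_CMD, then update_config_file(CONFIG_PATH, "<TRITON IP>"), then START_CMD.
```

The regex deliberately touches only the text between the named element's tags, so comments, ordering and every other `<data>` element in the file stay byte-for-byte identical; an XML parser rewrite would not give that guarantee.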
Block WhatsApp Upload & Download
WhatsApp uses a specific domain for any upload/download, so we can simply block it with Forcepoint Web. This blocks any kind of file upload/download. The URL list might need to be updated if the WhatsApp design changes.
URL list:
• http://mmg.whatsapp.net
• https://mmg.whatsapp.net
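When maintaining a host list like the one above, the matching semantics matter more than the entries. The following is an added example (not Forcepoint code; the proxy does its own matching) that checks a request URL against the slide's list by host rather than by string prefix, and exercises the cases worth verifying in the product: scheme, port and letter case are irrelevant, a look-alike host (mmg.whatsapp.net.attacker.example) or a userinfo trick (mmg.whatsapp.net@attacker.example) must not match, and sub-domains match only when you ask for them. The host list is from the slide; all test URLs are constructed.

```python
"""Host-based matching against the WhatsApp media-host list (added example)."""
from urllib.parse import urlsplit

# URL list from the slide; the http:// and https:// entries collapse to one host.
BLOCKED_URL_LIST = ["http://mmg.whatsapp.net", "https://mmg.whatsapp.net"]


def host_of(url: str) -> str:
    """Normalised host part of url ('' if it cannot be parsed)."""
    if "://" not in url:
        url = "http://" + url              # bare host/path entries as people type them
    host = urlsplit(url).hostname or ""    # drops userinfo and port, lower-cases
    return host.rstrip(".")                # trailing-dot FQDN form


BLOCKED_HOSTS = {host_of(u) for u in BLOCKED_URL_LIST}


def is_blocked(url: str, include_subdomains: bool = False) -> bool:
    """True if url's host is on the list (optionally including its sub-domains)."""
    host = host_of(url)
    if not host:
        return False
    if host in BLOCKED_HOSTS:
        return True
    if include_subdomains:
        return any(host.endswith("." + blocked) for blocked in BLOCKED_HOSTS)
    return False


# Constructed requests that exercise the matcher.
CASES = [
    "https://mmg.whatsapp.net/v/t62.7118-24/abc?ccb=11",   # media host itself
    "HTTPS://MMG.WHATSAPP.NET:443/x",                         # case and port
    "https://web.whatsapp.com/",                              # chat UI, not media
    "https://mmg.whatsapp.net.attacker.example/",             # look-alike suffix
    "https://mmg.whatsapp.net@attacker.example/",             # userinfo trick
    "https://cdn.mmg.whatsapp.net/x",                         # sub-domain
]

if __name__ == "__main__":
    print("exact subdom url")
    for url in CASES:
        exact = "BLOCK" if is_blocked(url) else "allow"
        sub = "BLOCK" if is_blocked(url, include_subdomains=True) else "allow"
        print(f"{exact:5} {sub:6} {url}")
```

Note the "look-alike" and "userinfo" cases: a filter implemented as `url.startswith("https://mmg.whatsapp.net")` would block the first and let the second through, which is the opposite of what the policy intends.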
DTP – Read-Only Access to a Site
Read-only Gmail access, made possible easily by carefully inspecting all outbound traffic.
Roaming User Policy
Cloud Status Portal
• Current status of our cloud products
• Consolidates CSG, DEP, CASB and future cloud products
• Shows the history of status
• Modern, organized presentation, competitive with best-in-class cloud providers
Now live on status.forcepoint.com; released in June 2020.
Forcepoint Web 8.5.4 – New Features
• SIEM integration improvements: customers with larger traffic will notice reduced lag time before data is made available to the SIEM.
• Audit logs available to SIEM by default: FSM portal audit logs are now sent to the SIEM by default; previously customers had to configure this manually.
• Integration with multiple SIEM tools: multiple SIEM integrations are now supported, up to a maximum of 10.
• Quality and stability: notable improvements in Reporting; customers with large data sets will notice a significant reduction in report loading times.
• TLS 1.0 off by default: TLS 1.0 is still supported but is now disabled by default for new customers.
• ESXi 6.7 now supported: VMware ESXi 6.7 is now supported.
• "Unknown" file types can be blocked: unknown file types can now be blocked, where previously they could not.
Roadmap & Product Life Cycle (EOL)
Web Life Cycle: https://support.forcepoint.com/ProductSupportLifeCycle
Roadmap
CSG
Cloud Security Gateway – security made simple
1 SKU for product + 1 SKU for support + 1 SKU for services
Cloud Security Gateway – Web + CASB + DLP
Forcepoint Security Manager (at the customer site or in IaaS):
• Deploy and manage DLP policies
• Incident management and reporting
• Forensic investigation
• XML import of CSG web categories
DPS (DLP instance), integrated with CSG via API calls/responses:
• DLP classifiers: file size, name, type; keywords, phrases; REGEXP; file metadata; fingerprinting
• Verdict returned to the proxy: block/allow
• *No OCR support in DPS today
CSG Admin Portal:
• Configure the DPS integration
• Manage web policies
• DPS / DLP Lite enforcement at policy level
• Manage block pages
• Transaction log/reporting
Traffic flow: User (Endpoint | PAC | Tunnels) → CSG (Web Proxy, CASB, RBI, AMD) → Internet / cloud apps. The web proxy hands POST/HTTP uploads and files to the DLP policy and receives block/allow; web logs and events feed reporting.
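To make the DPS classifier types listed above concrete, the following is an added example (not Forcepoint DPS code; none of its classifiers, policies or API are reproduced) that runs file-size, file-name/type, keyword and REGEXP classifiers over one outbound HTTP POST and returns a block/allow verdict. It also shows why a card-number regex on its own is a poor classifier: a Luhn check on each regex hit removes reference numbers that merely look like cards. `SAMPLE_POST`, the keyword set, the size limit and the extension list are constructed; fingerprinting and file-metadata classifiers are not implemented here.

```python
"""Minimal DLP classifiers over an outbound POST (added example)."""
import re

# Classifier settings (assumptions for the demo).
MAX_UPLOAD_BYTES = 10_000_000
KEYWORDS = {"confidential", "internal only"}
BLOCKED_EXTENSIONS = {"exe", "bat"}
# 14-19 digits with optional space/dash separators; each hit is Luhn-validated.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")
FILENAME_RE = re.compile(r'filename="([^"]*)"')

# Constructed multipart upload: one valid test card number (4111...1111),
# one number that fails Luhn, and a policy keyword.
SAMPLE_POST = (
    "POST /upload HTTP/1.1\r\n"
    "Host: files.example\r\n"
    "Content-Type: multipart/form-data; boundary=XX\r\n"
    "\r\n"
    "--XX\r\n"
    'Content-Disposition: form-data; name="file"; filename="q3-notes.txt"\r\n'
    "\r\n"
    "INTERNAL ONLY. Customer card 4111 1111 1111 1111 on file.\r\n"
    "Ticket reference 4111 1111 1111 1112 is not a card.\r\n"
    "--XX--\r\n"
)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def split_request(raw: str) -> tuple[str, str]:
    """Return (headers, body) of a raw HTTP request."""
    head, _, body = raw.partition("\r\n\r\n")
    return head, body


def find_card_numbers(text: str) -> list[str]:
    """Regex candidates that also pass Luhn, returned without separators."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def classify(raw_request: str) -> dict:
    """Run the classifiers over the body and return findings plus a verdict."""
    _, body = split_request(raw_request)
    lowered = body.lower()
    findings = {
        "too_large": len(body.encode("utf-8")) > MAX_UPLOAD_BYTES,          # file size
        "blocked_filenames": [                                             # file name/type
            f for f in FILENAME_RE.findall(body)
            if f.rsplit(".", 1)[-1].lower() in BLOCKED_EXTENSIONS
        ],
        "keywords": sorted(k for k in KEYWORDS if k in lowered),           # keywords/phrases
        "cards": find_card_numbers(body),                                  # REGEXP + validation
    }
    findings["action"] = "block" if (
        findings["too_large"] or findings["blocked_filenames"]
        or findings["keywords"] or findings["cards"]
    ) else "allow"
    return findings


if __name__ == "__main__":
    for key, value in classify(SAMPLE_POST).items():
        print(f"{key:17} {value}")
```

On the sample the verdict is "block" on two independent grounds (the keyword and the valid card), while the Luhn-failing ticket reference is not reported; a regex-only rule would have produced two card hits and a noisier incident.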
Zero Trust Network Access (Edge)
Zero Trust Private Access – Internal Apps without VPNs
Connectivity for internal apps
• Inside private data centers (physical or cloud)
Same user experience everywhere
• No special UI; open apps in the browser as usual
• No VPN client needed
No special firewall ports to administer
Part of DEP's unified security policies
• Risk-adaptive access controls coming in 2021
Centralized visibility into app usage
Diagram: remote workers and branch offices connect through DEP ZT Private Access to internal apps in the data center and internal apps in a private enclave.
DYNAMIC EDGE PROTECTION: converged security for applications and data everywhere
• Cloud Security Gateway (CSG): Web Security as a service, CASB, Threat Protection, Data Protection as a service; covers public web & SaaS apps
• Private Access (PA): ZTNA, Firewall as a service, Threat Protection, Data Protection as a service*; covers private apps
• Unified Agent
• Risk-Adaptive Protection*
* coming H1'21