threat protection appliance 3 - forcepoint | … cuckoo open source sandbox the sandboxing process...

THREAT PROTECTION APPLIANCE 3.4 ONE OF THE WORLD’S MOST ROBUST, ON-PREMISES AND AUTOMATED MALWARE ANALYSIS SOLUTIONS

Upload: phamnguyet

Post on 11-Jun-2018


Page 1: THREAT PROTECTION APPLIANCE 3 - Forcepoint | … CUCKOO OPEN SOURCE SANDBOX The sandboxing process begins with TPA sending the file to Cuckoo’s malware analysis system. Cuckoo can

THREAT PROTECTION APPLIANCE 3.4

ONE OF THE WORLD’S MOST ROBUST, ON-PREMISES AND AUTOMATED MALWARE ANALYSIS SOLUTIONS


www.forcepoint.com

For years, Security and Risk (SR) professionals made major investments in signature-based defenses of email, network and endpoint security solutions. The methodology of these solutions has proven itself ineffective against today’s evasive malware being developed by highly sophisticated and well-funded adversaries. As a response, SR professionals are turning to Automated Malware Analysis (AMA) technologies in order to arm themselves against zero day and Advanced Persistent Threats (APTs) attacking their organizations. AMA tools automate the unique skill set of malware analysis traditionally done only by highly qualified manual practitioners. Due to the shortage of this expertise, manual processes have been replaced with automation that performs a combination of static and behavioral analysis to detect and prevent the entry of known malware and brand-new exploits.

THREAT PROTECTION APPLIANCE 3.4

Forcepoint’s Threat Protection Appliance (TPA) is an on-premises, automated malware analysis framework developed for organizations needing to add detection and prevention against stealthy and advanced threats to their existing Forcepoint Secure Web and Email Gateways. The TPA framework’s unmatched efficacy processes files through seven distinct static analytic agents and a dual-sandboxing process. Its ecosystem analyzes malware behavior with a combination of best-of-breed open source and Forcepoint proprietary static and dynamic technologies. Unique to the market is the defense-grade anti-evasion technology within Forcepoint’s proprietary ThINK sandbox, stopping malware typically capable of circumventing commercially available sandboxes.


Threat Protection Appliance Efficacy

The Threat Protection Appliance automated malware analysis technology was initially developed by Forcepoint’s parent company, Raytheon, an international government contractor. Raytheon is responsible for protecting highly classified materials experiencing constant cyber attacks by the stealthiest APT actors in the world. The sophistication in the attack vectors targeting Raytheon is so advanced that Raytheon could not purchase a commercially available solution to fight such sophisticated adversaries, and Threat Protection Appliance was born. Today, TPA is used to defend the integrity of highly valuable national security secrets and financial institutions’ critical data.

Threat Protection Appliance has an extensive ecosystem leveraging today’s best available open source and proprietary technology. It is capable of analyzing any and all file types (PDF files, Windows executables, Office documents, HTML files, Windows shortcut (.lnk) files, zip files, jar files and more) with exclusive sandboxing representing multiple combinations of operating systems and applications, and it can customize multiple baselines in order to mimic your organization’s infrastructure more accurately than any other on the market. TPA’s ecosystem processes files through the following analysis:


FIG 1: Extensive ecosystem that leverages the best-of-breed open source and proprietary technology available today.

[Figure: Threat Protection Appliance Detection Framework. Static detection agents (completed static detections and two sandboxes included): ClamAV (signature); Cylance (machine learning); File Context (PDF, EXE, Office); SSDeep (fuzzy hashes, CTPH); Yara (heuristics). Cuckoo behavioral agents: behavioral sandboxing solution. K12 behavioral agents: behavioral sandboxing solution with machine-level observations, time warp for faster observation, almost impossible to detect by evasion technique. Static agents + Cuckoo + K12 = risk score (high confidence result).]


CYLANCE With our highly respected partner, Cylance, files are put through a four-phase machine learning process (collection, extraction, learning & classification) in milliseconds with extreme accuracy. Cylance uses feeds to collect millions of files from a plethora of industry sources, extracting over 20,000 attributes from these files. These attributes are learned by Cylance through normalization and conversion to numerical values that can then be used in statistical models. Machine learning is applied during the learning phase, which delivers a set of models that can predict whether a file is valid or malicious. Any unknown files are then classified.

SSDEEP Because today’s problem is much bigger than trying to identify malicious files that are identical, TPA leverages ssdeep’s Fuzzy Hashing. Fuzzy Hashing uses Context Triggered Piecewise Hashes (CTPH), a combination of traditional hashes whose boundaries are determined by the context of input. These signatures are used to identify modified versions of known files even if data has been inserted, modified or deleted.
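As an added illustration of the CTPH mechanism the ssdeep paragraph describes (example code written for this page, not ssdeep’s or Forcepoint’s implementation): a cut-down fuzzy hash whose piece boundaries are chosen by a rolling hash over the last seven bytes, so that inserting data changes only the signature characters near the insertion. The window, block size, alphabet and sample files are constructed assumptions; real ssdeep derives its block size from the file size and compares at two block sizes.

```python
import random

WINDOW = 7         # rolling-hash context: only the last 7 bytes decide where a piece ends
BLOCK_SIZE = 16    # constructed: a boundary roughly every 16 bytes (ssdeep derives this from file size)
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

def context_hash(window):
    # Polynomial hash of the window alone, so a boundary depends only on local content
    h = 0
    for b in window:
        h = (h * 31 + b) & 0xFFFFFFFF
    return h

def piece_char(piece):
    # The "traditional hash" of one piece (FNV-1a here), reduced to one base64 character
    h = 0x811C9DC5
    for b in piece:
        h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF
    return ALPHABET[h & 63]

def fuzzy_hash(data):
    # One character per piece; a piece ends wherever the context hash hits the trigger value
    sig, start = [], 0
    for i in range(len(data)):
        if context_hash(data[max(0, i - WINDOW + 1):i + 1]) % BLOCK_SIZE == BLOCK_SIZE - 1:
            sig.append(piece_char(data[start:i + 1]))
            start = i + 1
    if start < len(data):              # trailing piece that never hit a trigger
        sig.append(piece_char(data[start:]))
    return "".join(sig)

def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def similarity(sig_a, sig_b):
    # 0..100 as ssdeep reports it: no score at all unless the signatures share a 7-character
    # run, otherwise the edit distance turned into a percentage of the longer signature
    if not any(sig_a[i:i + 7] in sig_b for i in range(len(sig_a) - 6)):
        return 0
    return round(100 * (1 - levenshtein(sig_a, sig_b) / max(len(sig_a), len(sig_b))))

def build_samples():
    # Constructed inputs: an "original" file, the same file with 100 bytes inserted
    # half-way through, and an unrelated file of the same size
    rng = random.Random(7)
    original = rng.getrandbits(8 * 2000).to_bytes(2000, "big")
    modified = original[:1000] + rng.getrandbits(800).to_bytes(100, "big") + original[1000:]
    unrelated = random.Random(99).getrandbits(8 * 2000).to_bytes(2000, "big")
    return original, modified, unrelated
```

Hashing the three samples with fuzzy_hash and scoring them with similarity shows the modified file keeping a high score while the unrelated file scores 0, because the characters emitted before the insertion point are identical.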

YARA The highly acclaimed Yara heuristics technology applies “rules” to malware knowledge captured from malicious activity observed worldwide. Yara rules express that shared knowledge as “if – then” conditions over code strings; a file is identified when it meets a rule’s specific condition. These rules are then applied to each file.

SEVEN STATIC ANALYSIS ENGINES GIVE ONE HIGHLY CONFIDENT RISK SCORE

Different file types require distinct types of malware analysis to ensure efficacy in threat detection and prevention. Our multifaceted approach for detecting a broad spectrum of threats combines seven distinct static detection methodologies that are a combination of open source and proprietary technologies. This allows TPA to maximize the industry’s most advanced and up-to-date static analysis techniques to identify malware prior to using resources in the sandbox. TPA’s seven static analysis agents provide distinct risk scores that TPA’s risk scoring algorithm combines to provide the security team with one highly confident risk score. Files are processed across the following seven methodologies:


Forcepoint™ Threat Protection Appliance 3.4


FORCEPOINT PDF FILE CONTEXT (PDFS)

As PDF files continue to grow in popularity, Forcepoint had to build its own proprietary technology that is faster and more efficient than what is available in the market today. Forcepoint’s PDFS decodes, decompresses and de-obfuscates PDF files to determine validity or corruption.

CLAMAV Signature scanning and anti-virus heuristics by ClamAV are used to detect malicious code.

CHECKEXE Addresses the problem of malicious binaries masking themselves as something else. It examines the icon associated with a binary to ensure the icon is the correct one—if not the file is flagged.

OFFICECHECKER Forcepoint’s proprietary agent OfficeChecker is a file context agent that is an expert at examining MS Office documents. It decodes, decompresses and de-obfuscates Office files to determine if they contain malicious code.


CUCKOO OPEN SOURCE SANDBOX

The sandboxing process begins with TPA sending the file to Cuckoo’s malware analysis system. Cuckoo can analyze the behavior of a wide array of malicious files (executables, document exploits, Java applets), as well as malicious websites, in Windows, OS X, Linux, and Android virtualized environments. Cuckoo is able to trace API calls and the general behavior of the file, dump and analyze encrypted network traffic, and perform advanced memory analysis of the infected virtualized system with integrated support for Volatility**. After Cuckoo’s analysis, the file is sent to ThINK, Raytheon’s proprietary sandbox.

ThINK PROPRIETARY SANDBOX

ThINK behavioral analysis is one of the most comprehensive sandboxes that exists in the world today. ThINK is a custom hypervisor that provides a fully integrated system-level debugger and an integrated malware sandbox. The sandbox executes files within a virtualized environment to contain and isolate malicious files before they can infect production systems. ThINK does not require any custom software on the guest OS. This helps avoid altering guest performance and prevents malware from detecting virtualization.

ThINK monitors all incoming and outgoing guest machine network traffic and flags hardware and software exceptions that are likely to indicate an attempted exploit. It uses hardware breakpoints to monitor file, registry, process and thread creation and destruction from outside of the guest. ThINK also implements heap-spray analytics that highlight entropy changes to the process heap indicative of a heap-spray attack, a common component of browser and Acrobat Reader exploits.
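As an added illustration of the heap-spray analytics idea in the paragraph above (example code written for this page, not ThINK’s implementation, whose actual method the brochure does not detail): page-level Shannon entropy of two heap snapshots, flagging growth that consists of many near-constant pages. The page size, thresholds and sample heaps are constructed assumptions.

```python
import math
import random
from collections import Counter

PAGE = 4096
LOW_ENTROPY = 2.0        # constructed threshold (bits per byte): pages of repeated filler sit well below it
MIN_NEW_LOW_PAGES = 16   # constructed: a spray fills many pages with the same filler, not one odd page

def shannon_entropy(block):
    # Bits per byte of one page: 0.0 for a constant page, close to 8.0 for random bytes
    n = len(block)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(block).values())

def page_entropies(heap):
    return [shannon_entropy(heap[i:i + PAGE]) for i in range(0, len(heap), PAGE)]

def heap_spray_indicators(before, after):
    # Compare two snapshots of the same process heap. A spray appears as many newly mapped
    # pages whose entropy collapses, dragging the heap's mean entropy down; ordinary growth
    # (a parsed document, decompressed data) adds high-entropy pages instead.
    e_before, e_after = page_entropies(before), page_entropies(after)
    low_before = sum(1 for e in e_before if e < LOW_ENTROPY)
    low_after = sum(1 for e in e_after if e < LOW_ENTROPY)
    mean_before = sum(e_before) / len(e_before) if e_before else 0.0
    mean_after = sum(e_after) / len(e_after) if e_after else 0.0
    new_low = low_after - low_before
    return {
        "pages_before": len(e_before),
        "pages_after": len(e_after),
        "new_low_entropy_pages": new_low,
        "mean_entropy_drop": round(mean_before - mean_after, 2),
        "suspicious": new_low >= MIN_NEW_LOW_PAGES and mean_after < mean_before,
    }

def build_snapshots():
    # Constructed heaps: a 64 KB baseline alternating text and random pages, a snapshot that
    # grew by 1 MB of one repeated filler (spray-like), and one that grew by 1 MB of random data
    rng = random.Random(3)
    text_page = (b"benign heap object " * 216)[:PAGE]
    baseline = b"".join(
        text_page if i % 2 else rng.getrandbits(8 * PAGE).to_bytes(PAGE, "big") for i in range(16)
    )
    sprayed = baseline + b"FILL" * (1 << 18)
    grown = baseline + rng.getrandbits(8 << 20).to_bytes(1 << 20, "big")
    return baseline, sprayed, grown
```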

DUAL SANDBOXING IDENTIFIES THE MOST ADVANCED ADVERSARIES IN THE WORLD

Threat Protection Appliance leverages the best-of-breed open source technology Cuckoo with Raytheon’s defense-grade ThINK proprietary sandboxing technology. Adding dual behavioral analysis to the seven-step static analysis process described above makes Threat Protection Appliance one of the most robust automated malware analysis solutions in the world. In addition, it lowers the cost and complexity of managing two distinct sandboxes or having to manually integrate multiple sandboxes into one system*, maximizing the ability to catch malicious code.

**www.cuckoo.com

*Fedscoop Cyber Alert Overload, Gaining the Upper Hand, 2016


Proprietary Anti-Evasion Technique Built from Experience with Cyberwarfare-Style Attacks

Threat Protection Appliance’s proprietary anti-evasion capabilities discover highly sophisticated malware developed to circumvent sandboxing technology. Unique to Forcepoint’s proprietary technique is the fact that malware authors do not have the ability to test their malware’s evasion technology within its environment. Having proprietary technology greatly reduces the chances of malware detecting that it is running in Forcepoint’s sandbox.

One Highly Confident Risk Score

To identify threats and minimize false positives, all of these detection methodologies return independent risk scores, along with confidence information and other data. An overall composite score is determined and passed back to the submitting security applications (AP-EMAIL or AP-WEB) to take action, and the underlying details are recorded to help IT understand the nature of the threat. Individual event details or threat trends observed may help the organization identify campaigns or other targeted activity and enable it to proactively make adjustments to its overall security posture.

FIG 2: Seven distinct static analysis processes, dual sandboxing, and one highly confident risk score.


INTEGRATION WITH AP-WEB & AP-EMAIL

Organizations have a holistic view of threats throughout the network. As the complete solution provides security teams with a consolidated view on advanced threats from multiple channels, it quickly prioritizes alerts for faster remediation of the biggest risks.

STAND ALONE WEB CONSOLE

Today, one-third of organizations are reporting that their IT divisions receive more than 1,000 cyber alerts per day (1) — so an alert risk score must be highly confident with minimal false positives. To ensure this is achieved, Threat Protection Appliance has a stand-alone user interface that allows for the customization of malware analysis to mold specifically to the unique organization it runs in. In addition, the user interface is designed for enabling security practitioners to drill down on the analytic processes, allowing for a better understanding of the risk factors within an organization.

CUSTOMIZATION OF POLICIES SECTION

Malware evolves, and certain methodologies become better at analyzing certain file types than others. As cybersecurity and malware evolve, security teams go to this section to adapt and further customize their threat environment to their unique situation. Easily configure which agent will be called to analyze a particular MIME type. Choose to ignore certain file types or URLs. Modify a file’s status based on results returned from agents, or set the risk level of URLs detected and assigned to a category.

THE DASHBOARD This section provides a high-level visualization of what has occurred within the most recent 24 hours. In one view, analysts can absorb a quantified representation of risk across the organization by Events, System and Metrics.

Integration with Forcepoint Secure Web & Email Gateways Ensures a Consolidated Threat View

Threat Protection Appliance integrates seamlessly with TRITON® AP-WEB and AP-EMAIL security gateways to incorporate TPA’s risk assessments into one centralized platform. In turn, this reduces risk and boosts efficacy of existing security investments. In addition to integration with TRITON, TPA provides security practitioners with the ability to highly customize their malware analysis as the company grows and malware evolves. This is via TPA’s standalone threat management console.


EVENTS SECTION This section speeds incident response with a dynamic and interactive screen, providing information by threat channel category such as Email, File, URL, Network or External. Analysts are capable of dissecting the threat landscape to have a more thorough understanding of the attack vector.

TOOLS & ADMINISTRATION FEATURES

Multiple tools and administration features provide flexibility for customizing the ecosystem to meet unique needs. Role based access and privilege information controls are extremely flexible. Agent and file type management and system health monitoring are easily performed through use of the console.

FORENSIC TOOLS Investigative analytics tools address the security professional’s need to quickly respond to incidents and launch forensic investigations. TPA’s link analysis visualization feature instantly unearths relationships between events, sender/receiver, files and other information in order to find associations where the naked eye cannot. What is typically a daunting manual process becomes a single click: the analyst can see relationships across multiple variables as one picture, enabling them to instantly assess what happened, when, where and how, and determine why.

FIG 3: Forensic Tools provide advanced visualizations for teams to quickly and easily examine complex threat data and bring forward hidden relationships between events, sender, files and other information.


Technical Specifications

                     Controller Node Small     Controller Node Large     Behavioral Nodes
Model Name           M5000C                    M10000C                   M5000BA / M5000BB
Files Per Day        <300,000                  <750,000                  N/A
Form Factor          1U                        1U                        1U
Hardware Platform    Dell PowerEdge R430       Dell PowerEdge R430       Dell PowerEdge R430
Memory               64 GB                     128 GB                    32 GB
Processor            (2) Intel E5-2650 v3      (2) Intel E5-2650 v3      (2) Intel E5-2650 v3
On Board NIC         4 Port LOM                4 Port LOM                4 Port LOM
Hard Drives          (4) 1.2 TB 10K            (4) 1.2 TB 10K            (4) 300 GB 15K
Raid Setting         RAID 10                   RAID 10                   RAID 10
iDRAC License        Enterprise                Enterprise                Enterprise
Hardware Support     ProSupport: 7x24 HW/SW w/Keep Your Drive (all three models)


Forcepoint™ is a trademark of Forcepoint LLC. SureView®, ThreatSeeker® and TRITON® are registered trademarks of Forcepoint LLC. Raytheon is a registered trademark of Raytheon Company. All other trademarks and registered trademarks are property of their respective owners. [BR-TPA-ENUS]-400014.121916

CONTACT: www.forcepoint.com/contact