©2015 Check Point Software Technologies Ltd. 1 Website Watering Holes Endpoints are at risk in numerous ways, especially when social engineering is applied.

Presentation transcript:

Slide 1: Website Watering Holes. Spear Phishing. Endpoints are at risk in numerous ways, especially when social engineering is applied well.

Slide 2: Statistics show: End users are vulnerable to traditional threats… especially advanced attacks. Spear phishing peaks on weekends.

Slide 3: STAYING ONE STEP AHEAD OF ENDPOINT INFILTRATION. Detect and prevent hackers’ attempts to infect and commandeer endpoint devices. [Protected] Non-confidential content ©2016 Check Point Software Technologies Ltd.

Slide 4: Timing is Everything. [Restricted] ONLY for designated groups and individuals
- The longer an attack goes UNDETECTED, the more time it takes to CONTAIN it.
- The longer it takes to CONTAIN it, the more it will COST.
- $154 per lost record
- $3.79M average damage
- 23% increase from previous year
Source: 2015 cost of data breach study: global analysis, Ponemon Institute

Slide 5: Cost over Time: The financial impact GROWS dramatically with TIME. Direct loss: $162,000,000. Estimated indirect loss: >$1 Billion.

Slide 6: What You Really Need to Know
- How do we clean it?
- How did it enter?
- Is there business impact?
- Has it spread?
- How can I block the attack vector?
- How do I mitigate?
- Who should I notify?
- How can I save time responding?
- Am I addressing the full scope?

Slide 7: What do you do when you’ve been breached? Common Approaches to Infection Response:
- Rely on AV quarantine: Works only for known malware. AV will miss all malware elements before the detection. Data could be stolen before the detection.
- Re-image the PC: Does not bring back lost data. Costly & disruptive procedure. Will not prevent same malware from getting in again.
- Traditional forensic analysis: Forensic data is often long gone. Forensics skill is a scarce resource. Too expensive to perform on all events.

Slide 8: SANDBLAST CLOUD: Eliminate Zero-Day Malware at the Endpoint
1. Web downloads sent to SandBlast cloud
2. Sanitized version delivered promptly
3. Original file emulated in the background

Slide 9: Collect Forensics Data and Trigger Report Generation
1. FORENSICS data continuously collected from various OS sensors (Processes, Registry, Files, Network)
2. Analysis automatically TRIGGERED upon detection of network events or AV
3. Advanced ALGORITHMS analyze raw forensics data
4. Digested INCIDENT REPORT sent to SmartEvent

Slide 10: From Trigger to Infection: Automatically trace back the infection point
- Investigation Trigger: Identify the process that accessed the C&C server
- Identify Attack Origin: Chrome exploited while browsing
- Dropped Malware: Dropper downloads and installs malware
- Exploit Code: Dropper process launched by Chrome
- Activate Malware: Scheduled task launches after boot
- Attack Traced: Even across system boots
- Schedule Execution: Malware registered to launch after boot
- Data Breach: Malware reads sensitive documents

Slide 11: Automated Incident Reporting
Automatically requests logs from involved endpoints and generates complete view of attacks:
- Malware entry point
- Scope of damage
- Other affected hosts / users
- Attack flow
Triggers the creation of an incident report through:
- Existing AV products
- Network detections
- Endpoint Anti-bot, Threat Emulation or Anti-malware
- Investigation by IRT looking at related cases

Slide 12: Understanding an Incident: Instant Answers to Important Questions. How Serious is This Event? Severity; Malicious and suspicious activities; Drill-down detail.

Slide 13: Providing an Infection Timeline: Telling a story. Infection 9:15AM. What happened before? What happened after? Are there similar infection attempts in my network?

Slide 14: How to protect against WHAT WE DON’T CONTROL?

Slide 15: MOBILE DEVICES ARE DIFFICULT TO CONTROL
- Mix of personal and business data
- Can’t install low level protections such as AV
- Can’t control individuals’ behavior

Slide 16: THE RESULT: A GROWING MOBILE THREAT LANDSCAPE
- mobile devices infected worldwide
- of organizations above 2000 employees have infected mobile device in their network

Slide 17: Let’s think different: THREAT PREVENTION FOR MOBILE

Slide 18: MOBILE APPLICATION ANALYSIS
- Dynamic Analysis (Sandboxing)
- Advanced Static Code Analysis (Reverse Engineering)

Slide 19: APPLICATION REPUTATION: Number of apps, certificate, download scoring, etc.
Developer Certificate. Should look like: Actually looks like:
Issuer Distinguished Name: OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown.
SHA1 Fingerprint: 342A56F9902A384B443E322AD34

Slide 20: REAL TIME REMEDIATION
- On-Device resolution
- Block C&C communication
- Disconnect from organization network while infected

Slide 21: What to do when the unknown BECOMES KNOWN?

Slide 22: Staying one step ahead: COLLABORATION WITH MULTIPLE INTELLIGENCE SOURCES

Slide 23: WE PROVIDE PROTECTIONS AGAINST NEW THREATS EVERY DAY
- 10,000,000 Bad-Reputation Events
- 700,000 Malware Connections Events
- 30,000 Malware Files Events

Slide 24: INTELLIGENCE COLLABORATION: Security Analysis; IntelliStore; Sensors; CERTs; Security Events Analysis; Security Community; Malware Research

Slide 25: CHECK POINT: WE SECURE THE FUTURE. Thank You