Network Detection and Response with Check Point SandBlast/CloudGuard Now: Video, Slides, and Q&A
Materials for this session available to CheckMates members:
Selected Q&A below.
Is there a specific solution for email security from a "behaviour" point of view inside NOW?
There isn't a specific solution around the content of mails, but SandBlast Now will detect anomalous email traffic. An example would be random hosts attempting to send mail - a possible indicator of a botnet infection. SBN is looking at all the e-mail ports and performing anomaly detection on them.
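As an added illustration of the kind of anomaly described in the answer above (not code from the page, and not how SandBlast Now implements it), the following example compares a baseline of flow records against a later window and flags hosts that start talking to mail ports (25, 465, 587) when they never did before, weighting the alert by how many distinct mail destinations each host fans out to. The flow records, hosts and threshold are constructed for the example.

```python
from collections import defaultdict

# Ports a sensor would treat as "e-mail" traffic: SMTP, SMTPS, submission.
MAIL_PORTS = {25, 465, 587}

# Constructed flow records (timestamp, source host, destination host, destination port).
# In a real deployment these come from the sensor's traffic logs or NetFlow/IPFIX.
BASELINE_FLOWS = [
    ("2024-01-01T08:00:00", "10.0.0.5",  "203.0.113.10", 25),   # the site's mail relay
    ("2024-01-01T08:05:00", "10.0.0.5",  "203.0.113.11", 587),
    ("2024-01-01T09:00:00", "10.0.0.21", "198.51.100.7", 443),  # ordinary workstations
    ("2024-01-01T09:01:00", "10.0.0.22", "198.51.100.7", 443),
    ("2024-01-01T09:02:00", "10.0.0.23", "198.51.100.8", 80),
]

OBSERVED_FLOWS = [
    ("2024-01-02T10:00:00", "10.0.0.5",  "203.0.113.10", 25),   # relay behaving as usual
    ("2024-01-02T10:00:01", "10.0.0.21", "192.0.2.1", 25),      # workstation now sending mail
    ("2024-01-02T10:00:02", "10.0.0.21", "192.0.2.2", 25),
    ("2024-01-02T10:00:03", "10.0.0.21", "192.0.2.3", 25),
    ("2024-01-02T10:00:04", "10.0.0.22", "192.0.2.4", 25),      # second workstation, mixed ports
    ("2024-01-02T10:00:05", "10.0.0.22", "192.0.2.5", 587),
    ("2024-01-02T10:00:06", "10.0.0.22", "192.0.2.6", 465),
    ("2024-01-02T10:01:00", "10.0.0.23", "198.51.100.8", 80),   # nothing mail-related
]


def mail_senders(flows):
    """Map each source host to the set of distinct destinations it contacted on a mail port."""
    senders = defaultdict(set)
    for _ts, src, dst, dport in flows:
        if dport in MAIL_PORTS:
            senders[src].add(dst)
    return senders


def detect_new_mail_senders(baseline, observed, min_distinct_dsts=2):
    """Return hosts that send to mail ports in `observed` but never did in `baseline`.

    A host only becomes an alert when it contacts at least `min_distinct_dsts`
    distinct mail destinations: the fan-out pattern of a spam bot rather than a
    one-off misconfiguration. Hosts that sent mail in the baseline (the relay)
    are treated as expected senders and ignored.
    """
    known = mail_senders(baseline)
    current = mail_senders(observed)
    alerts = []
    for src, dsts in sorted(current.items()):
        if src in known:
            continue
        if len(dsts) >= min_distinct_dsts:
            alerts.append({"host": src, "distinct_mail_destinations": len(dsts)})
    return alerts


if __name__ == "__main__":
    for alert in detect_new_mail_senders(BASELINE_FLOWS, OBSERVED_FLOWS):
        print(f"ALERT new mail sender {alert['host']} "
              f"-> {alert['distinct_mail_destinations']} distinct mail destinations")
```

The baseline is what makes this an anomaly check rather than a port filter: the relay at 10.0.0.5 sends mail all day and is never reported, while the two workstations are reported precisely because mail-port traffic is new for them. This is also why the detect-mode period discussed later in the Q&A matters: the baseline has to be learned before prevention is switched on.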
Is Now available On-Premise and/or in the Cloud?
Both. SandBlast Now is available for physical appliances, CloudGuard Now is available for cloud (Public Cloud + on-premise VMware).
CloudGuard Now is currently available for AWS and GCP, how about Azure?
It is dependent on Azure releasing the relevant monitor capabilities. Once available, we plan to release CloudGuard Now in Azure.
Is it possible to run CG Now in detect mode for a few days/weeks and then create any required exclusions via the Cyber Defense Center and change to prevent mode?
Yes. In fact, this is exactly how most customers start their deployment: in detect mode. Later, they move to inline mode, then prevent/block the identified malicious traffic.
Which Check Point license package includes SandBlast/CloudGuard Now?
To purchase a NOW sensor, you need to purchase the appropriate physical appliance or virtual instance with an NGTX Subscription. In addition, you apply a specific SandBlast NOW sensor license, and a cloud management license for the portal.
I firmly believe SandBlast NOW is one of Check Point's best kept secrets; you could not even find it on the Check Point website. When will Check Point put more focus on sales and marketing for this?
We are working on marketing materials, including a web page and a product brief. This TechTalk is also part of the overall marketing efforts.
Will the ThreatMap and Threat Topology be included into Infinity SOC?
SBN joins Infinity SOC in many use cases, so you get it for free.
What about other devices, are you required to integrate with third party devices?
There isn't an integration required to make SandBlast NOW work, but you can integrate it with external solutions. For example, you can export IoCs from NOW to be consumed by the rest of your security infrastructure, such as Security Gateways and Endpoint security clients.
In the future, will this be integrated with SmartConsole?
It is planned. It's best to deploy SandBlast Now for all the new up-to-date features though.
Not sure how granular is the Cyber Defense Center portal when it comes to prevent/block any malicious traffic.
Smart Intel is granular to the level of a single indicator or a feed - and the specific target - and can be shared across all active security products. It's extremely granular.
How does it work with SSL traffic? How we can inspect that traffic?
There are three main options:
- Anomalies detection can be done without decrypting the traffic.
- Cooperative HTTPS Inspection, which is in EA
- Regular MITM solution
At the level of each country's laws and government statutes for implementing these solutions, are there limitations or restrictions relating to this validation, monitoring and detection of possible attacks? Some government regulations require that the solution be hosted locally or in local cloud resources with a local presence.
We have a clear GDPR statement for customers in the public cloud. Unless Identity Awareness is specifically enabled, there is no PII data. For customers that can't upload data to the cloud, we can work with their on-premise cloud. We are also working on putting CloudGuard Now into AWS GovCloud.
How are IoCs exported/imported: Check Point proprietary or open format?
Currently it is exported via CSV, but we also plan STIX and Snort formats.
When we identify a malware that infected a host, can we retrieve the forensic report from ThreatCloud if SBA already identified and generated the report?
Planned for the future. SBA also has new capabilities like full EDR.
Is this on-prem device essentially a CP security gateway repurposed for SBN?
Yes, and it runs a slightly different image from a regular security gateway. This also applies to cloud-based sensors.
Does the appliance need to sit between your network and WAN connection? Does all traffic need to travel through the appliance?
The traffic can't be analyzed if not seen by the sensor. We have customers that protect at both perimeter and in east/west scenarios.
Which Gateways can support being set up as an on-premise Sandblast-Now box?
Most appliances can be used with SandBlast Now with the exception of SMB appliances and Scalable Platforms. We have a product sheet here where you can review all the models: https://community.checkpoint.com/t5/SandBlast-Now/SandBlast-Now-Product-Brief/m-p/86405#M14
Is this somehow a successor for the public or private ThreatCloud or will Sandblast Now enrich these two products?
Yes, with a lot of additions.
Will SandBlast Now be an option for newly released AWS Gateway Load Balancer?
It is in early availability, reach out to your local Check Point office for more details.