Shay_Levin
Admin

Infinity NDR - Deep Dive

Watch @Nir_Naaman DeepDive TechTalk on Infinity NDR: DEPLOY – HUNT – PREVENT.

The slide deck is attached at the bottom of the post.

1 Reply
Nir_Naaman
Collaborator

Here is a sample from the Q&A from the Deep Dive sessions (EMEA and Americas).

  • Q: In mirroring mode, how do we inspect HTTPS traffic?
    • A: Check Point Application Control blade effectively categorizes encrypted traffic using reputation data on the session peers, and the certificates and SNI exchanged as part of the SSL/TLS handshake. IPS blade can detect exploits at the TLS level.
    • A: Not all important traffic is encrypted. Notably, DNS is normally not encrypted and is matched against ThreatCloud reputation by the Anti-Virus and Anti-Bot blades. Other examples include SCADA protocols, cloud housekeeping protocols, etc.
    • A: Significant parts of attack traffic are not encrypted, revealing details like the identity of infected hosts in C&C communications.
    • A: Infinity NDR Behavioral Analytics mostly operate at the L3/L4 layers, thereby successfully identifying traffic anomalies such as data exfiltration even when the traffic is encrypted.
    • A: Infinity NDR's Cooperative Inspection feature, designed for passive decryption, is not yet GA.
    • A: An Infinity NDR sensor can be deployed in both mirroring and inline configurations. Standard MITM HTTPS Inspection is available in the inline mode.
  • Q: Do we have a real-time sandbox/honeypot with NDR running noting? Would be super helpful to have a real live sensor listening, for example in AWS, always on.
    • A: There are several such environments with NDR installed, you're welcome to spin one up yourself if you like.
  • Q: Is there a solution for classified networks?
    • A: Yes, we have such customers in production. The entire Infinity NDR back end is available for on premises deployment. Where the system is completely isolated from the Internet, a Private ThreatCloud appliance is used with ThreatCloud updates pushed to it through a data diode (unidirectional gateway).
  • Q: How is Infinity NDR licensed?
  • Q: Can we use Quantum Spark Appliances as a sensor?
    • A: Not directly. Dedicated sensors are based on Gaia, not Gaia Embedded.
    • A: However, logs from either log server or SMP can be registered to be sent for Infinity NDR threat analytics, and IOC feeds from NDR can be applied on these appliances.
  • Q: Are integrations with third-party firewalls possible, in order to perform the response?
  • Q: Do you have a guide for binding NDR and Infinity SOC?
    • A: Not yet, we will post instructions on this space.
  • Q: In Views I have MITRE tab and it is empty, how to use this feature?
    • A: This tab is populated only for sensors with R81.10 and above.
  • Q: Can you share how (and when) Infinity NDR will exist with Infinity XDR?
    • A: When: It depends on when Infinity XDR will become GA, this is currently unknown.
    • A: How: XDR integration is expected to be similar to what we're doing with SOC. In addition, customers will be provided the option to forward their network and endpoint logs cloud-to-cloud from NDR to XDR in order to enable XDR analysis on these logs. The resulting insights will be pulled back into Infinity NDR for contextual visualization and response.
  • Q: Will a MAESTRO installation be counted as one license, or do we need to license all blades individually?
    • A: Each Maestro instance has a unique CK and is counted as a GW.
  • Q: Are both consoles being merged? Or will customers need to work on 2 different consoles?
    • A: Currently two different consoles are required - for NDR and SOC.
    • A: However, much of the SOC functionality (insights, intel, remediation agent) is now available within NDR.
  • Q: So Infinity NDR would take logs from all of our products including Harmony Odo (now Connect) & Avanan?
    • A: Product integration is work in progress. Right now these products are not supported.
    • A: Harmony Endpoint logs are in EA, contact us offline if you'd like to participate.
    • A: Harmony Mobile is in internal testing.
  • Q: Also, can we push logs from non-Check Point vendors (i.e. Cisco, Radware, etc.)?
    • A: Not currently supported; 3rd party log ingestion will be added based on RFEs.
  • Q: What is the recommended way to perform upgrades on existing sensors?
    • A: Sensors are upgraded as part of the service.
    • A: If you'd like your sensor to be upgraded sooner rather than later, contact us offline.
  • Q: How would it work in Azure, as their Network TAP service is still on hold?
    • A: An inline non NDR-managed CloudGuard Network Security gateway must be deployed.
    • A: NDR threat analytics is enabled either by registering the CG NS log server; or by configuring the CG NS to Mirror and Decrypt traffic to a dedicated NDR sensor. Mirroring can be done in the clear, or over IPsec.
  • Q: How do you switch the platform from "learning" (to establish your traffic baseline) to "monitor" mode?
    • A: This is done automatically for each AI engine after it accumulates sufficient timeline.
    • A: One of Infinity NDR's competitive advantages is that it combines both AI and the standard Check Point software blades; the latter provide for immediate visibility without the need for baselining.
  • Q: Can logs/alerts be sent to a 3rd party SIEM such as Azure Sentinel?
    • A: Standard Check Point log exporter is used to export logs to SIEM.
  • Q: What is recommended for deployment in AWS when an environment has multiple accounts, within the accounts multiple VPCs and multiple Availability Zones?
    • A: There is no one answer, however you should never cross AZ boundaries because of AWS cost considerations, so a typical configuration is one NDR sensor per AZ.