4. Malware analysis using Check Point forensics. CloudGuard SaaS

We have reached the last product in our Check Point forensics article series. This time we will talk about cloud protection. It is difficult to imagine a company that does not use cloud services (so-called SaaS): Office 365, GSuite, Slack, Dropbox, etc. Of greatest interest here are cloud-based email and cloud-based file storage, the services our employees use every day. However, cloud services are located outside our network, and there is no perimeter for them as such. This, in turn, greatly increases the likelihood of an attack on our users. There are not many security options for cloud applications. Below we look at the Check Point CloudGuard SaaS solution: what it protects against and, most importantly, what forensics and reporting it provides. It may be of interest to those who want to conduct a security audit of their cloud services.

Check Point CloudGuard SaaS

The principle of operation of CloudGuard SaaS is quite simple. The service is a cloud platform that integrates through the API with other SaaS services (Office 365, GSuite, Box, Dropbox, etc.).

In essence, CloudGuard SaaS is a layer between the cloud service and the user. All emails and files are checked by various Check Point engines before they reach the user. The platform itself is integrated with Check Point ThreatCloud and the SandBlast cloud sandbox. You can also configure integration with various user authentication services (Centrify, Okta, Azure AD, etc.) to fully check connecting devices. All management is done through an intuitive web interface.

Key Features of Check Point CloudGuard SaaS:

  • Zero-Day Threat Protection
  • Phishing protection
  • Identity protection
  • Data Leakage Prevention
  • SaaS Shadow IT Discovery
  • Intuitive Cloud Management

More details about these functions can be found in the excellent webinar by Alexei Beloglazov (Check Point):

We will proceed straight to forensics.

CloudGuard SaaS Forensics

As usual, we start with the main CloudGuard SaaS dashboard, the first thing you see when you enter the platform. It shows the total number of threats by category (viruses, phishing, anomalies, DLP, etc.), as well as a map of incidents and the total number of users and services:

Of most interest is the Events tab, which shows incident statistics along with the full list of incidents, filterable by category, reaction, etc.:

By clicking on a specific incident we can drill down into the details, for example, analytics for a specific attacker email address:

Or a description of the phishing activity itself:

In the Events tab, you can filter events by threat type, such as Malware:

and see detailed virus analytics:

As you can see in our example, the email contained an attachment (.xlam file). By clicking on it we will see a report on it:

There are two interesting points here. First, you can immediately see the analytics for this file in VirusTotal (Search this hash in VirusTotal). Sometimes this information is very interesting. In our example, only 3 antivirus engines flagged it as malicious:

There you can see what exactly this file can do:

There is even a graph of relationships:

The second interesting option is to view the sandbox report (View Report). Here we see a report type that is already familiar to us:

As with SandBlast Network, you can also watch a video (slide show) of this file being launched in the sandbox.

In addition to the classic report, we can see general analytics by mail, file share, etc.

At the same time, we can generate our own reports according to ready-made templates:

with fine-grained selection and filtering by various fields:

And of course, the system has a quarantine for emails and files, which is missing from the classic Check Point sandbox (they have promised to fix this):

I highly recommend an article from Anti-Malware.ru magazine as additional material.


I don’t think it’s worth explaining how much more convenient, affordable and reliable cloud services are these days. However, the “clouds” are a real challenge for the “safety net”. Often you have to seek a compromise or completely abandon their use. Check Point CloudGuard SaaS is a great tool to keep your cloud infrastructure under control.

Another important detail is the ease of integration of CloudGuard SaaS. This is much easier than using classic gateways and sandboxes: setup takes just a few clicks in the browser. You can use a free trial version (30 days) of this service to audit the current level of security of your cloud services. In Detect mode, you will receive full reporting on all threats without affecting your infrastructure. A trial license, as well as advice on using CloudGuard SaaS, can be requested from us.

In the near future we plan to launch a small video course on Check Point CloudGuard SaaS. So stay tuned (Telegram, Facebook, VK, TS Solution Blog, Yandex.Zen).
