Threat Emulation

Time
1 hour 35 minutes
Difficulty
Intermediate
CEU/CPE
2
Video Transcription
00:00
>> [MUSIC] This module we will cover Threat Emulation, Check Point's sandboxing technology. With Threat Emulation, we will take files that might potentially be compromised, send them to the ThreatCloud, have them emulated and, if there are threats, get notified and block those connections. We can set the emulation connection handling mode for SMTP, IMAP, IMAP secure, and POP3. We also can change the location to a remote emulation device instead of the default public ThreatCloud.

The Threat Emulation engine settings. We can set the protection scope to either all traffic or just incoming traffic from DMZ or external. We can set the protocol to scan HTTP over any port, SMTP, IMAP, IMAP secure, and POP3. We can configure which file types we want to scan. Another configuration is the emulation handling mode: background, where connections are allowed until emulation is complete, or hold, where connections are blocked until emulation is complete.

Threat Emulation file types: we can select the file types for Threat Emulation and we can choose if we want to inspect or bypass each type.

We also have sandboxing reports. You can log in to your User Center account, click on the license for Threat Emulation, and open up the Threat Emulation reports. We can see the numbers here: how many were scanned, how many were emulated, how many were malicious, what types they were, and more.

The private cloud: the GAiA Embedded gateway supports a Private ThreatCloud. Essentially, you can have an on-premises SandBlast Threat Emulation and Threat Extraction appliance. The private Threat Emulation appliance can be configured via the WebUI. The default is going to be public cloud, and you can see it can easily be changed.

To set the Threat Emulation scopes, you will need to go to Threat Prevention. Here we can see that all the blades are currently enabled and up-to-date. If we go to IPS protections, I can see all of the current protections, and here we have settings for IPS, antivirus, anti [inaudible], and Threat Emulation. I can see the scope. The current scope is to scan incoming files from external and DMZ interfaces. I can click on that and customize the interfaces, or I can just scan both incoming and outgoing files; scan protocols, HTTP and mail protocols. The file types policy: I can go ahead and configure specific file types. We have the handling mode that we've mentioned before: background, where connections are allowed until emulation handling is complete, or hold, where connections are blocked until emulation handling is complete, which is more strict, and the option for detect-only mode. Don't forget, if you're making any changes, hit "Apply." That concludes the Threat Emulation module.

[MUSIC]