
PRACTICAL PREVENTION

MAXIMUM ZERO-DAY PROTECTION WITHOUT COMPROMISING PRODUCTIVITY

INTRODUCTION
Cybersecurity professionals face the persistent challenge of maximizing
security without disrupting user productivity. Most would admit it is an
untenable balancing act: overly aggressive security makes users balk, while
weak security does not provide the defense needed against today's
sophisticated zero-day attacks.

Is there a happy medium?

This paper introduces a hybrid prevention approach that uses dynamic sandbox
technology to prevent zero-day attacks while avoiding the latency that hurts
user and business productivity. It pairs sandboxing with content disarm and
reconstruction (CDR), also called file sanitization, elevating your
cybersecurity from passive malware detection to proactive, multi-threat
prevention.
PRACTICAL PREVENTION: MAXIMUM ZERO-DAY PROTECTION WITHOUT COMPROMISING PRODUCTIVITY | 3

PROTECTING AGAINST KNOWN AND UNKNOWN THREATS


IT security is expected to defend against the entire gamut of known and unknown
threats. Ask any security manager and they will tell you that today's threat actors
deliver attacks in many forms, from infected websites and web file downloads to
phishing emails with infected attachments and malware embedded in common
business files.

Known file-based malware can be verified against large signature-based threat
intelligence databases, which cover known samples and their known variants.
Security vendors offer signature-matching capabilities and rely on their threat
research teams to collect and process the underlying threat intelligence. A
signature cannot, however, catch a variant engineered to evade it, and that is
exactly the unknown threat that matters.

Security vendors therefore also focus on detecting and preventing unknown
file-based attacks, or zero-day attacks. Most solutions use sandboxing: the file
is detonated in an isolated, instrumented environment that acts as bait for any
embedded exploit. Once malicious code executes, its behavior is measured and
classified by multiple machine learning-based engines. The verdict lets the
organization's security operations center (SOC) and incident response teams
investigate and remediate, the file download is blocked, and the damage the
malware would have done is proactively prevented.

SANDBOX TECHNOLOGIES DIFFER GREATLY IN THEIR ABILITY TO:

• Detect malware evasion

• Keep a low level of false positives

• Perform effectively to make fast decisions

• Maintain a high detection rate

SACRIFICING SECURITY TO ACHIEVE PRODUCTIVITY IS A HIGH PRICE TO PAY

As independent product testing such as the NSS Labs Breach Prevention System
(BPS) test shows, leading security vendors are improving their prevention rates.
However, as noted in the introduction, latency is the weak point of sandboxing.
Running a file through a broad set of simulated environments and waiting for the
exploit to trigger takes time, sometimes several minutes. Most businesses can
tolerate a short delay on incoming email, but few will accept the same delay on a
web download. Users expect file handling to be transparent; anything less raises
red flags within the business, and IT security can be pushed into rolling advanced
threat prevention back into a detection-and-response mode, where the file is
delivered first and inspected afterwards.

TRADEOFFS WITH FILE SANITIZATION


CDR technology proactively removes all active or exploitable content, whether
it is malicious or not, and sanitizes files before delivering them to end users.
The CDR process benefits an organization because sanitized files:

• Are free from hidden exploits, known or unknown, since the content an exploit
needs is removed rather than detected

• Look and behave like the original file for ordinary use

• Arrive almost instantaneously, the process taking only a couple of seconds

The downside is that users may not receive all of a file's original components.
For instance, a user receives an Excel spreadsheet only to find that a macro they
need is missing from the 'clean' version. Or users are simply more comfortable
working with an original, unaltered file. CDR improves security by removing the
vehicles of infection, but sometimes it comes at a price.

ADVANTAGES OF A HYBRID PREVENTION APPROACH


To achieve maximum security, productivity and usability, organizations should use
security gateways that employ a hybrid prevention approach combining advanced
sandboxing with file sanitization. Check Point Software has used this approach in
developing its network and endpoint threat prevention solutions.

The graphic below shows how it works:

• The user receives or downloads a file.

• The security gateway sends the file for inspection: the sandbox detonates it
while the CDR engine produces a sanitized copy.

• The sanitized copy is delivered with a watermark and a link to the original file.

• Hybrid prevention thus offers malware-free files in real time.

As a result, the user immediately receives a malware-free file. Should the user
need the original (once the sandbox has certified it free of malware), the original
file is available for download through that link. The organization gains an
effective layered defense against zero-day attacks, since the sanitization engine
and the sandbox engine each independently prevent the malware from executing.
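The two mechanisms described above (the CDR pass in "Tradeoffs with file sanitization" and the hybrid delivery flow in this section) as one worked example. This is an added illustration, not Check Point's code or the engine behind its products: it strips the VBA project from an Excel OOXML package by rebuilding the zip from inert parts, then hands the sanitized copy out immediately while the original is held until a sandbox verdict arrives. The part names, relationship types and content types are the standard OOXML ones; the sample workbook is constructed inline, the sandbox is simulated by a callable, and the quarantine path and watermark format are assumptions for the demo.

```python
"""Minimal CDR (content disarm and reconstruction) for an Excel OOXML package plus
the paper's hybrid delivery flow.  Added example, not Check Point's code.  The
sample workbook is constructed inline and the sandbox is a stand-in callable.
Only the VBA project is disarmed; a real CDR engine also handles OLE, DDE,
ActiveX controls, external links and embedded files."""
import io
import re
import zipfile

PKG_REL = "http://schemas.openxmlformats.org/package/2006/relationships"
DOC_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
VBA_REL_TYPE = "http://schemas.microsoft.com/office/2006/relationships/vbaProject"
MACRO_CT = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
PLAIN_CT = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
ACTIVE_PART_RE = re.compile(r"(^|/)(vbaProject\.bin|vbaData\.xml)$")  # executable parts
REL_RE = re.compile(r"<Relationship\b[^>]*/>")
OVERRIDE_RE = re.compile(r"<Override\b[^>]*/>")


def part_names(data: bytes) -> list:
    return zipfile.ZipFile(io.BytesIO(data)).namelist()


def read_part(data: bytes, name: str) -> str:
    return zipfile.ZipFile(io.BytesIO(data)).read(name).decode("utf-8")


def sanitize_ooxml(data: bytes) -> tuple:
    """Rebuild the package keeping only inert parts: drop active parts, the relationships
    and content-type overrides that reference them, and downgrade the macro-enabled
    workbook type to the plain one.  Returns (clean_bytes, audit_list)."""
    names = part_names(data)
    dropped = {n for n in names if ACTIVE_PART_RE.search(n)}
    removed = [f"part:{n}" for n in sorted(dropped)]

    def filter_rel(m):
        rel = m.group(0)
        if VBA_REL_TYPE in rel:
            removed.append("rel:" + rel)
            return ""
        return rel

    def filter_override(m):
        ov = m.group(0)
        if any(f'PartName="/{p}"' in ov for p in dropped):
            removed.append("content-type:" + ov)
            return ""
        return ov.replace(MACRO_CT, PLAIN_CT)

    src, out_buf = zipfile.ZipFile(io.BytesIO(data)), io.BytesIO()
    with zipfile.ZipFile(out_buf, "w", zipfile.ZIP_DEFLATED) as out:
        for name in names:
            if name in dropped:
                continue
            body = src.read(name)
            if name.endswith(".rels"):
                body = REL_RE.sub(filter_rel, body.decode("utf-8")).encode("utf-8")
            elif name == "[Content_Types].xml":
                body = OVERRIDE_RE.sub(filter_override, body.decode("utf-8")).encode("utf-8")
            out.writestr(name, body)  # fresh entries: zip comments and extra fields are not copied
    return out_buf.getvalue(), removed


def hybrid_deliver(filename: str, data: bytes, sandbox) -> dict:
    """Hybrid prevention: hand out the sanitized copy at once and hold the original
    until the slow sandbox verdict is "benign".  `sandbox` is a callable standing in
    for the detonation engine; the watermark and the link to the original are
    modelled as delivery metadata rather than written into the document."""
    clean, removed = sanitize_ooxml(data)
    clean_name = re.sub(r"\.(xls|doc|ppt)m$", r".\1x", filename)  # .xlsm -> .xlsx
    delivery = {
        "filename": clean_name, "sanitized": clean, "removed": removed,
        "watermark": f"Sanitized copy of {filename}: {len(removed)} active element(s) removed",
        "original_link": f"/quarantine/{filename}",  # hypothetical gateway path
        "original_released": False,
    }
    # Slow path; a real gateway runs this asynchronously after the copy is delivered.
    delivery["original_released"] = sandbox(data) == "benign"
    return delivery


def build_demo_xlsm() -> bytes:
    """Constructed sample: a macro-enabled workbook with a placeholder VBA project."""
    ct = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
          '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
          '<Default Extension="xml" ContentType="application/xml"/>'
          f'<Override PartName="/xl/workbook.xml" ContentType="{MACRO_CT}"/>'
          '<Override PartName="/xl/worksheets/sheet1.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.worksheet+xml"/>'
          '<Override PartName="/xl/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>')
    parts = {
        "[Content_Types].xml": ct,
        "_rels/.rels": f'<Relationships xmlns="{PKG_REL}"><Relationship Id="rId1" Type="{DOC_REL}/officeDocument" Target="xl/workbook.xml"/></Relationships>',
        "xl/workbook.xml": f'<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:r="{DOC_REL}"><sheets><sheet name="Q3" sheetId="1" r:id="rId1"/></sheets></workbook>',
        "xl/_rels/workbook.xml.rels": f'<Relationships xmlns="{PKG_REL}"><Relationship Id="rId1" Type="{DOC_REL}/worksheet" Target="worksheets/sheet1.xml"/><Relationship Id="rId2" Type="{VBA_REL_TYPE}" Target="vbaProject.bin"/></Relationships>',
        "xl/worksheets/sheet1.xml": '<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"><sheetData><row r="1"><c r="A1" t="inlineStr"><is><t>Q3 figures</t></is></c></row></sheetData></worksheet>',
        "xl/vbaProject.bin": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,  # OLE magic only, dummy
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    print(hybrid_deliver("q3.xlsm", build_demo_xlsm(), lambda raw: "malicious")["removed"])
```

Two design points worth noting. The sanitizer never copies zip entries through; it reads each part and writes a fresh entry, so anything that rides in a zip comment, extra field or trailing bytes is discarded along with the VBA project, which is the CDR principle of reconstruction rather than filtering. And `hybrid_deliver` fills in `original_released` only after the sandbox returns, mirroring the paper's flow: the user works on the sanitized copy straight away, and the original is unlocked behind the link only once detonation has certified it.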

THE BENEFITS OF HYBRID PREVENTION


Detection-only cybersecurity identifies malware only after it has penetrated your
perimeter, by which time it may have spread laterally within your network to infect
other assets. Your security gateway identifies the attack, but it does not prevent
it. An organization that accepts this assumes it can either absorb the damage or
send an incident response team to clean up afterwards.

In today's cyber threat landscape, a detection-only approach is insufficient.
Cyberattacks can be targeted and evasive, and if data is stolen the cost to the
organization will be high. Threat prevention is required.

The hybrid approach presented here, and used in Check Point's threat prevention
solutions, is a practical way for organizations to elevate their threat prevention
capabilities and complement existing detection and response security. Pairing
advanced sandboxing with CDR file sanitization is just one example of how you can
balance security and productivity. The approach lets your business run without
file-handling latency while you implement cybersecurity that effectively prevents
evasive zero-day attacks.

BENEFITS OF A HYBRID PREVENTION APPROACH

• Layered security against zero-day threats: CDR combined with sandboxing

• Prevents attacks, rather than merely detecting them

• No impact on productivity and business agility, since users never wait on the
sandbox verdict

• Unified management and monitoring, which improves user productivity

Worldwide Headquarters
5 Ha’Solelim Street, Tel Aviv 67897, Israel | Tel: 972-3-753-4555 | Fax: 972-3-624-1100 | Email: info@checkpoint.com
U.S. Headquarters
959 Skyway Road, Suite 300, San Carlos, CA 94070 | Tel: 800-429-4391; 650-628-2000 | Fax: 650-654-4233
www.checkpoint.com
© 2019 Check Point Software Technologies Ltd. All rights reserved.
