CheckPoint's new blade will be released in Q1 2012 and is aimed at handling infected machines in the network, despite this being an endpoint problem rather than a network problem.
The blade will identify bot traffic passing through the security gateway and stop it, be it C&C communication, spam or the transfer of sensitive data.
The blade also has forensic analysis functionality, which gives you statistics on how many hosts are infected and what sort of attack is involved (sensitive data theft, DDoS, spam, etc.).
Why should customers care about botnets?
I don’t think the majority see the danger of botnets, and some will perhaps not care whether or not some of their computers send out some DDoS pings every now and again, but the threat is getting more sophisticated, with bots used for criminal activities such as attacks on servers, information gathering, banking theft and so on.
Most people, however, do not wish to have spam bots in their network.
If your network is infected with spam bots, your ISP could react by blocking outgoing SMTP, your IPs could end up on reputation lists and be considered unsafe. It can be a real hassle to get yourself off these lists.
Many companies fear theft of data, and the trend is indeed that cyber crime has become a service on demand and more Advanced Persistent Threat (APT) based, where someone persistently targets one entity. Stuxnet, which attacked PLC systems and was used against the Iranian nuclear programme, is just one example of this.
Or it could be more general, with bots trying to gather sensitive or financial information from any company they infect.
Multi-tier ThreatSpect Engine
.. is what we’ll find under the bonnet of CheckPoint's Anti-Bot blade. This engine resides on the security gateway as an integrated solution and identifies and blocks bot communication.
The engine uses multiple methods to identify bot traffic:
• IP/DNS/URL reputation to block communication with known C&C sites.
• Detection of unique botnet communication patterns across multiple protocols.
• Bot damage and attack behaviour.
Patterns and attack behaviours are updated from CheckPoint's ThreatCloud.
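As an added illustration (not CheckPoint's code and not a description of how ThreatSpect is actually implemented), here is a toy classifier that applies the three tiers above to a few constructed flow records: a reputation lookup, a beaconing check for fixed-interval C&C traffic, and an outbound-SMTP fan-out check like the spam-bot case mentioned earlier. All addresses, domains and thresholds are made up.

```python
"""Toy three-tier bot-traffic classifier: reputation, communication pattern,
damage behaviour. Every address, domain and threshold here is constructed."""
from collections import defaultdict

# Tier 1: reputation data (placeholders from RFC 5737 test ranges, not real IoCs)
KNOWN_CC_IPS = {"203.0.113.7"}
KNOWN_CC_DOMAINS = {"cc.example.invalid"}

# Tier 2: beaconing = repeated connections to one destination at a fixed interval
BEACON_MIN_CONNS = 4
BEACON_MAX_JITTER = 2          # seconds of allowed interval variation

# Tier 3: damage behaviour = one host pushing SMTP to many distinct mail servers
SPAM_DST_THRESHOLD = 5

def classify(flows):
    """flows: list of dicts with keys t (seconds), src, dst, dport, domain.
    Returns {src_ip: set(reasons)} for every host that trips at least one tier."""
    verdicts = defaultdict(set)
    by_pair = defaultdict(list)      # (src, dst) -> connection timestamps
    smtp_dsts = defaultdict(set)     # src -> distinct SMTP destinations
    for f in flows:
        if f["dst"] in KNOWN_CC_IPS or f.get("domain") in KNOWN_CC_DOMAINS:
            verdicts[f["src"]].add("reputation")
        by_pair[(f["src"], f["dst"])].append(f["t"])
        if f["dport"] == 25:
            smtp_dsts[f["src"]].add(f["dst"])
    for (src, _dst), times in by_pair.items():
        times.sort()
        if len(times) >= BEACON_MIN_CONNS:
            gaps = [b - a for a, b in zip(times, times[1:])]
            if max(gaps) - min(gaps) <= BEACON_MAX_JITTER:
                verdicts[src].add("beaconing")
    for src, dsts in smtp_dsts.items():
        if len(dsts) >= SPAM_DST_THRESHOLD:
            verdicts[src].add("spam-behaviour")
    return dict(verdicts)

# Constructed sample traffic: A beacons to a listed C&C every 60 s, B fans out
# SMTP to six mail servers, C is ordinary browsing with irregular timing.
SAMPLE_FLOWS = (
    [{"t": 60 * i, "src": "10.0.0.5", "dst": "203.0.113.7", "dport": 443,
      "domain": "cc.example.invalid"} for i in range(5)]
    + [{"t": 10 + i, "src": "10.0.0.9", "dst": f"198.51.100.{i}", "dport": 25,
        "domain": None} for i in range(6)]
    + [{"t": t, "src": "10.0.0.12", "dst": "192.0.2.80", "dport": 443,
        "domain": "www.example.com"} for t in (0, 7, 50, 51, 200)]
)

if __name__ == "__main__":
    for host, reasons in sorted(classify(SAMPLE_FLOWS).items()):
        print(host, sorted(reasons))
```

Note that the beaconing and fan-out tiers catch hosts with no reputation hit at all, which is the point of layering them; the trade-off is that thresholds this simple also need tuning against legitimate traffic such as a real mail relay.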
From what I can gather, the ThreatSpect Engine is completely signature-based, without any sandbox functionality. So smaller botnets not caught by CheckPoint's honeypot may very well slip through.
The ThreatSpect engine can be configured to scan traffic per user or machine, so it offers the granularity we would normally expect.
CheckPoint claims that during experimentation and testing of the software blade in 2011, 100% of all infected hosts were found and blocked.
The Anti-bot blade used in combination with Anti-malware/virus, Anti-spam, IPS and URL-filtering surely provides a good threat management solution.
CheckPoint claims to have very robust forensic analysis for the Anti-Bot blade, with information on which hosts are infected, the sort of infection, the level of attack, self-distribution attempts and the attack types performed by the bots.
SmartEvent will be the tool for this analysis, and with SmartReporter I expect you can create executive reports for your boss.
Availability of the blade
The blade is scheduled for GA-release Q1 2012 with an EA-release Q4 2011.
A more in-depth look at the Anti-Bot blade will be published on this website after the EA is released.