Forcepoint Reveals CASB UBA, Enhanced Cloud App controls, and the Availability of the Most Effective Zero-day Malware Detection
Forcepoint continues to deliver innovation at a rapid pace, providing enhancements to several products and enabling organizations to securely embrace business in the cloud. Security professionals should be aware of recent activity including:
- Forcepoint CASB delivers the most complete cloud behavior analytics offering of its kind, utilizing machine learning to detect risky cloud usage, anomalous behaviors and the impact of the risk.
- Powerful cloud application controls continue to evolve within Forcepoint Web Security to provide better centralized visibility and management of overall web activity.
- Recently introduced zero-day malware detection capabilities are now available for NGFW, CASB, Web Security and Email security solutions to help block the most advanced threats and optimize incident response teams.
Before getting into details on these recent developments, it is worth noting that Forcepoint’s continual innovation investment and focus on the “Human Point” of security is paying off for customers. Early investments to close gaps in Office 365’s built-in security have driven strong adoption of Forcepoint’s Email Security Cloud offering, with an install base second only to our Web Security Cloud. And years of investment in CSA STAR, ISO, FedRAMP, and other security certifications to build the industry’s most trusted cloud infrastructure offer peace of mind in a world where security services themselves are being breached.
Recent global ransomware attacks such as WannaCry and Petya have also helped by compelling many to re-evaluate their phishing defenses, as well as securing web traffic against botnets, zero-day attacks, etc.
Now let’s review these three most recent developments.
Forcepoint CASB – Cloud Security’s Behavioral Analytics and Anomaly Detection
UBA is not new. Forcepoint’s industry-leading DLP has integrated a form of UBA, Incident Risk Ranking, into Web Security and Email Security as recently as May. However, detecting and reporting anomalous behavior outside your network perimeter is new, and it is fundamental to how Forcepoint CASB protects your employees’ use of cloud applications.
Figure 1 Forcepoint CASB User Risk Dashboard
Forcepoint CASB profiles user behavior and task characteristics such as the geographic location the applications are accessed from, the device OS, the data accessed, and more. A risk score based on probability and business impact is computed to yield an overall risk for this user. A score of 100 or more may lead to an employee showing up in the User Risk dashboard along with other risky users and a watch list.
Figure 2 Forcepoint CASB Detailed Account Page
Administrators can further drill down into the Detailed Account Page to view the user behavior for up to 180 days. A timeline shows the sequence of incidents and reveals the nature of the behavior, how it contributed to the user risk score, and a link to the incident.
Figure 3 Forcepoint CASB detected incident
This capability is more than a UI refactoring - it is a profound change in how organizations understand risk in a world of increasing cloud app use and BYOD, and leads to improved data protection wherever it resides.
Forcepoint Web Security – Cloud Application Controls
While some organizations are quickly adopting cloud applications, others are faced with the task of discovering and controlling Shadow IT under budget constraints. For these customers, Forcepoint Web Security now provides Cloud Application Control, an enhancement to the Cloud Application Visibility and Risk Reporting introduced earlier this year. With Cloud Application Control, organizations can block high-risk cloud applications (Shadow IT) while allowing the use of sanctioned cloud applications approved for use.
Figure 4 Forcepoint Web Security Cloud App Control
Advanced Malware Defense – Arming CASB, NGFW, Web and Email Security Against Zero-day Malware
Forcepoint solutions have scored among the most effective at malware detection for years. But investments by organized crime and nation states continue to increase the complexity and evasiveness of modern malware. By exploiting the limitations of traditional ‘virtualized’ sandboxing approaches, attackers are increasingly avoiding detection. This trend demands a more exact, evasion resistant approach.
Forcepoint recently released Advanced Malware Detection (AMD), powered by Lastline technology, to provide a full ‘emulation’ environment for threat assessment. While ‘virtualization’ is designed for isolated yet high-performance sharing of system resources, ‘emulation’ creates an exact replica of any desired environment, including any flaws. Resources like CPUs are simply shared under virtualization, while ‘emulation’ can create any desired environment necessary to elicit malicious behavior, removing any dependency on the hosting system’s OS or other factors. (Think true mobile device emulation.) This eliminates the clues often used by malware to identify the sandbox and skip all malicious behavior.
Recent tests by NSS Labs gave Lastline a perfect score for detecting 100% of threats in the test, with zero false positives. Forcepoint’s integration of this technology inserts this capability into every key threat vector, supplementing the base solutions’ unique ability to identify other Indicators of Compromise (IoCs) such as compromised web sites, phishing emails, or suspicious web app traffic.
Zero false positives also provide a bonus for Incident Response teams, helping ensure they do not waste time on false positive reports. Having all attack vectors use a single, unified malware detection system further simplifies the work of incident response teams and threat investigators.
Here is a graphical summary of the Deep Content Inspection possible with AMD’s emulation sandbox.
Traditional Sandboxing Ends Here
After months of integration effort, Forcepoint Advanced Malware Detection is now available as an optional add-on to Forcepoint CASB, NGFW, Web Security or Email Security as a cloud service, or as software to be implemented on premises for those with technical or other restrictions.