Adallom & Check Point teamed up to Detect Advanced Threats in Cloud Apps

Adallom & Check Point Threat Emulation Integration

Overview

Organizations of all sizes are making the shift to cloud applications to improve efficiency and enable better IT agility. While there are clear benefits driving the move to the cloud, consideration must be given to the security of critical data in the cloud and to emerging threats in this new environment. In particular, as documents are stored in, shared through and retrieved from cloud applications, organizations may be exposed to zero-day exploits and Advanced Persistent Threats (APTs).

Check Point and Adallom have partnered to address these challenges. Check Point ThreatCloud Emulation inspects files by running them in a virtual sandbox to discover malicious behavior. This technique has proven effective at finding malware that traditional anti-virus engines miss. The joint integration of Check Point’s cloud-based ThreatCloud Emulation and the Adallom cloud access security broker enables organizations to detect new exploits, zero-day attacks and targeted advanced persistent threats in content stored in cloud applications.

Modern Malware Extends To The Cloud

Advanced cyber attacks employ stealthy, persistent methods to evade traditional security measures. Many targeted attacks now begin with modern malware or with unknown, undiscovered zero-day exploits delivered in files and email attachments.

As the Sony hack showed, targeted attacks can easily extend into cloud environments, but the reverse is also true: organizations are at risk not only from attacks on their cloud applications, but from any attack in the cloud making its way into the corporate network when users download infected files.

Cloud applications offer a unique malware environment for skilled adversaries:

  • Most activities in the cloud occur outside of the boundaries of the traditional security perimeter. With the ubiquity of cloud access, users can connect from a variety of locations and devices that are unmanaged and unsecured.
  • Cloud applications and cloud content management systems make it easy to share and collaborate on content among internal users and external parties, so any malware infection can spread very quickly.
  • Automation tools upload content to cloud applications from various sources, including cloud-to-cloud integrations. Malware may be inadvertently uploaded to cloud applications via the cloud application ecosystem.

These challenges make it critical that documents of any type stored in cloud applications are inspected in a sandboxing environment and detonated against a wide range of browsers, plug-ins and applications to detect resident malware.

The components of the Check Point and Adallom integration include:

  • Check Point ThreatCloud Emulation – Check Point ThreatCloud Emulation prevents infections from undiscovered exploits, zero-day and targeted attacks. By emulating files within a virtual sandbox environment it flags those that engage in suspicious or malicious behavior. ThreatCloud Emulation employs several detection engines working side by side to maximize detection rate and evasion resistance, and its threat prevention engine is designed to identify threats before they have had a chance to attempt sandbox-evasion methods. Once new threats are discovered, their signatures are immediately added to the Check Point ThreatCloud, so the new malware becomes a known and documented threat, improving catch rates and efficacy against future attacks.
  • Adallom cloud access security broker – Adallom delivers visibility, governance and protection for cloud applications. Its innovative platform is simple to deploy, seamless and extensible, and is available as a SaaS-based or on-prem solution. Adallom can discover more than 13,000 cloud applications in use, to help organizations manage vendor selection and the procurement process, and use the results to guide users towards corporate approved cloud applications. With its comprehensive governance and security controls, organizations gain actionable insights into cloud application usage, address compliance requirements and protect users in real-time. Adallom’s platform is extensible, delivering core controls that integrate with existing enterprise security systems.

Adallom integrates with cloud applications via API or SmartProxy deployment modes. Organizations define governance policies around files, including content inspection policies, on the Adallom platform. When malware sandboxing policies are configured, Adallom calls the Check Point ThreatCloud service to scan documents in cloud applications for malware.

The integration works as follows:

  1. Deployment: Adallom is deployed to secure an organization’s cloud applications in less than 8 minutes via its API connectors. Adallom then connects to the Check Point ThreatCloud service using an API key generated for the organization’s account.
  2. Policy creation: A file policy is created in Adallom to send files-at-rest, or files uploaded to cloud applications, to the Check Point ThreatCloud service for inspection. Granular file inspection policies can be defined on, for example:
    • File metadata - file type, file size, sharing level and file owner
    • File source attributes - files uploaded from an external IP address, files modified by an external user

  Basic threat detection capabilities such as antivirus scans and signature checks can also be configured alongside sandboxing.

  3. Malware detected: Once files are inspected and malware is identified, a detailed analysis report is generated and an alert is raised on the Adallom platform. The alert can drive cloud remediation actions (quarantine the file, remove sharing, etc.) as well as administrator and end-user notifications.
  4. Monitoring: Alerts are also pushed to the organization’s security information and event management (SIEM) system. Check Point customers can use their existing SmartEvent to monitor and track SaaS threat prevention activity; the Check Point ThreatCloud Emulation service sends its events to the on-premises SmartEvent.
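The policy-driven flow in steps 2 to 4 (select files by metadata and source attributes, act on a verdict, hand the alert to a SIEM) can be sketched in code. The block below is an added illustration and is not Adallom or Check Point code: the policy fields, the file record, the corporate address ranges and domain, the sandbox verdict (a constructed value standing in for the ThreatCloud result) and the CEF event layout are all assumptions.

```python
import ipaddress
from dataclasses import dataclass
from pathlib import PurePosixPath

# Constructed corporate address ranges and domain (assumptions for the example).
CORPORATE_NETS = (ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("203.0.113.0/24"))
CORPORATE_DOMAIN = "example.com"
SHARING_RANK = {"private": 0, "internal": 1, "external": 2, "public": 3}


@dataclass(frozen=True)
class CloudFile:
    """Assumed view of a file-at-rest or a newly uploaded file in a cloud app."""
    path: str
    owner: str          # e-mail of the owning user
    size: int           # bytes
    sharing: str        # key of SHARING_RANK
    uploader_ip: str    # source address of the upload
    modified_by: str    # e-mail of the last editor

    @property
    def file_type(self) -> str:
        # Last suffix only, so "invoice.pdf.exe" is treated as an executable.
        return PurePosixPath(self.path).suffix.lstrip(".").lower()


@dataclass(frozen=True)
class FilePolicy:
    """Assumed inspection policy: every condition that is set must hold."""
    name: str
    file_types: frozenset = frozenset()     # empty means any type
    max_size: int = 50 * 1024 * 1024        # sandboxes cap sample size
    min_sharing: str = "private"            # shared at least this widely
    external_source_only: bool = False      # uploaded from outside CORPORATE_NETS
    external_editor_only: bool = False      # last edited by a non-corporate user


def is_external_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in CORPORATE_NETS)


def is_external_user(email: str) -> bool:
    return not email.lower().endswith("@" + CORPORATE_DOMAIN)


def matches(policy: FilePolicy, f: CloudFile) -> bool:
    if policy.file_types and f.file_type not in policy.file_types:
        return False
    if f.size > policy.max_size:
        return False
    if SHARING_RANK[f.sharing] < SHARING_RANK[policy.min_sharing]:
        return False
    if policy.external_source_only and not is_external_ip(f.uploader_ip):
        return False
    if policy.external_editor_only and not is_external_user(f.modified_by):
        return False
    return True


def select_for_sandbox(files, policies):
    """Map path -> names of the policies that send the file to emulation."""
    hits = {}
    for f in files:
        names = [p.name for p in policies if matches(p, f)]
        if names:
            hits[f.path] = names
    return hits


def remediation_actions(f: CloudFile, verdict: str):
    """Cloud-side actions an alert would drive for a given sandbox verdict."""
    if verdict != "malicious":
        return []
    actions = ["quarantine_file", "notify_admin", "notify_owner"]
    if f.sharing != "private":
        actions.insert(1, "remove_sharing")   # cut off spread before notifying
    return actions


def _esc_header(s: str) -> str:
    return s.replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(s: str) -> str:
    return s.replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def to_cef(f: CloudFile, verdict: str, actions, policy_names) -> str:
    """One ArcSight CEF line, a format most SIEMs ingest directly."""
    severity = "10" if verdict == "malicious" else "3"
    header = (f"CEF:0|ExampleCASB|FileInspection|1.0|sandbox-{_esc_header(verdict)}|"
              f"{_esc_header('Cloud file sandbox verdict')}|{severity}|")
    ext = {"fname": f.path, "suser": f.owner, "src": f.uploader_ip,
           "fsize": str(f.size), "cs1Label": "policy",
           "cs1": ",".join(policy_names), "act": ";".join(actions) or "none"}
    return header + " ".join(f"{k}={_esc_ext(v)}" for k, v in ext.items())


# Constructed sample inventory and policies.
SAMPLE_FILES = [
    CloudFile("Finance/Q3-forecast.xlsx", "alice@example.com", 420_000,
              "internal", "10.20.30.40", "alice@example.com"),
    CloudFile("Shared/invoice.pdf.exe", "bob@example.com", 1_200_000,
              "external", "198.51.100.7", "vendor@partner.test"),
    CloudFile("Public/brochure.pdf", "carol@example.com", 90_000_000,
              "public", "203.0.113.9", "carol@example.com"),
]
POLICIES = [
    FilePolicy("executables-any-source",
               file_types=frozenset({"exe", "dll", "js", "vbs"})),
    FilePolicy("office-docs-from-external",
               file_types=frozenset({"docx", "xlsx", "pdf"}),
               external_source_only=True),
    FilePolicy("external-share-edited-by-outsider",
               min_sharing="external", external_editor_only=True),
]

if __name__ == "__main__":
    hits = select_for_sandbox(SAMPLE_FILES, POLICIES)
    for f in SAMPLE_FILES:
        if f.path in hits:
            verdict = "malicious"   # constructed stand-in for the sandbox result
            print(to_cef(f, verdict, remediation_actions(f, verdict), hits[f.path]))
```

Two points worth noting from the run: the 90 MB brochure is skipped by every policy because it exceeds the assumed sandbox size cap, so the selection output should be reviewed for such gaps and not only for hits; and "remove_sharing" is ordered before the notifications because every minute an infected file stays shared in a collaboration platform widens the blast radius.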

Benefits of Check Point and Adallom Integration

The joint integration delivers a number of benefits:

  • Enables secure cloud collaboration by identifying unknown malware, zero day exploits and advanced persistent threats in any documents stored in and uploaded to cloud applications
  • Delivers proactive security by turning unknown malware into known threats and extending protections to any Adallom and Check Point customers globally
  • Seamlessly extends alerts to any existing threat analytics or SIEMs to preserve investment protection.

Summary

The joint Check Point and Adallom integration ensures protection of organizations from modern malware, zero day exploits and APTs via infected cloud documents. Granular policies can be implemented based on file attributes, and the solution works seamlessly with any existing SIEM and threat analytics platform. The joint integration allows IT organizations to unlock the benefits of SaaS applications without compromising security.

I love the Adallom solution, so relevant to today's businesses. And it works!


More articles by Amir Haramaty
