
Forcepoint NGFW

Evasions
Network Security Must Defend Against Layers within Layers

Diagram: an attack as three nested layers, listed from the outermost camouflage to the final payload.

Evasions ("camouflage")
• App (HTTP, SQL, etc.)
• TCP (Overlapping, Extra)
• IP (Fragments, Ordering)

Exploits ("delivery vehicles")
• Unpatched Vulnerabilities (SMB, Web, DB, etc.)
• Zero-Days

Malware ("theft & compromise")
• Ransomware
• Data Theft
• User Compromise
• System Corruption

© 2019 Forcepoint | 3
Why Taking a New Approach to Security Is So Important

Illustration: the bytes of EXPLOIT, numbered 1 to 7, shown in their original order (E1 X2 P3 L4 O5 I6 T7), scrambled (P3 L4 T7 O5 I6 E1 X2), and restored to the original order (E1 X2 P3 L4 O5 I6 T7).

Evasions ("camouflage") | Exploits ("delivery vehicles") | Malware ("theft & compromise")
The NSS Labs tests: Forcepoint

NGFW (6x): Top Security 2017, 2018
NGIPS (3x): Top Security 2018, 2017

"The Forcepoint 2105 had the highest security effectiveness in the NSS Labs 2018 NGFW Group Test and its throughput was rated even higher than Forcepoint's claimed performance."
Source: NSS Labs 2018 NGFW Test
The Evasion Gap – Most Vendors Leave Networks Exposed

Chart: Forcepoint NSS Test Average by year (axis 60 to 100): 2012: 94.00, 2013: 96.00, 2014: 96.50, 2016: 97.50, 2017: 99.95, 2018: 99.7.

• Many NGFW & IPS fail to stop evasions
• Exploit Kits now make evasions easy
  • Metasploit
  • Shadow Brokers leaked toolkit
• Attacks combining techniques to spread
  • Learning from WannaCry, Petya
Track Record

Forcepoint RECOMMENDED sixth time in a row
• Perfect record
• Some vendors still not handling evasions

NSS Labs test scores by vendor and year:

Vendor            2012   2013   2014   2016   2017   2018
Palo Alto         79     91     60     96     39     98.7
Juniper           27.5   95     N/A    97.5   38     N/A
Cisco ASA         N/A    N/A    N/A    96     N/A    N/A
Forcepoint        94     96     96.5   97.5   99.9   99.7
Check Point       66     98     97     99     89     25
Fortinet          73     92     94     99     78.5   99.3
Huawei            N/A    N/A    N/A    97.5   N/A    N/A
SonicWall         94     98     97.5   98     26     98
Cisco Firepower   N/A    98     99     96     95     71.8
Cyberoam          N/A    N/A    88     58     N/A    N/A
Barracuda         N/A    N/A    89     92.5   25     95
WatchGuard        N/A    28     97.5   N/A    88.5   89.1
Hillstone         98     N/A    N/A    98     N/A    N/A
Sophos            N/A    N/A    N/A    N/A    91     26
Versa Networks    N/A    N/A    N/A    N/A    N/A    90.4
Forcepoint Difference: Strongest Intrusion Prevention

Diagram: pieces of the word EXPLOIT (EX, PL, OI, T) passing through the network stack, inspected one packet at a time on the left and as a reassembled stream on the right.

Packet Inspection
• Misses protocol/encoding evasions
• Pattern-matching misses new variants

Forcepoint STREAM Inspection
• Sees actual payloads
• Vulnerability-centric scanning for preemptive protection
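The contrast this slide draws between per-packet matching and stream inspection, and the TCP "Overlapping, Extra" and IP "Fragments, Ordering" evasions named on the layers slide, can be shown with a small reassembler. The following is an added example written for this page, not Forcepoint or Evader code: the Segment and StreamReassembler types, the compare helper and the three captures are all constructed for illustration, and the reassembler keeps offsets relative to the start of the stream rather than real sequence numbers.

```python
"""Added example: a minimal TCP-style stream reassembler.

Per-packet pattern matching is compared with matching over the reassembled
stream, and overlapping segments whose bytes disagree are flagged the way a
normalizing inspection engine would. All segment data is constructed for
illustration; none of the names below are Forcepoint APIs.
"""
from dataclasses import dataclass, field


@dataclass
class Segment:
    seq: int    # offset of the first payload byte, relative to the stream start
    data: bytes


@dataclass
class StreamReassembler:
    # offset -> byte value, filled in whatever order the segments arrived
    buf: dict = field(default_factory=dict)
    # (offset, byte already held, conflicting byte) for every ambiguous overlap
    conflicts: list = field(default_factory=list)

    def add(self, seg: Segment) -> None:
        """Merge one segment. Overlaps that repeat the same byte are harmless
        retransmissions; overlaps that disagree are recorded as an evasion
        indicator. Policy here: keep the first copy seen. Real TCP stacks
        differ on which copy wins, which is the ambiguity overlap evasions
        rely on, so a normalizer must pick one policy and flag the rest."""
        for i, byte in enumerate(seg.data):
            off = seg.seq + i
            if off in self.buf and self.buf[off] != byte:
                self.conflicts.append((off, self.buf[off], byte))
                continue
            self.buf[off] = byte

    def contiguous(self) -> bytes:
        """Return the in-order bytes from offset 0 up to the first gap."""
        out = bytearray()
        off = 0
        while off in self.buf:
            out.append(self.buf[off])
            off += 1
        return bytes(out)


def packet_match(segments, signature: bytes) -> bool:
    """Packet inspection: look for the signature inside each segment alone."""
    return any(signature in seg.data for seg in segments)


def stream_match(segments, signature: bytes):
    """Stream inspection: reassemble first, then match.
    Returns (hit, reassembled_bytes, conflicts)."""
    r = StreamReassembler()
    for seg in segments:
        r.add(seg)
    payload = r.contiguous()
    return signature in payload, payload, r.conflicts


# Constructed captures, each carrying the 7-byte payload b"EXPLOIT".
PAYLOAD = b"EXPLOIT"

# The slide's picture: one byte per segment, delivered as P3 L4 T7 O5 I6 E1 X2.
REORDERED = [Segment(i, PAYLOAD[i:i + 1]) for i in (2, 3, 6, 4, 5, 0, 1)]

# The same payload split across two segments.
SPLIT = [Segment(0, b"EXP"), Segment(3, b"LOIT")]

# An overlapping segment whose bytes disagree with data already received.
OVERLAP = [Segment(0, b"EXPLOIT"), Segment(2, b"ZZZ")]


def compare(segments, signature: bytes = PAYLOAD) -> dict:
    """Run both inspection styles on one capture and summarise the outcome."""
    hit, payload, conflicts = stream_match(segments, signature)
    return {
        "packet_hit": packet_match(segments, signature),
        "stream_hit": hit,
        "reassembled": payload,
        "conflicting_overlaps": len(conflicts),
    }


if __name__ == "__main__":
    for name, capture in (("reordered", REORDERED), ("split", SPLIT),
                          ("overlap", OVERLAP)):
        print(name, compare(capture))
```

Running it shows the point of the slide: for the reordered and split captures the per-packet check never sees the whole signature while the reassembled stream does, and for the overlap capture the reassembler both recovers the payload and reports three conflicting bytes, which is the kind of ambiguity an inspection engine should treat as an evasion attempt rather than resolve silently.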
The Strongest, Smartest IPS – Standalone or integrated

DYNAMIC STREAM INSPECTION
• Per-Connection Analysis
• Policy-Driven
• High Performance

Deep inspection pipeline: Normalization, Packet Reassembly, Decryption, Inspection

Protection layers, from High-Volume Threats to Targeted, Advanced Threats:
1 CONNECTION CONTROLS: Anti-Spoofing, IP Reputation, Geo-Protection, Invalid Connections
2 USAGE CONTROLS: Control Access by User, URL, Application (server & endpoint)
3 COMMAND CONTROLS: Whitelists for app versions & commands; Protocol Proxies to prevent direct connections
4 VULNERABILITY INSPECTION: Evasion Disruption, Exploit & Anomaly Detection, Anti Botnet
5 MALWARE INSPECTION: File Filtering & Reputation, Antimalware Scanning, Sandboxing
How We Test For Evasions

EVADER BY FORCEPOINT: Ready-Made Evasion Test Lab

Evader in Action

Test setup: Evasion Generator (Evader, carrying the exploit) → Device Being Tested (variety of vendors) → Target System (clients and servers)
Evader Resources
• Forcepoint.com/evader
• YouTube
• Demo by Forcepoint SE
• Onsite Evader test by Forcepoint SE