ThreatCloud Managed Security Service

IPS, Anti-Bot and Antivirus Software Blades defend your network against both external and internal (bot) threats.

The IPS Software Blade provides industry-leading IPS protection with breakthrough performance. This full-featured IPS solution provides real-time and preemptive protection against emerging threats and vulnerabilities.

The Anti-Bot Software Blade detects infected hosts on your network with its unique multi-tier ThreatSpect™ engine. Receiving up-to-the-minute bot intelligence from the ThreatCloud knowledge base, it combines information on remote operator hideouts, botnet communication patterns and attack behavior to accurately identify bot outbreaks. It also prevents damage by blocking bot communication between infected hosts and the botnet’s command and control centers.

The Antivirus Software Blade uses real-time virus signatures and anomaly-based protections from ThreatCloud to detect and block malware at the gateway, before users are affected.

ThreatCloud is a collaborative network and cloud-driven knowledge base that delivers real-time dynamic security intelligence to security gateways. That intelligence is used to identify emerging outbreaks and threat trends. Since processing is done in the cloud, millions of signatures and malware protection can be scanned in real time.

ThreatCloud’s knowledge base is dynamically updated using feeds from a network of global threat sensors, attack information from gateways around the world, Check Point research labs and the industry’s best malware feeds. Based on the resulting security intelligence, updated protections and signatures are created and transmitted to your Check Point gateway. In addition, correlated security threat information is available in your web-based Service Portal so that you can maintain a regional and global perspective of current threats.

Your security logs are uploaded and securely stored at the Check Point SOC for automated threat analysis – without generating any noticeable load on your Internet connection.

The logs are processed by an analytics engine that normalizes them into events, stores them in the database. They are then correlated with previous events and alerts on both your and other service subscribers’ gateways. A variety of rules are applied to decide whether a new alert needs to be generated.

You can choose a service level that fits your needs:

• Monitoring & Alert Service (Standard and Premium) – The Standard level provides automated IPS log analysis and provides alerts to you when a significant event is detected. The Premium level adds the benefit of a Check Point analyst reviewing all alerts in order to determine if immediate action is required; if this occurs, a ticket is generated (see below). Both levels have the option of  adding the Threat Prevention feature, which includes Anti-Bot and Antivirus log analysis.
• Fully-Managed Threat Prevention Service (Elite) – Includes a dedicated Check Point security appliance, premium support including on-site replacement, licenses for the IPS, Anti-Bot, and Antivirus Software Blades, and remote management of the appliance.

For subscribers to the Premium and Elite versions of the ThreatCloud Managed Security Service, a Check Point expert analyst reviews all of your alerts, in order to verify the criticality of each one, and determine whether an immediate action is required.

If the analyst judges the alert to be critical (e.g., a real attack is now occurring, a vulnerability in your network has been discovered, or an infection is evident), the analyst opens a “ticket”.

Tickets document the interaction between the service SOC and you, and are kept open until the issue is resolved. All past tickets are available for review and discussion in the service portal. In cases that require immediate response, the SOC expert can also contact you by phone at your option.

The Web Portal securely connects to the service’s web server, and provides you with several informative views of the activity on your gateway, event and alert occurrences, as well as the real-time security intelligence that ThreatCloud provides.

• The Overview tab provides a summary of your status with the service: last 24 hours events and alerts, open tickets, pending alerts, blocked events, activity map, etc.
• Information about current and past alerts that have been generated by the Service are searchable on the Alerts tab. You can quickly filter results using parameters such as Severity, time frame, source and destination IP address, etc.
• The Events tab provides a similar capability for viewing security events that have occurred.
• Premium and Elite subscribers have access to the Tickets tab, which shows past and present tickets and allows you to interact with the analyst handling a current ticket.
• The Reports tab of the portal offers a variety of predefined reports about protections, events, alerts and attacks. Reports can run immediately, or you can schedule certain reports to run at a certain frequency and to be sent to specific users.
• The Global tab of the portal provides attack information from the Check Point ThreatCloud intelligence database. It also offers you the option to run a report that compares your security statistics vs. the global one, as a benchmark for your organization’s security posture. In addition, it offers access to several blacklists of bad reputation IP addresses.

A Check Point security expert tunes your gateway’s protection policy periodically, optimizing your security and throughput performance.

The frequency of tuning varies with the service level; for Standard customers, tuning is performed yearly. Premium and Elite customers receive quarterly protection tuning.