The Check Point ThreatCloud

In This Section: Updating IPS Protections Scheduling Updates Updating Threat Emulation

Check Point ThreatCloud is a dynamically updated service that is based on an innovative global network of threat sensors and organizations that share threat data and collaborate to fight against modern malware. Customers can send their own threat data to the ThreatCloud and benefit from increased security and protection and enriched threat intelligence. The ThreatCloud distributes attack information, and turns zero-day attacks into known signatures that the Anti-Virus Software Blade can block. The Security Gateway does not collect or send any personal data.

Participation in Check Point information collection is a unique opportunity for Check Point customers to be a part of a strategic community of advanced security research. This research aims to improve coverage, quality, and accuracy of security services and obtain valuable information for organizations.

The ThreatCloud repository contains more than 250 million addresses that were analyzed for bot discovery and more than 2,000 different botnet communication patterns. The ThreatSpect engine uses this information to classify bots and viruses.

For the reputation and signature layers of the ThreatSpect engine, each Security Gateway also has:

• A local database, the Malware database that contains commonly used signatures, URLs, and their related reputations. You can configure automatic or scheduled updates for this database.
• A local cache that gives answers to 99% of URL reputation requests. When the cache does not have an answer, it queries the ThreatCloud repository.
  • For Anti-Virus - the signature is sent for file classification.
  • For Anti-Bot - the host name is sent for reputation classification.

Access the ThreatCloud repository from:

• SmartConsole - You can add specific malwares to rule exceptions when necessary. From the Threat Prevention Rule Base in SmartConsole, click the plus sign in the Protection column in the rule exceptions, and the Protection viewer opens.
• ThreatWiki - A tool to see the entire Malware database. Open ThreatWiki in SmartConsole or access it from the Check Point website.

Data which Check Point Collects

When you enable information collection, the Check Point Security Gateway collects and securely submits event IDs, URLs, and external IPs to the Check Point Lab regarding potential security risks.

For example:

<entry engineType="3" sigID="-1" attackName="CheckPoint - Testing Bot" sourceIP="7a1ec646fe17e2cd" destinationIP="d8c8f142" destinationPort="80" host="www.checkpoint.com" path="/za/images/threatwiki/pages/TestAntiBotBlade.html" numOfAttacks="20" />

This is an example of an event that was detected by a Check Point Security Gateway. It includes the event ID, URL, and external IP addresses. Note that the data does not contain confidential data or internal resource information. The source IP address is obscured. Information sent to the Check Point Lab is stored in an aggregated form.

Updating IPS Protections

Check Point constantly develops and improves its protections against the latest threats. You can immediately update IPS with real-time information on attacks and all the latest protections. You can manually update the IPS protections and also set a schedule when updates are automatically downloaded and installed. IPS protections include many protections that can help manage the threats against your network. Make sure that you understand the complexity of the IPS protections before you manually modify the settings.

Note - To enforce the IPS updates, you must install policy.

To update IPS Protections:

1. In SmartConsole, click Security Policies > Threat Prevention.
2. In the Threat Tools section, click Updates.
3. In the IPS section > Update Now, from the drop-down menu, select:
   • Download using SmartConsole (if your Security Management Server has no internet access), or
   • Download using Security Management Server.
4. Install Policy.

Scheduling Updates

You can change the default automatic schedule for when updates are automatically downloaded and installed. If you have Security Gateways in different time zones, they are not synchronized when one updates and the other did not yet update.

To configure Threat Prevention scheduled updates:

1. In SmartConsole, go to the Security Policies page and select Threat Prevention.
2. In the Threat Tools section of the Threat Prevention Policy, click Updates.
3. In the section for the applicable Software Blade, click Schedule Update.

   The Scheduled Update window opens.

4. Make sure Enable <feature> scheduled update is selected.
5. Click Configure.
6. In the window that opens, set the Update at time and the frequency:
   • Daily - Every day
   • Days in week - Select days of the week
   • Days in month - Select dates of the month
7. Optional, for IPS only:
   • Select Perform retries on update failure - lets you configure how many tries the Scheduled Update makes if it does not complete successfully the first time.
   • Select On successful update perform Install Policy - automatically installs the policy on the devices you select after the IPS update is completed. Click Configure to select these devices.
8. Click OK.
9. Click Close.
10. Install Policy.

Updating Threat Emulation

Threat Emulation connects to the ThreatCloud to update the engine and the operating system images. The default setting for the Threat Emulation appliance is to automatically update the engine and images.

The default setting is to download the package once a day.

Best Practice - Configure Threat Emulation to download the package when there is low network activity.

Update packages for the Threat Emulation operating system images are usually more than 2GB. The actual size of the update package is related to your configuration.

To enable or disable Automatic Updates for Threat Emulation:

1. In SmartConsole, select Security Policies > Threat Prevention.
2. From the Threat Tools section, click Updates.

   The Updates page opens.

3. Under Threat Emulation, click Schedule Update.
4. Select or clear these settings:
   • Enable Threat Emulation engine scheduled update
   • Enable Threat Emulation images scheduled update
5. Click Configure to configure the schedule for Threat Emulation engine or image updates.
6. Configure the automatic update settings to update the database:
   • To update once a day, select At and enter the time of day
   • To update multiple times a day, select Every and set the time interval
   • To update once or more for each week or month:
   1. Select At and enter the time of day.
   2. Click Days.
   3. Click Days of week or Days of month.
   4. Select the applicable days.
7. Click OK and then install the Threat Prevention policy.

To Learn More About Threat Prevention

To learn more about configuring a Threat Prevention Policy, see the R80.10 Threat Prevention Administration Guide.