Sky ATP Overview
Sky ATP is a cloud-based solution that integrates with Policy Enforcer. Cloud environments are flexible and scalable, and a shared environment ensures that everyone benefits from new threat intelligence in near real-time. Your sensitive data is secured even though it is in a cloud shared environment. Security administrators can update their defenses when new attack techniques are discovered and distribute the threat intelligence with very little delay.
Sky ATP offers the following features:
Communicates with firewalls and switches to simplify threat prevention policy deployment and enhance the anti-threat capabilities across the network.
Delivers protection against “zero-day” threats using a combination of tools to provide robust coverage against sophisticated, evasive threats.
Checks inbound and outbound traffic with policy enhancements that allow users to stop malware, quarantine infected systems, prevent data exfiltration, and disrupt lateral movement.
Provides deep inspection, actionable reporting, and inline malware blocking.
Provides feeds for GeoIP, C&C, allowlist and blocklist, infection hosts, custom configured feeds and file submission.
Whitelist and allowlist has been used interchangeably throughout this document. Similarly, blacklist and blocklist are also used interchangeably.
Figure 1 lists the Sky ATP components.
Table 1 briefly describes each Sky ATP component’s operation.
Table 1: Sky ATP Components
Command and control (C&C) cloud feeds
C&C feeds are essentially a list of servers that are known command and control for botnets. The list also includes servers that are known sources for malware downloads. See Command and Control Servers Overview.
GeoIP cloud feeds
GeoIP feeds is an up-to-date mapping of IP addresses to geographical regions. This gives you the ability to filter traffic to and from specific geographies in the world.
Infected host cloud feeds
Infected hosts indicate local devices that are potentially compromised because they appear to be part of a C&C network or other exhibit other symptoms. See Infected Hosts Overview.
Lists you customize by adding IP addresses, domains, and URLs to your own lists. See Custom Feed Sources Overview.
Allowlist and blocklists
An allowlist is simply a list of known IP addresses that you trust and a blocklist is a list that you do not trust. See Creating Allowlist and Blocklists.
Malware inspection pipeline
Performs malware analysis and threat detection.
Internal compromise detection
Inspects files, metadata, and other information.