Transcript Document

Dynamic Computing & Dynamic Threats Require Dynamic Security
Palo Alto Networks at a Glance
Corporate Highlights
• Founded in 2005; First Customer Shipment in 2007
• Safely Enabling Applications
• Able to Address all Network Security Needs
• Exceptional Ability to Support Global Customers
• Experienced Technology and Management Team
• 850+ Employees Globally
[Chart: Revenue ($MM, FYE July): FY09 $13, FY10 $49, FY11 $119, FY12 $255]
[Chart: Enterprise Customers: Jul-10 1,800; Jul-11 4,700; Jul-12 9,000]
2 | ©2012, Palo Alto Networks. Confidential and Proprietary.
Agenda
 Today’s Dynamic Enterprise Computing Environment
 An Equally Dynamic Threat Landscape
 The Tension between Security and Productivity
 What to do About It
A Long Time Ago… Security Was Simpler
On Premise Data Center (wired; Employee)
• Apps in one place
• Users in one place
• Data in one place
• Devices Controlled
• Devices Dumb
• Network Simple
• IT Controls it all
• …
Complexity Has Grown… A Lot
• Apps all over the place
• Users all over the place
• Data all over the place
• Devices not controlled
• Devices Smart
• Network is Complex
• IT Controls only some of it
• User’s control increased
• Risks are FAR higher
[Diagram: The “Network” spanning On Premise, wired, wireless, VPN, “VDI”, Cloud and Internet Content / tools; users: Employee, Guest, Mobile employee, Partner/contractor; Modern threats: targeted, multivector, persistent]
From the Classroom… to the Playground
The Emergence of the User Kingdom
Devices
 Most often very small and mobile
 More devices are now in the control and ownership of end users
 Users are people, people are different, so the diversity of devices is expanding
Applications
 Users are discovering new ways to get work done
 Multiple tools being used to do the same thing
 Many applications are risky – introduces threats, potential data loss
 Many applications are costly – consumes lots of computing and network resources
 IT is not participating in selecting
Location
 Work gets done in and out of the office
 On-demand is essential
Mobile Climate and Challenges
IT Security Needs:
• Keep users, network, devices, and data safe
• Keep users productive
• Allow use of business-owned or personal devices
What Employees Want:
• Access to corporate and personal applications
• Want the full features of their mobile devices, not watered down functionality
• Don’t want boundaries and restrictions
Evolution Towards Cloud Networks Brings New Challenges
(even within our own data centers)
How do you have visibility into the virtualized environment?
How do you track rogue virtual machine creation?
How do you embrace the dynamic nature of virtualization?
What Do Classic Data Centers Look Like / Limitations of Virtualized Data Center Architecture
• Applications of the same trust levels on a server
• Segmentation deployments:
  • DMZ/Corporate/PCI/R&D
  • Application Tiers
• Limitations in design:
  • Not optimized for hardware (spare CPUs may be idle)
  • Not ideal because traffic routed north bound (latency)
  • Expensive – VLANs and ports
[Diagram: Virtual Host 1, 2 and 3, each with its own vSwitch and its own Web, App and DB tier]
Considerations Towards “Cloud” Model
• Shared “pools of resources”
  • Optimizes hardware
  • Reduce latency
  • Delivers applications on-demand
• Applications of different trust levels on a server
• Security Issues
  • Safely enable East-West traffic
  • Automation so security does not slow down the virtual workload
  • Track policies to VM adds, moves, changes
[Diagram: Virtual Host 1, 2 and 3 with vSwitches; Web, App and DB tiers mixed across hosts]
So that’s a snapshot of the modern
computing “Ecosystem”.
Next, the threat environment…………
Modern Attacks are Targeted, Stealthy and Multi-Step
What Has Changed / What is the Same
• Attack strategy has evolved
   Patient, multi-step process
   Compromise a user, then expand
• The attacker has changed
   Nation-states
   Criminal organizations
   Political groups
• Attack techniques have evolved
   New applications as the threat vector
   Avoidance of traditional AV signatures
   Hiding malware communications
Timeline (Date: Motive):
• RSA, March 17, 2011: State-sponsored
• Epsilon, April 1, 2011: Financial
• Sony PSN, April 19, 2011: Hacktivism
• Danish Government, Aug 22, 2011: Government practices
• Zappos, Jan 15, 2012: Cybercrime
• Symantec, Feb 8, 2012: Extortion
• CIA, Feb 10, 2012: Hacktivism
• NY Times, Jan 31, 2013: State-sponsored
Real Attacks Employ Multiple Techniques
1. Bait the end-user: End-user lured to a dangerous application or website containing malicious content
2. Exploit: Infected content exploits the end-user, often without their knowledge
3. Download Backdoor: Secondary payload is downloaded in the background. Malware installed
4. Establish Back-Channel: Malware establishes outbound connection to the attacker for ongoing control
5. Explore & Steal: Remote attacker has control inside the network and escalates the attack
The Gaps in Traditional Antivirus Protection
Modern malware is increasingly able to:
- Avoid falling into traditional AV honey-pots
- Evolve before protection can be delivered
☣ Targeted and custom malware
☣ Polymorphic malware
☣ Newly released malware
Highly variable time to protection
(Note: WildFire finds 200 – 400 unique new malware samples undetectable by leading antivirus software every day.)
Applications Bypassing Port- and Protocol-based Security
Applications Leveraging Non-standard Ports, Random Ports, Encryption
97% of Exploits Come From Business Not Social Applications
All These Challenges!
Where do I Start?
Lots and Lots of Security Tools! Yea!! (Or Boo?)
Tools for Servers
Tools for End Points
Tools for Networks
Tools for Tools
 Firewall
 Fuzzers
 Anti-Virus
 Anti-Malware
 NIPS
 HIPS
 MDM
 DLP
 WAF
 SIEM
 Authentication
 Encryption
 Sniffers
 Forensics
 Packet Crafters
 Port Scanners
 Rootkit Detectors
 Vulnerability Scanners
 Web Proxies
 Wireless Security
 Etc…
All These Solutions!
Where do I Start?
There is a good place to start…
[Diagram: Applications, Devices, Users and DATA surround the network]
The Network is the Common Denominator. We should start here!
Requirements for Security in a Brave New World
1. See All Traffic – reduce or eliminate blind spots
2. Safe Application Enablement
• Identify Applications by deep inspection, not by port filtering
• Control Application Use by User/group-based Policies
• Inspect that traffic which you allow - protect against known and unknown threats
3. Segment all parts of the network
4. Be nimble - Address the moving parts
• Tie security policies to VM Orchestration – VM creation / movement
• Give mobile users controlled access
• Rapidly deploy protections against new threats
Reducing the Scope of Attack – App Control
» The ever-expanding universe of applications, services and threats
Only allow the apps you need:
» Traffic limited to approved business use cases based on App and User
» Attack surface reduced by orders of magnitude
» Port, protocol agnostic
Clean the allowed traffic of all threats in a single pass:
» Complete threat library with no blind spots
» Bi-directional inspection
» Scans inside of SSL
» Scans inside compressed files
» Scans inside proxies and tunnels
» Scans unknown files
Identify Unknowns
1. Known Traffic is controlled using positive enforcement
    Allow the good, block everything else
    Positive control reduces endless “Whack-a-Mole” of finding/stopping unwanted apps
2. Identify Unknown Applications
    Anything non-compliant or custom should be known and approved
    When the vast majority of traffic is identified, the unknowns become manageable
3. Unknown traffic is common – every network has some
    New publicly available commercial applications
    Internally developed, custom applications
    Rogue or malicious applications (malware)
4. Unknowns are manageable
    Investigate unknowns
    Aggressively control or block remaining unknown traffic
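Positive enforcement as the “Requirements for Security in a Brave New World” slide (items 1 and 2) and the four steps above describe it, as an added Python example that is not Palo Alto Networks code: the application is identified from payload content rather than port, only explicitly allowed (group, app) pairs pass, and traffic no signature recognises is set aside for investigation or blocked outright. The signatures, users, groups and flows are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed content signatures (an assumption, not a real App-ID database):
# the application is decided by the first bytes of the flow, never by the port.
SIGNATURES = {
    "ssh": lambda p: p.startswith(b"SSH-2.0-"),
    # TLS record type 0x16 (handshake), major version 3, handshake type 1 (ClientHello)
    "tls": lambda p: len(p) > 5 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01,
    "http": lambda p: p.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT") and b" HTTP/1." in p,
}

@dataclass(frozen=True)
class Flow:
    user: str       # user name already resolved from the source IP (assumed directory lookup)
    dst_port: int   # kept for the log only; it plays no part in the decision
    payload: bytes  # first bytes the client sent

# Constructed directory and rule data.
GROUPS = {"alice": "engineering", "bob": "finance"}
# Positive enforcement: only these (group, app) pairs are allowed; everything else is denied.
ALLOW = {("engineering", "ssh"), ("engineering", "tls"), ("finance", "tls")}

def identify_app(payload: bytes) -> str:
    """Deep-inspection stand-in: the first matching content signature wins."""
    for app, match in SIGNATURES.items():
        if match(payload):
            return app
    return "unknown"

def decide(flow: Flow, block_unknown: bool = False) -> tuple:
    """Return (action, app); unknown traffic is flagged for investigation until the operator opts to block it."""
    app = identify_app(flow.payload)
    if app == "unknown":
        return ("block" if block_unknown else "investigate"), app
    group = GROUPS.get(flow.user)  # unknown user -> no group -> no rule can match
    return ("allow" if (group, app) in ALLOW else "block"), app

# Constructed sample flows: SSH pushed over 443, TLS on port 22, a user outside
# any group, and a custom protocol that no signature recognises.
SAMPLE_FLOWS = [
    Flow("alice", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),
    Flow("bob", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),
    Flow("bob", 22, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"),
    Flow("carol", 80, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    Flow("alice", 8080, b"\x00\x01CUSTOM-RPC\x00"),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f.user, f.dst_port, *decide(f))
```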
Identify All Users
 Do NOT Trust, always verify all access
 Base security policy on users and their roles, not IP addresses.
 For groups of users, tie access to specific groups of applications
 Limit the amount of exfiltration via network segmentation
Scan All Content
 Full Visibility of Traffic
   Equal analysis of all traffic across all ports (no assumptions)
   Control the applications that attackers use to hide
   Decrypt, decompress and decode
 Control the full attack lifecycle
   Exploits, malware, and malicious traffic
   Maintain context across disciplines
   Maintain predictable performance
 Expect the Unknown
   Detect and stop unknown malware
   Automatically manage unknown or anomalous traffic
[Diagram: Exploits are delivered over the network (encryption, fragmentation); Malware is delivered over the network (re-encoded and targeted malware); Malware communicates over the network (proxies, tunneling, encryption, custom traffic; spyware, C&C)]
If it’s unknown, how can I stop it?
Behavioral Analysis of Potential Malware
[Diagram: Potentially malicious files from Internet → Unknown files are forwarded for deeper analysis → Malware Analysis → Protection delivered to all customer firewalls]
Malware Analysis:
• Sandbox-based analysis that finds malware based on behaviors
• Generates detailed forensics report
• Creates malware and C&C signatures
Daily Coverage of Top AV Vendors
[Chart: Daily AV Coverage Rates for Newly Released Malware (50 Samples). Y-axis: Malware Sample Count, 0% to 100%; X-axis: Day-0 to Day-6; series: 0 vendors, 1 vendor, 2 vendors, 3 vendors, 4 vendors, 5 vendors. Caption: New Malware Coverage Rate by Top 5 AV Vendors]
Network Segmentation – A Great Best Practice
• Implement security zones in your network
• For each zone, group systems by risk and desired control point:
  • Systems that share similar risk factors
  • Systems that share security classifications
• Communication between zones is only via the firewall
• Every zone should be restricted by:
  • User
  • Applications
  • All content is scanned
  • Integrated reporting, logging for auditing purposes
Zero Trust Model (Forrester Research)
 Ensure all resources are accessed in a secure manner
 Access control is strictly enforced (Verify and never trust)
 Inspect and log all traffic
Control Users and Their Devices with The Network
MDM: Ensure device is “OK” (Managed/Monitored devices)
 Security Settings: Passcode, Encryption
 State: Jailbroken
 Actions: Lock/Wipe
Consistent policy
 App policy
 Data filtering
 URL filtering
Protect device & traffic
 Malware detection
 Vulnerability protection
Flexible Deployments to Protect East-West Traffic
• Physical and Virtual (where to do what to reduce latency)
[Diagram: Physical Firewalls provide Inter-host Segmentation (with HA) for Physical Servers; Virtualized Firewalls provide Intra-host Segmentation for Virtualized servers; Security Orchestration systems; Application and Network layers]
Why Does It Have to Be a Next-Generation Firewall?
Next-Generation Firewalls
• Only next-generation firewalls can safely enable applications and understand:
  • Applications
  • Users
  • Content
• Designed from the ground up to tackle threat protection without performance impact
• Addresses emerging challenges including virtualization and cloud
[Diagram: Applications, Devices, DATA and Users around the network]