Palo Alto Networks
Expose The Underground: Advanced Persistent Threats
Jeff Baker
The problem
• Today’s cyber attackers are utilizing an increasingly sophisticated set of evasion tactics
• Disjointed techniques rely on a “whack-a-mole” approach for detection and prevention, leaving enterprises prone to risk
• Volume of attacks is rapidly accelerating, applying strain on a limited population of security specialists
2 | ©2014, Palo Alto Networks. Confidential and Proprietary.
What is an APT?
• Human entity
• Targeted
• Persistent
Modern Attacks are changing...
• Attackers: nation-states, organized crime, political groups
• Easier IT targets: new vectors, extended IT access, escalating tactics
• Concealment: evasion techniques, polymorphic attacks
Target | Date | Motive
Target | Nov 27, 2013 | Financial
NY Times | Jan 31, 2013 | State-sponsored
CIA | Feb 10, 2012 | Hacktivism
Symantec | Feb 8, 2012 | Extortion
Zappos | Jan 15, 2012 | Cybercrime
Danish Government | Aug 22, 2011 | Government practices
Sony PSN | April 19, 2011 | Hacktivism
Epsilon | April 1, 2011 | Financial
RSA | March 17, 2011 | State-sponsored
(Chart labels: High Volume; Analysis)
“The biggest problem with older technology, some say, is that it reacts to threats rather than anticipating them.”
– Austin American Statesman, Jan 19th, 2014
Example: Modern Malware Attack
1. Targeted malicious email sent to user
2. User clicks on link to a malicious website
3. Malicious website exploits client-side vulnerability
4. Drive-by download of malicious payload
5. Control / Relay / Steal
Point controls shown against the individual steps: Signature Detection, URL Filtering, IPS, Behavioral Analysis
Understanding the Cyber Attack Kill Chain
1. Bait the end-user: end-user lured to a dangerous application or website containing malicious content
2. Exploit (Infiltrate): infected content exploits the end-user, often without their knowledge
3. Download Backdoor: secondary payload is downloaded in the background; malware installed
4. Back Channel: malware establishes an outbound connection to the attacker for ongoing control
5. Explore & Steal (Lateral Movement, Remove Data): remote attacker has control inside the network and escalates the attack
Need to break it at different points in the chain!
Best-of-breed, disparate solutions or integrated intelligence?
Goal: Break the Kill Chain at Every Possible Step (Automatically)
Kill chain step | Technology | What it blocks
1 Bait the end-user | App-ID | Block high-risk apps; block C2 on open ports
1 Bait the end-user | URL | Block known malware sites; block fast-flux, bad domains
2 Exploit | IPS | Block the exploit
3 Download Backdoor | AV | Block malware files; prevent drive-by downloads
4 Command/Control | Spyware | Block spyware, C2 traffic
3, 4 Download Backdoor / Command/Control | Unknown Threats | Detect 0-day malware; block new C2 traffic
When the world was simple
• Stateful inspection addresses:
  • Two applications: browsing and email
  • With predictable application behavior
  • In a basic threat environment
Challenge: More Security = Poor Performance
Traditional security (Firewall + IPS + Anti-Malware):
• Each security box, blade, or software module robs the network of performance
• Threat prevention technologies are often the worst offenders
• Leads to the classic friction between network and security
(Chart: network performance falls from the best case with each added module; increased complexity/cost)
Technology sprawl and creep aren’t the answer
• “More stuff” doesn’t solve the problem
• Firewall “helpers” have limited view of traffic
• Complex and costly to buy and maintain
• Doesn’t address applications and new cyber threats
(Diagram: a stack of point products between the Internet and the Enterprise Network)
UTM’s and blades aren’t the answer either
• “More stuff” doesn’t solve the problem
• Firewall “helpers” have limited view of traffic
• Complex and costly to buy and maintain
• Doesn’t address applications and cyber threats
(Diagram: UTM or blades between the Internet and the Enterprise Network)
Multi-Step Scanning Ramifications
Policy Decision #1 (port-based firewall): Allow port 80 → open ports to allow the application → 300+ applications allowed*
Policy Decision #2 (app-control add-on): Allow Facebook → Facebook allowed… what about the other 299 apps?
Key Difference | Ramifications
Two separate policies | More work: two policies = double the admin effort (data entry, mgmt, etc.). Possible security holes: no policy reconciliation tools to find potential holes
Two separate policy decisions | Weakens the FW “deny all else” premise: applications allowed by the port-based FW decision
Two separate log databases | Less visibility with more effort: informed policy decisions require more effort, slows reaction time
No concept of unknown traffic | Increased risk: unknown is found on every network = low volume, high risk. More work, less flexible: significant effort to investigate; limited ability to manage it if it is found
*Based on Palo Alto Networks Application Usage and Risk Report
Tectonic shifts create the perfect storm
• Cloud + SaaS
• Social + consumerization
• Mobile + BYOD
• Cloud + virtualization
→ Massive opportunity for cyber criminals
All these challenges! Where do I start?
Our fundamentally new approach to enterprise security
• App-ID: identify the application
• User-ID: identify the user
• Content-ID: scan the content
Architectural Differences
Palo Alto Networks | Competitor Products
Operations once per packet (App-ID, User-ID, Content-ID) | Several operations per packet introduce performance degradation
Parallel processing (single pass-through) | Serial processing (switching between modules)
Single policy, including App-ID, User-ID and Content-ID | Multiple policies: Firewall (ports), IPS, App-Control, AV…
Single log entry for one session | Separate log entries for one session
How do we reduce risk with this platform approach?
Risk level decreases with each step, under a single security policy:
• Today’s network (starting point)
• Full visibility: achieve 100% visibility into network traffic (at speed)
• Limit network traffic to business-relevant applications based on actual usage (App-ID). “Safely enable is the new Block”
• Eliminate all types of known threats/vectors (AV, AS, IPS, URL)
• Eliminate unknown threats (WildFire)
Safely Enabling Applications, Users & Content
Applications: Safe enablement begins with
application classification by App-ID
Users: Tying users and devices, regardless of
location, to applications with User-ID
Content: Scanning content and protecting
against all threats – both known and unknown;
with Content-ID
The Benefits of Classifying Traffic in the Firewall
Single policy decision in the firewall (App-ID): Allow Facebook
Key Difference | Benefit
Single firewall policy | Less work, more secure: administrative effort is reduced; potential reconciliation holes eliminated
Positive control model | Allow by policy, all else is denied. It’s a firewall.
Single log database | Less work, more visibility: policy decisions based on complete information
Systematic management of unknowns | Less work, more secure: quickly identify high-risk traffic and systematically manage it
NGFW vs. Legacy Firewalls
App-ID firewall rule: ALLOW SMTP
• SMTP = SMTP: Allow ✔
• Bittorrent ≠ SMTP: Deny ✗
• Visibility: Bittorrent detected and blocked
Legacy firewall rule: ALLOW Port 25
• SMTP packet on Port 25: Allow ✔
• Bittorrent packet on Port 25: Allow ✔
• Visibility: Port 25 allowed
NGFW vs. Legacy Firewall + App IPS
App-ID firewall rule: ALLOW SMTP
• SMTP = SMTP: Allow ✔
• Bittorrent ≠ SMTP: Deny ✗
• Visibility: Bittorrent detected and blocked
Legacy firewall rule: ALLOW Port 25, plus Application IPS rule: Block Bittorrent
• SMTP packet on Port 25: Allow ✔ (firewall)
• Bittorrent packet on Port 25: Allow ✔ (firewall), then Bittorrent: Deny ✗ (App IPS)
• Visibility: Bittorrent detected and blocked
NGFW vs. Legacy Firewall + App IPS (traffic: SMTP, Bittorrent, SSH, Skype, Ultrasurf)
App-ID firewall rule: ALLOW SMTP
• SMTP = SMTP: Allow ✔
• Skype ≠ SMTP: Deny ✗
• SSH ≠ SMTP: Deny ✗
• Ultrasurf ≠ SMTP: Deny ✗
• Visibility: each app detected and blocked
Legacy firewall rule: ALLOW Port 25, plus Application IPS rule: Block Bittorrent
• Packet on Port 25: Allow ✔ (firewall)
• Bittorrent: Deny ✗ (App IPS)
• Packet ≠ Bittorrent (SSH, Skype, Ultrasurf): Allow ✔
• Visibility: packets on Port 25 allowed
NGFW vs. Legacy Firewall + App IPS (traffic: SMTP, Bittorrent, C&C)
App-ID firewall rule: ALLOW SMTP
• SMTP = SMTP: Allow ✔
• Command & Control ≠ SMTP: Deny ✗
• Visibility: unknown traffic detected and blocked
Legacy firewall rule: ALLOW Port 25, plus Application IPS rule: Block Bittorrent
• Packet on Port 25: Allow ✔ (firewall)
• Bittorrent: Deny ✗ (App IPS)
• C&C ≠ Bittorrent: Allow ✔
• Visibility: packet on Port 25 allowed
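Added example, written for this transcript and not Palo Alto Networks code, covering both the two-decision problem on the Multi-Step Scanning slide and the four SMTP / port 25 comparisons above: the same constructed flows pass through a port-only rule, a port rule with an app-IPS block list, and a single positive application rule. The app labels stand in for whatever a payload classifier would report; the flow carrying real SMTP on port 4430 and the application-default-port check are assumptions added here beyond what the slides show.

```python
"""Port-based policy vs. application-aware policy over the same flows.
Everything here is illustrative: the flows, rule contents and app labels
are constructed; no product API is used."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    app: str  # label a payload classifier assigns; not derived from the port


# Constructed traffic: all on TCP/25 except the last flow, which is genuine
# SMTP moved to a non-standard port (an assumed evasion case).
FLOWS = [
    Flow("10.1.2.4", "203.0.113.10", 25, "smtp"),
    Flow("10.1.2.5", "203.0.113.11", 25, "bittorrent"),
    Flow("10.1.2.6", "203.0.113.12", 25, "ssh"),
    Flow("10.1.2.7", "203.0.113.13", 25, "skype"),
    Flow("10.1.2.8", "203.0.113.14", 25, "ultrasurf"),
    Flow("10.1.2.9", "203.0.113.15", 25, "unknown-tcp"),  # C&C beacon, no signature
    Flow("10.1.2.4", "203.0.113.16", 4430, "smtp"),
]

DEFAULT_PORTS = {"smtp": frozenset({25})}  # assumed application-default ports


def port_firewall(flow, allowed_ports=frozenset({25})):
    """Legacy rule 'ALLOW Port 25': decision and log entry know only the port."""
    verdict = "allow" if flow.port in allowed_ports else "deny"
    return verdict, [f"fw: port {flow.port} {verdict}"]


def port_firewall_plus_app_ips(flow, allowed_ports=frozenset({25}),
                               blocked_apps=frozenset({"bittorrent"})):
    """Legacy rule plus an app-IPS add-on ('Block Bittorrent'): two decisions
    and two log entries per session. The add-on is a negative list, so any app
    it has no entry for, unknown traffic included, is allowed through."""
    verdict, logs = port_firewall(flow, allowed_ports)
    if verdict == "deny":
        return verdict, logs
    verdict = "deny" if flow.app in blocked_apps else "allow"
    return verdict, logs + [f"app-ips: {flow.app} {verdict}"]


def app_firewall(flow, allowed_apps=frozenset({"smtp"}),
                 default_ports=DEFAULT_PORTS, enforce_default_ports=True):
    """Single positive rule 'ALLOW SMTP': classify first, allow only the listed
    apps, deny everything else (unknown included). With enforce_default_ports
    a permitted app on a port it does not own is also denied."""
    if flow.app in allowed_apps:
        owned = default_ports.get(flow.app, frozenset())
        if not enforce_default_ports or flow.port in owned:
            return "allow", [f"app: {flow.app}/{flow.port} allow"]
    return "deny", [f"app: {flow.app}/{flow.port} deny"]


def evaluate(policy, flows=FLOWS):
    """Verdict per (app, port) under one policy."""
    return {(f.app, f.port): policy(f)[0] for f in flows}


def allowed_apps(policy, flows=FLOWS):
    """Applications the policy lets through: its effective attack surface."""
    return sorted({f.app for f in flows if policy(f)[0] == "allow"})


def unaccounted_traffic(policy, flows=FLOWS):
    """Flows allowed without the app ever being named in the log. A port-only
    log cannot answer 'what was that session?' after the fact."""
    out = []
    for f in flows:
        verdict, logs = policy(f)
        if verdict == "allow" and not any(f.app in line for line in logs):
            out.append(f)
    return out


if __name__ == "__main__":
    for name, policy in [("port only", port_firewall),
                         ("port + app-IPS", port_firewall_plus_app_ips),
                         ("app-ID positive", app_firewall)]:
        print(f"{name:16} allows {allowed_apps(policy)}; "
              f"{len(unaccounted_traffic(policy))} flows allowed with no app in log")
```

The point to take from running it: the block-list variant closes the one hole it knows about (Bittorrent) and still passes SSH, Skype, Ultrasurf and the unclassified beacon, while the positive rule passes exactly one application and records which one it was.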
We safely enable the business and manage the risks
User | Safely enable | Prohibited use
Financial advisor | Post info to a prospect’s wall |
Sales rep | Sharing opportunities with channel partner | Sharing customer lists externally
Marketing specialist | Exchange of Photoshop files with agencies | Downloading malware
HR recruiter | Communication with candidates | Exposing lists of employees and their salaries
(Also on the slide, column not recoverable from the extraction: Chatting; Clicking on infected links)
Security Context from Integration
• Allowing 10.1.2.4 to 148.62.45.6 on port 80 does not provide context.
• Allowing Sales users on the corporate LAN to access Salesforce.com, while looking for threats and malware inside the decrypted SSL tunnel, and easily seeing that you have done so: that is context.
• Seeing that you had 10 tunneling apps, 15 IPS hits, and 4 visits to malware sites is not context.
• Seeing that Dave Smith visited a malware site, downloaded 0-day malware, and that his device is now visiting other known malware sites and using tunneling apps: that is context.
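The difference between the two views on the slide, as an added example written for this transcript (not Palo Alto Networks code): a URL-filtering log, a sandbox-verdict log and an application log are joined through an IP-to-user mapping and read as one user’s ordered timeline instead of three unrelated counters. Every log line, field name, user mapping and the tunneling-app list are constructed for illustration and are not a real product’s log format.

```python
"""Correlating three log sources into per-user context. All data below is
constructed; the field names are illustrative, not a product format."""
import csv
import io
from collections import defaultdict

# Constructed User-ID style mapping: source IP -> user logged on at that address.
IP_TO_USER = {"10.1.2.4": "dsmith", "10.1.2.7": "jdoe", "10.1.2.9": "kbrown"}

URL_LOG = """time,src,url,category,action
09:01,10.1.2.4,http://updates.example-cdn.test/setup.exe,malware,alert
09:02,10.1.2.7,https://www.salesforce.com/,business,allow
09:40,10.1.2.4,http://cdn-stat.example-bad.test/gate.php,malware,alert
09:41,10.1.2.4,http://198.51.100.7/panel,malware,alert
10:05,10.1.2.9,http://tracker.example-bad.test/announce,malware,alert
"""
SANDBOX_LOG = """time,src,file,verdict
09:03,10.1.2.4,setup.exe,malicious
09:15,10.1.2.7,q3-forecast.xlsx,benign
"""
APP_LOG = """time,src,dst,app,port
09:20,10.1.2.4,198.51.100.7,ultrasurf,443
09:22,10.1.2.7,13.110.4.1,salesforce-base,443
10:06,10.1.2.9,203.0.113.40,bittorrent,6881
"""
TUNNELING_APPS = {"ultrasurf", "tor", "psiphon", "ssh-tunnel"}  # assumed list


def parse(text):
    return list(csv.DictReader(io.StringIO(text)))


def context_free_counts(url_log=URL_LOG, sandbox_log=SANDBOX_LOG, app_log=APP_LOG):
    """The 'N tunneling apps, N IPS hits, N malware sites' view: totals only,
    no user, no ordering, nothing to act on."""
    return {
        "malware_site": sum(r["category"] == "malware" for r in parse(url_log)),
        "malicious_file": sum(r["verdict"] == "malicious" for r in parse(sandbox_log)),
        "tunneling_app": sum(r["app"] in TUNNELING_APPS for r in parse(app_log)),
    }


def events_by_user(url_log=URL_LOG, sandbox_log=SANDBOX_LOG, app_log=APP_LOG,
                   ip_to_user=IP_TO_USER):
    """Join the three sources on source IP, attribute each hit to a user and
    order each user's events by time. Unmapped IPs stay as the bare address."""
    def who(ip):
        return ip_to_user.get(ip, ip)

    events = defaultdict(list)
    for r in parse(url_log):
        if r["category"] == "malware":
            events[who(r["src"])].append((r["time"], "malware_site", r["url"]))
    for r in parse(sandbox_log):
        if r["verdict"] == "malicious":
            events[who(r["src"])].append((r["time"], "malicious_file", r["file"]))
    for r in parse(app_log):
        if r["app"] in TUNNELING_APPS:
            events[who(r["src"])].append((r["time"], "tunneling_app", r["app"]))
    return {user: sorted(ev) for user, ev in events.items()}


def assess(user_events):
    """Score one user's ordered timeline. The ordering is the context: a
    malicious file followed by further malware-site visits or tunneling apps
    reads as an infection with live C2, so activity after the verdict weighs
    more than the same hits seen in isolation. Weights are illustrative."""
    kinds = [kind for _, kind, _ in user_events]
    if "malicious_file" not in kinds:
        return kinds.count("malware_site") + 2 * kinds.count("tunneling_app")
    after = kinds[kinds.index("malicious_file") + 1:]
    return 3 + 2 * after.count("malware_site") + 3 * after.count("tunneling_app")


def prioritise(**sources):
    """Users ranked highest score first as (score, user, timeline)."""
    ranked = [(assess(ev), user, ev) for user, ev in events_by_user(**sources).items()]
    return sorted(ranked, key=lambda t: (-t[0], t[1]))


if __name__ == "__main__":
    print("without context:", context_free_counts())
    for score, user, timeline in prioritise():
        print(f"{user}: score {score}")
        for when, kind, detail in timeline:
            print(f"  {when} {kind:15} {detail}")
```

With the constructed data the count view reports four malware-site hits, one malicious file and one tunneling app; the correlated view reports that one user produced five of those six events in the order the slide describes, and that a second user had a single malware-site hit with nothing following it.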
COMPROMISED CREDIT CARDS – APTs IN ACTION
1. Recon on companies Target works with
2. Spearphishing of a third-party HVAC contractor
3. Breached Target network with stolen payment system credentials
4. Moved laterally within the Target network and installed POS malware
5. Maintained access: compromised an internal server to collect customer data
6. Exfiltrated data to command-and-control servers over FTP
Palo Alto Networks at a Glance
Company highlights
• Founded in 2005; first customer shipment in 2007
• Safely enabling applications
• Addressing the entire $10B+ network security market
• Experienced team of 1,900+ employees
• Over 21,000 enterprise customers
Revenues ($MM, FYE July): FY09 $13 | FY10 $49 | FY11 $119 | FY12 $255 | FY13 $396
Enterprise customers (enterprise leadership position & rapid customer growth): Jul-11 4,700 | Jul-12 9,000 | Jul-13 13,500
Gartner -- Enterprise Firewall Magic Quadrant
(Quadrant charts: December 2011 and February 2013)
• We pushed the competitors back
Next-generation enterprise security platform
Next-Generation Firewall:
• Inspects all traffic
• Blocks known threats
• Sends unknown to cloud
• Extensible to mobile & virtual networks
Threat Intelligence Cloud:
• Gathers potential threats from network and endpoints
• Analyzes and correlates threat intelligence
• Disseminates threat intelligence to network and endpoints
Advanced Endpoint Protection:
• Inspects all processes and files
• Prevents both known & unknown exploits
• Integrates with cloud to prevent known & unknown malware
Detect and Defend: Turning the Unknown into Known
• Identify & control all applications
• Prevent known threats
• Detect unknown threats
• Rapid, global sharing
Our unique approach makes us the only solution that…
• Scans ALL applications (including SSL traffic) to secure all avenues in/out of a network, reduce the attack surface area, and provide context for forensics
• Prevents attacks across ALL attack vectors (exploit, malware, DNS, command & control, and URL) with content-based signatures
• Detects zero-day malware & exploits using public/private cloud and automatically creates signatures to defend our global customer base
We have pioneered the next generation of security
Legacy (mid 1990’s – today): allow or block some apps; detect some malware
Next generation (today+): safely enable all applications; prevent all cyber threats
Palo Alto Networks Next Generation Firewall
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify and control users regardless of IP address, location, or device
3. Protect against known and unknown application-borne threats
4. Fine-grained visibility and policy control over application access / functionality
5. Multi-gigabit, low latency, in-line deployment
Covering the entire enterprise
Network location: Data center/cloud | Enterprise perimeter | Distributed/BYOD | Endpoint
Next-generation appliances:
• Physical: PA-200, PA-500, PA-2000 Series, PA-3000 Series, PA-4000 Series, PA-5000 Series, PA-7050
• WildFire: WF-500
• Virtual: VM-Series & VM-Series-HV for NSX
Subscriptions: Threat Prevention, URL Filtering, GlobalProtect™, WildFire™, Endpoint (Traps)
Use cases: Next-Generation Firewall; Cybersecurity: IDS / IPS / APT; Web gateway; VPN
Management system: Panorama, M-100 appliance, GP-100 appliance
Operating system: PAN-OS™
Our core value proposition
An enterprise security platform that safely enables all applications through granular use control and prevention of known and unknown cyber threats for all users on any device across any network.
Superior security with superior TCO
Thank You