Post on 16-Dec-2015
Palo Alto Networks Threat Prevention
Palo Alto Networks at a Glance
Corporate Highlights
Founded in 2005; First Customer Shipment in 2007
Safely Enabling Applications
Able to Address all Network Security Needs
Exceptional Ability to Support Global Customers
Experienced Technology and Management Team
850+ Employees Globally
[Chart: Enterprise Customers: 1,800 (Jul-10), 4,700 (Jul-11), 9,000 (Jul-12)]
[Chart: Revenue ($MM, FYE July): FY09 $13, FY10 $49, FY11 $119, FY12 $255]
2 | ©2012, Palo Alto Networks. Confidential and Proprietary.
Real Attacks Employ Multiple Techniques
1. Bait the end-user: end-user lured to a dangerous application or website containing malicious content
2. Exploit: infected content exploits the end-user, often without their knowledge
3. Download Backdoor: secondary payload is downloaded in the background; malware installed
4. Establish Back-Channel: malware establishes an outbound connection to the attacker for ongoing control
5. Explore & Steal: remote attacker has control inside the network and escalates the attack
Lifecycle of a Modern Attack - Simplified
Attacks are Blended
- Traffic and malware
- Inbound and outbound
Designed to Evade Security
- Encryption, strange ports, tunneling, polymorphic malware, etc.
Break Security Assumptions
- When attackers control both ends of a connection they can hide their traffic in any way they want
Threat Prevention Requirements
1. Full Visibility of Traffic
- Equal analysis of all traffic across all ports (no assumptions)
- Control the applications that attackers use to hide
- Decrypt, decompress and decode
2. Control the Full Attack Lifecycle
- Exploits, malware, and malicious traffic
- Maintain context across disciplines
- Maintain predictable performance
3. Expect the Unknown
- Detect and stop unknown malware
- Automatically manage unknown or anomalous traffic
An Integrated Approach to Threat Prevention
Applications
• Visibility and control of all traffic, across all ports, all the time
• Reduce the attack surface
• Control the threat vector
• Control the methods that threats use to hide
Sources
• Control traffic sources and destinations based on risk
• Sites known to host malware
• Find traffic to command and control servers
• SSL decrypt high-risk sites
Known Threats
• Stop exploits, malware, spying tools, and dangerous files
• NSS tested and Recommended IPS
• Stream-based anti-malware based on millions of samples
• Control threats across any port
Unknown Threats
• Automatically identify and block new and evolving threats
• WildFire analysis of unknown files
• Visibility and automated management of unknown traffic
• Anomalous behaviors
[Arrow across the four columns: Reducing Risk]
Coordinated Threat Prevention: An Integrated Approach to Threat Prevention
Layers (rows): App-ID, URL, IPS (Threat License), Spyware, AV, Files, WildFire
Attack stages (columns) and the controls applied at each:
- Bait the end-user: Block high-risk apps; Block known malware sites
- Exploit: Block the exploit
- Download Backdoor: Prevent drive-by-downloads; Detect unknown malware; Block malware
- Establish Back-Channel / Explore & Steal: Block spyware, C&C traffic; Block C&C on non-standard ports; Block malware, fast-flux domains; Block new C&C traffic
Coordinated intelligence to detect and block active attacks based on signatures, sources and behaviors
Requirement: Visibility Into All Traffic
Requirements for Visibility
Any Traffic Not Fully Inspected = Threats Missed
• The Rule of All
- All traffic, all ports, all the time
- Mobile and roaming users
• Progressive Inspection
- Decode: 190+ application and protocol decoders
- Decrypt: based on policy
- Decompress
• Stop the methods that attackers use to hide
- Proxies
- Encrypted tunnels
- Peer-to-peer
Evasion is Common in Applications
Non-Standard Ports
- Evasive applications: standard application behavior
- Security best practices: moving internet-facing protocols off of standard ports (e.g. RDP)
Tunneling Within Allowed Protocols
- SSL and SSH
- HTTP
- DNS
Circumventors
- Proxies
- Anonymizers (Tor)
- Custom encrypted tunnels (e.g. Freegate, Ultrasurf)
568 applications that can dynamically use non-standard ports
260 applications that can tunnel other apps and protocols
82 applications designed to avoid security
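The evasions listed above (applications moved to non-standard ports, tunnels inside allowed protocols, proxies) are exactly what a port-based rule cannot see. The Python block below is an added example, not Palo Alto Networks code or App-ID: it identifies the application from the first bytes a client sends (SSH banner, TLS ClientHello, RDP connection request, HTTP request line) rather than from the port, then flags flows whose content disagrees with the port, flows opening a proxy tunnel with HTTP CONNECT, and flows no decoder recognises. The port table, the fingerprints and the sample flows are constructed for illustration.

```python
"""Port-independent application identification.

Added example, not Palo Alto Networks code or App-ID. It identifies the
application from the first client bytes of a flow instead of trusting the
destination port, then flags flows whose content disagrees with the port,
flows opening a proxy tunnel, and flows no decoder recognises. The port
table, fingerprints and sample flows are constructed for illustration.
"""
import re
from dataclasses import dataclass

# What a port-based rule would assume is running on each port (constructed).
PORT_EXPECTATION = {22: "ssh", 80: "http", 443: "tls", 3389: "rdp",
                    8080: "http", 8443: "tls"}

HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n")


def identify_app(payload: bytes) -> str:
    """Return an application label from the first bytes a client sends."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    # TLS record: type 0x16 (handshake), version 0x03 0x00..0x03, 2-byte
    # length, then handshake type 0x01 (ClientHello).
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x03 and payload[5] == 0x01):
        return "tls"
    # RDP: TPKT header (version 3, reserved 0, 2-byte length), then an X.224
    # Connection Request whose code byte is 0xE0.
    if (len(payload) >= 6 and payload[0] == 0x03 and payload[1] == 0x00
            and payload[5] == 0xE0):
        return "rdp"
    m = HTTP_REQUEST_LINE.match(payload)
    if m:
        # CONNECT asks an HTTP proxy to open an opaque tunnel to a host:port.
        return "http-proxy-connect" if m.group(1) == b"CONNECT" else "http"
    return "unknown"


@dataclass(frozen=True)
class Flow:
    src: str
    dport: int
    payload: bytes  # first bytes sent by the client


def audit_flow(flow: Flow) -> tuple:
    """Classify one flow. Returns (app, finding) where finding is one of
    'ok', 'port-mismatch', 'non-standard-port', 'tunnel' or 'unknown-app'."""
    app = identify_app(flow.payload)
    expected = PORT_EXPECTATION.get(flow.dport)
    if app == "http-proxy-connect":
        return app, "tunnel"             # tunneling inside an allowed protocol
    if app == "unknown":
        return app, "unknown-app"        # no decoder matched: needs explicit policy
    if expected is None:
        return app, "non-standard-port"  # known app on a port with no expectation
    if app != expected:
        return app, "port-mismatch"      # e.g. SSH hiding on 443
    return app, "ok"


def audit_flows(flows):
    """Audit a list of flows; returns [(src, dport, app, finding), ...]."""
    return [(f.src, f.dport, *audit_flow(f)) for f in flows]


# Constructed sample flows (first client bytes only).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 443, bytes.fromhex("160301004c01000048")),      # TLS ClientHello on 443
    Flow("10.0.0.6", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),                 # SSH hiding on 443
    Flow("10.0.0.7", 8443, bytes.fromhex(                               # RDP moved to 8443
        "0300002b26e00000000000436f6f6b69653a206d737473686173683d75736572")),
    Flow("10.0.0.8", 8080, b"CONNECT c2.example:443 HTTP/1.1\r\n"      # proxy tunnel request
         b"Host: c2.example:443\r\n\r\n"),
    Flow("10.0.0.9", 80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),  # plain HTTP on 80
    Flow("10.0.0.10", 53, bytes.fromhex("deadbeefcafe")),              # nothing recognised on 53
    Flow("10.0.0.11", 2222, b"SSH-2.0-dropbear\r\n"),                  # SSH on an unlisted port
]

if __name__ == "__main__":
    for src, dport, app, finding in audit_flows(SAMPLE_FLOWS):
        print(f"{src:>10} -> :{dport:<5} {app:<19} {finding}")
```

The point of the 'unknown-app' and 'non-standard-port' findings is the deck's "no assumptions" rule: traffic that no decoder recognises, or a recognised application on an unexpected port, is surfaced for explicit policy rather than silently allowed because the port looked harmless.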
Evasive Traffic Observed in Malware: Evasion is Standard in Malware
• Malware in live networks detected by WildFire
- Use of non-standard ports, dynamic DNS, use of proxies and custom traffic were the most common techniques
- 16,497 newly discovered malware samples (1 month); 66% undetected by traditional AV vendors
- 13,256 samples (80%) generated Internet traffic
- Of those samples, 7,918 (59%) generated evasive traffic
Requirement: Threat Prevention That Performs
Traditionally, More Security = Poor Performance
Traditional Security
- Each security box or blade robs the network of performance
- Threat prevention technologies are often the worst offenders
- Leads to the classic friction between network and security
[Chart: Best Case Performance with Firewall, Anti-Malware and IPS enabled]
Single-Pass Pattern Match
Single-pass pattern match engine can provide multiple matches with one pass through the engine. Look once, get many answers.
Stream-Based Malware Analysis
In-line threat prevention is stream based, because it’s the only method that maintains performance.
Only Palo Alto Networks and Fortinet have stream-based malware analysis (requires specialized processors).
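The two slides above describe one pass over the bytes answering many signature questions, and scanning as a stream rather than after buffering the whole object. The Python block below is an added example, not Palo Alto Networks' engine: it builds an Aho-Corasick automaton over a constructed table of IPS, AV and spyware patterns and feeds it a byte stream in 16-byte chunks. The automaton's cursor carries across chunk boundaries, so a pattern split between two chunks is still reported at the same absolute offset as in a single unchunked scan, and one traversal yields hits from every signature family. Signature IDs, patterns and the sample stream are constructed.

```python
"""Single-pass, stream-based multi-pattern matching (Aho-Corasick).

Added example, not Palo Alto Networks code. One automaton holds patterns
from several signature families; a single pass over the stream reports
every family that matched, and the matcher keeps its state between
chunks so patterns split across chunk boundaries are still found.
Signature IDs, patterns and the sample stream are constructed.
"""
from collections import deque

# Constructed signature table: id -> (family, byte pattern).
SIGNATURES = {
    "EXPLOIT-1": ("ips", b"%u9090%u9090"),                      # heap-spray NOP sled in JavaScript
    "PE-HEADER": ("av", b"MZ"),                                 # start of a Windows executable
    "AV-2": ("av", b"This program cannot be run in DOS mode"),  # DOS stub text inside a PE
    "SPY-7": ("spyware", b"POST /gate.php"),                    # constructed C&C check-in pattern
}


class StreamMatcher:
    """Aho-Corasick automaton whose cursor survives across scan() calls."""

    def __init__(self, signatures):
        self.goto = [{}]   # state -> {byte: next state}
        self.fail = [0]    # state -> longest proper-suffix state
        self.out = [[]]    # state -> signature ids that end at this state
        for sid, (_family, pattern) in signatures.items():
            s = 0
            for b in pattern:
                if b not in self.goto[s]:
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append([])
                    self.goto[s][b] = len(self.goto) - 1
                s = self.goto[s][b]
            self.out[s].append(sid)
        # Breadth-first pass fills failure links and merges suffix outputs;
        # a state's fail target is shallower, so it was already finished.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] = self.out[s] + self.out[self.fail[s]]
        self.state = 0    # automaton position, kept between chunks
        self.offset = 0   # bytes consumed so far, for absolute match offsets

    def scan(self, chunk: bytes):
        """Consume one chunk; return [(end_offset, sig_id)] for matches ending in it."""
        hits = []
        s = self.state
        for i, b in enumerate(chunk):
            while s and b not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(b, 0)
            for sid in self.out[s]:
                hits.append((self.offset + i, sid))
        self.state = s
        self.offset += len(chunk)
        return hits


def scan_stream(chunks, signatures=SIGNATURES):
    """Scan chunks in order. Returns (sorted families hit, list of hits)."""
    matcher = StreamMatcher(signatures)
    hits = []
    for chunk in chunks:
        hits.extend(matcher.scan(chunk))
    families = sorted({signatures[sid][0] for _, sid in hits})
    return families, hits


# Constructed stream: a C&C check-in, a heap-spray script and a PE stub,
# concatenated and cut into 16-byte chunks so patterns straddle boundaries.
PAYLOAD = (
    b"POST /gate.php HTTP/1.1\r\nHost: c2.example\r\n\r\n"
    b"<script>var s=unescape('%u9090%u9090');</script>"
    b"MZ\x90\x00\x03\x00\x00\x00This program cannot be run in DOS mode"
)
CHUNKS = [PAYLOAD[i:i + 16] for i in range(0, len(PAYLOAD), 16)]

if __name__ == "__main__":
    families, hits = scan_stream(CHUNKS)
    print("families hit in one pass:", families)
    for end, sid in hits:
        print(f"offset {end:4d}  {sid}")
```

The matcher only sees bytes as they arrive, so it never needs the whole file in memory; what it does need is the deck's "decode, decrypt, decompress" step in front of it, because a pattern inside a gzip body or a TLS session is invisible to a byte matcher on the raw stream.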
Validated in 3rd Party Testing
“Regardless of which UTM features we enabled - intrusion prevention, antispyware, antivirus, or any combination of these - results were essentially the same as if we'd turned on just one such feature. Simply put, there's no extra performance cost…”
-NetworkWorld, 2012
Requirement: Expect the Unknowns
Systematically Manage Knowns and Unknowns
Known
- Applications: Decoders (190+), Signatures, Port and protocol, Decryption (All Apps, All Ports, All the Time)
- Users: Active Directory, LDAP, eDirectory, Terminal Services, Exchange, GlobalProtect (All Users, All Locations, Any Repository)
- Content: Decoders (190+), Stream-based scanning, Uniform signature format (All Exploits, Malware, Files, and URLs)
Unknown
- Applications: Unknown Decoders, Heuristics, Override, Custom App-ID
- Users: XML API, Captive Portal
- Content: Behavioral Botnet Report, WildFire
Policy Control: Identify, Allow, Enable, Deny
The Gaps in Traditional Antivirus Protection
☣ Targeted and custom malware
☣ Polymorphic malware
☣ Newly released malware
Highly variable time to protection
Modern malware is increasingly able to:
- Avoid falling into traditional AV honey-pots
- Evolve before protection can be delivered, via polymorphism, re-encoding, and crypting
WildFire Architecture
• 10 Gbps threat prevention and file scanning
• All traffic, all ports
• Web, email, FTP and SMB
• Running in the cloud lets the malware do things that you wouldn’t allow in your network
• Updates to sandbox logic without impacting the customer
• Stream-based malware engine to perform true inline enforcement
[Chart: Daily Coverage of Top AV Vendors / New Malware Coverage Rate by Top 6 AV Vendors; y-axis: Malware Sample Count]
Real-World Spread of 0-Day Malware
• Analysis of 50 0-Day malware samples
• Captured by WildFire in live customer networks
• Tracked the spread and number of infections by hour following the initial infection
[Chart: Attempted Malware Infections by Hours since initial infection]
[Chart: Total Attempted Malware Infections by Hours, with a WildFire Subscription marker]
Looking at the first 48 hours of malware propagation, 95% of infections occur in the first 24 hours (95% in the first 24 hours, 5% in the next 24)
[Chart: Attempted Malware Infections by Hours, with WildFire Subscription and Threat Prevention markers]
Sample WildFire Analysis
• Detailed analysis of malware behaviors, including:
- Malware actions
- Domains visited
- Registry changes
- File changes
Integrated WildFire Logging
• WildFire logs integrated into the Palo Alto Networks user interface:
- Malware verdict
- User
- Application
- Related logs
Questions?