
Source: go.xchanging.com/rs/756-JLQ-748/images/ERR_Sample_final.pdf

Application Visibility and Risk Report

Prepared for: Sample A customer

Prepared by: Data Integration

Thursday, May 28, 2015

Data Integration (Xchanging Technology)
The Walbrook Building
25 Walbrook
London EC4N 8AQ
+44 (0)20 8875 6500

1


Why Palo Alto Networks?

Fundamental shifts in the application and threat landscape, user behavior, and network infrastructure have steadily eroded the security that traditional port-based firewalls once provided. Users are accessing all types of applications, using a range of device types, often simply to get their job done. Datacenter expansion, virtualization, mobility, and cloud-based initiatives are forcing organizations to re-think how to enable application access yet protect the network. Palo Alto Networks next-generation firewalls can help organizations safely enable applications, for all users, regardless of location, resulting in a reduction in the associated business and security risks.

Classifying all applications, across all ports, all the time. App-ID applies multiple classification mechanisms to the traffic stream, as soon as the firewall sees it, to determine the exact identity of the application, regardless of port, encryption (SSL or SSH) or evasive technique employed. The knowledge of exactly which applications are traversing the network, not just the port and protocol, becomes the basis for all security policy decisions. Unidentified applications, typically a small percentage of traffic yet high in potential risk, are automatically categorized for systematic management, which can include policy control and inspection, threat forensics, creation of a custom App-ID, or a packet capture for Palo Alto Networks App-ID development. One caveat to keep in mind when reading the tables that follow: without SSL decryption the firewall classifies an encrypted session only as ssl (or ssh), not as the application carried inside it, which is why ssl is by far the largest entry in the encrypted-tunnel rows of Figure 2.

Tying users and devices, not just IP addresses, to policies. Security policies that are based on the application and the user identity, regardless of device or location, are a more effective means of protecting the network than relying solely on port and IP address. Integration with a wide range of enterprise user repositories provides the identity of the Microsoft Windows, Mac OS X, Linux, Android, or iOS user accessing the application. Users who are traveling or working remotely are seamlessly protected with the same, consistent policies that are in use on the local, or corporate, network. The combined visibility and control over a user's application activity means organizations can safely enable the use of Oracle, BitTorrent, Gmail, or any other application traversing the network, no matter where or how the user is accessing it.

Prevent all threats, both known and unknown. Coordinated threat prevention blocks known malware sites, vulnerability exploits, viruses, spyware and malicious DNS queries in a single pass, while custom or otherwise unknown malware is actively analyzed and identified by executing the unknown files and directly observing more than 100 malicious behaviors in a virtualized sandbox environment. When new malware is discovered, a signature for the infecting file and related malware traffic is automatically generated and delivered. All threat prevention analysis uses full application and protocol context, ensuring that threats are caught even if they attempt to hide from security in tunnels, compressed content or on non-standard ports.

Safe application enablement policies can help organizations improve their security posture in the following ways. At the perimeter, the threat footprint can be reduced by blocking unwanted applications and then inspecting the allowed applications for both known and unknown threats. In the traditional or virtualized datacenter, application enablement translates to ensuring only datacenter applications are in use by authorized users, protecting the content from threats and addressing security challenges introduced by the dynamic nature of the virtual infrastructure. Enterprise branch office and remote user enablement policies can be extensions of the same policies deployed at the headquarters location, thereby ensuring policy consistency.


Summary and Key Findings

Data Integration conducted an application visibility and risk analysis for Sample A customer using the Palo Alto Networks next-generation firewall. This report summarizes the Sample A customer analysis beginning with key findings and an overall business risk assessment; it then discusses the applications and types of content found, closing with a summary and recommended actions.

Key findings that should be addressed by Sample A customer:

Personal applications are being installed and used on the network. End-users are installing and using a variety of non-work related applications that can elevate business and security risks.

Applications that can be used to conceal activity were found. IT-savvy employees are using applications that can conceal their activity. Examples of these types of applications include external proxies, remote desktop access and non-VPN related encrypted tunnels. Who is using these applications, and for what purpose, should be investigated.

Applications that can lead to data loss were detected. File transfer applications (peer-to-peer and/or browser-based) are in use, exposing Sample A customer to significant security, data loss, compliance and possible copyright infringement risks.

Applications used for personal communications were found. Employees are using a variety of applications that enable personal communications. Examples include instant messaging, webmail, and VoIP/video conferencing. These types of applications can introduce productivity loss, compliance and business continuity risks.

Bandwidth hogging, time consuming applications are in use. Media and social networking applications were found. Both of these types of applications are known to consume corporate bandwidth and employee time.


Business Risks Introduced by High Risk Application Traffic

The potential business risks that can be introduced by the applications traversing the network are determined by looking at the behavioral characteristics of the high risk applications (those that carry a risk rating of 4 or 5 on a scale of 1-5). Each of the behavioral characteristics can introduce business risks: application file transfer can lead to data leakage; the ability to evade detection or tunnel other applications can lead to compliance risks; high bandwidth consumption equates to increased operational costs; and applications that are prone to malware or vulnerabilities can introduce business continuity risks. Identifying the risks an application poses is the first step towards effectively managing the related business risks.

A summary of the business risk calculation is shown in Figure 1. Appendix A has a complete description of the business risks.

[Figure 1 (pie chart): Compliance 24%, Business Continuity 21%, Data Loss 21%, Productivity 20%, Operational Cost 15%]

Figure 1: Business risk breakdown of Top High Risk Applications

Top High Risk Applications in Use

The high risk applications (risk rating of 4 or 5), sorted by category, subcategory and bytes consumed, are shown below. The ability to view the application along with its respective category, subcategory and technology can be useful when discussing the business value and the potential risks that the applications pose with the respective users or groups of users.

Key observations on the 166 high risk applications:

Activity concealment: proxy (8) and remote access (7) applications were found. In addition, non-VPN related encrypted tunnel applications were detected; besides ssl and ssh, the encrypted-tunnel rows of Figure 2 list hola-unblocker, frozenway, tor, freenet, hamachi, packetix-vpn and tcp-over-dns. IT-savvy employees are using these applications with increasing frequency to conceal activity and, in so doing, can expose Sample A customer to compliance and data loss risks. Note that the remote-access volume is dominated by ms-rdp (658,816,248,414 bytes over 13,792,960 sessions), which is as consistent with routine administration as with concealment, so the user, source and destination breakdown should be checked before it is treated as a finding.

File transfer / data loss / copyright infringement: P2P applications (24) and browser-based file sharing applications (16) were found. The P2P count covers every high risk application whose technology is peer-to-peer in Figure 2, which includes VoIP (skype, sip), streaming clients and bitcoin as well as file-sharing networks such as bittorrent. These applications expose Sample A customer to data loss, possible copyright infringement and compliance risks, and can act as a threat vector.

Personal communications: a variety of applications that are commonly used for personal communications were found, including instant messaging (10), webmail (13), and VoIP/video conferencing (4). These types of applications expose Sample A customer to possible productivity loss, compliance and business continuity risks.

Bandwidth hogging: applications that are known to consume excessive bandwidth, including photo/video (29), audio (2) and social networking (13), were detected. These types of applications represent an employee productivity drain, can consume excessive amounts of bandwidth and can act as potential threat vectors.


Risk | Category | Sub-Category | Technology | Bytes | Sessions | Application
4 | business-systems | general-business | client-server | 780,599 | 141 | activesync
4 | business-systems | general-business | browser-based | 147,812 | 14 | concur
4 | business-systems | management | browser-based | 12,375,394 | 78 | synology-dsm
5 | business-systems | office-programs | browser-based | 15,350,472,349 | 38,434 | google-docs-base
4 | business-systems | office-programs | peer-to-peer | 107,603,754 | 1,378 | ms-groove
4 | business-systems | software-update | client-server | 107,556,615,688 | 103,116 | ms-update
4 | business-systems | storage-backup | client-server | 393,683,148,433 | 227 | crashplan
4 | collaboration | email | client-server | 114,810,462,577 | 149,344 | ms-exchange
5 | collaboration | email | client-server | 75,973,820,383 | 1,045,594 | smtp
4 | collaboration | email | browser-based | 29,456,414,703 | 396,071 | gmail-base
4 | collaboration | email | client-server | 1,982,911,103 | 21,030 | pop3
4 | collaboration | email | client-server | 1,900,013,224 | 14,220 | imap
4 | collaboration | email | browser-based | 371,648,961 | 4,750 | aim-mail
4 | collaboration | email | browser-based | 206,963,815 | 14,165 | hotmail
4 | collaboration | email | browser-based | 129,227,557 | 3,456 | gmx-mail
4 | collaboration | email | browser-based | 87,014,720 | 2,464 | netease-mail
4 | collaboration | email | browser-based | 81,570,261 | 6,318 | qq-mail
4 | collaboration | email | browser-based | 61,408,944 | 64 | roundcube
4 | collaboration | email | browser-based | 24,449,574 | 620 | squirrelmail
4 | collaboration | email | browser-based | 7,166,395 | 113 | outlook-web
5 | collaboration | email | client-server | 1,988,812 | 29 | lotus-notes-base
4 | collaboration | email | browser-based | 380,987 | 1 | vkontakte-mail
4 | collaboration | email | browser-based | 152,189 | 17 | web-de-mail
4 | collaboration | email | browser-based | 133,508 | 53 | daum-mail
5 | collaboration | email | browser-based | 71,195 | 6 | horde
4 | collaboration | email | client-server | 64,471 | 15 | blackberry
4 | collaboration | instant-messaging | client-server | 3,418,496,987 | 64,225 | msn-base
5 | collaboration | instant-messaging | client-server | 360,139,514 | 7,554 | jabber
4 | collaboration | instant-messaging | client-server | 173,391,453 | 21,870 | qq-base
4 | collaboration | instant-messaging | browser-based | 36,461,480 | 1,917 | boldchat-logmein
4 | collaboration | instant-messaging | client-server | 8,301,258 | 976 | yahoo-im-base
4 | collaboration | instant-messaging | client-server | 6,281,398 | 16 | google-talk-base
5 | collaboration | instant-messaging | client-server | 1,163,703 | 27 | irc-base
4 | collaboration | instant-messaging | browser-based | 1,060,643 | 72 | imo
4 | collaboration | instant-messaging | browser-based | 646,832 | 7 | im-plus
4 | collaboration | instant-messaging | browser-based | 5,712 | 2 | mibbit
4 | collaboration | internet-conferencing | client-server | 15,938 | 2 | att-connect
4 | collaboration | social-networking | browser-based | 458,238,547,883 | 2,803,212 | facebook-base
4 | collaboration | social-networking | browser-based | 172,174,536 | 4,901 | myspace-base
4 | collaboration | social-networking | browser-based | 116,633,736 | 25,065 | sina-weibo-base
4 | collaboration | social-networking | browser-based | 79,669,090 | 3,197 | vkontakte-base
4 | collaboration | social-networking | browser-based | 33,737,076 | 2,970 | mail.ru-base
5 | collaboration | social-networking | browser-based | 15,839,744 | 3,156 | stumbleupon
5 | collaboration | social-networking | browser-based | 2,795,346 | 81 | netlog
4 | collaboration | social-networking | browser-based | 1,322,161 | 122 | odnoklassniki-base
4 | collaboration | social-networking | browser-based | 280,491 | 11 | reddit-posting
4 | collaboration | social-networking | browser-based | 83,599 | 10 | plaxo
4 | collaboration | social-networking | browser-based | 76,333 | 2 | bebo-posting
4 | collaboration | social-networking | browser-based | 64,950 | 17 | facebook-apps
4 | collaboration | social-networking | browser-based | 27,174 | 11 | twitter-posting
5 | collaboration | voip-video | peer-to-peer | 59,618,467,085 | 3,221,776 | skype
4 | collaboration | voip-video | peer-to-peer | 1,995,779,196 | 3,230,430 | sip
4 | collaboration | voip-video | peer-to-peer | 573,677 | 72 | yahoo-voice
4 | collaboration | voip-video | client-server | 3,054 | 1 | ringcentral


4 | collaboration | web-posting | browser-based | 1,307,236,533 | 1,600 | blog-posting
4 | general-internet | file-sharing | client-server | 283,528,206,867 | 238,713 | dropbox
4 | general-internet | file-sharing | browser-based | 46,563,876,790 | 138,023 | skydrive-base
5 | general-internet | file-sharing | peer-to-peer | 28,881,153,929 | 3,097,339 | bittorrent
4 | general-internet | file-sharing | client-server | 11,871,957,485 | 3,210 | sugarsync
5 | general-internet | file-sharing | client-server | 5,845,003,647 | 89,572 | ftp
5 | general-internet | file-sharing | browser-based | 1,695,791,662 | 9,248 | google-drive-web
4 | general-internet | file-sharing | browser-based | 1,445,623,483 | 857 | 4shared
4 | general-internet | file-sharing | browser-based | 479,259,068 | 812 | mediafire
5 | general-internet | file-sharing | browser-based | 431,462,025 | 11,021 | webdav
4 | general-internet | file-sharing | client-server | 129,266,634 | 2,049 | mendeley-base
5 | general-internet | file-sharing | client-server | 88,556,032 | 46 | qq-file-transfer
4 | general-internet | file-sharing | browser-based | 81,613,115 | 467 | docstoc-base
4 | general-internet | file-sharing | browser-based | 68,963,056 | 18 | filedropper
4 | general-internet | file-sharing | client-server | 32,188,254 | 413 | tftp
4 | general-internet | file-sharing | browser-based | 11,903,152 | 27 | sharefile-base
4 | general-internet | file-sharing | client-server | 7,613,421 | 599 | live-mesh-base
5 | general-internet | file-sharing | browser-based | 6,528,254 | 14 | filemail
4 | general-internet | file-sharing | browser-based | 4,181,493 | 4 | boxnet-uploading
5 | general-internet | file-sharing | peer-to-peer | 3,227,736 | 1,082 | imesh
5 | general-internet | file-sharing | browser-based | 1,642,823 | 25 | transferbigfiles
4 | general-internet | file-sharing | browser-based | 716,670 | 119 | putlocker
4 | general-internet | file-sharing | browser-based | 548,940 | 6 | amazon-cloud-drive-uploading
4 | general-internet | file-sharing | client-server | 104,285 | 31 | bittorrent-sync
5 | general-internet | file-sharing | peer-to-peer | 103,118 | 9 | xunlei
5 | general-internet | file-sharing | peer-to-peer | 54,645 | 42 | ares
5 | general-internet | file-sharing | peer-to-peer | 45,262 | 6 | perfect-dark
4 | general-internet | file-sharing | peer-to-peer | 25,701 | 8 | qq-download
4 | general-internet | file-sharing | browser-based | 3,647 | 1 | amazon-cloud-drive-base
4 | general-internet | file-sharing | browser-based | 2,881 | 1 | sendspace
5 | general-internet | file-sharing | peer-to-peer | 2,184 | 5 | manolito
4 | general-internet | file-sharing | browser-based | 1,367 | 1 | megaupload
5 | general-internet | file-sharing | peer-to-peer | 1,162 | 1 | flashget
5 | general-internet | file-sharing | peer-to-peer | 736 | 8 | gnutella
5 | general-internet | file-sharing | peer-to-peer | 320 | 4 | emule
4 | general-internet | internet-utility | browser-based | 1,631,386,835,655 | 24,677,404 | web-browsing
4 | general-internet | internet-utility | client-server | 261,150,104,235 | 18,239 | apple-appstore
4 | general-internet | internet-utility | browser-based | 136,731,505,886 | 290,959 | flash
4 | general-internet | internet-utility | browser-based | 3,542,694,341 | 22,862 | web-crawler
5 | general-internet | internet-utility | client-server | 2,510,740,695 | 41,336 | rss
4 | general-internet | internet-utility | browser-based | 54,116,785 | 71 | zamzar
4 | general-internet | internet-utility | client-server | 10,352,470 | 435 | opera-mini
4 | general-internet | internet-utility | browser-based | 4,041,059 | 23 | puffin
5 | general-internet | internet-utility | client-server | 3,528,989 | 510 | yunpan360-base
4 | general-internet | internet-utility | peer-to-peer | 1,476,028 | 123 | bitcoin
4 | general-internet | internet-utility | client-server | 447,634 | 48 | atom
4 | general-internet | internet-utility | client-server | 387,719 | 56 | google-desktop
5 | general-internet | internet-utility | peer-to-peer | 256 | 4 | trinoo
5 | media | audio-streaming | browser-based | 41,333,822,037 | 12,619 | http-audio
4 | media | audio-streaming | browser-based | 457,438 | 14 | pandora-tv
4 | media | gaming | client-server | 164,638,546 | 387 | source-engine
4 | media | gaming | client-server | 14,349,877 | 143 | second-life-base
4 | media | gaming | client-server | 5,301,827 | 35 | all-slots-casino
4 | media | gaming | browser-based | 208,340 | 2 | poker-stars
4 | media | gaming | browser-based | 120,413 | 14 | hangame
4 | media | gaming | browser-based | 11,870 | 1 | party-poker


4 | media | gaming | client-server | 1,167 | 1 | nintendo-wfc
5 | media | photo-video | browser-based | 670,778,391,845 | 149,378 | http-video
4 | media | photo-video | browser-based | 185,675,090,016 | 325,651 | youtube-base
4 | media | photo-video | browser-based | 137,455,420,981 | 8,789 | rtmp
4 | media | photo-video | browser-based | 118,829,682,387 | 10,684 | twitch
4 | media | photo-video | browser-based | 103,797,717,032 | 55,105 | facebook-video
4 | media | photo-video | browser-based | 83,688,892,961 | 2,276 | rtmpe
4 | media | photo-video | browser-based | 38,174,183,085 | 4,060 | limelight
5 | media | photo-video | browser-based | 23,868,318,628 | 23,772 | vimeo-base
4 | media | photo-video | browser-based | 13,087,350,538 | 8,120 | dailymotion
4 | media | photo-video | browser-based | 11,963,436,033 | 66 | youtube-uploading
4 | media | photo-video | browser-based | 10,501,125,096 | 14,492 | imgur-base
5 | media | photo-video | browser-based | 5,800,646,184 | 703 | youku-base
5 | media | photo-video | peer-to-peer | 4,174,432,873 | 16,813 | sopcast
4 | media | photo-video | browser-based | 2,921,185,382 | 30,598 | rtmpt
5 | media | photo-video | client-server | 2,900,209,687 | 34,881 | funshion
4 | media | photo-video | peer-to-peer | 2,716,855,394 | 47,741 | pplive
4 | media | photo-video | peer-to-peer | 730,205,163 | 486 | qvod
4 | media | photo-video | client-server | 522,525,240 | 1,292 | sky-player
5 | media | photo-video | browser-based | 491,496,536 | 5 | asf-streaming
4 | media | photo-video | peer-to-peer | 177,333,186 | 1,547 | baofeng
5 | media | photo-video | browser-based | 92,645,324 | 1,524 | brightcove
4 | media | photo-video | browser-based | 59,139,254 | 18 | niconico-douga
4 | media | photo-video | peer-to-peer | 8,883,348 | 1,157 | ppstream
5 | media | photo-video | browser-based | 7,456,776 | 229 | tudou
4 | media | photo-video | browser-based | 428,361 | 12 | veetle
4 | media | photo-video | browser-based | 331,122 | 3 | yahoo-douga
4 | media | photo-video | peer-to-peer | 91,330 | 158 | qqlive
4 | media | photo-video | browser-based | 74,762 | 10 | metacafe
4 | media | photo-video | browser-based | 6,201 | 2 | socialtv
4 | networking | encrypted-tunnel | browser-based | 4,352,702,784,981 | 30,771,692 | ssl
4 | networking | encrypted-tunnel | client-server | 17,923,979,163 | 191,538 | ssh
4 | networking | encrypted-tunnel | client-server | 744,854,189 | 18,856 | hola-unblocker
4 | networking | encrypted-tunnel | client-server | 315,442,990 | 1 | frozenway
4 | networking | encrypted-tunnel | client-server | 22,845,550 | 50 | tor
5 | networking | encrypted-tunnel | peer-to-peer | 11,244,503 | 11,313 | freenet
5 | networking | encrypted-tunnel | peer-to-peer | 1,212,995 | 20 | hamachi
5 | networking | encrypted-tunnel | client-server | 505,358 | 1,586 | packetix-vpn
4 | networking | encrypted-tunnel | client-server | 222,680 | 10 | tcp-over-dns
4 | networking | infrastructure | network-protocol | 30,909,552,049 | 78,364,019 | dns
4 | networking | ip-protocol | network-protocol | 7,434,661 | 49,798 | icmp
5 | networking | proxy | browser-based | 717,221,024 | 25,868 | http-proxy
4 | networking | proxy | client-server | 147,742,139 | 4,286 | freegate
5 | networking | proxy | browser-based | 38,995,174 | 118 | glype-proxy
4 | networking | proxy | browser-based | 91,889 | 20 | labnol-proxy
5 | networking | proxy | browser-based | 14,277 | 1 | phproxy
5 | networking | proxy | network-protocol | 3,411 | 6 | socks
5 | networking | proxy | browser-based | 1,369 | 1 | cgiproxy
4 | networking | proxy | browser-based | 971 | 1 | vtunnel
4 | networking | remote-access | client-server | 658,816,248,414 | 13,792,960 | ms-rdp
4 | networking | remote-access | client-server | 637,837,735 | 2,197 | logmein
5 | networking | remote-access | client-server | 583,873,516 | 624,891 | vnc-base
4 | networking | remote-access | client-server | 34,822,274 | 32 | screenconnect
4 | networking | remote-access | client-server | 15,399,002 | 11 | bomgar
4 | networking | remote-access | network-protocol | 4,860,488 | 171 | pptp
4 | networking | remote-access | client-server | 31,644 | 6 | remoteview


Figure 2: High risk applications (rating of 4 or 5) that are traversing the network.
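The counts quoted in the key observations on page 4 (proxy 8, remote access 7, P2P 24, and so on) can be recomputed directly from Figure 2, which is a useful check when a report like this is handed over as a PDF export rather than as firewall data. The following Python is an added example, not part of the Xchanging or Palo Alto Networks report: it parses rows in the form the extracted Figure 2 text takes, where the Sessions and Application columns have run together ("25,868http-proxy"), splits them apart, and rebuilds the groupings the key observations use. The embedded rows are a subset copied from Figure 2 (all proxy and remote-access rows plus three others, including 4shared, whose name begins with a digit and would be mis-split by a naive "take the trailing letters" rule); the function and constant names are mine.

```python
import re
from collections import Counter

# Rows copied from Figure 2 of the report (a subset: all proxy and remote-access
# rows, plus a few file-sharing and tunnel rows). In the extracted text the
# Sessions and Application columns ran together, e.g. "25,868http-proxy".
EXTRACTED_ROWS = """\
5 networking proxy browser-based 717,221,024 25,868http-proxy
4 networking proxy client-server 147,742,139 4,286freegate
5 networking proxy browser-based 38,995,174 118glype-proxy
4 networking proxy browser-based 91,889 20labnol-proxy
5 networking proxy browser-based 14,277 1phproxy
5 networking proxy network-protocol 3,411 6socks
5 networking proxy browser-based 1,369 1cgiproxy
4 networking proxy browser-based 971 1vtunnel
4 networking remote-access client-server 658,816,248,414 13,792,960ms-rdp
4 networking remote-access client-server 637,837,735 2,197logmein
5 networking remote-access client-server 583,873,516 624,891vnc-base
4 networking remote-access client-server 34,822,274 32screenconnect
4 networking remote-access client-server 15,399,002 11bomgar
4 networking remote-access network-protocol 4,860,488 171pptp
4 networking remote-access client-server 31,644 6remoteview
5 general-internet file-sharing peer-to-peer 28,881,153,929 3,097,339bittorrent
4 general-internet file-sharing browser-based 1,445,623,483 8574shared
4 networking encrypted-tunnel client-server 222,680 10tcp-over-dns
"""

# A grouped integer as the report prints it: 1-3 digits, then optional ",ddd" groups.
GROUPED_INT = r"\d{1,3}(?:,\d{3})*"

ROW_RE = re.compile(
    r"^(?P<risk>[1-5]) (?P<category>\S+) (?P<subcategory>\S+) (?P<technology>\S+) "
    rf"(?P<bytes>{GROUPED_INT}) (?P<fused>\S+)$"
)
# Split "25,868http-proxy" into sessions and application. Because the Sessions
# column always uses thousands separators, a run of more than three leading
# digits cannot all belong to the count: "8574shared" is 857 sessions of "4shared".
# (A count of fewer than three digits followed by a name that starts with a digit
# would still be ambiguous; check against the App-ID name list if that matters.)
FUSED_RE = re.compile(rf"^(?P<sessions>{GROUPED_INT})(?P<application>\S+)$")


def to_int(grouped):
    return int(grouped.replace(",", ""))


def parse_row(line):
    """Parse one extracted table row into a dict with integer byte/session counts."""
    m = ROW_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a table row: {line!r}")
    f = FUSED_RE.match(m["fused"])
    if f is None:
        raise ValueError(f"cannot split sessions/application: {m['fused']!r}")
    return {
        "risk": int(m["risk"]),
        "category": m["category"],
        "subcategory": m["subcategory"],
        "technology": m["technology"],
        "bytes": to_int(m["bytes"]),
        "sessions": to_int(f["sessions"]),
        "application": f["application"],
    }


def parse_table(text):
    return [parse_row(line) for line in text.splitlines() if line.strip()]


def key_observation_counts(rows):
    """Recompute the groupings the report's key observations are built from."""
    return {
        "proxy": sum(r["subcategory"] == "proxy" for r in rows),
        "remote-access": sum(r["subcategory"] == "remote-access" for r in rows),
        "encrypted-tunnel": sum(r["subcategory"] == "encrypted-tunnel" for r in rows),
        # The report's "P2P (24)" counts every row whose technology is peer-to-peer.
        "p2p": sum(r["technology"] == "peer-to-peer" for r in rows),
        "browser-based file-sharing": sum(
            r["subcategory"] == "file-sharing" and r["technology"] == "browser-based"
            for r in rows
        ),
        "risk-5": sum(r["risk"] == 5 for r in rows),
    }


def top_by_bytes(rows, n=3):
    return [r["application"] for r in sorted(rows, key=lambda r: r["bytes"], reverse=True)[:n]]


def bytes_by_subcategory(rows):
    totals = Counter()
    for r in rows:
        totals[r["subcategory"]] += r["bytes"]
    return totals


if __name__ == "__main__":
    rows = parse_table(EXTRACTED_ROWS)
    for name, count in key_observation_counts(rows).items():
        print(f"{name:28s} {count}")
    print("top by bytes:", top_by_bytes(rows))
    for sub, total in bytes_by_subcategory(rows).most_common():
        print(f"{sub:18s} {total / 1e9:10.3f} GB")
```

Run against all 166 rows of Figure 2 the same functions return proxy 8, remote-access 7, p2p 24 and browser-based file-sharing 16, matching the report; with the subset above they return 8, 7, 1 and 1. The split rule depends on the thousands separators, so it should not be reused on exports that print raw integers.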


Application Characteristics That Determine Risk

The Palo Alto Networks research team uses the application behavioral characteristics to determine a risk rating of 1 through 5. The characteristics are an integral piece of the application visibility that administrators can use to learn more about a new application that they may find on the network and, in turn, make a more informed decision about how to treat the application.

Application Behavioral Characteristic Definitions

Prone to misuse: used for malicious purposes, or easily configured to expose more than intended. Examples include external proxy, remote access, and P2P file sharing applications.

Tunnels other applications: able to transport other applications. Examples include SSH and SSL as well as UltraSurf, TOR, RTSP and RTMPT.

Has known vulnerabilities: the application has had publicly known vulnerability exploits.

Transfers files: able to transfer files from one network to another. Examples include file sharing and file transfer applications of all types, as well as IM and email.

Used by malware: has been used to propagate malware, initiate an attack or steal data. Applications that are used by malware include the collaboration (email, IM, etc.) and general Internet (file sharing, Internet utilities) categories.

Consumes bandwidth: the application regularly consumes 1 Mbps or more through normal use. Examples include P2P and streaming media, as well as software updates and other business applications.

Evasive: uses a port or protocol for something other than its intended purpose, either to ease deployment or to hide from existing security infrastructure.

With the knowledge of which applications are traversing the network, their individual characteristics and which employees are using them, Sample A customer can more effectively decide how to treat the application traffic through associated security policies. Note that many applications carry multiple behavioral characteristics.

[Figure 3 (horizontal bar chart), titled "Application Behavioral Characteristics"; x-axis "Number of Applications" (0 to 180); one bar each for Evasive, Consumes Bandwidth, Prone to Misuse, Tunnels Other Applications, Has Known Vulnerabilities, Transfers Files and Used By Malware. The bar values as extracted are 103, 76, 69, 76, 147, 145 and 94; the extraction does not preserve which value belongs to which bar.]

Figure 3: Behavioral characteristics of the high risk applications detected


Top Applications Traversing the Network

The top 35 applications (based on bandwidth consumption), sorted by category and subcategory, are shown below. The ability to view the application category, subcategory and technology is complemented by the behavioral characteristics (previous page), resulting in a more complete picture of the business benefit an application may provide.

Risk | Category | Sub-Category | Technology | Bytes | Sessions | Application
2 | business-systems | database | client-server | 82,837,503,040 | 177,494 | oracle
2 | business-systems | management | client-server | 30,076,404,190,296 | 909,029 | vmware
4 | business-systems | software-update | client-server | 107,556,615,688 | 103,116 | ms-update
3 | business-systems | software-update | client-server | 99,718,049,051 | 10,267 | apple-update
1 | business-systems | storage-backup | client-server | 29,501,840,855,278 | 39,910 | hp-data-protector
3 | business-systems | storage-backup | client-server | 4,491,294,505,732 | 1,454,391 | ms-ds-smb
4 | business-systems | storage-backup | client-server | 393,683,148,433 | 227 | crashplan
3 | business-systems | storage-backup | client-server | 53,762,037,619 | 117 | rsync
3 | collaboration | email | browser-based | 244,088,023,745 | 529,622 | outlook-web-online
4 | collaboration | email | client-server | 114,810,462,577 | 149,344 | ms-exchange
5 | collaboration | email | client-server | 75,973,820,383 | 1,045,594 | smtp
2 | collaboration | instant-messaging | client-server | 177,722,654,812 | 98,827 | snapchat
4 | collaboration | social-networking | browser-based | 458,238,547,883 | 2,803,212 | facebook-base
2 | collaboration | social-networking | browser-based | 68,123,679,860 | 138,566 | tumblr-base
5 | collaboration | voip-video | peer-to-peer | 59,618,467,085 | 3,221,776 | skype
4 | general-internet | file-sharing | client-server | 283,528,206,867 | 238,713 | dropbox
4 | general-internet | file-sharing | browser-based | 46,563,876,790 | 138,023 | skydrive-base
4 | general-internet | internet-utility | browser-based | 1,631,386,835,655 | 24,677,404 | web-browsing
4 | general-internet | internet-utility | client-server | 261,150,104,235 | 18,239 | apple-appstore
4 | general-internet | internet-utility | browser-based | 136,731,505,886 | 290,959 | flash
2 | media | audio-streaming | client-server | 55,529,545,174 | 82,053 | soundcloud-base
3 | media | audio-streaming | client-server | 52,590,177,073 | 383,687 | itunes-base
3 | media | audio-streaming | client-server | 47,211,179,679 | 2,587 | itunes-mediastore
5 | media | photo-video | browser-based | 670,778,391,845 | 149,378 | http-video
3 | media | photo-video | browser-based | 353,311,988,035 | 7,266 | netflix-streaming
4 | media | photo-video | browser-based | 185,675,090,016 | 325,651 | youtube-base
2 | media | photo-video | client-server | 158,963,368,452 | 822,701 | instagram
4 | media | photo-video | browser-based | 137,455,420,981 | 8,789 | rtmp
4 | media | photo-video | browser-based | 118,829,682,387 | 10,684 | twitch
4 | media | photo-video | browser-based | 103,797,717,032 | 55,105 | facebook-video
4 | media | photo-video | browser-based | 83,688,892,961 | 2,276 | rtmpe
3 | media | photo-video | browser-based | 62,858,954,539 | 62,900 | bbc-iplayer
4 | networking | encrypted-tunnel | browser-based | 4,352,702,784,981 | 30,771,692 | ssl
1 | networking | infrastructure | browser-based | 174,739,105,602 | 2,827,050 | quic
4 | networking | remote-access | client-server | 658,816,248,414 | 13,792,960 | ms-rdp

Figure 4: Top applications that are consuming the most bandwidth, sorted by category, subcategory and technology

Key observations on top 35 (out of 674) applications in use:

The most common types of applications are photo-video and storage-backup.


Application Subcategories

The subcategory breakdown of all the applications found, sorted by bandwidth consumption, provides an excellent summary of where application usage is heaviest. These data points can help IT organizations more effectively prioritize their application enablement efforts.

Sub-Category | Number of Applications | Bytes Consumed | Sessions Consumed
storage-backup | 10 | 34,440,620,476,748 | 1,497,686
management | 51 | 30,099,962,605,750 | 1,860,331
encrypted-tunnel | 21 | 4,416,401,572,459 | 31,032,263
internet-utility | 57 | 2,092,937,777,279 | 35,163,279
photo-video | 78 | 2,076,345,607,808 | 1,734,334
remote-access | 27 | 669,894,173,893 | 14,481,326
social-networking | 50 | 632,257,236,928 | 4,102,693
email | 30 | 480,148,284,942 | 2,316,240
file-sharing | 59 | 428,628,539,987 | 3,669,760
software-update | 24 | 282,824,882,663 | 639,829
audio-streaming | 26 | 269,137,369,979 | 521,549
infrastructure | 30 | 252,768,501,367 | 86,812,626
instant-messaging | 39 | 207,045,275,023 | 615,912
database | 11 | 111,155,149,363 | 428,252
voip-video | 29 | 97,408,688,396 | 11,669,794
office-programs | 11 | 38,118,048,763 | 94,867
internet-conferencing | 11 | 35,457,107,927 | 1,772
auth-service | 6 | 26,380,855,882 | 2,951,790
gaming | 25 | 21,266,317,263 | 96,922
social-business | 12 | 20,683,349,506 | 76,916
general-business | 32 | 16,737,758,706 | 197,675
routing | 3 | 15,819,548,267 | 17,390
erp-crm | 10 | 13,249,981,773 | 11,995
proxy | 9 | 4,700,735,611 | 37,700
web-posting | 9 | 1,763,745,746 | 42,050
ip-protocol | 4 | 1,713,792,682 | 110,550
Grand Total | 674 | 76,753,427,384,711 | 200,185,501

Figure 5: Subcategory breakdown of all the applications found, sorted by bytes consumed.

Key observations on application subcategories:

The application subcategories that are consuming the highest amount of bandwidth are: storage-backup, management, encrypted-tunnel.


Applications That Use HTTP

The top 25 applications (based on bandwidth consumed) that use HTTP in some way (but may not use port 80) are shown below. Many applications use HTTP to speed deployment and simplify access, while non-business applications may use it to bypass security. Knowing exactly which applications use HTTP is a critical data point when assembling an application enablement policy.

Risk | Technology | Bytes | Sessions | HTTP Application
2 | client-server | 30,076,404,190,296 | 909,029 | vmware
1 | client-server | 29,501,840,855,278 | 39,910 | hp-data-protector
4 | browser-based | 1,631,386,835,655 | 24,677,404 | web-browsing
5 | browser-based | 670,778,391,845 | 149,378 | http-video
4 | browser-based | 458,238,547,883 | 2,803,212 | facebook-base
3 | browser-based | 353,311,988,035 | 7,266 | netflix-streaming
4 | client-server | 283,528,206,867 | 238,713 | dropbox
4 | client-server | 261,150,104,235 | 18,239 | apple-appstore
3 | browser-based | 244,088,023,745 | 529,622 | outlook-web-online
2 | client-server | 177,722,654,812 | 98,827 | snapchat
2 | client-server | 158,963,368,452 | 822,701 | instagram
4 | browser-based | 136,731,505,886 | 290,959 | flash
4 | browser-based | 118,829,682,387 | 10,684 | twitch
4 | client-server | 114,810,462,577 | 149,344 | ms-exchange
4 | client-server | 107,556,615,688 | 103,116 | ms-update
4 | browser-based | 103,797,717,032 | 55,105 | facebook-video
3 | client-server | 99,718,049,051 | 10,267 | apple-update
2 | browser-based | 68,123,679,860 | 138,566 | tumblr-base
3 | browser-based | 62,858,954,539 | 62,900 | bbc-iplayer
5 | peer-to-peer | 59,618,467,085 | 3,221,776 | skype
2 | client-server | 55,529,545,174 | 82,053 | soundcloud-base
3 | client-server | 52,590,177,073 | 383,687 | itunes-base
3 | client-server | 47,211,179,679 | 2,587 | itunes-mediastore
4 | browser-based | 46,563,876,790 | 138,023 | skydrive-base
2 | browser-based | 44,298,631,343 | 700,753 | twitter-base

Figure 6: Top HTTP applications identified ranked in terms of bytes consumed.

Key observations on top 25 (out of 521) HTTP applications in use:

There is a mix of both work and non-work related applications traversing the network that can use HTTP in some way or another.


Top URL Categories in Use

Identifying and controlling both the applications traversing the network and the web sites a user is allowed to visit is an ideal approach to safely enabling applications. As a result, organizations are protected from a full spectrum of legal, regulatory, productivity and resource utilization risks. The most commonly visited URL categories are shown in the table below.

| Count | URL Category |
|---|---|
| 57 | not-resolved |

Figure 7: Top URL categories visited

Key observations on the top 25 most frequently visited URL categories:

The URL category report shows a mix of work and non-work related web activity.


Application Vulnerabilities Discovered

The increased visibility into the applications on the network, regardless of port hopping, tunneling or other evasive tactics that may be used, extends into vulnerability exploit protection to ensure that the threat is detected and blocked. The application vulnerabilities discovered on the network, ranked by severity and count, are shown in the table below.

| Category | Severity | Count | Threat Name | Application |
|---|---|---|---|---|
| | Critical | 240 | WordPress Login BruteForce Attempt | http-proxy |
| | Critical | 199 | WordPress Login BruteForce Attempt | web-browsing |
| | Critical | 44 | Bash Remote Code Execution Vulnerability | web-browsing |
| | Critical | 3 | Microsoft Internet Explorer XSS Filter Bypass Vulnerability | web-browsing |
| | Critical | 1 | Bash Remote Code Execution Vulnerability | adobe-meeting |
| | Critical | 1 | Fiesta Exploit Kit Detection | web-browsing |
| | Critical | 1 | Bash Remote Code Execution Vulnerability | web-browsing |
| brute-force | High | 10,581 | SSH User Authentication Brute-force Attempt | ssh |
| brute-force | High | 882 | HTTP Unauthorized Brute-force Attack | sharepoint-base |
| brute-force | High | 882 | HTTP: User Authentication Brute-force Attempt | sharepoint-base |
| brute-force | High | 744 | SIP Register Message Brute-force Attack | sip |
| brute-force | High | 682 | HTTP Unauthorized Brute-force Attack | web-browsing |
| brute-force | High | 661 | HTTP: User Authentication Brute-force Attempt | web-browsing |
| brute-force | High | 137 | SMB: User Password Brute-force Attempt | ms-ds-smb |
| code-execution | High | 106 | Generic HTTP Cross Site Scripting Attempt | web-browsing |
| brute-force | High | 54 | MS-RDP Brute-force Attempt | ms-rdp |
| brute-force | High | 41 | HTTP Unauthorized Brute-force Attack | flash |
| brute-force | High | 41 | HTTP: User Authentication Brute-force Attempt | flash |
| brute-force | High | 19 | HTTP Unauthorized Brute-force Attack | silverlight |
| brute-force | High | 19 | HTTP: User Authentication Brute-force Attempt | silverlight |
| code-execution | High | 15 | PHP CGI Query String Parameter Handling Code Injection Vulnerability | web-browsing |
| brute-force | High | 12 | MAIL: User Login Brute-force Attempt | pop3 |
| brute-force | High | 12 | Telnet Authentication Brute-force Attempt | telnet |
| dos | High | 9 | Microsoft IIS Server SChannel Denial of Service Vulnerability | ssl |
| overflow | High | 8 | MailEnable IMAP Server Long Tag anomaly | imap |

Figure 8: Top vulnerabilities identified, sorted by severity and count.

Key observations on the 25 most commonly detected (out of 198) exploits:

The Palo Alto Networks next-generation firewall is providing visibility into vulnerability exploits traversing the network regardless of port or protocol.

Of the 198 vulnerabilities found, 2% are critical, 8% are high and 7% are medium severity. The remainder are low severity or informational.


Spyware and Viruses Discovered on the Network

The increased visibility into the applications on the network, regardless of port hopping, tunneling or other evasive tactics that may be used, helps ensure that spyware, the associated command and control traffic and viruses are detected and blocked. Examples of spyware and viruses discovered on the network are shown in figures 9 and 10 below.

| Type | Severity | Count | Threat Name | Application |
|---|---|---|---|---|
| spyware phone home | Critical | 16,402 | ZeroAccess.Gen Command and Control Traffic | unknown-udp |
| spyware phone home | Critical | 270 | Kazy Detection -- Malformed SSL Client Hello Message | ssl |
| spyware phone home | Critical | 73 | Suspicious.Gen Command And Control Traffic | web-browsing |
| spyware phone home | Critical | 14 | Win32.Conficker.C p2p | unknown-udp |
| spyware phone home | Critical | 3 | Command and Control Traffic to Sinkhole Malware Domain | web-browsing |
| spyware phone home | Critical | 2 | Ramnit.Gen Command and Control Traffic | ssl |
| spyware phone home | Critical | 2 | WGeneric.Gen Command and Control Traffic | web-browsing |
| spyware phone home | Critical | 1 | Suspicious.Gen Command And Control Traffic | web-browsing |
| spyware phone home | Critical | 1 | WireLurker.Gen Command and Control Traffic | web-browsing |
| spyware phone home | Critical | 1 | WGeneric.Gen Command And Control Traffic | web-browsing |
| Suspicious DNS | Medium | 8,028 | Suspicious DNS Query (generic:iwjmvnwsxyq.com) | dns |
| Suspicious DNS | Medium | 7,936 | Suspicious DNS Query (generic:raptr.com) | dns |
| Suspicious DNS | Medium | 2,046 | Suspicious DNS Query (generic:icanhazip.com) | dns |
| Suspicious DNS | Medium | 1,411 | Suspicious DNS Query (generic:nlchyjjdmuij.com) | dns |
| Suspicious DNS | Medium | 850 | Suspicious DNS Query (generic:tpmskqqx.info) | dns |
| Suspicious DNS | Medium | 795 | Suspicious DNS Query (generic:amtuvy.com) | dns |
| Suspicious DNS | Medium | 690 | Suspicious DNS Query (generic:imdgfdt.net) | dns |
| Suspicious DNS | Medium | 636 | Suspicious DNS Query (generic:www.alshaiji.ws) | dns |
| Suspicious DNS | Medium | 520 | Suspicious DNS Query (generic:iliefx.com) | dns |
| Suspicious DNS | Medium | 482 | Suspicious DNS Query (generic:mhmizpootnblhcs.com) | dns |
| Suspicious DNS | Medium | 392 | Suspicious DNS Query (generic:meceus.com) | dns |
| Suspicious DNS | Medium | 198 | Suspicious DNS Query (generic:unbkfmwopmx.net) | dns |
| Suspicious DNS | Medium | 181 | Suspicious DNS Query (generic:softwareziip.info) | dns |
| Suspicious DNS | Medium | 169 | Suspicious DNS Query (generic:fsatkajrwi.com) | dns |
| Suspicious DNS | Medium | 92 | Suspicious DNS Query (generic:glhwhy.com) | dns |

Figure 9: Most common spyware found, sorted by severity and count.


Most Common Viruses Discovered

| Count | Threat Name | Application |
|---|---|---|
| 31 | Trojan-Downloader/Win32.upatre.l | smtp |
| 23 | SoftwareBundler/Win32.gofileexpress.w | ms-ds-smb |
| 20 | Trojan/Win32.prek.c | smtp |
| 16 | Trojan-Downloader/Win32.upatre.l | smtp |
| 16 | Virus/Win32.WGeneric.cbyli | web-browsing |
| 16 | Trojan/MSWord.agent.dmcat | smtp |
| 12 | Virus/Win32.WGeneric.excpt | ms-ds-smb |
| 12 | Trojan-Downloader/Win32.agent.dl | smtp |
| 12 | Virus/Win32.WGeneric.excpm | ms-ds-smb |
| 10 | Virus/Win32.WGeneric.fjylv | smtp |
| 9 | Trojan-Downloader/Win32.upatre.l | smtp |
| 8 | Virus/Win32.dloader.aqvi | smtp |
| 8 | Trojan/Win32.re.dh | smtp |
| 7 | Virus/Win32.WGeneric.fgffo | flash |
| 5 | Virus/Win32.WGeneric.fhnnv | ms-ds-smb |
| 4 | Virus/Win32.dloader.aqvj | smtp |
| 4 | Virus/Win32.WGeneric.esqua | web-browsing |
| 4 | Virus/Win32.WGeneric.finjk | web-browsing |
| 4 | Trojan-Downloader/Win32.upatre.mqi | smtp |
| 3 | Trojan-Dropper/Win32.agent.djvam | ms-ds-smb |
| 3 | Trojan/Win32.spnr.aqqd | web-browsing |
| 3 | Virus/Win32.sality.daqvp | web-browsing |
| 3 | Trojan-Downloader/Win32.upatre.m | pop3 |
| 3 | Virus/Win32.WGeneric.fixht | web-browsing |
| 3 | Trojan/Win32.Itsproc.a | netease-mail |

Figure 10: Most common viruses found, sorted by count.

Key observations on the most commonly detected (out of 145) spyware and viruses:

The Palo Alto Networks next-generation firewall is providing visibility into the viruses and spyware traversing the network, regardless of port or protocol.

The most common type of malware found is Suspicious DNS.


Modern Malware Discovered on the Network

A summary of the 155 files analyzed by WildFire during the seven days prior to 20 May 2015 shows that there were 92 pieces of malware found.

Modern Malware Antivirus Vendor Coverage Summary

A summary of the antivirus (AV) vendors who had coverage for the malware found by WildFire, based on VirusTotal (VT) statistics, is shown below.

Modern Malware Detected by Day

[Bar chart: malware detected per day, Sunday through Saturday, with each bar broken down by antivirus vendor coverage. Legend: Covered by 4+, Coverage from 1 to 3, No Coverage in VirusTotal.]

Figure 11: Antivirus vendor coverage for malware detected by WildFire based on VirusTotal statistics.

Sample Malware Detected by WildFire

The list below provides some examples of the malicious files detected by WildFire along with the VirusTotal vendor coverage. The first 30 characters of the filename are shown along with the MD5 checksum, which can be used to investigate the sample in more detail using the WildFire console.

| Filename | MD5 | Application | AV Vendor Coverage |
|---|---|---|---|
| eDraw_Max_6.0.0.1901_with_CRAC | 0a1f11d84a22c02553f0d0e6e34b9dca | web-browsing | Unknown to VT |
| PO#22-15PFI IKF MSC Belgium NV | 4d694324baf2f2f5f30905c363b2004c | pop3 | Unknown to VT |
| cfutmxv.exe | 8c0c76d301217c9be5cb4e8d5dbc8585 | smtp | Unknown to VT |
| trip.zip | 8c0c76d301217c9be5cb4e8d5dbc8585 | smtp | Unknown to VT |
| fax_data.exe | b3e5cd2a85b6dbe49539fe53286697f0 | pop3 | Unknown to VT |

Figure 12: Examples of malicious files detected by WildFire.

Key observations on the modern malware discovered by WildFire:

The data above shows the presence of 89 malicious files traversing the network that would not have been detected without WildFire analysis. These modern threats are often the leading edge of a sophisticated attack, making detection and remediation a key component of any layered defense strategy.


Files and File Types Traversing the Network

Applications that transfer files are an integral part of today’s business environment. Knowing which types of files and content are traversing the network can help organizations mitigate a range of business and security threats. The table below shows the most common file and content types along with the associated application.

| File/Content Name | Data or File | Transfer Direction | Application Used | Count |
|---|---|---|---|---|
| Microsoft PE File | file | Download | ms-ds-smb | 46,680 |
| Microsoft PE File | file | Upload | ms-ds-smb | 19,863 |
| Microsoft PE File | file | Download | web-browsing | 12,337 |
| Microsoft PE File | file | Download | google-update | 3,800 |
| Microsoft PE File | file | Download | ms-update | 3,311 |
| Microsoft PE File | file | Download | silverlight | 1,758 |
| Microsoft PE File | file | Download | avg-update | 1,121 |
| Microsoft PE File | file | Upload | smtp | 356 |
| Microsoft PE File | file | Download | symantec-av-update | 145 |
| Microsoft PE File | file | Download | http-audio | 112 |
| Microsoft PE File | file | Download | google-cloud-storage-base | 67 |
| Microsoft PE File | file | Download | pop3 | 47 |
| Microsoft PE File | file | Download | ms-sms | 47 |
| Microsoft PE File | file | Download | logmein | 42 |
| Microsoft PE File | file | Download | sourceforge-file-transfer | 40 |
| Microsoft PE File | file | Download | netflix-base | 40 |
| Microsoft PE File | file | Download | java-update | 36 |
| Microsoft PE File | file | Download | shoutcast | 34 |
| Microsoft PE File | file | Download | adobe-update | 30 |
| Microsoft PE File | file | Download | flash | 28 |
| Microsoft PE File | file | Download | web-crawler | 24 |
| Microsoft PE File | file | Download | avast-av-update | 22 |
| Microsoft PE File | file | Download | sharepoint-base | 20 |
| Microsoft PE File | file | Download | skype | 16 |
| Microsoft PE File | file | Download | funshion | 12 |
| Microsoft PE File | file | Download | apple-appstore | 9 |
| Microsoft PE File | file | Download | mediafire | 7 |
| Microsoft PE File | file | Download | ftp | 7 |
| Microsoft PE File | file | Download | netease-mail | 7 |
| Microsoft PE File | file | Download | apple-update | 6 |

Figure 13: File and content types traversing the network, sorted by type, then by count.

Key observations on the files and content traversing the network:

Files were identified by their actual type (as opposed to looking only at the file extension), and confidential data patterns (credit card and social security numbers) were detected during the evaluation.


Application Usage by Underlying Technology and Category

The resources consumed (sessions and bytes) based on underlying technology and application subcategory complement the granular application and threat data to provide a more complete summary of the network activity. The charts below show the sessions consumed, based on the underlying application technology, and the bytes consumed, based on the application subcategory.

Figure 13: Application usage by category and by technology.

Usage by technology in sessions as a percentage of total

| Technology | Sessions (% of total) |
|---|---|
| network-protocol | 43% |
| browser-based | 32% |
| client-server | 15% |
| peer-to-peer | 8% |

Usage by category in bytes as a percentage of total

| Category | Bytes (% of total) |
|---|---|
| storage-backup | 41% |
| management | 36% |
| encrypted-tunnel | 5% |
| internet-utility | 2% |
| photo-video | 2% |

Key observations on application usage by category and technology:

During the evaluation, network-protocol applications consumed 43% of the sessions.

In terms of application usage by category, storage-backup applications consumed 41% of the overall bandwidth.


Findings:

During the planning phase for the Palo Alto Networks analysis, the Sample A customer team explained that their environment is relatively open, but the inability to see which applications were traversing the network introduces a wide range of business and security risks. The analysis uncovered the following items.

Activity concealment applications were found. Applications that allow IT-savvy users to conceal their activity and bypass security were found on the network.

P2P and browser-based filesharing application usage. P2P and browser-based file sharing applications were found, exposing Sample A customer to security, data loss and copyright infringement risks.

Streaming media and social networking application usage. Applications that are used for entertainment and socializing (media, audio, social networking) were found on the network. These applications represent secure enablement challenges to IT: how to balance morale, recruitment/retention and end-user satisfaction with productivity, threat exposure, compliance, and data loss risks.

Use of Webmail, IM and VoIP. Examples of these personal use applications were found on the network. Many of these applications can easily bypass firewalls and act as threat vectors as well as being an avenue for data leakage.

Recommendations:

Implement safe application enablement policies. Like most organizations, Sample A customer lacks fine-grained policy governing application use, because it hasn't historically been necessary or enforceable. With the growth in user-controlled applications, their tendency to carry evasive characteristics to simplify access, and the threats that take advantage of them, we recommend implementing safe application enablement policies that allow application use in a controlled manner.

Address high risk areas such as P2P and browser-based filesharing. The security and compliance risks associated with these applications may present problems for Sample A customer as employees use these applications to bypass existing traditional controls. Without understanding, categorizing, and mitigating risk in these areas, Sample A customer exposes itself to possible unauthorized data transfer, compliance violations and the associated application-level threats.

Implement policies dictating use of activity concealment applications. Proxy, remote access and encrypted tunnel applications are sometimes used by employees who want to conceal their activity. This represents both business and security risks to Sample A customer. Policies dictating the use of these applications should be implemented.

Regain control over streaming media applications. Sample A customer should look at applying policies to rein in the use of these applications without offending the user community. Possible options would be a time-based schedule, or QoS marking to limit consumption.

Seek Application Visibility and Control. The only way to mitigate the application-level risk is first to know which applications are being used, then what their business and security risks are, and finally to create and enforce an appropriate firewall policy. There are a few technologies that offer some of the visibility required for certain types of applications, but only next-generation firewalls enable organizations to gain visibility across all application traffic and offer the understanding, control, and scalability to suit enterprises. Accordingly, our recommendation involves deploying a Palo Alto Networks firewall in the Sample A customer network and creating safe application enablement policies to ensure that the network is being used according to the organization’s priorities.


Appendix A: Business Risk Definitions

When developing the business risk analysis presented on page 3, the potential impact the application could have on the enterprise and the processes within were taken into account. The resultant risks to the business are defined below.

Productivity. Risk to productivity stems from misuse that can take one of two forms:

• employees are using non-work-related applications instead of doing their job (e.g. social media, personal email, video streaming)

• non-work applications consume so much bandwidth that legitimate applications function poorly (e.g., P2P filesharing, video streaming)

Compliance. Most organizations must comply with an array of government and business regulations; in the US, this includes GLBA, HIPAA, FD, SOX, FISMA, and PCI. Most of these focus on safeguarding an organization’s operational, financial, customer, or employee data. Many of the personal-use applications represent compliance risks to that information, either from a data loss perspective or a threat delivery perspective.

Operational Costs. Risks to operational costs come in two flavors: one, having applications and infrastructure that are used inappropriately to such an extent that more must be bought (e.g., WAN circuits upgraded due to streaming video) to ensure that business processes work, and two, incidents and exploits resulting in IT expense (e.g., rebuilding servers or networks following a security incident involving an exploit or virus).

Business Continuity. Business continuity risks refer to applications (or the threats they carry) that can bring down or otherwise make unavailable critical components of certain business processes. Examples include email, transaction processing applications, or public-facing applications harmed by threats or effectively denied service via excessive consumption of resources by non-business applications.

Data Loss. The risk of data loss is the traditional information security set of risks: those associated with the theft, leakage, or destruction of data. Examples include many public thefts of customer data, theft or inadvertent leak of intellectual property, or destruction of data due to a security threat/breach. A variety of threats play a role, including exploits borne by applications (e.g., social media, P2P filesharing, IM, webmail), and non-business-related applications running on enterprise resources (e.g., P2P filesharing, instant messaging, personal webmail).


Appendix B: Key Palo Alto Networks Technologies and Services

Palo Alto Networks next-generation firewalls safely enable applications, users and content across the entire organization using a combination of technologies and services delivered in either a purpose-built hardware platform or in a virtualized form factor.

App-ID: Using multiple traffic classification mechanisms, App-ID accurately identifies the application as soon as the firewall sees it, regardless of which port the application is using or other evasive technique employed. The application identity becomes the basis for all security policy decisions. Unknown applications are categorized for analysis and systematic management.

User-ID: Allows organizations to extend user-based application enablement policies to any user, regardless of which platform they are using. User-ID seamlessly integrates with a wide range of enterprise directories (Microsoft Active Directory, eDirectory, and Open LDAP) and terminal services offerings (Citrix and Microsoft Terminal Services). Integration with Microsoft Exchange, a Captive Portal, and an XML API enable organizations to extend policy to Apple Mac OS X, Apple iOS, and UNIX users that typically reside outside of the domain.

GlobalProtect: Delivers the same safe application enablement policies that are used at the headquarters site to all users, regardless of location or device. Remote users are automatically and securely connected to the nearest gateway using strong authentication and, as long as they are online, they are connected to the corporate network and protected as if they never left the corporate campus. The result is a consistent set of policies, an improved security posture and a reduction in operational costs.

Content-ID: Prevents vulnerability exploits, malware and the related malware-generated command-and-control traffic using a uniform signature format and a single pass scanning engine that reduces latency. Threat prevention is applied in full application and protocol context to ensure threats are detected and blocked regardless of evasion techniques used. URL filtering enables policy control over web browsing activity, while file and data filtering help control unauthorized data transfer.

WildFire: Identifies custom malware that is not controlled through traditional signatures by directly executing the files in a cloud-based, virtualized sandbox environment. WildFire observes and monitors more than 100 malicious behaviors and the result is delivered to the administrator. If the file is malicious, a signature is automatically developed and delivered to the user community.

Panorama: Enables organizations to manage a network of Palo Alto Networks firewalls from a central location, balancing the need for global, centralized control with local policy flexibility using features such as templates and shared policy. With Panorama, all functions of the devices and/or virtual systems under management can be controlled centrally.

Purpose-built hardware or virtualized platform: The entire set of safe application enablement features is available on a family of purpose-built hardware platforms that range from the PA-200, designed for enterprise branch offices, to the PA-5060, which is a high-speed datacenter firewall. The platform architecture is based on a single pass software engine and uses function-specific processing for networking, security, threat prevention and management to deliver predictable performance. The exact same firewall functionality that is available in the hardware platforms is also available in the VM-Series virtual firewall, allowing organizations to secure virtualized and cloud-based computing environments.


Appendix C: About Data Integration

Data Integration specialise in managed networks, security services, mobility solutions and high performance hosting solutions, delivering scalable and optimal bandwidth applications over a secure and high performance network infrastructure. With 15 years’ experience, Data Integration trust and work with the leading product technology vendors to design, implement and manage networks for its customers to add value to their organisation, meet business demands and protect against networking threats.

Data Integration plays an important role in supporting its customers through business changes and challenges by providing a fully scalable and flexible infrastructure for complete security protection, visibility and control of their network.

Acquired in 2011 by Xchanging, the business process and technology services provider, the company is now part of Xchanging’s Technology business.

For more information on Data Integration, please call +44 (0)20 8875 6500 or visit www.dataintegration.com/@Data_Int_UK.
