Expose The Underground: Advanced Persistent Threats
Jeff Baker
The problem
• Today’s cyber attackers are utilizing an increasingly sophisticated set of evasion tactics
• Disjointed techniques rely on a “whack-a-mole” approach for detection and prevention, leaving enterprises prone to risk
• Volume of attacks is rapidly accelerating, applying strain on a limited population of security specialists
2 | ©2014, Palo Alto Networks. Confidential and Proprietary.
What is an APT?
• Human entity
• Targeted
• Persistent
Modern Attacks are changing...
Target              Date            Motive
Target              Nov 27, 2013    Financial
NY Times            Jan 31, 2013    State-sponsored
CIA                 Feb 10, 2012    Hacktivism
Symantec            Feb 8, 2012     Extortion
Zappos              Jan 15, 2012    Cybercrime
Danish Government   Aug 22, 2011    Government practices
Sony PSN            April 19, 2011  Hacktivism
Epsilon             April 1, 2011   Financial
RSA                 March 17, 2011  State-sponsored
“The biggest problem with that older technology, some say, is that it reacts to threats rather than anticipating them.”
– Austin American Statesman, Jan 19th, 2014
• Attackers: Nation-states, Organized Crime, Political groups
• Easier IT Targets: New Vectors, Extended IT Access, Escalating Tactics
• Concealment: Evasion Techniques, Polymorphic Attacks, High Analysis Volume
Example: Modern Malware Attack
1. Targeted malicious email sent to user
2. User clicks on link to a malicious website
3. Malicious website exploits client-side vulnerability
4. Drive-by download of malicious payload
5. Steal / Control / Relay
Controls shown alongside the steps: URL Filtering, IPS, Behavioral Analysis, Signature Detection
Understanding the Cyber Attack Kill Chain
1. Bait the end-user: End-user lured to a dangerous application or website containing malicious content
2. Exploit: Infected content exploits the end-user, often without their knowledge
3. Download Backdoor: Secondary payload is downloaded in the background. Malware installed
4. Back Channel: Malware establishes an outbound connection to the attacker for ongoing control
5. Explore & Steal: Remote attacker has control inside the network and escalates the attack
(Infiltrate • Lateral Movement • Remove Data)
Need to break it at different points in the chain!
Best-of-breed, disparate solutions or integrated intelligence?
Goal: Break the Kill Chain at Every Possible Step (Automatically)
Controls (App-ID, URL, IPS, Spyware, AV, Files, Unknown Threats) applied across kill-chain steps 1-5: Bait the end-user, Exploit, Download Backdoor, Command/Control
• Block high-risk apps
• Block known malware sites
• Block the exploit
• Block malware
• Prevent drive-by downloads
• Detect 0-day malware
• Block new C2 traffic
• Block spyware, C2 traffic
• Block fast-flux, bad domains
• Block C2 on open ports
When the world was simple
• Two applications: browsing and email
• With predictable application behavior
• In a basic threat environment
• Stateful inspection addresses: Port 80, Port 25
Challenge: More Security = Poor Performance
Traditional Security
• Each security box, blade, or software module robs the network of performance
• Threat prevention technologies are often the worst offenders
• Leads to the classic friction between network and security
[Chart: Best Case Performance with Firewall, Anti-Malware and IPS added in turn; axes: Network Performance vs. Increased Complexity/Cost]
Technology sprawl and creep aren’t the answer
[Diagram: Internet, Enterprise Network, APT]
• “More stuff” doesn’t solve the problem
• Firewall “helpers” have limited view of traffic
• Complex and costly to buy and maintain
• Doesn’t address applications and new cyber threats
UTM’s and blades aren’t the answer either
[Diagram: Internet, UTM or blades, Enterprise Network]
• “More stuff” doesn’t solve the problem
• Firewall “helpers” have limited view of traffic
• Complex and costly to buy and maintain
• Doesn’t address applications and cyber threats
Multi-Step Scanning Ramifications
• Policy Decision #1: Firewall: Allow port 80 (open ports to allow the application)
• Policy Decision #2: App-Control add-on: Allow Facebook
• 300+ applications allowed* (*Based on Palo Alto Networks Application Usage and Risk Report)
• Facebook allowed… what about the other 299 apps?
Key Difference: Ramifications
• Two separate policies: More work. Two policies = double the admin effort (data entry, mgmt, etc). Possible security holes. No policy reconciliation tools to find potential holes.
• Two separate policy decisions: Weakens the FW deny-all-else premise. Applications allowed by port-based FW decision.
• Two separate log databases: Less visibility with more effort. Informed policy decisions require more effort, slows reaction time.
• No concept of unknown traffic: Increased risk. Unknown is found on every network = low volume, high risk. More work, less flexible. Significant effort to investigate; limited ability to manage if it is found.
Tectonic shifts create the perfect storm
• Cloud + SaaS
• Mobile + BYOD
• Cloud + virtualization
• Social + consumerization
• Massive opportunity for cyber criminals
All These Challenges! Where do I Start?
Our fundamentally new approach to enterprise security
• App-ID: Identify the application
• User-ID: Identify the user
• Content-ID: Scan the content
Architectural Differences
Palo Alto Networks
• Operations: once per packet (App-ID, User-ID, Content-ID)
• Parallel Processing (Single Pass-Through)
• Single Policy: includes App-ID, User-ID and Content-ID
• Single Log Entry for one session
Competitor Products
• Several operations per packet introduce performance degradation
• Serial Processing (switching between modules)
• Multiple Policies: Firewall (Ports), IPS, App-Control, AV…
• Separate log entries for one session
How do we reduce risk with this platform approach? Achieve 100% Visibility into Network Traffic (at speed)
[Chart: Risk Level of Today’s Network, reduced step by step:]
• 0: Full Visibility. Limit network traffic to business-relevant applications based on actual usage (App-ID)
• Eliminate all types of known threats/vectors (AV, AS, IPS, URL)
• Eliminate unknown threats (WildFire)
“Safely enable is the new Block”
Single Security Policy: Safely Enabling Applications, Users & Content
• Applications: Safe enablement begins with application classification by App-ID
• Users: Tying users and devices, regardless of location, to applications with User-ID
• Content: Scanning content and protecting against all threats, both known and unknown, with Content-ID
The Benefits of Classifying Traffic in the Firewall
• Policy Decision: Firewall with App-ID: Allow Facebook
Key Difference: Benefit
• Single firewall policy: Less work, more secure. Administrative effort is reduced; potential reconciliation holes eliminated.
• Positive control model: Allow by policy, all else is denied. It’s a firewall.
• Single log database: Less work, more visibility. Policy decisions based on complete information.
• Systematic management of unknowns: Less work, more secure. Quickly identify high-risk traffic and systematically manage it.
NGFW vs. Legacy Firewalls
App-ID
• Firewall Rule: ALLOW SMTP
• SMTP = SMTP: Allow
• Bittorrent ≠ SMTP: Deny
• Visibility: Bittorrent detected and blocked
Legacy Firewalls
• Firewall Rule: ALLOW Port 25
• Packet on Port 25: Allow (SMTP and Bittorrent both pass)
• Visibility: Port 25 allowed
NGFW vs. Legacy Firewall + App IPS
App-ID
• Firewall Rule: ALLOW SMTP
• SMTP = SMTP: Allow
• Bittorrent ≠ SMTP, SSH ≠ SMTP, Skype ≠ SMTP, Ultrasurf ≠ SMTP: Deny
• Command & Control ≠ SMTP: Deny
• Visibility: each app detected and blocked; unknown traffic detected and blocked
Legacy Firewall + App IPS
• Firewall Rule: ALLOW Port 25
• Application IPS Rule: Block Bittorrent
• Bittorrent: Deny. Visibility: Bittorrent detected and blocked
• Packet ≠ Bittorrent (SSH, Skype, Ultrasurf): Allow. Visibility: packets on Port 25 allowed
• C & C ≠ Bittorrent: Allow. Visibility: packet on Port 25 allowed
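The port-based versus application-based decisions in the slides above, together with the two-policy setup of the Multi-Step Scanning slide, as an added Python simulation that is not part of the deck. The flows, addresses and application labels are constructed, and application identification is assumed to be already done so that only the policy logic differs between the three models.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    app: str  # label an application-identification engine gives the flow

# Constructed sample flows: everything rides on TCP port 25, only one is real SMTP.
FLOWS = [
    Flow("10.1.2.4", "203.0.113.10", 25, "smtp"),
    Flow("10.1.2.5", "203.0.113.11", 25, "bittorrent"),
    Flow("10.1.2.6", "203.0.113.12", 25, "ssh"),
    Flow("10.1.2.7", "203.0.113.13", 25, "skype"),
    Flow("10.1.2.8", "203.0.113.14", 25, "unknown"),  # no signature matched: stands in for C&C
]

def legacy_port_firewall(flow, allowed_ports=(25,)):
    """Legacy rule ALLOW Port 25: decide by port only."""
    verdict = "allow" if flow.port in allowed_ports else "deny"
    return verdict, f"port {flow.port} {verdict}"

def legacy_plus_app_ips(flow, allowed_ports=(25,), blocked_apps=("bittorrent",)):
    """Port firewall followed by an app IPS block list (negative model):
    only apps on the list are stopped, everything else on the port passes."""
    verdict, visibility = legacy_port_firewall(flow, allowed_ports)
    if verdict == "allow" and flow.app in blocked_apps:
        return "deny", f"{flow.app} detected and blocked"
    return verdict, visibility

def ngfw_app_policy(flow, allowed_apps=("smtp",)):
    """Single rule ALLOW SMTP (positive model): listed apps pass; all else,
    including traffic no signature identifies, is denied and logged by app."""
    if flow.app in allowed_apps:
        return "allow", f"{flow.app} allowed"
    return "deny", f"{flow.app} detected and blocked"

def evaluate(policy, flows=FLOWS):
    """Map each flow's app label to the verdict, for side-by-side comparison."""
    return {f.app: policy(f)[0] for f in flows}

if __name__ == "__main__":
    for name, policy in [("port firewall", legacy_port_firewall),
                         ("port firewall + app IPS", legacy_plus_app_ips),
                         ("NGFW App-ID rule", ngfw_app_policy)]:
        print(f"{name:24} {evaluate(policy)}")
```

The unknown flow is the telling row: the block-list model passes it because it matches nothing on the list, while the positive model denies it because it matches nothing that is allowed.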
We safely enable the business and manage the risks
User                  Safely enable                                 Prohibited use
Financial advisor     Post info to a prospect’s wall; Chatting      Clicking on infected links
Marketing specialist  Exchange of Photoshop files with agencies     Downloading malware
HR recruiter          Communication with candidates                 Exposing lists of employees and their salaries
Sales rep             Sharing opportunities with channel partner    Sharing customer lists externally
Security Context from Integration
• Allowing 10.1.2.4 to 148.62.45.6 on port 80 does not provide context.
• Allowing Sales Users on the Corporate LAN to access Salesforce.com, while looking for threats and malware inside the decrypted SSL tunnel, and easily seeing you have done so, is context.
• Seeing you had 10 tunneling apps, 15 IPS hits, and 4 visits to malware sites is no context.
• Seeing that Dave Smith visited a malware site, downloaded 0-day malware, and that his device is visiting other known malware sites and using tunneling apps, that is context.
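The Dave Smith correlation described above, as an added example that is not from the deck: constructed key=value log lines are grouped per user, so events that are only totals in the "no context" view become a chain of indicators for one user. The log format, field names, user and host names are all assumptions, and a "wildfire verdict=malware" record stands in for an unknown-malware verdict.

```python
from collections import defaultdict

# Constructed sample logs (key=value per line); users and hosts are made up.
SAMPLE_LOGS = """\
ts=10:01 user=dsmith host=lt-0042 type=url category=malware action=alert url=evil.example
ts=10:02 user=dsmith host=lt-0042 type=wildfire verdict=malware file=invoice.exe
ts=10:05 user=dsmith host=lt-0042 type=url category=malware action=block url=bad.example
ts=10:06 user=dsmith host=lt-0042 type=app app=ultrasurf category=tunneling
ts=10:07 user=dsmith host=lt-0042 type=app app=tor category=tunneling
ts=10:03 user=jdoe host=lt-0077 type=app app=ssh category=tunneling
ts=10:04 user=jdoe host=lt-0077 type=threat signature=ips-1234 action=block
ts=10:08 user=asmith host=lt-0099 type=url category=malware action=block url=bad.example
"""

def parse_logs(text):
    """Turn each non-empty key=value line into a dict."""
    return [dict(kv.split("=", 1) for kv in line.split())
            for line in text.splitlines() if line.strip()]

def counts_without_context(events):
    """The 'no context' view the slide criticises: network-wide totals."""
    return {
        "tunneling_apps": sum(e.get("category") == "tunneling" for e in events),
        "ips_hits": sum(e["type"] == "threat" for e in events),
        "malware_site_visits": sum(e["type"] == "url" and e.get("category") == "malware"
                                   for e in events),
    }

def correlate_by_user(events):
    """The 'context' view: tie each indicator to the user it belongs to."""
    per_user = defaultdict(lambda: {"malware_sites": set(),
                                    "malware_downloads": 0,
                                    "tunneling_apps": set()})
    for e in events:
        u = per_user[e["user"]]
        if e["type"] == "url" and e.get("category") == "malware":
            u["malware_sites"].add(e["url"])
        elif e["type"] == "wildfire" and e.get("verdict") == "malware":
            u["malware_downloads"] += 1
        elif e["type"] == "app" and e.get("category") == "tunneling":
            u["tunneling_apps"].add(e["app"])
    return dict(per_user)

def likely_compromised(per_user):
    """Flag users whose chain is complete: a malicious download, more than one
    malware-site contact, and tunneling-app use (the Dave Smith pattern)."""
    return sorted(user for user, u in per_user.items()
                  if u["malware_downloads"] and len(u["malware_sites"]) > 1
                  and u["tunneling_apps"])
```

With the same eight records, the totals view reports three tunneling apps, one IPS hit and three malware-site visits spread over three users, while the per-user view singles out the one user on whom every indicator lands.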
COMPROMISED CREDIT CARDS – APTs IN ACTION
• Recon on companies Target works with
• Spearphishing third-party HVAC contractor
• Breached Target network with stolen payment system credentials
• Maintain access
• Moved laterally within Target network and installed POS malware
• Compromised internal server to collect customer data
• Exfiltrated data to command-and-control servers over FTP
Palo Alto Networks at a Glance
Company highlights
• Founded in 2005; first customer shipment in 2007
• Safely enabling applications
• Addressing the entire $10B+ network security market
• Enterprise leadership position & rapid customer growth
• Experienced team of 1,900+ employees
• Over 21,000 Enterprise customers
[Chart: Enterprise customers 4,700 (Jul-11), 9,000 (Jul-12), 13,500 (Jul-13); Revenues in $MM, FYE July: FY09 $13, FY10 $49, FY11 $119, FY12 $255, FY13 $396]
Gartner -- Enterprise Firewall Magic Quadrant: December 2011 and February 2013
• We pushed the competitors back
Next-generation enterprise security platform
Palo Alto Networks Threat Intelligence Cloud
• Gathers potential threats from network and endpoints
• Analyzes and correlates threat intelligence
• Disseminates threat intelligence to network and endpoints
Palo Alto Networks Next-Generation Firewall
• Inspects all traffic
• Blocks known threats
• Sends unknown to cloud
• Extensible to mobile & virtual networks
Palo Alto Networks Advanced Endpoint Protection
• Inspects all processes and files
• Prevents both known & unknown exploits
• Integrates with cloud to prevent known & unknown malware
Detect and Defend: Turning the Unknown into Known
Our unique approach makes us the only solution that…
• Scans ALL applications (including SSL traffic) to secure all avenues in/out of a network, reduce the attack surface area, and provide context for forensics
• Prevents attacks across ALL attack vectors (exploit, malware, DNS, command & control, and URL) with content-based signatures
• Detects zero-day malware & exploits using public/private cloud and automatically creates signatures to defend our global customer base
Cycle: Identify & control (all applications) • Prevent known threats • Detect unknown threats • Rapid, global sharing
We have pioneered the next generation of security
Legacy (Mid 1990’s – today):
• Allow or block some apps
• Detect some malware
• Allow / Block
Next generation (Today+):
• Safely enable all applications
• Prevent all cyber threats
Palo Alto Networks Next Generation Firewall
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify and control users regardless of IP address, location, or device
3. Protect against known and unknown application-borne threats
4. Fine-grained visibility and policy control over application access / functionality
5. Multi-gigabit, low latency, in-line deployment
Covering the entire enterprise
• Network location: Data center/cloud, Enterprise perimeter, Distributed/BYOD, Endpoint
• Use cases: Next-Generation Firewall; Cybersecurity: IDS / IPS / APT; Web gateway; VPN
• Management system: Panorama, M-100 appliance, GP-100 appliance
• Operating system: PAN-OS™
• Next-generation appliances: Physical: PA-200, PA-500, PA-2000 Series, PA-3000 Series, PA-4000 Series, PA-5000 Series, PA-7050; WildFire: WF-500; Virtual: VM-Series & VM-Series-HV for NSX
• Subscriptions: URL Filtering, GlobalProtect™, WildFire™, Threat Prevention
• Endpoint: Traps
Our core value proposition
An enterprise security platform that safely enables all applications through granular use control and prevention of known and unknown cyber threats for all users on any device across any network.
Superior security with superior TCO
Thank You