Dynamic Computing & Dynamic Threats Requires Dynamic Security
Palo Alto Networks at a Glance
Corporate Highlights
Founded in 2005; First Customer Shipment in 2007
Safely Enabling Applications
Able to Address all Network Security Needs
Exceptional Ability to Support Global Customers
Experienced Technology and Management Team
850+ Employees Globally
[Chart: Enterprise Customers: Jul-10: 1,800; Jul-11: 4,700; Jul-12: 9,000]
[Chart: Revenue ($MM, FYE July): FY09: $13; FY10: $49; FY11: $119; FY12: $255]
2 | ©2012, Palo Alto Networks. Confidential and Proprietary.
Agenda
Today’s Dynamic Enterprise Computing Environment
An Equally Dynamic Threat Landscape
The Tension between Security and Productivity
What to do About It
A Long Time Ago… Security Was Simpler
[Diagram: wired employee connected to the on-premise data center]
• Apps in one place
• Users in one place
• Data in one place
• Devices Controlled
• Devices Dumb
• Network Simple
• IT Controls it all
Complexity Has Grown… A Lot
[Diagram: the "Network" now spans on premise, cloud and Internet content/tools, reached by wired employees, wireless, VPN, "VDI", guest, mobile employees and partners/contractors; modern threats are targeted, multi-vector, persistent]
• Apps all over the place
• Users all over the place
• Data all over the place
• Devices not controlled
• Devices Smart
• Network is Complex
• IT Controls only some of it
• User’s control increased
• Risks are FAR higher
From the Classroom… to the Playground
The Emergence of the User Kingdom
Devices
• Most often very small and mobile
• More devices are now in the control and ownership of end users
• Users are people, people are different, so the diversity of devices is expanding
Applications
• Users are discovering new ways to get work done
• Multiple tools being used to do the same thing
• Many applications are risky – introduces threats, potential data loss
• Many applications are costly – consumes lots of computing and network resources
• IT is not participating in selecting
Location
• Work gets done in and out of the office
• On-demand is essential
Mobile Climate and Challenges
WHAT EMPLOYEES WANT
• Access to corporate and personal applications
• Want the full features of their mobile devices, not watered down functionality
• Don’t want boundaries and restrictions
IT SECURITY NEEDS
• Keep users, network, devices, and data safe
• Keep users productive
• Allow use of business-owned or personal devices
Evolution Towards Cloud Networks Bring New Challenges (even within our own data centers)
How do you have visibility into the virtualized environment?
How do you track rogue virtual machine creation?
How do you embrace the dynamic nature of virtualization?
What Do Virtualized Data Centers Look Like?
• Segmentation deployments:
  • DMZ/Corporate/PCI/R&D
  • Application Tiers
• Limitations in design:
  • Not optimized for hardware (spare CPUs may be idle)
  • Not ideal because traffic is routed northbound (latency)
  • Expensive – VLANs and ports
Limitations of Classic Data Center Architecture
[Diagram: three virtual hosts, each with its own vSwitch: Virtual Host 1 runs only DB VMs, Virtual Host 2 only App VMs, Virtual Host 3 only Web VMs; applications of the same trust levels on a server]
Considerations Towards “Cloud” Model
Shared “pools of resources”
• Optimizes hardware
• Reduce latency
• Delivers applications on-demand
• Security Issues
• Safely enable East-West traffic
• Track policies to VM adds, moves, changes
• Automation so security does not slow down the virtual workload
[Diagram: three virtual hosts, each with its own vSwitch, with DB, App and Web VMs mixed across all three hosts; applications of different trust levels on a server]
So that’s a snapshot of the modern computing “Ecosystem”.
Next, the threat environment…
Modern Attacks are Targeted, Stealthy and Multi-Step
What Has Changed / What is the Same
• The attacker has changed: nation-states, criminal organizations, political groups
• Attack strategy has evolved: patient, multi-step process; compromise a user, then expand
• Attack techniques have evolved: new applications as the threat vector; avoidance of traditional AV signatures; hiding malware communications
Target | Date | Motive
NY Times | Jan 31, 2013 | State-sponsored
CIA | Feb 10, 2012 | Hacktivism
Symantec | Feb 8, 2012 | Extortion
Zappos | Jan 15, 2012 | Cybercrime
Danish Government | Aug 22, 2011 | Government practices
Sony PSN | April 19, 2011 | Hacktivism
Epsilon | April 1, 2011 | Financial
RSA | March 17, 2011 | State-sponsored
Real Attacks Employ Multiple Techniques
1. Bait the end-user: End-user lured to a dangerous application or website containing malicious content
2. Exploit: Infected content exploits the end-user, often without their knowledge
3. Download Backdoor: Secondary payload is downloaded in the background. Malware installed
4. Establish Back-Channel: Malware establishes outbound connection to the attacker for ongoing control
5. Explore & Steal: Remote attacker has control inside the network and escalates the attack
The Gaps in Traditional Antivirus Protection
☣ Targeted and custom malware
☣ Polymorphic malware
☣ Newly released malware
Highly variable time to protection
Modern malware is increasingly able to:
- Avoid falling into traditional AV honey-pots
- Evolve before protection can be delivered
(Note: WildFire finds 200 – 400 unique new malware samples undetectable by leading antivirus software every day.)
Applications Bypassing Port- and Protocol-based Security
97% of Exploits Come From Business Not Social Applications
Applications Leveraging Non-standard Ports, Random Ports, Encryption
All These Challenges! Where do I Start?
Lots and Lots of Security Tools! Yea!! (Or Boo?)
Tools for Servers
Tools for End Points
Tools for Networks
Tools for Tools
Firewall, Fuzzers, Anti-Virus, Anti-Malware, NIPS, HIPS, MDM, DLP, WAF, SIEM, Authentication, Encryption, Sniffers, Forensics, Packet Crafters, Port Scanners, Rootkit Detectors, Vulnerability Scanners, Web Proxies, Wireless Security, Etc…
All These Solutions! Where do I Start?
There is a good place to start…
The Network is the Common Denominator
We should start here!
[Diagram: Applications, Users, Devices and Data all meet at the network]
Requirements for Security in a Brave New World
1. See All Traffic – reduce or eliminate blind spots
2. Safe Application Enablement
• Identify Applications by deep inspection, not by port filtering
• Control Application Use by User/group-based Policies
• Inspect that traffic which you allow - protect against known and unknown threats
3. Segment all parts of the network
4. Be nimble - Address the moving parts
• Tie security policies to VM Orchestration – VM creation / movement
• Give mobile users controlled access
• Rapidly deploy protections against new threats
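The port-agnostic identification in requirement 2 can be shown in code. The following is an added example written for this page, not Palo Alto Networks’ App-ID or any product code: it classifies a flow from the first bytes the client sends (HTTP request line, TLS ClientHello record header, SSH banner) and only afterwards compares the result with what a port-based filter would have assumed, so that an application on a non-standard port, a mismatch such as SSH on port 443, or an unidentified protocol is surfaced as a finding rather than waved through. The signatures, the `PORT_EXPECTATION` table, the `Verdict` class and the sample flows are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example: minimal content-based application identification.
# Not Palo Alto Networks' App-ID; signatures are illustrative.

# HTTP request line at the very start of the client's first bytes.
_HTTP_REQ = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH|CONNECT) \S+ HTTP/1\.[01]\r\n")


def identify_app(payload: bytes) -> str:
    """Classify a flow by its content, never by the port it arrived on."""
    if _HTTP_REQ.match(payload):
        return "http"
    # TLS record header: content type 0x16 (handshake), version 0x03 0x00..0x03,
    # two-byte length, then handshake type 0x01 = ClientHello.
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x03 and payload[5] == 0x01):
        return "tls"
    if payload.startswith(b"SSH-2.0-") or payload.startswith(b"SSH-1.99-"):
        return "ssh"
    return "unknown"


# What a port-based filter would assume for a handful of well-known ports (constructed).
PORT_EXPECTATION = {22: "ssh", 80: "http", 443: "tls", 8080: "http", 8443: "tls"}


@dataclass
class Verdict:
    app: str
    dst_port: int
    expected: Optional[str]
    finding: str  # "ok", "port-mismatch", "nonstandard-port" or "unknown-app"


def classify_flow(dst_port: int, payload: bytes) -> Verdict:
    """Compare the content-identified app with the port-based assumption."""
    app = identify_app(payload)
    expected = PORT_EXPECTATION.get(dst_port)
    if app == "unknown":
        finding = "unknown-app"          # candidate for the "identify unknowns" queue
    elif expected is None:
        finding = "nonstandard-port"     # known app, port a filter knows nothing about
    elif app != expected:
        finding = "port-mismatch"        # e.g. SSH tunnelled over the HTTPS port
    else:
        finding = "ok"
    return Verdict(app, dst_port, expected, finding)


# Constructed sample flows (first client bytes), not captured traffic.
SAMPLE_FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (443, b"SSH-2.0-OpenSSH_8.9\r\n"),                          # SSH on the HTTPS port
    (8081, b"GET / HTTP/1.0\r\n\r\n"),                           # HTTP on an unlisted port
    (443, b"\x16\x03\x01\x00\xc5\x01\x00\x00\xc1\x03\x03"),      # TLS ClientHello prefix
    (5555, b"\x00\x00\x00\x10custom-proto"),                     # unidentified protocol
]


def triage(flows=SAMPLE_FLOWS) -> dict:
    """Count findings; anything other than 'ok' needs a policy decision."""
    counts = {"ok": 0, "port-mismatch": 0, "nonstandard-port": 0, "unknown-app": 0}
    for port, payload in flows:
        counts[classify_flow(port, payload).finding] += 1
    return counts


if __name__ == "__main__":
    for port, payload in SAMPLE_FLOWS:
        v = classify_flow(port, payload)
        print(f"dst_port={v.dst_port:<5} app={v.app:<8} expected={v.expected!s:<5} -> {v.finding}")
    print(triage())
```

The point of the comparison step is that the port is used only as a cross-check: the content decides what the application is, and a disagreement with the port is itself a signal worth logging and investigating.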
Reducing the Scope of Attack – App Control
»The ever-expanding universe of applications, services and threats
»Traffic limited to approved business use cases based on App and User
»Attack surface reduced by orders of magnitude
»Port, protocol Agnostic
»Complete threat library with no blind spots
Bi-directional inspection
Scans inside of SSL
Scans inside compressed files
Scans inside proxies and tunnels
Scans unknown files
Only allow the apps you need
Clean the allowed traffic of all threats in a single pass
Identify Unknowns
1. Known Traffic is controlled using positive enforcement
  • Allow the good, block everything else
  • Positive control reduces endless “Whack-a-Mole” of finding/stopping unwanted apps
2. Identify Unknown Applications
  • Anything non-compliant or custom should be known and approved
  • When the vast majority of traffic is identified, the unknowns become manageable
3. Unknown traffic is common – every network has some
  • New publicly available commercial applications
  • Internally developed, custom applications
  • Rogue or malicious applications (malware)
4. Unknowns are manageable
  • Investigate unknowns
  • Aggressively control or block remaining unknown traffic
Identify All Users
Do NOT Trust, always verify all access
Base security policy on users and their roles, not IP addresses.
For groups of users, tie access to specific groups of applications
Limit the amount of exfiltration via network segmentation
Scan All Content
Full Visibility of Traffic
• Equal analysis of all traffic across all ports (no assumptions)
• Control the applications that attackers use to hide
• Decrypt, decompress and decode
Control the full attack lifecycle
• Exploits, malware, and malicious traffic
• Maintain context across disciplines
• Maintain predictable performance
Expect the Unknown
• Detect and stop unknown malware
• Automatically manage unknown or anomalous traffic
If it’s unknown, how can I stop it?
Behavioral Analysis of Potential Malware
Malware Analysis
• Potentially malicious files from Internet
• Unknown files are forwarded for deeper analysis
• Sandbox-based analysis that finds malware based on behaviors
• Generates detailed forensics report
• Creates malware and C&C signatures
• Protection delivered to all customer firewalls
[Chart: Daily Coverage of Top AV Vendors; New Malware Coverage Rate by Top 5 AV Vendors; Daily AV Coverage Rates for Newly Released Malware (50 Samples); y-axis: Malware Sample Count]
Network Segmentation – A Great Best Practice
• Implement security zones in your network
• For each zone, group systems by risk and desired control point:
  • Systems that share similar risk factors
  • Systems that share security classifications
• Communication between zones is only via the firewall
• Every zone should be restricted by:
  • User
  • Applications
  • All content is scanned
• Integrated reporting, logging for auditing purposes
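The three ideas in the preceding slides, positive enforcement with investigation of unknowns (“Identify Unknowns”), policy based on users and roles rather than IP addresses (“Identify All Users”), and zone-to-zone traffic passing only through the firewall (“Network Segmentation”), combine into one policy check. The following is an added example written for this page, not Palo Alto Networks’ policy engine: zones are address ranges, identity comes from a user-to-group directory, every rule names a source zone, a destination zone, the groups allowed and the applications allowed (as identified by content, never by port), and anything that matches no rule, or is identified as “unknown”, is denied. The zone ranges, users, rule names, application names and sample flows are all constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example: zone-segmented, user- and application-aware policy check with
# positive enforcement (default deny). Everything below is constructed.

ZONES = {
    "corp-users": ipaddress.ip_network("10.10.0.0/16"),
    "web-tier":   ipaddress.ip_network("10.20.1.0/24"),
    "app-tier":   ipaddress.ip_network("10.20.2.0/24"),
    "db-tier":    ipaddress.ip_network("10.20.3.0/24"),
    "pci":        ipaddress.ip_network("10.30.0.0/24"),
}

# Identity comes from a directory lookup, not from the IP address.
USER_GROUPS = {"alice": {"finance"}, "bob": {"developers"}}


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str
    to_zone: str
    groups: frozenset   # user groups allowed; "*" means no user identity is required
    apps: frozenset     # applications allowed, as identified by content inspection
    scan: bool = True   # allowed traffic is still scanned for threats


RULES = [
    Rule("finance-to-pci-app", "corp-users", "pci", frozenset({"finance"}), frozenset({"pci-erp"})),
    Rule("users-to-web", "corp-users", "web-tier", frozenset({"*"}), frozenset({"http", "tls"})),
    Rule("web-to-app", "web-tier", "app-tier", frozenset({"*"}), frozenset({"app-rpc"})),
    Rule("app-to-db", "app-tier", "db-tier", frozenset({"*"}), frozenset({"mysql"})),
]


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its security zone, or None if it belongs to no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


@dataclass(frozen=True)
class Decision:
    action: str              # "allow" or "deny"
    reason: str
    rule: Optional[str] = None
    scan: bool = False


def evaluate(src_ip: str, dst_ip: str, user: Optional[str], app: str) -> Decision:
    """Positive enforcement: only traffic matching an explicit rule is allowed."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone is None or dst_zone is None:
        return Decision("deny", "address outside every defined zone")
    if app == "unknown":
        # Unknown traffic is logged for investigation and blocked until it has
        # been identified and approved; it never falls through to an allow rule.
        return Decision("deny", "unknown application: log and investigate")
    groups = USER_GROUPS.get(user, set()) if user else set()
    for rule in RULES:
        if (rule.from_zone, rule.to_zone) != (src_zone, dst_zone):
            continue
        if "*" not in rule.groups and not (groups & rule.groups):
            continue
        if app in rule.apps:
            return Decision("allow", f"matched rule {rule.name}", rule.name, rule.scan)
    return Decision("deny", "no positive rule matched: default deny")


# Constructed flows: (src_ip, dst_ip, identified user or None, identified app)
SAMPLE_FLOWS = [
    ("10.10.5.7", "10.30.0.10", "alice", "pci-erp"),   # finance user to the PCI app
    ("10.10.5.8", "10.30.0.10", "bob", "pci-erp"),     # developer to the PCI app
    ("10.10.5.8", "10.20.1.5", "bob", "tls"),          # any user to the web tier
    ("10.10.5.8", "10.20.3.9", "bob", "mysql"),        # user straight to the database
    ("10.20.1.5", "10.20.2.5", None, "app-rpc"),       # web tier to app tier
    ("10.20.1.5", "10.20.3.9", None, "mysql"),         # web tier skipping the app tier
    ("10.10.5.8", "10.20.1.5", "bob", "unknown"),      # unidentified protocol
    ("192.168.1.1", "10.20.1.5", "bob", "http"),       # source in no defined zone
]


def simulate(flows=SAMPLE_FLOWS) -> list:
    """Return the action taken for each flow, in order."""
    return [evaluate(*flow).action for flow in flows]


if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        d = evaluate(*flow)
        print(f"{flow[0]:>12} -> {flow[1]:<11} user={flow[2]!s:<6} app={flow[3]:<8} {d.action:<5} ({d.reason})")
```

Two of the denied flows are the ones segmentation is meant to catch: a user reaching the database tier directly, and the web tier reaching the database while skipping the application tier. Neither is blocked by a rule written against it; they are blocked because no rule allows them, which is what makes the policy positive rather than a list of things to chase.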
Zero Trust Model
Ensure all resources are accessed in a secure manner
Access control is strictly enforced (Verify and never trust)
Inspect and log all traffic
Forrester Research
[Diagram: FW, IPS, CF, AC, Crypto, AM]
Control Users and Their Devices with The Network
Consistent policy
• App policy
• Data filtering
• URL filtering
Protect device & traffic
• Malware detection
• Vulnerability protection
Managed/Monitored devices
• Ensure device is “OK”
• Security Settings: Passcode, Encryption
• State: Jailbroken
• Actions: Lock/Wipe
[Diagram: Always-on VPN; MDM]
Physical and Virtual (where to do what to reduce latency)
• Flexible Deployments to Protect East-West Traffic
• Inter-host Segmentation
• Intra-host Segmentation
[Diagram: physical firewalls (HA) in front of physical servers; virtualized firewalls on virtualized servers; security, network and application orchestration systems]
Why Does It Have to Be a Next-Generation Firewall?
• Only next-generation firewalls can safely enable applications and understand:
  • Applications
  • Users
  • Content
• Designed from the ground up to tackle threat protection without performance impact
• Addresses emerging challenges including virtualization and cloud
[Diagram: Next-Generation Firewalls at the meeting point of Applications, Users, Devices and Data]