Dynamic Computing & Dynamic Threats Requires Dynamic Security

Page 1: Dynamic Computing & Dynamic Threats Requires Dynamic Security

Page 2: Dynamic Computing & Dynamic Threats Requires Dynamic Security

Palo Alto Networks at a Glance

Corporate Highlights

Founded in 2005; First Customer Shipment in 2007

Safely Enabling Applications

Able to Address all Network Security Needs

Exceptional Ability to Support Global Customers

Experienced Technology and Management Team

850+ Employees Globally

[Chart: Enterprise Customers: 1,800 (Jul-10), 4,700 (Jul-11), 9,000 (Jul-12)]

[Chart: Revenue, $MM, FYE July: $13 (FY09), $49 (FY10), $119 (FY11), $255 (FY12)]

2 | ©2012, Palo Alto Networks. Confidential and Proprietary.

Page 3: Dynamic Computing & Dynamic Threats Requires Dynamic Security

Agenda

Today’s Dynamic Enterprise Computing Environment

An Equally Dynamic Threat Landscape

The Tension between Security and Productivity

What to do About It


Page 4: Dynamic Computing & Dynamic Threats Requires Dynamic Security

A Long Time Ago... Security Was Simpler

[Diagram: wired employee connected to an on-premise data center]

• Apps in one place
• Users in one place
• Data in one place
• Devices controlled
• Devices dumb
• Network simple
• IT controls it all
• ...

Page 5: Dynamic Computing & Dynamic Threats Requires Dynamic Security

Complexity Has Grown... A Lot

[Diagram: cloud, Internet content/tools, the "network", on-premise data center; modern threats (targeted, multi-vector, persistent); wireless, VPN, "VDI", guest and mobile employees; partners/contractors; wired employees]

• Apps all over the place
• Users all over the place
• Data all over the place
• Devices not controlled
• Devices smart
• Network is complex
• IT controls only some of it
• Users' control increased
• Risks are FAR higher

Page 6: Dynamic Computing & Dynamic Threats Requires Dynamic Security

From the Classroom... to the Playground

Page 7: Dynamic Computing & Dynamic Threats Requires Dynamic Security

The Emergence of the User Kingdom

Devices
• Most often very small and mobile
• More devices are now in the control and ownership of end users
• Users are people, people are different, so the diversity of devices is expanding

Applications
• Users are discovering new ways to get work done
• Multiple tools being used to do the same thing
• Many applications are risky – introduce threats, potential data loss
• Many applications are costly – consume lots of computing and network resources
• IT is not participating in selecting

Location
• Work gets done in and out of the office
• On-demand is essential

Page 8: Dynamic Computing & Dynamic Threats Requires Dynamic Security

Mobile Climate and Challenges

What Employees Want
• Access to corporate and personal applications
• The full features of their mobile devices, not watered-down functionality
• Don't want boundaries and restrictions

IT Security Needs
• Keep users, network, devices, and data safe
• Keep users productive
• Allow use of business-owned or personal devices

Page 9: Dynamic Computing & Dynamic Threats Requires Dynamic Security

Evolution Towards Cloud Networks Brings New Challenges (even within our own data centers)

How do you have visibility into the virtualized environment?
How do you track rogue virtual machine creation?
How do you embrace the dynamic nature of virtualization?

Page 10: Dynamic Computing & Dynamic Threats Requires Dynamic Security

What Do Virtualized Data Centers Look Like?

• Segmentation deployments:
  • DMZ / Corporate / PCI / R&D
  • Application tiers
• Limitations in design:
  • Not optimized for hardware (spare CPUs may be idle)
  • Not ideal because traffic is routed northbound (latency)
  • Expensive – VLANs and ports

Limitations of Classic Data Center Architecture

[Diagram: three virtual hosts, each with its own vSwitch; Virtual Host 1 runs only DB VMs, Virtual Host 2 only App VMs, Virtual Host 3 only Web VMs. Applications of the same trust level on a server.]

Page 11: Dynamic Computing & Dynamic Threats Requires Dynamic Security

Considerations Towards the "Cloud" Model

Shared "pools of resources"
• Optimizes hardware
• Reduces latency
• Delivers applications on-demand

Security issues
• Safely enable east-west traffic
• Track policies to VM adds, moves, changes
• Automation so security does not slow down the virtual workload

[Diagram: three virtual hosts, each with its own vSwitch, with DB, App and Web VMs mixed across all three. Applications of different trust levels on a server.]

Page 12: Dynamic Computing & Dynamic Threats Requires Dynamic Security

So that's a snapshot of the modern computing "Ecosystem".

Next, the threat environment...

Page 13: Dynamic Computing & Dynamic Threats Requires Dynamic Security

Modern Attacks are Targeted, Stealthy and Multi-Step: What Has Changed / What is the Same

The attacker has changed
• Nation-states
• Criminal organizations
• Political groups

Attack strategy has evolved
• Patient, multi-step process
• Compromise a user, then expand

Attack techniques have evolved
• New applications as the threat vector
• Avoidance of traditional AV signatures
• Hiding malware communications

Target              Date            Motive
NY Times            Jan 31, 2013    State-sponsored
CIA                 Feb 10, 2012    Hacktivism
Symantec            Feb 8, 2012     Extortion
Zappos              Jan 15, 2012    Cybercrime
Danish Government   Aug 22, 2011    Government practices
Sony PSN            April 19, 2011  Hacktivism
Epsilon             April 1, 2011   Financial
RSA                 March 17, 2011  State-sponsored

Page 14: Dynamic Computing & Dynamic Threats Requires Dynamic Security

Real Attacks Employ Multiple Techniques

1. Bait the end-user: End-user lured to a dangerous application or website containing malicious content

2. Exploit: Infected content exploits the end-user, often without their knowledge

3. Download backdoor: Secondary payload is downloaded in the background. Malware installed

4. Establish back-channel: Malware establishes outbound connection to the attacker for ongoing control

5. Explore & steal: Remote attacker has control inside the network and escalates the attack

Page 15: Dynamic Computing & Dynamic Threats Requires Dynamic Security

The Gaps in Traditional Antivirus Protection

☣ Targeted and custom malware

☣ Polymorphic malware

☣ Newly released malware

Highly variable time to protection


Modern malware is increasingly able to:

- Avoid falling into traditional AV honey-pots

- Evolve before protection can be delivered

(Note: WildFire finds 200 – 400 unique new malware samples undetectable by leading antivirus software every day.)

Page 16: Dynamic Computing & Dynamic Threats Requires Dynamic Security

Applications Bypassing Port- and Protocol-based Security


97% of Exploits Come From Business Not Social Applications

Applications Leveraging Non-standard Ports, Random Ports, Encryption

Page 17: Dynamic Computing & Dynamic Threats Requires Dynamic Security


All These Challenges! Where do I Start?

Page 18: Dynamic Computing & Dynamic Threats Requires Dynamic Security

Lots and Lots of Security Tools! Yea!! (Or Boo?)

Tools for Servers

Tools for End Points

Tools for Networks

Tools for Tools

Firewall, Fuzzers, Anti-Virus, Anti-Malware, NIPS, HIPS, MDM, DLP, WAF, SIEM, Authentication, Encryption, Sniffers, Forensics, Packet Crafters, Port Scanners, Rootkit Detectors, Vulnerability Scanners, Web Proxies, Wireless Security, etc.

Page 19: Dynamic Computing & Dynamic Threats Requires Dynamic Security


All These Solutions! Where do I Start?

Page 20: Dynamic Computing & Dynamic Threats Requires Dynamic Security

There is a good place to start...

The Network is the Common Denominator

We should start here!

[Diagram: Applications, Users, Devices, Data]

Page 21: Dynamic Computing & Dynamic Threats Requires Dynamic Security

Requirements for Security in a Brave New World

1. See All Traffic – reduce or eliminate blind spots

2. Safe Application Enablement

• Identify Applications by deep inspection, not by port filtering

• Control Application Use by User/group-based Policies

• Inspect that traffic which you allow - protect against known and unknown threats

3. Segment all parts of the network

4. Be nimble - Address the moving parts

• Tie security policies to VM Orchestration – VM creation / movement

• Give mobile users controlled access

• Rapidly deploy protections against new threats
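The first requirement above, and the "Applications Bypassing Port- and Protocol-based Security" slide, make the same point: an application has to be identified from what its traffic looks like, not from the port it uses, because port-based filtering sees SSH on port 443 as "web". The following Python is an added example written for this page, not Palo Alto Networks' App-ID or any product code. It assumes a flow record that carries the first bytes the client sent; the HTTP, TLS and SSH signatures are hand-written, and the expected-port table and sample flows are constructed.

```python
"""Port-independent application identification by payload inspection.

Example code added for illustration; not a product's classifier. The
EXPECTED_PORTS table and the sample flows below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Ports on which each application is conventionally expected. A flow whose
# content says "ssh" but whose port says 443 is exactly what port-based
# filtering cannot see, so it is flagged as a mismatch.
EXPECTED_PORTS = {"http": {80, 8080}, "tls": {443}, "ssh": {22}}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes sent by the client


# HTTP/1.x request line: METHOD SP request-target SP HTTP/1.x CRLF
_HTTP_REQUEST = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH|CONNECT) \S+ HTTP/1\.[01]\r\n"
)


def identify_app(payload: bytes) -> str:
    """Classify a flow by what its bytes look like, ignoring the port."""
    if _HTTP_REQUEST.match(payload):
        return "http"
    # TLS record header: content type 0x16 (handshake), major version 0x03,
    # then a handshake header whose first byte 0x01 means ClientHello.
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    # SSH identification string (RFC 4253 section 4.2)
    if payload.startswith(b"SSH-2.0-"):
        return "ssh"
    return "unknown"


def classify(flow: Flow) -> Tuple[str, bool]:
    """Return (app, port_mismatch) for one flow."""
    app = identify_app(flow.payload)
    expected = EXPECTED_PORTS.get(app)
    mismatch = expected is not None and flow.dport not in expected
    return app, mismatch


def classify_flows(flows: List[Flow]) -> List[Tuple[str, int, str, bool]]:
    """Classify many flows; each result is (dst, dport, app, port_mismatch)."""
    return [(f.dst, f.dport, *classify(f)) for f in flows]


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow("10.0.1.5", "203.0.113.10", 80, b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"),
    Flow("10.0.1.5", "203.0.113.20", 443, bytes([0x16, 0x03, 0x01, 0x00, 0xC8, 0x01, 0x00, 0x00])),
    # SSH on the "HTTPS" port: port filtering would call this web traffic.
    Flow("10.0.1.9", "198.51.100.7", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),
    # Nothing recognisable: stays "unknown" and is a candidate for investigation.
    Flow("10.0.1.9", "198.51.100.8", 4444, b"\x00\x01\x02\x03\x04\x05\x06\x07"),
]

if __name__ == "__main__":
    for dst, dport, app, mismatch in classify_flows(SAMPLE_FLOWS):
        flag = "  <-- app/port mismatch" if mismatch else ""
        print(f"{dst}:{dport:<5} app={app}{flag}")
```

The "unknown" result is deliberate: a classifier that forces every flow into a known label hides exactly the traffic the later "Identify Unknowns" slide says should be investigated, so an unrecognised payload is reported as unknown rather than guessed from its port.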

Page 22: Dynamic Computing & Dynamic Threats Requires Dynamic Security

Reducing the Scope of Attack – App Control

» The ever-expanding universe of applications, services and threats
» Traffic limited to approved business use cases based on App and User
» Attack surface reduced by orders of magnitude
» Port, protocol agnostic
» Complete threat library with no blind spots

• Bi-directional inspection
• Scans inside of SSL
• Scans inside compressed files
• Scans inside proxies and tunnels
• Scans unknown files

Only allow the apps you need

Clean the allowed traffic of all threats in a single pass

Page 23: Dynamic Computing & Dynamic Threats Requires Dynamic Security

Identify Unknowns

1. Known traffic is controlled using positive enforcement
   • Allow the good, block everything else
   • Positive control reduces the endless "Whack-a-Mole" of finding/stopping unwanted apps

2. Identify unknown applications
   • Anything non-compliant or custom should be known and approved
   • When the vast majority of traffic is identified, the unknowns become manageable

3. Unknown traffic is common – every network has some
   • New publicly available commercial applications
   • Internally developed, custom applications
   • Rogue or malicious applications (malware)

4. Unknowns are manageable
   • Investigate unknowns
   • Aggressively control or block remaining unknown traffic

Page 24: Dynamic Computing & Dynamic Threats Requires Dynamic Security

Identify All Users

Do NOT Trust, always verify all access

Base security policy on users and their roles, not IP addresses.

For groups of users, tie access to specific groups of applications

Limit the amount of exfiltration via network segmentation


Page 25: Dynamic Computing & Dynamic Threats Requires Dynamic Security

Scan All Content


Full Visibility of Traffic
• Equal analysis of all traffic across all ports (no assumptions)
• Control the applications that attackers use to hide
• Decrypt, decompress and decode

Control the Full Attack Lifecycle
• Exploits, malware, and malicious traffic
• Maintain context across disciplines
• Maintain predictable performance

Expect the Unknown
• Detect and stop unknown malware
• Automatically manage unknown or anomalous traffic

If it's unknown, how can I stop it?

Page 26: Dynamic Computing & Dynamic Threats Requires Dynamic Security

Behavioral Analysis of Potential Malware

Malware Analysis
• Potentially malicious files from the Internet
• Unknown files are forwarded for deeper analysis
• Sandbox-based analysis that finds malware based on behaviors
• Generates detailed forensics report
• Creates malware and C&C signatures
• Protection delivered to all customer firewalls

Page 27: Dynamic Computing & Dynamic Threats Requires Dynamic Security

Daily Coverage of Top AV Vendors

[Chart: Daily AV Coverage Rates for Newly Released Malware (50 Samples); New Malware Coverage Rate by Top 5 AV Vendors; y-axis: Malware Sample Count]

Page 28: Dynamic Computing & Dynamic Threats Requires Dynamic Security

Network Segmentation – A Great Best Practice

• Implement security zones in your network
• For each zone, group systems by risk and desired control point:
  • Systems that share similar risk factors
  • Systems that share security classifications
• Communication between zones is only via the firewall
• Every zone should be restricted by:
  • User
  • Applications
  • All content is scanned
• Integrated reporting and logging for auditing purposes


Zero Trust Model

• Ensure all resources are accessed in a secure manner
• Access control is strictly enforced (verify and never trust)
• Inspect and log all traffic

(Forrester Research)

[Diagram: FW, IPS, CF, AC, Crypto, AM]
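The "Identify Unknowns", "Identify All Users", segmentation and Zero Trust slides above describe one policy model: identify the user and the application, allow only the (source zone, destination zone, user group, application) combinations that have a business reason, and deny everything else, with unidentified users and unknown applications denied and queued for investigation rather than silently dropped. The Python below is an added example written for this page, not firewall configuration or vendor code, that evaluates such a policy over constructed sessions; the zone names, groups, identity directory, rules and sample sessions are all assumptions.

```python
"""Zone-based, user-aware positive-enforcement policy (default deny).

Added example, not a product's policy engine. The directory, zones, rules
and sample sessions are all constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

ANY = "any"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    groups: FrozenSet[str]  # user groups allowed; {"any"} matches every identified user
    apps: FrozenSet[str]    # applications allowed, as identified by content inspection


@dataclass(frozen=True)
class Session:
    user: str       # identity mapped to the flow, or "" if none
    src_zone: str
    dst_zone: str
    app: str        # e.g. "sap", "http"; "unknown-tcp"/"unknown-udp" when unidentified


# Constructed identity directory: user -> groups.
USER_GROUPS: Dict[str, FrozenSet[str]] = {
    "alice": frozenset({"finance"}),
    "bob": frozenset({"developers"}),
    "svc-web": frozenset({"web-tier"}),
    "svc-app": frozenset({"app-tier"}),
}

# Explicit allow list: only these zone/group/app combinations are permitted.
POLICY: List[Rule] = [
    Rule("users", "pci", frozenset({"finance"}), frozenset({"sap"})),
    Rule("users", "corp", frozenset({ANY}), frozenset({"http", "tls", "smtp"})),
    Rule("web", "app", frozenset({"web-tier"}), frozenset({"http"})),
    Rule("app", "db", frozenset({"app-tier"}), frozenset({"mysql"})),
]


def evaluate(s: Session, policy: List[Rule] = POLICY) -> str:
    """Return a verdict for one session; anything not explicitly allowed is denied."""
    # Zero trust: an unmapped identity is not trusted just because it is inside.
    if s.user not in USER_GROUPS:
        return "deny-unidentified-user"
    # Unknown applications never match a positive rule; they are denied and
    # reported for investigation (a custom app to approve, or malware).
    if s.app.startswith("unknown"):
        return "deny-unknown-app"
    groups = USER_GROUPS[s.user]
    for r in policy:
        if (r.src_zone, r.dst_zone) != (s.src_zone, s.dst_zone):
            continue
        if ANY not in r.groups and not (groups & r.groups):
            continue
        if s.app in r.apps:
            return "allow"
    return "deny-default"


def audit(sessions: List[Session]) -> Tuple[Counter, List[Tuple[str, str, str]]]:
    """Verdict counts plus the unknown-app sessions a human should look at."""
    verdicts: Counter = Counter()
    to_investigate: List[Tuple[str, str, str]] = []
    for s in sessions:
        v = evaluate(s)
        verdicts[v] += 1
        if v == "deny-unknown-app":
            to_investigate.append((s.user, s.dst_zone, s.app))
    return verdicts, to_investigate


# Constructed sessions.
SAMPLE_SESSIONS = [
    Session("alice", "users", "pci", "sap"),         # finance to PCI over SAP: allowed
    Session("bob", "users", "pci", "sap"),           # developer to PCI: no rule, denied
    Session("bob", "users", "corp", "http"),         # any identified user, web to corp: allowed
    Session("svc-web", "web", "app", "http"),        # web tier to app tier: allowed
    Session("svc-web", "web", "db", "mysql"),        # web tier straight to DB: denied
    Session("svc-app", "app", "db", "unknown-tcp"),  # unidentified app: denied, investigate
    Session("", "users", "corp", "http"),            # no identity: denied
]

if __name__ == "__main__":
    counts, investigate = audit(SAMPLE_SESSIONS)
    for verdict, n in sorted(counts.items()):
        print(f"{verdict:<24} {n}")
    print("unknown traffic to investigate:", investigate)
```

Two design points follow directly from the slides: rules are keyed on identity and application, never on IP address, and there is no rule for the web zone reaching the database zone at all, so the session is denied by the default rather than by something an administrator had to remember to write.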

Page 29: Dynamic Computing & Dynamic Threats Requires Dynamic Security

Control Users and Their Devices with The Network


• Consistent policy: App policy, Data filtering, URL filtering
• Protect device & traffic: Malware detection, Vulnerability protection
• Managed/monitored devices (MDM, always-on VPN)
  • Ensure device is "OK"
  • Security settings: Passcode, Encryption
  • State: Jailbroken
  • Actions: Lock/Wipe

Page 30: Dynamic Computing & Dynamic Threats Requires Dynamic Security

Physical and Virtual (where to do what to reduce latency)

• Flexible deployments to protect east-west traffic
• Inter-host segmentation
• Intra-host segmentation

[Diagram: physical servers with physical firewalls (HA); virtualized servers with virtualized firewalls; Security, Network, Application; orchestration systems]

Page 31: Dynamic Computing & Dynamic Threats Requires Dynamic Security

Why Does It Have to Be a Next-Generation Firewall?

• Only next-generation firewalls can safely enable applications and understand:
  • Applications
  • Users
  • Content
• Designed from the ground up to tackle threat protection without performance impact
• Addresses emerging challenges including virtualization and cloud

[Diagram: Applications, Users, Devices, Data; Next-Generation Firewalls]

Page 32: Dynamic Computing & Dynamic Threats Requires Dynamic Security
