ForgeRock: Using Network Security and Identity Management to Empower CISOs Today. The Case For A Comprehensive Enterprise Security Policy

IDENTITY IS THE FIRST STEP TO TRUE NETWORK SECURITY


SCOTT STEVENS, VP, Technology, WW Systems, Engineering, Palo Alto Networks and ALLAN FOSTER VP, Technology & Standards, Office of the CTO, ForgeRock, at the European IRM Summit 2014.


Page 1

ForgeRock
Using Network Security and Identity Management to Empower CISOs Today
The Case For A Comprehensive Enterprise Security Policy

Page 2

The Stolen Data Epidemic

Target Replaces CEO Steinhafel Following Massive Holiday Breach - Wall Street Journal
Heartbleed Bug Exposes Millions of Web Sites To Security Risks - NBC News, April 8, 2014
18 million email addresses and passwords stolen in Germany - ZDNet, April 7, 2014
360m newly stolen passwords on the black market - The London Free Press
Data breaches surge with 93,000 passwords stolen every hour - Computer Business Review
Bitcoin miners unearth 30,000 college student SSNs - Next Gov, April 24, 2014

Page 3

To be truly effective, you need to see all applications, all user identities and, most importantly, all threats. But traditional firewalls only gave you ports, protocols, and IP addresses, missing the malware threat completely.

Traditional Firewalls Had Limitations (diagram labels):

Confidential Data
Command & Control Traffic
Regulated Data
Exploits
Copyrighted Material
Malware

Page 4

Palo Alto Networks Reinvented Network Security: it's no longer about ports and protocols but instead about user identity, applications, and how they communicate.

But without User Identity and Context, You Cannot Create a True Comprehensive Security Policy For the End User

Page 5

FAILURE OF LEGACY SECURITY ARCHITECTURES

Diagram: an enterprise network with an Internet connection, protected by a patchwork of point products from Vendor 1 through Vendor 4:

Anti-APT for port 80 APTs
Anti-APT for port 25 APTs
Anti-APT cloud
Endpoint AV
Network AV
UTM/Blades
DNS protection cloud
DNS protection for outbound DNS
Malware Intelligence

Each product raises its own alerts (DNS Alert, Endpoint Alert, AV Alert, SMTP Alert, Web Alert, repeated across the vendors) with nothing correlating them.

Limited visibility. Manual response. Lacks correlation.

Page 6

Next-Generation Security Platform

Palo Alto Networks Next-Generation Firewall
Inspects all traffic
Safely enables applications
Sends unknown threats to cloud
Blocks network based threats

Palo Alto Networks Next-Generation Threat Cloud
Gathers potential threats from network and endpoints
Analyses and correlates threat intelligence
Disseminates threat intelligence to network and endpoints

Palo Alto Networks Next-Generation Endpoint
Inspects all processes and files
Prevents both known and unknown exploits
Protects fixed, virtual, and mobile endpoints
Lightweight client and cloud based

• ~500,000 Wildfire samples/day
• ~5% determined to be Malware
• 1 new Android Malware App every 20 minutes
• 48% of all unknown PE files are Malware

Page 7

Next-Generation Identity Management: Highly Scalable, Modular, Easy To Deploy Architecture

“All-in-One” solution delivered as a single platform

Access to any application – Enterprise, SaaS, Social, Mobile

Flexible and extensible architecture

Social sign-on and one-time mobile password

Architected for consumer scale +100M users

FORGEROCK.COM | CONFIDENTIAL

Page 8

Combine Capabilities To Reinvent Security: Creating A Unified Enterprise-wide Security Platform

Next-gen Network Security & Identity Functions Natively Integrated In One Solution

Centralized Management
Access Management
Threat Prevention
User Identity Management
Authentication & Authorization
App Visibility & Control

Page 9

The Vision

Deliver the only unified identity security platform that can make hyper intelligent decisions based on both network security and user identity context.

Page 10

Key Benefits

■ Understand more about the user before granting them access to corporate resources

■ Create a feedback loop to take appropriate action on both ends:

– The network blocks traffic when suspicious identity activity occurs

– The identity platform blocks access when suspicious network activity occurs

■ Real-time, automated remediation of malicious activity

■ Organizations are much, much safer!!!!

Page 11

Security/Identity Feedback Loop

Data Center

Establish Identity

Assert Identity

Page 12

Security/Identity Feedback Loop

Data Center

Legitimate Traffic

As defined by user rights

Page 13

Security/Identity Feedback Loop

Data Center

Malware/Inappropriate Traffic

Block & Alarm

Feedback Identity of Malicious Traffic

Page 14

Security/Identity Feedback Loop

Data Center

Change Identity Rights: Restrict User Traffic to all resources

■ Network violations modify Identity Rights

■ Feedback changes ID state and security state

Page 15

Identity & Security: 2 sides of the same coin

■ Identity Assertion is the first step to contextual security
– Simplify IdM infrastructure
– Ensure ID can be multifactor authenticated as needed
– Stay connected to security to manage ID changes

■ NG Security enforces policy based on Application & on User Identity
– Valid Identity allows for appropriate security
– Changes in ID state can directly change security state
– Direct linkages between security & Identity ensure that rules remain contextual
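The security/identity feedback loop of pages 10 to 15, as an added Python simulation that is not from the slides or from either vendor's products: the firewall allows only traffic the user's identity rights permit, a network violation (here a constructed C2 verdict) restricts that user's identity rights to all resources, and repeated MFA failures on the identity side block the user's traffic. The class names, the failure threshold and the sample users and applications are assumptions made for the example.

```python
from dataclasses import dataclass, field

MFA_FAILURE_THRESHOLD = 3  # constructed policy value, not from the slides


@dataclass
class IdentityPlatform:
    entitlements: dict                      # user -> set of apps the user may reach
    restricted: set = field(default_factory=set)
    mfa_failures: dict = field(default_factory=dict)
    network: object = None                  # the Firewall, attached when it is built

    def authorize(self, user, app):
        """Identity decision: a restricted user loses access to all resources."""
        return user not in self.restricted and app in self.entitlements.get(user, set())

    def on_network_violation(self, user, app):
        """Feedback from the firewall: a network violation modifies identity rights."""
        self.restricted.add(user)

    def record_mfa_failure(self, user):
        """Suspicious identity activity is fed to the network side once it crosses the threshold."""
        self.mfa_failures[user] = self.mfa_failures.get(user, 0) + 1
        if self.mfa_failures[user] >= MFA_FAILURE_THRESHOLD and self.network is not None:
            self.network.on_identity_event(user, "repeated MFA failures")


@dataclass
class Firewall:
    identity: IdentityPlatform
    malicious_apps: set                     # threat verdicts such as known C2 traffic (constructed)
    blocked_users: set = field(default_factory=set)
    alarms: list = field(default_factory=list)

    def __post_init__(self):
        self.identity.network = self        # close the loop in the identity -> network direction

    def inspect(self, user, app):
        """Per-flow decision from the threat verdict plus identity context."""
        if user in self.blocked_users:
            return "block"
        if app in self.malicious_apps:
            self.alarms.append((user, app))                 # block & alarm
            self.identity.on_network_violation(user, app)   # feed back identity of malicious traffic
            return "block"
        return "allow" if self.identity.authorize(user, app) else "block"

    def on_identity_event(self, user, reason):
        """Feedback from the identity platform: block the user's traffic."""
        self.blocked_users.add(user)
```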

Page 16

Target data breach – APTs in action

The stages shown in the slide's attack-chain diagram:

Recon on companies Target works with
Spearphishing third-party HVAC contractor
Breached Target network with stolen payment system credentials
Moved laterally within Target network and installed POS Malware
Compromised internal server to collect customer data
Exfiltrated data to command-and-control servers over FTP
Maintain access

Page 17

Innovative Approach To Securing Today's Enterprise: Eliminate Security Silos For A Unified Enterprise-wide Security Policy

All Key Identity & Network Security Functions Natively Integrated in One Solution

Centralized Management
Visibility & Control
Threat Prevention
Provisioning
Identity Management
Closed Loop Single Enterprise Wide Policy

Any location, any infrastructure

Page 18

Unify Your Enterprise Security Strategy

Protect the enterprise from known threats and zero-day attacks

Gain full control over your identity and network security investments

Make informed decisions based upon correlated events & data points

Adaptable closed loop security policy enforcement

Drive top line business initiatives faster

Page 19

Thank You!