Simon Wong and Chris Cram, Scalar security experts, discuss how Palo Alto Networks technology disrupts the entire malware kill chain. Attendees will also gain insight on flexible deployment options to better serve their mobile users, and how to get the most out of their Palo Alto Networks deployment.
7. What’s Changed? The Evolution of the Attack
• Known Threats
• Organizational Risk
• Zero-Day Exploits/Vulnerabilities
• Unknown & Polymorphic Malware
• Evasive Command-and-Control
• Lateral Movement
• Changing Application Environment
• SSL Encryption
• Mobile Threats
9. Breaking the Kill Chain at Every Step
Technologies (rows of the grid): App-ID, User-ID, URL, IPS, Spyware, AV, Files, Unknown Threats.
Kill-chain stages (columns) and the controls applied at each:
1. Bait the end-user: block high-risk apps / user control / decryption (App-ID, User-ID); block known malware sites and email links (URL)
2. Exploit: block the exploit (IPS)
3. Download backdoor: block malware, prevent drive-by downloads (AV); detect 0-day malware (Unknown Threats)
4. Command/Control: block new C2 traffic (Unknown Threats); block spyware and C2 traffic (Spyware); block fast-flux and bad domains (URL); block C2 on open ports (App-ID)
5. Lateral Movement / Zero Trust: block the exploit; block malware; detect 0-day malware; block fast-flux and bad domains; block high-risk apps / user control / decryption
6. Exfiltration of Data: block files, data filtering (Files); block high-risk apps / user control / decryption
10. Detect and prevent threats at every point across the organization, not just the internet edge
• At the internet edge
• Between employees and devices within the LAN
• At the data center edge, and between VMs
• At the mobile device
• Within private, public and hybrid clouds
Requirements for the Future
11. Requirements for Security in Today’s Threat Landscape
1. Application-based security rules, including the ability to decrypt flows
2. Rules based on user identity / user groups
3. WildFire subscription to detect unknown malware
4. Threat Prevention subscription to enable dynamic prevention signatures for malware
5. URL Filtering (PAN-DB) subscription to enable dynamic prevention of malware command and control
6. GlobalProtect to secure users against threats at any time and to help assert identity
14. Exploit Prevention Case Study: Unknown Exploits Utilize Known Techniques
Prevention of one technique in the chain will block the entire attack.
• IE zero day (CVE-2013-3893). Techniques: Heap Spray, DEP Circumvention, ROP / Utilizing OS Function. Traps modules: UASLR, ROP Mitigation, DLL Security.
• Adobe Reader (CVE-2013-3346). Techniques: Heap Spray, DEP Circumvention, Utilizing OS Function. Traps modules: Memory Limit Heap Spray Check and Shellcode Preallocation, UASLR, DLL Security.
• Adobe Flash (CVE-2015-3010 / CVE-2015-0311). Techniques: ROP, JIT Spray, Utilizing OS Function. Traps modules: ROP Mitigation, J01, DLL Security, Memory Limit Heap Spray Check.
15. Exploit Techniques: Gaps Are Vulnerabilities
Exploit attack:
1. Exploit attempt contained in a PDF sent by a “known” entity.
2. PDF is opened and exploit techniques are set in motion to exploit a vulnerability in Acrobat Reader.
3. Exploit evades AV and drops a malware payload onto the target.
4. Malware evades AV, runs in memory.
Technique chain: Normal Application Execution -> Heap Spray -> DEP Circumvention -> Utilizing OS Function -> Begin Malicious Activity (activate key logger, steal critical data, more…)
16. Exploit Techniques with Traps Exploit Prevention Modules (EPM)
Same PDF attack as slide 15. Technique chain: Normal Application Execution -> Heap Spray -> blocked by Traps EPM -> No Malicious Activity.
1. Exploit attempt blocked. Traps requires no prior knowledge of the vulnerability.
17. Exploit Techniques with Traps EPM, first module disabled
Same PDF attack as slide 15. Technique chain: Normal Application Execution -> Heap Spray (EPM #1 off, technique succeeds) -> DEP Circumvention -> blocked by Traps EPM -> No Malicious Activity.
1. Exploit attempt blocked. Traps requires no prior knowledge of the vulnerability.
2. If you turn off EPM #1, the first technique will succeed but the next one will be blocked, still preventing malicious activity.
22. Your DC is the target!
Share of exploit logs by application: MS-SQL 25%, MS-RPC 21%, Web Browsing 15%, SMB 11%, MS-SQL Monitor 10%, MS-Office Communicator 10%, SIP 4%, Other 3%, Active Directory 2%, RPC 2%, DNS 1%.
10 out of 1,395 applications generated 97% of the exploit logs; 9 of these were datacenter applications.
Source: “Application Usage and Threat Report” (Palo Alto Networks), 2013 and 2014
24. VM-Series for AWS: full next-generation firewall functionality for AWS
• Identify and control applications traversing the VPC
• Prevent known and unknown threats, inbound and EC2-to-EC2
• Streamline policy updates, simplify management
25. Identify and control applications traversing the VPC
• Visibility: Classify all VPC traffic based on application identity
• Control: Enable those applications you want, deny those you don’t
• Authorize: Grant access based on user identity
Example policy in the diagram: Administrators -> RDP; Marketing -> SharePoint
26. Streamline management and policy updates
• Centrally manage configuration and policy deployment of the VM-Series for AWS (Panorama)
• Manage all Palo Alto Networks next-generation firewall instances, both hardware and virtualized form factor
• Aggregate traffic logs across multiple VM-Series for AWS instances for visibility, forensics and reporting
• Streamline policy updates with VM Monitoring, Dynamic Address Groups and an API
Diagram: Web FE, SharePoint and MS SQL tiers holding credit card, intellectual property and PII data, managed by Panorama
27. Deployment Scenarios
1. Gateway: Full NGFW security for all traffic traversing the AWS deployment
• Visibility, application control, prevention of known/unknown threats, access control based on user
2. Hybrid cloud (IPSec VPN)
• Extend enterprise datacenter to AWS: IPSec VPN + full NGFW feature set
3. VPC-to-VPC protection
• Control traffic between VPCs; block known and unknown threats from moving laterally
• A combination of gateway and hybrid within the VPC
4. GlobalProtect Gateway: Use VM-Series deployed across various AWS regions as a VPN gateway
• Secure mobile users anywhere by leveraging AWS infrastructure around the world
Diagram: the corporate network and end users over the Internet reach the VPC over IPSec VPN
28. GlobalProtect: Consistent Security Everywhere (headquarters, branch office and remote users; malware, botnets, exploits)
• VPN connection to a purpose-built firewall
• Automatic protected connectivity for users both inside and outside
• Unified policy control, visibility, compliance & reporting
39. Turning the Unknown into the Known: our unique approach makes us the only solution that…
• Scans ALL applications (including SSL traffic) to secure all avenues in/out of a network, reduce the attack surface area, and provide context for forensics
• Prevents attacks across ALL attack vectors (exploit, malware, DNS, command & control, and URL) with content-based signatures
• Detects zero-day malware & exploits using public/private cloud and automatically creates signatures for the global customer base
Flow: Identify & control all applications -> Prevent known threats -> Detect unknown threats -> Rapid, global sharing
40. Breaking the Attack Kill Chain at Multiple Points
Segment your network with a “zero-trust” model as the foundation for defense. Only allow content to be accessed:
• by a limited and identifiable set of users
• through a well-defined set of applications
• blocking everything else
Block all known threats: Threat Prevention would have identified and stopped parts of the attack, across known vulnerability exploits, malware, URLs, DNS queries and command-and-control activity.
Identify and block all unknown threats: WildFire had identified members of the “BlackPOS” malware family in the past, using behavioral characteristics such as:
• communicating over often-abused ports (139 or 445)
• using WebDAV to share information
• changing the security settings of Internet Explorer
• modifying the Windows registry, and many more
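The behavioral characteristics listed above are the kind of signal an analyst can score per host. The following is an added example, not Palo Alto Networks or Scalar code and not how WildFire performs its analysis: it classifies constructed endpoint and network events against the four behaviours named on the slide (SMB on ports 139/445, WebDAV transfers, Internet Explorer zone settings, registry run-key changes) and flags a host only when the combination crosses a threshold, because any one of them, SMB file-share traffic in particular, is normal on its own. The event schema, registry paths, weights and threshold are assumptions.

```python
"""Score hosts against BlackPOS-style behaviours. Added example; the event
format, registry key prefixes, weights and threshold are assumptions."""
from collections import defaultdict

SMB_PORTS = {139, 445}
# WebDAV-specific methods; plain GET/POST/PUT are too common to count on their own.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
# Key prefixes compared case-insensitively (assumed locations for the two registry behaviours).
IE_ZONES_KEY = r"hkcu\software\microsoft\windows\currentversion\internet settings\zones"
RUN_KEYS = (
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\windows\currentversion\run",
)

# Each behaviour counts once per host, however many events matched it.
WEIGHTS = {
    "smb_to_internal_share": 2,   # traffic over often-abused ports 139/445
    "webdav_transfer": 2,         # using WebDAV to move data
    "ie_security_settings": 1,    # changing Internet Explorer security settings
    "registry_persistence": 1,    # modifying the Windows registry (run key)
}
THRESHOLD = 4  # assumed: SMB alone (2) or a registry write alone (1) never flags a host

# Constructed sample events: pos-17 shows all four behaviours, wks-02 only normal SMB use.
SAMPLE_EVENTS = [
    {"host": "pos-17", "proc": "svc.exe", "type": "registry_set",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"host": "pos-17", "proc": "svc.exe", "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1601"},
    {"host": "pos-17", "proc": "svc.exe", "type": "net_connect", "dst": "10.1.5.20", "dport": 445},
    {"host": "pos-17", "proc": "svc.exe", "type": "http", "dst": "10.1.5.20",
     "method": "PROPFIND", "path": "/dav/"},
    {"host": "wks-02", "proc": "explorer.exe", "type": "net_connect", "dst": "10.1.5.20", "dport": 445},
    {"host": "wks-02", "proc": "chrome.exe", "type": "http", "dst": "10.1.9.9", "method": "GET", "path": "/"},
]


def classify(ev):
    """Return the behaviour label a single event matches, or None."""
    kind = ev.get("type")
    if kind == "net_connect" and ev.get("dport") in SMB_PORTS:
        return "smb_to_internal_share"
    if kind == "http" and ev.get("method", "").upper() in WEBDAV_METHODS:
        return "webdav_transfer"
    if kind == "registry_set":
        key = ev.get("key", "").lower()
        if key.startswith(IE_ZONES_KEY):
            return "ie_security_settings"
        if key.startswith(RUN_KEYS):
            return "registry_persistence"
    return None


def score_hosts(events, threshold=THRESHOLD):
    """Aggregate distinct behaviours per host and decide which hosts are suspect."""
    seen = defaultdict(set)
    for ev in events:
        label = classify(ev)
        if label:
            seen[ev["host"]].add(label)
    results = {}
    for host, behaviours in seen.items():
        score = sum(WEIGHTS[b] for b in behaviours)
        results[host] = {
            "score": score,
            "behaviours": sorted(behaviours),
            "suspect": score >= threshold,
        }
    return results


if __name__ == "__main__":
    for host, verdict in sorted(score_hosts(SAMPLE_EVENTS).items()):
        print(host, verdict)
```

Running it flags pos-17 (score 6, all four behaviours) and leaves wks-02 alone (score 2, SMB only); tune the weights to the environment, since a file server or a backup agent legitimately hits several of these.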
Scalar practice areas. INFRASTRUCTURE: Industry leader in infrastructure and next generation data centre technologies (integration of emerging technologies). SECURITY: Canada’s #1 provider of security, risk and compliance solutions (context-based security). CLOUD: Leading architect for the design, deployment and management of hybrid cloud solutions.
THIS IS OUR GO-TO-MARKET STRATEGY
We help our customers PREPARE to address today’s security challenges by:
• Understanding risks to their critical business assets
• Building effective security programs including people, process and technology, and
• Attracting and retaining (or hiring) top security talent, both leadership and technical
Scalar leverages its pedigree and core competency as an integrator of emerging technology to help customers DEFEND their critical business assets and data by:
• Implementing the most robust security defenses
• Leveraging leading technologies and integrating & configuring them in a way to optimize performance and effectiveness
• Maximizing the use of technologies to gain visibility, understanding and control over security events
Most organizations will suffer a breach eventually. We help our customers by:
• Monitoring critical business assets
• Responding rapidly when we see indicators of compromise or confirmed security incidents, and
• Providing ongoing validation of the effectiveness of security controls.
The key points here are:
• Most security studies are global in nature and do not apply well to the size and cultural uniqueness of Canadian businesses.
• We took 650 results from over 2,000 respondents to ensure the data is valid.
• We asked questions about:
  a) what risks impact Canadian businesses
  b) what measures they have taken to address security risk
  c) what are the most effective ways to reduce security risk
  d) overall, how prepared do Canadian businesses believe they are in reducing security risk
• We identified “Top Performers”, those companies that reported a reduction in risk:
  a) we examined the data from Top Performers to understand what investments they made in people, process and technology
  b) we found that TOP PERFORMERS WERE 28% LESS LIKELY TO SUFFER A SECURITY BREACH.
• We transfer this knowledge to all of our security customers.
Over the last two years in particular we’ve seen a dramatic change in both the attacker and the techniques they use. By many estimates cybercrime is now a $1+ trillion industry. And like any industry, opportunity fuels more investment, and it is clear this “industry” isn’t being deprived. But like any industry, investment decisions are made based on the expectation of profit. The best way to get an industry to collapse on itself is to take away that potential for profit. Our strategy is quite simple: make it so unbelievably hard for cybercriminals to achieve their objectives that their only recourse is to invest more and more resources to stage a successful attack, or give up and move on to someone else.
Today there are more than 100 nations who are actively building cyber military capabilities. Out of the 100 there are about 20 who are considered serious players. These nation states follow a completely different set of motives, and are not concerned about profit. These new units are accelerating the weaponization of vulnerabilities. They’re launching sophisticated campaigns at our employees looking to take advantage of weak defensive links. They are not motivated by profit. They’re motivated by warfare, terrorism, theft of secrets that may give their country an advantage. Equally so, we need to make it unbelievably hard for these nations to achieve their objectives.
To achieve this we must consider a new approach.
---------------------------------------------------------
Facts & Credits
Peter W. Singer, director of the Center for 21st Century Security and Intelligence at the Brookings Institution, said 100 nations are building cyber military commands, and of that there are about 20 that are serious players and a smaller number could carry out a complete cyberwar campaign.
The barrier to entry for attackers has come down significantly in the last couple of years with the accessibility of exploit kits that may be easily purchased online with full support.
This new approach must account for the realities that today’s attacks are not only multi-dimensional in nature, but also use an increasingly sophisticated set of techniques that are constantly in a state of change. As these techniques evolve the risk of breach increases. And as we all know an organization is only as strong as its weakest entry point, therefore an effective strategy must include multiple kill-points working together to prevent all aspects of an attack. This includes:
• Blocking the different techniques attackers might use to evade detection and establish command-and-control channels
• Preventing installation of malware, including unknown and polymorphic malware
• Blocking the different techniques that attackers must follow in order to exploit a vulnerability
• Closely monitoring and controlling communications within the organization to protect against unabated lateral movement when legitimate identities are hijacked
With the evolution of the attack and the attacker as a backdrop, let’s take a quick look at where some of the breakdowns in approaches are occurring.
---------------------------------------------------------
Facts & Credits
Today we detect and analyze over 2M forms of new malware within WildFire. This trend line is increasing monthly.
• Malvertising hosted in Azure
• Angler Exploit Kit
• Bedep & Cryptowall
• Reconnaissance
We bring multiple security disciplines into a single context / single threat prevention engine.
See beyond individual security events and recognize the full extent of a threat.
In a uniform context, you can see the interconnection of: Applications, Exploits, Malware, URLs, DNS queries, Anomalous network behaviors, Targeted malware
It is the unique value of our integrated solution that allows us to see this interconnection.
This should be our main talking point to customers… and have them realize that their strategy should not be based on ‘best of breed products’ any longer.
Your architecture must also be able to detect and prevent threats at every point across the organization:
• Attacks targeting your mobile workers
• Attacks targeting your perimeter
• Attacks moving between employees and devices within your LAN, or from guests or other 3rd-party contractors that might have access to your network
• Attacks targeting the heart of your virtualized data center
• Attacks targeting your cloud-based infrastructure, both private and public
We’d like to help you build a prevention-focused architecture that stops at nothing short of complete visibility into all traffic; is natively integrated in such a way that no gaps exist and context is delivered so you only have to react to the threats that are critically important; is highly automated to reduce or remove manual response; and enables you to drive seamless policy throughout your organization to reduce your attack surface and eliminate unnecessary risk.
How do we do that?
If you go back in time, the first thing we said we were going to do as a company was safely enable the use of all applications on your network. Why is that important? Attackers know that one of the easiest ways to get into your network is through an application. Back in the mid-90s our founder, Nir Zuk, created the first stateful inspection firewall. Stateful inspection firewalls use port, protocol and IP addresses to make security policy decisions. That was OK in the mid-90s when you had only two applications on your network, email and web, that communicated over a very predictable set of ports. At the time there was also a very limited number of devices to contend with on your network. Fast forward to the early 2000s and Nir could see that the number of applications landing on the network was about to explode, and that stateful-based firewalls would be incapable of handling this new environment where these applications utilized significantly more ports and followed non-standard patterns that the stateful firewall simply couldn’t anticipate. Mega trends like BYOD, mobility and cloud computing added further complications. Nir made the decision to re-invent the firewall and develop a new approach that took the guessing out of security, and provided a much more robust solution for managing applications, users and devices. That approach led to the formation of Palo Alto Networks in 2005, and the creation of the industry’s first next-generation firewall in 2007. The big difference between stateful firewalls and next-generation firewalls is we don’t guess. We don’t guess about applications, we don’t guess about users, we don’t guess about content, and we don’t guess about devices. We definitively inspect and identify all applications, users, content, and devices operating across your network. That means you get real visibility on your network, which leads to better security.
The next thing we said we were going to do was prevent both known and unknown cyber threats for all users on any device across any network. To achieve this we developed a series of cloud-based services that integrate closely with the next-generation firewall and deliver automated threat detection and prevention. We have four cloud-based services today: Threat Prevention, URL Filtering, WildFire and GlobalProtect for mobile security. Let’s pick one of these services, WildFire, to demonstrate the power of this integrated approach. Now, if an attacker attempts to breach your organization using a known threat we’re going to automatically block that attack using a combination of our next-generation firewall and cloud-based services (Threat Prevention, URL Filtering and GlobalProtect). If the threat is unknown we’re going to quickly turn it into a known threat using WildFire, which detects and analyzes potentially malicious files looking for new forms of malware, malicious URLs or command-and-control sites. As those unknown threats are detected, WildFire automatically develops new protections and within minutes routes those tools back to your cloud-based services. We don’t just route those tools to your systems, we route them to the global customer base so you benefit from the multiplier effect of a large threat intelligence community. This automated process ensures that your platform can deliver the highest levels of security for all users on any device across your entire network.
The newest technology we’ve brought to market is advanced endpoint protection. Let me tell you why we went down this path. Legacy providers have not been able to keep up with the challenges associated with advanced threats that have been finding their way onto the endpoint, then working their way into the network. We looked across the market, at all of the different approaches, and decided something truly disruptive had to happen. Many of the “newer” technologies have effectively given up on prevention and instead focus their efforts on detection and remediation. Other prevention-based approaches were simply ineffective at stopping advanced threats, or imposed too much operational overhead to be viable on a large-scale basis. We came up with a unique approach that prevents all exploit and malware-based attacks, even those based on unknown zero-day vulnerabilities. And we do this with a very lightweight and scalable technology. This approach has proven to be highly effective at protecting endpoints from advanced attacks, including laptops, servers, industrial control systems, bank ATMs, medical devices and retail point of sale systems.
So, to wrap it up our core value proposition is that we provide an enterprise security platform that safely enables all applications through granular use of controls and prevention of known and unknown cyber threats for all users on any device across any network. In doing so we’re able to deliver superior security with superior TCO.
Go to Whiteboard!
<Optional slide>
This is yet another proof point that your DC and infrastructure apps are heavily targeted. This data comes from one of our recent Application Usage and Threat Reports.
It’s a global view into enterprise application usage and the associated threats summarized from network traffic assessments conducted across more than 3,000 global organizations. This isn’t a survey, it is real data collected from live traffic. We share our insights in our “Application Usage and Threat Report”.
The 2013 report reveals 10 of the 1,395 applications represented 97% of the 60 Million exploit logs found.
9 of those applications are business critical. - internal or infrastructure-related applications that are integral to many business functions.
Here are the most heavily targeted – [list a few of them off] – “let me see a show of hands – how many of you can say you are not using any of these applications?”
In the example we are allowing access to the environment for admins using RDP, and marketing to use sharepoint.
VM Monitoring for AWS
• Extends the existing VM Monitoring function in PAN-OS to poll VPC EC2 instances
• Tags include: IDs, state, subnet, type, placement, DNS names, and custom tags
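VM Monitoring tags (slide 26 and the note above) and the user/application rules of slides 25 and 40 come together in policy: tags resolve to Dynamic Address Group members, rules match on user group, application and destination group, and anything unmatched is denied. The following added example, not PAN-OS or Panorama code, simulates that evaluation over a constructed DescribeInstances-shaped response: the "Role" tag, the "aws.<attribute>.<value>" tag form, the group criteria, the user groups and the rules are all assumptions made for the illustration.

```python
"""Tag-driven Dynamic Address Groups plus a default-deny user/application policy.
Added example; the response, tag names, groups, user groups and rules are assumed."""
import copy

# Constructed, shaped like a trimmed EC2 DescribeInstances response.
DESCRIBE_INSTANCES = {
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0aaa", "State": {"Name": "running"}, "SubnetId": "subnet-web",
         "PrivateIpAddress": "10.0.1.10", "Tags": [{"Key": "Role", "Value": "web-fe"}]},
        {"InstanceId": "i-0bbb", "State": {"Name": "running"}, "SubnetId": "subnet-app",
         "PrivateIpAddress": "10.0.2.10", "Tags": [{"Key": "Role", "Value": "sharepoint"}]},
        {"InstanceId": "i-0ccc", "State": {"Name": "stopped"}, "SubnetId": "subnet-db",
         "PrivateIpAddress": "10.0.3.10", "Tags": [{"Key": "Role", "Value": "mssql"}]},
        # Untagged instance: it matches no group, so no allow rule ever applies to it.
        {"InstanceId": "i-0ddd", "State": {"Name": "running"}, "SubnetId": "subnet-db",
         "PrivateIpAddress": "10.0.3.11", "Tags": []},
    ]}]
}

# Dynamic Address Groups: every listed tag must be present (AND semantics, assumed).
GROUPS = {
    "web-frontends": ["aws.tag.Role.web-fe", "aws.state.running"],
    "sharepoint-servers": ["aws.tag.Role.sharepoint", "aws.state.running"],
    "mssql-servers": ["aws.tag.Role.mssql", "aws.state.running"],
}

# (user group, application, destination group, action); first match wins, nothing matches -> deny.
RULES = [
    ("administrators", "ms-rdp", "any", "allow"),
    ("administrators", "mssql-db", "mssql-servers", "allow"),
    ("marketing", "sharepoint", "sharepoint-servers", "allow"),
    ("any", "web-browsing", "web-frontends", "allow"),
]


def tag_instances(resp):
    """Flatten the response into {private_ip: set_of_tags} using the attribute
    kinds the slide lists (ID, state, subnet, custom tags)."""
    tagged = {}
    for reservation in resp["Reservations"]:
        for inst in reservation["Instances"]:
            ip = inst.get("PrivateIpAddress")
            if not ip:
                continue
            tags = {
                "aws.id." + inst["InstanceId"],
                "aws.state." + inst["State"]["Name"],
                "aws.subnet." + inst["SubnetId"],
            }
            for t in inst.get("Tags", []):
                tags.add("aws.tag.{}.{}".format(t["Key"], t["Value"]))
            tagged[ip] = tags
    return tagged


def resolve_group(criteria, tagged):
    """Current members of a Dynamic Address Group: IPs carrying every criterion tag."""
    return {ip for ip, tags in tagged.items() if set(criteria) <= tags}


def decide(user_group, app, dst_ip, resp=DESCRIBE_INSTANCES, rules=RULES, groups=GROUPS):
    """Evaluate a flow against the rulebase; the implicit final rule is deny."""
    tagged = tag_instances(resp)
    for rule_user, rule_app, rule_dst, action in rules:
        if rule_user not in ("any", user_group):
            continue
        if rule_app != app:
            continue
        if rule_dst != "any" and dst_ip not in resolve_group(groups[rule_dst], tagged):
            continue
        return action
    return "deny"


def set_state(resp, instance_id, state):
    """Return a copy of the response with one instance's state changed, to show
    that group membership (and therefore policy) follows the tags without a rule edit."""
    new = copy.deepcopy(resp)
    for reservation in new["Reservations"]:
        for inst in reservation["Instances"]:
            if inst["InstanceId"] == instance_id:
                inst["State"]["Name"] = state
    return new


if __name__ == "__main__":
    print(decide("marketing", "sharepoint", "10.0.2.10"))   # allow
    print(decide("marketing", "ms-rdp", "10.0.2.10"))       # deny
    print(decide("administrators", "mssql-db", "10.0.3.10"))  # deny: instance stopped
    print(decide("administrators", "mssql-db", "10.0.3.10",
                 resp=set_state(DESCRIBE_INSTANCES, "i-0ccc", "running")))  # allow
```

Two points worth checking in a real deployment follow from the model: a stopped or re-tagged instance silently leaves its group, so a rule that once matched stops matching, and an untagged instance falls through to the default deny, which is the intended zero-trust outcome but also a common cause of "the new server can't be reached" tickets.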
What are customers using VM-Series for in AWS?
Gateway: Protect applications and services hosted in AWS where users are coming in over the open Internet
Hybrid cloud: This is about extending the private data center into the cloud to take advantage of the on-demand pricing, scalability and elasticity of a public cloud. This today is of strongest interest for enterprises.
VPC to VPC: A VPC is a virtual private cloud, i.e. a virtual data center in AWS, and a VPC to VPC is one architecture pattern.
GP: leveraging the AWS infrastructure to secure a global workforce
- Reduce the attack surface
- We use information learned while running files through WildFire to improve our signature-based threat prevention capabilities. E.g. we can harvest bad domains, malicious URLs, command & control information, etc. to build new DNS signatures, C&C signatures, and add to the malware category in PAN-DB.
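To make the harvesting step described above concrete, here is an added example (not WildFire or PAN-DB code) that turns constructed sandbox verdict reports into DNS, URL and C2-address block entries. It harvests only from reports with a malware verdict, normalises domains, drops an assumed allowlist of infrastructure domains a detonation touches anyway (Windows Update and the like), and drops RFC 1918, loopback and link-local peers that would otherwise end up sinkholing internal hosts. The report schema, the allowlist and the verdict policy are assumptions.

```python
"""Harvest block-list entries from sandbox verdict reports. Added example; the
report layout, allowlist and 'malware only' verdict policy are assumptions."""
import ipaddress
import re
from urllib.parse import urlparse

DOMAIN_RE = re.compile(r"^(?=.{1,253}$)[a-z0-9-]+(\.[a-z0-9-]+)+$")
# Assumed: domains every detonation contacts regardless of the sample; never block these.
ALLOWLIST_SUFFIXES = ("windowsupdate.com", "microsoft.com", "google.com")
# Peers inside these ranges are the sandbox's own network, not C2.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed reports (documentation addresses and reserved example names).
SAMPLE_REPORTS = [
    {"sha256": "a" * 64, "verdict": "malware",
     "dns": ["Evil-Cdn.example.", "www.windowsupdate.com", "not a domain"],
     "http": ["http://evil-cdn.example/gate.php?id=1", "https://dl.example.net/payload.bin"],
     "tcp": ["203.0.113.7:443", "10.0.0.5:445"]},
    {"sha256": "b" * 64, "verdict": "benign", "dns": ["pastebin.com"], "http": [], "tcp": []},
    {"sha256": "c" * 64, "verdict": "grayware", "dns": ["ads.example.org"], "http": [], "tcp": []},
]


def norm_domain(name):
    """Lower-case, strip the trailing dot, reject junk and allowlisted infrastructure."""
    d = name.strip().lower().rstrip(".")
    if not DOMAIN_RE.match(d):
        return None
    if any(d == s or d.endswith("." + s) for s in ALLOWLIST_SUFFIXES):
        return None
    return d


def is_external(ip_text):
    """True for a syntactically valid address outside the sandbox's internal ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def harvest(reports):
    """Return sorted DNS, URL and C2 IP indicators from malware-verdict reports.
    Grayware is skipped here; raising or lowering that bar is a policy decision."""
    dns, urls, c2_ips = set(), set(), set()
    for rep in reports:
        if rep.get("verdict") != "malware":
            continue
        for query in rep.get("dns", []):
            d = norm_domain(query)
            if d:
                dns.add(d)
        for url in rep.get("http", []):
            d = norm_domain(urlparse(url).hostname or "")
            if d:                      # a URL on an allowlisted host is dropped with it
                urls.add(url)
                dns.add(d)             # the URL's host is also a DNS indicator
        for peer in rep.get("tcp", []):
            ip_text = peer.rsplit(":", 1)[0]
            if is_external(ip_text):
                c2_ips.add(ip_text)
    return {"dns": sorted(dns), "urls": sorted(urls), "c2_ips": sorted(c2_ips)}


def to_edl(entries):
    """One entry per line, the shape an external dynamic list consumer expects."""
    return "".join(e + "\n" for e in entries)


if __name__ == "__main__":
    result = harvest(SAMPLE_REPORTS)
    print(to_edl(result["dns"]), to_edl(result["c2_ips"]), sep="")
```

The allowlist is the check most often forgotten: sandbox reports routinely contain update, telemetry and CDN lookups, and feeding them straight into a DNS signature or PAN-DB category is how a "malware" block list ends up breaking Windows Update.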
Timely and accurate threat intelligence data is the only way to remain up to date with emerging threats and bad actors/attackers. We use this data to detect early warning signs of potential threats and attacks that may impact our customers. Early warning helps stop attacks before they propagate and result in data loss.
We apply advanced analytics to understand how threats are impacting our customers. We do this by correlating the data from our threat feeds with security event data generated within our customers’ environments. We also aggregate data across our customer base to identify trends that may be specific to certain industries or technologies so we can focus our efforts on proactive protection measures and rapid detection & response.
Protecting critical assets is key to an effective security strategy. We see millions of security data points per day, and the only way to effectively reduce these into meaningful information we can analyze is to apply advanced automation and analytics focusing on the most critical assets that require protection.
When incidents occur, we need trained professionals who can rapidly confirm incidents, assess the impact to our customer’s business, and respond effectively. Often, incident handling goes beyond simply reconfiguring or rebuilding systems, to looking at what other systems or data may have been affected, what the impact has been on customers, business partners, and key stakeholders, and any communication and legal steps required.
Most importantly, we need to continuously validate the effectiveness of the security controls in place. Validation occurs on a regular basis, monthly for example. It is also critically important following an incident to ensure measures have been taken to ensure known risks are mitigated effectively.
The only way to demonstrate effectiveness of security controls is through robust reporting: customers need metrics on key data that demonstrate that security risks are identified, measured, and reduced.
Successful outcomes:
• Reduced risk at the enterprise level, again focused on business criticality for maximum impact
• Lower breach cost, not limited to direct costs but including indirect costs such as reputational damage, which is often the highest component according to the study we conducted in 2015
• Return on investment through proper design, deployment, integration and tuning, to maximize value of spend
• Enable business: by providing secure solutions, the business is free to provide innovative services to the marketplace within acceptable risk tolerance
• Measurable outcomes: the only way to demonstrate effectiveness of security spend is to measure key performance indicators and report on a regular basis.
This slide is quite straightforward; the talk track follows the Scalar approach of Prepare, Defend, Respond.
• Prepare: the first step in preparedness is to perform a risk assessment to understand gaps in current security posture and build an effective program to manage enterprise security risk.
• Defend: next, deploy a security infrastructure to provide visibility, understanding and control; maximize the effectiveness through proper configuration and tuning.
• Respond: finally, when security incidents happen, respond quickly to contain and remediate, then continuously validate the effectiveness of controls and changes that are made on an ongoing basis.