Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
•Télécharger en tant que PPTX, PDF•
3 j'aime•2,436 vues
Simon Wong and Chris Cram, Scalar security experts, discuss how Palo Alto Networks technology disrupts the entire malware kill chain. Attendees will also gain insight on flexible deployment options to better serve their mobile users, and how to get the most out of their Palo Alto Networks deployment.
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (20)
En vedette
En vedette (20)
Similaire à Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
Similaire à Disrupting the Malware Kill Chain - What's New from Palo Alto Networks. (20)
Plus de Scalar Decisions
Plus de Scalar Decisions (20)
Dernier
Dernier (20)
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
- 1. Presenter’s Name: Simon Wong + Chris Cram, Scalar Date: October 1st, 2015 Disrupting the Malware Kill Chain
- 2. © 2015 Scalar Decisions Inc. Not for distribution outside of intended audience. 2 Scalar Client Solutions Security Context-Based Enterprise Security Infrastructure Integration of Emerging Technologies Cloud Hybrid Cloud Solutions
- 3. © 2015 Scalar Decisions Inc. Not for distribution outside of intended audience. 3 Scalar Security Capabilities Prepare Defend Respond Monitor critical business assets Respond rapidly to incidents Validate effectiveness of security controls Implement robust defences Integrate leading technologies Maximize visibility, understanding and control Understand risks Build an effective security program Source top security talent
- 4. © 2015 Scalar Decisions Inc. Not for distribution outside of intended audience. 4 Organizational Maturity: Security Credit: Demetrios “Laz” Lazarikos, Blue Lava
- 5. © 2015 Scalar Decisions Inc. Not for distribution outside of intended audience. 5 We Asked Canadian Security Experts 46% Suffered a Loss of Data $200,000 Breaches Cost 34 Average Attacks Annually 41% Believe they are Winning the Cyber Security War 28% Top Performers Reduce Risk
- 6. What’s Changed? THE EVOLUTION OF THE ATTACKER $445 CYBERCRIME NOW 100+ nations CYBER WARFARE
- 7. What’s Changed? Known Threats OrganizationalRisk Zero-Day Exploits/Vulnerabilities Unknown & Polymorphic Malware Evasive Command-and-Control Lateral Movement Changing Application Environment SSL Encryption Mobile Threats THE EVOLUTION OF THE ATTACK
- 8. Ultra recent examples 6.9B visits/mo Angler Bedep Cryptowall 39 compromised iOS apps
- 9. App-ID User-ID URL IPS Spyware AV Files Unknown Threats Bait the end-user Exploit Download Backdoor Command/Control Block high-risk apps – User control decryption Block known malware sites Email links Block the exploit Block malware Prevent drive- by-downloads Detect 0-day malware Block new C2 traffic Block spyware, C2 traffic Block fast-flux, bad domains Block C2 on open ports 1 2 3 4 5 Lateral Movement / Zero Trust 6 Exfiltration Of Data Block the exploit Block malware Detect 0-day malware Block fast-flux, bad domains Block Files Data Filtering Block high-risk apps – User control decryption Block high-risk apps – User control decryption Breaking the Kill Chain at Every step
- 10. DETECT AND PREVENT THREATS AT EVERY POINT ACROSS THE ORGANIZATION – NOT JUST THE INTERNET EDGE At the internet edge Between employees and devices within the LAN At the data center edge, and between VM’s At the mobile device Cloud Within private, public and hybrid clouds Requirements for the Future
- 11. 1. Application based security rules Including the ability to decrypt flows 2. Rules based on User Identity/User Groups 3. Wildfire subscription to detect unknown malware 4. Threat Prevention subscription to enable dynamic prevention signatures for malware 5. URL (PAN-DB) subscription to enable dynamic prevention of malware Command & Control 6. GlobalProtect to secure against the threat of time and to help assert Identity Requirements for Security in Today’s Threat Landscape
- 12. NATIVELY INTEGRATED EXTENSIBLE AUTOMATED NEXT-GENERATION FIREWALL ADVANCED ENDPOINT PROTECTION THREAT INTELLIGENCE CLOUD Delivering the Next-Generation Security Platform
- 13. The endpoint
- 14. Prevention of One Technique in the Chain will Block the Entire Attack DLL Security IE Zero Day CVE-2013-3893 Heap Spray DEP Circumvention UASLR ROP/Utilizing OS Function ROP Mitigation/ DLL Security Adobe Reader CVE-2013-3346 Heap Spray Memory Limit Heap Spray Check and Shellcode Preallocation DEP Circumvention UASLR Utilizing OS Function DLL Security Adobe Flash CVE-2015- 3010/0311 ROP ROP Mitigation JiT Spray J01 Utilizing OS Function DLL Security Memory Limit Heap Spray Check Exploit Prevention Case Study Unknown Exploits Utilize Known Techniques
- 15. Begin Malicious Activity Normal Application Execution Heap Spray DEP Circumvention Utilizing OS Function Gaps Are Vulnerabilities Activate key logger Steal critical data More… Exploit Attack 2. PDF is opened and exploit techniques are set in motion to exploit vulnerability in Acrobat Reader. 1. Exploit attempt contained in a PDF sent by “known” entity. 3. Exploit evades AV and drops a malware payload onto the target. 4. Malware evades AV, runs in memory. Exploit Techniques
- 16. Normal Application Execution Heap Spray Traps EPM No Malicious Activity Exploit Attack 2. PDF is opened and exploit techniques are set in motion to exploit vulnerability in Acrobat Reader. 1. Exploit attempt contained in a PDF sent by “known” entity. 3. Exploit evades AV and drops a malware payload onto the target. 4. Malware evades AV, runs in memory. Traps Exploit Prevention Modules (EPM) 1. Exploit attempt blocked. Traps requires no prior knowledge of the vulnerability. Exploit Techniques
- 17. Normal Application Execution Heap Spray DEP Circumvention No Malicious Activity Traps EPM Exploit Attack 2. PDF is opened and exploit techniques are set in motion to exploit vulnerability in Acrobat Reader. 1. Exploit attempt contained in a PDF sent by “known” entity. 3. Exploit evades AV and drops a malware payload onto the target. 4. Malware evades AV, runs in memory. Traps Exploit Prevention Modules (EPM) 1. Exploit attempt blocked. Traps requires no prior knowledge of the vulnerability. 2. If you turn off EPM #1, the first technique will succeed but the next one will be blocked, still preventing malicious activity. Exploit Techniques
- 18. Zero Trust
- 19. All resources are accessed in a secure manner regardless of location. Access control is on a “need-to- know” basis and is strictly enforced. Verify and never trust. Inspect and log all traffic. The network is designed from the inside out. Source: Forrester Research 19 | ©2015, Palo Alto Networks Zero-Trust Model
- 20. Virtualized servers Physical servers corporate network/DMZ Security Network Applicatio n Segment North South (physical) and East West (virtual) traffic Tracks virtual application provisioning and changes via dynamic address groups Automation and orchestration support via REST-API Host VM and Core Security
- 21. Hypervisor Based Security Architecture
- 22. Your DC is the target! 21% MS-RPC 15% Web Browsing 11% SMB 10% MS-SQL Monitor 10% MS-Office Communicato r 4% SIP 3% Other 2% Active Directory 2% RPC 1% DNS 25% MS-SQL 10 out of 1,395 applications generated 97% of the exploit logs 9of these were datacenter applications Source -- “Application Usage and Threat Report” (Palo Alto Networks) 2013 and 2014
- 24. VM-Series for AWS Identify and control applications traversing the VPC Prevent known and unknown threats, inbound and EC2-to- EC2 Streamline policy updates, simplify management Full next-generation firewall functionality for AWS
- 25. Identify and control applications traversing the VPC Visibility: Classify all VPC traffic based on application identity Control: Enable those applications you want, deny those you don’t Authorize: Grant access based on user identity RDP SharePoint Administrators Marketing
- 26. Streamline management and policy updates Centrally manage configuration and policy deployment of the VM-Series for AWS Manage all Palo Alto Networks next-generation firewall instances, both hardware and virtualized form factor Aggregate traffic logs across multiple VM-Series for AWS instances for visibility, forensics and reporting Streamline policy updates with VM-Monitoring, Dynamic Address Groups and an API MS SQLSharePointWeb FE Credit Card / Intellectual Property / PII Panorama
- 27. Deployment Scenarios 1. Gateway: Full NGFW security for all traffic traversing the AWS deployment • Visibility, application control, prevention of known/unknown threats, access control based on user 2. Hybrid cloud (IPSec VPN) • Extend enterprise datacenter to AWS: IPSec VPN + full NGFW feature set 3. VPC-to-VPC protection • Control traffic between VPCs; block known and unknown threats from moving laterally • A combination of gateway and hybrid within the VPC 4. GlobalProtect Gateway: Use VM-Series deployed across various AWS regions as a VPN gateway • Secure mobile users anywhere by leveraging AWS infrastructure around the world IPSec VPN IPSec VPN End-Users over Internet Corporate Network
- 28. GlobalProtect: Consistent Security Everywhere •Headquarters •Branch Office malware botnets exploits • VPN connection to a purpose built firewall • Automatic protected connectivity for users both inside and outside • Unified policy control, visibility, compliance & reporting
- 29. One more thing: Cloud/SaaS
- 30. Next-Gen FW for SaaS Enforcement
- 31. Inherent Risks with SaaS
- 32. Inherent Risks with SaaS
- 36. NATIVELY INTEGRATED EXTENSIBLE AUTOMATED NEXT-GENERATION FIREWALL ADVANCED ENDPOINT PROTECTION THREAT INTELLIGENCE CLOUD Delivering the Next-Generation Security Platform
- 37. Thank You
- 38. © 2015 Scalar Decisions Inc. Not for distribution outside of intended audience. 38 Governance, Risk and Compliance Advisory Assess & Advise Implementation & Execution Monitor & Maintain Audit & Assurance • SSAE 16 / ISAE 16 / CSAE 3416 Readiness Assessment • Privacy Impact Assessment • SysTrust / WebTrust • Contractual • Controls Implementation • Privacy Governance • Governance Framework • Internal Audit Virtual • Privacy Office Virtual • Compliance Team Information Security • PCI DSS Assessment • ISO 27001 Gap/Risk Assessment • Application Security Testing • Vulnerability Assessment • Penetration Testing • Threat Risk Assessment • OSFI Cybersecurity Assessment • ISMS Implementation • Policy and Procedure Development • Virtual CSO • Virtual Security Team • Security Operations IT Service Management • COBIT Gap/Maturity Assessment • ITIL Gap/Maturity Assessment • ISO 20000 Gap/Maturity Assessment • Business Impact Assessment • Business Resiliency Assessment • IT Operational Risk Assessment • Service Continuity Management • BCP & DRP Development • IT Governance Implementation • ITIL Process Implementation • Implementation Rescue • Cherwell ITSM Tool Implementation • ITSM Managed Services • Technology Management • Cherwell ITSM SaaS Technology Advisory • Architecture Review • Network Review • Cloud Review • Security Device Review • Application Migration • VOIP / VOIP Security • PKI • Two-Factor Authentication Deployment • Security Device Deployment (FW/IDS/VPN) • BYOD Security • Secure Logging and Analysis • IT Management • Technology Management • Staff Augmentation
- 39. Our unique approach makes us the only solution that… Scans ALL applications (including SSL traffic) to secure all avenues in/out of a network, reduce the attack surface area, and provide context for forensics Prevents attacks across ALL attack vectors (exploit, malware, DNS, command & control, and URL) with content-based signatures Detects zero day malware & exploits using public/private cloud and automatically creates signatures for global customer base Identify & control Prevent known threats Detect unknown threats Rapid, global sharing All applications Turning the Unknown into the Known
- 40. Segment your network with a “zero-trust” model as the foundation for defense Only allow content to be accessed: By a limited and identifiable set of users Through a well-defined set of applications Blocking everything else Block all known threats: Threat Prevention would have identified and stopped parts of the attack Across known vulnerability exploits, malware, URLs, DNS queries And command-and-control activity Identify and block all unknown threats: WildFire had identified members of the “BlackPOS” malware family in the past Using Behavioral characteristics such as Communicating over often-abused ports (139 or 445) Using WebDev to share information, Changing the security settings of Internet Explorer Modifying Windows registries and many more Breaking the Attack Kill Chain at Multiple Points
- 41. © 2015 Scalar Decisions Inc. Not for distribution outside of intended audience. 41 Next Generation Security Operations Global Threat Intelligence & Research Advanced Analytics Protect Critical Assets Robust Incident Handling Understand Business Impact Continuous Validation of Controls
- 42. © 2015 Scalar Decisions Inc. Not for distribution outside of intended audience. 42 Successful Client Outcomes Reduced Risk Lower Cost Higher Return Measurable Outcomes Enable Business
- 43. © 2015 Scalar Decisions Inc. Not for distribution outside of intended audience. 43 Getting Started Prepare Perform a risk assessment Build an effective security program Defend Deploy security infrastructure Properly configure and continuously tune security tools Respond Detect & respond to incidents quickly Continuously validate the effectiveness of security controls
- 44. © 2015 Scalar Decisions Inc. Not for distribution outside of intended audience. 44 Looking for more information? Check out how we helped the Medical Council of Canada streamline their remote access management for employees, committee members, and physicians with the help of Palo Alto Networks technology. https://www.scalar.ca/en/client-stories/medical-council-of-canada-streamlines-remote- access-management-for-employees-committee-members-and-physicians/
Notes de l'éditeur
- INFRASTRUCTURE: Industry leader in infrastructure and next generation data centre technologies. (INTEGRATION OF EMERGING TECHNOLOGIES: )SECURITY: - Canada’s #1 provider of security, risk and compliance solutions. (CONTEXT BASED SECURITY)CLOUD: Leading architect for the design, deployment and management of hybrid cloud solutions.
- THIS IS OUR GO-TO-MARKET STRATEGY We help our customers PREPARE to address today’s security challenges by Understanding risks to their critical business assetsBuilding effective security programs including people, process and technology, andAttracting and retaining (or hiring) top security talent, both leadership and technicalScalar leverages its pedigree and core competency as an integrator of emerging technology to help customers DEFEND their critical business assets and data byImplementing the most robust security defensesLeveraging leading technologies and integrating & configuring them in a way to optimize performance and effectivenessMaximizing the use of technologies to gain visibility, understanding and control over security eventsMost organizations will suffer a breach eventually. We help our customers by:Monitoring critical business assetsResponding rapidly when we see indicators of compromise or confirmed security incidents, andProviding ongoing validation of the effectiveness of security controls. 1
- The key points here are:Most security studies are global in nature and do not apply well to the size and cultural uniqueness of Canadian businesses.We took 650 results from over 2,000 respondents to ensure the data is validWe asked questions about:a) what risks impact Canadian businessesb) what measures they have taken to address security riskc) what are the most effective ways to reduce security riskd) overall, how prepared do Canadian businesses believe they are in reducing security riskWe identified “Top Performers” – those companies that reported a reduction in risk: a) we examined the data from Top Performers to understand what investments they made in people, process and technology b) we found that TOP PERFORMERS WERE 28% LESS LIKELY TO SUFFER A SECURITY BREACH.We transfer this knowledge to all of our security customers1
- Over the last two years in particular we’ve seen a dramatic change in both the attacker and the techniques they use. By many estimates cybercrime is now a $1+ trillion industry. And like any industry, opportunity fuels more investment and it is clear this “industry” isn’t being deprived. But like any industry investment decisions are made based on the expectation of profit. The best way to get an industry to collapse on itself is take away that potential for profit. Our strategy is quite simple - make it so unbelievably hard for cybercriminals to achieve their objectives that their only recourse is to invest more and more resources to stage a successful attack, or give up and move on to someone else. Today there are more than 100 nations who are actively building cyber military capabilities. Out of the 100 there are about 20 who are considered serious players. These nation states follow a completely different set of motives, and are not concerned about profit. These new units are accelerating the weaponization of vulnerabilities. They’re launching sophisticated campaigns at our employees looking to take advantage of weak defensive links. They are not motivated by profit. They’re motivated by warfare, terrorism, theft of secrets that may give their country an advantage. Equally so, we need to make it unbelievably hard for these nations to achieve their objectives. To achieve this we must consider a new approach. --------------------------------------------------------- Facts & Credits Peter W. Singer, director of the Center for 21st Century Security and Intelligence at the Brookings Institution, said 100 nations are building cyber military commands, and of that there are about 20 that are serious players and a smaller number could carry out a complete cyberwar campaign. The barrier to entry for attackers has come down significantly in the last couple of years with the accessibility of exploit kits that may be easily purchased online with full support.
- This new approach must account for the realities that today’s attacks are not only multi-dimensional in nature, but also use an increasingly sophisticated set of techniques that are constantly in a state of change. As these techniques evolve the risk of breach increases. And as we all know an organization is only as strong as its weakest entry point, therefore an effective strategy must include multiple kill-points working together to prevent all aspects of an attack. This includes Blocking the different techniques attackers might use to evade detection and establish command-and-control channels Preventing installation of malware – including unknown and polymorphic malware Blocking the different techniques that attackers must follow in order to exploit a vulnerability Closely monitoring and controlling communications within the organization to protect against the unabated lateral movement when legitimate identities are hijacked With the evolution of the attack and the attacker as a backdrop, let’s take a quick look at where some of the breakdowns in approaches are occurring. --------------------------------------------------------- Facts & Credits Today we detect and analyze over 2M forms of new malware within WildFire. This trend line is increasing monthly.
- Malvertising hosted in Azure Angler Exploit kit Bedep & Cryptowall
- Reconnaissance We bring multiple security disciplines into a single context / single threat prevention engine. See beyond individual security events and recognize the full extent of a threat. In a uniform context, you can see the interconnection of: Applications, Exploits, Malware, URLs, DNS queries, Anomalous network behaviors, Targeted malware It is the unique value of our integrated solution that allows us to see this interconnection. This should be our main talking point to customers… and have them realize that their strategy should not be based on ‘best of breed products’ any longer.
- Your architecture must also be able to detect and prevent threats at every point across the organization: Attacks targeting your mobile workers Attacks targeting your perimeter Attacks moving between employees and devices within your LAN, or from guests or other 3rd party contractors that might have access to your network Attacks targeting the heart of your virtualized data center Attacks targeting your cloud-based infrastructure, both private and public
- We’d like to help you build a prevention-focused architecture that stops at nothing short of complete visibility into all traffic; is natively integrated in such a way that no gaps exist and context is delivered so you only have to react to the threats that are critically important; is highly automated to reduce or remove manual response; and enables you to drive seamless policy throughout your organization to reduce your attack surface and eliminate unnecessary risk. How do we do that? If you go back in time, the first thing we said we were going to do as a company was safely enable the use of all applications on your network. Why is that important? Attackers know that one of the easiest ways to get into your network is through an application. Back in the mid-90’s our founder, Nir Zuk, created the first stateful inspection firewall. Stateful inspection firewalls use port, protocol and IP addresses to make security policy decisions. That was OK in the mid-90’s when you had only two applications on your network – email and web that communicated over a very predictable set of ports. At the time there was also a very limited number of devices to contend with on your network. Fast forward to the early-2000’s and Nir could see that the number of applications landing on the network was about to explode, and that stateful-based firewalls would be incapable of handling this new environment where these applications utilized significantly more ports and followed non-standard patterns that the stateful firewall simply couldn’t anticipate. Mega trends like BYOD, mobility and cloud computing added further complications. Nir made the decision to re-invent the firewall and develop a new approach that took the guessing out of security, and provided a much more robust solution for managing applications, users and devices. That approach led to the formation of Palo Alto Networks in 2005, and the creation of the industries first next-generation firewall in 2007. The big different between stateful firewalls and next-generation firewalls is we don’t guess. We don’t guess about applications, we don’t guess about users, we don’t guess about content, and we don’t guess about devices. We definitively inspect and identify all applications, users, content, and devices operating across your network. That means you get real visibility on your network which leads to better security. The next thing we said we were going to do was prevent both known and unknown cyber threats for all users on any device across any network. To achieve this we developed a series of cloud-based services that integrate closely with the next-generation firewall and deliver automated threat detection and prevention. We have four cloud-based services today – Threat Prevention, URL Filtering, WildFire and GlobalProtect for mobile security. Let’s pick one of these services, WildFire, to demonstrate to power of this integrated approach. Now, if an attacker attempts to breach your organization using a known threat we’re going to automatically block that attack using a combination of our next-generation firewall and cloud-based services (Threat Prevention, URL Filtering and GlobalProtect). If the threat is unknown we’re going to quickly turn it into a known threat using WildFire which detects and analyzes potentially malicious files looking for new forms of malware, malicious URLs or command-and-control sites. As those unknown threats are detected, WildFire automatically develops new protections and within minutes routes those tools back to your cloud based services. We don’t just route those tools to your systems, we route them to the global customer base so you benefit from the multiplier effect of a large threat intelligence community. This automated process ensures that your platform can delivery the highest levels of security for all users on any device across your entire network. The newest technology we’ve brought to market is advanced endpoint protection. Let me tell you why we went down this path. Legacy providers have not been able to keep up with the challenges associated with advanced threats that have been finding their way onto the endpoint, then working their way into the network. We looked across the market, at all of the different approaches and decided something truly disruptive had to happen. Many of the “newer” technologies have effectively given up on prevention and instead focus their efforts on detection and remediation. Other prevention-based approaches were simply ineffective at stopping advanced threats, or imposed too much operational overhead to be viable on a large scale basis. We came up with a very unique approach that prevents all exploit and malware-based attacks, even those based on unknown zero-day vulnerabilities. And we do this with a very lightweight and scalable technology. This approach has proven to be highly effective at protecting endpoints from advanced attacks – including laptops, servers, industrial control systems, bank ATMs, medical devices and retail point of sale systems. So, to wrap it up our core value proposition is that we provide an enterprise security platform that safely enables all applications through granular use of controls and prevention of known and unknown cyber threats for all users on any device across any network. In doing so we’re able to deliver superior security with superior TCO.
- Go to Whiteboard!
- <Optional slide> This is yet another proof point that your DC and infrastructure apps are heavily targetted. This data comes from one of our recent Application usage and threat reports. It’s a global view into enterprise application usage and the associated threats summarized from network traffic assessments conducted across more than 3,000 global organizations. This isn’t a survey, it is real data collected from live traffic. We share our insights in our “Application Usage and Threat Report”. The 2013 report reveals 10 of the 1,395 applications represented 97% of the 60 Million exploit logs found. 9 of those applications are business critical. - internal or infrastructure-related applications that are integral to many business functions. Here are the most heavily targeted – [list a few of them off] – “let me see a show of hands – how many of you can say you are not using any of these applications?”
- In the example we are allowing access to the environment for admins using RDP, and marketing to use sharepoint.
- VM Monitoring for AWS Extends existing VM Monitoring function in PAN-OS to poll VPC EC2 instances Tags include: IDs, state, subnet, type, placement, DNS names, and custom tags
- What are customers using VM-Series for in AWS? Gateway: Protect applications and services hosted in AWS where users are coming in over the open Internet Hybrid cloud: This is about extending the private data center into the cloud to take advantage of the on-demand pricing, scalability and elasticity of a public cloud. This today is of strongest interest for enterprises. VPC to VPC: A VPC is a virtual private cloud, i.e. a virtual data center in AWS, and a VPC to VPC is one architecture pattern. GP: leveraging the AWS infrastructure to secure a global workforce
- We’d like to help you build a prevention-focused architecture that stops at nothing short of complete visibility into all traffic; is natively integrated in such a way that no gaps exist and context is delivered so you only have to react to the threats that are critically important; is highly automated to reduce or remove manual response; and enables you to drive seamless policy throughout your organization to reduce your attack surface and eliminate unnecessary risk. How do we do that? If you go back in time, the first thing we said we were going to do as a company was safely enable the use of all applications on your network. Why is that important? Attackers know that one of the easiest ways to get into your network is through an application. Back in the mid-90’s our founder, Nir Zuk, created the first stateful inspection firewall. Stateful inspection firewalls use port, protocol and IP addresses to make security policy decisions. That was OK in the mid-90’s when you had only two applications on your network – email and web that communicated over a very predictable set of ports. At the time there was also a very limited number of devices to contend with on your network. Fast forward to the early-2000’s and Nir could see that the number of applications landing on the network was about to explode, and that stateful-based firewalls would be incapable of handling this new environment where these applications utilized significantly more ports and followed non-standard patterns that the stateful firewall simply couldn’t anticipate. Mega trends like BYOD, mobility and cloud computing added further complications. Nir made the decision to re-invent the firewall and develop a new approach that took the guessing out of security, and provided a much more robust solution for managing applications, users and devices. That approach led to the formation of Palo Alto Networks in 2005, and the creation of the industries first next-generation firewall in 2007. The big different between stateful firewalls and next-generation firewalls is we don’t guess. We don’t guess about applications, we don’t guess about users, we don’t guess about content, and we don’t guess about devices. We definitively inspect and identify all applications, users, content, and devices operating across your network. That means you get real visibility on your network which leads to better security. The next thing we said we were going to do was prevent both known and unknown cyber threats for all users on any device across any network. To achieve this we developed a series of cloud-based services that integrate closely with the next-generation firewall and deliver automated threat detection and prevention. We have four cloud-based services today – Threat Prevention, URL Filtering, WildFire and GlobalProtect for mobile security. Let’s pick one of these services, WildFire, to demonstrate to power of this integrated approach. Now, if an attacker attempts to breach your organization using a known threat we’re going to automatically block that attack using a combination of our next-generation firewall and cloud-based services (Threat Prevention, URL Filtering and GlobalProtect). If the threat is unknown we’re going to quickly turn it into a known threat using WildFire which detects and analyzes potentially malicious files looking for new forms of malware, malicious URLs or command-and-control sites. As those unknown threats are detected, WildFire automatically develops new protections and within minutes routes those tools back to your cloud based services. We don’t just route those tools to your systems, we route them to the global customer base so you benefit from the multiplier effect of a large threat intelligence community. This automated process ensures that your platform can delivery the highest levels of security for all users on any device across your entire network. The newest technology we’ve brought to market is advanced endpoint protection. Let me tell you why we went down this path. Legacy providers have not been able to keep up with the challenges associated with advanced threats that have been finding their way onto the endpoint, then working their way into the network. We looked across the market, at all of the different approaches and decided something truly disruptive had to happen. Many of the “newer” technologies have effectively given up on prevention and instead focus their efforts on detection and remediation. Other prevention-based approaches were simply ineffective at stopping advanced threats, or imposed too much operational overhead to be viable on a large scale basis. We came up with a very unique approach that prevents all exploit and malware-based attacks, even those based on unknown zero-day vulnerabilities. And we do this with a very lightweight and scalable technology. This approach has proven to be highly effective at protecting endpoints from advanced attacks – including laptops, servers, industrial control systems, bank ATMs, medical devices and retail point of sale systems. So, to wrap it up our core value proposition is that we provide an enterprise security platform that safely enables all applications through granular use of controls and prevention of known and unknown cyber threats for all users on any device across any network. In doing so we’re able to deliver superior security with superior TCO.
- -Reduce the attack surface - -We use information learned while running files through WildFire to improve our signature-based threat prevention capabilities. E.g. We can harvest bad domains, malicious URLs, Command & Control information, etc. to build new DNS signatures, C&C signatures, and add to the malware category in PAN-DB.
- Timely and accurate threat intelligence data is the only way to remain up to date with emerging threats and bad actors/attackers. We use this data to detect early warning signs of potential threats and attacks that may impact our customers. Early warning helps stop attacks before they propagate and result in data loss.We apply advanced analytics to understand how threats are impacting our customers. We do this by correlating the data from our threat feeds with security event data generated within our customers’ environments. We also aggregate data across our customer base to identify trends that may be specific to certain industries or technologies so we can focus our efforts on proactive protection measures and rapid detection & response.Protecting critical assets is key to an effective security strategy. We see millions of security data points per day, and the only way to effectively reduce these into meaningful information we can analyze is to apply advanced automation and analytics focusing on the most critical assets that require protection.When incidents occur, we need trained professionals who can rapidly confirm incidents, assess the impact to our customer’s business, and respond effectively. Often, incident handling goes beyond simply reconfiguring or rebuilding systems, but also looking at what other systems or data may have been affected, what the impact has been on customers, business partners, and key stakeholders, and any communication and legal steps required. Most importantly, we need to continuously validate the effectiveness of the security controls in place. Validation occurs on a regular basis, monthly for example. It is also critically important following an incident to ensure measures have been taken to ensure known risks are mitigated effectively. The only way to demonstrate effectiveness of security controls is through robust reporting – customers need metrics on key data that demonstrates that security risks are identified, measured, and reduced. 1
- Successful outcomes:Reduced risk at the enterprise level – again, focused on business criticality for maximum impactLower breach cost – not limited to direct costs, but indirect costs such as reputational damage which is often the highest component according to the study we conducted in 2015Return on investment – through proper design, deployment, integration and tuning – to maximize value of spendEnable business – by providing secure solutions, the business is free to provide innovative services to the marketplace within acceptable risk toleranceMeasurable outcomes – the only way to demonstrate effectiveness of security spend is to measure key performance indicators and report on a regular basis. 1
- This slide is quite straightforward – the talk track follows prepare-defend-respond.Follows the Scalar approach of Prepare, Defend, Respond.first step in preparedness is to perform a risk assessment to understand gaps in current security posture and build an effective program to manage enterprise security risk.Next, deploy a security infrastructure to provide visibility, understanding and control – maximize the effectiveness through proper configuration and tuningFinally, when security incidents happen, respond quickly to contain and remediate – then continuously validate the effectiveness of controls and changes that are made on an ongoing basis. 1