Security is not keeping pace with the evolution of enterprises; spending on security feels endless, with no clear reduction in risk. Traditional security tools were not designed for automation and require manual, limited effort. Learn about the future of cybersecurity consumption with Palo Alto Networks.
13. WildFire
Static Analysis: detect known exploits, malware, and variants (heuristic engine, machine learning, file anomalies, malicious patterns, known malicious code)
Dynamic Analysis: find new zero-day exploits and malware through execution (custom hypervisor, behavioral scoring, multi-version analysis, full dynamic analysis)
Bare Metal Analysis: steer evasive malware to bare metal; identify VM-aware threats using hardware systems (real desktop hardware, no virtual environment, no hypervisor)
Dynamic Unpacking: memory analysis
14. WildFire by the Numbers
300M+ new samples per month
26,000+ WildFire customers, growing every month
45% of malware detected by WildFire is unknown in VirusTotal
40% of zero-day malware detected by WildFire has not been seen by the top 6 AVs
230K new protections every 5 minutes
Protections delivered: IP, DNS, C2, URL, WF-AV
Top file type trends:
1- PE, PE64 (Windows)
2- Android APK
3- DLL (Windows)
4- PDF (Adobe)
5- ELF (Linux)
8% of malware delivered by applications other than web and email (FTP, SMB)
1.1M malware variants covered by a single WildFire signature
23. THANK YOU
Fernando Gamero, Sales Engineer, Peru and Ecuador
fgamero@paloaltonetworks.com
Kenneth Tovar, Regional Sales Manager, Peru and Ecuador
ktovar@paloaltonetworks.com
Editor's notes
Technology is part of our lives. Our phones are with us all the time, and are the way we communicate with family and friends, doctors and banks.
Organizations are constantly improving services through applications. These apps can improve user experience and deliver significant competitive advantage.
At Palo Alto Networks our mission is to protect our digital way of life.
And as we know, security is not working so well today. You see it in the news -- business disruption due to cyberattacks is a reality.
We see examples every week of breaches that expose private information and endanger our trust in these applications and companies.
Additional Context:
Cloud security is a big concern (endanger trust)
Accidental Exposure
Legal and Regulatory Compliance
Data Sovereignty/control
Recent Incidents that endanger trust:
Facebook Cambridge Analytica 87 million accounts exposed : https://www.theatlantic.com/technology/archive/2018/04/facebook-cambridge-analytica-victims/557648/
Saks, Lord & Taylor hit with data breach – millions impacted: https://www.wsj.com/articles/saks-lord-taylor-hit-with-data-breach-1522598460
Hack of Baltimore’s 911 dispatch system – Ransomware attack: http://www.baltimoresun.com/news/maryland/crime/bs-md-ci-hack-folo-20180328-story.html
Under Armour data hacked from 150M MyFitnessPal app accounts: https://www.nbcnews.com/tech/security/under-armour-says-data-hacked-150m-myfitnesspal-app-accounts-n861406
We understand the problem. IT security leaders are spending more on security both on tools and people without a clear return for that investment.
Your teams are highly skilled, but there just aren’t enough hours in the day to get to everything they should be doing.
You are worried about threats that may be hiding in your network. Spending on security feels endless, without clear risk reduction.
Even then, they are not sure that they are more secure.
The legacy security tools and techniques designed for the traditional datacenter don’t work for public cloud.
Most security vendors offer point products, which worked fine when you had a few tools, but now you have 10, 20, maybe 30 security tools that simply don’t work together.
Your analysts have to manually stitch together insights from these disjoint tools to create a picture of what is happening in their environment and only then take action – in a much-delayed and highly ineffective way.
This approach is not working today in the data center…
It definitely does not work for distributed environments with cloud deployments and a mobile workforce.
We need a different approach.
Talking points
Distributed mobile workforce and apps
More SaaS applications (Office 365, Salesforce, Box, etc.)
The perimeter is gone, and data, users and apps need to be protected everywhere
Traditional data center security best practices are no longer effective
In response to these requirements, traditional security vendors built technology after technology: intrusion prevention, data loss prevention, proxies and so on, all trying to help the stateful inspection firewall mitigate some of the new attacks. Since this was operationally extremely cumbersome for customers, vendors then consolidated all these “blades” into a single hardware device. This is the origin of the UTM, or the Unified Threat Management appliance. There are several problems with these layered technologies, whether they are in multiple devices or a single device:
This is an inefficient way to gain visibility into the traffic, because in every device or blade the traffic typically goes through layer 3 or 4 inspection, followed by layer 7 inspection.
This does not give you the required control, because these technologies are not integrated. What the DLP device or blade finds, it can’t correlate with what the proxy and URL filtering devices find to make an intelligent security decision. This results in a weak security posture.
These devices and blades work on different enforcement models. For example, IPS and DLP work on a negative enforcement model, which is: deny the traffic that is bad, and allow everything else. Firewalls, on the other hand, work on a positive enforcement model, which is: let through only the traffic that is allowed by policy, and deny everything else. This results in very different-looking policies on each device. Creating and maintaining these policies requires dedicated staff, resulting in high operational costs.
In case of a problem, it is very difficult to correlate logs from different devices or blades because the logging and reporting is not consistent.
The bottom line is that this is an accidental architecture. If you want protection against modern attackers that are using supersonic jets, you can’t go to battle with chariots and catapults.
We invented the Next-Generation Firewall, which allows you to easily adopt security best practices using app, user and content-based policies, and a zero-trust approach, to minimize opportunities for attack. Our first evolution added cloud-based services for threat detection and prevention using the Next-Generation Firewalls as sensors and for automated enforcement. We source threat intelligence globally, inoculating your environment from new threats.
Fortunately for us, this unpacking technique does not help the attacker bypass analysis in dynamic environments. Once the malware is loaded it must unpack itself in order to execute, whether inside a dynamic analysis environment or, in the worst case, on a victim's machine.
That means that at some point the malware will have been unpacked in memory and will be accessible to our dynamic analysis environment. So what we are doing in WildFire to combat this technique is extracting the unpacked malware during dynamic analysis.
We feed that back into the static analysis model to further improve our detection capabilities. This builds on a number of capabilities added over the years that improve our detection.
For example, in previous releases we built our own custom hypervisor, which makes it harder for malware to detect that it is in an analysis environment. In a bare metal environment, threats cannot identify that they are being analyzed because there is no virtual environment to detect.
300M never-before-seen samples – We collect and process up to 300M never-before-seen samples a month
More than 26,000 customers and our partner ecosystem submitting files to us 24/7
Proofpoint submits up to 1M files per month, to give you some perspective (example)
This is not demo data or lab-assembled data. This is real customer data, which makes it unique
45% of malware detected by WildFire is unknown in VirusTotal – When WildFire issues a verdict on a sample, we check VirusTotal to see if this malware has been seen before, and 45% of the time it shows up as unknown.
This percentage is going down over time because other vendors are integrating the latest detection engines (normal trend)
45% is still a high number and demonstrates the quality of the data WildFire is analyzing
90% of SOC engineers use VirusTotal to start their hunting process
40% of zero-day malware is not detected by the top 6 AV vendors – Similar to VirusTotal, we run the malware through the top 6 leading AV vendors (no names required) to see if they detect the file as malicious. 40% of these files go undetected
This percentage is going down over time as these vendors upgrade their detection capabilities (normal trend)
Objection Questions:
Do you have any 3rd-party metrics around this claim? No. These are internal tests that give us a close benchmark. Great way to position Traps to get real validation!
Who are these vendors you test against? We don't disclose the names, but we allude to the top 6 in the market
Note: These numbers are used to demonstrate a point and to showcase our superior detection capabilities. Avoid the rat hole! Encourage a PoC.
230K protections delivered daily to our platform – Key selling point for us. At the end of the day, everyone can boost their numbers, but the most important thing is what you do with them.
We deliver up to 230K protections directly to the platform within 5 minutes, without any human intervention. These consist of IP addresses, domains, command and control, URLs and WF-AV. These protections are delivered as packaged signatures, fast!
The more samples we have, the more protections we deliver
On average we deliver 29 signatures per 100 pieces of malware. This implies two things:
Many of the malware samples we learn via feeds are not valid
Our file-based signatures can block more than one file (unlike a hash)
One WildFire signature can cover up to 1.1M variants of an attack
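An added illustration (not WildFire code) of the two points above: a packed sample must unpack itself in memory before it can run, so a content signature derived from that memory image matches every packed variant of the same payload, where a per-file hash matches exactly one. The payload, the XOR packer and the strings-style signature pick are constructed stand-ins, not the vendor's engine.

```python
import hashlib
from itertools import cycle

# Constructed stand-in payload: a tiny "code" blob carrying a distinctive
# string, much as a real unpacked image might carry a C2 beacon format string.
PAYLOAD = b"\x55\x89\xe5" + b"EVIL_C2_BEACON:%s" + b"\x00" * 8 + b"\xc3"


def pack(payload: bytes, key: bytes) -> bytes:
    """Constructed packer: a loader stub header followed by the XOR-encoded
    payload. Every key yields a different file (and hash) for the same payload."""
    encoded = bytes(b ^ k for b, k in zip(payload, cycle(key)))
    return b"STUB" + bytes([len(key)]) + key + encoded


def unpack_in_memory(sample: bytes) -> bytes:
    """What the sample's own stub must do before the payload can execute; a
    dynamic-analysis environment reads this image out of memory afterwards."""
    if not sample.startswith(b"STUB"):
        raise ValueError("not a packed sample")
    klen = sample[4]
    key, encoded = sample[5:5 + klen], sample[5 + klen:]
    return bytes(b ^ k for b, k in zip(encoded, cycle(key)))


def static_scan(data: bytes, signatures) -> bool:
    """Content-signature match over bytes as they are (on disk or in a dump)."""
    return any(sig in data for sig in signatures)


def derive_signature(image: bytes, min_len: int = 8) -> bytes:
    """Assumed signature-picking rule: the longest printable run in the unpacked
    image (a strings-style choice), fed back to the static engine."""
    runs, cur = [], bytearray()
    for b in image:
        if 0x20 <= b < 0x7F:
            cur.append(b)
        else:
            runs.append(bytes(cur))
            cur = bytearray()
    runs.append(bytes(cur))
    best = max(runs, key=len)
    if len(best) < min_len:
        raise ValueError("no printable run long enough for a signature")
    return best


def run_pipeline(keys):
    """Pack one payload with several keys; compare per-file hashes, a static scan
    of each packed file, and a static scan of the extracted memory image."""
    variants = [pack(PAYLOAD, k) for k in keys]
    hashes = {hashlib.sha256(v).hexdigest() for v in variants}
    signatures = {derive_signature(unpack_in_memory(variants[0]))}
    return {
        "distinct_hashes": len(hashes),  # one blocklist entry per variant
        "packed_hits": sum(static_scan(v, signatures) for v in variants),
        "dump_hits": sum(static_scan(unpack_in_memory(v), signatures) for v in variants),
        "signature": next(iter(signatures)),
    }


if __name__ == "__main__":
    print(run_pipeline([b"\x5a\xa5", b"k3y", b"\x01\x02\x03\x04", b"\xff"]))
```

With four keys the packed files have four distinct hashes and zero static hits, while the one signature derived from the first variant's memory image matches all four dumps.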
Top file type trends – It is good to talk about trends and indicators
We see Android APK moving up fast, beating DLL to take 2nd spot.
The Linux ELF file type is moving up, getting closer to PDF.
8% of malware delivered over applications other than web and email – This is an important metric. The majority of vendors talk about malware being delivered via email or web browsing, which is a fact, but it's equally important to talk about malware inside your network. It uses standard file transfer protocols to propagate, including FTP and SMB
Our platform has complete visibility into the network, cloud and endpoint. We have seen up to 8% of malware being delivered through non-web/email channels. This 8% could turn out to be the most damaging if left unchecked.
24,000 WildFire customers – We have more than 24,000 WildFire customers, growing by thousands every quarter.
Objection Question:
You have 52,000 Palo Alto Networks customers, so why don't all of them use WF? Why only 50%? According to Gartner, the average enterprise has little budget for an advanced malware detection solution. The industry is at a 20-30% attach rate. Palo Alto Networks is at 50% on customer penetration, but 75% on device attach rate, which is way above the industry average.
This does not include Traps, Magnifier and partners contributing in the millions
Our second evolution extended these capabilities to endpoints and the cloud. Our Advanced Endpoint Protection blocks malware, fileless attacks, vulnerability exploits, and ransomware. Our cloud security products speed multi-cloud deployment and simplify management through deep integrations with native cloud services and automation tools.
And all of these capabilities work together. Shared intelligence and consistent enforcement across network, cloud, and endpoints strengthens prevention and speeds response.
120K+ NGFWs submitting samples to WildFire – We collect and process samples from a large distribution of NGFWs globally. This number is growing exponentially.
5M Traps endpoints – WildFire is free with all Traps agents and is not included in the 26,000-customer list. We get requests for verdicts from 5M endpoints deployed globally
150+ partner integrations – Besides collecting and processing samples from our own products, we also collect information from 3rd-party solutions. This includes partners like Tanium, Proofpoint, VirusTotal, etc. We have more than 150 vendors who use WF APIs to get quick verdicts for samples, which then enhances our detection capability and response time.
2M+ API queries per day – Everything that we see in the AutoFocus GUI is available through the API. It enables organizations to plug AutoFocus seamlessly into their existing security ecosystem without logging into the GUI. Many customers that run big SOCs use the APIs on a daily basis
10+ Security Vendors as part of CTA: Palo Alto Networks started the Cyber Threat Alliance initiative to get all the top security vendors to share intelligence data. This includes vendors like Cisco, Check Point, Fortinet and Symantec.
Intelligence generation starts with high volume raw data collection, which is then processed and turned into more useful, yet still high volume, pieces of information, which is then further analyzed and refined into intelligence. Raw data or even unrefined information isn’t actionable, only intelligence is.
Our threat intelligence cloud is modeled after this process. Our threat intelligence cloud is collecting large amounts of data from customer firewalls, Traps endpoint agents, Aperture, and various 3rd party integrations and data feeds. This raw data comes in many forms, namely files, URLs, domains, hashes, telemetry, and other data.
The raw data is processed by various systems that perform processing and inspection of the data. For example, WildFire processes files and URLs to establish malware vs. benign files, and produces forensic reports that indicate all the activities of the sample. PAN-DB crawls URLs to categorize websites and find evidence of compromised sites or phishing pages. Signature generation engines process output from these systems to produce signatures for consumption.
Finally, the information is ingested by AutoFocus where automated systems and Unit 42 researchers analyze the information to produce actionable intelligence in the form of attack context (such as attacker attribution and methods) and indicators for that attack and past/future attacks. AutoFocus users can access this information to better empower their SOC and IR teams.
It is not a one way street, however. Every layer in this process feeds back into every other layer. For example, AutoFocus makes WildFire better by generating observations at the global level that help improve WildFire sandbox accuracy. And the output of WildFire processing results in protections delivered to our customers’ firewalls and endpoint agents in minutes.
The rate of attacker innovation continues to increase, putting more pressure on defenders to keep up by quickly deploying new security capabilities.
Attack volumes are rising faster than ever, and manual response will never scale to automated attackers.
Sophisticated new techniques are being used to evade traditional defenses, and you can’t just rely on what you have today.
Notes on the stats:
Over the past year we have seen a significant increase in the volume of new malware samples. In fact, there has been an increase of over 55% of new malware samples discovered in the wild since 2017.
As users become more aware and educated about file-based threats, attackers have upped the ante by using more evasive techniques in the form of fileless attacks. The Ponemon Institute projects that 35% of attacks in 2018 will be fileless. This is a significant threat because fileless attacks are 10 times more likely to succeed than file-based attacks, since they don't require a user to take an action such as opening an infected file.
We are also seeing attacks get much more sophisticated. While off-the-shelf ransomware attacks will continue in volume and severity, organizations also need to be aware of targeted and multi-vector attacks that target specific people and organizations and employ multiple attack strategies to accomplish their goals.
Deploying new technology is hard – and there is more of it to choose from than ever.
For example, we saw over 600 vendors exhibiting at RSA 2018, a number that continues to increase each year.
Do you have the time to evaluate and pick the right technology?
Even when you make the right choice, it can be hard to manage what you already have, let alone what you are trying to add.
From a security vendor's perspective, it can take years to take an idea to market, at which point the attack landscape may have already changed.
We are in our third evolution, which extends our automated approach, allowing you to add new capabilities that build on your existing investment in our sensors and enforcement points. Innovative apps developed by us, by 3rd parties, or by your own teams can access a security data set that is specific to your environment, as well as shared threat intelligence. The apps can monitor, detect and report on threats, automate workflows, and meet compliance requirements. We released an application in January that offers behavioral analytics, allowing you to detect and stop threats hiding in the network. The stealthiest attacks require analysis of data collected across the cloud, endpoints and network, giving you the context required to stop the attack.
We recognize that we cannot do everything ourselves, and customers need a way to rapidly consume new security innovation as it occurs, from any provider.
However, the current approach of adding more technology to the security sprawl doesn't scale – it often requires more manual effort to access, evaluate and adopt new technologies.
To solve this, we’ve opened up the platform to enable third-party innovation, allowing the development of cloud-delivered security Apps as an extension of the platform they already own and operate.
The framework allows customers to gain leverage from the sensors, rich data collected over time, and enforcement points available as part of the platform.
This approach only works when you can gain information and action on threats across the network, endpoint and cloud. This means your NGFWs, Traps, VM-Series, and Aperture provide the visibility needed for Apps to run.
A key enabler of the framework is the Logging Service, providing a cloud-based central repository and consistent format of log data from all those locations.
Apps further gain enrichment from threat intel data available as part of the globally correlated data from WildFire.
Beyond Apps developed by Palo Alto Networks, the framework enables anyone to build Apps, including third-party partners, MSSPs, and customers themselves.
The Application Framework brings true openness and extensibility to the platform – allowing customers to leverage the most innovative security technologies as a seamless extension of the Palo Alto Networks platform.
We believe the framework radically disrupts the way security will be created, delivered and adopted.