Transcript Document
Dynamic Computing & Dynamic Threats Require Dynamic Security

Palo Alto Networks at a Glance
Corporate Highlights
• Founded in 2005; first customer shipment in 2007
• Safely enabling applications
• Able to address all network security needs
• Exceptional ability to support global customers
• Experienced technology and management team
• 850+ employees globally
[Chart: Revenue ($MM), FYE July, FY09 to FY12]
[Chart: Enterprise customers, Jul-10 to Jul-12]
2 | ©2012, Palo Alto Networks. Confidential and Proprietary.

Agenda
• Today's Dynamic Enterprise Computing Environment
• An Equally Dynamic Threat Landscape
• The Tension between Security and Productivity
• What to do About It

A Long Time Ago… Security Was Simpler
On-premise data center:
• Apps in one place
• Users in one place
• Data in one place
• Devices controlled
• Devices dumb
• Network simple (wired)
• IT controls it all
• …
Only one kind of user: the employee.

Complexity Has Grown… A Lot
• Apps all over the place
• Users all over the place
• Data all over the place
• Devices not controlled
• Devices smart
• Network is complex: wired, wireless, VPN, "VDI", cloud, Internet
• IT controls only some of it
• User's control increased
• Risks are FAR higher
Modern threats are targeted, multivector and persistent. Who is on "the network": employees, guests, mobile employees, partners/contractors, on-premise systems, Internet content and tools.

From the Classroom… to the Playground

The Emergence of the User Kingdom
Devices
• Most often very small and mobile
• More devices are now in the control and ownership of end users
• Users are people, people are different, so the diversity of devices is expanding
Applications
• Users are discovering new ways to get work done
• Multiple tools being used to do the same thing
• Many applications are risky: they introduce threats and potential data loss
• Many applications are costly: they consume lots of computing and network resources
• IT is not participating in selecting them
Location
• Work gets done in and out of the office
• On-demand is essential

Mobile Climate and Challenges
IT security needs:
• Keep users, network, devices, and data safe
• Keep users productive
• Allow use of business-owned or personal devices
What employees want:
• Access to corporate and personal applications
• The full features of their mobile devices, not watered-down functionality
• No boundaries and restrictions

Evolution Towards Cloud Networks Brings New Challenges (even within our own data centers)
• How do you have visibility into the virtualized environment?
• How do you track rogue virtual machine creation?
• How do you embrace the dynamic nature of virtualization?

Limitations of Classic Data Center Architecture: What Virtualized Data Centers Look Like
• Applications of the same trust level on a server
• Segmentation deployments: DMZ / Corporate / PCI / R&D; application tiers
• Limitations in design:
  • Not optimized for hardware (spare CPUs may be idle)
  • Not ideal because traffic is routed north-bound (latency)
  • Expensive: VLANs and ports
[Diagram: Virtual Host 1, 2 and 3, each with its own vSwitch, with the Web, App and DB tiers kept on separate hosts]

Considerations Towards a "Cloud" Model
Shared "pools of resources":
• Optimizes hardware
• Applications of different trust levels on a server
• Reduces latency
• Delivers applications on-demand
Security issues:
• Safely enable East-West traffic
• Automation so security does not slow down the virtual workload
• Track policies to VM adds, moves and changes
[Diagram: Virtual Host 1, 2 and 3, each with its own vSwitch, with Web, App and DB VMs mixed on the same hosts]

So that's a snapshot of the modern computing "Ecosystem". Next, the threat environment…

Modern Attacks are Targeted, Stealthy and Multi-Step: What Has Changed / What is the Same
Attack strategy has evolved:
• Patient, multi-step process
• Compromise a user, then expand
The attacker has changed:
• Nation-states
• Criminal organizations
• Political groups
Attack techniques have evolved:
• New applications as the threat vector
• Avoidance of traditional AV signatures
• Hiding malware communications

Target            | Date           | Motive
NY Times          | Jan 31, 2013   | State-sponsored
CIA               | Feb 10, 2012   | Hacktivism
Symantec          | Feb 8, 2012    | Extortion
Zappos            | Jan 15, 2012   | Cybercrime
Danish Government | Aug 22, 2011   | Government practices
Sony PSN          | April 19, 2011 | Hacktivism
Epsilon           | April 1, 2011  | Financial
RSA               | March 17, 2011 | State-sponsored

Real Attacks Employ Multiple Techniques
1. Bait the end-user: the end-user is lured to a dangerous application or website containing malicious content
2. Exploit: infected content exploits the end-user, often without their knowledge
3. Download backdoor: a secondary payload is downloaded in the background; malware is installed
4. Establish back-channel: malware establishes an outbound connection to the attacker for ongoing control
5. Explore & steal: the remote attacker has control inside the network and escalates the attack

The Gaps in Traditional Antivirus Protection
Modern malware is increasingly able to:
- Avoid falling into traditional AV honey-pots
- Evolve before protection can be delivered
☣ Targeted and custom malware
☣ Polymorphic malware
☣ Newly released malware
Result: highly variable time to protection. (Note: WildFire finds 200 – 400 unique new malware samples undetectable by leading antivirus software every day.)

Applications Bypassing Port- and Protocol-based Security
• Applications leveraging non-standard ports, random ports, encryption
• 97% of exploits come from business, not social, applications

All These Challenges! Where do I Start?

Lots and Lots of Security Tools! Yea!! (Or Boo?)
Tools for servers, tools for end points, tools for networks, tools for tools: Firewall, Fuzzers, Anti-Virus, Anti-Malware, NIPS, HIPS, MDM, DLP, WAF, SIEM, Authentication, Encryption, Sniffers, Forensics, Packet Crafters, Port Scanners, Rootkit Detectors, Vulnerability Scanners, Web Proxies, Wireless Security, etc…

All These Solutions! Where do I Start?

There is a good place to start: the network is the common denominator between applications, devices, data and users. We should start here!

Requirements for Security in a Brave New World
1. See all traffic: reduce or eliminate blind spots
2. Safe application enablement
   • Identify applications by deep inspection, not by port filtering
   • Control application use by user/group-based policies
   • Inspect the traffic you allow: protect against known and unknown threats
3. Segment all parts of the network
4. Be nimble: address the moving parts
   • Tie security policies to VM orchestration (VM creation / movement)
   • Give mobile users controlled access
   • Rapidly deploy protections against new threats

Reducing the Scope of Attack: App Control
» The ever-expanding universe of applications, services and threats
Only allow the apps you need:
» Traffic limited to approved business use cases based on App and User
» Attack surface reduced by orders of magnitude
» Port and protocol agnostic
Clean the allowed traffic of all threats in a single pass:
» Complete threat library with no blind spots
» Bi-directional inspection
» Scans inside of SSL
» Scans inside compressed files
» Scans inside proxies and tunnels
» Scans unknown files

Identify Unknowns
1. Known traffic is controlled using positive enforcement
2. Allow the good, block everything else: positive control reduces the endless "Whack-a-Mole" of finding and stopping unwanted apps
3. Identify unknown applications
   • Anything non-compliant or custom should be known and approved
   • When the vast majority of traffic is identified, the unknowns become manageable
   • Unknown traffic is common; every network has some: new publicly available commercial applications, internally developed custom applications, rogue or malicious applications (malware)
4. Unknowns are manageable
   • Investigate unknowns
   • Aggressively control or block remaining unknown traffic

Identify All Users
• Do NOT trust; always verify all access
• Base security policy on users and their roles, not IP addresses
• For groups of users, tie access to specific groups of applications
• Limit the amount of exfiltration via network segmentation

Scan All Content
Full visibility of traffic:
• Equal analysis of all traffic across all ports (no assumptions)
• Control the applications that attackers use to hide
• Decrypt, decompress and decode
Control the full attack lifecycle:
• Exploits, malware, and malicious traffic
• Maintain context across disciplines
• Maintain predictable performance
Expect the unknown:
• Detect and stop unknown malware
• Automatically manage unknown or anomalous traffic

Threat       | Where it crosses the network          | How it hides
Exploits     | Delivered over the network            | Encryption, fragmentation
Malware      | Delivered over the network            | Re-encoded and targeted malware
Spyware, C&C | Malware communicates over the network | Proxies, tunneling, encryption, custom traffic

If it's unknown, how can I stop it?

Behavioral Analysis of Potential Malware
Unknown files are forwarded for deeper analysis:
✓ Potentially malicious files from the Internet
Malware analysis:
• Sandbox-based analysis that finds malware based on behaviors
• Generates a detailed forensics report
• Creates malware and C&C signatures
• Protection delivered to all customer firewalls

Daily Coverage of Top AV Vendors
[Chart: Daily AV coverage rates for newly released malware (50 samples), malware sample count by number of top-5 AV vendors detecting (0 to 5), Day-0 through Day-6]

Network Segmentation: A Great Best Practice
• Implement security zones in your network
• For each zone, group systems by risk and desired control point:
  • Systems that share similar risk factors
  • Systems that share security classifications
• Communication between zones is only via the firewall
• Every zone should be restricted by:
  • User
  • Applications
  • All content is scanned
  • Integrated reporting and logging for auditing purposes

Zero Trust Model (Forrester Research)
• Ensure all resources are accessed in a secure manner
• Access control is strictly enforced (verify and never trust)
• Inspect and log all traffic
[Diagram: firewall (FW) and access control (AC) at the center of all resource access]

Control Users and Their Devices with the Network
MDM ensures the device is "OK": security settings, passcode, encryption state, jailbroken status; actions: lock/wipe; managed/monitored devices.
Consistent policy: app policy, data filtering, URL filtering.
Protect device & traffic: malware detection, vulnerability protection.

Flexible Deployments to Protect East-West Traffic: Physical and Virtual (where to do what to reduce latency)
• Physical firewalls: inter-host segmentation, HA, physical servers
• Virtualized firewalls: intra-host segmentation, virtualized servers
• Security orchestration systems

Why Does It Have to Be a Next-Generation Firewall?
• Only next-generation firewalls can safely enable applications and understand applications, users and content
• Designed from the ground up to tackle threat protection without performance impact
• Addresses emerging challenges including virtualization and cloud
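The positive-enforcement model described in the Identify Unknowns, Identify All Users and Network Segmentation slides (allow approved apps per user group between zones, decide by identified application rather than port, deny and log everything else) as a small policy evaluator. This is an added example, not Palo Alto Networks code; the zones, groups, users, application names and rules are constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed sample directory mapping users to groups (not real data).
USER_GROUPS: Dict[str, Set[str]] = {
    "alice": {"finance"},
    "bob": {"engineering"},
    "guest1": {"guests"},
}

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    group: str            # policy is tied to user groups, never to IP addresses
    apps: FrozenSet[str]  # applications approved for this group between these zones

# Constructed positive-enforcement policy: each rule names the approved apps;
# ports never appear, and anything not matched below is denied.
RULES: List[Rule] = [
    Rule("users", "dmz", "finance", frozenset({"web-browsing", "ssl", "erp-app"})),
    Rule("users", "dmz", "engineering", frozenset({"web-browsing", "ssl", "ssh"})),
    Rule("users", "internet", "finance", frozenset({"web-browsing", "ssl"})),
    Rule("users", "internet", "engineering", frozenset({"web-browsing", "ssl"})),
    Rule("guest-wifi", "internet", "guests", frozenset({"web-browsing", "ssl"})),
]

@dataclass(frozen=True)
class Flow:
    user: Optional[str]  # None when the user could not be identified
    src_zone: str
    dst_zone: str
    app: str             # as identified by content inspection; "unknown-tcp"/"unknown-udp" if not
    dst_port: int        # carried only to show it plays no role in the decision

def evaluate(flow: Flow, rules: List[Rule] = RULES,
             user_groups: Dict[str, Set[str]] = USER_GROUPS) -> Tuple[str, str]:
    """Return (action, reason). Default is deny; allowed traffic is still scanned."""
    if flow.user is None:
        return "deny", "unidentified user: policy is user-based, not IP-based"
    if flow.app.startswith("unknown-"):
        return "deny", "unknown application: blocked and logged for investigation"
    groups = user_groups.get(flow.user, set())
    for r in rules:
        if ((r.src_zone, r.dst_zone) == (flow.src_zone, flow.dst_zone)
                and r.group in groups and flow.app in r.apps):
            return "allow+scan", f"{flow.app} approved for {r.group} {r.src_zone}->{r.dst_zone}"
    return "deny", "no rule approves this app for this user between these zones"

def unknown_report(flows: List[Flow]) -> Dict[Tuple[str, str], int]:
    """Count unknown-app flows per (user, destination zone) to prioritise investigation."""
    report: Dict[Tuple[str, str], int] = {}
    for f in flows:
        if f.app.startswith("unknown-"):
            key = (f.user or "<unknown-user>", f.dst_zone)
            report[key] = report.get(key, 0) + 1
    return report
```

Note that `ssh` identified on port 443 is allowed for engineering and denied for finance regardless of the port, which is the port-agnostic control the App Control slide calls for.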