Expose The Underground: Advanced Persistent Threats
Jeff Baker
© 2014, Palo Alto Networks. Confidential and Proprietary.

The problem
• Today's cyber attackers are utilizing an increasingly sophisticated set of evasion tactics
• Disjointed techniques rely on a "whack-a-mole" approach for detection and prevention, leaving enterprises prone to risk
• The volume of attacks is rapidly accelerating, putting strain on a limited population of security specialists

What is an APT?
• Human entity
• Targeted
• Persistent

Modern attacks are changing...
• Attackers: nation-states, organized crime, political groups
• Easier IT targets: new vectors, extended IT access, escalating tactics
• Concealment: evasion techniques, polymorphic attacks

Target             | Date           | Motive
Target             | Nov 27, 2013   | Financial
NY Times           | Jan 31, 2013   | State-sponsored
CIA                | Feb 10, 2012   | Hacktivism
Symantec           | Feb 8, 2012    | Extortion
Zappos             | Jan 15, 2012   | Cybercrime
Danish Government  | Aug 22, 2011   | Government practices
Sony PSN           | April 19, 2011 | Hacktivism
Epsilon            | April 1, 2011  | Financial
RSA                | March 17, 2011 | State-sponsored

High Volume Analysis
"The biggest problem with that older technology, some say, is that it reacts to threats rather than anticipating them."
– Austin American Statesman, Jan 19th, 2014

Example: Modern Malware Attack
1. Targeted malicious email sent to user
2. User clicks on link to a malicious website
3. Malicious website exploits client-side vulnerability
4. Drive-by download of malicious payload
5. Control relay
6. Steal
Controls shown on the slide against these stages: Signature Detection, URL Filtering, IPS, Behavioral Analysis.

Understanding the Cyber Attack Kill Chain
1. Bait the end-user (infiltrate): end-user lured to a dangerous application or website containing malicious content
2. Exploit: infected content exploits the end-user, often without their knowledge
3. Download backdoor: secondary payload is downloaded in the background; malware installed
4. Back channel (command/control): malware establishes an outbound connection to the attacker for ongoing control
5. Explore & steal (lateral movement, remove data): remote attacker has control inside the network and escalates the attack
Need to break it at different points in the chain! Best-of-breed, disparate solutions or integrated intelligence?

Goal: Break the Kill Chain at Every Possible Step (Automatically)
Technology      | Controls
App-ID          | Block high-risk apps; block C2 on open ports
URL             | Block known malware sites; block fast-flux, bad domains
IPS             | Block the exploit
Spyware         | Block spyware, C2 traffic
AV              | Block malware
Files           | Prevent drive-by downloads
Unknown Threats | Detect 0-day malware; block new C2 traffic

When the world was simple
• Stateful inspection addressed two applications: browsing and email
• With predictable application behavior
• In a basic threat environment

Challenge: More Security = Poor Performance
• Each security box, blade, or software module (firewall, IPS, anti-malware) robs the network of performance
• Threat prevention technologies are often the worst offenders
• Leads to the classic friction between network and security
• Result: network performance well below the best case, with increased complexity and cost
Technology sprawl and creep aren't the answer
• "More stuff" doesn't solve the problem
• Firewall "helpers" have a limited view of traffic
• Complex and costly to buy and maintain
• Doesn't address applications and new cyber threats
(Diagram: Internet, firewall plus helpers, Enterprise Network)

UTMs and blades aren't the answer either
• The same four objections apply to UTMs and firewall blades: "more stuff" doesn't solve the problem, a limited view of traffic, complex and costly to buy and maintain, and no answer for applications and cyber threats
(Diagram: Internet, UTM or blades, Enterprise Network)

Multi-Step Scanning Ramifications
• Firewall, policy decision #1: open ports to allow the application (allow port 80). Result: 300+ applications allowed*
• App-control add-on, policy decision #2: allow Facebook. Facebook allowed... what about the other 299 apps?

Key Difference                  | Ramifications
Two separate policies           | More work: two policies = double the admin effort (data entry, management, etc). Possible security holes: no policy reconciliation tools to find potential holes
Two separate policy decisions   | Weakens the firewall's "deny all else" premise: applications are allowed by the port-based firewall decision
Two separate log databases      | Less visibility with more effort: informed policy decisions require more effort, which slows reaction time
No concept of unknown traffic   | Increased risk: unknown traffic is found on every network, low volume but high risk. More work, less flexible: significant effort to investigate; limited ability to manage it once found
*Based on the Palo Alto Networks Application Usage and Risk Report

Tectonic shifts create the perfect storm
• Cloud + SaaS
• Social + consumerization
• Mobile + BYOD
• Cloud + virtualization
• Massive opportunity for cyber criminals

All these challenges! Where do I start?
Our fundamentally new approach to enterprise security
• App-ID: identify the application
• User-ID: identify the user
• Content-ID: scan the content

Architectural Differences
Palo Alto Networks                                                 | Competitor Products
Operations once per packet                                         | Several operations per packet introduce performance degradation
Parallel processing (single pass) of App-ID, User-ID and Content-ID | Serial processing (switching between modules)
Single policy, including App-ID, User-ID and Content-ID            | Multiple policies: firewall (ports), IPS, app-control, AV...
Single log entry for one session                                   | Separate log entries for one session

How do we reduce risk with this platform approach? Achieve 100% visibility into network traffic (at speed)
0. Full visibility (today's network)
1. Limit network traffic to business-relevant applications based on actual usage (App-ID). "Safely enable is the new Block"
2. Eliminate all types of known threats/vectors (AV, AS, IPS, URL)
3. Eliminate unknown threats (WildFire)
Each step lowers the risk level, and all of it is expressed in a single security policy.

Safely Enabling Applications, Users & Content
• Applications: safe enablement begins with application classification by App-ID
• Users: tying users and devices, regardless of location, to applications with User-ID
• Content: scanning content and protecting against all threats, both known and unknown, with Content-ID

The Benefits of Classifying Traffic in the Firewall
One policy decision, made in the firewall: "Allow Facebook" by App-ID, with no separate port rule.
Key Difference                     | Benefit
Single firewall policy             | Less work, more secure: administrative effort is reduced; potential reconciliation holes are eliminated
Positive control model             | Allow by policy, all else is denied. It's a firewall.
Single log database                | Less work, more visibility: policy decisions are based on complete information
Systematic management of unknowns  | Less work, more secure: quickly identify high-risk traffic and systematically manage it
NGFW vs. Legacy Firewalls
The slides build up one scenario: the same traffic arrives on port 25, and three firewalls judge it. The App-ID rule is "ALLOW SMTP"; the legacy rule is "ALLOW Port 25", optionally with an application IPS rule "Block Bittorrent" bolted on.

Traffic on port 25          | App-ID firewall (ALLOW SMTP)  | Legacy firewall (ALLOW Port 25) | Legacy firewall + App IPS (Block Bittorrent)
SMTP                        | SMTP = SMTP: allow            | Packet on port 25: allow        | Packet on port 25: allow
Bittorrent                  | Bittorrent ≠ SMTP: deny       | Packet on port 25: allow        | Bittorrent: deny
SSH, Skype, Ultrasurf       | Each app ≠ SMTP: deny         | Packet on port 25: allow        | Packet ≠ Bittorrent: allow
Command & control (unknown) | C&C ≠ SMTP: deny              | Packet on port 25: allow        | C&C ≠ Bittorrent: allow
Visibility                  | Each app, and unknown traffic, detected and blocked | Port 25 allowed | Bittorrent detected and blocked; other packets on port 25 allowed

The difference is the control model. The port rule plus App IPS is a negative model: the port rule admits everything and the IPS removes only what it has a signature for, so SSH, Skype, Ultrasurf and the unknown C&C session all pass. The App-ID rule is a positive model: only the identified application named in the rule is allowed, and unknown traffic is denied along with everything else.

We safely enable the business and manage the risks
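To make the comparison concrete, here is an added example (not Palo Alto Networks code, and not how App-ID is implemented) that evaluates the three policy models above over constructed port-25 sessions. The Flow type, the first-bytes signature table and the sample sessions are all assumptions for illustration; real application identification layers protocol decoders, heuristics and SSL decryption on top of anything this simple.

```python
"""Added illustration: port-based, port-plus-app-IPS, and application-based
policy models evaluated over the same port-25 sessions. Toy code, not
Palo Alto Networks App-ID; signatures and sample sessions are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    first_bytes: bytes  # first application-layer bytes seen in the session


# Hypothetical signature table: (application, predicate on the first bytes).
# A first-bytes check is enough for the illustration; it is not a real decoder.
SIGNATURES = (
    ("smtp", lambda b: b.startswith(b"220 ") or b[:4] in (b"EHLO", b"HELO")),
    ("bittorrent", lambda b: b.startswith(b"\x13BitTorrent protocol")),
    ("ssh", lambda b: b.startswith(b"SSH-")),
)


def identify_app(first_bytes: bytes) -> str:
    """Return the matched application name, or 'unknown' when nothing matches."""
    for name, matches in SIGNATURES:
        if matches(first_bytes):
            return name
    return "unknown"


def port_policy(flow: Flow) -> str:
    """Legacy stateful firewall, rule 'ALLOW port 25': only the port is consulted."""
    return "allow" if flow.dst_port == 25 else "deny"


def port_plus_app_ips_policy(flow: Flow) -> str:
    """Legacy firewall plus an application IPS rule 'Block Bittorrent'.

    Negative model: the port rule admits the session, then a second decision
    denies only the one application the IPS has a signature for."""
    if flow.dst_port != 25:
        return "deny"
    return "deny" if identify_app(flow.first_bytes) == "bittorrent" else "allow"


def app_policy(flow: Flow, allowed_apps=("smtp",)) -> str:
    """Application-based rule 'ALLOW SMTP'.

    Positive model: one decision on the identified application; anything
    else, including 'unknown', is denied regardless of port."""
    return "allow" if identify_app(flow.first_bytes) in allowed_apps else "deny"


# Constructed sessions, all on port 25 (the slide's scenario).
SAMPLE_FLOWS = [
    Flow("10.1.2.4", "198.51.100.10", 25, b"220 mail.example.com ESMTP ready\r\n"),
    Flow("10.1.2.4", "198.51.100.11", 25, b"\x13BitTorrent protocol" + b"\x00" * 8),
    Flow("10.1.2.4", "198.51.100.12", 25, b"SSH-2.0-OpenSSH_6.6\r\n"),
    # Unknown traffic: a made-up beacon matching no signature, standing in for C&C.
    Flow("10.1.2.4", "198.51.100.13", 25, b"\xde\xad\xbe\xef" + b"\x00" * 12),
]


def evaluate(flows=SAMPLE_FLOWS):
    """Verdict of each policy model per flow, in input order."""
    return [
        {
            "app": identify_app(f.first_bytes),
            "port_rule": port_policy(f),
            "port_plus_app_ips": port_plus_app_ips_policy(f),
            "app_rule": app_policy(f),
        }
        for f in flows
    ]


if __name__ == "__main__":
    for row in evaluate():
        print(f"{row['app']:<11} port-rule={row['port_rule']:<5} "
              f"port+app-IPS={row['port_plus_app_ips']:<5} app-rule={row['app_rule']}")
```

The slide's table falls out of the results: the port rule and the port-plus-IPS rule both pass the SSH session and the unknown beacon, because a negative model only denies what it has a signature for, while the application rule denies them because under a positive model unknown is simply not allowed. Note also that `app_policy` never looks at the port, which is the "regardless of port" property the later slides claim.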
Safely enable, by user
User                 | Safely enable                               | Prohibited use
Financial advisor    | Post info to a prospect's wall              |
Sales rep            | Sharing opportunities with a channel partner | Sharing customer lists externally
Marketing specialist | Exchange of Photoshop files with agencies   | Downloading malware
HR recruiter         | Communication with candidates               | Exposing lists of employees and their salaries
Also listed as prohibited uses on the slide: chatting; clicking on infected links.

Security Context from Integration
• Allowing 10.1.2.4 to 148.62.45.6 on port 80 does not provide context.
• Allowing Sales users on the corporate LAN to access Salesforce.com, while looking for threats and malware inside the decrypted SSL tunnel, and easily seeing that you have done so, is context.
• Seeing that you had 10 tunneling apps, 15 IPS hits and 4 visits to malware sites is no context.
• Seeing that Dave Smith visited a malware site, downloaded 0-day malware, and that his device is visiting other known malware sites and using tunneling apps: that is context.

Compromised Credit Cards: APTs in Action
• Recon on companies Target works with
• Spearphishing of a third-party HVAC contractor
• Breached the Target network with stolen payment system credentials
• Moved laterally within the Target network and installed POS malware
• Maintained access
• Compromised an internal server to collect customer data
• Exfiltrated data to command-and-control servers over FTP

Palo Alto Networks at a Glance
• Founded in 2005; first customer shipment in 2007
• Safely enabling applications
• Addressing the entire $10B+ network security market
• Experienced team of 1,900+ employees
• Over 21,000 enterprise customers; enterprise leadership position and rapid customer growth
Revenues ($MM, FYE July): FY09 $13, FY10 $49, FY11 $119, FY12 $255, FY13 $396
Enterprise customers: Jul-11 4,700; Jul-12 9,000; Jul-13 13,500
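The "Security Context from Integration" slide above contrasts network-wide totals with events tied to a named user. The following is an added example (not Palo Alto Networks code, and not the PAN-OS log format) of that difference: the same constructed events are summarised once as totals and once per user via an assumed IP-to-user mapping, with an assumed escalation rule that fires when two or more distinct indicator kinds land on one user. Log lines, field layout and the mapping are all constructed for the illustration.

```python
"""Added illustration: the same events viewed as network-wide totals (no
context) and as per-user context. Constructed log format and User-ID style
mapping; not PAN-OS log output."""
from collections import defaultdict

# Constructed IP-to-user mapping of the kind a user identification feed provides.
IP_TO_USER = {"10.1.2.4": "dave.smith", "10.1.2.9": "ana.lopez"}

# Constructed events, one per line: time,log_type,src_ip,detail,tag
# log_type: url (URL filtering), sandbox (file verdict), traffic (app), threat (IPS)
SAMPLE_LOG = """\
2014-01-19T09:58:01,url,10.1.2.4,bad-site.example,malware
2014-01-19T09:58:07,sandbox,10.1.2.4,invoice.exe,malicious
2014-01-19T10:02:44,url,10.1.2.4,other-bad.example,malware
2014-01-19T10:03:10,traffic,10.1.2.4,ultrasurf,tunneling
2014-01-19T10:05:00,threat,10.1.2.9,port-scan,ips
2014-01-19T10:06:31,traffic,10.1.2.9,salesforce-base,business
"""


def parse_log(text):
    """Parse the constructed comma-separated format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, log_type, src_ip, detail, tag = line.split(",")
        events.append({"ts": ts, "type": log_type, "src_ip": src_ip,
                       "detail": detail, "tag": tag})
    return events


def network_totals(events):
    """The 'no context' view: counts per (log type, tag) across the whole network."""
    counts = defaultdict(int)
    for e in events:
        counts[(e["type"], e["tag"])] += 1
    return dict(counts)


def user_context(events, ip_to_user):
    """Group indicators by user and device, then flag users whose indicators
    chain together (malware site, malicious download, tunneling app)."""
    ctx = {}
    for e in events:
        user = ip_to_user.get(e["src_ip"], "unknown@" + e["src_ip"])
        u = ctx.setdefault(user, {
            "devices": set(), "malware_sites": [], "malicious_downloads": [],
            "tunneling_apps": [], "ips_hits": [],
        })
        u["devices"].add(e["src_ip"])
        if e["type"] == "url" and e["tag"] == "malware":
            u["malware_sites"].append(e["detail"])
        elif e["type"] == "sandbox" and e["tag"] == "malicious":
            u["malicious_downloads"].append(e["detail"])
        elif e["type"] == "traffic" and e["tag"] == "tunneling":
            u["tunneling_apps"].append(e["detail"])
        elif e["type"] == "threat":
            u["ips_hits"].append(e["detail"])
    for u in ctx.values():
        kinds = sum(bool(u[k]) for k in
                    ("malware_sites", "malicious_downloads", "tunneling_apps"))
        # Assumed threshold: two or more distinct indicator kinds on one user escalates.
        u["escalate"] = kinds >= 2
        u["devices"] = sorted(u["devices"])
    return ctx


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("totals:", network_totals(events))
    for user, u in user_context(events, IP_TO_USER).items():
        print(user, "ESCALATE" if u["escalate"] else "ok", u)
```

Run stand-alone, the totals view reports two malware-site visits, one malicious file, one tunneling app and one IPS hit, which says nothing about whether they belong together. The per-user view puts all four of the first group on dave.smith and escalates him, while ana.lopez, with a lone IPS hit, is not escalated. Events from an IP with no user mapping are kept under a placeholder identity rather than dropped, so an unmapped device still shows up for investigation.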
Gartner Enterprise Firewall Magic Quadrant
(Figure: Magic Quadrant positions for December 2011 and February 2013. "We pushed the competitors back.")

Next-generation enterprise security platform
• Next-Generation Firewall: inspects all traffic; blocks known threats; extensible to mobile & virtual networks
• Threat Intelligence Cloud: gathers potential threats from network and endpoints; sends unknowns to the cloud; analyzes and correlates threat intelligence; disseminates threat intelligence to network and endpoints
• Advanced Endpoint Protection: inspects all processes and files; prevents both known & unknown exploits; integrates with the cloud to prevent known & unknown malware

Detect and Defend: Turning the Unknown into Known
All applications → Identify & control → Prevent known threats → Detect unknown threats → Rapid, global sharing

Our unique approach makes us the only solution that...
• Scans ALL applications (including SSL traffic) to secure all avenues in and out of a network, reduce the attack surface, and provide context for forensics
• Prevents attacks across ALL attack vectors (exploit, malware, DNS, command & control, and URL) with content-based signatures
• Detects zero-day malware & exploits using a public/private cloud and automatically creates signatures to defend our global customer base

We have pioneered the next generation of security
• Legacy (mid 1990s to today): allow or block some apps; detect some malware
• Next generation (today+): safely enable all applications; prevent all cyber threats

Palo Alto Networks Next Generation Firewall
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify and control users regardless of IP address, location, or device
3. Protect against known and unknown application-borne threats
4. Fine-grained visibility and policy control over application access and functionality
5. Multi-gigabit, low latency, in-line deployment

Covering the entire enterprise
• Network locations: data center/cloud, enterprise perimeter, distributed/BYOD, endpoint
• Next-generation appliances, physical: PA-200, PA-500, PA-2000 Series, PA-3000 Series, PA-4000 Series, PA-5000 Series, PA-7050; WildFire: WF-500
• Virtual: VM-Series & VM-Series-HV for NSX
• Subscriptions: Threat Prevention, URL Filtering, GlobalProtect™, WildFire™, Endpoint (Traps)
• Use cases: Next-Generation Firewall; cybersecurity (IDS / IPS / APT); web gateway; VPN
• Management system: Panorama, M-100 appliance, GP-100 appliance
• Operating system: PAN-OS™

Our core value proposition
An enterprise security platform that safely enables all applications through granular use control and prevention of known and unknown cyber threats, for all users on any device across any network. Superior security with superior TCO.

Thank You