Presentation on theme: "About Palo Alto Networks". Presentation transcript:

1 Practical Use of the Next-Generation Firewall: Controlling Modern Malware and Threats

2 About Palo Alto Networks
- Palo Alto Networks is the Network Security Company
- World-class team with strong security and networking experience
- Founded in 2005, first customer July 2007
- Top-tier investors
- Builds next-generation firewalls that identify / control applications
- Restores the firewall as the core of the enterprise network security infrastructure
- Innovations: App-ID™, User-ID™, Content-ID™
- Global footprint: 4,500+ customers in 70+ countries, 24/7 support

3 Agenda
- Brief review of modern malware and threats
- Introduction to how the next-generation firewall can help
- Steps and best practices you can take today
Attackers changed. Why does it matter? Because nation states and organized crime know what to do with stolen property. Previously a hacker may have been able to break into a network, but what would they really do with RSA source code?

4 The State of Intrusions Today
Advanced Malware and Intrusions Are Here Today
- Steady stream of high-profile, sophisticated breaches and intrusions
- All types of enterprises and information are being targeted:
  - Intellectual property: RSA
  - Customer information: Epsilon
  - Information to enable further attacks
  - Business partners: Comodo
  - Political/hacktivism: US Senate
- Breaches are not limited to financial information; if it is valuable to you, it is likely valuable to someone else
For years the security industry has been the boy who cried wolf, focused on scaring enterprises that someone was actively trying to steal their most precious assets. In most cases, this was untrue. Hackers were largely creatures of opportunity: if they encountered a secured network, they were likely to move on looking for a softer target. Today, hackers have become far more professional and skilled and will use persistence and intelligence to break through an enterprise's defenses.

5 What Has Changed / What is the Same
The attacker changed
- Nation-states
- Criminal organizations
- Political groups
Attack strategy evolved
- Patient, multi-step process
- Compromise user, then expand
Attack techniques evolved
- New ways of delivering malware
- Hiding malware communications
- Signature avoidance
The Sky is Not Falling
- Not new, just more common
- Solutions exist
- Don’t fall into “the APT ate my homework” trap

6 Strategy: Patient Multi-Step Intrusions
(Diagram: Organized Crime, Nation-States and Hacktivists targeting The Enterprise; stages: Infection, Command and Control, Escalation, Exfiltration)

7 Opportunities for Security
- Threats need your network to function
- Multiple chances to detect and correlate
- Expand security beyond the perimeter

8 Recognize the Modern Threat Shell Game
In the physical world: the mark is lured into trying to follow the pea, when the real game is about sleight of hand.
How it applies to threats: our old habits make us think of malware as the pea (an executable payload, probably carried in an ). In reality, modern malware relies on sleight of hand: how to infect, persist and communicate without being detected.

9 Multi-Step Intrusions
(Diagram: Organized Crime and Hacktivists targeting The Enterprise; stages: Infection, Command and Control, Escalation, Exfiltration)

10 Convergence of Malware and Network Security
To understand network attacks, you must understand malware
- Provides a persistent control point inside the network
- Malware is the hacker’s application
To understand modern malware, you must understand the network
- Ongoing control of the attack
- Escalates the attack
- Update and change functions
(Diagram: Infection, Command and Control, Escalation, Exfiltration)

11 The Lifecycle of Modern Malware
Infection
- Social engineering
- Drive-by-Downloads
- Obscured traffic
- Unknown malware
Persistence
- Rootkit/Bootkits
- Inject into the OS
- Disable endpoint security
- Backdoors
Command & Control
- Social applications and P2P
- Update configuration
- Download new exe
Communication
- Encryption
- Proxies
- Tunneling
- Non-standard ports

12 The Threat Lifecycle
Infection
- Phishing (Social)
- Remote Exploit (Shell Access)
- Malware Delivery (Drive-by)
Persistence
- Rootkits
- Backdoor (Poison Ivy)
- Anti-AV (Infect MBR)
Communication
- Encryption (SSL, SSH, Custom)
- Hide Transmission (SSL, IM)
- Proxies, RDP, Application Tunnels
- Port Evasions (tunnel over open ports)
Command & Control
- Common Apps (Social media, P2P)
- Update Configuration Files
- EXE Updates
- Fast Flux (Dynamic DNS)
- Backdoors and Proxies

13 Key Observations
Communications are the life-blood of an attack
- Modern threats are networked threats
- Virtually every phase involves methods to hide and evade from security
Extensible Framework
- If you can infect, persist, communicate and manage, then the threat functionality can be almost anything
- Begin to think of threats as a framework, not the functionality of the payload
Threats exist across multiple disciplines
- Applications: can hide and enable threats
- URLs and websites: can host and enable threats
- Exploits: create shell access to the target
- Malware: controls and uses the compromised target
- Files: used to update malware and steal data

14 The Value of the Next-Generation Firewall
Ensures visibility and control of all traffic
- Non-standard use of ports
- Tunneling within protocols
- Tunneling within SSL
- Remote desktop, SSH
- Anonymizers, proxies, personal VPNs, encrypted tunnels, etc.
Integrated approach to threat prevention
- Blocks risky applications or application features
- IPS and vulnerability protection
- Anti-malware
- File and content control
- Behavioral analysis of unknown threats

15 What Palo Alto Networks Brings to the Fight
Visibility and Control: What is the traffic and should it be allowed?
All Palo Alto Networks security begins with an integrated full-stack analysis of all traffic regardless of port, protocol or evasion.
(Diagram: App-ID classifying traffic: SSL, decrypted based on policy; HTTP Tunnel, decoded; Skype, identified by signature; File Transfer, BLOCKED)
App-ID: always the 1st task performed, all traffic, all ports, always on
© 2010 Palo Alto Networks. Proprietary and Confidential.

16 The Palo Alto Networks Next-Generation Firewall
Visibility and Control: What is the traffic and should it be allowed?
- App-ID: always the 1st task performed, all traffic, all ports, always on
Integrated Threat Prevention: Stop threats within allowed traffic
- IPS: proven 93.4% block rate and performance
- Anti-Malware: millions of samples, 50k analyzed per day
- URL Filtering: malware sites, unknown and newly registered sites
- Content Control: file types, downloads, specific content
- Behavioral Analysis
- Single unified engine (single-pass), always in application and user context, independent of port or evasion
(Diagram: App-ID classifying SSL, HTTP Tunnel, Skype and File Transfer before Threat Prevention)

17 Example: TDL-4*
- Extension of earlier malware, a.k.a. Alureon, TDSS, TDL
- Named “the indestructible botnet” due to its ability to protect itself from takedowns/takeovers
Infection
- Any (outsourced to affiliates)
- Drive-by-Downloads easily the most common
Persistence
- Infects MBR
- 32/64 bit rootkits
Communication
- Proprietary encryption
- Tunneled within SSL
- Sells proxy as a service
Command & Control
- Kad P2P network
- C&C servers
- Proxy through infected hosts
20+ Programs Used: malicious apps, Fake AV, spam, adware, etc.
*Derived from analysis by Kaspersky Labs

18 Protecting Against TDL-4
Indestructible does not mean indefensible
How to Use Palo Alto Networks to Control TDL-4
Prevent Infection
- Drive-by download protection
- Block risky sites
- Decrypt social networking
Prevent Communications
- Decrypt SSL to unknown sites
- Block unknown or proprietary encryption
- Limit proxies to select proxies and approved users
Disrupt Command and Control
- Block Kad usage

19 Best Practices

20 NGFW Best Practices
- Reduce your exposure
- Ensure visibility into traffic
- Lock down use of commonly open ports
- Prevent infections
- Implement full protection from known threats
- Analyze events in context
- Investigate the unknowns

21 1 - Reduce the Exposure
Block Unneeded and High-Risk Applications
- Block (or limit) peer-to-peer applications
- Block unneeded applications that can tunnel other applications
- Review the need for applications known to be used by malware
- Block anonymizers such as Tor
- Block encrypted tunnel applications such as UltraSurf
- Limit use to approved proxies
- Limit use of remote desktop

22 2 - Ensure Visibility into All Traffic
- Classify all traffic on all ports
  - This is core to a NGFW's job, but most don’t do it
  - Check protocol decoders
- Expand visibility beyond the perimeter
  - Inside the network: remember that much of a modern intrusion happens inside the network
  - Outside the network: deliver the same application control and threat prevention outside as inside
(Diagram: firewall seeing FTP on port 21, SSH on port 22, Telnet on port 23, HTTP on port 80, IM on port 531)

23 2b - Ensure Visibility – Control SSL
Applications and sites are moving to SSL by default
- Facebook, Google, etc.
- 36% of applications by bandwidth
Establish SSL Decryption Policies
- Decrypt policies: social networking, webmail, IM, message boards, micro-blogging, gaming sites
- Do not decrypt policies: health care sites and applications, financial sites and applications, secure channels

24 3 - Lock Down Use of Commonly Open Ports
- Botnets and malware regularly communicate on ports that are open by default
- DNS (port 53) is a favorite
- The next-generation firewall lets you set a policy that only DNS traffic is allowed on port 53 and everything else is blocked
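The port 53 rule above hinges on classifying the flow by what it actually carries rather than by its port. The following is an added illustration, not Palo Alto Networks code: a structural DNS check (header sanity plus a well-formed first question) and a policy function that allows port 53 traffic only when it classifies as dns; the packet builder and the sample beacon are constructed here as test input.

```python
import struct

# Opcodes defined for DNS: QUERY, IQUERY, STATUS, NOTIFY, UPDATE
VALID_OPCODES = {0, 1, 2, 4, 5}
# Query classes: IN, CH, HS, NONE, ANY
VALID_QCLASSES = {1, 3, 4, 254, 255}


def build_dns_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a minimal standard query (used only to construct sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def looks_like_dns(payload: bytes) -> bool:
    """Structural DNS check: header sanity plus a well-formed first question."""
    if len(payload) < 12:
        return False
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    is_response = bool(flags & 0x8000)
    opcode = (flags >> 11) & 0xF
    reserved_z = (flags >> 6) & 1                  # the one reserved bit must be zero
    if opcode not in VALID_OPCODES or reserved_z:
        return False
    if not is_response and qdcount == 0:          # a query must ask something
        return False
    if qdcount == 0:
        return True                               # e.g. a bare error response
    # Walk the first QNAME: labels of 1..63 bytes, total name <= 255, NUL terminated
    off, name_len = 12, 0
    while True:
        if off >= len(payload):
            return False
        length = payload[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:                 # compression pointer ends the name
            off += 2
            break
        if length > 63:
            return False
        off += 1 + length
        name_len += 1 + length
        if name_len > 255:
            return False
    if off + 4 > len(payload):
        return False
    _qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
    return qclass in VALID_QCLASSES


def classify_udp(dst_port: int, payload: bytes) -> str:
    """Port-independent label, the way an App-ID style engine would name the flow."""
    if looks_like_dns(payload):
        return "dns"
    return "unknown-udp" if dst_port == 53 else "other"


def port53_policy(dst_port: int, payload: bytes) -> tuple:
    """Rule from the slide: on port 53 allow only the dns application, deny the rest."""
    app = classify_udp(dst_port, payload)
    if dst_port != 53:
        return ("n/a", app)
    return ("allow" if app == "dns" else "deny", app)


# Constructed samples: a real A query and a non-DNS beacon riding on port 53
SAMPLE_QUERY = build_dns_query("example.com")
SAMPLE_BEACON = b"HELLO-C2\x00\x01\x02\x03\x04\x05"
```

A well-formed TXT query to a tunnelling domain still classifies as dns here, which is why slide 28's behavioural indicators (unknown traffic, new domains, repeated contacts) are needed on top of protocol classification.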

25 4 - Prevent Infections
Drive-by-Download Protection
- Detects downloads in the background, even following an unknown exploit
- Host browser and OS will not report it
- Train users
(Diagram: User visits infected webpage; Crafted image exploits vulnerability on client; Drive-by-Download Protection)

26 5 - Block Known Exploits and Malware
Known Threats are Still the Majority of Threats Today
- Malware and exploit kits are increasingly popular
- Vulnerability-facing signatures detect common variants
- "Through 2015, over 90% of malware and exploits will continue to be known threats" (Gartner)
Full Protection With Performance
- Palo Alto Networks has shown the ability to meet datasheet speeds with all signatures enabled
- Common engine and signature format processes traffic to detect all threats

27 6 - Evaluate Events in Context
Develop Context-Based Visibility
- Applications, patterns, sources and behaviors
- Correlate by user and application: known malware, known exploits, phone-home detection, download history, exploits, URL categories
- Treat unknowns as significant

28 7 - Aggressively Investigate the Unknowns
- NGFW classifies all known traffic
  - Custom App-IDs for internal or custom developed applications
  - Any remaining “unknown” traffic can be tracked and investigated
  - Used in the field to find botnets and unknown threats
Behavioral Botnet Report
- Automatically correlates end-user behavior to find clients that are likely infected by a bot
  - Unknown TCP and UDP, dynamic DNS, repeated file downloads/attempts, contact with recently registered domains, etc.
- Find specific users that are potentially compromised by a bot
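The correlation the Behavioral Botnet Report describes can be reproduced over ordinary per-session logs. This added example is not the vendor's implementation: it scores each user on the four indicators named on the slide (unknown TCP/UDP, dynamic DNS, repeated executable downloads, recently registered domains) and reports users above a threshold. The domain-age and dynamic-DNS fields are assumed enrichments, the point values are assumed tuning, and the log records are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class TrafficLog:
    """One session record. Domain age and dynamic-DNS flags are assumed enrichments."""
    user: str
    app: str                        # App-ID style label, e.g. "web-browsing", "unknown-tcp"
    dst_domain: str
    domain_age_days: int            # days since registration (assumed WHOIS enrichment)
    dynamic_dns: bool               # destination served by a dynamic-DNS provider
    downloaded_file: Optional[str]  # file type carried by the session, e.g. "pe"


NEW_DOMAIN_DAYS = 30   # "recently registered" threshold, an assumed tuning value
EXE_REPEAT_MIN = 3     # repeated executable downloads needed to count as an indicator


def score_user(logs: List[TrafficLog]) -> Tuple[int, List[str]]:
    """Combine the slide's indicators for a single user into a score and reasons."""
    score, reasons = 0, []
    unknown_dsts = {l.dst_domain for l in logs if l.app in ("unknown-tcp", "unknown-udp")}
    if unknown_dsts:
        score += min(len(unknown_dsts), 3)      # one point per distinct unknown peer, capped
        reasons.append(f"unknown tcp/udp to {len(unknown_dsts)} host(s)")
    if any(l.dynamic_dns for l in logs):
        score += 2
        reasons.append("dynamic dns destination")
    new_domains = {l.dst_domain for l in logs if l.domain_age_days < NEW_DOMAIN_DAYS}
    if new_domains:
        score += 2 * min(len(new_domains), 3)   # two points per new domain, capped
        reasons.append(f"{len(new_domains)} recently registered domain(s)")
    exe_downloads = sum(1 for l in logs if l.downloaded_file == "pe")
    if exe_downloads >= EXE_REPEAT_MIN:
        score += 3
        reasons.append(f"{exe_downloads} executable downloads")
    return score, reasons


def botnet_report(logs: List[TrafficLog], threshold: int = 5) -> List[Tuple[str, int, List[str]]]:
    """Rank users by score; only users at or above threshold are reported."""
    by_user: Dict[str, List[TrafficLog]] = defaultdict(list)
    for entry in logs:
        by_user[entry.user].append(entry)
    report = []
    for user, entries in by_user.items():
        score, reasons = score_user(entries)
        if score >= threshold:
            report.append((user, score, reasons))
    return sorted(report, key=lambda r: r[1], reverse=True)


# Constructed sample logs: alice browses normally, bob shows the bot-like pattern
SAMPLE_LOGS = [
    TrafficLog("alice", "web-browsing", "news.example", 3650, False, None),
    TrafficLog("alice", "ssl", "mail.example", 5000, False, None),
    TrafficLog("alice", "web-browsing", "cdn.example", 2000, False, "pdf"),
    TrafficLog("bob", "unknown-tcp", "c2a.example", 5, False, None),
    TrafficLog("bob", "unknown-tcp", "c2b.dyn.example", 10, True, None),
    TrafficLog("bob", "web-browsing", "drop.example", 7, False, "pe"),
    TrafficLog("bob", "web-browsing", "drop.example", 7, False, "pe"),
    TrafficLog("bob", "web-browsing", "drop.example", 7, False, "pe"),
]
```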

29 Summary
App-ID™
- All traffic, all ports, all the time
- Application signatures, heuristics, decryption
- Reduce the attack surface; remove the ability to hide
Patterns
- Block threats on all ports
- 93.4% block rate of known exploits
- 5M+ malware samples
- Prevents known threats (90% of threats through 2015, per Gartner)
Sources
- Malware hosting URLs
- Recently registered domains
- SSL decryption of high-risk sites
- Block known sources of threats; be wary of unclassified and new domains
Behaviors
- Dynamic DNS, fast flux
- Download patterns
- Unknown traffic
- Detects pre-existing or unknown threats
© 2011 Palo Alto Networks. Proprietary and Confidential.

30 Questions

31 Recognize the Modern Malware Shell Game
Modern malware is largely defined by how it addresses 4 key problems:
- Infect: How does the malware infect the target without triggering traditional AV and anti-malware?
- Persist: How does the malware persist on the infected host and avoid removal?
- Communicate: How does the malware securely communicate without being detected?
- Manage: How does the malware establish effective command and control without exposing itself to take-over?
If malware can survive on the host, communicate securely and update itself, then the payload can be virtually anything.

32 Recognize the Modern Malware Shell Game
Modern malware is largely defined by how it addresses 4 key problems:
Infect
- Drive-by-Download: attack begins with a remote exploit; malware is downloaded in the background following the successful exploit
- Customized and polymorphic malware to avoid signature detection
Persist
- Root kits, back doors, anti-AV
- Infection of master boot record, process injection, etc.
Communicate
- Encryption, proxies, fast flux, dynamic DNS, peer-to-peer
- Many methods to hide from security
Manage
- Command and control via custom app or protocol, config files, EXE download, P2P, social networks
- More use of fast flux


34 4 Qualities of Modern Malware
Infection: How does the malware infect the target without being detected?
- Remote exploits, hidden traffic, custom malware
Persistence: How does the malware remain on the infected host?
- Rootkits, backdoors, anti-AV
Communication: How does the malware communicate securely without being detected?
- Proxies & evasions, fast flux, encryption
Control: How does the malware coordinate and control itself without being taken over?
- Social media, configuration files, EXE updates

35 4 Qualities of Modern Malware
Infection: How does the malware infect the target without being detected?
- Ensure visibility into traffic; integrated IPS and anti-malware; drive-by-download protection
Persistence: How does the malware remain on the infected host?
- Detect and block backdoors and rootkits; integrated anti-AV
Communication: How does the malware communicate securely without being detected?
- Control proxies & evasions; track fast flux & dynamic DNS; decrypt SSL, block encryption
Control: How does the malware coordinate and control itself without being taken over?
- Control social media; detect configuration files via IPS; block EXE downloads

36 Long-Term Attacks Require Multiple Tactics
Applications / Evasions
- Attackers have learned to use applications and evasions to hide their traffic from security
  - Travel over non-standard ports
  - Tunnel within protocols
  - Tunnel within SSL
  - Dynamic DNS to cover their tracks
  - Use circumventing applications (remote desktop, SSH)
  - Use anonymizing applications (proxies, Tor, personal VPNs)
Exploits / Malware
- The fusion of exploits and malware allows any connection to deliver malware
  - Exploit user on a web-page, establish shell access, download malware in background
  - Malware is no longer simply an exe for a user to click on
- Signature avoidance
  - Polymorphic malware
  - Zero-Day vulnerabilities


38 Example
- User visits infected webpage
- Crafted image exploits vulnerability on client
- Exploit gains shell access and downloads malware in background
- Infected host used to investigate network, capture passwords, exploit other users and systems

39 Example: Remote Desktop
- User visits infected webpage
- Crafted image exploits vulnerability on client
- Exploit gains shell access and downloads malware in background

40 Example: SSL Remote Desktop
- User visits infected webpage
- Crafted image exploits vulnerability on client
- Exploit gains shell access and downloads malware in background
