Dynamic Computing & Dynamic Threats Requires Dynamic Security.

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)

Palo Alto Networks at a Glance
Corporate Highlights
- Founded in 2005; First Customer Shipment in 2007
- Safely Enabling Applications
- Able to Address all Network Security Needs
- Exceptional Ability to Support Global Customers
- Experienced Technology and Management Team
- 850+ Employees Globally
[Charts: Revenue ($MM, FYE July) and Enterprise Customers; axis labels Jul-10, Jul-11, Jul-12]
©2012, Palo Alto Networks. Confidential and Proprietary.

Agenda
- Today's Dynamic Enterprise Computing Environment
- An Equally Dynamic Threat Landscape
- The Tension between Security and Productivity
- What to do About It

A long time Ago… Security was Simpler
[Diagram labels: wired Employee, On Premise, Data Center]
- Apps in one place
- Users in one place
- Data in one place
- Devices Controlled
- Devices Dumb
- Network Simple
- IT Controls it all…

Complexity Has Grown… A Lot
[Diagram labels: Cloud; Internet; Content / tools; Modern threats – targeted, multi-vector, persistent; wireless; VPN; VDI; Guest; Mobile employee; Partner/contractor; wired Employee; The Network; On Premise]
- Apps all over the place
- Users all over place
- Data all over the place
- Devices not controlled
- Devices Smart
- Network is Complex
- IT Controls only some of it
- Users control increased
- Risks are FAR higher

From the Classroom… to the Playground

The Emergence of the User Kingdom
Devices
- Most often very small and mobile
- More devices are now in the control and ownership of end users
- Users are people, people are different, so the diversity of devices is expanding
Applications
- Users are discovering new ways to get work done
- Multiple tools being used to do the same thing
- Many applications are risky – they introduce threats, potential data loss
- Many applications are costly – they consume lots of computing and network resources
- IT is not participating in selecting
Location
- Work gets done in and out of the office
- On-demand is essential

Mobile Climate and Challenges
IT SECURITY NEEDS
- Keep users, network, devices, and data safe
- Keep users productive
- Allow use of business-owned or personal devices
WHAT EMPLOYEES WANT
- Access to corporate and personal applications
- Want the full features of their mobile devices, not watered down functionality
- Don't want boundaries and restrictions
© 2013 Palo Alto Networks. Proprietary and Confidential.

Evolution Towards Cloud Networks Bring New Challenges (even within our own data centers)
- How do you have visibility into the virtualized environment?
- How do you track rogue virtual machine creation?
- How do you embrace the dynamic nature of virtualization?

What Do Virtualized Data Centers Look Like
Segmentation deployments:
- DMZ/Corporate/PCI/R&D
- Application Tiers
Limitations in design:
- Not optimized for hardware (spare CPUs may be idle)
- Not ideal because traffic routed north bound (latency)
- Expensive – VLANs and ports
Limitations of Classic Data Center Architecture
[Diagram: Virtual Host 1 (DB, vSwitch, DB); Virtual Host 2 (App, vSwitch, App); Virtual Host 3 (Web, vSwitch, Web). Caption: Applications of the same trust levels on a server]

Considerations Towards Cloud Model
- Shared pools of resources
- Optimizes hardware
- Reduce latency
- Delivers applications on-demand
Security Issues
- Safely enable East-West traffic
- Track policies to VM adds, moves, changes
- Automation so security does not slow down the virtual workload
[Diagram: Virtual Host 1, Virtual Host 2 and Virtual Host 3, each with a vSwitch; DB, App, Web. Caption: Applications of different trust levels on a server]

So that's a snapshot of the modern computing ecosystem. Next, the threat environment…

Modern Attacks are Targeted, Stealthy and Multi-Step
What Has Changed / What is the Same
The attacker has changed
- Nation-states
- Criminal organizations
- Political groups
Attack strategy has evolved
- Patient, multi-step process
- Compromise a user, then expand
Attack techniques have evolved
- New applications as the threat vector
- Avoidance of traditional AV signatures
- Hiding malware communications

| | Date | Motive |
|---|---|---|
| NY Times | Jan 31, 2013 | State-sponsored |
| CIA | Feb 10, 2012 | Hacktivism |
| Symantec | Feb 8, 2012 | Extortion |
| Zappos | Jan 15, 2012 | Cybercrime |
| Danish Government | Aug 22, 2011 | Government practices |
| Sony PSN | April 19, 2011 | Hacktivism |
| Epsilon | April 1, 2011 | Financial |
| RSA | March 17, 2011 | State-sponsored |

Real Attacks Employ Multiple Techniques
1. Bait the end-user: End-user lured to a dangerous application or website containing malicious content
2. Exploit: Infected content exploits the end-user, often without their knowledge
3. Download Backdoor: Secondary payload is downloaded in the background. Malware installed
4. Establish Back-Channel: Malware establishes outbound connection to the attacker for ongoing control
5. Explore & Steal: Remote attacker has control inside the network and escalates the attack

The Gaps in Traditional Antivirus Protection
- Targeted and custom malware
- Polymorphic malware
- Newly released malware
- Highly variable time to protection
Modern malware is increasingly able to:
- Avoid falling into traditional AV honey-pots
- Evolve before protection can be delivered
(Note: WildFire finds 200 – 400 unique new malware samples undetectable by leading antivirus software every day.)

Applications Bypassing Port- and Protocol-based Security
- 97% of Exploits Come From Business Not Social Applications
- Applications Leveraging Non-standard Ports, Random Ports, Encryption

All These Challenges! Where do I Start?

Lots and Lots of Security Tools! Yea!! (Or Boo?)
Tools for Servers, Tools for End Points, Tools for Networks, Tools for Tools
Firewall, Fuzzers, Anti-Virus, Anti-Malware, NIPS, HIPS, MDM, DLP, WAF, SIEM, Authentication, Encryption, Sniffers, Forensics, Packet Crafters, Port Scanners, Rootkit Detectors, Vulnerability Scanners, Web Proxies, Wireless Security, Etc…

All These Solutions! Where do I Start?

There is a good place to start…
The Network is the Common Denominator
We should start here!
[Diagram labels: Applications, Users, Devices, DATA]

Requirements for Security in a Brave New World
1. See All Traffic – reduce or eliminate blind spots
2. Safe Application Enablement
   - Identify Applications by deep inspection, not by port filtering
   - Control Application Use by User/group-based Policies
   - Inspect that traffic which you allow - protect against known and unknown threats
3. Segment all parts of the network
4. Be nimble - Address the moving parts
   - Tie security policies to VM Orchestration – VM creation / movement
   - Give mobile users controlled access
   - Rapidly deploy protections against new threats

Reducing the Scope of Attack – App Control
» The ever-expanding universe of applications, services and threats
» Traffic limited to approved business use cases based on App and User
» Attack surface reduced by orders of magnitude
» Port, protocol Agnostic
» Complete threat library with no blind spots
  - Bi-directional inspection
  - Scans inside of SSL
  - Scans inside compressed files
  - Scans inside proxies and tunnels
  - Scans unknown files
Only allow the apps you need
Clean the allowed traffic of all threats in a single pass

Identify Unknowns
1. Known Traffic is controlled using positive enforcement
   - Allow the good, block everything else
   - Positive control reduces endless Whack-a-Mole of finding/stopping unwanted apps
2. Identify Unknown Applications
   - Anything non-compliant or custom should be known and approved
   - When the vast majority of traffic is identified, the unknowns become manageable
3. Unknown traffic is common – every network has some
   - New publicly available commercial applications
   - Internally developed, custom applications
   - Rogue or malicious applications (malware)
4. Unknowns are manageable
   - Investigate unknowns
   - Aggressively control or block remaining unknown traffic

Identify All Users
- Do NOT Trust, always verify all access
- Base security policy on users and their roles, not IP addresses.
- For groups of users, tie access to specific groups of applications
- Limit the amount of exfiltration via network segmentation
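
A minimal sketch of the positive-enforcement model from the two slides above (allow approved applications per user group, block everything else, queue the unknowns for investigation), added here as an illustration and not taken from the presentation or any Palo Alto Networks product. The user names, group names, application labels and flows are constructed, and the application label is assumed to come from an upstream traffic classifier.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    user: str      # identity mapped to the session; "" when no user could be identified
    src_ip: str
    app: str       # label assumed to come from a traffic classifier; "unknown" if unidentified
    dst_port: int  # recorded for triage only; never used to make the decision


# Constructed directory data and allow-list (hypothetical names).
GROUPS = {"alice": "finance", "bob": "engineering"}
ALLOW = {
    "finance": {"erp-web", "email"},
    "engineering": {"git", "ssh", "email"},
}


def decide(flow):
    """Positive enforcement: allow only (group, application) pairs on the list."""
    group = GROUPS.get(flow.user)
    if group is None:
        return "deny", "unidentified user"
    if flow.app == "unknown":
        return "deny", "unknown application"
    if flow.app in ALLOW.get(group, set()):
        return "allow", f"{group} may use {flow.app}"
    return "deny", "application not approved for group"


def unknowns_to_investigate(flows):
    """Count unknown-application flows per (source, port), noisiest first."""
    counts = Counter((f.src_ip, f.dst_port) for f in flows if f.app == "unknown")
    return counts.most_common()


# Constructed sample flows. Port 443 appears with three different outcomes,
# which is the point of deciding on application and user rather than port.
FLOWS = [
    Flow("alice", "10.0.1.5", "erp-web", 443),
    Flow("alice", "10.0.1.5", "ssh", 443),
    Flow("bob", "10.0.2.9", "ssh", 443),
    Flow("bob", "10.0.2.9", "unknown", 8443),
    Flow("bob", "10.0.2.9", "unknown", 8443),
    Flow("", "10.0.3.7", "email", 25),
    Flow("alice", "10.0.1.5", "unknown", 53),
]

if __name__ == "__main__":
    for f in FLOWS:
        print(f, "->", decide(f))
    print("triage queue:", unknowns_to_investigate(FLOWS))
```
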

Scan All Content
Full Visibility of Traffic
- Equal analysis of all traffic across all ports (no assumptions)
- Control the applications that attackers use to hide
- Decrypt, decompress and decode
Control the full attack lifecycle
- Exploits, malware, and malicious traffic
- Maintain context across disciplines
- Maintain predictable performance
Expect the Unknown
- Detect and stop unknown malware
- Automatically manage unknown or anomalous traffic
If it's unknown, how can I stop it?

Behavioral Analysis of Potential Malware
[Diagram labels: Malware Analysis; Potentially malicious files from Internet; Protection delivered to all customer firewalls]
- Unknown files are forwarded for deeper analysis
- Sandbox-based analysis that finds malware based on behaviors
- Generates detailed forensics report
- Creates malware and C&C signatures

Daily Coverage of Top AV Vendors
[Chart: Daily AV Coverage Rates for Newly Released Malware (50 Samples). Axes: Malware Sample Count; New Malware Coverage Rate by Top 5 AV Vendors]

Network Segmentation – A Great Best Practice
- Implement security zones in your network
- For each zone, group systems by risk and desired control point:
  - Systems that share similar risk factors
  - Systems that share security classifications
- Communication between zones is only via the firewall
- Every zone should be restricted by:
  - User
  - Applications
- All content is scanned
- Integrated reporting, logging for auditing purposes
Zero Trust Model (Forrester Research)
- Ensure all resources are accessed in a secure manner
- Access control is strictly enforced (Verify and never trust)
- Inspect and log all traffic
[Diagram labels: FW, IPS, CF, AC, Crypto, AM]

Control Users and Their Devices with The Network
- Consistent policy: App policy, Data filtering, URL filtering
- Protect device & traffic: Malware detection, Vulnerability protection
- Managed/Monitored devices
- Ensure device is OK: Security Settings, Passcode, Encryption, State, Jailbroken, Actions, Lock/Wipe
- Always on VPN
- MDM

Physical and Virtual (where to do what to reduce latency)
Flexible Deployments to Protect East-West Traffic
[Diagram labels: Inter-host Segmentation, Intra-host Segmentation, Physical Servers, Virtualized servers, HA Physical Firewalls, Virtualized Firewalls, Security, Network, Application, Orchestration systems]

Why It Has to Be a Next-Generation Firewall?
- Only next-generation firewalls can safely enable applications and understand:
  - Applications
  - Users
  - Content
- Designed from the ground up to tackle threat protection without performance impact
- Addresses emerging challenges including virtualization and cloud
[Diagram labels: Applications, Users, Devices, DATA, Next-Generation Firewalls]
