Breaking the Lifecycle of the Modern Threat
Santiago Polo, Sr. Systems Engineer, Palo Alto Networks, Inc.


About Palo Alto Networks
Palo Alto Networks is the Network Security Company
World-class team with strong security and networking experience
- Founded in 2005, first customer July
- Top-tier investors
Builds next-generation firewalls that identify / control applications
- Restores the firewall as the core of the enterprise network security infrastructure
- Innovations: App-ID™, User-ID™, Content-ID™
Global footprint: 6,000+ customers in 70+ countries, 24/7 support

What Has Changed / What is the Same
The attacker changed
- Nation-states
- Criminal organizations
- Political groups
Attack strategy evolved
- Patient, multi-step process
- Compromise user, then expand
Attack techniques evolved
- New ways of delivering malware
- Hiding malware communications
- Signature avoidance
The Sky is Not Falling
- Not new, just more common
- Solutions exist
- Don’t fall into “the APT ate my homework” trap

Strategy: Patient Multi-Step Intrusions
(Slide diagram: Organized Attackers act against The Enterprise through the stages Infection, Command and Control, Escalation, Exfiltration)

Challenges to Traditional Security
Threats coordinate multiple techniques, while security is segmented into silos
- Exploits, malware, spyware, obfuscation are all part of a patient, multi-step intrusion
Threats take advantage of security blind spots to keep from being seen
- Patient attacks must repeatedly cross the perimeter without being detected
Targeted and custom malware can bypass traditional signatures
- The leading edge of an attack is increasingly malware that has never been seen before

Regaining Control Over Modern Threats
© 2011 Palo Alto Networks. Proprietary and Confidential.
New Requirements for Threat Prevention
1. Full Visibility - all traffic regardless of port, protocol, evasive tactic or SSL
2. Stop all known network threats - (IPS, Anti-malware, URL, etc.) while maintaining multi-gigabit performance
3. Find and stop new and unknown threats - even without a pre-existing signature
(Slide graphic listing threat types: Vulnerabilities, Malware, Dangerous URLs, Malware Sites, SQL Injection, Cross-Site Scripting, Denial of Service, Botnets, Key Loggers, Fast Flux)

Visibility
Visibility is Fundamental
- You can’t stop what you can’t see
- Virtually all threats other than DoS depend on avoiding security
Full Stack Inspection of All Traffic
- All traffic, on all ports, all the time
- Progressive decoding of traffic to find hidden, tunneled streams
- Contextual decryption of SSL
Control the Applications That Hide Traffic
- Limit traffic to approved proxies, remote desktop applications
- Block bad applications like encrypted tunnels, circumventors

Control the Methods Threats Use to Hide
- Encrypted Traffic: SSL is the new standard
- Proxies: Reverse proxies are hacker favorites
- Remote Desktop: Increasingly standard
- Compressed Content: ZIP files, compressed HTTP
- Encrypted Tunnels: Hamachi, Ultrasurf, Tor (purpose-built to avoid security)
(Slide diagram: Encryption (e.g. SSL), Compression (e.g. GZIP), Proxies (e.g. CGIProxy), Circumventors and Tunnels, all feeding Outbound C&C Traffic)
If you can’t see it, you can’t stop it
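The "compressed content" and "progressive decoding" points above describe looking through nested encodings rather than stopping at the outer layer. The Python below is an added example and not Palo Alto Networks code: it unwraps a constructed HTTP body (gzip around a ZIP around a fake MZ header) layer by layer, bounds recursion depth and inflated size so a decompression bomb cannot exhaust the inspector, and reports where an executable was found. The sample bytes, the size and depth limits, and the entry names are constructed for illustration.

```python
import gzip
import io
import zipfile

MAX_DEPTH = 8                    # assumed limit on container nesting
MAX_OUTPUT = 16 * 1024 * 1024    # assumed limit on bytes inflated per layer


def classify(data):
    """Cheap magic-number classification of a byte blob."""
    if data[:2] == b"MZ":
        return "pe"
    if data[:4] == b"\x7fELF":
        return "elf"
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    if data[:4] in (b"PK\x03\x04", b"PK\x05\x06"):
        return "zip"
    return "other"


def unwrap(data, path="body", depth=0, findings=None):
    """Recursively decode gzip and ZIP containers; return (path, kind) for each
    leaf object, or a limit marker where decoding was deliberately stopped."""
    if findings is None:
        findings = []
    if depth > MAX_DEPTH:
        findings.append((path, "depth-limit"))
        return findings
    kind = classify(data)
    if kind == "gzip":
        with gzip.GzipFile(fileobj=io.BytesIO(data)) as gz:
            inner = gz.read(MAX_OUTPUT + 1)      # read one byte past the cap
        if len(inner) > MAX_OUTPUT:
            findings.append((path, "oversize"))
            return findings
        return unwrap(inner, path + "/gzip", depth + 1, findings)
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                entry = f"{path}/zip:{info.filename}"
                if info.file_size > MAX_OUTPUT:   # declared size checked before inflating
                    findings.append((entry, "oversize"))
                    continue
                unwrap(zf.read(info), entry, depth + 1, findings)
        return findings
    findings.append((path, kind))
    return findings


def executables_in(data):
    """Paths of executables found at any nesting level."""
    return [p for p, k in unwrap(data) if k in ("pe", "elf")]


def build_sample():
    """Constructed body: a fake PE stub inside a ZIP inside gzip (Content-Encoding: gzip)."""
    fake_pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 100   # not a real executable
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.pdf.exe", fake_pe)
        zf.writestr("readme.txt", b"shipping notification")
    return gzip.compress(zbuf.getvalue())


def build_nested_gzip(levels):
    """Constructed pathological input: gzip wrapped around itself `levels` times."""
    data = b"payload"
    for _ in range(levels):
        data = gzip.compress(data)
    return data


if __name__ == "__main__":
    for p in executables_in(build_sample()):
        print("executable found at", p)
    print(unwrap(build_nested_gzip(12)))
```

The decoder classifies by magic bytes rather than by file extension or HTTP headers, which is the property the slide relies on: an attacker controls the declared name and content type, not the bytes the decoder sees after each layer is removed.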

Block the Applications That Hide Traffic
Block Unneeded and High-Risk Applications
- Block (or limit) peer-to-peer applications
- Block unneeded applications that can tunnel other applications
- Review the need for applications known to be used by malware
- Block anonymizers such as Tor
- Block encrypted tunnel applications such as UltraSurf
- Limit use to approved proxies
- Limit use of remote desktop

Control Known Threats
Modern attacks are patient and use multiple techniques
- Threats are more than exploits
- Malware
- Dangerous URLs
- Spyware
- Command and Control Traffic
- Circumvention Techniques
Context is Key
- Clear visibility into all URLs, users, applications and files connected to a particular threat

“Okay, but what about unknown and targeted malware?”

The Malware Window of Opportunity
(Slide timeline)
- Time required to capture 1st sample of malware in the wild
- Time required to create and verify malware signature
- Time before antivirus definitions are updated
- Total Time Exposed: days and weeks until users are protected by traditional signatures

Attackers Target the Window of Opportunity
(Slide diagram: Refreshed Malware, Malware Construction Kits, Targeted Attacks)

Controlling Unknown Malware Using the Next-Generation Firewall
Introducing WildFire
- New feature of the Palo Alto Networks NGFW
- Captures unknown inbound files and analyzes them for 70+ malicious behaviors
- Analysis performed in a cloud-based, virtual sandbox
Automatically generates signatures for identified malware
- Infecting files and command-and-control
- Distributes signatures to all firewalls via regular threat updates
Provides forensics and insight into malware behavior
- Actions on the target machine
- Applications, users and URLs involved with the malware

Daily Coverage of Top AV Vendors
(Chart; based on data collected in January 2012)

Case Study - Password Stealing Botnets

Malware Analysis

Case Study - Enterprise Phishing
Shipping and Security are common topics for enterprise phishing
- Fake DHL, USPS, UPS and FedEx delivery messages
- Fake CERT notifications
Ongoing Phishing Operations
- Large volumes of malware – commonly in the top 3 of daily unknown malware seen in enterprises
- Correlate new malware talking back to the same malware servers
- Refreshed daily to avoid traditional AV signatures
(Lure names shown on the slide: USPS Report, DHL-international-shipping-ID, DHL-international-shipping-notification, DHL-Express-Notification-JAN, United-Parcel-Service-Invoice, US-CERT Operations Center Report, USPS-Failed-Delivery_Notification)
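The case study's point about correlating new malware that talks back to the same servers can be shown as a small clustering step. The Python below is an added example, not WildFire or any vendor code: it takes constructed sandbox verdicts (placeholder hashes, hostnames under .example, lure filenames modelled on the ones listed above) and links samples that share command-and-control hosts with a union-find, so a daily re-packed lure with a new hash still lands in the existing campaign, and the reused hosts surface as candidates for blocking.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Verdict:
    """One sandbox verdict for a previously unknown file (constructed data)."""
    sha256: str          # placeholder hash, not a real IoC
    filename: str        # lure name as seen in the phishing e-mail
    first_seen: str      # ISO date the sample first appeared
    c2_hosts: frozenset  # hosts the sample contacted during analysis


# Constructed verdicts: hashes are placeholders and hostnames use .example.
VERDICTS = [
    Verdict("a1" * 32, "DHL-international-shipping-ID.exe", "2012-01-09",
            frozenset({"c2-one.example", "c2-two.example"})),
    Verdict("b2" * 32, "DHL-Express-Notification-JAN.exe", "2012-01-10",
            frozenset({"c2-two.example"})),
    Verdict("c3" * 32, "USPS-Failed-Delivery_Notification.exe", "2012-01-10",
            frozenset({"c2-three.example"})),
    Verdict("d4" * 32, "United-Parcel-Service-Invoice.exe", "2012-01-11",
            frozenset({"c2-one.example", "c2-four.example"})),
    Verdict("e5" * 32, "US-CERT-Operations-Center-Report.exe", "2012-01-11",
            frozenset({"lone.example"})),
]


def cluster_by_c2(verdicts):
    """Group samples that share at least one C2 host (transitively) using union-find."""
    parent = {v.sha256: v.sha256 for v in verdicts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving keeps lookups short
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_sample_for_host = {}
    for v in verdicts:
        for host in v.c2_hosts:
            if host in first_sample_for_host:
                union(first_sample_for_host[host], v.sha256)
            else:
                first_sample_for_host[host] = v.sha256

    groups = defaultdict(list)
    for v in verdicts:
        groups[find(v.sha256)].append(v)
    return list(groups.values())


def campaign_summary(group):
    """Describe one cluster: how many refreshes, which infrastructure, how many days active."""
    hosts = set()
    for v in group:
        hosts |= v.c2_hosts
    return {
        "samples": len(group),
        "hosts": sorted(hosts),
        "days_active": len({v.first_seen for v in group}),
        "lures": sorted(v.filename for v in group),
    }


def shared_infrastructure(verdicts, min_samples=2):
    """C2 hosts contacted by at least min_samples distinct samples: blocking these
    also covers future refreshes whose hashes have not been seen yet."""
    samples_per_host = defaultdict(set)
    for v in verdicts:
        for host in v.c2_hosts:
            samples_per_host[host].add(v.sha256)
    return {h for h, s in samples_per_host.items() if len(s) >= min_samples}


def links_to_known_campaign(new, known):
    """True if a fresh sample reuses infrastructure already seen in known verdicts."""
    return any(new.c2_hosts & v.c2_hosts for v in known)


if __name__ == "__main__":
    for group in cluster_by_c2(VERDICTS):
        print(campaign_summary(group))
    print("block candidates:", sorted(shared_infrastructure(VERDICTS)))
```

Keying on infrastructure rather than on file hashes is what makes the daily refresh visible: in the constructed data the three DHL/UPS lures have unrelated hashes but collapse into one campaign spanning three days, while the sample that contacts only its own host stays alone.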

Trusted Sources
CNET/Download.com
- Strong reputation for providing safe downloads of shareware and freeware that are verified to be malware free
- In early December 2011 WildFire began identifying files from Download.com as containing spyware
- CNET had begun providing software downloads in a wrapper that installed subtle spyware designed to track shopping habits
- Changed a variety of client and browser security settings

An Integrated Approach to Threat Prevention
(Slide table, columns reconstructed from left to right along an arrow labelled Decreasing Risk)
Applications
- All traffic, all ports, all the time
- Application signatures
- Heuristics
- Decryption
- Reduce the attack surface
- Remove the ability to hide
Exploits & Malware
- Prevents known threats
- Exploits, malware, C&C traffic
- Block threats on all ports
- NSS Labs Recommended IPS
- Millions of malware samples
Dangerous URLs
- Malware hosting URLs
- Newly registered domains
- SSL decryption of high-risk sites
- Block known sources of threats
- Be wary of unclassified and new domains
Unknown & Targeted Threats
- WildFire control of unknown and targeted malware
- Unknown traffic analysis
- Anomalous network behaviors
- Pinpoints live infections and targeted attacks

Roundtable Discussion