PALO ALTO presentation used during the SWITCHPOINT NV/SA Quarterly Experience Day on 7th June 2016.

PALO ALTO NETWORKS NEXT-GENERATION SECURITY PLATFORM


Palo Alto Networks at-a-glance

2 | © 2015,Palo Alto Networks. Confidential and Proprietary.

CORPORATE HIGHLIGHTS

• Founded in 2005; first customer shipment in 2007

• Safely enabling applications and preventing cyber threats

• Able to address all enterprise cybersecurity needs

• Exceptional ability to support global customers

• Experienced team of 3,600+ employees

• Q3 FY16: $345.8M revenue

(Chart) REVENUES, $MM: FY09 13; FY10 49; FY11 119; FY12 255; FY13 396; FY14 598; FY15 928

(Chart) ENTERPRISE CUSTOMERS: Jul/11 4,700; Jul/12 9,000; Jul/13 13,500; Jul/14 19,000; Jul/15 26,000

What’s changed?


THE EVOLUTION OF THE ATTACKER

Asked for the weak spot in their organization's cybersecurity, 47% of Belgian IT decision makers point to attacks that evolve faster than their security.

Innovation on the other side

(Chart) Organizational risk rises as attackers move beyond known threats to:

• Zero-Day Exploits/Vulnerabilities

• Unknown & Polymorphic Malware

• Evasive Command-and-Control

• Lateral Movement

• Changing Application Environment

• SSL Encryption

• Mobile Threats

THE EVOLUTION OF THE ATTACK

Evasive Command and Control

WEKBY Attacks use DNS requests


The following commands, and their descriptions, are supported by the malware:

• sifo – Collect victim system information

• drive – List drives on victim machine

• list – List file information for provided directory

• upload – Upload a file to the victim machine

• open – Spawn a command shell
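The slides above only say that the Wekby attacks carry command and control over DNS requests. The detector below is an added example written for this transcript, not code from the deck or from Palo Alto Networks, and it assumes a C2 channel that encodes data in a long leftmost label and asks for TXT records (an assumption for the example, not a description of the real malware). It scores constructed DNS query log lines per registered domain on label length, label entropy, share of TXT queries and share of never-repeated subdomains, which is how DNS tunnelling usually stands out from ordinary lookups. The log lines, thresholds and the "last two labels = registered domain" rule are all assumptions.

```python
import math
from collections import defaultdict

# Constructed DNS query log (not real Wekby/pisloader traffic): "<epoch> <client> <qtype> <qname>".
# The c2.example.net queries mimic a channel that carries data in a long encoded leftmost
# label and asks for TXT records; the rest are ordinary lookups.
SAMPLE_LOG = """\
1465300000 10.0.0.5 A www.example.com
1465300001 10.0.0.5 TXT mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi.c2.example.net
1465300002 10.0.0.7 A mail.example.com
1465300003 10.0.0.5 TXT nbswy3dpfqqho33snrscc.c2.example.net
1465300004 10.0.0.5 TXT onswg2lomvwg22lof2qq.c2.example.net
1465300005 10.0.0.9 AAAA cdn.example.org
1465300006 10.0.0.5 TXT krugkidrovuwg2zamjzg653oebtg66banjyw.c2.example.net
1465300007 10.0.0.7 A www.example.com
1465300008 10.0.0.5 TXT mfzgcytenf2tenrscdsz.c2.example.net
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded payloads score far above labels like 'www'."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str, suffix_labels: int = 2):
    """Split a query name into (registered domain, subdomain). Treating the last two labels
    as the registered domain is a simplification for this example; production code should
    consult the Public Suffix List (co.uk and friends break this rule)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-suffix_labels:]), ".".join(labels[:-suffix_labels])


def parse_log(text: str):
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        ts, client, qtype, qname = parts
        records.append((int(ts), client, qtype.upper(), qname))
    return records


def score_domains(records, min_queries: int = 3):
    """Per registered domain: average length and entropy of the leftmost label, share of TXT
    queries, and share of never-repeated subdomains (tunnels rarely reuse a label)."""
    acc = defaultdict(lambda: {"n": 0, "subs": set(), "txt": 0, "len": 0, "ent": 0.0})
    for _ts, _client, qtype, qname in records:
        parent, sub = split_name(qname)
        first = sub.split(".")[0] if sub else ""
        a = acc[parent]
        a["n"] += 1
        a["subs"].add(sub)
        a["txt"] += qtype == "TXT"
        a["len"] += len(first)
        a["ent"] += shannon_entropy(first)
    scores = {}
    for parent, a in acc.items():
        n = a["n"]
        if n < min_queries:
            continue  # too little data to judge
        scores[parent] = {
            "queries": n,
            "avg_label_len": a["len"] / n,
            "avg_entropy": a["ent"] / n,
            "unique_ratio": len(a["subs"]) / n,
            "txt_ratio": a["txt"] / n,
        }
    return scores


# Thresholds are illustrative starting points, not vendor values; tune them against your own baseline.
def suspicious_domains(records, min_queries: int = 3, min_len: float = 18.0,
                       min_entropy: float = 3.0, min_unique: float = 0.8, min_txt: float = 0.5):
    flagged = []
    for parent, m in score_domains(records, min_queries).items():
        if (m["avg_label_len"] >= min_len and m["avg_entropy"] >= min_entropy
                and m["unique_ratio"] >= min_unique and m["txt_ratio"] >= min_txt):
            flagged.append(parent)
    return sorted(flagged)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for dom, m in score_domains(recs).items():
        print(dom, {k: round(v, 2) for k, v in m.items()})
    print("suspicious:", suspicious_domains(recs))
```

On the constructed log only example.net is flagged; example.com has enough queries to be scored but its short, repeated labels (www, mail) keep it well under every threshold, and example.org is seen too rarely to judge. In practice the TXT ratio should be one signal among several, since a channel can equally well use A or NULL records, and the query rate per client is worth adding as a further feature.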

Evasive Command and Control

Twitter Based Command Channel

Lateral Movement

Hacking Team

Hacking Team POC’s

Invisibility test

Invisibility test - MacOS (Yosemite) + AVG (silent installer): during the infection everything was good; a problem occurred just after we configured the MacOS' mail client in order to let the agent retrieve the emails: just a few seconds after that configuration, an AVG popup warned about a trojan detection. I closed the popup in time while the customer was attending Serge's explanation of the received evidences, so the customer didn't see. The emails were correctly retrieved by the agent, but we didn't have a chance to check what was the object of the detection (our trojan or what else);

https://wikileaks.org/hackingteam/emails/emailid/19213

Lateral Movement

Hacking Team

http://pastebin.com/raw/0SNSvyjJ


Zero Day Exploits

It is known as a "zero-day" because once the vulnerability becomes known, the software's author has zero days in which to plan and advise any mitigation against its exploitation (for example, by advising workarounds or by issuing patches).

Patching is Often Insufficient to Protect Endpoints


Example: Hacking Team Adobe Flash Zero-Day Exploits

Average duration of a zero-day attack before the vulnerability is publicly disclosed: 312 days*

*Source: Bilge & Dumitraș, "Before We Knew It" (2012), https://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf

0-day Market

0-day Brokers

High-end exploit broker "the Grugq" at a Bangkok bar. The bag of cash at his feet is for one of his exploit developers. (Photo credit: Christopher Wise/Redux)

The Grugq -- who takes a 15% commission on deals -- said that six-figure deals are common, and that he won't touch a vulnerability worth less than $50,000.

Zero Days

You don’t need 0days when there are 1000 days in the network

In an unprecedented talk on Thursday at the USENIX Enigma security conference in San Francisco, Rob Joyce, chief of NSA's Tailored Access Operations (TAO), downplayed the importance of zero-days and the degree to which nation-state hackers like those in his unit depend on them.

“I will tell you that persistence and focus will get you in, will achieve that exploitation without the zero-days,” he continued. “There's so many more vectors that are easier, less risky and quite often more productive than going down that route.”

Unknown & Polymorphic Malware


Changing Application Environment

SaaS


MALWARE PROPAGATION


Share all files publicly!

MALICIOUS DATA EXFILTRATION

SSL Encryption

HTTPS Everywhere

These are only normal websites over SSL!

SSL Encryption

Easy to hide

Dridex activity included SSL traffic to various IP addresses, mostly with example.com SSL certificates. I also noted an SSL certificate for example.net as shown below:

Mobile Threats

Android Trojan “Xbot” Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom

Failure of legacy security architectures

(Diagram) Internet → Enterprise Network, protected by point products from Vendor 1 through Vendor 4: Anti-APT for port 80 APTs, Anti-APT for port 25 APTs, Anti-APT cloud, Network AV, Endpoint AV, DNS protection cloud, DNS protection for outbound DNS and UTM/Blades, with a separate Malware Intelligence feed on the Internet connection. Each product raises its own stream of alerts (Web Alert, SMTP Alert, DNS Alert, AV Alert, Endpoint Alert) that is never tied to the others.

Limited visibility. Manual response. Lacks correlation.
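The legacy-architecture slide's complaint is that each point product raises its own alert and nothing correlates them. As an added example (not code from the deck or from any vendor named on it), the correlator below takes constructed alerts from hypothetical SMTP, web, DNS, AV and endpoint products, groups alerts on the same host that fall within a time window into one incident, and ranks incidents by how many distinct attack-lifecycle stages they span, so four medium alerts on one host outrank a lone AV hit elsewhere. The alert texts, the source-to-stage mapping and the ten-minute window are assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    ts: int       # epoch seconds
    source: str   # which point product raised it
    host: str     # affected internal host
    detail: str


# Constructed alerts from hypothetical point products; not real vendor output.
ALERTS = [
    Alert(1465300000, "smtp", "10.0.0.5", "attachment invoice.doc flagged by sandbox"),
    Alert(1465300090, "endpoint", "10.0.0.5", "winword.exe spawned powershell.exe"),
    Alert(1465300150, "dns", "10.0.0.5", "TXT queries to c2.example.net"),
    Alert(1465300200, "web", "10.0.0.5", "download of payload.exe from example.org"),
    Alert(1465303700, "av", "10.0.0.7", "quarantined adware"),
    Alert(1465303800, "web", "10.0.0.9", "blocked URL category gambling"),
    Alert(1465309000, "dns", "10.0.0.5", "TXT queries to c2.example.net"),
]

# Rough mapping from alert source to attack-lifecycle stage. This is an assumption for the
# example, loosely following the lifecycle used later in the deck.
STAGE = {
    "smtp": "delivery",
    "web": "delivery",
    "endpoint": "exploitation",
    "av": "installation",
    "dns": "command-and-control",
}


def correlate(alerts, window=600):
    """Group alerts per host into incidents: an alert joins the current incident for its
    host when it arrives within `window` seconds of the previous alert on that host."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a.ts):
        by_host[a.host].append(a)
    incidents = []
    for host_alerts in by_host.values():
        current = [host_alerts[0]]
        for a in host_alerts[1:]:
            if a.ts - current[-1].ts <= window:
                current.append(a)
            else:
                incidents.append(current)
                current = [a]
        incidents.append(current)
    return incidents


def summarize(incident):
    """Collapse one incident into the fields an analyst triages on. Severity here is simply
    the number of distinct lifecycle stages observed; a real scheme would weight them."""
    sources = sorted({a.source for a in incident})
    stages = sorted({STAGE.get(a.source, "unknown") for a in incident})
    return {
        "host": incident[0].host,
        "start": incident[0].ts,
        "end": incident[-1].ts,
        "sources": sources,
        "stages": stages,
        "alerts": len(incident),
        "severity": len(stages),
    }


def prioritized(alerts, window=600):
    """Incidents ordered by distinct lifecycle stages spanned (highest first), then by start time."""
    summaries = (summarize(i) for i in correlate(alerts, window))
    return sorted(summaries, key=lambda s: (-s["severity"], s["start"]))


if __name__ == "__main__":
    for inc in prioritized(ALERTS):
        print(inc["host"], inc["severity"], inc["sources"], inc["stages"])
```

With the constructed data the four alerts on 10.0.0.5 collapse into one incident spanning delivery, exploitation and command-and-control, which sorts to the top; the later DNS alert on the same host falls outside the window and becomes a separate, low-priority incident, as do the single alerts on the other two hosts. The window is the main knob: too short and a slow intrusion fragments into noise, too long and unrelated events on a busy host merge.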

IT IS TIME TO TURN THE PAGE

Requirements for the future

DETECT AND PREVENT THREATS AT EVERY POINT ACROSS THE ORGANIZATION

• At the internet edge

• Between employees and devices within the LAN

• At the data center edge, and between VMs

• At the mobile device

• Within private, public and hybrid clouds

Delivering the next-generation security platform


The Next Generation Firewall Foundations

• App-ID™ – Identify the application

• User-ID™ – Identify the user

• Content-ID™ – Scan the content

Single Pass Parallel Processing Architecture

KISS

(Diagram) Policy decision → Firewall with App-ID: “Allow Salesforce” → Allow Salesforce

This IS Safe Application Enablement

Translate a Policy into a Policy
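The point of the App-ID/User-ID/Content-ID slides is that a rule written as "Allow Salesforce" should be enforced as exactly that, not translated into "allow TCP/443". The model below is an added example for this transcript, not code from the deck or a description of how the vendor's firewall is implemented. It evaluates constructed sessions two ways: a port-based rule that admits anything on 80/443, and an application-and-user rule set with an implicit deny that also honours a content-scan verdict. The application labels (salesforce, web-browsing, unknown-tcp), user groups and verdict strings are assumptions standing in for what the three identification steps would produce.

```python
from dataclasses import dataclass


@dataclass
class Session:
    src_user: str
    user_group: str              # what a user-to-group lookup returns (assumed label)
    dst_port: int
    app: str                     # what application identification returns (assumed label)
    content_verdict: str = "clean"  # result of scanning the payload (assumed label)


def legacy_port_policy(s: Session) -> str:
    """Legacy rule: anything to TCP/80 or TCP/443 is 'web' and allowed, regardless of
    what actually rides on the port or who is sending it."""
    return "allow" if s.dst_port in (80, 443) else "deny"


@dataclass
class AppRule:
    name: str
    apps: frozenset
    groups: frozenset   # "any" matches every group
    action: str
    scan: bool = True   # allowed traffic is still handed to content inspection


# Constructed rule base for the example; "Allow Salesforce" is the rule from the slide.
APP_RULES = [
    AppRule("Allow Salesforce", frozenset({"salesforce"}), frozenset({"sales", "support"}), "allow"),
    AppRule("Allow web browsing", frozenset({"web-browsing"}), frozenset({"any"}), "allow"),
]


def app_policy(s: Session, rules=APP_RULES) -> str:
    """First-match evaluation on identified application and user group, not on port.
    Traffic matching no rule hits the implicit deny; traffic an allow rule admits is
    still blocked when the content scan says it is not clean."""
    for r in rules:
        if s.app in r.apps and ("any" in r.groups or s.user_group in r.groups):
            if r.action == "allow" and r.scan and s.content_verdict != "clean":
                return "deny"  # allowed application, but the content failed inspection
            return r.action
    return "deny"  # implicit deny: unidentified or unapproved application


# Constructed sessions covering the cases where the two models disagree.
SESSIONS = [
    Session("alice", "sales", 443, "salesforce"),                       # intended use
    Session("bob", "engineering", 443, "salesforce"),                   # wrong group
    Session("mallory", "sales", 443, "unknown-tcp"),                    # unidentified traffic on 443
    Session("dave", "support", 443, "salesforce", content_verdict="malware"),  # bad content
    Session("carol", "support", 8443, "salesforce"),                    # right app, odd port
    Session("erin", "engineering", 80, "web-browsing"),                 # plain browsing
]


def compare(sessions):
    """Return (user, app, legacy verdict, app-aware verdict) for each session."""
    return [(s.src_user, s.app, legacy_port_policy(s), app_policy(s)) for s in sessions]


if __name__ == "__main__":
    for row in compare(SESSIONS):
        print(*row)
```

The interesting rows are the disagreements: the port rule lets bob, mallory and dave through because they all use 443, and it blocks carol although she is doing exactly what the policy intends, just on a non-standard port. The application rule gets all four right because the decision is keyed on what the traffic is and who is sending it, with the content verdict as a final gate. Rule order matters in first-match evaluation, so broad rules such as "Allow web browsing" belong below the specific ones.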

WildFire: Protecting Against The Unknown

Protections developed with in-line enforcement across the attack lifecycle.

Intelligence correlated across: Web, Email, FTP, SMTP, SMB and 3rd party data, at the perimeter, in the data center and on the endpoint.

Detect unknown:

• Malware

• Exploits

• Command-and-control

• DNS queries

• Malware URLs

Covers all traffic (including SSL encryption), all ports and all commonly exploited file types.

(Diagram) WildFire feeds Threat Prevention and URL Filtering.

Sandboxing The Unknown

But what about the Endpoint?

(Diagram: exploit chain) Authorized Application → Heap Spray → ROP → Utilizing OS Function → Begin Malicious Activity

Vendor Patches vs. Vulnerabilities

Malicious activity once the exploit succeeds:

• Download malware

• Steal critical data

• Encrypt hard drive

• Destroy data

• More…

Traps Blocks Exploit Techniques

(Diagram) Authorized Application → Heap Spray → blocked by Traps EPM → No Malicious Activity

Traps

Delivering continuous innovation

GlobalProtect

WildFire

AutoFocus

Aperture

Threat Prevention

URL Filtering


The Prevention Opportunity in the attack lifecycle

1 Exploit infiltration

2 Vulnerability exploit

3 Malware download

4 Malware installation

5 Command and control

6 Lateral movement

7 East-West

8 Data exfiltration

Why Palo Alto Networks?

(Word cloud) Prevention, Zero-Day, Reduce Risk, Policy, Visibility, Remediation, Detection, Endpoint, Data Center, Mobility, BYOD Management, Vulnerability, Responsive, Exploit, Anti-Malware, Forensics, Automation, Private Cloud, Public Cloud, Performance, Scalability, Platform, Segmentation, Applications, Users, Control, Agile, Perimeter, Integrated, Support, Web Security, Command-&-Control, Virtualization, Ecosystem, Context, Correlation, Services, People, Culture, Safe Enablement, Application