Integrated Approach to Network Security. Lee Klarich Senior Vice President, Product Management March 2013

Transcription

1 Integrated Approach to Network Security Lee Klarich Senior Vice President, Product Management March 2013

2 Real data from actual networks , Palo Alto Networks. Confidential and Proprietary.

3 2008: HTTP, the universal application transport HTTP is 64% of enterprise bandwidth Most HTTP traffic is client/server (54%) Web browsing is 23% Other browser-based applications (23%) many have full-fledged clients All HTTP Applications Browser-based Applications Web Browsing , Palo Alto Networks. Confidential and Proprietary.

4 2009: file sharing usage is rampant Despite risks, P2P file sharing use is common An average of 6 variants per organization 17 in one case Browser-based file sharing usage doubled over 12 month period Rapidly growing segment average of 5 variants, as high as , Palo Alto Networks. Confidential and Proprietary.

5 2010: browser-based sharing grows File sharing trend: Frequency of use and number of applications shifts towards browser-based Use of other file sharing applications (like FTP) remains steady 100% 75% 50% 25% File Sharing Trends Over Time Mar Oct Mar Oct Mar Oct Browser-Based File Sharing Peer-to-peer File Sharing FTP All Other Applications 998 TB , Palo Alto Networks. Confidential and Proprietary. Bandwidth Consumption Comparison Other Filesharing 49 TB Browser-based Filesharing 22 TB Other P2P Filesharing 48 TB Xunlei (P2P) 203 TB 80 filesharing applications (23 P2P, 49 BB, 9 other) consuming 323 TB (24%) Xunlei, 5th most popular P2P consumed 203 TB 15% of overall BW Business benefits: easier to move large files, central source of Linux binaries Outbound risks: Data loss is the primary business risk Inbound risks: Mariposa is propagated across P2P (and MSN)

6 2011: rise of hidden applications Hidden application traffic 41% of the applications (433) found can use SSL or hop ports Consuming roughly 36% of overall bandwidth Only 43% use the browser , Palo Alto Networks. Confidential and Proprietary.

7 2012: malware uses applications x x 8.1x 3044 samples (23%) generated unknown traffic or fake HTTP Unknown traffic represents 11% of malware sessions , Palo Alto Networks. Confidential and Proprietary. 0 short h p headers unknown traffic ddns, fas lux domain 10.9x fake h p 2.3x 1.5x 3.0x nonstandard h p port irc on regular port irc on nonstandard port number of sessions number of samples

8 Technology sprawl won t fix the problem More stuff doesn t solve the problem Firewall helpers have limited view of traffic Complex and costly to buy and maintain Doesn t address applications UTM Internet IPS DLP IM AV URL Proxy Enterprise Network , Palo Alto Networks. Confidential and Proprietary.

9 PALO ALTO NETWORKS What s Needed: An Integrated Solution

10 Make the firewall do its job. Network security policy is enforced at the firewall Sees all traffic Defines boundary Enables access Traditional firewalls don t work any more , Palo Alto Networks. Confidential and Proprietary.

11 Core functions of a next-generation firewall 1. Identify applications regardless of port, protocol, evasive tactic or SSL 2. Identify and control users regardless of IP address, location, or device 3. Protect against known and unknown application-borne threats 4. Fine-grained visibility and policy control over application access / functionality 5. Multi-gigabit, low latency, in-line deployment , Palo Alto Networks. Confidential and Proprietary.

12 Making the firewall a business enablement tool Applications: Enablement begins with application classification by App-ID. Users: Tying users and devices, regardless of location, to applications with User-ID and GlobalProtect. Content: Scanning content and protecting against all threats, both known and unknown, with Content-ID and WildFire , Palo Alto Networks. Confidential and Proprietary.

13 Single Pass Platform Architecture , Palo Alto Networks. Confidential and Proprietary.

14 Addressing Modern Malware

15 Malware Sample Count Today: more and more malware goes undetected 100% 90% 80% 70% 60% 50% 40% 30% 5 vendors 4 vendors 3 vendors 2 vendors 1 vendor 0 vendors 20% 10% 0% Day-0 Day-1 Day-2 Day-3 Day-4 Day-5 Day-6 New Malware Coverage Rate by Top 5 AV Vendors , Palo Alto Networks. Confidential and Proprietary.

16 The lifecycle of network attacks Bait the end-user Exploit Download Backdoor Establish Back-Channel Explore & Steal End-user lured to a dangerous application or website containing malicious content Infected content exploits the end-user, often without their knowledge Secondary payload is downloaded in the background. Malware installed Malware establishes an outbound connection to the attacker for ongoing control Remote attacker has control inside the network and escalates the attack , Palo Alto Networks. Confidential and Proprietary.

17 Coordinated Threat Prevention An integrated approach to threat prevention Bait the end-user Exploit Download Backdoor Establish Back-Channel Explore & Steal App-ID Block high-risk apps Block C&C on nonstandard ports URL Block known malware sites Block malware, fastflux domains IPS Spyware AV Block the exploit Block malware Block spyware, C&C traffic Coordinated intelligence to detect and block active attacks based on signatures, sources and behaviors Files Prevent drive-bydownloads WildFire Detect unknown malware Block new C&C traffic , Palo Alto Networks. Confidential and Proprietary.

18 Conclusions From the Lifecycle Attacks are blended and patient Exploits, malware and traffic Long-term time scale Malware is the strategic enabler Provides a persistent point of control inside the target network Malware enables evasion When both ends of a connection are malicious, new evasions become available. Encryption, strange ports, tunneling, polymorphic malware, etc. Exploits Exploits are delivered over the network Encryp on, fragmenta on Malware Malware is delivered over the network Re-encoded and targeted malware Spyware, C&C Malware communicates over the network Proxies, tunneling, encryp on, custom traffic , Palo Alto Networks. Confidential and Proprietary.

19 Why Traditional Antivirus Protection Fails Modern malware is increasingly able to: - Targeted malware avoids traditional AV honey-pots - Evolve before protection can be delivered via polymorphism, reencoding, and changing URLs Targeted and custom malware Polymorphic malware Newly released malware Highly variable time to protection , Palo Alto Networks. Confidential and Proprietary.

20 WildFire: A Modern Threat Prevention Architecture Make Malware Enforcement Local Find unknowns in real enterprise network traffic, not honeypots Turn the Power of the Cloud Against Malware New and polymorphic malware is unlimited Cloud-based analysis scales with any analysis demands Provide True Malware Protections All subscribers protected world-wide within 1 hour of first malware infection instance True malware signatures based on payload, not URL or filename True in-line blocking Drop traffic as opposed to TCP resets , Palo Alto Networks. Confidential and Proprietary.

21 WildFire Architecture 10 Gbps Threat Prevention and file scanning All traffic, all ports Web, , FTP and SMB Running in the cloud lets the Malware malware signatures do things developed that you and wouldn t tested based allow on in malware your payload. network. Updates to sandbox logic Stream-based malware engine to without impacting the perform true inline enforcement. customer , Palo Alto Networks. Confidential and Proprietary.

22 1, ,448 COMPANIES USING WILDFIRE UNIQUE FILES SCANNED IN JA WILDFIRE 28,612 13,233 (46%) NEW MALWARE FILES FOUND IN JANUARY USING WILDFIRE 2013 Palo Alto Networks. Proprietary and Confidential. MALWARE NOT INITIALLY DETECTED BY TOP HOST AV PRODUCTS

23 An integrated approach to network security Applications Sources Known Threats Unknown Threats Visibility and control of all traffic, across all ports, all the time Control traffic sources and destinations based on risk Stop exploits, malware, spying tools, and dangerous files Automatically identify and block new and evolving threats Reduce the attack surface Control the threat vector Control the methods that threats use to hide , Palo Alto Networks. Confidential and Proprietary. R e d u c i n g R i s k Sites known to host malware Find traffic to command and control servers SSL decrypt high-risk sites NSS tested and Recommended IPS Stream-based anti-malware based on millions of samples Control threats across any port WildFire analysis of unknown files Visibility and automated management of unknown traffic Anomalous behaviors

24 , Palo Alto Networks. Confidential and Proprietary.