PREVENTING SECURITY BREACHES ON THE ENDPOINT. Davide Rivolta System Engineer Exclusive Networks Walter Doria - System Engineer Palo Alto Networks

Transcription

1 Traps PREVENTING SECURITY BREACHES ON THE ENDPOINT Davide Rivolta System Engineer Exclusive Networks Walter Doria - System Engineer Palo Alto Networks

2 Delivering the Next-Generation Security Platform THREAT INTELLIGENCE CLOUD AUTOMATED Palo Alto Networks We are leading a new era in cybersecurity by protecting thousands of enterprise, government, and service provider networks from cyber threats. Because of our deep expertise, commitment to innovation and game-changing security platform, thousands of customers have chosen us and we are the fastest growing security company in the market. NATIVELY INTEGRATED EXTENSIBLE Traps Advanced Endpoint Protection Palo Alto Networks developed a very unique approach that prevents all exploit and malware-based attacks, even those based on unknown zero-day vulnerabilities. Prevent all exploits Prevent all malware Forensics of attempted attack Scalable, lightweight and user friendly Integrate with network and cloud security NEXT-GENERATION FIREWALL ADVANCED ENDPOINT PROTECTION

3 The Anatomy of a Targeted Attack Conduct Reconnaissance Compromise Endpoint Establish Control Channel Steal Data/ Achieve Objective The Right Time to Prevent a Security Breach is Before an Attacker Compromises an Endpoint to Gain a Foothold in Your Environment.

4 Exploits = Weaponized Data Files & Content Subvert Normal Applications Malware Executable Programs Carry Out Malicious Activity

5 Coverage Two Primary Methods for Compromising Endpoints Exploit Software Vulnerabilities Execute Malicious Programs Compromise Endpoint Traditional Next-Gen AV AV and is HIPS More Cannot Efficient Protect but Against Attacks Not More That Effective. Haven t Been Seen Before. Host IPS Next Gen AV Traditional AV Next Gen AV

6 Current endpoint security solutions fall short Too easy to bypass current antivirus products Over 60% of new malware is undetected by existing AV vendors Traditional approach to endpoint security requires prior knowledge of attack Patching and HIPS can t keep up with exploit activity Solutions that leverage multiple techniques for detection and prevention are required

7 What is Advanced Endpoint Protection Advanced Endpoint Protection is a category of security products that provide the following three core capabilities: Integrated into a Security Platform Prevent Exploits Known, Unknown/Zero-Day 2. Prevent Malware Known, Unknown

8 Traps Blocks Core Exploit Techniques, Not Individual Attacks All Software and Applications Contain Vulnerabilities 5,307 New Software Vulnerabilities in 2015 * Individual Attacks 1,000s That Exploit New or Unpatched Software Vulnerabilities Core Techniques Exploitation Techniques Used in Attacks *Source: CVEDetails.com

9 Total Number To Prevent Exploits, Aim at the Root of the Attempt Patching Requires Prior Knowledge, Proactive Application Signature / Behavior Requires Prior Knowledge of Weaponized Exploits Time Traps Requires No Patching, No Prior Knowledge of Vulnerabilities, and No Signatures , Palo Alto Networks. Confidential and Proprietary.

10 Exploit Technique Prevention Traps Forensic Data is Collected P D F PDF Process is Terminated User/Admin is Notified Infected document opened by unsuspecting user (Exploit evades Anti-Virus) Traps is seamlessly injected into processes Exploit technique is attempted and blocked by Traps before any malicious activity is initiated Traps reports the event and collects detailed forensics When an Exploitation Attempt is Made, the Exploit Hits a Trap and Fails before Any Malicious Activity is Initiated

11 Exploits Subvert Authorized Applications Vulnerabilities Vendor Patches ROP Heap Spray Utilizing OS Function Begin Malicious Activity Authorized Application Download malware Steal critical data Encrypt hard drive Destroy data More , Palo Alto Networks. Confidential and Proprietary.

12 Vendor Patch ROP Heap Spray Utilizing OS Function Begin Malicious Activity Authorized Application Activate key logger Steal critical data Encrypt hard drive Destroy data More

13 Traps Blocks Exploit Techniques No Malicious Activity Heap Spray Authorized Application Traps EPM , Palo Alto Networks. Confidential and Proprietary.

14 Traps Blocks Exploits That Use Unknown Techniques ROP No Malicious Activity Unknown Exploit Technique Authorized Application Traps EPM , Palo Alto Networks. Confidential and Proprietary.

15 Traps Blocks Zero-Day Exploits Actual Zero-Day Exploits That Traps EPMs Block CVE Heap Spray Memory Limit Heap Spray Check ROP ROP Mitigation/ UASLR Utilizing OS Function DLL Security CVE Heap Spray Memory Limit Heap Spray Check / Shellcode Preallocation DEP Circumvention UASLR Utilizing OS Function DLL Security ROP ROP Mitigation JIT Spray JIT Mitigation Utilizing OS Function DLL Security DLL Security CVE Preventing One Technique in the Chain will Block the Entire Attack 1 Operation Deputy Dog (CVE ) 2 Turla/Snake Campaign (CVE ) 3 Forbes Cyber-Espionage Campaign (CVE /0311) , Palo Alto Networks. Confidential and Proprietary.

16 Case Study: Banking Industry Customer TIMELINE Traps Version Released Vulnerability Discovered in Adobe Flash Player (CVE ) Attackers Attempted to Exploit Vulnerability. Traps Blocked the Attempt. Traps v2.3.6 Traps Prevents Unknown and Zero-Day Exploits Without the Benefit of Hindsight. No Updates or Patches Since Installation

17 Traps vs. Top 10 Zero-Day Exploits of 2015 Discovery Date Application Exploit Identifier Did Traps Block Zero-Day Exploit? January 23, 2015 Flash CVE March 13, 2015 Flash CVE April 14, 2015 Flash CVE June 23, 2015 Flash CVE July 8, 2015 Flash CVE July 14, 2015 Office CVE July 14, 2015 Flash CVE September 8, 2015 Office CVE October 15, 2015 Flash CVE December 28, 2015 Flash CVE , Palo Alto Networks. Confidential and Proprietary.

18 Malware Prevention Engine Policy-Based Restrictions Limit surface area of attack control source of file installation WildFire Inspection Prevent known malware with cloud-based integration Malware Techniques Mitigation Prevent unknown malware with technique-based mitigation

19 Quarantine Program Block Restricted Malicious Malicious User Attempts to Execute a Program Check Hash Against Override Policies No Match No Match Unknown Check Against List of Trusted Publishers Check Hash with WildFire Conduct Static Analysis Submit Program to WildFire for Analysis Allowed Trusted Benign Benign Check Execution Restrictions Restricted Allowed Block Run , Palo Alto Networks. Confidential and Proprietary.

20 WildFire Demonstrates the Shortcomings of Legacy AV 71.9M Just 37.5% 5.3M 2.0M Of the malware files seen by WildFire each month are detected by the top 6 enterprise AV vendors *. All Files Malicious Detected by AV *Average monthly values as of January Source: Palo Alto Networks WildFire and Multi-Scanner , Palo Alto Networks. Confidential and Proprietary.

21 Network Layout

22 Comm. Server Policy Database Admin Console Endpoints Endpoint Security Manager (ESM) Traps Endpoint Security Manager Architecture , Palo Alto Networks. Confidential and Proprietary.

23 A. Scalable Architecture Traps Architecture Leverages a Scalable Endpoint Security Manager (ESM) Endpoint Security Manager (ESM) 3-Tier Management SMTP Alerting ESM Console Database ESM Servers (each supports 10,000 endpoints & scales horizontally) SIEM / External Logging Forensic Folder(s) ESM Server(s) WildFire Threat Intelligence Cloud Off Premise On Premise Endpoints Running Traps , Palo Alto Networks. Confidential and Proprietary.

24 Platform Management Footprint Applications Flexible, Scalable, with Minimal Footprint 0.1% CPU Load 50 MB RAM 250 MB HD No scanning Out-of-the-Box protection for common applications Extensible to any application Physical & Virtual All major Windows editions Protects systems after end-of-support Central policy management Full SIEM integration support Role Based Access Control , Palo Alto Networks. Confidential and Proprietary.

25 Flexible Platform Coverage Workstations Windows XP * (32-bit, SP3 or later) Windows Vista (32-bit, 64-bit, SP1 or later; FIPS mode) Windows 7 (32-bit, 64-bit, RTM and SP1; FIPS mode; all editions except Home) Windows Embedded 7 (Standard and POSReady) Windows 8 * (32-bit, 64-bit) Windows 8.1 (32-bit, 64-bit; FIPS mode) Windows Embedded 8.1 Pro Windows 10 Pro (32-bit and 64-bit) Windows 10 Enterprise LTSB Servers Windows Server 2003 * (32-bit, SP2 or later) Windows Server 2003 R2 (32-bit, SP2 or later) Windows Server 2008 (32-bit, 64-bit; FIPS mode) Windows Server 2008 R2 (32-bit, 64-bit; FIPS mode) Windows Server 2012 (all editions; FIPS mode) Windows Server 2012 R2 (all editions; FIPS mode) Virtual Environments VMware ESX Citrix XenServer Oracle Virtualbox Microsoft Hyper-V * Microsoft no longer supports this operating system , Palo Alto Networks. Confidential and Proprietary.

26 Partners Keypoints

27 Why both endpoint and network prevention Network-based prevention provides: Broad, fast coverage for whole environment Significant reduction in surface area of attack Endpoint-based prevention provides: Coverage for attacks that cannot be prevented in the network Don t enter through the network, traffic that must be allowed by can t be decrypted, or delivered over multiple disassociated connections Coverage when disconnected from network-based security stack Most importantly: immediate prevention of unknown malware and zero-day exploits

28 Summary: Traps Benefits Prevent Zero-Day Vulnerabilities and Unknown Malware Install Patches on Your Own Schedule Protect Any Application from Exploits Signatureless, No Frequent Updates Network and Cloud integration Minimal Performance Impact Avoid Remediation Costs , Palo Alto Networks. Confidential and Proprietary.

29 Where to get Further Information? The PANW Web: Resources / Features / Technology / Initiatives The Partner Portal: Help Me Sell Help Me Market , Palo Alto Networks. Confidential and Proprietary.

30 hank You