Integrated Approach to Network Security
Lee Klarich, Senior Vice President, Product Management
March 2013
Real data from actual networks
2012, Palo Alto Networks. Confidential and Proprietary.
2008: HTTP, the universal application transport
- HTTP is 64% of enterprise bandwidth
- Most HTTP traffic is client/server (54%)
- Web browsing is 23%
- Other browser-based applications (23%); many have full-fledged clients
(Chart: All HTTP Applications, Browser-based Applications, Web Browsing)
2009: file sharing usage is rampant
- Despite risks, P2P file sharing use is common: an average of 6 variants per organization, 17 in one case
- Browser-based file sharing usage doubled over a 12-month period: a rapidly growing segment, average of 5 variants, as high as 17
2010: browser-based sharing grows
- File sharing trend: frequency of use and number of applications shifts towards browser-based
- Use of other file sharing applications (like FTP) remains steady
(Chart: File Sharing Trends Over Time, Mar. 2008 to Oct. 2010; series: Browser-Based File Sharing, Peer-to-peer File Sharing, FTP, All Other Applications)
Bandwidth Consumption Comparison:
- Xunlei (P2P): 203 TB
- Other Filesharing: 49 TB
- Other P2P Filesharing: 48 TB
- Browser-based Filesharing: 22 TB
- All Other Applications: 998 TB
- 80 filesharing applications (23 P2P, 49 BB, 9 other) consuming 323 TB (24%)
- Xunlei, 5th most popular P2P, consumed 203 TB, 15% of overall BW
- Business benefits: easier to move large files, central source of Linux binaries
- Outbound risks: data loss is the primary business risk
- Inbound risks: Mariposa is propagated across P2P (and MSN)
2011: rise of hidden applications
- Hidden application traffic: 41% of the applications found (433) can use SSL or hop ports
- Consuming roughly 36% of overall bandwidth
- Only 43% use the browser
2012: malware uses applications
- 3044 samples (23%) generated unknown traffic or fake HTTP
- Unknown traffic represents 11% of malware sessions
(Chart: number of sessions and number of samples per traffic characteristic; the multiplier is sessions per sample)

Traffic characteristic      Sessions   Samples   Sessions/sample
short http headers             40336      4470     9.0x
unknown traffic                33567      2615    12.8x
ddns, fastflux domain          14472      1777     8.1x
fake http                       4696       429    10.9x
nonstandard http port            459       201     2.3x
irc on regular port               12         8     1.5x
irc on nonstandard port           39        13     3.0x
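The traffic characteristics in the chart above are all things a sensor can score from the first bytes of a session and from DNS behaviour. The following is an added example, not Palo Alto Networks code: it classifies constructed session records into the same indicator categories (fake HTTP, short HTTP headers, HTTP on a nonstandard port, IRC on a regular or nonstandard port, unknown traffic, dynamic-DNS or fast-flux names) and then reports sessions, distinct samples and the sessions-per-sample ratio per category, the three figures the chart shows. Identification is payload-based, so HTTP or IRC is recognised whatever port it runs on. The session records, the DDNS_SUFFIXES list and the thresholds (MIN_BROWSER_HEADERS, FASTFLUX_MIN_IPS) are assumptions made for the illustration.

```python
"""Flag malware-style network sessions by traffic characteristics.

Added example, not Palo Alto Networks code. Session records are constructed,
and DDNS_SUFFIXES is a placeholder list, not real dynamic-DNS providers.
Indicator names follow the categories on the "2012: malware uses applications"
slide; the thresholds are assumptions chosen for illustration.
"""
import re
from collections import defaultdict

DDNS_SUFFIXES = (".dyn.example", ".ddns.example")   # constructed placeholders
STANDARD_HTTP_PORTS = {80, 8080}
STANDARD_IRC_PORTS = {6667}
MIN_BROWSER_HEADERS = 4   # real browsers send more; fewer => "short http headers"
FASTFLUX_MIN_IPS = 5      # distinct resolved IPs for one name in the window

HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT) \S+ HTTP/1\.[01]\r\n")
HEADER_LINE = re.compile(rb"^[A-Za-z0-9-]+: .+$")
IRC_COMMAND = re.compile(rb"^(NICK|USER|JOIN|PRIVMSG) ", re.M)


def classify_session(sess):
    """Indicators triggered by one session. Identification is payload-based,
    so HTTP or IRC is recognised on any port, not just the standard one."""
    payload, port, hits = sess["payload"], sess["dst_port"], []
    if HTTP_REQUEST_LINE.match(payload):
        head = payload.partition(b"\r\n\r\n")[0]
        headers = head.split(b"\r\n")[1:]          # everything after the request line
        if not all(HEADER_LINE.match(h) for h in headers):
            hits.append("fake http")               # looks like HTTP, malformed headers
        elif len(headers) < MIN_BROWSER_HEADERS:
            hits.append("short http headers")
        if port not in STANDARD_HTTP_PORTS:
            hits.append("nonstandard http port")
    elif IRC_COMMAND.search(payload):
        hits.append("irc on regular port" if port in STANDARD_IRC_PORTS
                    else "irc on nonstandard port")
    else:
        hits.append("unknown traffic")             # no known protocol matched
    if sess.get("domain", "").endswith(DDNS_SUFFIXES):
        hits.append("ddns, fastflux domain")
    return hits


def fastflux_domains(sessions):
    """Names that resolved to many different IPs across the sessions seen."""
    ips = defaultdict(set)
    for s in sessions:
        if s.get("domain"):
            ips[s["domain"]].add(s["dst_ip"])
    return {d for d, addrs in ips.items() if len(addrs) >= FASTFLUX_MIN_IPS}


def summarize(sessions):
    """Per indicator: session count, distinct sample count and their ratio,
    the same three figures the slide's chart reports."""
    flux = fastflux_domains(sessions)
    n_sessions, samples = defaultdict(int), defaultdict(set)
    for s in sessions:
        hits = classify_session(s)
        if s.get("domain") in flux and "ddns, fastflux domain" not in hits:
            hits.append("ddns, fastflux domain")
        for h in hits:
            n_sessions[h] += 1
            samples[h].add(s["sample"])
    return {h: {"sessions": n_sessions[h], "samples": len(samples[h]),
                "sessions_per_sample": round(n_sessions[h] / len(samples[h]), 1)}
            for h in n_sessions}


def _http(host, *extra):
    """Build a constructed HTTP request payload."""
    lines = [b"GET / HTTP/1.1", b"Host: " + host.encode()] + [e.encode() for e in extra]
    return b"\r\n".join(lines) + b"\r\n\r\n"


BROWSER = ("User-Agent: Mozilla/5.0", "Accept: */*",
           "Accept-Language: en", "Connection: keep-alive")
IRC = b"NICK bot1\r\nUSER bot1 0 * :bot\r\nJOIN #c\r\n"


def _s(sample, ip, port, domain, payload):
    """One constructed session: sample id, resolved IP, port, name, first bytes."""
    return {"sample": sample, "dst_ip": ip, "dst_port": port,
            "domain": domain, "payload": payload}


SESSIONS = [
    _s("A", "203.0.113.10", 80, "www.example.com", _http("www.example.com", *BROWSER)),
    _s("A", "203.0.113.11", 80, "up.example.net", _http("up.example.net")),
    _s("B", "203.0.113.12", 1337, "", _http("203.0.113.12")),
    _s("B", "203.0.113.13", 80, "", b"GET / HTTP/1.1\r\nxyzzy garbage\r\n\r\n"),
    _s("C", "203.0.113.14", 6667, "", IRC),
    _s("C", "203.0.113.15", 8080, "", IRC),
    _s("D", "203.0.113.16", 4444, "", b"\x00\x17\xa3\x91\xff\x00beacon"),
] + [
    _s("D", "198.51.100.%d" % i, 80, "cc.flux.example", _http("cc.flux.example", *BROWSER))
    for i in range(1, 6)
] + [
    _s("E", "203.0.113.17", 80, "host.dyn.example", _http("host.dyn.example")),
]

if __name__ == "__main__":
    rows = sorted(summarize(SESSIONS).items(), key=lambda kv: -kv[1]["sessions"])
    for name, row in rows:
        print(f"{name:24s} sessions={row['sessions']:3d} samples={row['samples']:2d} "
              f"({row['sessions_per_sample']}x)")
```

The first session (a full browser-style request on port 80) triggers nothing, which is the point of the thresholds: the indicators separate traffic that merely resembles an application from traffic the application's real client would produce. Fast-flux detection needs the whole window of sessions, so it is computed in summarize() rather than per session.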
Technology sprawl won't fix the problem
- More stuff doesn't solve the problem
- Firewall helpers have limited view of traffic
- Complex and costly to buy and maintain
- Doesn't address applications
(Diagram: UTM, IPS, DLP, IM, AV, URL and Proxy appliances between the Internet and the Enterprise Network)
What's Needed: An Integrated Solution
Make the firewall do its job.
- Network security policy is enforced at the firewall
- Sees all traffic
- Defines boundary
- Enables access
- Traditional firewalls don't work any more
Core functions of a next-generation firewall
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify and control users regardless of IP address, location, or device
3. Protect against known and unknown application-borne threats
4. Fine-grained visibility and policy control over application access / functionality
5. Multi-gigabit, low latency, in-line deployment
Making the firewall a business enablement tool
- Applications: Enablement begins with application classification by App-ID.
- Users: Tying users and devices, regardless of location, to applications with User-ID and GlobalProtect.
- Content: Scanning content and protecting against all threats, both known and unknown, with Content-ID and WildFire.
Single Pass Platform Architecture
Addressing Modern Malware
Today: more and more malware goes undetected
(Chart: New Malware Coverage Rate by Top 5 AV Vendors; malware sample count, Day-0 through Day-6, broken down by how many of the 5 vendors detect each sample, from 0 vendors to 5 vendors)
The lifecycle of network attacks
1. Bait the end-user: end-user lured to a dangerous application or website containing malicious content
2. Exploit: infected content exploits the end-user, often without their knowledge
3. Download Backdoor: secondary payload is downloaded in the background; malware installed
4. Establish Back-Channel: malware establishes an outbound connection to the attacker for ongoing control
5. Explore & Steal: remote attacker has control inside the network and escalates the attack
Coordinated Threat Prevention
An integrated approach to threat prevention, mapped against the lifecycle stages (Bait the end-user, Exploit, Download Backdoor, Establish Back-Channel, Explore & Steal):
- App-ID: Block high-risk apps; Block C&C on nonstandard ports
- URL: Block known malware sites; Block malware, fastflux domains
- IPS / Spyware / AV: Block the exploit; Block malware; Block spyware, C&C traffic
- Files: Prevent drive-by downloads
- WildFire: Detect unknown malware; Block new C&C traffic
Coordinated intelligence to detect and block active attacks based on signatures, sources and behaviors
Conclusions From the Lifecycle
- Attacks are blended and patient: exploits, malware and traffic; long-term time scale
- Malware is the strategic enabler: provides a persistent point of control inside the target network
- Malware enables evasion: when both ends of a connection are malicious, new evasions become available (encryption, strange ports, tunneling, polymorphic malware, etc.)
- Exploits: exploits are delivered over the network (encryption, fragmentation)
- Malware: malware is delivered over the network (re-encoded and targeted malware)
- Spyware, C&C: malware communicates over the network (proxies, tunneling, encryption, custom traffic)
Why Traditional Antivirus Protection Fails
Modern malware is increasingly able to:
- Avoid traditional AV honey-pots (targeted malware)
- Evolve before protection can be delivered, via polymorphism, re-encoding, and changing URLs
(Diagram: targeted and custom malware, polymorphic malware, newly released malware; highly variable time to protection)
WildFire: A Modern Threat Prevention Architecture
- Make Malware Enforcement Local: find unknowns in real enterprise network traffic, not honeypots
- Turn the Power of the Cloud Against Malware: new and polymorphic malware is unlimited; cloud-based analysis scales with any analysis demands
- Provide True Malware Protections: all subscribers protected world-wide within 1 hour of first malware infection instance; true malware signatures based on payload, not URL or filename; true in-line blocking (drop traffic as opposed to TCP resets)
WildFire Architecture
- 10 Gbps Threat Prevention and file scanning: all traffic, all ports; web, email, FTP and SMB
- Running in the cloud lets the malware do things that you wouldn't allow in your network
- Updates to sandbox logic without impacting the customer
- Malware signatures developed and tested based on malware payload
- Stream-based malware engine to perform true inline enforcement
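Two of the design points above, signatures keyed on the payload rather than on URL or filename and a stream-based engine that enforces inline, can be shown in a few dozen lines. The block below is an added illustration, not WildFire's engine or signature format. It stores what a sandbox verdict would hand back for a confirmed sample (the content hash, plus a distinctive byte pattern when analysis extracted one), then scans files as a stream of chunks: a pattern match is reported as soon as it is seen, before the transfer completes, while a hash match can only be confirmed at end of file. The SAMPLE, VARIANT and BENIGN byte strings and the b"EVIL-MARKER" pattern are constructed stand-ins.

```python
"""Stream-based scanning keyed on payload content, not URL or filename.

Added illustration, not WildFire's engine or signature format. The sample,
variant and benign files below are constructed byte strings, and
b"EVIL-MARKER" is a toy stand-in for the distinctive byte sequence a
sandbox analysis would extract from a confirmed sample.
"""
import hashlib


class PayloadSignatures:
    """Signatures derived from what a sandbox saw in the bytes themselves.
    A new URL or filename for the same content changes nothing here."""

    def __init__(self):
        self.hashes = set()     # full-content SHA-256 of confirmed samples
        self.patterns = []      # distinctive byte sequences from analysis

    def learn_sample(self, payload):
        self.hashes.add(hashlib.sha256(payload).hexdigest())

    def add_pattern(self, pattern):
        self.patterns.append(pattern)


class StreamScanner:
    """Consumes a file chunk by chunk and can return a verdict before the
    transfer completes, which is what makes inline blocking possible."""

    def __init__(self, sigs):
        self.sigs = sigs
        self.digest = hashlib.sha256()
        # Keep len(pattern)-1 trailing bytes so a pattern split across two
        # chunks is still found; nothing is carried if there are no patterns.
        self.carry = max((len(p) for p in sigs.patterns), default=1) - 1
        self.tail = b""
        self.verdict = None

    def feed(self, chunk):
        """Return "block:pattern" as soon as a pattern is seen, else None."""
        if self.verdict:
            return self.verdict
        self.digest.update(chunk)
        window = self.tail + chunk
        if any(p in window for p in self.sigs.patterns):
            self.verdict = "block:pattern"
            return self.verdict
        self.tail = window[-self.carry:] if self.carry else b""
        return None

    def finish(self):
        """At end of stream the full hash can be checked; otherwise allow."""
        if self.verdict is None:
            known = self.digest.hexdigest() in self.sigs.hashes
            self.verdict = "block:hash" if known else "allow"
        return self.verdict


def scan(sigs, data, chunk_size):
    """Scan data as a stream; returns (verdict, bytes consumed before verdict)."""
    scanner = StreamScanner(sigs)
    for offset in range(0, len(data), chunk_size):
        if scanner.feed(data[offset:offset + chunk_size]):
            return scanner.verdict, min(offset + chunk_size, len(data))
    return scanner.finish(), len(data)


# Constructed inputs: a "sample", a repacked variant with a different prefix
# (so a different hash) and an unrelated benign file.
SAMPLE = b"MZ" + b"\x90" * 40 + b"EVIL-MARKER" + b"\x00" * 30
VARIANT = b"MZ" + b"\xcc" * 40 + b"EVIL-MARKER" + b"\x00" * 30
BENIGN = b"MZ" + b"\x90" * 60 + b"hello"


def build_signatures(with_pattern=True):
    """What the cloud analysis would hand back for SAMPLE: its hash, plus the
    extracted pattern when one is available."""
    sigs = PayloadSignatures()
    sigs.learn_sample(SAMPLE)
    if with_pattern:
        sigs.add_pattern(b"EVIL-MARKER")
    return sigs


if __name__ == "__main__":
    sigs = build_signatures()
    for label, data in (("sample", SAMPLE), ("variant", VARIANT), ("benign", BENIGN)):
        print(label, scan(sigs, data, 8), "of", len(data), "bytes")
    print("hash only:", scan(build_signatures(with_pattern=False), SAMPLE, 8))
```

With the pattern signature the 83-byte sample is blocked after 56 bytes have passed, and the re-encoded variant is blocked too even though its hash is new; with only a hash signature the sample is caught at end of file and the variant is allowed through, which is the polymorphism problem the deck describes. The scanner never looks at a name or URL, so relocating or renaming the same bytes does not change the verdict.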
- 1,300+ companies using WildFire
- 417,448 unique files scanned in JA WildFire
- 28,612 new malware files found in January using WildFire
- 13,233 (46%) malware not initially detected by top host AV products
An integrated approach to network security
- Applications: visibility and control of all traffic, across all ports, all the time
- Sources: control traffic sources and destinations based on risk
- Known Threats: stop exploits, malware, spying tools, and dangerous files
- Unknown Threats: automatically identify and block new and evolving threats
Reducing Risk:
- Reduce the attack surface
- Control the threat vector
- Control the methods that threats use to hide
- Sites known to host malware
- Find traffic to command and control servers
- SSL decrypt high-risk sites
- NSS tested and Recommended IPS
- Stream-based anti-malware based on millions of samples
- Control threats across any port
- WildFire analysis of unknown files
- Visibility and automated management of unknown traffic
- Anomalous behaviors