Traps: PREVENTING SECURITY BREACHES ON THE ENDPOINT
Davide Rivolta, System Engineer, Exclusive Networks
Walter Doria, System Engineer, Palo Alto Networks
Delivering the Next-Generation Security Platform
(Platform diagram labels: Threat Intelligence Cloud, Next-Generation Firewall, Advanced Endpoint Protection; Automated, Natively Integrated, Extensible)

Palo Alto Networks: We are leading a new era in cybersecurity by protecting thousands of enterprise, government, and service provider networks from cyber threats. Because of our deep expertise, commitment to innovation and game-changing security platform, thousands of customers have chosen us, and we are the fastest-growing security company in the market.

Traps Advanced Endpoint Protection: Palo Alto Networks developed a unique approach that prevents all exploit and malware-based attacks, even those based on unknown zero-day vulnerabilities.
- Prevent all exploits
- Prevent all malware
- Forensics of attempted attacks
- Scalable, lightweight and user friendly
- Integrates with network and cloud security
The Anatomy of a Targeted Attack
1. Conduct Reconnaissance
2. Compromise Endpoint
3. Establish Control Channel
4. Steal Data / Achieve Objective
The right time to prevent a security breach is before an attacker compromises an endpoint to gain a foothold in your environment.
Exploits = Weaponized Data Files & Content: subvert normal applications
Malware = Executable Programs: carry out malicious activity
Two Primary Methods for Compromising Endpoints
- Exploit Software Vulnerabilities
- Execute Malicious Programs
Either path leads to: Compromise Endpoint
Traditional AV and HIPS cannot protect against attacks that haven't been seen before.
Next-Gen AV is more efficient, but not more effective.
(Chart: coverage of Host IPS, Next Gen AV and Traditional AV)
Current endpoint security solutions fall short
- Too easy to bypass current antivirus products
- Over 60% of new malware is undetected by existing AV vendors
- Traditional approach to endpoint security requires prior knowledge of the attack
- Patching and HIPS can't keep up with exploit activity
- Solutions that leverage multiple techniques for detection and prevention are required
What is Advanced Endpoint Protection?
Advanced Endpoint Protection is a category of security products that provide the following three core capabilities:
1. Prevent Exploits (known, unknown/zero-day)
2. Prevent Malware (known, unknown)
3. Integrated into a Security Platform
Traps Blocks Core Exploit Techniques, Not Individual Attacks
- All software and applications contain vulnerabilities: 5,307 new software vulnerabilities in 2015*
- Individual attacks: 1,000s that exploit new or unpatched software vulnerabilities
- Core techniques: 10-15 exploitation techniques used in attacks
*Source: CVEDetails.com
To Prevent Exploits, Aim at the Root of the Attempt
(Chart: total number of exploits over time)
- Patching: requires prior knowledge, proactive application
- Signature / Behavior: requires prior knowledge of weaponized exploits
- Traps: requires no patching, no prior knowledge of vulnerabilities, and no signatures
9 2016, Palo Alto Networks. Confidential and Proprietary.
Exploit Technique Prevention
1. Infected document (PDF) is opened by an unsuspecting user (the exploit evades anti-virus)
2. Traps is seamlessly injected into processes
3. The exploit technique is attempted and blocked by Traps before any malicious activity is initiated
4. Traps reports the event and collects detailed forensics: forensic data is collected, the process is terminated, and the user/admin is notified
When an exploitation attempt is made, the exploit hits a trap and fails before any malicious activity is initiated.
Exploits Subvert Authorized Applications
(Diagram: vulnerabilities vs. vendor patches)
Exploit techniques used against an authorized application: ROP, Heap Spray, Utilizing OS Function; then Begin Malicious Activity.
Malicious activity: download malware, steal critical data, encrypt hard drive, destroy data, more.
(Diagram: vendor patch vs. exploit techniques)
Exploit techniques used against an authorized application: ROP, Heap Spray, Utilizing OS Function; then Begin Malicious Activity.
Malicious activity: activate key logger, steal critical data, encrypt hard drive, destroy data, more.
Traps Blocks Exploit Techniques
Heap Spray attempted against an authorized application is blocked by the Traps EPM: no malicious activity.
Traps Blocks Exploits That Use Unknown Techniques
ROP and an unknown exploit technique attempted against an authorized application are blocked by the Traps EPM: no malicious activity.
Traps Blocks Zero-Day Exploits
Actual zero-day exploits that Traps EPMs block (exploit technique -> Traps EPM):
CVE-2013-3893 (1)
- Heap Spray -> Memory Limit Heap Spray Check
- ROP -> ROP Mitigation / UASLR
- Utilizing OS Function -> DLL Security
CVE-2013-3346 (2)
- Heap Spray -> Memory Limit Heap Spray Check / Shellcode Preallocation
- DEP Circumvention -> UASLR
- Utilizing OS Function -> DLL Security
CVE-2015-3010 (3)
- ROP -> ROP Mitigation
- JIT Spray -> JIT Mitigation
- Utilizing OS Function -> DLL Security
Preventing one technique in the chain will block the entire attack.
(1) Operation Deputy Dog (CVE-2013-3893)
(2) Turla/Snake Campaign (CVE-2013-3346)
(3) Forbes Cyber-Espionage Campaign (CVE-2015-0310/0311)
Case Study: Banking Industry Customer
Timeline:
- Traps version 2.3.6 released
- Vulnerability discovered in Adobe Flash Player (CVE-2015-0359)
- Attackers attempted to exploit the vulnerability. Traps blocked the attempt.
Traps prevents unknown and zero-day exploits without the benefit of hindsight: no updates or patches since the installation of Traps v2.3.6.
Traps vs. Top 10 Zero-Day Exploits of 2015
Discovery Date       Application   Exploit Identifier   Did Traps Block Zero-Day Exploit?
January 23, 2015     Flash         CVE-2015-0311
March 13, 2015       Flash         CVE-2015-0336
April 14, 2015       Flash         CVE-2015-3043
June 23, 2015        Flash         CVE-2015-3113
July 8, 2015         Flash         CVE-2015-5119
July 14, 2015        Office        CVE-2015-2424
July 14, 2015        Flash         CVE-2015-5122
September 8, 2015    Office        CVE-2015-2545
October 15, 2015     Flash         CVE-2015-7645
December 28, 2015    Flash         CVE-2015-8651
Malware Prevention Engine
- Policy-Based Restrictions: limit the attack surface; control the source of file installation
- WildFire Inspection: prevent known malware with cloud-based integration
- Malware Techniques Mitigation: prevent unknown malware with technique-based mitigation
Malware prevention flow (user attempts to execute a program):
1. Check hash against override policies: Malicious -> Block / Quarantine; Trusted -> Allowed; No match -> continue
2. Check against list of trusted publishers: Trusted -> Allowed; No match -> continue
3. Check hash with WildFire: Malicious -> Block; Benign -> Allowed; Unknown -> continue
4. Conduct static analysis and submit the program to WildFire for analysis: Malicious -> Block; Benign -> Allowed
5. Allowed programs are checked against execution restrictions: Restricted -> Block; Allowed -> Run
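As an added illustration, not Traps' own code, the following Python model walks an executable through the decision chain on this slide in the slide's order (hash override policies, trusted publishers, WildFire hash verdict, static analysis for unknowns, then execution restrictions). The outcome names, the byte-entropy heuristic standing in for static analysis, and all policy contents, publishers and paths are constructed assumptions.

```python
import hashlib
import math
from dataclasses import dataclass, field

@dataclass
class Program:
    path: str        # location the user is executing from
    publisher: str   # code-signing publisher name ("" if unsigned)
    content: bytes

@dataclass
class Policy:
    hash_overrides: dict        # sha256 -> "malicious" | "trusted" (admin decisions)
    trusted_publishers: set     # signers allowed to run without a cloud verdict
    restricted_prefixes: tuple  # install sources locked down by policy (lowercase)
    wildfire_cache: dict        # sha256 -> "malicious" | "benign" (known verdicts)
    submitted: list = field(default_factory=list)  # unknown hashes sent for analysis

def file_hash(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; packed or encrypted payloads approach 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data))) if n else 0.0

def execution_restrictions(program: Program, policy: Policy) -> str:
    """Final gate for anything not blocked: policy-based source restrictions."""
    return "restricted" if program.path.lower().startswith(policy.restricted_prefixes) else "run"

def decide(program: Program, policy: Policy) -> str:
    h = file_hash(program.content)
    # 1. Hash override policies: admin verdicts win over everything else.
    if policy.hash_overrides.get(h) == "malicious":
        return "quarantine"
    # 2. Trusted override or trusted publisher: no cloud lookup needed.
    if policy.hash_overrides.get(h) == "trusted" or program.publisher in policy.trusted_publishers:
        return execution_restrictions(program, policy)
    # 3. Known WildFire verdict for this hash.
    verdict = policy.wildfire_cache.get(h)
    if verdict == "malicious":
        return "block"
    if verdict is None:
        # 4. Unknown: submit for cloud analysis and fall back to local static analysis
        #    (constructed heuristic: very high byte entropy suggests a packed payload).
        policy.submitted.append(h)
        if entropy(program.content) > 7.2:
            return "block"
    # Benign, or unknown and passed static analysis: apply execution restrictions.
    return execution_restrictions(program, policy)
```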
WildFire Demonstrates the Shortcomings of Legacy AV
Files seen by WildFire each month*: 71.9M all files; 5.3M malicious; 2.0M detected by AV.
Just 37.5% of the malware files seen by WildFire each month are detected by the top 6 enterprise AV vendors*.
*Average monthly values as of January 2016. Source: Palo Alto Networks WildFire and Multi-Scanner
Network Layout
Traps Endpoint Security Manager Architecture
Endpoint Security Manager (ESM) components: Communication Server, Policy Database, Admin Console; managed Endpoints.
A. Scalable Architecture
Traps architecture leverages a scalable Endpoint Security Manager (ESM) with a 3-tier management structure:
- ESM Console
- Database
- ESM Servers (each supports 10,000 endpoints and scales horizontally)
Integrations: SMTP alerting, SIEM / external logging, forensic folder(s), WildFire Threat Intelligence Cloud (off premise). ESM server(s) and endpoints running Traps are on premise.
Flexible, Scalable, with Minimal Footprint
- Footprint: 0.1% CPU load, 50 MB RAM, 250 MB HD, no scanning
- Applications: out-of-the-box protection for common applications; extensible to any application
- Platform: physical & virtual; all major Windows editions; protects systems after end-of-support
- Management: central policy management; full SIEM integration support; role-based access control
Flexible Platform Coverage
Workstations:
- Windows XP* (32-bit, SP3 or later)
- Windows Vista (32-bit, 64-bit, SP1 or later; FIPS mode)
- Windows 7 (32-bit, 64-bit, RTM and SP1; FIPS mode; all editions except Home)
- Windows Embedded 7 (Standard and POSReady)
- Windows 8* (32-bit, 64-bit)
- Windows 8.1 (32-bit, 64-bit; FIPS mode)
- Windows Embedded 8.1 Pro
- Windows 10 Pro (32-bit and 64-bit)
- Windows 10 Enterprise LTSB
Servers:
- Windows Server 2003* (32-bit, SP2 or later)
- Windows Server 2003 R2 (32-bit, SP2 or later)
- Windows Server 2008 (32-bit, 64-bit; FIPS mode)
- Windows Server 2008 R2 (32-bit, 64-bit; FIPS mode)
- Windows Server 2012 (all editions; FIPS mode)
- Windows Server 2012 R2 (all editions; FIPS mode)
Virtual Environments: VMware ESX, Citrix XenServer, Oracle VirtualBox, Microsoft Hyper-V
* Microsoft no longer supports this operating system.
Partner Key Points
Why both endpoint and network prevention?
Network-based prevention provides:
- Broad, fast coverage for the whole environment
- Significant reduction in attack surface
Endpoint-based prevention provides:
- Coverage for attacks that cannot be prevented in the network: attacks that don't enter through the network, traffic that must be allowed but can't be decrypted, or attacks delivered over multiple disassociated connections
- Coverage when disconnected from the network-based security stack
- Most importantly: immediate prevention of unknown malware and zero-day exploits
Summary: Traps Benefits
- Prevent zero-day vulnerabilities and unknown malware
- Install patches on your own schedule
- Protect any application from exploits
- Signatureless, no frequent updates
- Network and cloud integration
- Minimal performance impact
- Avoid remediation costs
Where to get Further Information?
The PANW Web (Resources / Features / Technology / Initiatives): https://www.paloaltonetworks.com/products/secure-the-endpoint/traps
The Partner Portal: Help Me Sell, Help Me Market
Thank You