Michael Weisgerber, CISSP Senior Channel Systems Engineer CEUR

Transcription

1 chutz für die, ie noch nicht ufgegeben haben Michael Weisgerber, CISSP Senior Channel Systems Engineer CEUR

2 chutz für die, ie noch nicht ufgegeben haben Michael Weisgerber, CISSP Senior Channel Systems Engineer CEUR

3 Das Zero-Trust-Konzept Maximale Kontrolle und Sichtbarkeit Branch Office VPN VPN Remote Users SaaS DMZ WildFire Users VLAN 1 PaaS Guest Wireless VLAN 2 Core switches Core switches VLAN TRUNK IT VLAN 3 Datacenter VLAN 101 APP VLAN 102 DBS VLAN 103 ADS Applications Users URL Filtering IPS Antivirus Anti-Spyware APT File Blocking 2016, Palo Alto Networks. Confidential and Proprietary.

4 Die einzig real existierende Plattform THREAT INTELLIGENCE CLOUD Next-Generation Firewall Untersucht ALLEN Verkehr Blockiert bekannte Gefahren Schickt unbekanntes zu Wildfire Deckt auch mobile und virtuelle Umgebungen ab AUTOMATED Threat Intelligence Cloud Sammelt potentielle Gefahren aus dem Netzwerk und vom Endpunkt Analysiert und korreliert Flächt die gewonnene Intelligenz auf Netzwerk und Endpunkte aus NATIVELY INTEGRATED EXTENSIBLE NEXT-GENERATION FIREWALL Advanced Endpoint Protection Untersucht alle Prozesse und Dateien Schützt vor bekannten und unbekannten Verwundbarkeiten Integriert sich in die Cloud Intelligenz ADVANCED ENDPOINT PROTECTION 2016, Palo Alto Networks. Confidential and Proprietary.

5 chutz für die, ie noch nicht ufgegeben haben Michael Weisgerber, CISSP Senior Channel Systems Engineer CEUR

6 Hackers Brötchen Michael Weisgerber, CISSP Senior Channel Systems Engineer CEUR

7 Understanding the adversary Surveyed threat experts, including current and former attackers with one goal: What is the economic incentive to be the bad guy, and use this to prevent successful data breaches.

8 Key takeaways Cyberattackers are opportunistic: 72% of survey respondents said they won t waste time on an attack that will not quickly yield high value information. Myth of the big payday: 69% of adversaries are motivated by profit, yet the average yearly earnings are less than $30k. Less than 2 days to deter attacks: Increasing the time it takes to breach an organization by 40 hours will prevent 60 percent of attacks. Next-generation security approaches can win: It takes adversaries 2X the time to breach well protected organizations, and 55% believe threat intelligence sharing is the most effective technology.

9 Changing the cost curve Number of successful attacks Cost of launching a successful attack

10 Changing the cost curve Cost of launching a successful attack Number of successful attacks

11 The attacker economics + + = $ Available malware & exploits Effective automated toolkits Cheaper computing power Successful data breaches Adversary Arithmetic

12 Why attack cost is decreasing 64% More malware and exploits available 54% Improved attacker skills 47% Better toolkits 23% Adversary collaboration 20% Intelligence on targets

13 The impact of automated toolkits 68% Automated tools make it easier to executive attacks 64% Tools are highly effective 63% Increased usage of toolkits $1,387 Spent on toolkits

14 HOW TO FLIP THE ECONOMICS

15 Changing the economics $ = + + Decreasing successful attacks Force custom, expensive operations Automatically identify & prevent new threats Use visibility to understand your threat environment

16 Prevention philosophy Steps 1 & 2 Step 3 Step 4 Step 5 = Increase your defenses NGFW WildFire Threat Prevention PAN-DB Traps AutoFocus Aperture

17 Next-Generation Security Platform

18 PALO ALTO NETWORKS: Innovations to Drive up the Cost of Attacks

19 Traps Prevents Security Breaches on the Endpoint Existing Anti-Virus Solutions Fail to Stop Targeted Attacks Gather Intelligence Exploit Vulnerabilities Execute Malware Establish Control Channel Steal Data Legacy AV Next Gen AV Traps

20 Traps Blocks Core Exploit Techniques, Not Individual Attacks All Software and Applications Contain Vulnerabilities 5,307 New Software Vulnerabilities in 2015 * Individual Attacks 1,000s That Exploit New or Unpatched Software Vulnerabilities Core Techniques Exploitation Techniques Used in Attacks *Source: CVEDetails.com

21 Traps Combines the Power of WildFire and Advanced Execution Controls to Prevent Malware Exploit Prevention Modules WildFire Inspection & Dynamic Analysis Local Hash Policy Execution Restrictions Advanced Execution Control Malware Prevention Modules

22 AutoFocus: Put threat intelligence into practice Identify Analyze Profile Protect Unique, targeted attack Correlate global intelligence Insight into attacker & methods Take action and prevent threats Transform your team into advanced threat hunters

23 AutoFocus: Put threat intelligence into practice Prioritize events Highlight unique, targeted attacks when they happen Context and search Quick investigation on actors, campaigns and attack techniques Proactive response Prevent across the attack lifecycle before the breach

24 Aperture: Cloud delivered security APERTURE WILDFIRE

25 Aperture: Cloud delivered security APERTURE Deployment agnostic No network changes or new HW/SW to install User agnostic No agents required or app limitations Prevents threats Malware detection through WildFire Retroactive policy Policy applies to past and future events

26 Die einzig real existierende Plattform THREAT INTELLIGENCE CLOUD Next-Generation Firewall Untersucht ALLEN Verkehr Blockiert bekannte Gefahren Schickt unbekanntes zu Wildfire Deckt auch mobile und virtuelle Umgebungen ab AUTOMATED Threat Intelligence Cloud Sammelt potentielle Gefahren aus dem Netzwerk und vom Endpunkt Analysiert und korreliert Flächt die gewonnene Intelligenz auf Netzwerk und Endpunkte aus NATIVELY INTEGRATED EXTENSIBLE NEXT-GENERATION FIREWALL Advanced Endpoint Protection Untersucht alle Prozesse und Dateien Schützt vor bekannten und unbekannten Verwundbarkeiten Integriert sich in die Cloud Intelligenz ADVANCED ENDPOINT PROTECTION 2016, Palo Alto Networks. Confidential and Proprietary.

27 PA-220 Specifications PA Mbps App-ID 150 Mbps Threat Prevention 64,000 sessions (8) 1G Copper Ethernet ports Dual power adapters (optional) 32GB solid state storage (EMMC), 8GB DDR4, 4 Core CPU, 1Ghz Dedicated out-of-band management port RJ-45 and Micro USB console ports Complete high availability support (A/P with session sync, and A/A) Wall-mount or rack-mount desktop form factor

28 PA-800 Series Specifications PA-850 PA Gbps App-ID 780 Mbps Threat Prevention 192,000 sessions (4) 10/100/1000 Copper (4) SFP, (4) SFP/+ 940 Mbps App-ID 610 Mbps Threat Prevention 128,000 sessions (4) 10/100/1000 Copper (8) SFP 1U rackmount chassis Dual, hot swap power supplies (PA-850 only) 240GB SSD, 16GB DDR4, 8/7 CPU cores, 1.6Ghz CPU Dedicated out-of-band management port RJ-45, Micro USB console port Dedicated HA interfaces

29 PA-5200 Series Specifications PA-5260 PA-5250 PA Gbps App-ID 30 Gbps Threat Prevention 21 Gbps IPSec VPN 32,000,000 sessions (4) 40G/100G QSFP28 (16) 1G/10G SFP/SFP+ (4) 100/1000/10G Copper 3x48 Core CPU, 1.6Ghz 64GB DDR4 per DP 35 Gbps App-ID 20 Gbps Threat Prevention 14 Gbps IPSec VPN 8,000,000 sessions (4) 40G/100G QSFP28 (16) 1G/10G SFP/SFP+ (4) 100/1000/10G Copper 2x48 Core CPU, 1.6Ghz 32GB DDR4 per DP 18 Gbps App-ID 9 Gbps Threat Prevention 5 Gbps IPSec VPN 4,000,000 sessions (4) 40G QSFP+ (16) 1G/10G SFP/SFP+ (4) 100/1000/10G Copper 1x40 Core CPU, 1.6Ghz 32GB DDR4 per DP Hot swappable fans, power supplies Dual SSD system drives (240GB) and HDD logging drives (2TB), 8/12 Core Intel I7, 32GB DDR4 Dedicated HA and management interfaces 3U, 2 and 4 post rackmount units Front to back airflow with replaceable filters NEBS Level 3 Certified

30 HIGH PERFORMANCE PRODUCT PORTFOLIO 2x App-ID 2x TP 3.5x SSL 2x Sessions 100 Gig I/O PA x App-ID 1.5x TP 1.25x SSL 4x Sessions PA x App-ID 2x TP 1.5x Sessions Modular expansion More I/O density Pre PAN-OS 8.0 PA x App-ID 1.67x TP 1.67x Sessions Front to Back Airflow More I/O density PA-7050 PA-7080 Invest for the Future Datacenter consolidation driving higher performance and capacity requirements SSL is becoming the norm and must be secured (and decrypted) Internal segmentation projects driving expanded needs

31 How are we addressing the need? Extra small Branch office, vcpe, Network based MSSP Small, Medium Hybrid cloud, segmentation, Internet gateway Large, Extra Large NFV component in virtualized data center and service provider environments VM-50 VM-100 VM-200 VM-300 VM-1000-HV VM-500 VM-700 Up to Up to Up to Up to Up to 200M App-ID 2G App-ID 4G App-ID 8G App-ID 16G App-ID Threat performance is half of App-ID

32 Automated security policy creation workflow Security Admin (Performs Steps 1 & 3) NSX Admin (Performs Step 2) PCI PCI DMZ 1 Automated update of security groups information to NSX manager PROD DEV 1 Create dynamic address groups within Panorama 2 Define security group membership within NSX 3 Create security policies in Panorama based on security groups 3 Automated creation of redirection policies on NSX manager

33 Wildfire 2016 average accuracy 99.8%

34 The VM Analysis Evasion Problem Analysis instrumentation Now it is commoditized. Valid user activity Virtual analysis environment Specific virtualization technology Evidence of virtualization Environment details System Config This used to be the domain of the advanced adversary.

35 Why is this a big problem? Says who? Everyone uses the same opensource virtualization technology VENOM vulnerability exposed the use of the same open-source virtualization technology by every major security vendor in (CVE )

36 WildFire all-new analysis engine New machine learning The only custom-built anti-evasion malware analysis environment Final frontier for anti-vm detection Static Analysis Dynamic Analysis Heuristic engine Bare Metal Analysis Detection of known exploits, malware, and new variants Detonation reveals zero-day exploitation & malware Dynamically steers highly evasive, suspicious files to bare metal Detonates malware on real hardware, detecting all VM-aware malware

37 WildFire Global Cloud Infrastructure Regional Clouds WildFire Global Cloud Analysis performed in-region EU Customer files stored in-region Local research staff handles engine accuracy maintenance CA VA Analysis data / signatures Customer files JP Intelligence & Prevention Analysis data and signatures sent to global cloud All customers receive global signature package AutoFocus continues to have global visibility SOC 2 & ISO certified datacenters SOC 2 Compliant WildFire infrastructure All customers continue to receive a global WildFire signature package every 5 minutes Customers choose which clouds to use to meet privacy needs

38 State of command-and-control prevention Trade-off between speed and quality of protection Automated C2 coverage Manual C2 coverage Domain, URL, IP based ~90,000 daily High volume, limited effectiveness Payload-based ~10 s weekly Highly effective, but cannot scale

39 Researcher-grade C2 protection, at scale Removing the trade-off, effectiveness with scale: WildFire Extract C2 payload Automatic signature generation Automatic high-fidelity signature creation Capturing C2 data from WildFire execution Daily content updates

40 The power of automated C2 prevention More Coverage 10 times more payload-based C2 signatures release per day (and growing) Higher Effectiveness New automatically generated C2 signatures cover between unique malware samples per signature

41 PAN-DB Updates Phishing and Malware categories now updated every 5 minutes Malware and phishing links detected in s are added to PAN-DB within 5 minutes and logged in the WildFire log

42 Traps Aperture Industry sharing Partner integrations Firewalls 3 rd party feeds SOURCE PAN-DB WildFire Content Updates DATA PROCESS AutoFocus INFORMATION ANALYZE INTELLIGENCE , Palo Alto Networks. Confidential and Proprietary.

43 WildFire + AutoFocus: Detecting the unknown...at scale WildFire delivers over 100K new protections to customers per day AutoFocus contains over 2 B files and over 500B artifacts (and growing) Over 1000 AutoFocus tags add human-curated intelligence to over 80% of yearly malware incidents 150M samples/ month

44