PALO ALTO presentation used during the SWITCHPOINT NV/SA Quarterly Experience Day on 7th June 2016.

PALO ALTO NETWORKS
NEXT-GENERATION
SECURITY PLATFORM

Palo Alto Networks at-a-glance
2 | © 2015,Palo Alto Networks.Confidentialand Proprietary.
CORPORATE HIGHLIGHTS
• Founded in 2005; first customer
shipment in 2007
• Safely enabling applications and
preventing cyber threats
• Able to address all enterprise
cybersecurity needs
• Exceptional ability to support global
customers
• Experienced team of 3,600+ employees
• Q3 FY16: $345.8 revenue
$MM
REVENUES ENTERPRISE CUSTOMERS
$13 $49
$119
$255
$396
$598
$928
$0
$200
$400
$600
$800
$1.000
FY09 FY10 FY11 FY12 FY13 FY14 FY15
4.700
9.000
13,500
19,000
26.000
0
4.000
8.000
12.000
16.000
20.000
24.000
Jul/11 Jul/12 Jul/13 Jul/14 Jul/15

What’s changed?
THE EVOLUTION OF THE ATTACKER
Asked for the weak spot in the
cybersecurity of their organization,
47% of the Belgian IT decision
makers talks about attacks that
evolve faster than their security.

Innovation at the other side
Known Threats
OrganizationalRisk
Zero-Day Exploits/Vulnerabilities
Unknown & Polymorphic Malware
Evasive Command-and-Control
Lateral Movement
Changing Application Environment
SSL Encryption
Mobile Threats
THE EVOLUTION OF THE ATTACK

Evasive Command and Control
WEKBY Attacks use DNS requests

WEKBY Attacks use DNS requests
The following commands, and their descriptions are supported by the malware:
• sifo – Collect victim system information
• drive – List drives on victim machine
• list – List file information for provided directory
• upload – Upload a file to the victim machine
• open – Spawn a command shell

Twitter Based Command Channel

Hacking Team POC’s
Invisibility test
Invisibility test - MacOS (Yosemite) + AVG (silent installer): during the infection everything
was good; a problem occurred just after we configured the MacOS' mail client in order to let
the agent retrieve the emails: just a few seconds after that configuration, an AVG popup
warned about a trojan detection. I closed the popup in time while the customer was
attending Serge's explanation of the received evidences, so the customer didn't see. The
emails were correctly retrieved by the agent, but we didn't have a chance to check what was
the object of the detection (our trojan or what else);
https://wikileaks.org/hackingteam/emails/emailid/19213

Lateral Movement
Hacking Team
http://pastebin.com/raw/0SNSvyjJ

Zero Day Exploits
HT
It is known as a "zero-day" because
once the vulnerability becomes
known, the software's author has
zero days in which to plan and advise
any mitigation against its
exploitation (for example, by
advising workarounds or by issuing
patches).

Patching is Often Insufficient to Protect Endpoints
Example:Hacking Team Adobe Flash Zero-Day Exploits
Average days before a zero-day exploit is patched*
312
*Source: https://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf

0-day
Brokers
High-end exploit broker "the Grugq" at a Bangkok bar.
The bag of cash at his feet is for one of his exploit
developers. (Photo credit: Christopher Wise/Redux)
GrugQ -- who takes a 15% commission on deals -- said
that six-figure deals are common, and that he won't
touch a vulnerability worth less than $50,000.

Zero Days
You don’t need 0days when there are 1000 days in the network
In an unprecedented talk on Thursday at the USENIX Enigma security conference in
San Francisco, Rob Joyce, chief of NSA's Tailored Access Operations (TAO),
downplayed the importance of zero-days and the degree to which nation-state
hackers like those in his unit depend on them.
“I will tell you that persistence and focus will get you in, will achieve that exploitation
without the zero-days,” he continued “There's so many more vectors that are easier,
less risky and quite often more productive than going down that route.”

Changing Application Environment
SaaS

24 | © 2015, Palo Alto Networks. Confidential and Proprietary.
MALWARE PROPAGATION

25 | © 2015, Palo Alto Networks. Confidential and Proprietary.
Share
all files
publicly!
MALICIOUS DATA EXFILTRATION

SSL Encryption
HTTPS Everywhere
These are only normal websites over SSL!

SSL Encryption
Easy to hide
Dridex activity included SSL traffic to various IP addresses, mostly with example.com SSL
certificates. I also noted an SSL certificate for example.net as shown below:

Mobile Threats
Android Trojan “Xbot” Phishes Credit Cards and Bank Accnts, Encrypts Devices for Ransom

Failure of legacy security architectures
Anti-APT for
port 80 APTs
Anti-APT for
port 25 APTs
Endpoint AV
DNS protection cloud
Network AV
DNS protection for
outbound DNS
Anti-APT cloud
Internet
Enterprise Network
UTM/Blades
Limited visibility Manual responseLacks correlation
Vendor 1
Vendor 2
Vendor 3
Vendor 4
Internet Connection
Malware Intelligence
DNS Alert
Endpoint Alert
AV Alert
SMTP Alert
AV Alert
Web Alert
Web Alert
SMTP Alert
DNS Alert
AV Alert
DNS Alert
Web Alert
Endpoint Alert

Requirements for the future
DETECT AND PREVENT THREATSAT EVERY POINTACROSS THE ORGANIZATION
At the internet
edge
Between employees
and devices within
the LAN
At the data center
edge, and
between VM’s
At the mobile
device
Cloud
Within private,
public and hybrid
clouds

Delivering the next-generation security platform

The Next Generation Firewall Foundations
•App-ID™
•Identify the application
•User-ID™
•Identify the user
•Content-ID™
•Scan the content

Single Pass Parallel Processing Architecture

KISS
Policy Decision
Firewall
App-ID
Allow Salesforce
X Allow Salesforce
This IS Safe Application Enablement
Translate a Policy into a Policy

WildFire: Protecting Against The Unknown
Protections developed
with in-line enforcement
across the attack lifecycle
Intelligence correlated across:
Web
Detect unknown
§ Malware
§ Exploits
§ Command-and-control
§ DNS queries
§ Malware URLs
WildFire
WildFire
Threat
Prevention
URL
Filtering
All traffic
SSL encryption
All ports
Perimeter
All commonly
exploited file types
3rd party data
Data center
Endpoint
Email
FTP
SMTP
SMB
Sandboxing The Unknown

But what about the Endpoint
Begin
Malicious
Activity
Authorized
Application
Heap
Spray
ROP
Utilizing
OS Function
Vendor Patches
§ Download malware
§ Steal critical data
§ Encrypt hard drive
§ Destroy data
§ More…
Vulnerabilities

Traps Blocks Exploit Techniques
Heap
Spray
Traps
EPM
No Malicious
Activity
Authorized
Application

Traps
Delivering continuous innovation
GlobalProtect
WildFire
AutoFocus
Aperture
Threat Prevention
URL Filtering

The Prevention Opportunity in the attack lifecycle
1
Exploit infiltration
3Malware download
2 Vulnerability Exploit
4 Malware installation 5
Command and Control
6 Lateral movement
7
East - West
8
Data exfiltration

Why Palo Alto Networks?
Prevention
Zero-Day
Reduce Risk
Policy
Visibility
Remediation
Detection
Endpoint
Data Center
Mobility
BYOD Management
Vulnerability
Responsive
Exploit
Anti-Malware Forensics
Automation
Private Cloud
Public Cloud
Performance
Scalability
Platform
Segmentation
Applications
Users
Control
Agile
Perimeter
Integrated
Support
Web Security
Command-&-Control
Virtualization
Ecosystem
Context
Correlation
Services
People
Culture
Safe Enablement
Application

PALO ALTO presentation used during the SWITCHPOINT NV/SA Quarterly Experience Day on 7th June 2016.

PALO ALTO presentation used during the SWITCHPOINT NV/SA Quarterly Experience Day on 7th June 2016.

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Destacado

Destacado (16)

Similar a PALO ALTO presentation used during the SWITCHPOINT NV/SA Quarterly Experience Day on 7th June 2016.

Similar a PALO ALTO presentation used during the SWITCHPOINT NV/SA Quarterly Experience Day on 7th June 2016. (20)

Más de SWITCHPOINT NV/SA

Más de SWITCHPOINT NV/SA (6)

Último

Último (20)

PALO ALTO presentation used during the SWITCHPOINT NV/SA Quarterly Experience Day on 7th June 2016.