Traps: Preventing Security Breaches on the Endpoint
passport.exclusive-networks.it/upload/workdoc/TRAPS...
Davide Rivolta – System Engineer – Exclusive Networks
Walter Doria – System Engineer – Palo Alto Networks
Delivering the Next-Generation Security Platform
Platform diagram: Next-Generation Firewall, Advanced Endpoint Protection and Threat Intelligence Cloud; natively integrated, extensible, automated.
Palo Alto Networks
We are leading a new era in cybersecurity by protecting thousands of enterprise, government, and service provider networks from cyber threats. Because of our deep expertise, commitment to innovation and game-changing security platform, thousands of customers have chosen us and we are the fastest growing security company in the market.
Traps – Advanced Endpoint Protection
Palo Alto Networks developed a unique approach that prevents all exploit-based and malware-based attacks, even those based on unknown zero-day vulnerabilities.
Prevent all exploits
Prevent all malware
Forensics of attempted attack
Scalable, lightweight and user friendly
Integrate with network and cloud security
The Anatomy of a Targeted Attack
Attack chain: Conduct Reconnaissance → Compromise Endpoint → Establish Control Channel → Steal Data / Achieve Objective
The Right Time to Prevent a Security Breach is Before an Attacker Compromises an Endpoint to Gain a Foothold in Your Environment.
Two Primary Methods for Compromising Endpoints
1. Execute Malicious Programs: Malware = Executable Programs that Carry Out Malicious Activity
2. Exploit Software Vulnerabilities: Exploits = Weaponized Data Files & Content that Subvert Normal Applications
Coverage chart: Traditional AV, Host IPS and “Next-Gen” AV compared by coverage.
Traditional AV and HIPS Cannot Protect Against Attacks That Haven’t Been Seen Before.
“Next-Gen” AV is More Efficient but Not More Effective.
Current endpoint security solutions fall short
• Too easy to bypass current antivirus products
• Over 60% of new malware is undetected by existing AV vendors
• Traditional approach to endpoint security requires prior knowledge of attack
• Patching and HIPS can’t keep up with exploit activity
• Solutions that leverage multiple techniques for detection and prevention are required
What is Advanced Endpoint Protection
Advanced Endpoint Protection is a category of security products that provide the following three core capabilities:
1. Prevent Exploits (Known, Unknown/Zero-Day)
2. Prevent Malware (Known, Unknown)
3. Integrated into a Security Platform
Traps Blocks Core Exploit Techniques, Not Individual Attacks
All Software and Applications Contain Vulnerabilities: 5,307 New Software Vulnerabilities in 2015*
*Source: CVEDetails.com
Individual Attacks That Exploit New or Unpatched Software Vulnerabilities: 1,000s
Core Exploitation Techniques Used in Attacks: 10-15
To Prevent Exploits, Aim at the Root of the Attempt
9 | © 2016, Palo Alto Networks. Confidential and Proprietary.
Chart: total number of exploits prevented over time, by approach.
• Patching: Requires Prior Knowledge, Proactive Application
• Signature / Behavior: Requires Prior Knowledge of Weaponized Exploits
• Traps: Requires No Patching, No Prior Knowledge of Vulnerabilities, and No Signatures
Exploit Technique Prevention
When an Exploitation Attempt is Made, the Exploit Hits a Trap and Fails before Any Malicious Activity is Initiated
1. Infected document (PDF) opened by unsuspecting user (Exploit evades Anti-Virus)
2. Traps is seamlessly injected into processes
3. Exploit technique is attempted and blocked by Traps before any malicious activity is initiated
4. Traps reports the event and collects detailed forensics: Process is Terminated, Forensic Data is Collected, User/Admin is Notified
Exploits Subvert Authorized Applications
Authorized Application (Vulnerabilities, addressed by Vendor Patches) → Heap Spray → ROP → Utilizing OS Function → Begin Malicious Activity
Malicious activity: Download malware, Activate key logger, Steal critical data, Encrypt hard drive, Destroy data, More…
Traps Blocks Exploit Techniques
Authorized Application → Heap Spray blocked by Traps EPM → No Malicious Activity
Traps Blocks Exploits That Use Unknown Techniques
Authorized Application → Unknown Exploit Technique → ROP blocked by Traps EPM → No Malicious Activity
Preventing One Technique in the Chain will Block the Entire Attack
Traps Blocks Zero-Day Exploits: Actual Zero-Day Exploits That Traps EPMs Block
• CVE-2013-3893 (1): Heap Spray → ROP → Utilizing OS Function; blocked by DLL Security
• CVE-2013-3346 (2): Heap Spray → DEP Circumvention → Utilizing OS Function; blocked by Memory Limit Heap Spray Check / Shellcode Preallocation, UASLR and DLL Security
• CVE-2015-3010 (3): ROP → JIT Spray → Utilizing OS Function; blocked by ROP Mitigation / UASLR, JIT Mitigation, DLL Security and Memory Limit Heap Spray Check
(1) Operation Deputy Dog (CVE-2013-3893) (2) Turla/Snake Campaign (CVE-2013-3346) (3) Forbes Cyber-Espionage Campaign (CVE-2015-0310/0311)
Case Study: Banking Industry Customer
Traps Prevents Unknown and Zero-Day Exploits Without the Benefit of Hindsight.
TIMELINE
• Traps Version 2.3.6 Released
• Traps v2.3.6 deployed; No Updates or Patches Since Installation
• Vulnerability Discovered in Adobe Flash Player (CVE-2015-0359)
• Attackers Attempted to Exploit Vulnerability. Traps Blocked the Attempt.
Traps vs. Top 10 Zero-Day Exploits of 2015
Did Traps Block Zero-Day Exploit?
Discovery Date | Application | Exploit Identifier
January 23, 2015 | Flash | CVE-2015-0311
March 13, 2015 | Flash | CVE-2015-0336
April 14, 2015 | Flash | CVE-2015-3043
June 23, 2015 | Flash | CVE-2015-3113
July 8, 2015 | Flash | CVE-2015-5119
July 14, 2015 | Office | CVE-2015-2424
July 14, 2015 | Flash | CVE-2015-5122
September 8, 2015 | Office | CVE-2015-2545
October 15, 2015 | Flash | CVE-2015-7645
December 28, 2015 | Flash | CVE-2015-8651
Malware Prevention Engine
• Policy-Based Restrictions: Limit surface area of attack; control source of file installation
• WildFire Inspection: Prevent known malware with cloud-based integration
• Malware Techniques Mitigation: Prevent unknown malware with technique-based mitigation
Execution decision flow when a User Attempts to Execute a Program:
1. Check Hash Against Override Policies: Restricted → Block; Allowed → Run; No Match → continue
2. Check Against List of Trusted Publishers: Trusted → Run; No Match → continue
3. Check Hash with WildFire: Malicious → Block (Quarantine Program); Benign → Run; Unknown → Submit Program to WildFire for Analysis, then continue
4. Conduct Static Analysis: Malicious → Block; Benign → continue
5. Check Execution Restrictions: Restricted → Block; Allowed → Run
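The execution decision flow above, worked through as an added Python model (an illustration written for this page, not Palo Alto Networks code). The Policy and Program names, keying verdicts by SHA-256 and modelling execution restrictions as forbidden launch directories are assumptions; the point it shows is the ordering, where an admin override wins over a trusted signer and an unknown hash is submitted for analysis but still goes through the local checks.

```python
# Added illustration of the deck's execution-decision flow; hypothetical model,
# not vendor code. Assumes SHA-256 keyed verdicts and path-based restrictions.
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass
class Policy:
    overrides: dict          # sha256 -> "restricted" | "allowed" (admin override)
    trusted_publishers: set  # signer names the administrator trusts
    wildfire: dict           # sha256 -> "malicious" | "benign" (known verdicts)
    restricted_dirs: tuple   # launch-path prefixes that may not execute

@dataclass
class Program:
    content: bytes
    path: str
    publisher: Optional[str] = None
    static_malicious: bool = False   # outcome of local static analysis

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()

def decide(prog: Program, policy: Policy, submitted: list) -> tuple:
    """Run the checks in the deck's order; return (action, reason)."""
    h = prog.sha256
    # 1. Hash override policies: an admin decision wins over every other check.
    if h in policy.overrides:
        action = "block" if policy.overrides[h] == "restricted" else "run"
        return (action, "override policy")
    # 2. Trusted publisher list: signed by a trusted publisher -> run.
    if prog.publisher in policy.trusted_publishers:
        return ("run", "trusted publisher")
    # 3. WildFire verdict: malicious -> block and quarantine; benign -> run.
    verdict = policy.wildfire.get(h)
    if verdict == "malicious":
        return ("quarantine", "WildFire verdict")
    if verdict == "benign":
        return ("run", "WildFire verdict")
    submitted.append(h)  # unknown hash: submit for cloud analysis, keep checking
    # 4. Local static analysis on the still-unknown file.
    if prog.static_malicious:
        return ("block", "static analysis")
    # 5. Execution restrictions decide the rest (modelled as launch location).
    if prog.path.startswith(policy.restricted_dirs):
        return ("block", "execution restriction")
    return ("run", "execution restrictions allow")
```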
WildFire Demonstrates the Shortcomings of Legacy AV
Just 37.5% of the malware files seen by WildFire each month are detected by the top 6 enterprise AV vendors*.
All Files: 71.9M | Malicious: 5.3M | Detected by AV: 2.0M
*Average monthly values as of January 2016. Source: Palo Alto Networks WildFire and Multi-Scanner
Network Layout
Traps Endpoint Security Manager Architecture
Endpoint Security Manager (ESM) components: Admin Console, Policy Database, Comm. Server, Endpoints
A. Scalable Architecture: Traps Architecture Leverages a Scalable Endpoint Security Manager (ESM)
3-Tier Management Structure:
• ESM Console
• Database
• ESM Servers (each supports 10,000 endpoints & scales horizontally)
Endpoints Running Traps report to the ESM Server(s); the ESM integrates with SIEM / External Logging, Forensic Folder(s), SMTP Alerting and the WildFire Threat Intelligence Cloud. Components may be deployed On Premise or Off Premise.
Flexible, Scalable, with Minimal Footprint
• Footprint: 0.1% CPU Load; 50 MB RAM; 250 MB HD; No scanning
• Platform: Physical & Virtual; All major Windows editions; Protects systems after end-of-support
• Applications: Out-of-the-Box protection for common applications; Extensible to any application
• Management: Central policy management; Full SIEM integration support; Role Based Access Control
Flexible Platform Coverage
Workstations:
• Windows XP* (32-bit, SP3 or later)
• Windows Vista (32-bit, 64-bit, SP1 or later; FIPS mode)
• Windows 7 (32-bit, 64-bit, RTM and SP1; FIPS mode; all editions except Home)
• Windows Embedded 7 (Standard and POSReady)
• Windows 8* (32-bit, 64-bit)
• Windows 8.1 (32-bit, 64-bit; FIPS mode)
• Windows Embedded 8.1 Pro
• Windows 10 Pro (32-bit and 64-bit)
• Windows 10 Enterprise LTSB
Servers:
• Windows Server 2003* (32-bit, SP2 or later)
• Windows Server 2003 R2 (32-bit, SP2 or later)
• Windows Server 2008 (32-bit, 64-bit; FIPS mode)
• Windows Server 2008 R2 (32-bit, 64-bit; FIPS mode)
• Windows Server 2012 (all editions; FIPS mode)
• Windows Server 2012 R2 (all editions; FIPS mode)
* Microsoft no longer supports this operating system.
Virtual Environments: VMware ESX, Citrix XenServer, Oracle VirtualBox, Microsoft Hyper-V
Partner Key Points
Why both endpoint and network prevention
• Network-based prevention provides:
  • Broad, fast coverage for the whole environment
  • Significant reduction in surface area of attack
• Endpoint-based prevention provides:
  • Coverage for attacks that cannot be prevented in the network: attacks that don’t enter through the network, traffic that must be allowed but can’t be decrypted, or content delivered over multiple disassociated connections
  • Coverage when disconnected from the network-based security stack
  • Most importantly: immediate prevention of unknown malware and zero-day exploits
Summary: Traps Benefits
• Prevent Zero-Day Vulnerabilities and Unknown Malware
• Install Patches on Your Own Schedule
• Protect Any Application from Exploits
• Minimal Performance Impact
• Avoid Remediation Costs
• Signatureless, No Frequent Updates
• Network and Cloud Integration
Where to get Further Information?
The PANW Web: Resources / Features / Technology / Initiatives
https://www.paloaltonetworks.com/products/secure-the-endpoint/traps
The Partner Portal: Help Me Sell; Help Me Market
Thank You