Traps: Preventing Security Breaches on the Endpoint
Source: passport.exclusive-networks.it/upload/workdoc/TRAPS Sept 2016.pdf (30 pages)

Transcript

Page 1

Traps: Preventing Security Breaches on the Endpoint

Davide Rivolta – System Engineer – Exclusive Networks

Walter Doria – System Engineer – Palo Alto Networks

Page 2

Delivering the Next-Generation Security Platform

NATIVELY INTEGRATED, EXTENSIBLE, AUTOMATED

NEXT-GENERATION FIREWALL, ADVANCED ENDPOINT PROTECTION, THREAT INTELLIGENCE CLOUD

Palo Alto Networks

We are leading a new era in cybersecurity by protecting thousands of enterprise, government, and service provider networks from cyber threats. Because of our deep expertise, commitment to innovation and game-changing security platform, thousands of customers have chosen us and we are the fastest growing security company in the market.

Traps – Advanced Endpoint Protection

Palo Alto Networks developed a unique approach that prevents all exploit and malware-based attacks, even those based on unknown zero-day vulnerabilities.

Prevent all exploits

Prevent all malware

Forensics of attempted attack

Scalable, lightweight and user friendly

Integrate with network and cloud security

Page 3

The Anatomy of a Targeted Attack

1. Conduct Reconnaissance
2. Compromise Endpoint
3. Establish Control Channel
4. Steal Data / Achieve Objective

The Right Time to Prevent a Security Breach is Before an Attacker Compromises an Endpoint to Gain a Foothold in Your Environment.

Page 4

Malware = Executable Programs that Carry Out Malicious Activity

Exploits = Weaponized Data Files & Content that Subvert Normal Applications

Page 5

Two Primary Methods for Compromising Endpoints

Compromise Endpoint:
• Execute Malicious Programs
• Exploit Software Vulnerabilities

[Chart: coverage of each method by Traditional AV, Host IPS and “Next Gen” AV]

Traditional AV and HIPS Cannot Protect Against Attacks That Haven’t Been Seen Before.

“Next-Gen” AV is More Efficient but Not More Effective.

Page 6

Current endpoint security solutions fall short

• Too easy to bypass current antivirus products

• Over 60% of new malware is undetected by existing AV vendors

• Traditional approach to endpoint security requires prior knowledge of attack

• Patching and HIPS can’t keep up with exploit activity

• Solutions that leverage multiple techniques for detection and prevention are required

Page 7

What is Advanced Endpoint Protection

Advanced Endpoint Protection is a category of security products that provide the following three core capabilities:

1. Prevent Exploits (Known, Unknown/Zero-Day)

2. Prevent Malware (Known, Unknown)

3. Integrated into a Security Platform

Page 8

Traps Blocks Core Exploit Techniques, Not Individual Attacks

All Software and Applications Contain Vulnerabilities: 5,307 New Software Vulnerabilities in 2015*

*Source: CVEDetails.com

Individual Attacks That Exploit New or Unpatched Software Vulnerabilities: 1,000s

Core Exploitation Techniques Used in Attacks: 10-15

Page 9

To Prevent Exploits, Aim at the Root of the Attempt

9 | © 2016, Palo Alto Networks. Confidential and Proprietary.

[Chart: Total Number vs. Time for Patching, Signature / Behavior and Traps]

Patching: Requires Prior Knowledge, Proactive Application

Signature / Behavior: Requires Prior Knowledge of Weaponized Exploits

Traps: Requires No Patching, No Prior Knowledge of Vulnerabilities, and No Signatures

Page 10

Exploit Technique Prevention

When an Exploitation Attempt is Made, the Exploit Hits a Trap and Fails before Any Malicious Activity is Initiated

1. Infected document (PDF) opened by unsuspecting user (Exploit evades Anti-Virus)

2. Traps is seamlessly injected into processes

3. Exploit technique is attempted and blocked by Traps before any malicious activity is initiated

4. Traps reports the event and collects detailed forensics: Process is Terminated, Forensic Data is Collected, User/Admin is Notified

Page 11

Exploits Subvert Authorized Applications

Authorized Application → Vulnerabilities (Vendor Patches) → Heap Spray → ROP → Utilizing OS Function → Begin Malicious Activity

Begin Malicious Activity: Download malware, Steal critical data, Encrypt hard drive, Destroy data, More…

Page 12

Authorized Application → Vulnerabilities (Vendor Patch) → Heap Spray → ROP → Utilizing OS Function → Begin Malicious Activity

Begin Malicious Activity: Activate key logger, Steal critical data, Encrypt hard drive, Destroy data, More…

Page 13

Traps Blocks Exploit Techniques

Authorized Application → Heap Spray → Traps EPM → No Malicious Activity

Page 14

Traps Blocks Exploits That Use Unknown Techniques

Authorized Application → Unknown Exploit Technique → ROP → Traps EPM → No Malicious Activity

Page 15

Preventing One Technique in the Chain will Block the Entire Attack

Traps Blocks Zero-Day Exploits: Actual Zero-Day Exploits That Traps EPMs Block

CVE-2013-3893¹: Heap Spray → ROP → Utilizing OS Function
  Traps EPMs: Memory Limit Heap Spray Check; ROP Mitigation / UASLR; DLL Security

CVE-2013-3346²: Heap Spray → DEP Circumvention → Utilizing OS Function
  Traps EPMs: Memory Limit Heap Spray Check / Shellcode Preallocation; UASLR; DLL Security

CVE-2015-3010³: ROP → JIT Spray → Utilizing OS Function
  Traps EPMs: ROP Mitigation; JIT Mitigation; DLL Security

1 Operation Deputy Dog (CVE-2013-3893) 2 Turla/Snake Campaign (CVE-2013-3346) 3 Forbes Cyber-Espionage Campaign (CVE-2015-0310/0311)

Page 16

Case Study: Banking Industry Customer

Traps Prevents Unknown and Zero-Day Exploits Without the Benefit of Hindsight.

TIMELINE

Traps Version 2.3.6 Released

No Updates or Patches Since Installation (Traps v2.3.6)

Vulnerability Discovered in Adobe Flash Player (CVE-2015-0359)

Attackers Attempted to Exploit Vulnerability. Traps Blocked the Attempt.

Page 17

Traps vs. Top 10 Zero-Day Exploits of 2015

Discovery Date | Application | Exploit Identifier | Did Traps Block Zero-Day Exploit?

January 23, 2015 | Flash | CVE-2015-0311 |
March 13, 2015 | Flash | CVE-2015-0336 |
April 14, 2015 | Flash | CVE-2015-3043 |
June 23, 2015 | Flash | CVE-2015-3113 |
July 8, 2015 | Flash | CVE-2015-5119 |
July 14, 2015 | Office | CVE-2015-2424 |
July 14, 2015 | Flash | CVE-2015-5122 |
September 8, 2015 | Office | CVE-2015-2545 |
October 15, 2015 | Flash | CVE-2015-7645 |
December 28, 2015 | Flash | CVE-2015-8651 |

Page 18

Malware Prevention Engine

Policy-Based Restrictions: Limit surface area of attack, control source of file installation

WildFire Inspection: Prevent known malware with cloud-based integration

Malware Techniques Mitigation: Prevent unknown malware with technique-based mitigation

Page 19

User Attempts to Execute a Program

1. Check Hash Against Override Policies: Restricted → Block ×; Allowed → Run ✓; No Match → next check

2. Check Against List of Trusted Publishers: Trusted → Run ✓; No Match → next check

3. Check Hash with WildFire: Malicious → Block ×; Benign → Run ✓; Unknown → Submit Program to WildFire for Analysis

4. Conduct Static Analysis: Malicious → Block × / Quarantine Program; Benign → Run ✓

5. Check Execution Restrictions: Restricted → Block ×; Allowed → Run ✓
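The staged verdict flow on this slide, modelled in Python as an added example (not Palo Alto Networks code): each check returns Block, Run, or no verdict, and the first definite verdict wins, so an administrator's override outranks a trusted publisher and a cached WildFire verdict outranks local static analysis. The class and function names, the sample hashes, paths and publisher name, and the temp-directory execution restriction are constructed for illustration; the fall-through order is my reading of the slide.

```python
"""Staged execution-verdict pipeline modelled on the Traps malware-prevention flow.

Added example, not Palo Alto Networks code. Stage order and verdict labels
(Restricted, Allowed, Trusted, Malicious, Benign, Unknown) follow the slide;
the classes, fall-through rules, sample hashes, paths and publisher names
are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

BLOCK, RUN = "Block", "Run"


@dataclass
class Program:
    path: str
    sha256: str                      # constructed placeholder, not a real file hash
    publisher: Optional[str] = None  # signer name, None when unsigned
    static_malicious: bool = False   # stand-in for a static-analysis result


@dataclass
class Engine:
    override_policies: Dict[str, str]                # hash -> "Restricted" | "Allowed"
    trusted_publishers: Set[str]
    wildfire_verdicts: Dict[str, str]                # hash -> "Malicious" | "Benign"
    execution_restriction: Callable[[Program], str]  # Program -> "Restricted" | "Allowed"
    submitted: List[str] = field(default_factory=list)    # hashes sent for analysis
    quarantined: List[str] = field(default_factory=list)  # hashes quarantined

    # Each stage returns Block, Run, or None ("No Match" / "Unknown": fall through).
    def check_override_policies(self, p: Program) -> Optional[str]:
        verdict = self.override_policies.get(p.sha256)
        return {"Restricted": BLOCK, "Allowed": RUN}.get(verdict)

    def check_trusted_publishers(self, p: Program) -> Optional[str]:
        return RUN if p.publisher in self.trusted_publishers else None

    def check_wildfire_hash(self, p: Program) -> Optional[str]:
        verdict = self.wildfire_verdicts.get(p.sha256)
        if verdict is None:                      # Unknown: submit for analysis
            self.submitted.append(p.sha256)
            return None
        return BLOCK if verdict == "Malicious" else RUN

    def conduct_static_analysis(self, p: Program) -> Optional[str]:
        if p.static_malicious:                   # malicious: block and quarantine
            self.quarantined.append(p.sha256)
            return BLOCK
        return None                              # benign: the last stage decides

    def check_execution_restrictions(self, p: Program) -> str:
        return BLOCK if self.execution_restriction(p) == "Restricted" else RUN

    def decide(self, p: Program) -> Tuple[str, str]:
        """Return (verdict, deciding stage); the first stage with a verdict wins."""
        stages = (self.check_override_policies, self.check_trusted_publishers,
                  self.check_wildfire_hash, self.conduct_static_analysis,
                  self.check_execution_restrictions)
        for stage in stages:
            verdict = stage(p)
            if verdict is not None:
                return verdict, stage.__name__
        raise AssertionError("the final stage always returns a verdict")


def build_sample_engine() -> Engine:
    """Constructed policy data for the demonstration."""
    return Engine(
        override_policies={"hash-blocked-by-admin": "Restricted",
                           "hash-allowed-by-admin": "Allowed"},
        trusted_publishers={"Example Trusted Vendor"},
        wildfire_verdicts={"hash-known-malicious": "Malicious",
                           "hash-known-benign": "Benign"},
        # constructed restriction rule: no execution out of temp directories
        execution_restriction=lambda p: "Restricted" if "\\temp\\" in p.path.lower() else "Allowed",
    )


SAMPLE_PROGRAMS = [  # constructed sample executions
    Program(r"C:\Tools\old-agent.exe", "hash-blocked-by-admin", "Example Trusted Vendor"),
    Program(r"C:\Program Files\Vendor\app.exe", "hash-signed-app", "Example Trusted Vendor"),
    Program(r"C:\Users\alice\Downloads\invoice.exe", "hash-known-malicious"),
    Program(r"C:\Users\alice\Downloads\new-sample.exe", "hash-unknown-bad", static_malicious=True),
    Program(r"C:\Users\alice\AppData\Local\Temp\setup.exe", "hash-unknown-temp"),
    Program(r"C:\Users\alice\Documents\tool.exe", "hash-unknown-ok"),
]


def evaluate_all(engine: Engine) -> Dict[str, Tuple[str, str]]:
    """Run every sample program through the engine, keyed by path."""
    return {p.path: engine.decide(p) for p in SAMPLE_PROGRAMS}


if __name__ == "__main__":
    eng = build_sample_engine()
    for path, (verdict, stage) in evaluate_all(eng).items():
        print(f"{verdict:5} {stage:28} {path}")
```

The first sample is signed by the trusted publisher yet still blocked, because the override stage runs first; the unknown samples all appear in `submitted`, and only the one that static analysis flags is quarantined.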

Page 20

WildFire Demonstrates the Shortcomings of Legacy AV

Just 37.5% of the malware files seen by WildFire each month are detected by the top 6 enterprise AV vendors*.

All Files: 71.9M
Malicious: 5.3M
Detected by AV: 2.0M

*Average monthly values as of January 2016. Source: Palo Alto Networks WildFire and Multi-Scanner

Page 21

Network Layout

Page 22

Traps Endpoint Security Manager Architecture

Endpoint Security Manager (ESM): Admin Console, Policy Database, Comm. Server, Endpoints

Page 23

A. Scalable Architecture: Traps Architecture Leverages a Scalable Endpoint Security Manager (ESM)

Endpoint Security Manager (ESM) components: ESM Server(s), Forensic Folder(s), SIEM / External Logging, SMTP Alerting (@), Endpoints Running Traps, WildFire Threat Intelligence Cloud

Deployment: On Premise / Off Premise

3-Tier Management Structure: ESM Console, Database, ESM Servers (each supports 10,000 endpoints & scales horizontally)

Page 24

Flexible, Scalable, with Minimal Footprint

Footprint: 0.1% CPU Load, 50 MB RAM, 250 MB HD, No scanning

Platform: Physical & Virtual; All major Windows editions; Protects systems after end-of-support

Applications: Out-of-the-Box protection for common applications; Extensible to any application

Management: Central policy management; Full SIEM integration support; Role Based Access Control

Page 25

Flexible Platform Coverage

Workstations:
Windows XP* (32-bit, SP3 or later)
Windows Vista (32-bit, 64-bit, SP1 or later; FIPS mode)
Windows 7 (32-bit, 64-bit, RTM and SP1; FIPS mode; all editions except Home)
Windows Embedded 7 (Standard and POSReady)
Windows 8* (32-bit, 64-bit)
Windows 8.1 (32-bit, 64-bit; FIPS mode)
Windows Embedded 8.1 Pro
Windows 10 Pro (32-bit and 64-bit)
Windows 10 Enterprise LTSB

Servers:
Windows Server 2003* (32-bit, SP2 or later)
Windows Server 2003 R2 (32-bit, SP2 or later)
Windows Server 2008 (32-bit, 64-bit; FIPS mode)
Windows Server 2008 R2 (32-bit, 64-bit; FIPS mode)
Windows Server 2012 (all editions; FIPS mode)
Windows Server 2012 R2 (all editions; FIPS mode)

* Microsoft no longer supports this operating system.

Virtual Environments: VMware ESX, Citrix XenServer, Oracle Virtualbox, Microsoft Hyper-V

Page 26

Partners Keypoints

Page 27

Why both endpoint and network prevention

• Network-based prevention provides:
  • Broad, fast coverage for whole environment
  • Significant reduction in surface area of attack

• Endpoint-based prevention provides:
  • Coverage for attacks that cannot be prevented in the network: attacks that don’t enter through the network, traffic that must be allowed but can’t be decrypted, or attacks delivered over multiple disassociated connections
  • Coverage when disconnected from network-based security stack
  • Most importantly: immediate prevention of unknown malware and zero-day exploits

Page 28

Summary: Traps Benefits

• Prevent Zero-Day Vulnerabilities and Unknown Malware
• Install Patches on Your Own Schedule
• Protect Any Application from Exploits
• Minimal Performance Impact
• Avoid Remediation Costs
• Signatureless, No Frequent Updates
• Network and Cloud integration

Page 29

Where to get Further Information?

The PANW Web: Resources / Features / Technology / Initiatives
https://www.paloaltonetworks.com/products/secure-the-endpoint/traps

The Partner Portal: Help Me Sell, Help Me Market

Page 30

Thank You