What’s Next for Network Security - Visibility is king!
Gøran Tømte
March 2013
Technology Sprawl and Creep Aren’t the Answer
• “More stuff” doesn’t solve the problem
• Firewall “helpers” have limited view of traffic
• Complex and costly to buy and maintain
• Doesn’t address applications
(Diagram: an Enterprise Network connected to the Internet through a chain of firewall “helpers” - IM, DLP, IPS, Proxy, URL, AV - and a UTM appliance.)
2 | ©2012, Palo Alto Networks. Confidential and Proprietary.
Applications Have Changed, Firewalls Haven’t
Network security policy is enforced at the firewall:
• Sees all traffic
• Defines boundary
• Enables access
Traditional firewalls don’t work any more.
Core functions of a next-generation firewall
1. Identify applications regardless of port, protocol, evasive tactic or SSL
2. Identify and control users regardless of IP address, location, or device
3. Protect against known and unknown application-borne threats
4. Fine-grained visibility and policy control over application access / functionality
5. Multi-gigabit, low latency, in-line deployment
Making the firewall a business enablement tool
Applications: Enablement begins with application classification by App-ID.
Users: Tying users and devices, regardless of location, to applications with User-ID and GlobalProtect.
Content: Scanning content and protecting against all threats, both known and unknown, with Content-ID and WildFire.
All Apps, All ports, All users, All the time
Signature, protocol and evasive tactic based App-ID. Examples:
• Skype
• Bittorrent, p2p
• SSL
• Etc.
The unknown! Scary hah?
• Unknown applications: control them
• Unknown users: control them
• Unknown threats: control them
Addressing Modern Malware
(Chart: “Daily AV Coverage Rates for Newly Released Malware (50 Samples)” / “New Malware Coverage Rate by Top 5 AV Vendors”. Y-axis: malware sample count, shown as 0%–100% of the samples; x-axis: Day-0 through Day-6 after release; series: how many of the top 5 AV vendors covered the sample, from 0 vendors to 5 vendors.)
The lifecycle of network attacks
1. Bait the end-user: End-user lured to a dangerous application or website containing malicious content
2. Exploit: Infected content exploits the end-user, often without their knowledge
3. Download Backdoor: Secondary payload is downloaded in the background. Malware installed
4. Establish Back-Channel: Malware establishes an outbound connection to the attacker for ongoing control
5. Explore & Steal: Remote attacker has control inside the network and escalates the attack
Coordinated Threat Prevention: An integrated approach to threat prevention
(Matrix slide: the lifecycle stages - Bait the end-user, Exploit, Download Backdoor, Establish Back-Channel, Explore & Steal - set against the enforcement technologies App-ID, URL, IPS, Spyware, AV, Files and WildFire.)
Controls shown in the matrix:
• Block high-risk apps
• Block known malware sites
• Block the exploit
• Prevent drive-by-downloads
• Detect unknown malware
• Block malware
• Block spyware, C&C traffic
• Block C&C on non-standard ports
• Block malware, fast-flux domains
• Block new C&C traffic
Coordinated intelligence to detect and block active attacks based on signatures, sources and behaviors.
Real-World Spread of 0-Day Malware
(Chart: Attempted Malware Infections, 0 to 10,000, plotted per hour for hours 1 through 48 after the initial infection.)
• Analysis of 50 0-Day malware samples
• Captured by WildFire in live customer networks
• Tracked the spread and number of infections by hour following the initial infection
Real-World Spread of 0-Day Malware
(Same chart: Attempted Malware Infections, 0 to 10,000, per hour for hours 1 through 48, annotated with the WildFire Subscription.)
Of the infections that occur in the first two days after malware is released, 95% occur in the first 24 hours.
WildFire Architecture
• 10 Gbps Threat Prevention and file scanning
• All traffic, all ports
• Web, email, FTP and SMB
• Running in the cloud lets the malware do things that you wouldn’t allow in your network.
• Updates to sandbox logic without impacting the customer
• Malware signatures developed and tested based on malware payload.
• Stream-based malware engine to perform true inline enforcement.
Malware Visibility and Logging
WildFire:
• 1,300+ companies using WildFire
• 417,448 unique files scanned in January
• 28,612 new malware files found in January using WildFire
• 13,233 (46%) malware not initially detected by top host AV products
Palo Alto Networks in the DataCenter
Enabling Applications, Users and Content
Applications: Safe enablement begins with application classification by App-ID.
Users: Tying users and devices, regardless of location, to applications with User-ID and GlobalProtect.
Content: Scanning content and protecting against all threats, both known and unknown, with Content-ID and WildFire.
Data Center Evolution
Many Third Parties Reach Same Conclusion
• Gartner Enterprise Network Firewall Magic Quadrant: Palo Alto Networks leading the market
• Forrester IPS Market Overview: Strong IPS solution; demonstrates effective consolidation
• NetworkWorld Test: Most stringent NGFW test to date; validated sustained performance
• NSS Tests:
  IPS: Palo Alto Networks NGFW tested against competitors’ standalone IPS devices; NSS Recommended
  Firewall: Traditional port-based firewall test; Palo Alto Networks most efficient by a wide margin; NSS Recommended
  NGFW: Palo Alto Networks provides the best combination of protection, performance, and value; NSS Recommended (1 of only 3 NGFW recommended)
Say no more!!! In the Leaders quadrant
A crisp focus on enterprise NGFW features and messaging is viewed positively by firewall operators in enterprises.
Most firewall vendor road maps are following the Palo Alto Networks NGFW road map, placing these vendors at a competitive disadvantage.
Next Generation Customer meeting, Ultimate Test Drive
Ultimate Test Drive
• A half-day “hands-on” session
• A PA-200 is raffled among the participants
• An Audi driving school is raffled once every quarter
Thank You