Next-generation enterprise security platform Walter Doria

Next-generation enterprise security platformpassport.exclusive-networks.it/upload/workdoc... · Next-generation enterprise security platform Walter Doria . Why do you need network,

Jun 03, 2020

Transcript

Page 1

Next-generation enterprise security platform

Walter Doria

Page 2

Why do you need network, endpoint, and cloud working together?

Page 3

The network is best for identifying and controlling all traffic, preventing known threats, and gathering context for analytics.

Limitation: the network is not the target; therefore it only sees data in transit, which limits zero-day attack prevention.

Page 4

The endpoint is the best location to prevent zero-day attacks and gather initial forensics information.

Limitations: it's safer to prevent the attack before it reaches the target; mobile operating systems limit endpoint capabilities.

Page 5

The cloud is best for gathering information, analyzing, correlating, and disseminating intelligence back to the enforcement points.

Limitations: the cloud is only as good as the data it receives and does not actually do prevention on its own.

Page 6

Platform approach

Next-Generation Threat Cloud
• Gathers potential threats from network and endpoints
• Analyzes and correlates threat intelligence
• Disseminates threat intelligence to network and endpoints

Next-Generation Endpoint
• Inspects all processes and files
• Prevents both known & unknown exploits
• Integrates with cloud to prevent known & unknown malware

Next-Generation Firewall
• Inspects all traffic
• Blocks known threats
• Sends unknown to cloud
• Extensible to mobile & virtual networks

Page 7

Next-generation enterprise security platform

① Prevents attacks, even attacks seen for the first time

② Protects all users and applications, including mobile and virtualized

③ Seamlessly combines network and endpoint security, as each has unique strengths

④ Provides rapid analysis of new threats

Page 8

Attacks are developed to be hidden

Legitimate traffic and malware: encryption, tunneling, polymorphic malware

Attacking the base security: once a CnC channel is established, traffic from outside is implicitly allowed

An attack lifecycle

• Exploits are delivered over the network (evasion: encryption, fragmentation)
• Malware is delivered over the network (evasion: re-encoded and targeted malware)
• Malware communicates over the network (evasion: proxies, tunneling, encryption, custom traffic)

Diagram stages: Exploits → Malware → Spyware, C&C

Page 9

WildFire Architecture

• Threat Prevention and file scanning at 10 Gbps
• Web, email, FTP and SMB
• Cloud Analysis
• New signature based on a new malware
• Anti-malware stream engine updating every 15 min

Page 10

An integrated approach

Firewall features (stacked on the slide): App-ID, URL, IPS, Threat License, Spyware, AV, Files, WildFire

Attack stages: Bait the end-user → Exploit → Download Backdoor → Establish Back-Channel → Explore & Steal

Protections:
• Block high-risk apps
• Block known malware sites
• Block exploits
• Prevent drive-by download of unknown malware
• Block malware
• Block spyware and C&C traffic
• Block C&C on non-standard ports
• Block malware and fast-flux domains
• Block unknown C&C traffic

Coordinated analysis to identify and block known and unknown exploits, malware and threats

Page 11

Advanced threats require a solution, not point products

1. Reduce the attack surface
• Whitelist applications or block high-risk apps
• Block known viruses, exploits
• Block commonly exploited file types

2. Detect the unknown
• Analysis of all application traffic
• SSL decryption
• WildFire sandboxing of exploitive files

3. Create new protections
Detection and blocking of C&C via:
• Bad domains in DNS traffic
• URLs (PAN-DB)
• C&C signatures (anti-spyware)

Diagram labels: Command/Control; Client Exploit; HTTP; SSL; DNS; URL / C&C; EXE, Java, .LNK, DLL; Known viruses and exploits; High-risk applications; Successful spear-phishing email; Post-compromise activity; Failed attempts
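The C&C controls listed above (bad domains in DNS traffic, known-bad URLs, C&C signatures), together with the "C&C on non-standard ports" and "fast-flux domains" checks from the preceding slide, as an added Python example. This is not code from the deck and not Palo Alto Networks code: the key=value log format, the blocklists, the App-ID-to-port table and the fast-flux thresholds are all constructed for the example, and a real firewall log would first be mapped into the same fields.

```python
"""Added example (not from the deck, not Palo Alto Networks code): applying the
C&C controls from the slides to constructed firewall-style log lines.
Log format, blocklists, thresholds and the App-ID-to-port table are all
constructed assumptions for this example."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed stand-ins for the DNS blocklist, the malware URL category and
# the "which ports are normal for this application" knowledge of an App-ID engine.
BAD_DOMAINS = {"cnc.example.invalid"}
BAD_URL_HOSTS = {"bad.example.invalid"}
STANDARD_PORTS = {"web-browsing": {80, 8080}, "ssl": {443}, "dns": {53}}

# Constructed sample log: one record per line as key=value pairs.
SAMPLE_LOGS = """\
type=dns src=10.1.1.20 qname=www.example.invalid ttl=3600 answer=198.51.100.10
type=dns src=10.1.1.21 qname=cnc.example.invalid ttl=60 answer=203.0.113.5
type=dns src=10.1.1.22 qname=rotate.example.invalid ttl=30 answer=203.0.113.10
type=dns src=10.1.1.22 qname=rotate.example.invalid ttl=30 answer=203.0.113.11
type=dns src=10.1.1.23 qname=rotate.example.invalid ttl=30 answer=203.0.113.12
type=dns src=10.1.1.24 qname=rotate.example.invalid ttl=30 answer=203.0.113.13
type=traffic src=10.1.1.25 dst=203.0.113.5 dport=4444 app=web-browsing
type=traffic src=10.1.1.26 dst=198.51.100.20 dport=443 app=ssl
type=url src=10.1.1.27 url=http://bad.example.invalid/ref?d8ca2
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_logs(text):
    """Turn each 'key=value ...' line into a dict, skipping blank lines."""
    return [dict(FIELD_RE.findall(line)) for line in text.splitlines() if line.strip()]


def known_bad_domain(rec):
    """DNS query for a domain on the C&C blocklist."""
    if rec.get("type") == "dns" and rec.get("qname") in BAD_DOMAINS:
        return {"kind": "known-bad-domain", "src": rec["src"], "detail": rec["qname"]}
    return None


def app_port_mismatch(rec):
    """Application identified by content but carried on a port it normally
    does not use: the 'C&C on non-standard ports' case."""
    if rec.get("type") != "traffic":
        return None
    expected = STANDARD_PORTS.get(rec.get("app"))
    port = int(rec.get("dport", 0))
    if expected and port not in expected:
        return {"kind": "app-port-mismatch", "src": rec["src"],
                "detail": f"{rec['app']} on tcp/{port}"}
    return None


def known_bad_url(rec):
    """URL whose host is in the malware URL category."""
    if rec.get("type") != "url":
        return None
    if urlsplit(rec["url"]).hostname in BAD_URL_HOSTS:
        return {"kind": "known-bad-url", "src": rec["src"], "detail": rec["url"]}
    return None


def fast_flux_candidates(records, min_ips=4, max_ttl=300):
    """Domains whose short-TTL answers rotate across many distinct IPs.
    Thresholds are constructed; tune them against your own DNS baseline."""
    answers = defaultdict(set)
    for rec in records:
        if rec.get("type") == "dns" and int(rec.get("ttl", 10**9)) <= max_ttl:
            answers[rec["qname"]].add(rec["answer"])
    return {d: ips for d, ips in answers.items() if len(ips) >= min_ips}


def detect(text):
    """Run every per-record check, then the cross-record fast-flux check."""
    records = parse_logs(text)
    findings = []
    for rec in records:
        for check in (known_bad_domain, app_port_mismatch, known_bad_url):
            finding = check(rec)
            if finding:
                findings.append(finding)
    for domain, ips in sorted(fast_flux_candidates(records).items()):
        findings.append({"kind": "fast-flux-candidate", "src": domain,
                         "detail": f"{len(ips)} distinct IPs with TTL <= 300s"})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS):
        print(f"{f['kind']:22} {f['src']:24} {f['detail']}")
```

The per-record checks are the cheap ones a firewall can apply inline; the fast-flux check needs a window of DNS answers and is the kind of correlation the slides place in the cloud or a log analytics tier. Any finding of the first three kinds is a candidate for an immediate block, while a fast-flux candidate is a lead to confirm against a wider baseline before a signature is created.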

Page 12

Scaling the threat cloud

On a typical day, WildFire receives over 280,000 unique files
• 11,600 every hour
• 195 every minute
• 3 every second

From those unknowns, about 30,000 are new malware
• >70% not detected by any of the leading AV software

On average, each file is processed in less than 6 minutes
• Even as the number of files has quadrupled

(6.0 Released)

Page 13

WildFire subscription benefits

Table columns on the slide: WildFire | WildFire Subscription

Rows:
• WildFire analysis of PE files
• Daily signature feed (Threat Prevention subscription required)
• WildFire logs integrated within PAN-OS
• WildFire analysis of all other file types (PDF, MS Office, Java, Flash, APK*)
• WildFire analysis of potentially malicious email links*
• 15-minute WildFire AV signature updates
• WildFire Cloud API key
• Use of WF-500

*APK and email link analysis not available on WF-500

Page 14

How To Read WildFire Events

Page 15

WildFire Submission Log

Monitor tab > WildFire Submissions

Page 16

WildFire Submission Log Details

WildFire Log Details Tab

Page 17

WildFire Analysis Report

WildFire Analysis Report Tab

Page 18

WildFire Analysis Report

WildFire Analysis Report Tab: Pcap download

Page 19

WildFire Analysis Report

WildFire Analysis Report Tab: Host activity

Page 20

WildFire Analysis Report

WildFire Analysis Report Tab: File activity

Page 21

WildFire Analysis Report

WildFire Analysis Report Tab: Submit malware and report incorrect verdicts

Page 22

Summary: Key Benefits of Palo Alto Networks Solution

Our unique approach makes us the only solution that…

• Scans ALL applications (including SSL traffic) to secure all avenues in/out of a network, reduce the attack surface area, and provide context for forensics
• Prevents attacks across ALL attack vectors (exploit, malware, DNS, command & control, and URL) with content-based signatures
• Detects zero-day malware & exploits using public/private cloud and automatically creates signatures for the global customer base

Page 23

6.1 WildFire Enhancements

Page 24

New on 6.1 release

• Signature Generation on the WF-500
• Email Link Analysis
• Email Header Information
• 15 min signature updates
• API Limit Increased
• Integration with TRAPS
• Analysis of web-based Adobe Flash files
• Windows 7 64-bit analysis VM

Page 25

Extending Signature Generation Capabilities to WF-500

Generate local malware and command-and-control signatures directly on the WildFire appliance.

Provides 3 types of protection:
• Antivirus signatures – prevent malware downloads
• DNS signatures – block command-and-control traffic
• URL malware categorization – block command-and-control traffic

Distribute local WF-500 signatures to all PAN-OS firewalls across the network for consistent network protection.

Diagram labels: DNS, URL, AV; Local WildFire Appliance

Page 26

Identify and Protect Against Malicious Email Links

PAN-OS firewalls detect and send web links in suspicious emails to WildFire.

WildFire visits the webpage and analyzes the traffic to detect exploits and malware.

Prevent patient-0 from getting compromised by quickly adding the URL to PAN-DB.

Quickly identify targeted users and machines via email headers and integration with User-ID.

Only available in the WildFire Cloud.

Diagram labels: WildFire; http://comp-intra.net/ref?d8ca2; Mail server; Compromised host; URL; Exploit; BLOCK

Page 27

Email Header Information

Configure the User-ID option to enable the firewall to match User-ID information with the email header information identified in email links and email attachments that are forwarded to WildFire.

When a match occurs, the user name in the email header section of the WildFire log will contain a link that, when clicked, brings up the ACC filtered by that user or group of users.

"Email Session" or "Email Protocol" refers to SMTP and POP3 only.
• If used over SSL, decryption will be required
• IMAP is not supported at this time

Diagram labels: WildFire; Sender/Receiver; Subject; Fields; Mail server; Compromised host; URL / Attachments; Exploit; BLOCK
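The items the two preceding slides say the firewall forwards to WildFire (web links and attachments from an SMTP/POP3 session) and the header fields it matches against User-ID (sender, receiver, subject), extracted from a constructed message in an added Python example. This is not code from the deck and not Palo Alto Networks code: the message, the link hosts, the attachment and the `USER_ID_MAP` lookup standing in for the User-ID integration are all constructed for the example.

```python
"""Added example (not from the deck, not Palo Alto Networks code): pulling
out of an email the items the slides say the firewall forwards to WildFire
(web links and attachments) and the header fields it matches against User-ID
(sender, receiver, subject). The message, link hosts, attachment and the
User-ID map are constructed for this example."""
import hashlib
import re
from email import message_from_string
from email.policy import default

# Constructed message: an HTML body with two links and one PDF attachment.
RAW_EMAIL = """\
From: accounts@partner.example.invalid
To: alice@corp.example.invalid
Subject: Invoice 4471 overdue
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Please review <a href="http://comp-intra.example.invalid/ref?d8ca2">your invoice</a>
or the copy at https://files.example.invalid/inv/4471.pdf.</p></body></html>
--b1
Content-Type: application/pdf; name="invoice-4471.pdf"
Content-Disposition: attachment; filename="invoice-4471.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQKJcfsj6IK
--b1--
"""

# Constructed stand-in for the address-to-user mapping User-ID would provide.
USER_ID_MAP = {"alice@corp.example.invalid": "corp\\alice"}

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")


def extract_links(text):
    """All http(s) URLs in a text or HTML body, trailing punctuation removed,
    in first-seen order without duplicates."""
    links = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;")
        if url not in links:
            links.append(url)
    return links


def extract_submission(raw):
    """Build the record a link/attachment submission would carry."""
    msg = message_from_string(raw, policy=default)
    links, attachments = [], []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_content_disposition() == "attachment":
            payload = part.get_payload(decode=True)  # decoded bytes of the file
            attachments.append({"filename": part.get_filename(),
                                "content_type": part.get_content_type(),
                                "sha256": hashlib.sha256(payload).hexdigest()})
        elif part.get_content_type() in ("text/plain", "text/html"):
            for url in extract_links(part.get_content()):
                if url not in links:
                    links.append(url)
    receiver = str(msg["To"])
    return {
        "sender": str(msg["From"]),
        "receiver": receiver,
        "subject": str(msg["Subject"]),
        "links": links,
        "attachments": attachments,
        # The User-ID match the slide describes: header address -> directory user.
        "targeted_user": USER_ID_MAP.get(receiver),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(extract_submission(RAW_EMAIL))
```

The sender, receiver and subject are exactly the fields the slide lists ("Sender/Receiver; Subject; Fields"), and the `targeted_user` lookup is the step that turns a mailbox address into the user the ACC can be filtered by. The attachment hash is what a verdict lookup would key on, so the same file is not resubmitted for every recipient. The slide's caveat applies unchanged: the firewall only sees these headers on SMTP and POP3, and only after SSL decryption when the session is encrypted.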

Page 28

WildFire Analysis Report

Page 29

WildFire Cloud Updates

WildFire Signature Updates
- Are now every 15 minutes

WildFire API Limits Increased
- Are now 1,000 uploads a day (previously 100)
- Are now 10,000 queries a day (previously 1,000)

Page 30

Additional WildFire Enhancements

New daily content updates for the WF-500 provide additional cloud intelligence
• The content updates help improve WF-500 analysis accuracy by providing daily updates to trusted code signing certificates, domains, file hashes, and other useful information
• Just as with PAN-OS content, the WF-500 content packages can be automatically downloaded and installed, or manually downloaded and installed to the WF-500

WildFire API on the WF-500 to support automation and 3rd party integrations

Support for Palo Alto Networks Traps advanced endpoint protection product

Page 31

Page 32

DEMO