PALO ALTO NETWORKS Cyber Threats Hunting: how relevant are you? Jerry Chiang, Palo Alto Networks Malaysia
Aug 20, 2018

Download

Documents

tranliem
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Page 1: PALO ALTO NETWORKS - Tanjung Network · PALO ALTO NETWORKS Cyber Threats Hunting how relevant are you? Jerry Chiang Paloalto Networks Malaysia

PALO ALTO NETWORKS Cyber Threats Hunting how relevant are you?

Jerry Chiang

Paloalto Networks Malaysia

Page 2:

2 | © 2015, Palo Alto Networks. Confidential and Proprietary.

Page 3:

Customer Technologies Choices

CYBERscape: The Cybersecurity Landscape. The Security Sector Is Dynamic And Vast. We Are Ceaseless & Vigilant In Our Coverage.

• Network Security

• Network Firewall

• Network Monitoring/Forensics

• Intrusion Prevention Systems

• Unified Threat Management

• Managed Security Service Provider

• Messaging Security

• Application Security

• WAF & Application Security

• Vulnerability Assessment

• Endpoint Security

• Endpoint Prevention

• Endpoint Detection & Response

• Specialized Threat Analysis & Protection

• Cloud Security

• Fraud Prevention / Transaction Security

• Identity & Access Management

• Web Security

• Risk & Compliance

• Threat Intelligence

• Industrial / IoT Security

• Mobile Security

• Data Security

• Security Incident Response

• SIEM

• Security Operations & Incident Response

Source: Momentum Partners.

Page 4:

Failure of legacy security architectures

Diagram: an Enterprise Network behind an Internet Connection and UTM/Blades, surrounded by point products from four vendors (Vendor 1 to Vendor 4): Anti-APT for port 80 APTs, Anti-APT for port 25 APTs, Anti-APT cloud, Endpoint AV, Network AV, DNS protection cloud, DNS protection for outbound DNS, and a Malware Intelligence feed. Each product raises its own separate stream of DNS, Endpoint, AV, SMTP and Web alerts.

Limited visibility. Manual response. Lacks correlation.

Page 5:

Security framework

Page 6:

• All applications

• All users

• All content

• Encrypted traffic

• SaaS

• Cloud

• Mobile

• Enable business apps

• Block “bad” apps

• Limit app functions

• Limit file types

• Block websites

• Exploits

• Malware

• Command & control

• Malicious websites

• Bad domains

• Stolen credentials

• Dynamic analysis

• Static analysis

• Attack techniques

• Anomaly detection

• Analytics

Page 7:

Session context (first example transaction):

• Size: 344 KB

• URL category: file-sharing

• File type: PowerPoint

• Content: “Confidential and Proprietary”

• User: mjacobsen

• Group: prodmgmt

• Destination country: canada

• Source IP: 172.16.1.10

• Destination IP: 64.81.2.23

• Destination port: TCP/443

• Protocols: SSL, HTTP

• Application: slideshare

• Application function: slideshare-uploading

Page 8:

Session context (second example transaction):

• Size: 344 KB

• URL category: unknown

• File type: EXE

• File name: shipment.exe

• User: stomlinson

• Group: finance

• Destination country: china

• Source IP: 172.16.1.10

• Destination IP: 64.81.2.23

• Destination port: TCP/443

• Protocols: SSL, HTTP

• Application: web-browsing

Page 9:

Our Approach: Seek First to Understand. The Power of Context

• classify all traffic to the application level, even encrypted traffic

• determine who (users)

• continually update this understanding, which includes content inspection

Page 10:

Then Enforce Better Decisions Based on Full Situational Awareness

• a positive enforcement model

• stepwise refinement

• systematic management of unknown

Diagram: a document transfer (“document xfer”) by Fred (finance group), plus other context, is first Fully Understood (Enables), then Enforced: Allow, or Deny, or Allow, but: scan for threats, block files, per schedule, etc.

Page 11:

A Fundamentally Different Architecture

Diagram, Competitors: Sequential Filtering. Port Classification, then an Application Classification filter + a File Classification filter + a Threat Matching filter + etc., with User and L1-4 context re-read at every stage and the outcome still marked “?”.

Diagram, Palo Alto Networks: Single Pass. Full Classification (Application, User, L1-4) followed by Full Enforcement: Done.

Page 12:

Why Does This Matter? A Specific Scenario

Applications: Web Browsing, Cloud Backup, SharePoint Online

Desired Policy (per application): Block all file types, Allow all file types, Block only Executables

We Can Do This!
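As an added example (not code from the deck or from Palo Alto Networks), here is a small positive-enforcement policy evaluated in a single pass over the full session context of the two transactions shown on pages 7 and 8, with per-application file-type and content rules in the style of pages 10 and 12. The rule format, the field names and the policy itself are this example's own assumptions.

```python
from dataclasses import dataclass, field

# Constructed session records, taken from the context fields shown on pages 7 and 8
# (only the fields the policy below consults are kept).
SESSIONS = {
    "page7": {"app": "slideshare", "user": "mjacobsen", "group": "prodmgmt",
              "file_type": "PowerPoint", "content": {"Confidential and Proprietary"}},
    "page8": {"app": "web-browsing", "user": "stomlinson", "group": "finance",
              "file_type": "EXE", "content": set()},
    # Two extra constructed records: a benign download and an app no rule allows.
    "pdf": {"app": "web-browsing", "user": "stomlinson", "group": "finance",
            "file_type": "PDF", "content": set()},
    "ssh": {"app": "ssh", "user": "stomlinson", "group": "finance",
            "file_type": None, "content": set()},
}

@dataclass
class Rule:
    name: str
    app: str                                          # App-ID this rule positively allows
    groups: set = field(default_factory=set)          # empty = any user group
    block_file_types: set = field(default_factory=set)
    block_content: set = field(default_factory=set)   # content tags that turn allow into deny
    scan: bool = True                                 # "allow, but scan for threats"

# Assumed policy in the style of pages 10 and 12: allow named apps for named groups,
# block executables over web-browsing, keep proprietary content off file-sharing apps.
POLICY = [
    Rule("finance-web", "web-browsing", {"finance"}, block_file_types={"EXE"}),
    Rule("prodmgmt-slideshare", "slideshare", {"prodmgmt"},
         block_content={"Confidential and Proprietary"}),
]

def enforce(session, policy=POLICY):
    """Single pass over full context: the first rule matching app and group decides.
    Returns (verdict, rule_name, reason); verdict is allow, allow-but or deny."""
    for rule in policy:
        if rule.app != session["app"]:
            continue
        if rule.groups and session["group"] not in rule.groups:
            continue
        ftype = session["file_type"]
        if ftype in rule.block_file_types:
            return ("deny", rule.name, f"file type {ftype} blocked for {rule.app}")
        leaked = session["content"] & rule.block_content
        if leaked:
            return ("deny", rule.name, "content match: " + ", ".join(sorted(leaked)))
        if rule.scan:
            return ("allow-but", rule.name, "scan for threats")
        return ("allow", rule.name, "")
    # Positive enforcement model: anything not explicitly allowed is denied.
    return ("deny", None, "no allow rule matches (default deny)")

def verdicts():
    # Evaluate every constructed session: name -> verdict string.
    return {name: enforce(s)[0] for name, s in SESSIONS.items()}
```

The page-7 upload is denied on its content tag even though the application and group are allowed, the page-8 download is denied on file type, and the unknown application falls through to the default deny.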

Page 13:

Why? The Architecture.

Diagram, Competitors: Sequential Filtering. Port Classification, then an Application Classification filter + a File Classification filter + a Threat Matching filter + etc., with User and L1-4 context re-read at every stage and the outcome still marked “?”. Annotation: Filter has no app knowledge.

Diagram, Palo Alto Networks: Single Pass. Full Classification (Application, User, L1-4) followed by Full Enforcement: Done.

Page 14:

• All applications

• All users

• All content

• Encrypted traffic

• SaaS

• Cloud

• Mobile

• Enable business apps

• Block “bad” apps

• Limit app functions

• Limit file types

• Block websites

• Exploits

• Malware

• Command & control

• Malicious websites

• Bad domains

• Stolen credentials

• Dynamic analysis

• Static analysis

• Attack techniques

• Anomaly detection

• Analytics

Natively Integrated

Page 15:

Consistent Across All Locations

SaaS, Endpoint, Datacenter/Private Cloud, Public Cloud, Google Cloud, Internet Gateway, IoT, Mobile Users

Page 16:

Delivering continuous innovation

Traps, GlobalProtect, WildFire, AutoFocus, Aperture, Threat Prevention, URL Filtering

Page 17:

THREAT INTELLIGENCE CLOUD

THE UNKNOWN: Automatically identified. REMEDIATION: Automatically prevented.

Anti-malware protections per day, URL protections per day, DNS protections per day (figures shown: 192,000, 24,000, 12,000)

Protections delivered automatically in >> 5 Minutes

Rich Forensic and Reporting for quick, detailed investigation

Diagram: the THREAT INTELLIGENCE CLOUD feeding WildFire, Threat Prevention, URL Filtering, and Forensics & Reporting.

Page 18:

WildFire’s All New Analysis Environments

Static Analysis, Dynamic Analysis, Bare Metal Analysis

• Detection of known exploits, malware, and new variants

• Detonation reveals zero-day exploitation & malware

• Dynamically steers highly evasive, suspicious files to bare metal

• Detonates malware on real hardware, detecting all VM-aware malware

• Heuristic engine + Machine learning (April ’16)

• NEW: Final frontier for anti-VM detection

• NEW: 100% custom-built anti-evasion malware analysis environment

Page 19:

Requirements for cyber threat intelligence

Example indicator: 223.144.191.23. Adversary: Lotus Blossom. Related indicators: Connection 101.55.121.171:443; DNS gagalist.net. Targets: Government & Military.

Context around indicators and incidents. Quick and proactive response. Prioritize important events.

Automatically export malicious indicators to security controls. Prevent future attacks. Export indicators. Prevent attacks.

Page 20:

Extending our threat intelligence cloud

WILDFIRE: Discover new threats and deliver protections to the network

AUTOFOCUS: Accelerate analysis, forensics and hunting workflows

Page 21:

AutoFocus: weaponize your threat intelligence

Correlate global & local threat intelligence. Analyze. Unique, targeted attack. Identify Context. Attacks, campaigns, techniques. Protect. Proactively prevent attacks.

Page 22:

Globally shared threat intelligence

10,000 WILDFIRE CUSTOMERS. 1 BILLION SAMPLES, INCREASING 3-5 MILLION PER DAY. BILLIONS OF ARTIFACTS. UNIT 42 INTELLIGENCE. GLOBALLY CORRELATED.

Page 23:

Security Operations use case

Security Operations: receive tagged event; assess uniqueness & industry prevalence; find related indicators; export indicators & prevent attacks.

Page 24:

AutoFocus intelligence summary

Page 25:

A complete security architecture

Enterprise network, Public cloud, Private Cloud

Page 26:

Unique Platform Offering

Use cases: Cloud, Datacenter, Enterprise perimeter, Distributed/BYOD, Endpoint

Next-Generation Firewall. Cybersecurity: IDS / IPS / APT, Web gateway, VPN, Mobile security

Management system: Panorama, M-100 & M-500 appliances, GP-100 appliance

Operating system: PAN-OS™

Products, Physical: PA-200, PA-500, PA-3000 Series, PA-5000 Series, PA-7050, PA-7080

Products, WildFire: WF-500

Products, Virtual: VM-Series for NSX, AWS, and KVM

Traps™, Aperture™

Subscriptions: URL Filtering, GlobalProtect™, WildFire™, Threat Prevention, AutoFocus™

Consistency

Page 27:

THREE AMAZING NEW LINES OF HARDWARE APPLIANCES: PA-220, PA-800 SERIES, PA-5200 SERIES

Up to 10x performance and capacity increases

Up to 35x SSL session capacity increase

Up to 10x decryption performance increase

Higher port density, flexible I/O, & hardware resiliency

Front-to-back cooling

Page 28:

PA-220

• 500 Mbps App-ID

• 150 Mbps Threat Prevention

• 64,000 sessions

• (8) 1G Copper Ethernet ports

PA-220 Specifications

• Dual power adapters (optional)

• 32GB solid state storage (eMMC), 8GB DDR4, 4-core CPU, 1 GHz

• Dedicated out-of-band management port

• RJ-45 and Micro USB console ports

• Complete high availability support (A/P with session sync, and A/A)

• Wall-mount or rack-mount desktop form factor

Page 29:

PA-820

• 940 Mbps App-ID

• 610 Mbps Threat Prevention

• 128,000 sessions

• (4) 10/100/1000 Copper

• (8) SFP

PA-850

• 1.9 Gbps App-ID

• 780 Mbps Threat Prevention

• 192,000 sessions

• (4) 10/100/1000 Copper

• (4) SFP, (4) SFP/+

PA-800 Series Specifications

• 1U rackmount chassis

• Dual, hot swap power supplies (PA-850 only)

• 240GB SSD, 16GB DDR4, 8/7 CPU cores, 1.6 GHz CPU

• Dedicated out-of-band management port

• RJ-45, Micro USB console port

• Dedicated HA interfaces

Page 30:

PA-5220

• 18 Gbps App-ID

• 9 Gbps Threat Prevention

• 5 Gbps IPSec VPN

• 4,000,000 sessions

• (4) 40G QSFP+

• (16) 1G/10G SFP/SFP+

• (4) 100/1000/10G Copper

• 1x40-core CPU, 1.6 GHz

• 32GB DDR4 per DP

PA-5250

• 35 Gbps App-ID

• 20 Gbps Threat Prevention

• 14 Gbps IPSec VPN

• 8,000,000 sessions

• (4) 40G/100G QSFP28

• (16) 1G/10G SFP/SFP+

• (4) 100/1000/10G Copper

• 2x48-core CPU, 1.6 GHz

• 32GB DDR4 per DP

PA-5260

• 72 Gbps App-ID

• 30 Gbps Threat Prevention

• 21 Gbps IPSec VPN

• 32,000,000 sessions

• (4) 40G/100G QSFP28

• (16) 1G/10G SFP/SFP+

• (4) 100/1000/10G Copper

• 3x48-core CPU, 1.6 GHz

• 64GB DDR4 per DP

PA-5200 Series Specifications

• Hot swappable fans, power supplies

• Dual SSD system drives (240GB) and HDD logging drives (2TB), 8/12-core Intel i7, 32GB DDR4

• Dedicated HA and management interfaces

• 3U, 2 and 4 post rackmount units

• Front to back airflow with replaceable filters

• NEBS Level 3 Certified

Page 31:

Palo Alto Networks is positioned as a Leader in the Gartner Magic Quadrant for enterprise network firewalls.*

*Gartner Magic Quadrant for Enterprise Network Firewalls, Adam Hils, Greg Young, Jeremy D’Hoinne, and Rajpreet Kaur, May 2016.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Palo Alto Networks is highest in execution and a visionary within the Leaders Quadrant.

Page 32:

Align Technology with Risk: Security Lifecycle Review

• Customized risk assessment for your organization

• Visibility into the applications, malware, vulnerability exploits and more on your network

• Schedule with a Palo Alto Networks Partner: Tanjung Networks.

Page 33:

Ultimate Test Drive

A guided, hands-on experience with Palo Alto Networks® Next-Generation Security Platform.

• Over 15,000 attendees in FY-2016

• 6 labs to choose from

• Register for an online session: www.paloaltonetworks.com/events/test-drive.html

• Or attend an in-person session near you: events.paloaltonetworks.com/ehome/event-calendar

Page 34: