PALO ALTO NETWORKS
Cyber Threat Hunting: how relevant are you?
Jerry Chiang
Palo Alto Networks Malaysia
2 | © 2015, Palo Alto Networks. Confidential and Proprietary.
Customer technology choices
CYBERscape: The Cybersecurity Landscape. The security sector is dynamic and vast; we are ceaseless and vigilant in our coverage.
• Network Security: Network Firewall; Network Monitoring/Forensics; Intrusion Prevention Systems; Unified Threat Management; Managed Security Service Provider; Messaging Security
• Application Security: WAF & Application Security; Vulnerability Assessment
• Endpoint Security: Endpoint Prevention; Endpoint Detection & Response; Specialized Threat Analysis & Protection
• Cloud Security
• Fraud Prevention / Transaction Security
• Identity & Access Management
• Web Security
• Risk & Compliance
• Threat Intelligence
• Industrial / IoT Security
• Mobile Security
• Data Security
• Security Incident Response
• SIEM
• Security Operations & Incident Response
Source: Momentum Partners. 20
Failure of legacy security architectures
[Figure: a legacy enterprise network with a stack of bolt-on point products between it and the Internet connection: Anti-APT for port 80 APTs, Anti-APT for port 25 APTs, Anti-APT cloud, Endpoint AV, Network AV, DNS protection for outbound DNS, DNS protection cloud, UTM/blades and a separate malware intelligence feed, supplied by Vendor 1 through Vendor 4. Each product emits its own stream of alerts (DNS alert, endpoint alert, AV alert, SMTP alert, web alert) that nothing correlates.]
Result: limited visibility, manual response, no correlation between vendors' alerts.
Security framework

• All applications
• All users
• All content
• Encrypted traffic
• SaaS
• Cloud
• Mobile

• Enable business apps
• Block “bad” apps
• Limit app functions
• Limit file types
• Block websites

• Exploits
• Malware
• Command & control
• Malicious websites
• Bad domains
• Stolen credentials

• Dynamic analysis
• Static analysis
• Attack techniques
• Anomaly detection
• Analytics
Our Approach: Seek First to Understand. The Power of Context
• classify all traffic to app level, even encrypted traffic
• determine who (users)
• continually update this understanding, including content inspection

Two flows that are indistinguishable at the port level (same source IP, destination IP, TCP/443 and SSL wrapper) but differ once application, user and content are classified:

Attribute               Flow 1                            Flow 2
size                    344 KB                            344 KB
URL category            file-sharing                      unknown
file type               PowerPoint                        EXE
content / file name     “Confidential and Proprietary”    shipment.exe
user                    mjacobsen                         stomlinson
group                   prodmgmt                          finance
destination country     canada                            china
source IP               172.16.1.10                       172.16.1.10
destination IP          64.81.2.23                        64.81.2.23
destination port        TCP/443                           TCP/443
protocol                SSL, HTTP                         SSL, HTTP
application             slideshare                        web-browsing
application function    slideshare-uploading              (none)
Then Enforce Better Decisions Based on Full Situational Awareness
• a positive enforcement model
• stepwise refinement
• systematic management of unknown
[Figure: Fully understand (enables) + Enforce. Example input: a document transfer by Fred (finance group) plus other context. Possible decisions: Allow; or Deny; or Allow, but: scan for threats, block files, per schedule, etc.]
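As an added example (not Palo Alto Networks code, and not how PAN-OS evaluates policy), the following Python models the two flows from the context slide, which share source IP, destination IP, port and SSL wrapper, and compares a port-based rule with one that sees application, user group, file type and inspected content. The Flow and Rule types, the rule set and the "allow-scan" verdict (the slide's "allow, but: scan for threats") are assumptions of this example; unknown applications are denied explicitly, as a positive enforcement model requires.

```python
"""Context-based policy evaluation (added example, not Palo Alto Networks code).

The two flows below are the ones from the slide: same source, destination,
port and SSL wrapper, but different application, user, group, file type
and content. A port-based rule gives both the same verdict; a rule that
sees the full context does not. Unknown applications are denied
(positive enforcement: nothing is allowed unless a rule allows it).
"""
from dataclasses import dataclass, replace
from typing import Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    app: str                          # result of application classification, or "unknown"
    app_function: Optional[str]       # e.g. "slideshare-uploading"
    user: str
    group: str
    url_category: str
    file_type: Optional[str]          # "ppt", "exe", ... or None when no file is transferred
    file_name: Optional[str]
    content_markers: Tuple[str, ...]  # strings found by content inspection
    dst_country: str


# Flow 1 from the slide: PowerPoint upload to slideshare by a product manager.
UPLOAD = Flow("172.16.1.10", "64.81.2.23", 443, "slideshare", "slideshare-uploading",
              "mjacobsen", "prodmgmt", "file-sharing", "ppt", None,
              ("Confidential and Proprietary",), "canada")

# Flow 2 from the slide: shipment.exe fetched over SSL by a finance user.
DOWNLOAD = Flow("172.16.1.10", "64.81.2.23", 443, "web-browsing", None,
                "stomlinson", "finance", "unknown", "exe", "shipment.exe",
                (), "china")


def variant(flow: Flow, **changes) -> Flow:
    """Copy of a flow with some attributes changed (used for what-if checks)."""
    return replace(flow, **changes)


def port_policy(flow: Flow) -> str:
    """Legacy rule: outbound TCP/443 is allowed. It cannot separate the two flows."""
    return "allow" if flow.dst_port == 443 else "deny"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                             # "allow", "deny" or "allow-scan" (allow, but scan)
    app: Optional[str] = None               # None means "any"
    group: Optional[str] = None
    blocked_file_types: Tuple[str, ...] = ()
    blocked_markers: Tuple[str, ...] = ()   # content patterns that turn the allow into a file block

    def matches(self, flow: Flow) -> bool:
        return (self.app is None or self.app == flow.app) and \
               (self.group is None or self.group == flow.group)


RULES = [
    # Allow, but: product management may upload to slideshare, scanned for threats,
    # except files carrying the confidentiality marker (assumed data pattern).
    Rule("prodmgmt-slideshare", "allow-scan", app="slideshare", group="prodmgmt",
         blocked_markers=("Confidential and Proprietary",)),
    # Allow, but: general web browsing is scanned and executables are blocked.
    Rule("web-browsing", "allow-scan", app="web-browsing",
         blocked_file_types=("exe", "dll", "msi")),
]


def context_policy(flow: Flow, rules=RULES) -> Tuple[str, str]:
    """First matching rule wins. Unknown applications and unmatched flows are denied."""
    if flow.app == "unknown":
        return ("deny", "unknown-app")
    for rule in rules:
        if not rule.matches(flow):
            continue
        if flow.file_type in rule.blocked_file_types:
            return ("deny", f"{rule.name}:file-type:{flow.file_type}")
        if any(m in flow.content_markers for m in rule.blocked_markers):
            return ("deny", f"{rule.name}:content")
        return (rule.action, rule.name)
    return ("deny", "implicit")


if __name__ == "__main__":
    for f in (UPLOAD, DOWNLOAD):
        print(f.user, f.app, "port-policy:", port_policy(f),
              "context-policy:", context_policy(f))
```

The port rule returns "allow" for both flows; the context rule blocks the confidential upload and the executable download, allows the same upload once the marker is absent, and falls through to an implicit deny for anything no rule covers.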
A Fundamentally Different Architecture
[Figure: two packet-processing architectures.]
• Competitors, sequential filtering: port classification, then an application classification filter, plus a file classification filter, plus a threat matching filter, plus etc. Each filter re-examines the session (user, L1-4 headers) on its own and answers only its own question.
• Palo Alto Networks, single pass: full classification (application, user, L1-4) once, then full enforcement. Done.
Why Does This Matter? A Specific Scenario
Desired policy:
• Web Browsing: block only executables
• Cloud Backup: allow all file types
• SharePoint Online: block all file types
We can do this!

Why? The Architecture.
[Figure: the same two architectures as above.]
• Competitors, sequential filtering: the file classification filter runs after the application classification filter but has no app knowledge; it sees only the file type, so it cannot block executables for web browsing while allowing them for cloud backup.
• Palo Alto Networks, single pass: the session is fully classified (application, user, L1-4) first, and one enforcement decision sees all of it.
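To make the architectural argument concrete, here is an added Python example (not Palo Alto Networks code and not a model of any real product's data path). It encodes the desired policy from the scenario above and evaluates it two ways: a sequential chain whose file filter receives only the file type, and a single-pass decision that sees application and file type together. The Session type, the port whitelist and the sample sessions are constructed for this example.

```python
"""Sequential filtering vs single-pass classification (added example, not
Palo Alto Networks code). The desired policy is the one from the slide:

    web-browsing       block only executables
    cloud-backup       allow all file types
    sharepoint-online  block all file types

In a sequential chain the file filter runs after the application filter but
never receives the application verdict, so its only knob is a global
file-type decision. A single-pass engine classifies port, application and
file type first and enforces one rule that sees all of them.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Session:
    dst_port: int
    app: str                  # what application classification yields
    file_type: Optional[str]  # None when no file is transferred


# Desired per-application file policy: True when the file type is allowed.
DESIRED: Dict[str, Callable[[Optional[str]], bool]] = {
    "web-browsing": lambda ft: ft != "exe",
    "cloud-backup": lambda ft: True,
    "sharepoint-online": lambda ft: ft is None,
}


def sequential_chain(s: Session, block_exe_globally: bool) -> str:
    """Port filter -> application filter -> file filter, each seeing only its own layer."""
    if s.dst_port not in (80, 443):          # 1. port classification (assumed whitelist)
        return "deny"
    if s.app not in DESIRED:                 # 2. application filter: is the app allowed at all?
        return "deny"
    # 3. file filter: the application verdict is not available here, only the file type.
    if s.file_type == "exe" and block_exe_globally:
        return "deny"
    return "allow"


def single_pass(s: Session) -> str:
    """Full classification first, then one enforcement decision over all of it."""
    if s.dst_port not in (80, 443):
        return "deny"
    policy = DESIRED.get(s.app)
    if policy is None:
        return "deny"
    return "allow" if policy(s.file_type) else "deny"


# Constructed sessions paired with the verdict the desired policy requires.
SAMPLES: List[Tuple[Session, str]] = [
    (Session(443, "web-browsing", None), "allow"),
    (Session(443, "web-browsing", "exe"), "deny"),
    (Session(443, "web-browsing", "pdf"), "allow"),
    (Session(443, "cloud-backup", "exe"), "allow"),
    (Session(443, "sharepoint-online", "docx"), "deny"),
    (Session(443, "sharepoint-online", None), "allow"),
    (Session(8080, "web-browsing", None), "deny"),
]


def mismatches(decide: Callable[[Session], str]) -> List[Session]:
    """Sessions where the decider disagrees with the desired policy."""
    return [s for s, want in SAMPLES if decide(s) != want]


if __name__ == "__main__":
    print("single pass:", mismatches(single_pass))
    print("sequential, exe blocked:", mismatches(lambda s: sequential_chain(s, True)))
    print("sequential, exe allowed:", mismatches(lambda s: sequential_chain(s, False)))
```

Whichever way the global knob is set, the sequential chain gets two of the seven sessions wrong (it either breaks cloud backup or lets executables through web browsing, and it can never block all file types for SharePoint alone); the single-pass decision matches the desired policy on every sample.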
Natively integrated, consistent across all locations: SaaS, Endpoint, Datacenter/Private Cloud, Public Cloud (Google Cloud), Internet Gateway, IoT, Mobile Users.
Delivering continuous innovation: Traps, GlobalProtect, WildFire, AutoFocus, Aperture, Threat Prevention, URL Filtering.
THREAT INTELLIGENCE CLOUD
• The unknown: automatically identified
• Remediation: automatically prevented
• Protections delivered automatically in 5 minutes: 192,000 anti-malware protections per day; 24,000 URL protections per day; 12,000 DNS protections per day
• Rich forensics and reporting for quick, detailed investigation
Components: WildFire, Threat Prevention, URL Filtering, Forensics & Reporting
WildFire’s All New Analysis Environments
• Static analysis: detection of known exploits, malware, and new variants. Heuristic engine, plus machine learning (April ’16).
• Dynamic analysis: detonation reveals zero-day exploitation and malware. NEW: 100% custom-built anti-evasion malware analysis environment.
• Bare metal analysis: highly evasive, suspicious files are dynamically steered from the virtualized environment to bare metal and detonated on real hardware, so VM-aware malware that stays dormant inside a virtual machine is still observed. NEW: the final frontier for anti-VM detection.
Requirements for cyber threat intelligence
• Context around indicators and incidents. Example from the slide: indicator 223.144.191.23; adversary: Lotus Blossom; related indicators: connection 101.55.121.171:443, DNS gagalist.net; targets: government and military.
• Quick and proactive response
• Prioritize important events
• Automatically export malicious indicators to security controls, so that future attacks are prevented (export indicators, prevent attacks)
Extending our threat intelligence cloud
• WILDFIRE: discover new threats and deliver protections to the network
• AUTOFOCUS: accelerate analysis, forensics and hunting workflows
Workflow: correlate global and local threat intelligence; Analyze (unique, targeted attack); Identify context (attacks, campaigns, techniques); Protect (proactively prevent attacks)
AutoFocus: weaponize your threat intelligence
Globally shared threat intelligence
• 10,000 WildFire customers
• 1 billion samples, increasing 3-5 million per day
• Billions of artifacts
• Unit 42 intelligence
• Globally correlated
Security Operations use case
1. Receive tagged event
2. Assess uniqueness and industry prevalence
3. Find related indicators
4. Export indicators and prevent attacks
AutoFocus intelligence summary
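The threat-intelligence requirements (context, prioritization, export to controls) and the four-step SOC use case above share one mechanical core, shown here as an added Python example that is not AutoFocus code. The indicator values and the adversary tag are the ones on the slide; the log lines, the "industry prevalence" counts and the one-entry-per-line export format are constructed for this example, so check what your own controls consume before exporting.

```python
"""Indicator matching, pivoting, prioritization and export (added example,
not AutoFocus code).

Indicators are the ones shown on the slide, tagged to the adversary named
there. Log lines, prevalence figures and the export format are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Indicator:
    kind: str                    # "ip" or "domain"
    value: str
    adversary: str
    port: Optional[int] = None   # only meaningful for "ip"


INDICATORS = [
    Indicator("ip", "223.144.191.23", "Lotus Blossom"),
    Indicator("ip", "101.55.121.171", "Lotus Blossom", port=443),
    Indicator("domain", "gagalist.net", "Lotus Blossom"),
]

# Constructed firewall traffic and DNS log lines: "<time> <type> key=value ...".
LOGS = [
    "2016-05-03T10:14:02 traffic src=10.1.5.22 dst=101.55.121.171 dport=443 app=ssl action=allow",
    "2016-05-03T10:14:05 dns src=10.1.5.22 query=gagalist.net",
    "2016-05-03T10:15:40 traffic src=10.1.7.9 dst=93.184.216.34 dport=443 app=ssl action=allow",
    "2016-05-03T10:16:12 traffic src=10.1.7.9 dst=101.55.121.171 dport=80 app=web-browsing action=allow",
    "2016-05-03T11:02:11 dns src=10.1.9.3 query=cdn.gagalist.net",
]

# Constructed "industry prevalence": number of organisations in which the
# indicator has been seen. A low count suggests a targeted, unique attack.
PREVALENCE: Dict[str, int] = {
    "223.144.191.23": 2, "101.55.121.171": 3, "gagalist.net": 2, "93.184.216.34": 50000,
}


def parse(line: str) -> Dict[str, str]:
    """Split one log line into its key=value fields plus time and type."""
    time, kind, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields.update(time=time, type=kind)
    return fields


def match_logs(logs: List[str], indicators: List[Indicator]) -> List[Tuple[str, Indicator]]:
    """Return (line, indicator) pairs. IP indicators with a port match only that
    port; domain indicators match the domain and its subdomains."""
    hits = []
    for line in logs:
        f = parse(line)
        for ind in indicators:
            if ind.kind == "ip" and f.get("dst") == ind.value:
                if ind.port is None or f.get("dport") == str(ind.port):
                    hits.append((line, ind))
            elif ind.kind == "domain":
                q = f.get("query", "")
                if q == ind.value or q.endswith("." + ind.value):
                    hits.append((line, ind))
    return hits


def related_indicators(hits, indicators: List[Indicator]) -> List[Indicator]:
    """Pivot from what was observed to the same adversary's indicators not yet seen."""
    seen_adv = {ind.adversary for _, ind in hits}
    seen_val = {ind.value for _, ind in hits}
    return [i for i in indicators if i.adversary in seen_adv and i.value not in seen_val]


def prioritize(hits, prevalence: Dict[str, int]) -> List[Tuple[str, Indicator]]:
    """Rarest indicators first: low prevalence means a more targeted event."""
    return sorted(hits, key=lambda h: prevalence.get(h[1].value, 10**9))


def export_lists(indicators: List[Indicator]) -> Tuple[str, str]:
    """One entry per line, IPs and domains in separate lists (external-dynamic-list
    style text; assumed to be what the receiving control accepts)."""
    ips = sorted({i.value for i in indicators if i.kind == "ip"})
    domains = sorted({i.value for i in indicators if i.kind == "domain"})
    return "\n".join(ips) + "\n", "\n".join(domains) + "\n"


if __name__ == "__main__":
    hits = match_logs(LOGS, INDICATORS)
    for line, ind in prioritize(hits, PREVALENCE):
        print(ind.adversary, ind.value, "<-", line)
    print("related, not yet seen:", [i.value for i in related_indicators(hits, INDICATORS)])
    ip_list, domain_list = export_lists(INDICATORS)
    print(ip_list + domain_list)
```

Note the port-qualified indicator: the connection to 101.55.121.171 on port 80 is not a hit, only the one on 443, which keeps a shared-hosting address from lighting up every session to it. The pivot step surfaces 223.144.191.23 as a related indicator that has not appeared in the logs yet, which is exactly what gets exported ahead of the next attack.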
A complete security architecture: enterprise network, public cloud, private cloud.

Unique Platform Offering
• Use cases: Cloud; Datacenter; Enterprise perimeter; Distributed/BYOD; Endpoint
• Cybersecurity: IDS / IPS / APT; Web gateway; VPN; Mobile security
• Products: Next-Generation Firewall. Physical: PA-200, PA-500, PA-3000 Series, PA-5000 Series, PA-7050, PA-7080. Virtual: VM-Series for NSX, AWS, and KVM. WildFire: WF-500. Endpoint and SaaS: Traps™, Aperture™
• Operating system: PAN-OS™
• Management system: Panorama, M-100 & M-500 appliances, GP-100 appliance
• Subscriptions: URL Filtering, GlobalProtect™, WildFire™, Threat Prevention, AutoFocus™
• Consistency
THREE AMAZING NEW LINES OF HARDWARE APPLIANCES: PA-220, PA-800 Series, PA-5200 Series

PA-5200 Series
• Up to 10x performance and capacity increases
• Up to 35x SSL session capacity increase
• Up to 10x decryption performance increase
• Higher port density, flexible I/O, and hardware resiliency
• Front-to-back cooling

PA-220
• 500 Mbps App-ID
• 150 Mbps Threat Prevention
• 64,000 sessions
• (8) 1G copper Ethernet ports
PA-220 Specifications
• Dual power adapters (optional)
• 32 GB solid state storage (eMMC), 8 GB DDR4, 4-core CPU, 1 GHz
• Dedicated out-of-band management port
• RJ-45 and Micro USB console ports
• Complete high availability support (A/P with session sync, and A/A)
• Wall-mount or rack-mount desktop form factor

PA-820
• 940 Mbps App-ID
• 610 Mbps Threat Prevention
• 128,000 sessions
• (4) 10/100/1000 copper
• (8) SFP
PA-850
• 1.9 Gbps App-ID
• 780 Mbps Threat Prevention
• 192,000 sessions
• (4) 10/100/1000 copper
• (4) SFP, (4) SFP/SFP+
PA-800 Series Specifications
• 1U rackmount chassis
• Dual, hot-swap power supplies (PA-850 only)
• 240 GB SSD, 16 GB DDR4, 8/7 CPU cores, 1.6 GHz CPU
• Dedicated out-of-band management port
• RJ-45, Micro USB console port
• Dedicated HA interfaces

PA-5220
• 18 Gbps App-ID
• 9 Gbps Threat Prevention
• 5 Gbps IPSec VPN
• 4,000,000 sessions
• (4) 40G QSFP+
• (16) 1G/10G SFP/SFP+
• (4) 100/1000/10G copper
• 1x40-core CPU, 1.6 GHz
• 32 GB DDR4 per data plane (DP)
PA-5250
• 35 Gbps App-ID
• 20 Gbps Threat Prevention
• 14 Gbps IPSec VPN
• 8,000,000 sessions
• (4) 40G/100G QSFP28
• (16) 1G/10G SFP/SFP+
• (4) 100/1000/10G copper
• 2x48-core CPU, 1.6 GHz
• 32 GB DDR4 per DP
PA-5260
• 72 Gbps App-ID
• 30 Gbps Threat Prevention
• 21 Gbps IPSec VPN
• 32,000,000 sessions
• (4) 40G/100G QSFP28
• (16) 1G/10G SFP/SFP+
• (4) 100/1000/10G copper
• 3x48-core CPU, 1.6 GHz
• 64 GB DDR4 per DP
PA-5200 Series Specifications
• Hot-swappable fans and power supplies
• Dual SSD system drives (240 GB) and HDD logging drives (2 TB), 8/12-core Intel i7, 32 GB DDR4
• Dedicated HA and management interfaces
• 3U, 2- and 4-post rackmount units
• Front-to-back airflow with replaceable filters
• NEBS Level 3 certified
Palo Alto Networks is positioned as a Leader in the Gartner Magic Quadrant for enterprise network firewalls,* highest in execution and a visionary within the Leaders Quadrant.
*Gartner Magic Quadrant for Enterprise Network Firewalls, Adam Hils, Greg Young, Jeremy D’Hoinne, and Rajpreet Kaur, May 2016. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Align Technology with Risk: Security Lifecycle Review
• Customized risk assessment for your organization
• Visibility into the applications, malware, vulnerability exploits and more on your network
• Schedule with Palo Alto Networks partner Tanjung Networks

Ultimate Test Drive
A guided, hands-on experience with the Palo Alto Networks® Next-Generation Security Platform.
• Over 15,000 attendees in FY-2016
• 6 labs to choose from
• Register for an online session: www.paloaltonetworks.com/events/test-drive.html
• Or attend an in-person session near you: events.paloaltonetworks.com/ehome/event-calendar