Using Network Security and Identity Management to Empower CISOs Today: The Case For A Comprehensive Enterprise Security Policy

ForgeRockUsing Network Security and Identity Management to

Empower CISOs TodayThe Case For A Comprehensive Enterprise Security Policy

The Stolen Data EpidemicTarget Replaces CEO Steinhafel Following Massive Holiday Breach- Wall Street Journal

‘Heartbleed Bug Exposes Millions of Web Sites To Security Risks- NBC News April 8, 2014

18 million email addresses and passwords stolen in Germany- ZDNet April 7, 2014

360m newly stolen passwords on the black market - The London Free Press

Data breaches surge with 93,000 passwords stolen every hour- Computer Business Review

Bitcoin miners unearth 30,000 college student SSNs- Next Gov April 24, 2014

To be truly effective,

you need to see all

applications, all user

identities and most

importantly, all threats

But traditional firewalls only

gave you ports, protocols,

and IP addresses – missing

the malware threat completely

Traditional Firewalls Had Limitations

Confidential Data

Command & Control Traffic

Regulated Data

Exploits

Copyrighted Material

Malware

Palo Alto Networks Reinvented Network SecurityIt’s no longer be about Ports and Protocols but instead it’s about User Identity, Applications, and how they communicate

But without User Identity and Context, You Cannot Create a True Comprehensive Security Policy For the End User

5

Modern Security Technologies

■ Users: Understanding users and devices, regardless of location with User-ID

■ Applications: Safe enablement and security begins with application classification by App-ID.

■ Content: Scanning content flowing between Users and Applications and protecting against all threats – both known and unknown; with Content-ID

Palo Alto Networks Next-Generation Threat Cloud

Palo Alto Networks Next-Generation Endpoint

Palo Alto Networks Next-Generation Firewall

Next-Generation Firewall Inspects all traffic Safely enables applications Sends unknown threats to cloud Blocks network based threats

Next-Generation Threat Cloud Gathers potential threats from

network and endpoints

Analyses and correlates threat intelligence

Disseminates threat intelligence to network and endpoints

Next-Generation Endpoint Inspects all processes and files Prevents both known and unknown exploits Protects fixed, virtual, and mobile endpoints Lightweight client and cloud based

Next-Generation Security Platform

• ~500,000 Wildfire samples/day• ~5% determined to be Malware• 1 new Android Malware App every 30 minutes• 1/3 of all portable executables are Malware

7

Next-Generation Identity ManagementHighly Scalable, Modular, Easy To Deploy Architecture

“All-in-One” solution delivered as a single platform

Access to any application – Enterprise, SaaS, Social, Mobile

Flexible and extensible architecture

Social sign-on and one-time mobile password

Architected for consumer scale +100M users

FORGEROCK.COM | CONFIDENTIAL

Combine Capabilities To Reinvent SecurityCreating A Unified Enterprise-wide Security Platform

Next-gen Network Security & Identity Functions Natively Integrated In One Solution

Centralized Management

Access Management

Threat

Prevention

User Identity

Managem

entA

uthe

ntic

atio

n &

Aut

hori

zatio

n

App

Vi

sibi

lity

&

Con

trol

9FORGEROCK.COM | CONFIDENTIAL

The Vision

Deliver the only unified identity security platform that can make hyper intelligent

decisions based on both network security and user identity context.

10

Key Benefits■ Understand more about the user before granting them access to

corporate resources

■ Create a feedback loop to take appropriate action on both ends:

– The network blocks traffic when suspicious identity activity occurs

– The identity platform blocks access when suspicious network activity occurs

■ Real-time, automated remediation of malicious activity

■ Organizations are much, much safer!!!!

11FORGEROCK.COM | CONFIDENTIAL

Security/Identity Feedback Loop

Data Center

Establish Identity

Assert Identity

12FORGEROCK.COM | CONFIDENTIAL

Security/Identity Feedback Loop

Data Center

Legitimate Traffic

As defined by user rights

13FORGEROCK.COM | CONFIDENTIAL

Security/Identity Feedback Loop

Data Center

Malware/Inappropriate Traffic

Block & Alarm

Feedback Identity of Malicious Traffic

14FORGEROCK.COM | CONFIDENTIAL

Security/Identity Feedback Loop

Data Center

Change Identity Rights-Restrict User Traffic to all resources

■ Network violations modify Identity Rights

■ Feedback changes ID state and security state

15

Target data breach – APTs in action

Maintain access

Spearphishing third-party HVAC

contractor

Moved laterally within Target network and

installed POS Malware

Exfiltrated data command-and-control servers

over FTP

Recon on companies

Target works with

Compromised internal server

to collect customer data

Breached Target network with

stolen payment system

credentials

Centralized Management

Any location

All Key Identity & Network Security

Functions Natively Integrated in One

Solution

Innovative Approach To Securing Today’s EnterpriseEliminate Security Silios For A Unified Enterprise-wide Security Policy

Visibility & Control

Threat prevention

Any Infrastructure

Closed Loop Single Enterprise Wide Policy

ProvisioningIdentity Management

Unify Your Enterprise Security Strategy

Protect the enterprise from known threats and zero-day attacks

Gain full control over your identity and network security investments

Make informed decisions based upon correlated events & data points

Adaptable closed loop security policy enforcement

Drive top line business initiatives faster

18FORGEROCK.COM | CONFIDENTIAL

Thank You!