NEXT GENERATION SECURITY PLATFORM
1 | © 2015, Palo Alto Networks. Confidential and Proprietary.
CORPORATE HIGHLIGHTS
• Founded in 2005; first customer shipment in 2007
• Safely enabling applications and preventing cyber threats
• Able to address all enterprise cybersecurity needs
• Exceptional ability to support global customers
• Experienced team of 3,800+ employees
• Q3 FY17: $4xx.xx revenue
PALO ALTO NETWORKS AT-A-GLANCE (charts: Number of Customers; Revenue)
Palo Alto Networks is positioned as a Leader in the Gartner Magic Quadrant for enterprise network firewalls,* and is highest in execution and a visionary within the Leaders Quadrant.
*Gartner Magic Quadrant for Enterprise Network Firewalls, Adam Hils, Greg Young, Jeremy D’Hoinne, and Rajpreet Kaur, May 2016.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Today’s Security Challenges
Applications Have Changed, Firewalls Have Not
• The gateway at the trust border is the right place to enforce policy control
  - Sees all traffic
  - Defines the trust boundary
• BUT… applications have changed (collaboration / media, SaaS, personal)
  - Ports ≠ Applications
  - IP Addresses ≠ Users
  - Packets ≠ Content
Need to Restore Visibility and Control in the Firewall
What the firewall sees for one session (from the slide):
- size: 344 KB
- URL category: file-sharing
- file type: PowerPoint
- content: “Confidential and Proprietary”
- user: mjacobsen
- group: prodmgmt
- destination country: canada
- source IP: 172.16.1.10
- destination IP: 64.81.2.23
- destination port: TCP/443
- protocol: SSL
- protocol: HTTP
- application: slideshare
- application function: slideshare-uploading
THREATS HAVE CHANGED
New challenges:
• The Unknown
• Zero-Day Attacks
• Malware
• Lateral Movement
• Encrypted Traffic
• Call Backs
• Malicious URLs
• Stolen Devices
• You name it…
It is no longer just port/IP allow/block.
Legacy approaches are failing.
Diagram (legacy approach): a patchwork of point products from four vendors (anti-APT for port 80 APTs, anti-APT for port 25 APTs, endpoint protection, network AV, DNS protection cloud and DNS protection for outbound DNS, anti-APT cloud, UTM/blades) sits between the Internet connection and the enterprise network, each raising its own uncorrelated alerts (DNS, endpoint, AV, SMTP and web alerts) against separate malware intelligence. Result: limited visibility, manual response, lacks integration.
PALO ALTO NETWORKS SOLUTION: “PREVENTION”
Diagram: platform enforcement points: SaaS, Endpoint, Datacenter / Private Cloud, Public Cloud (Google Cloud), Internet Gateway, IoT, Mobile Users.
Philosophy for Prevention
• All applications
• All users
• All content
• Encrypted traffic
• SaaS
• Cloud
• Mobile

• Enable business apps
• Block “bad” apps
• Limit app functions
• Limit file types
• Block websites

• Exploits
• Malware
• Command & control
• Malicious websites
• Bad domains
• Stolen credentials

• Dynamic analysis
• Static analysis
• Attack techniques
• Anomaly detection
• Analytics
DELIVERING THE NEXT-GENERATION SECURITY PLATFORM
PALO ALTO NETWORKS SOLUTION
Diagram (Palo Alto Networks solution): the organizational network connects to the Internet/WAN through the platform, which answers the questions Malware? Exploit? Call Back? Dynamic? SaaS? that legacy point products (AV, APT, endpoint, firewall, web, proxy, SMTP, IPS and DNS alerts) each answered separately; WildFire and AutoFocus feed the analysis, and Panorama provides central management.
NG SECURITY PLATFORM APPROACH
Diagram: between the organizational network and the Internet/WAN, one platform combines Traps, GlobalProtect, WildFire, Aperture, Threat Prevention (including AV), URL Filtering and AutoFocus.
Single-Pass Parallel Processing™ (SP3) Architecture
FW | IPS | AV | URL
Visibility, control, and policy enforcement over Applications, Users and Content
Enabling Applications, Users and Content (User-ID)
Our unique approach to enterprise security
• App-ID: identify the application
• User-ID: identify the user
• Content-ID: scan the content (Data Filtering, WildFire, File Blocking, URL Filtering, Antivirus, IPS, Anti-spyware)
Preventing attacks at every stage of the kill-chain
Stages: 1. Breach the perimeter; 2. Deliver the malware; 3. Lateral movement; 4. Exfiltrate data.
Controls across these stages (listed in kill-chain order):
• URL Filtering: prevent use of social engineering; block known malicious URLs and IP addresses
• Next-Generation Firewall / GlobalProtect: visibility into all traffic, including SSL; enable business-critical applications; block high-risk applications; block commonly exploited file types
• Threat Prevention: block known exploits, malware and inbound command-and-control communications
• WildFire: send specific incoming files and email links from the internet to public or private cloud for inspection; detect unknown threats; automatically deliver protections globally
• Next-Generation Firewall / GlobalProtect: establish secure zones with strictly enforced access control; provide ongoing monitoring and inspection of all traffic between zones
• Threat Prevention: block outbound command-and-control communications; block file and data pattern uploads; DNS monitoring and sinkholing
• Traps / WildFire: block known and unknown vulnerability exploits; block known and unknown malware; provide detailed forensics on attacks
• URL Filtering: block outbound communication to known malicious URLs and IP addresses
• WildFire: detecting unknown threats pervasively throughout the network
PAN-OS Core Firewall Features
• Strong networking foundation
  - Dynamic routing (BGP, OSPF, RIPv2)
  - Tap mode – connect to SPAN port
  - Virtual wire (“Layer 1”) for true transparent in-line deployment
  - L2/L3 switching foundation
  - Policy-based forwarding
• VPN
  - Site-to-site IPSec VPN
  - Remote Access (SSL) VPN
• QoS traffic shaping
  - Max/guaranteed and priority
  - By user, app, interface, zone, & more
  - Real-time bandwidth monitor
• Zone-based architecture
  - All interfaces assigned to security zones for policy enforcement
• High Availability
  - Active/active, active/passive
  - Configuration and session synchronization
  - Path, link, and HA monitoring
• Virtual Systems
  - Establish multiple virtual firewalls in a single device (PA-7050, PA-5000, PA-3000, and PA-2000 Series)
• Simple, flexible management
  - CLI, Web, Panorama, SNMP, Syslog
Visibility and control of applications, users and content complement core firewall features
• PA-220
• PA-800 Series
• PA-3000 Series: PA-3060, PA-3050, PA-3020
• PA-5000 Series: PA-5060, PA-5050, PA-5020
• PA-5200 Series: PA-5260, PA-5250, PA-5220
• PA-7050, PA-7080
• VM-Series
EXPANSIVE PARTNER ECOSYSTEM
Enterprise Security | Virtualization | Networking | Mobility | Security Analytics
Threat Intel – Unit 42
WildFire & AutoFocus Architecture
Diagram: WildFire™ receives sessions, samples and artifacts from firewalls, Traps and Aperture, together with industry sharing, 3rd party feeds and partner integrations. Within 5 minutes it returns file-based signatures, URL re-categorization and DNS sinkholing to the platform; AutoFocus turns the same data into threat intelligence with context.
Sources of Threat Intelligence
Diagram: SOURCE (Firewalls, Traps, Aperture, Industry sharing, 3rd party feeds, Partner integrations) → PROCESS (WildFire, PAN-DB) → ANALYZE (AutoFocus, Content Updates), moving from DATA to INFORMATION to INTELLIGENCE.
Newest Features: PAN-OS 8.0
Prevent use of stolen credentials on the network
Diagram: user Bob D. reaches the mail server, domain controller and application server through the firewall, which performs (1) a policy check and (2) an MFA challenge via RADIUS.
Example policy:
User | Destination | Action
sales_engineers | jira | xxxx
product_managers | jira, intranet, engweb | xxxx
developers | jira, perforce, lab | xxxx
IT_admins | AD_servers | xxxx
Breaking credential theft attack cycle
Diagram: mail server, domain controller, application server.
1. Phishing email sent to victim: analyzed by WildFire, blocked by PAN-DB.
2. Credentials sent to phishing page: suspicious credential submission blocked.
3. Adversary navigates through network to access critical applications with stolen credentials: policy-based MFA enforced at network layer.
Policy enforcement on data classification tags
Combine the strength of the firewall and client-based products:
– Technology partner products classify documents and assign properties
– Firewall identifies these properties and enforces policy accordingly
– Support for Titus and Microsoft DLP tags on Office and PDF documents
PAN-OS SECURITY POLICY
Policy | Source | Dest | App | Action
Quarantine Compromised Hosts | Quarantine DAG | Any | Any | Deny
All Together Now
Log types that can drive the workflow: DNS Spyware, Vulnerability Alert, DoS Flood, Malware Alert, AV Alert, Exploit Kit Correlation, WildFire C2, WildFire Correlated C2, Scan Alert, C2 Spyware, Unknown URL, Private IP URL, Phishing URL.
Workflow shown:
1. A correlation log is generated, e.g. Type: Correlation; Category: WildFire Correlated C2; SRC IP: 10.3.4.122.
2. Utilize filtered log forwarding to act on that log.
3. Automatically tag SRC or DST IP addresses.
4. Tagged IPs are added to Dynamic Address Groups (DAG).
5. The Quarantine DAG now contains 10.3.4.122, and the quarantine policy applies to it.
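The tag-to-DAG-to-policy chain above, as an added simulation (not Palo Alto Networks code). It models only source-IP tagging; the log entries, filter table, tag name and rule tuple are constructed for this example.

```python
# Added example, not Palo Alto Networks code: simulates the "All Together Now"
# flow. A forwarding filter selects correlation/threat logs, each match auto-tags
# the source IP, a Dynamic Address Group (DAG) collects tagged IPs, and a deny
# rule sourced from that DAG blocks the host. Log lines, filter and tag names
# are constructed for this example.

# Constructed sample logs (fields chosen for this example).
LOGS = [
    {"type": "CORRELATION", "category": "WildFire Correlated C2", "src": "10.3.4.122"},
    {"type": "THREAT", "category": "Unknown URL", "src": "10.3.4.50"},
    {"type": "THREAT", "category": "Malware Alert", "src": "10.3.4.61"},
]

# Filtered log forwarding: (log type, category) -> tag to apply to the source IP.
FILTERS = {
    ("CORRELATION", "WildFire Correlated C2"): "quarantine",
    ("THREAT", "Malware Alert"): "quarantine",
}

def apply_forwarding(logs, filters):
    """Return {ip: set(tags)}: every matching log auto-tags its source IP."""
    registrations = {}
    for entry in logs:
        tag = filters.get((entry["type"], entry["category"]))
        if tag:
            registrations.setdefault(entry["src"], set()).add(tag)
    return registrations

def dag_members(registrations, match_tag):
    """A DAG is resolved at lookup time: every IP currently carrying the tag."""
    return {ip for ip, tags in registrations.items() if match_tag in tags}

def untag(registrations, ip, tag):
    """Removing the tag releases the host from the DAG without a policy change."""
    registrations.get(ip, set()).discard(tag)
    return registrations

# Security policy rows: (name, source DAG tag, action); first match wins.
RULES = [("Quarantine Compromised Hosts", "quarantine", "deny")]

def evaluate(src_ip, registrations, rules=RULES, default="allow"):
    """Return (rule name, action) for traffic from src_ip."""
    for name, tag, action in rules:
        if src_ip in dag_members(registrations, tag):
            return name, action
    return "default", default

def demo():
    """Walk the flow on the sample logs and return the quarantined hosts."""
    regs = apply_forwarding(LOGS, FILTERS)
    return sorted(dag_members(regs, "quarantine"))  # ['10.3.4.122', '10.3.4.61']
```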
Reducing the attack surface with IP feeds
• New built-in IP feeds from Palo Alto Networks
  - Known malicious IP addresses: confirmed malicious by Palo Alto Networks R&D with evidence
  - High risk IP addresses: likely malicious or associated with malicious activity; sourced from trusted providers, open source national advisories, etc.
• Feeds are defined and updated in daily content with option to add more feeds in content going forward
• Feeds appear as pre-defined External Dynamic Lists
• Requires Threat Prevention Subscription
Screen shot of feed entries: futboll1.cn, newsc0rp.net, tme-zone.ru, 218.94.124.46
WildFire: Preventing Zero Days in the Network
WildFire architecture
Diagram: binaries and URLs are forwarded for analysis from the Palo Alto Networks security platform in the enterprise network to WildFire™, either in the public cloud over the Internet or in a private cloud (optional WF-500 appliance); files go out and protections come back to the platform.
WildFire Detects Malware Using Multiple Methods & Techniques
• Static Analysis: file anomaly detection; static signatures; string & code block detection; machine learning & static analysis
• Dynamic Analysis: full execution analysis; multi-version execution environment; multi-dimensional scoring; network traffic analysis
WildFire Turns the Unknown into the Known in About 5 Minutes
WildFire vs. single-purpose “add on” approach
Diagram: WildFire is cloud-based (one WildFire™ public/private cloud reached over the Internet), whereas the single-purpose add-on approach needs separate per-channel sandboxes (web, file share) plus a central manager and manual analysis.
Traps: Preventing Zero Days in the Endpoint
Traditional AV is Not the Solution to Endpoint Protection. It’s the Problem!
Understanding the Threat at Endpoint
Exploit vs. Malicious Executable – What’s the Difference?
• Exploit: malformed data file that is processed by a legitimate app; takes advantage of a vulnerability in the legitimate app which allows the attacker to run code; ‘tricks’ the legitimate application into running the attacker’s code; small payload
• Malicious Executable: malicious code that comes in an executable file form; does not rely on any application vulnerability; already executes code and aims to control the machine; large payload
A Typical Cyber Attack Life Cycle
Prevention of an Attack at the Earliest Stage is Critical: Traps exploit and malware prevention blocks the attack before any malicious activity can initiate.
Stages: Plan the Attack (gather intelligence) → Silent Infection (leverage exploit) → Malware Communicates with Attacker (control channel) → Malicious File Executed (execute malware) → Data Theft, Sabotage, Destruction (steal data)
Preventive Controls | Reactive Controls
Distinguish good from bad - The Entropy Difference
Exploitation techniques, execution patterns and post-execution behavior (access, action):
Individual Attacks:
• Software Vulnerability Exploits: thousands (1,000s) of new vulnerabilities and exploits per year
• Malware: millions (1,000,000s) of new malware variations every year
Core Techniques:
• Exploitation Techniques: only two to four (2-4) new exploit techniques per year
• Malware Techniques: tens to hundreds (~10s) of new malware sub-techniques every year
Advanced Endpoint Protection – TRAPS 4.0 Features
Diagram (numbered 1-6): Exploit Protection Modules; Hash Control Search; MacOS Support; Microsoft Security Center Registration; plus the prevention methods below.
Traps Multi-Method Malware Prevention: Admin Override Policies; Trusted Publisher Identification; Static Analysis via Machine Learning; WildFire Inspection & Analysis; Execution Restrictions; Malware Quarantine
Traps Exploit Prevention: Memory Corruption Prevention; Logic Flaw Prevention; Code Execution Prevention
Exploit Techniques
Diagram: Normal Application Execution → Heap Spray → DEP Circumvention → Utilizing OS Function → Begin Malicious Activity (activate key logger, steal critical data, more…). Gaps are vulnerabilities.
Exploit Attack
1. Exploit attempt contained in a PDF sent by “known” entity.
2. PDF is opened and exploit techniques are set in motion to exploit vulnerability in Acrobat Reader.
3. Exploit evades AV and drops a malware payload onto the target.
4. Malware evades AV, runs in memory.
Traps Exploit Prevention Modules (EPM)
Diagram: Normal Application Execution → Heap Spray → Traps EPM → No Malicious Activity.
1. Exploit attempt blocked. Traps requires no prior knowledge of the vulnerability.
Demo
ULTIMATE TEST DRIVE
A guided, hands-on experience with Palo Alto Networks® Next-Generation Security Platform.
• Over 15,000 attendees in FY-2016
• 6 labs to choose from
• Register for an online session: www.paloaltonetworks.com/events/test-drive.html
• Or attend an in-person session near you: events.paloaltonetworks.com/ehome/event-calendar
Thank you…