Application Visibility and Risk Report
Prepared for: The XYZ Company
Prepared by: Michael Locke
Monday, March 11, 2013
Palo Alto Networks
3300 Olcott St
Santa Clara, CA 95054
Sales 866.207.0077
www.paloaltonetworks.com
Why Palo Alto Networks?
Fundamental shifts in the application and threat landscape, user behavior, and network infrastructure have steadily eroded the security that traditional port-based firewalls once provided. Users are accessing all types of applications, using a range of device types, oftentimes to get their job done. Datacenter expansion, virtualization, mobility, and cloud-based initiatives are forcing organizations to re-think how to enable application access yet protect the network. Palo Alto Networks next-generation firewalls can help organizations safely enable applications, for all users, regardless of location, resulting in a reduction in the associated business and security risks.
Classifying all applications, across all ports, all the time. App-ID applies multiple classification mechanisms to the traffic stream, as soon as the firewall sees it, to determine the exact identity of the application, regardless of port, encryption (SSL or SSH) or evasive technique employed. The knowledge of exactly which applications are traversing the network, not just the port and protocol, becomes the basis for all security policy decisions. Unidentified applications, typically a small percentage of traffic yet high in potential risk, are automatically categorized for systematic management, which can include policy control and inspection, threat forensics, creation of a custom App-ID, or a packet capture for Palo Alto Networks App-ID development.
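The classification the paragraph describes can be illustrated in a few lines. The following is an added example, not Palo Alto Networks App-ID code: it identifies several constructed flows from the first bytes the client sends and compares the verdict with what a port-based firewall would have assumed from the destination port. The three decoders (SSH banner, TLS ClientHello record header, HTTP request line) are deliberately simplified; the PORT_GUESS table, the Flow type and the sample payloads are assumptions made for this example.

```python
"""Port-independent application identification from the first client bytes.

Added example, not Palo Alto Networks App-ID: a toy version of the idea the
report describes (classify on payload, not port). The decoders, the PORT_GUESS
table, the Flow type and the sample flows are all constructed for this example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_port: int
    dst_port: int
    payload: bytes  # first bytes sent by the client


# What a port-based firewall would assume from the destination port alone.
PORT_GUESS = {22: "ssh", 53: "dns", 80: "web-browsing", 443: "ssl", 8080: "http-proxy"}

# HTTP request line: METHOD SP request-target SP HTTP-version CRLF
_HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n"
)


def identify(payload: bytes) -> str:
    """Return an App-ID-style name decided from payload content only."""
    # SSH: protocol version banner (RFC 4253, section 4.2)
    if payload.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"
    # TLS: record type 0x16 (handshake), version 0x03 0x0?, handshake type 0x01 (ClientHello)
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "ssl"
    m = _HTTP_REQUEST_LINE.match(payload)
    if m:
        # CONNECT is the forward-proxy tunnel method; anything else is plain web traffic
        return "http-proxy" if m.group(1) == b"CONNECT" else "web-browsing"
    return "unknown-tcp"


def classify(flow: Flow) -> dict:
    """Compare the content-based verdict with the port-based assumption."""
    app = identify(flow.payload)
    assumed = PORT_GUESS.get(flow.dst_port, "unknown-tcp")
    return {"dst_port": flow.dst_port, "app": app, "port_assumed": assumed, "mismatch": app != assumed}


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow(51000, 443, b"SSH-2.0-OpenSSH_6.1\r\n"),                                   # SSH on the HTTPS port
    Flow(51001, 8080, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32),  # TLS ClientHello on a proxy port
    Flow(51002, 80, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),         # ordinary web browsing
    Flow(51003, 443, b"CONNECT mail.example.net:443 HTTP/1.1\r\nHost: mail.example.net\r\n\r\n"),  # proxy CONNECT, not TLS
    Flow(51004, 80, b"\xde\xad\xbe\xef" + b"\x00" * 12),                             # custom binary protocol on port 80
]


def mismatches(flows=SAMPLE_FLOWS) -> list:
    """Flows whose real application differs from the port-based guess."""
    return [r for r in (classify(f) for f in flows) if r["mismatch"]]


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        r = classify(f)
        flag = "MISMATCH" if r["mismatch"] else "ok"
        print(f"dst_port={r['dst_port']:<5} port-assumed={r['port_assumed']:<13} app={r['app']:<13} {flag}")
```

Four of the five constructed flows come back as mismatches; the HTTP CONNECT on 443 and the SSH banner on 443 are the cases a port-based rule would have waved through as "ssl". A real engine keeps decoding beyond the first bytes (the report's point about tunnels and evasive techniques), which this toy does not attempt.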
Tying users and devices, not just IP addresses, to policies. Security policies that are based on the application and the user identity, regardless of device or location, are a more effective means of protecting the network than relying solely on port and IP address. Integration with a wide range of enterprise user repositories provides the identity of the Microsoft Windows, Mac OS X, Linux, Android, or iOS user accessing the application. Users who are traveling or working remotely are seamlessly protected with the same, consistent policies that are in use on the local, or corporate network. The combined visibility and control over a user's application activity means organizations can safely enable the use of Oracle, BitTorrent, or Gmail, or any other application traversing your network, no matter where or how the user is accessing it.
Protection against all threats, both known and unknown. Coordinated threat prevention blocks known malware sites, vulnerability exploits, viruses, spyware and malicious DNS queries in a single pass, while custom or otherwise unknown malware is actively analyzed and identified by executing the unknown files in a virtualized sandbox environment and directly observing more than 100 malicious behaviors. When new malware is discovered, a signature for the infecting file and related malware traffic is automatically generated and delivered. All threat prevention analysis uses full application and protocol context, ensuring that threats are caught even if they attempt to hide from security in tunnels, compressed content or on non-standard ports.
Safe application enablement policies can help organizations improve their security posture, in the following ways. At the perimeter, the threat footprint can be reduced by blocking unwanted applications and then inspecting the allowed applications for both known and unknown threats. In the traditional or virtualized datacenter, application enablement translates to ensuring only datacenter applications are in use by authorized users, protecting the content from threats and addressing security challenges introduced by the dynamic nature of the virtual infrastructure. Enterprise branch offices and remote user enablement policies can be extensions of the same policies deployed at the headquarters location, thereby ensuring policy consistency.
Summary and Key Findings
Palo Alto Networks conducted an application visibility and risk analysis for The XYZ Company using the Palo Alto Networks next-generation firewall. This report summarizes The XYZ Company analysis, beginning with key findings and an overall business risk assessment; it then discusses the applications and types of content found, closing with a summary and recommended actions.
Key findings that should be addressed by The XYZ Company:
Personal applications are being installed and used on the network. End-users are installing and using a variety of non-work related applications that can elevate business and security risks.
Applications that can be used to conceal activity were found. IT savvy employees are using applications that can conceal their activity. Examples of these types of applications include external proxies, remote desktop access and non-VPN related encrypted tunnels. Who is using these applications, and for what purpose, should be investigated.
Applications that can lead to data loss were detected. File transfer applications (peer-to-peer and/or browser-based) are in use, exposing The XYZ Company to significant security, data loss, compliance and possible copyright infringement risks.
Applications used for personal communications were found. Employees are using a variety of applications that enable personal communications. Examples include instant messaging, webmail, and VoIP/video conferencing. These types of applications can introduce productivity loss, compliance and business continuity risks.
Bandwidth hogging, time consuming applications are in use. Media and social networking applications were found. Both of these types of applications are known to consume corporate bandwidth and employee time.
Business Risks Introduced by High Risk Application Traffic
The potential business risks that can be introduced by the applications traversing the network are determined by looking at the behavioral characteristics of the high risk applications (those that carry a risk rating of 4 or 5 on a scale of 1-5). Each of the behavioral characteristics can introduce business risks: application file transfer can lead to data leakage; the ability to evade detection or tunnel other applications can lead to compliance risks; high bandwidth consumption equates to increased operational costs; and applications that are prone to malware or vulnerabilities can introduce business continuity risks. Identifying the risks an application poses is the first step towards effectively managing the related business risks.
A summary of the business risk calculation is shown in figure 1. Appendix A has a complete description of the business risks.
Figure 1: Business risk breakdown of Top High Risk Applications (pie chart, values as charted): Compliance 24%, Business Continuity 22%, Data Loss 22%, Productivity 19%, Operational Cost 13%.
Top High Risk Applications in Use
The high risk applications (risk rating of 4 or 5) sorted by category, subcategory and bytes consumed are shown below. The ability to view the application along with its respective category, subcategory and technology can be useful when discussing the business value and the potential risks that the applications pose with the respective users or groups of users.
Key observations on the 126 high risk applications:
Activity Concealment: Proxy (3) and remote access (3) applications were found. In addition, non-VPN related encrypted tunnel applications were detected. IT savvy employees are using these applications with increasing frequency to conceal activity and in so doing, can expose The XYZ Company to compliance and data loss risks.
File transfer/data loss/copyright infringement: P2P applications (11) and browser-based file sharing applications (18) were found. These applications expose The XYZ Company to data loss, possible copyright infringement, compliance risks and can act as a threat vector.
Personal communications: A variety of applications that are commonly used for personal communications were found including instant messaging (10), webmail (8), and VoIP/video conferencing (3). These types of applications expose The XYZ Company to possible productivity loss, compliance and business continuity risks.
Bandwidth hogging: Applications that are known to consume excessive bandwidth including photo/video (20), audio (1) and social networking (15) were detected. These types of applications represent an employee productivity drain, can consume excessive amounts of bandwidth and can act as potential threat vectors.
Risk | Category | Sub-Category | Technology | Bytes | Sessions | Application
4 | business-systems | general-business | browser-based | 6,675,224 | 321 | concur
4 | business-systems | general-business | client-server | 1,614 | 2 | activesync
5 | business-systems | office-programs | browser-based | 8,619,780,731 | 50,050 | google-docs-base
4 | business-systems | office-programs | peer-to-peer | 163,839,949 | 5,657 | ms-groove
5 | business-systems | office-programs | browser-based | 44,368 | 4 | google-docs-enterprise
4 | business-systems | office-programs | browser-based | 7,171 | 1 | editgrid
4 | business-systems | software-update | client-server | 3,898,009,791 | 116,989 | ms-update
4 | business-systems | storage-backup | client-server | 2,809,744 | 486 | sosbackup
5 | collaboration | email | client-server | 79,275,774,839 | 608,413 | smtp
4 | collaboration | email | client-server | 13,019,625,179 | 26,010 | ms-exchange
4 | collaboration | email | browser-based | 2,278,042,607 | 102,971 | aim-mail
4 | collaboration | email | browser-based | 749,876,306 | 17,215 | gmail-base
4 | collaboration | email | browser-based | 21,889,637 | 5,316 | hotmail
4 | collaboration | email | browser-based | 7,793,272 | 614 | outlook-web
4 | collaboration | email | browser-based | 558,235 | 45 | squirrelmail
5 | collaboration | email | browser-based | 370,552 | 17 | horde
4 | collaboration | email | browser-based | 81,851 | 22 | gmail-enterprise
4 | collaboration | email | browser-based | 22,742 | 4 | secureserver-mail
4 | collaboration | email | client-server | 18,101 | 5 | blackberry
4 | collaboration | instant-messaging | client-server | 1,821,279,584 | 439,725 | google-talk-base
4 | collaboration | instant-messaging | client-server | 585,077,566 | 40,377 | msn-base
4 | collaboration | instant-messaging | client-server | 402,952,328 | 148,265 | yahoo-im-base
4 | collaboration | instant-messaging | browser-based | 29,868,591 | 1,893 | aim-express-base
5 | collaboration | instant-messaging | client-server | 15,385,400 | 121 | jabber
4 | collaboration | instant-messaging | client-server | 871,250 | 108 | aim-base
4 | collaboration | instant-messaging | browser-based | 30,494 | 14 | zoho-im
4 | collaboration | instant-messaging | browser-based | 8,551 | 1 | mibbit
4 | collaboration | instant-messaging | browser-based | 8,432 | 1 | imo
4 | collaboration | instant-messaging | client-server | 621 | 1 | qq-base
4 | collaboration | internet-conferencing | client-server | 23,923 | 33 | live-meeting
4 | collaboration | social-networking | browser-based | 19,448,823,043 | 864,782 | facebook-base
4 | collaboration | social-networking | browser-based | 818,239,297 | 1,712 | vkontakte-base
5 | collaboration | social-networking | browser-based | 78,279,922 | 13,668 | stumbleupon
4 | collaboration | social-networking | browser-based | 40,696,468 | 2,587 | facebook-posting
4 | collaboration | social-networking | browser-based | 6,692,860 | 30 | orkut
4 | collaboration | social-networking | browser-based | 3,753,482 | 269 | facebook-apps
4 | collaboration | social-networking | browser-based | 1,956,746 | 49 | ameba-now-base
4 | collaboration | social-networking | browser-based | 989,154 | 10 | cyworld
4 | collaboration | social-networking | browser-based | 575,363 | 96 | myspace-base
4 | collaboration | social-networking | browser-based | 186,318 | 39 | plaxo
4 | collaboration | social-networking | browser-based | 182,627 | 41 | sina-weibo-base
5 | collaboration | social-networking | browser-based | 80,810 | 13 | netlog
4 | collaboration | social-networking | browser-based | 69,035 | 25 | me2day
4 | collaboration | social-networking | browser-based | 62,684 | 7 | odnoklassniki-base
4 | collaboration | social-networking | browser-based | 35,964 | 11 | twitter-posting
5 | collaboration | voip-video | peer-to-peer | 944,625,462 | 185,922 | skype
4 | collaboration | voip-video | peer-to-peer | 117,318,307 | 25,580 | sip
5 | collaboration | voip-video | browser-based | 54,768 | 2 | stickam
4 | collaboration | web-posting | browser-based | 788,461,751 | 15,818 | blog-posting
4 | general-internet | file-sharing | client-server | 85,951,827,707 | 466,037 | dropbox
5 | general-internet | file-sharing | client-server | 43,925,959,270 | 41,448 | ftp
4 | general-internet | file-sharing | browser-based | 4,375,747,758 | 43 | amazon-cloud-drive-uploading
4 | general-internet | file-sharing | client-server | 2,860,216,479 | 1,652,684 | tftp
5 | general-internet | file-sharing | browser-based | 1,296,128,951 | 93,384 | webdav
4 | general-internet | file-sharing | browser-based | 725,223,265 | 11,574 | google-drive-web
4 | general-internet | file-sharing | browser-based | 597,545,328 | 4,894 | docstoc-base
4 | general-internet | file-sharing | browser-based | 308,817,436 | 24 | amazon-cloud-drive-base
4 | general-internet | file-sharing | client-server | 254,172,452 | 117 | sugarsync
4 | general-internet | file-sharing | browser-based | 103,301,057 | 528 | 4shared
4 | general-internet | file-sharing | browser-based | 36,925,979 | 2,326 | skydrive-base
5 | general-internet | file-sharing | peer-to-peer | 12,963,314 | 3,255 | bittorrent
4 | general-internet | file-sharing | browser-based | 10,687,263 | 365 | mediafire
4 | general-internet | file-sharing | browser-based | 1,719,859 | 85 | putlocker
4 | general-internet | file-sharing | client-server | 1,041,213 | 20 | live-mesh-base
5 | general-internet | file-sharing | peer-to-peer | 640,748 | 375 | manolito
4 | general-internet | file-sharing | client-server | 451,298 | 85 | mendeley
4 | general-internet | file-sharing | browser-based | 346,268 | 10 | sendspace
5 | general-internet | file-sharing | peer-to-peer | 208,793 | 37 | imesh
5 | general-internet | file-sharing | browser-based | 181,472 | 9 | fileserve
4 | general-internet | file-sharing | client-server | 140,214 | 58 | office-live
4 | general-internet | file-sharing | browser-based | 92,259 | 18 | yousendit-base
4 | general-internet | file-sharing | client-server | 59,955 | 2 | diino
4 | general-internet | file-sharing | browser-based | 26,065 | 11 | rapidshare
4 | general-internet | file-sharing | browser-based | 16,451 | 3 | uploading
4 | general-internet | file-sharing | browser-based | 14,680 | 3 | megaupload
5 | general-internet | file-sharing | peer-to-peer | 13,462 | 38 | azureus
4 | general-internet | file-sharing | browser-based | 12,670 | 2 | divshare
5 | general-internet | file-sharing | browser-based | 11,868 | 6 | filesonic
4 | general-internet | file-sharing | client-server | 11,229 | 3 | ifolder
5 | general-internet | file-sharing | peer-to-peer | 9,738 | 1 | gnutella
5 | general-internet | file-sharing | browser-based | 4,715 | 1 | hotfile
4 | general-internet | internet-utility | browser-based | 2,251,619,608,497 | 40,391,950 | web-browsing
4 | general-internet | internet-utility | browser-based | 1,280,649,342,639 | 1,668,194 | flash
5 | general-internet | internet-utility | client-server | 3,961,215,678 | 135,774 | rss
4 | general-internet | internet-utility | browser-based | 3,669,814,104 | 201,283 | web-crawler
4 | general-internet | internet-utility | client-server | 268,092,819 | 561 | apple-appstore
4 | general-internet | internet-utility | browser-based | 12,295,275 | 1,084 | mobile-me
4 | general-internet | internet-utility | browser-based | 6,981,431 | 127 | zamzar
4 | general-internet | internet-utility | client-server | 2,319,158 | 22 | atom
4 | general-internet | internet-utility | client-server | 1,187,693 | 26 | opera-mini
4 | general-internet | internet-utility | client-server | 1,028,460 | 752 | google-desktop
5 | media | audio-streaming | browser-based | 194,937,986,997 | 396,317 | http-audio
4 | media | gaming | client-server | 23,885 | 6 | second-life-base
5 | media | photo-video | browser-based | 2,010,835,255,045 | 663,691 | youtube-base
5 | media | photo-video | browser-based | 881,524,310,035 | 101,986 | http-video
4 | media | photo-video | browser-based | 383,155,518,638 | 45,529 | rtmp
4 | media | photo-video | browser-based | 358,888,474,822 | 22,084,043 | rtmpt
4 | media | photo-video | browser-based | 67,668,901,074 | 1,504 | rtmpe
5 | media | photo-video | browser-based | 39,240,630,787 | 692 | asf-streaming
4 | media | photo-video | browser-based | 21,807,584,411 | 4,570 | limelight
5 | media | photo-video | browser-based | 17,605,286,601 | 7,681 | vimeo
4 | media | photo-video | browser-based | 7,493,086,541 | 3,663 | youtube-safety-mode
4 | media | photo-video | browser-based | 3,359,271,462 | 49,861 | youtube-uploading
4 | media | photo-video | browser-based | 896,428,836 | 544 | niconico-douga
5 | media | photo-video | browser-based | 109,139,083 | 2,053 | brightcove
4 | media | photo-video | client-server | 48,739,469 | 11 | amazon-unbox
4 | media | photo-video | browser-based | 30,565,140 | 1,937 | socialtv
4 | media | photo-video | client-server | 17,394,983 | 123 | sky-player
4 | media | photo-video | browser-based | 2,316,492 | 329 | dailymotion
4 | media | photo-video | browser-based | 193,839 | 31 | metacafe
4 | media | photo-video | browser-based | 176,771 | 22 | justin.tv
5 | media | photo-video | browser-based | 56,802 | 17 | tudou
4 | media | photo-video | peer-to-peer | 6,067 | 1 | qvod
4 | networking | encrypted-tunnel | browser-based | 1,150,170,737,770 | 26,608,430 | ssl
4 | networking | encrypted-tunnel | client-server | 3,818,568,709 | 1,447 | ssh
5 | networking | encrypted-tunnel | peer-to-peer | 3,709,108,624 | 11 | hamachi
5 | networking | encrypted-tunnel | peer-to-peer | 452,406,229 | 33,318 | freenet
4 | networking | encrypted-tunnel | client-server | 636,966 | 2 | tor
4 | networking | infrastructure | network-protocol | 11,301,292,610 | 25,389,090 | dns
4 | networking | ip-protocol | network-protocol | 143,750,206 | 1,054,959 | icmp
5 | networking | proxy | browser-based | 841,203,461,851 | 43,944,128 | http-proxy
5 | networking | proxy | browser-based | 2,838,393,104 | 18,548 | glype-proxy
5 | networking | proxy | browser-based | 962,835,231 | 2,260 | phproxy
5 | networking | remote-access | client-server | 13,376,807,389 | 547 | vnc-base
4 | networking | remote-access | client-server | 1,195,932,463 | 384 | ms-rdp
5 | networking | remote-access | client-server | 205,130,891 | 947 | logmein
Figure 2: High risk applications (rating of 4 or 5) that are traversing the network.
Application Characteristics That Determine Risk
The Palo Alto Networks research team uses the application behavioral characteristics to determine a risk rating of 1 through 5. The characteristics are an integral piece of the application visibility that administrators can use to learn more about a new application that they may find on the network and in turn, make a more informed decision about how to treat the application.
Application Behavioral Characteristic Definitions
Prone to misuse: used for malicious purposes or is easily configured to expose more than intended. Examples include external proxy, remote access, and P2P filesharing applications.
Tunnels other applications: able to transport other applications. Examples include SSH and SSL as well as UltraSurf, TOR, RTSP and RTMPT.
Has known vulnerabilities: the application has had known vulnerability exploits.
Transfers files: able to transfer files from one network to another. Examples include filesharing and file transfer applications of all types, as well as IM and email.
Used by malware: has been used to propagate malware, initiate an attack or steal data. Applications that are used by malware include collaboration (email, IM, etc.) and general Internet categories (filesharing, Internet utilities).
Consumes bandwidth: application consumes 1 Mbps or more regularly through normal use. Examples include P2P, streaming media, as well as software updates and other business applications.
Evasive: uses a port or protocol for something other than its intended purpose with intent to ease deployment or hide from existing security infrastructure.
With the knowledge of which applications are traversing the network, their individual characteristics and which employees are using them, The XYZ Company is enabled to more effectively decide how to treat the applications' traffic through associated security policies. Note that many applications carry multiple behavioral characteristics.
Application Behavioral Characteristics (number of the 126 high risk applications carrying each characteristic, as charted):
Evasive: 83
Consumes Bandwidth: 54
Prone to Misuse: 42
Tunnels Other Applications: 53
Has Known Vulnerabilities: 117
Transfers Files: 109
Used By Malware: 74
Figure 3: Behavioral characteristics of the high risk applications detected
Top Applications Traversing the Network
The top 35 applications (based on bandwidth consumption), sorted by category and subcategory are shown below. The ability to view the application category, subcategory and technology is complemented by the behavioral characteristics (previous page), resulting in a more complete picture of the business benefit an application may provide.
Risk | Category | Sub-Category | Technology | Bytes | Sessions | Application
2 | business-systems | auth-service | client-server | 25,169,731,084 | 400,168 | active-directory
2 | business-systems | database | client-server | 82,441,613,871 | 345,323 | mssql-db
3 | business-systems | software-update | client-server | 51,460,129,522 | 3,323 | symantec-av-update
3 | business-systems | software-update | browser-based | 49,394,265,498 | 323,547 | google-update
2 | business-systems | software-update | client-server | 32,564,494,337 | 168,972 | adobe-update
3 | business-systems | software-update | client-server | 26,751,598,845 | 19,065 | apple-update
3 | business-systems | storage-backup | client-server | 1,014,553,373,316 | 12 | backup-exec
3 | business-systems | storage-backup | client-server | 622,430,509,108 | 1,499,990 | ms-ds-smb
5 | collaboration | email | client-server | 79,275,774,839 | 608,413 | smtp
3 | collaboration | social-business | browser-based | 69,691,338,114 | 570,323 | sharepoint-base
2 | collaboration | social-networking | browser-based | 73,054,977,497 | 1,354,641 | pinterest
4 | general-internet | file-sharing | client-server | 85,951,827,707 | 466,037 | dropbox
5 | general-internet | file-sharing | client-server | 43,925,959,270 | 41,448 | ftp
4 | general-internet | internet-utility | browser-based | 2,251,619,608,497 | 40,391,950 | web-browsing
4 | general-internet | internet-utility | browser-based | 1,280,649,342,639 | 1,668,194 | flash
3 | general-internet | internet-utility | client-server | 29,635,385,019 | 128,391 | google-earth
2 | general-internet | internet-utility | browser-based | 24,343,782,565 | 1,237,934 | google-analytics
3 | media | audio-streaming | client-server | 587,755,989,148 | 636,761 | itunes-base
5 | media | audio-streaming | browser-based | 194,937,986,997 | 396,317 | http-audio
3 | media | audio-streaming | client-server | 42,637,864,775 | 2,105 | itunes-mediastore
1 | media | audio-streaming | client-server | 31,815,470,021 | 1,138 | shoutcast
5 | media | photo-video | browser-based | 2,010,835,255,045 | 663,691 | youtube-base
5 | media | photo-video | browser-based | 881,524,310,035 | 101,986 | http-video
4 | media | photo-video | browser-based | 383,155,518,638 | 45,529 | rtmp
4 | media | photo-video | browser-based | 358,888,474,822 | 22,084,043 | rtmpt
2 | media | photo-video | client-server | 104,198,725,714 | 77,621 | rtp
4 | media | photo-video | browser-based | 67,668,901,074 | 1,504 | rtmpe
3 | media | photo-video | browser-based | 56,765,909,460 | 2,847 | google-video-base
5 | media | photo-video | browser-based | 39,240,630,787 | 692 | asf-streaming
3 | media | photo-video | browser-based | 31,861,175,994 | 12,836 | ustream
4 | networking | encrypted-tunnel | browser-based | 1,150,170,737,770 | 26,608,430 | ssl
2 | networking | encrypted-tunnel | client-server | 32,250,388,478 | 396 | ipsec-esp-udp
1 | networking | infrastructure | network-protocol | 103,855,592,733 | 5,099,313 | capwap
2 | networking | infrastructure | client-server | 38,033,610,224 | 994,521 | snmpv1
5 | networking | proxy | browser-based | 841,203,461,851 | 43,944,128 | http-proxy
Figure 4: Top applications that are consuming the most bandwidth, sorted by category, subcategory and technology
Key observations on top 35 (out of 414) applications in use:
The most common types of applications are photo-video and internet-utility.
Application Subcategories
The subcategory breakdown of all the applications found, sorted by bandwidth consumption, provides an excellent summary of where the application usage is heaviest. These data points can help IT organizations more effectively prioritize their application enablement efforts.
Sub-Category | Number of Applications | Bytes Consumed | Sessions Consumed
photo-video | 52 | 4,049,042,526,936 | 23,865,247
internet-utility | 38 | 3,640,454,144,872 | 58,411,113
storage-backup | 6 | 1,637,031,558,934 | 1,501,033
encrypted-tunnel | 9 | 1,190,530,017,249 | 26,647,472
audio-streaming | 18 | 874,845,464,508 | 1,054,787
proxy | 3 | 845,004,690,186 | 43,964,936
infrastructure | 24 | 203,503,465,060 | 53,765,804
software-update | 15 | 180,349,677,264 | 678,803
file-sharing | 41 | 143,318,929,483 | 3,053,919
social-networking | 40 | 107,620,751,204 | 2,962,396
email | 18 | 101,171,359,301 | 1,102,327
database | 5 | 82,508,087,872 | 347,431
social-business | 4 | 70,316,128,832 | 581,928
auth-service | 6 | 31,109,037,373 | 2,348,908
office-programs | 11 | 24,510,737,648 | 917,447
remote-access | 14 | 21,874,624,096 | 35,775
management | 15 | 15,185,243,149 | 2,560,352
gaming | 19 | 9,396,696,833 | 26,548
general-business | 15 | 9,073,715,672 | 260,142
voip-video | 13 | 3,160,922,575 | 483,781
instant-messaging | 21 | 3,022,101,927 | 645,450
internet-conferencing | 6 | 1,850,551,017 | 3,393
web-posting | 9 | 968,334,514 | 22,391
ip-protocol | 3 | 143,947,524 | 1,055,493
erp-crm | 6 | 79,391,386 | 17,060
routing | 3 | 7,919,250 | 10,889
Grand Total | 414 | 13,246,080,024,665 | 226,324,825
Figure 5: Subcategory breakdown of all the applications found, sorted by bytes consumed.
Key observations on application subcategories:
The application subcategories that are consuming the highest amount of bandwidth are: photo-video, internet-utility, storage-backup.
Applications That Use HTTP
The top 25 applications (based on bandwidth consumed) that use HTTP in some way, shape or form (but may not use port 80) are shown below. Many applications use HTTP to speed deployment and simplify access while non-business applications may use it to bypass security. Knowing exactly which applications use HTTP is a critical datapoint when assembling an application enablement policy.
Risk | Technology | Bytes | Sessions | HTTP Application
4 | browser-based | 2,251,619,608,497 | 40,391,950 | web-browsing
5 | browser-based | 2,010,835,255,045 | 663,691 | youtube-base
4 | browser-based | 1,280,649,342,639 | 1,668,194 | flash
5 | browser-based | 881,524,310,035 | 101,986 | http-video
5 | browser-based | 841,203,461,851 | 43,944,128 | http-proxy
3 | client-server | 587,755,989,148 | 636,761 | itunes-base
4 | browser-based | 358,888,474,822 | 22,084,043 | rtmpt
5 | browser-based | 194,937,986,997 | 396,317 | http-audio
4 | client-server | 85,951,827,707 | 466,037 | dropbox
2 | browser-based | 73,054,977,497 | 1,354,641 | pinterest
3 | browser-based | 69,691,338,114 | 570,323 | sharepoint-base
3 | browser-based | 56,765,909,460 | 2,847 | google-video-base
3 | client-server | 51,460,129,522 | 3,323 | symantec-av-update
3 | browser-based | 49,394,265,498 | 323,547 | google-update
3 | client-server | 42,637,864,775 | 2,105 | itunes-mediastore
5 | browser-based | 39,240,630,787 | 692 | asf-streaming
2 | client-server | 32,564,494,337 | 168,972 | adobe-update
3 | browser-based | 31,861,175,994 | 12,836 | ustream
1 | client-server | 31,815,470,021 | 1,138 | shoutcast
3 | client-server | 29,635,385,019 | 128,391 | google-earth
3 | client-server | 26,751,598,845 | 19,065 | apple-update
2 | client-server | 25,169,731,084 | 400,168 | active-directory
2 | browser-based | 24,343,782,565 | 1,237,934 | google-analytics
4 | browser-based | 21,807,584,411 | 4,570 | limelight
4 | browser-based | 19,448,823,043 | 864,782 | facebook-base
Figure 6: Top HTTP applications identified ranked in terms of bytes consumed.
Key observations on top 25 (out of 325) HTTP applications in use:
There is a mix of both work and non-work related applications traversing the network that can use HTTP in some way or another.
Top URL Categories in Use
Identifying and controlling both the applications traversing the network and the web sites a user is allowed to visit is an ideal approach to safely enabling applications. As a result, organizations are protected from a full spectrum of legal, regulatory, productivity and resource utilization risks. The most commonly visited URL categories are shown in the table below.
URL Category | Count
educational-institutions | 12,596,289
society | 10,363,146
search-engines | 4,101,795
business-and-economy | 3,451,761
training-and-tools | 2,122,494
computer-and-internet-info | 2,085,679
news-and-media | 2,013,006
unknown | 1,914,987
web-advertisements | 1,760,765
online-personal-storage | 1,707,548
streaming-media | 1,055,407
social-networking | 1,002,279
content-delivery-networks | 958,496
games | 841,066
shopping | 828,819
private-ip-addresses | 787,021
kids | 470,817
sports | 446,637
reference-and-research | 431,209
entertainment-and-arts | 328,514
malware-sites | 320,318
internet-portals | 312,386
financial-services | 201,512
personal-sites-and-blogs | 184,010
travel | 148,293
Figure 7: Top URL categories visited
Key observations on the 25 most frequently visited URL categories:
The URL category report shows a mix of work and non-work related web activity. Note that the malware-sites category alone accounts for 320,318 visits; those requests deserve follow-up alongside the spyware findings in figures 9 and 10.
Application Vulnerabilities Discovered
The increased visibility into the applications on the network, regardless of port hopping, tunneling or other evasive tactics that may be used, extends into vulnerability exploit protection to ensure that the threat is detected and blocked. The application vulnerabilities discovered on the network, ranked by severity and count, are shown in the table below.
Category | Severity | Count | Threat Name | Application
info-leak | Critical | 36 | Microsoft IIS ASP.NET NULL Byte Injection Information Disclosure Vulnerability | web-browsing
overflow | Critical | 20 | Adobe Flash Player JPG Embedded SWF Processing Heap Overflow | flash
code-execution | Critical | 15 | Microsoft Windows SChannel Malformed Certificate Request Remote Code Execution | ssl
code-execution | Critical | 8 | Adobe Flash Player Multimedia File DefineSceneAndFrameLabelData Code Execution Vulnerability | flash
info-leak | Critical | 6 | Microsoft IIS ASP.NET NULL Byte Injection Information Disclosure Vulnerability | http-proxy
- | Critical | 3 | Microsoft .NET Framework and Silverlight framework Class Inheritance Vulnerability | silverlight
code-execution | Critical | 3 | Microsoft Publisher Memory Index Code Execution Vulnerability | smtp
code-execution | Critical | 2 | Microsoft Windows Media Format Runtime Media File Remote Code Execution Vulnerability | youtube-uploading
code-execution | Critical | 2 | Adobe Flash Player Bounds Checking Remote Code Execution Vulnerability | flash
overflow | Critical | 2 | IBM Lotus Domino LDAP Server Invalid DN Message Buffer Overflow | ldap
code-execution | Critical | 1 | Microsoft Publisher Memory Index Code Execution Vulnerability | sharepoint-base
code-execution | Critical | 1 | Android EASY Local Root Exploit | web-browsing
code-execution | Critical | 1 | Blackhole Exploit Kit | web-browsing
code-execution | Critical | 1 | OpenSSL SSLv2 Malformed Client Key Parsing Buffer Overflow Vulnerability | ssl
brute-force | High | 319,976 | SSL Renegotiation Denial of Service Brute-force | ssl
- | High | 1,629 | TimThumb Remote Code Execution Vulnerability | web-browsing
brute-force | High | 1,152 | HTTP Forbidden Brute-force Attack | gmail-base
brute-force | High | 645 | HTTP Forbidden Brute-force Attack | http-proxy
brute-force | High | 539 | HTTP Forbidden Brute-force Attack | web-browsing
overflow | High | 65 | RealNetworks RealPlayer SWF Flash File Buffer Overflow | flash
overflow | High | 52 | Castle Rock Computing SNMPc Network Manager Community String Stack Buffer Overflow | snmp-trap
brute-force | High | 37 | HTTP Forbidden Brute-force Attack | facebook-base
code-execution | High | 10 | HTTP Cross Site Scripting Vulnerability | web-browsing
brute-force | High | 10 | HTTP Forbidden Brute-force Attack | webdav
- | High | 10 | Digium Asterisk Skinny Channel NULL-Pointer Dereference Vulnerability | sccp
Figure 8: Top vulnerabilities identified, sorted by severity and count.
Key observations on the 25 most commonly detected (out of 1,336) exploits:
The Palo Alto Networks next-generation firewall is providing visibility into vulnerability exploits traversing the network regardless of port or protocol.
Of the 1,336 vulnerabilities found, 2% are critical, 2% are high and 1% are medium severity. The remainder are low severity or informational.
Note that the single SSL Renegotiation Denial of Service Brute-force signature accounts for 319,976 hits, more than every other entry in figure 8 combined; confirm which sources and servers are triggering it before treating the volume as an attack.
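The "HTTP Forbidden Brute-force Attack" rows in figure 8 are rate-based detections rather than single-packet matches. The following is an added example, not the firewall's signature: a sliding-window counter over constructed web access log lines that raises one alert per client/server pair once a configurable number of 403 responses falls inside the window. The log format, the addresses and paths, and the 5 hits / 60 s threshold are assumptions made for this example; tune the threshold against your own traffic before acting on it.

```python
"""Sliding-window detection of HTTP 403 brute-force activity.

Added example, not the firewall's 'HTTP Forbidden Brute-force Attack'
signature. One alert is raised per (client, server) pair once THRESHOLD
403 responses fall within WINDOW_SECONDS. The log format, addresses,
paths and thresholds are constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone

THRESHOLD = 5        # 403s from one client to one server ...
WINDOW_SECONDS = 60  # ... within this many seconds

# Constructed access log: "<timestamp> <client> <server> <status> <path>"
SAMPLE_LOG = """\
2013-03-11T10:00:01Z 198.51.100.9 10.0.0.20 403 /admin
2013-03-11T10:00:04Z 198.51.100.9 10.0.0.20 403 /admin/
2013-03-11T10:00:05Z 10.0.3.4 10.0.0.20 200 /index.html
2013-03-11T10:00:09Z 198.51.100.9 10.0.0.20 403 /backup
2013-03-11T10:00:12Z 10.0.3.4 10.0.0.20 403 /private
2013-03-11T10:00:15Z 198.51.100.9 10.0.0.20 403 /.git/config
2013-03-11T10:00:20Z 198.51.100.9 10.0.0.20 403 /wp-login.php
2013-03-11T10:00:27Z 198.51.100.9 10.0.0.20 403 /phpmyadmin/
2013-03-11T10:01:00Z 198.51.100.9 10.0.0.21 403 /admin
2013-03-11T10:03:30Z 198.51.100.9 10.0.0.21 403 /admin
2013-03-11T10:06:00Z 198.51.100.9 10.0.0.21 403 /admin
2013-03-11T10:06:05Z 10.0.3.4 10.0.0.20 403 /private
"""


def parse(line: str):
    """Split one log line into (timestamp, client, server, status, path)."""
    ts, client, server, status, path = line.split(" ", 4)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, client, server, int(status), path


def detect(log_text: str, threshold: int = THRESHOLD, window: int = WINDOW_SECONDS) -> list:
    """Return one alert dict per (client, server) pair that crosses the threshold."""
    recent = defaultdict(deque)   # (client, server) -> timestamps of recent 403s
    alerted = set()
    alerts = []
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    for when, client, server, status, _path in events:
        if status != 403:
            continue
        key = (client, server)
        q = recent[key]
        q.append(when)
        # drop 403s older than the window so a slow trickle never accumulates
        while (when - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"client": client, "server": server, "hits": len(q),
                           "first": q[0].isoformat(), "last": when.isoformat()})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['client']} -> {a['server']}: {a['hits']} x 403 between {a['first']} and {a['last']}")
```

On the constructed log only 198.51.100.9 against 10.0.0.20 trips the default threshold; the same client's three 403s against 10.0.0.21 are spread over five minutes and age out of the window, which is the behaviour you want from a rate signature and also why raising the window (or lowering the threshold) is a trade-off between catching low-and-slow probing and drowning in noise.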
Spyware and Viruses Discovered on the Network
The increased visibility into the applications on the network, regardless of port hopping, tunneling or other evasive tactics that may be used, helps ensure that spyware, the associated command and control traffic and viruses are detected and blocked. Examples of spyware and viruses discovered on the network are shown in figures 9 and 10 below.
Type | Severity | Count | Threat Name | Application
spyware phone home | Critical | 217,522 | ZeroAccess.Gen Command and Control Traffic | unknown-udp
spyware phone home | Critical | 86 | Smoke.Loader Command And Control Traffic | web-browsing
spyware phone home | Critical | 60 | IBryte.Gen Phone Home Traffic | web-browsing
spyware phone home | Critical | 34 | Smoke.Loader Command And Control Traffic | twitter-base
spyware phone home | Critical | 20 | ZeroAccess.Gen Command and Control Traffic | web-browsing
spyware phone home | Critical | 18 | Smoke.Loader Command And Control Traffic | http-proxy
spyware phone home | Critical | 17 | WGeneric.Gen Command and Control Traffic | web-browsing
spyware phone home | Critical | 14 | IBryte.Gen Phone Home Traffic | http-proxy
spyware phone home | Critical | 13 | Smoke.Loader Command And Control Traffic | facebook-social-plugin
spyware phone home | Critical | 7 | ZeroAccess.Gen Command and Control Traffic | http-proxy
spyware phone home | Critical | 6 | ZeroAccess.Gen Command and Control Traffic | web-browsing
spyware phone home | Critical | 5 | WGeneric.Gen Command and Control Traffic | http-proxy
spyware phone home | Critical | 4 | Agent.Gen Command And Control Traffic | web-browsing
spyware phone home | Critical | 2 | ZeroAccess.Gen Command and Control Traffic | http-proxy
spyware phone home | Critical | 2 | ZeroAccess.Gen Command and Control Traffic | web-browsing
spyware phone home | Critical | 1 | Ilac.Gen Command And Control Traffic | web-browsing
spyware phone home | Critical | 1 | Smoke.Loader Command And Control Traffic | facebook-posting
spyware phone home | Critical | 1 | Smoke.Loader Command And Control Traffic | facebook-base
spyware download | High | 1,886 | Conficker DNS Request | dns
Suspicious DNS | Medium | 755 | Suspicious DNS Query (Virus.virut:urteoq.com) | dns
spyware phone home | Medium | 394 | Suspicious user-agent strings | web-browsing
Suspicious DNS | Medium | 260 | Suspicious DNS Query (Trojan-Spy.zbot:yhcixnzlhofswqsguson.biz) | dns
Suspicious DNS | Medium | 260 | Suspicious DNS Query (generic:fdleiztuwmlbqcambatv.org) | dns
Suspicious DNS | Medium | 259 | Suspicious DNS Query (Trojan-Spy.zbot:qjvchzxnvdqqojnxsmj.info) | dns
Suspicious DNS | Medium | 258 | Suspicious DNS Query (Trojan-Spy.zbot:eeafiypseawgukydhfmx.net) | dns
Figure 9: Most common spyware found, sorted by severity and count.
Most Common Viruses Discovered
Count | Threat Name | Application
42 | Virus/Win32.WGeneric.fdbs | web-browsing
30 | Trojan-GameThief/Win32.staem.abq | ms-ds-smb
18 | Trojan-Dropper/Win32.agent.bmtgr | ms-ds-smb
16 | Virus/Win32.WGeneric.fdbs | http-proxy
12 | Virus/Win32.WGeneric.ezsn | web-browsing
10 | Virus/Win32.WGeneric.eyja | web-browsing
8 | Virus/Win32.WGeneric.ewuq | web-browsing
7 | Virus/Win32.WGeneric.dzyw | web-browsing
6 | Virus/Win32.WGeneric.fewr | web-browsing
6 | Virus/Win32.WGeneric.fhvj | web-browsing
5 | Virus/Win32.WGeneric.fiku | web-browsing
5 | Virus/Win32.WGeneric.fdhx | web-browsing
5 | Virus/Win32.WGeneric.errw | web-browsing
5 | Virus/Win32.WGeneric.evav | web-browsing
4 | Virus/Win32.WGeneric.eyja | http-proxy
4 | Virus/Win32.WGeneric.erdi | web-browsing
3 | Virus/Win32.WGeneric.dmeb | web-browsing
3 | Virus/Win32.WGeneric.djdm | web-browsing
3 | Virus/Win32.WGeneric.emzd | ms-ds-smb
3 | Virus/Win32.WGeneric.ewuq | http-proxy
3 | Trojan-Downloader/Win32.genome.iktm | ms-ds-smb
3 | Virus/Win32.WGeneric.fdhx | http-proxy
3 | Trojan-GameThief/Win32.staem.zo | ms-ds-smb
3 | Adware/Win32.gamevance.ivxj | ms-ds-smb
3 | Virus/Win32.WGeneric.esew | web-browsing
Figure 10: Most common viruses found, sorted by count.
Key observations on the most commonly detected (out of 1,046) spyware and viruses:
The Palo Alto Networks next-generation firewall is providing visibility into the viruses and spyware traversing the network, regardless of port or protocol.
The most common type of malware found is spyware phone home.
Modern Malware Discovered on the Network
A summary of the 232 files analyzed by WildFire during the seven days prior to 11 March 2013 shows that there were 59 pieces of malware found.
Modern Malware Antivirus Vendor Coverage Summary
A summary of the antivirus (AV) vendors who had coverage for the malware found by WildFire, based on VirusTotal (VT) statistics, is shown below.
[Chart: Modern Malware Detected by Day, one bar per weekday (Monday through Friday); legend: Covered by 4+, Coverage from 1 to 3, No Coverage in VirusTotal]
Figure 11: Antivirus vendor coverage for malware detected by WildFire based on VirusTotal statistics.
Sample Malware Detected by WildFire
The list below provides some examples of the malicious files detected by WildFire along with the VirusTotal vendor coverage. The first 30 characters of the filename are shown along with the MD5 checksum, which can be used to investigate the sample in more detail using the WildFire console.
Filename | MD5 | Application | AV Vendor Coverage
nvoice ID-EF2342AC2357-AA-4334 | 0a2c21b865e83500335c98ff6106811f | smtp | Unknown to VT
installer-silent.exe | baeaefa9afa8b8188c40536da769453f | web-browsing | 1
audacity.exe | 377a50bc35c35b2adcf8892f3f05fdfd | web-browsing | Unknown to VT
audacity.exe | 377a50bc35c35b2adcf8892f3f05fdfd | http-proxy | Unknown to VT
default_tab_search_results-1-1 | d43cb808702b85f37e7878c52921af50 | web-browsing | Unknown to VT
Figure 12: Examples of malicious files detected by WildFire.
Key observations on the modern malware discovered by WildFire:
The data above shows the presence of 51 malicious files traversing the network that would not have been detected without WildFire analysis. These modern threats are often the leading edge of a sophisticated attack, making detection and remediation a key component of any layered defense strategy.
Files and File Types Traversing the Network
Applications that transfer files are an integral part of today’s business environment. Knowing which types of files and content are traversing the network can help organizations mitigate a range of business and security threats. The table below shows the most common file and content types along with the associated application.
File/Content Name | Data or File | Transfer Direction | Application Used | Count
ZIP | file | Download | google-earth | 7,827,461
ZIP | file | Download | itunes-base | 1,429,571
MP3 File | file | Upload | web-browsing | 352,699
ZIP | file | Download | web-browsing | 290,132
MP3 File | file | Upload | http-proxy | 180,725
MP3 File | file | Upload | flash | 166,429
Microsoft Cabinet (CAB) | file | Download | sharepoint-base | 141,142
MP3 File | file | Download | itunes-base | 132,935
ZIP | file | Upload | smtp | 67,509
ZIP | file | Download | http-proxy | 58,255
MP3 File | file | Upload | http-audio | 48,829
MP3 File | file | Download | http-audio | 29,854
Java Class File | file | Download | web-browsing | 26,448
ZIP | file | Download | sharepoint-base | 23,977
FLV File | file | Download | flash | 22,815
Adobe Portable Document Format (PDF) | file | Download | web-browsing | 20,506
MP4 Detected | file | Download | youtube-base | 19,183
JPEG File Upload | file | Upload | smtp | 17,151
Microsoft Cabinet (CAB) | file | Download | ms-update | 16,363
MP4 Detected | file | Download | http-video | 13,328
JPEG File Upload | file | Upload | web-browsing | 12,486
MP3 File | file | Download | flash | 11,912
MP3 File | file | Download | web-browsing | 11,694
ZIP | file | Download | ms-ds-smb | 10,929
ZIP | file | Download | flash | 10,354
ZIP | file | Download | symantec-av-update | 9,423
ZIP | file | Upload | web-browsing | 8,645
Microsoft MSOFFICE | file | Download | ms-ds-smb | 8,302
Adobe Portable Document Format (PDF) | file | Upload | smtp | 6,810
ZIP | file | Download | ftp | 5,705
Figure 13: File and content types traversing the network, sorted by type, then by count.
Key observations on the files and content traversing the network:
Files based on type (as opposed to looking only at the file extension) and confidential data patterns (credit card and social security numbers) were detected during the evaluation.
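The observation above rests on classifying a file by its content rather than by the extension it carries. The following added example (not from the original report or from Palo Alto Networks) shows that check in its simplest form for the content types listed in Figure 13, using well-known magic numbers; the sample files and the "Windows executable" signature are constructed for the demonstration.

```python
"""Identify a file's type from its leading bytes instead of trusting its extension.
Added example (not from the original report): a minimal "type, not extension"
check covering the content types in Figure 13, using well-known magic numbers.
The sample blobs at the bottom are constructed inline for the demonstration.
"""
import os

# (type name, offset, magic bytes); names follow Figure 13's labels
SIGNATURES = [
    ("ZIP", 0, b"PK\x03\x04"),
    ("Adobe Portable Document Format (PDF)", 0, b"%PDF-"),
    ("Microsoft Cabinet (CAB)", 0, b"MSCF"),
    ("JPEG File", 0, b"\xff\xd8\xff"),
    ("Java Class File", 0, b"\xca\xfe\xba\xbe"),
    ("FLV File", 0, b"FLV\x01"),
    ("MP4", 4, b"ftyp"),  # ISO BMFF: 4-byte box size, then 'ftyp'
    ("Microsoft MSOFFICE", 0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),  # OLE2
    ("MP3 File", 0, b"ID3"),  # ID3v2-tagged MP3
    ("Windows executable", 0, b"MZ"),  # not in Figure 13; the usual impostor
]

# What each extension claims to be
EXT_CLAIMS = {
    ".zip": "ZIP", ".pdf": "Adobe Portable Document Format (PDF)",
    ".cab": "Microsoft Cabinet (CAB)", ".jpg": "JPEG File", ".jpeg": "JPEG File",
    ".class": "Java Class File", ".flv": "FLV File", ".mp4": "MP4",
    ".doc": "Microsoft MSOFFICE", ".xls": "Microsoft MSOFFICE",
    ".mp3": "MP3 File", ".exe": "Windows executable",
}

def identify(data: bytes) -> str:
    """Return the content type implied by the magic bytes, or 'unknown'."""
    for name, offset, magic in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return name
    # Untagged MP3 streams start with an 11-bit frame sync (0xFF then 0xE0+)
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "MP3 File"
    return "unknown"

def check(filename: str, data: bytes) -> dict:
    """Compare what the extension claims with what the bytes say."""
    claimed = EXT_CLAIMS.get(os.path.splitext(filename)[1].lower(), "unknown")
    actual = identify(data)
    return {"file": filename, "claimed": claimed, "actual": actual,
            "mismatch": claimed != actual}

# Constructed samples: two honest files, two that lie about their type
SAMPLES = {
    "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    "song.mp3": b"ID3\x04\x00\x00\x00\x00\x00\x00",
    "invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00",  # executable posing as a PDF
    "holiday.jpg": b"PK\x03\x04\x14\x00\x00\x00",  # archive posing as an image
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        r = check(name, blob)
        print(f"{name:12} {r['actual']:38} {'MISMATCH' if r['mismatch'] else 'ok'}")
```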
Application Usage by Underlying Technology and Category
The resources consumed (sessions and bytes) based on underlying technology and application subcategory complement the granular application and threat data to provide a more complete summary of the network activity. The charts below show the sessions consumed, based on the underlying application technology, and the bytes consumed, based on the application subcategory.
Figure 13: Application usage by category and by technology.
Usage by technology in sessions as a percentage of total
Technology | Sessions
browser-based | 60%
network-protocol | 23%
client-server | 12%
Usage by category in bytes as a percentage of total
Category | Bytes
photo-video | 30%
internet-utility | 27%
storage-backup | 12%
encrypted-tunnel | 9%
audio-streaming | 7%
proxy | 6%
infrastructure | 2%
software-update | 1%
file-sharing | 1%
Key observations on application usage by category and technology:
During the evaluation, browser-based applications consumed 60% of the sessions.
In terms of application usage by category, photo-video applications consumed 30% of the overall bandwidth.
Findings:
During the planning phase for the Palo Alto Networks analysis, The XYZ Company team explained that their environment is relatively open but the inability to see which applications were traversing the network introduces a wide range of business and security risks. The analysis uncovered the following items.
Activity concealment applications were found. Applications that allowed IT-savvy users to conceal their activity and bypass security were found on the network.
P2P and browser-based filesharing application usage. P2P and browser-based file sharing applications were found, exposing The XYZ Company to security, data loss and copyright infringement risks.
Streaming media and social networking application usage. Applications that are used for entertainment and socializing (media, audio, social networking) were found on the network. These applications represent secure enablement challenges to IT – how to balance morale, recruitment/retention and end-user satisfaction with productivity, threat exposure, compliance, and data loss risks.
Use of Webmail, IM and VoIP. Examples of these personal use applications were found on the network. Many of these applications can easily bypass firewalls and act as threat vectors as well as being an avenue for data leakage.
Recommendations:
Implement safe application enablement policies. Like most organizations, The XYZ Company lacks fine-grained policy governing application use, because it hasn't historically been necessary or enforceable. With the growth in user-controlled applications, their tendency to carry evasive characteristics to simplify access, and the threats that take advantage of them, we recommend implementing safe application enablement policies that allow application use in a controlled manner.
Address high risk areas such as P2P and browser-based filesharing. The security and compliance risks associated with these applications may present problems for The XYZ Company as employees use these applications to bypass existing traditional controls. Without understanding, categorizing, and mitigating risk in these areas, The XYZ Company exposes itself to possible unauthorized data transfer, compliance violations and the associated application-level threats.
Implement policies dictating use of activity concealment applications. Proxy, remote access and encrypted tunnel applications are sometimes used by employees who want to conceal their activity. This represents both business and security risks to The XYZ Company. Policies dictating the use of these applications should be implemented.
Regain control over streaming media applications. The XYZ Company should look at applying policies to rein in the use of these applications without offending the user community. Possible options would be a time-based schedule, or QoS marking to limit consumption.
Seek Application Visibility and Control. The only way to mitigate the application-level risk is first to know which applications are being used, what their business and security risks are, and finally to create and enforce an appropriate firewall policy. There are a few technologies that offer some of the visibility required for certain types of applications, but only next-generation firewalls enable organizations to gain visibility across all application traffic and offer the understanding, control, and scalability to suit enterprises. Accordingly, our recommendation involves deploying a Palo Alto Networks firewall in The XYZ Company network and creating safe application enablement policies to ensure that the network is being used according to the organization’s priorities.
Appendix A: Business Risk Definitions
When developing the business risk analysis presented on page 3, the potential impact the application could have on the enterprise and the processes within were taken into account. The resultant risks to the business are defined below.
Productivity
Risk to productivity stems from misuse that can take one of two forms:
• employees are using non-work-related applications instead of doing their job (e.g., social media, personal email, video streaming)
• non-work applications consume so much bandwidth that legitimate applications function poorly (e.g., P2P filesharing, video streaming)
Compliance
Most organizations must comply with an array of government and business regulations – in the US, this includes GLBA, HIPAA, FD, SOX, FISMA, and PCI. Most of these focus on safeguarding an organization’s operational, financial, customer, or employee data. Many of the personal-use applications represent compliance risks to that information either from a data loss perspective or a threat delivery perspective.
Operational Costs
Risks to operational costs come in two flavors – one, having applications and infrastructure that is used inappropriately to such an extent that more must be bought (e.g., WAN circuits upgraded due to streaming video) to ensure that business processes work, and two, incidents and exploits resulting in IT expense (e.g., rebuilding servers or networks following a security incident involving an exploit or virus).
Business Continuity
Business continuity risks refer to applications (or the threats they carry) that can bring down or otherwise make unavailable critical components of certain business processes. Examples include email, transaction processing applications, or public-facing applications harmed by threats or effectively denied service via excessive consumption of resources by non-business applications.
Data Loss
The risk of data loss is the traditional information security set of risks – those associated with the theft, leakage, or destruction of data. Examples include many public thefts of customer data, theft or inadvertent leak of intellectual property, or destruction of data due to a security threat/breach. A variety of threats play a role, including exploits borne by applications (e.g., social media, P2P filesharing, IM, webmail), and non-business-related applications running on enterprise resources (e.g., P2P filesharing, instant messaging, personal webmail).
Appendix B: Key Palo Alto Networks Technologies and Services
Palo Alto Networks next-generation firewalls safely enable applications, users and content across the entire organization using a combination of technologies and services delivered in either a purpose-built hardware platform or in a virtualized form factor.
App-ID: Using multiple traffic classification mechanisms, App-ID accurately identifies the application as soon as the firewall sees it, regardless of which port the application is using or other evasive technique employed. The application identity becomes the basis for all security policy decisions. Unknown applications are categorized for analysis and systematic management.
User-ID: Allows organizations to extend user-based application enablement policies to any user, regardless of which platform they are using. User-ID seamlessly integrates with a wide range of enterprise directories (Microsoft Active Directory, eDirectory, and Open LDAP) and terminal services offerings (Citrix and Microsoft Terminal Services). Integration with Microsoft Exchange, a Captive Portal, and an XML API enable organizations to extend policy to Apple Mac OS X, Apple iOS, and UNIX users that typically reside outside of the domain.
GlobalProtect: Delivers the same safe application enablement policies that are used at the headquarters site to all users, regardless of location or device. Remote users are automatically and securely connected to the nearest gateway using strong authentication and, as long as they are online, they are connected to the corporate network and protected as if they never left the corporate campus. The result is a consistent set of policies, an improved security posture and a reduction in operational costs.
Content-ID: Prevents vulnerability exploits, malware and the related malware-generated command-and-control traffic using a uniform signature format and a single-pass scanning engine that reduces latency. Threat prevention is applied in full application and protocol context to ensure threats are detected and blocked regardless of evasion techniques used. URL filtering enables policy control over web browsing activity, while file and data filtering help control unauthorized data transfer.
WildFire: Identifies custom malware that is not controlled through traditional signatures by directly executing the files in a cloud-based, virtualized sandbox environment. WildFire observes and monitors more than 100 malicious behaviors and the result is delivered to the administrator. If the file is malicious, a signature is automatically developed and delivered to the user community.
Panorama: Enables organizations to manage a network of Palo Alto Networks firewalls from a central location, balancing the need for global, centralized control with local policy flexibility using features such as templates and shared policy. With Panorama, all functions of the devices and/or virtual systems under management can be controlled centrally.
Purpose-built hardware or virtualized platform: The entire set of safe application enablement features is available on a family of purpose-built hardware platforms that range from the PA-200, designed for enterprise branch offices, to the PA-5060, which is a high-speed datacenter firewall. The platform architecture is based on a single-pass software engine and uses function-specific processing for networking, security, threat prevention and management to deliver predictable performance. The exact same firewall functionality that is available in the hardware platforms is also available in the VM-Series virtual firewall, allowing organizations to secure virtualized and cloud-based computing environments.