BRK2374: Stop data exfiltration and advanced threats in Microsoft Office 365 and Azure
Jigar Shah, Megha Tamvada, Palo Alto Networks
Microsoft Ignite session deck, 6/3/2018 9:04 PM
© Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Expanded Data and Application Locations
- Software as a Service (SaaS)
- Private Cloud (Hyper-V, NSX, KVM, OpenStack)
- Public Cloud (AWS, Azure)
Common Risks
Source of breach data, 2013 to 2017 (breachlevelindex.com):
- Malicious outsider: 59%
- Accidental data exposure: 23%
- Malicious insider: 14%
Common Thread in Security Incidents
1. Infect the user or workload: exploit kit, credential theft, phishing
2. Infect the data center
3. Move across the network
4. Adversary commands: steal data, build botnets, harvest bitcoin
Preventing Successful Attacks
Many Required Capabilities
- Coverage: all applications, all users, all content, encrypted traffic; SaaS, cloud, mobile
- Application control: enable business apps, block "bad" apps, limit app functions, limit file types, block websites
- Threat prevention: exploits, malware, command and control, malicious websites, bad domains, stolen credentials
- Unknown threats: dynamic analysis, static analysis, attack techniques, anomaly detection, analytics
Approach to Security for Clouds
- Diversity of clouds: Hyper-V, AWS, Azure, NSX, KVM, ESXi
- Cloud scalability
- Consistent security across the organization
- Operational/orchestration integration
What about NSGs and ACLs…
Network Security Groups and ACLs are useful, to a point:
- They reduce the attack surface
- They don't inspect for malware, C2, bad IPs…
- They don't control traffic on a per-application basis
- They can be cumbersome to manage day to day
Recommendations:
- Set baseline policies using NSGs and ACLs, preferably in templates
- Control management traffic: lock it down to your organization's IP ranges
- Segment inter-subnet, inter-application-tier and inter-VNET traffic
- Allow inbound only the ports an application actually needs (80, 443…)
- Once these baselines are set, they rarely need to change
VM-Series is complementary to the built-in controls like NSGs and ACLs.
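The baseline above is easy to state and easy to drift from. The following is an added example, not part of the deck or of any Palo Alto Networks or Microsoft tool: a small audit that reads an NSG as exported by `az network nsg show -o json` and flags inbound allow rules that break two of the recommendations (management ports reachable from anything but the organization's ranges; public sources reaching anything but 80/443). The NSG, its rule names and the organization CIDR are constructed for the example; the JSON field names are the real ARM ones.

```python
import ipaddress

# Constructed sample: an NSG on an internet-facing web tier, shaped like the
# JSON that `az network nsg show -o json` returns (only the fields read here).
# Rule names, priorities and addresses are invented for this example.
SAMPLE_NSG = {
    "name": "nsg-web-tier",
    "properties": {"securityRules": [
        {"name": "allow-web", "properties": {"priority": 100, "direction": "Inbound",
            "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "Internet",
            "destinationPortRanges": ["80", "443"]}},
        {"name": "allow-ssh-org", "properties": {"priority": 110, "direction": "Inbound",
            "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24",
            "destinationPortRange": "22"}},
        {"name": "allow-rdp-any", "properties": {"priority": 120, "direction": "Inbound",
            "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
            "destinationPortRange": "3389"}},
        {"name": "allow-sql-from-vnet", "properties": {"priority": 130, "direction": "Inbound",
            "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "VirtualNetwork",
            "destinationPortRange": "1433"}},
        {"name": "allow-all-debug", "properties": {"priority": 4000, "direction": "Inbound",
            "access": "Allow", "protocol": "*", "sourceAddressPrefix": "*",
            "destinationPortRange": "*"}},
    ]},
}

ORG_CIDRS = ["203.0.113.0/24"]          # assumed organization egress range (TEST-NET-3)
MGMT_PORTS = {22, 3389}
WEB_PORTS = {80, 443}
PUBLIC_SOURCES = {"*", "Internet", "0.0.0.0/0"}


def dest_ports(props):
    """Expand destinationPortRange(s) into a set of ints; None means '*' (any port)."""
    ranges = props.get("destinationPortRanges") or [props.get("destinationPortRange", "*")]
    ports = set()
    for item in ranges:
        if item == "*":
            return None
        lo, _, hi = item.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def sources(props):
    return props.get("sourceAddressPrefixes") or [props.get("sourceAddressPrefix", "*")]


def org_only(prefixes, org_cidrs):
    """True only if every source prefix is an IP range inside an org CIDR.
    '*' and service tags such as VirtualNetwork never count as org ranges."""
    nets = [ipaddress.ip_network(c) for c in org_cidrs]
    for p in prefixes:
        try:
            src = ipaddress.ip_network(p, strict=False)
        except ValueError:            # '*' or a service tag
            return False
        if not any(src.version == n.version and src.subnet_of(n) for n in nets):
            return False
    return True


def audit_nsg(nsg, org_cidrs=ORG_CIDRS):
    """Return (rule name, finding) pairs, in priority order, for inbound allow
    rules that violate the baseline."""
    findings = []
    rules = sorted(nsg["properties"]["securityRules"], key=lambda r: r["properties"]["priority"])
    for rule in rules:
        p = rule["properties"]
        if p["direction"] != "Inbound" or p["access"] != "Allow":
            continue
        ports, srcs = dest_ports(p), sources(p)
        public = any(s in PUBLIC_SOURCES for s in srcs)
        if ports is None:
            if not org_only(srcs, org_cidrs):
                findings.append((rule["name"], f"every port allowed inbound from {srcs}"))
            continue
        mgmt = ports & MGMT_PORTS
        if mgmt and not org_only(srcs, org_cidrs):
            findings.append((rule["name"], f"management port(s) {sorted(mgmt)} reachable from {srcs}"))
        elif public and ports - WEB_PORTS:
            findings.append((rule["name"], f"non-web port(s) {sorted(ports - WEB_PORTS)} open to the Internet"))
    return findings


if __name__ == "__main__":
    for name, why in audit_nsg(SAMPLE_NSG):
        print(f"{name}: {why}")
```

Run against the sample, the audit reports `allow-rdp-any` (3389 from `*`) and `allow-all-debug` (any port from `*`), and stays silent on `allow-sql-from-vnet`, because a `VirtualNetwork` source on 1433 is the inter-tier segmentation the slide recommends, not Internet exposure. Point it at every NSG in a subscription from a pipeline step and the "set once, rarely change" baseline becomes something you can prove rather than assume.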
Stop Data Exfiltration and Advanced Threats in Azure
- Segmentation (subnet, VNET, resource group): improved security and compliance
- Inspect all traffic: visibility and control
- Whitelist applications: control
- Restrict destinations (east-west, north-south): block C2, prevent exfiltration and attacks
- Scale out: elastic, cloud-friendly architectures
Security Challenges in Public Cloud
Deploying the best virtual firewalls is now easy; scaling them with minimum headaches is a bit harder. How do you:
- Secure outbound and east-west traffic
- Centralize the security stack across apps
- Secure inbound web apps
Inbound: Securing Web Applications, at Scale
Azure Application Gateway + WAF
- Web application delivery controller (ADC)
- Protects web applications against common exploits and vulnerabilities
- OWASP core rule sets 3.0 and 2.2.9
VM-Series next-generation firewall
- Inbound, outbound and east-west security; complements the WAF
- Protects all traffic types
- Inspects reverse (response) traffic for PII data
- Blocks malicious files using WildFire
- Blocks malicious IPs, updated via External Dynamic Lists (EDLs)
(Diagram: Resource Group, VNET, Availability Set, Web Tier, Application Gateway + WAF, Internal Azure Load Balancer)
Templates: github.com/PaloAltoNetworks/azure-applicationgateway; github.com/jigarshah04/azure-applicationgateway (WAF enabled)
Outbound & East-West Security, at Scale
VM-Series can:
- Control outbound and east-west traffic by application type and destination
- Protect against exfiltration, C2, malicious IPs, malware botnets, bitcoin mining…
With ordinary load-balancing rules you must configure the LB for every application and each port/protocol: 53, 80, 123, 443…, TCP and UDP
(Diagram: Availability Set, Web Tier, Internet, UDR, Azure Load Balancer, Untrust and Trust interfaces, DB Tier)
Centralized Security Stack
(Diagram: a Security/Services VNET with Panorama, connected by VNET Peering to a Web Application VNET and a Generic Application VNET, to the Internet, and to the Private Data Center over ExpressRoute or IPSec VPN)
Outbound & East-West Security, at Scale
- Control outbound traffic by application type and destination
- Protect against exfiltration, C2, malware bot networks, bitcoin mining…
- Floating IP mode + HA Ports load balancing
(Diagram: Availability Set, Web Tier, Internet, UDR, Azure Load Balancer, Untrust and Trust interfaces, DB Tier)
Demo: Controlling outbound and east-west traffic in Azure
What's Special Here? User-Defined Routes (UDR) to Azure Load Balancer
- Azure UDRs control packet routing: traffic cannot bypass the firewall
- VM-Series firewalls can be scaled out behind an Azure Load Balancer
Floating IP mode option
- No destination NAT (DNAT) by the internal Azure Load Balancer
- The VM-Series firewall sees the actual destination, applies policy and forwards the packet
- Works well for east-west and outbound; nothing fancy needed
HA Ports load balancing
- No need to configure individual port/protocol rules for each application
- The VM-Series firewall controls the applications, per policy, for all use cases
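The three properties above (every route lands on the ILB, the rule on that frontend is HA ports, floating IP is on) are exactly the ones a later change can silently break. As an added example, not code from the deck or from any vendor, here is a check over a route table and an internal load balancer as exported by `az network route-table show` and `az network lb show`, plus three deliberately broken variants so each failure mode has a message. Resource names, IDs and addresses are constructed; the JSON field names are the real ARM ones.

```python
import copy

# Constructed sample resources (only the fields read here). Names and IPs are invented.
FE_ID = ("/subscriptions/SUB/resourceGroups/rg-sec/providers/Microsoft.Network"
         "/loadBalancers/ilb-fw/frontendIPConfigurations/fe-trust")
SAMPLE_LB = {
    "name": "ilb-fw",
    "properties": {
        "frontendIPConfigurations": [
            {"name": "fe-trust", "id": FE_ID, "properties": {"privateIPAddress": "10.0.1.4"}}],
        "loadBalancingRules": [
            {"name": "ha-ports", "properties": {
                "protocol": "All", "frontendPort": 0, "backendPort": 0,   # HA ports: all ports, all protocols
                "enableFloatingIP": True,                                  # no DNAT toward the firewall NIC
                "frontendIPConfiguration": {"id": FE_ID}}}],
    },
}
SAMPLE_ROUTE_TABLE = {
    "name": "rt-web-tier",
    "properties": {"routes": [
        {"name": "default-via-fw", "properties": {"addressPrefix": "0.0.0.0/0",
            "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.1.4"}},
        {"name": "db-tier-via-fw", "properties": {"addressPrefix": "10.0.2.0/24",
            "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.1.4"}},
    ]},
}


def check_firewall_path(route_table, lb):
    """Return findings; an empty list means every route in the table points at an
    ILB frontend that has an HA-ports rule with floating IP enabled."""
    findings = []
    fe_by_ip = {fe["properties"]["privateIPAddress"]: fe["id"]
                for fe in lb["properties"]["frontendIPConfigurations"]}
    rules = [r["properties"] for r in lb["properties"]["loadBalancingRules"]]
    routes = {r["properties"]["addressPrefix"]: r["properties"]
              for r in route_table["properties"]["routes"]}
    if "0.0.0.0/0" not in routes:
        findings.append("no 0.0.0.0/0 route: outbound traffic follows the Azure system route and bypasses the firewall")
    for prefix, r in routes.items():
        if r["nextHopType"] != "VirtualAppliance":
            findings.append(f"{prefix}: next hop type {r['nextHopType']} bypasses the firewall")
            continue
        hop = r.get("nextHopIpAddress")
        if hop not in fe_by_ip:
            findings.append(f"{prefix}: next hop {hop} is not a frontend of {lb['name']}")
            continue
        ha = [x for x in rules
              if x["frontendIPConfiguration"]["id"] == fe_by_ip[hop]
              and x["protocol"] == "All" and x["frontendPort"] == 0 and x["backendPort"] == 0]
        if not ha:
            findings.append(f"{prefix}: frontend {hop} has no HA-ports rule, so only port/protocol pairs "
                            "with an explicit rule reach the firewall")
        elif not ha[0]["enableFloatingIP"]:
            findings.append(f"{prefix}: HA-ports rule on {hop} has floating IP off, so the ILB rewrites the "
                            "destination to the firewall NIC and the firewall loses the real destination")
    return findings


def broken_variants():
    """Three misconfigurations derived from the good sample, keyed by what went wrong."""
    no_float = copy.deepcopy(SAMPLE_LB)
    no_float["properties"]["loadBalancingRules"][0]["properties"]["enableFloatingIP"] = False
    per_port = copy.deepcopy(SAMPLE_LB)
    per_port["properties"]["loadBalancingRules"][0]["properties"].update(
        protocol="Tcp", frontendPort=443, backendPort=443)
    bypass = copy.deepcopy(SAMPLE_ROUTE_TABLE)
    bypass["properties"]["routes"][0]["properties"] = {"addressPrefix": "0.0.0.0/0", "nextHopType": "Internet"}
    return {"floating-ip-off": (SAMPLE_ROUTE_TABLE, no_float),
            "per-port-rule": (SAMPLE_ROUTE_TABLE, per_port),
            "default-route-bypass": (bypass, SAMPLE_LB)}


if __name__ == "__main__":
    print("good:", check_firewall_path(SAMPLE_ROUTE_TABLE, SAMPLE_LB))
    for label, (rt, lb) in broken_variants().items():
        print(label + ":", check_firewall_path(rt, lb))
```

The `per-port-rule` variant is the situation the earlier slide describes, where the LB only carries the port/protocol pairs someone remembered to add; the `floating-ip-off` variant is the one that is hardest to notice from a packet capture on the workload, because traffic still flows, it just arrives at the firewall with the wrong destination address.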
Centralized Security Stack
- Floating IP mode + HA Ports load balancing
(Diagram: a Security/Services VNET with Panorama, connected by VNET Peering to a Web Application VNET and a Generic Application VNET, to the Internet, and to the Private Data Center over ExpressRoute or IPSec VPN)
Daisy Chain Security with Operations
When a critical threat is found in the logs:
1. Trigger an Azure Function
2. Make an API call to VM-Series
Enable action-oriented log forwarding in VM-Series.
Azure API call:
- Quarantine the VM
- Close off the NSG
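What that function would actually do, as an added example rather than code from the deck or from Palo Alto Networks: it receives the forwarded log event, decides whether it warrants quarantine, and plans two kinds of call. The first tags the source IP through the PAN-OS User-ID XML API so it falls into a dynamic address group that a deny rule references; the second uses the ARM REST API to PUT deny rules into the NSG attached to the infected VM. The event body layout is assumed to be whatever was defined in the VM-Series HTTP server profile payload; the firewall host, tag name, subscription, resource group, the IP-to-NSG mapping and the event itself are all constructed for the example. The ARM URL and rule body are the real `securityRules` shape.

```python
import json
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Assumed deployment facts (none of these come from the deck).
FIREWALL_HOST = "fw-mgmt.example.internal"           # VM-Series management interface
QUARANTINE_TAG = "quarantine"                          # tag matched by a dynamic address group in a deny rule
SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"
RESOURCE_GROUP = "rg-web"
NSG_BY_SOURCE_IP = {"10.0.2.15": "nsg-web-tier"}     # stands in for a NIC -> NSG lookup
API_VERSION = "2018-02-01"
DENY_PRIORITY = 100                                    # must be unused within that direction in the NSG

# Constructed event: the JSON body we assume the HTTP server profile payload emits
# (PAN-OS log forwarding substitutes fields such as $src and $severity into it).
SAMPLE_EVENT = json.dumps({
    "serial": "007200001234", "type": "THREAT", "subtype": "vulnerability",
    "severity": "critical", "src": "10.0.2.15", "dst": "198.51.100.7",
    "app": "web-browsing", "threatid": "constructed-signature-name", "action": "alert",
}).encode()


def should_quarantine(event):
    return event.get("type") == "THREAT" and event.get("severity") == "critical"


def panos_register_cmd(ip, tag):
    """User-ID XML that registers a tag on an IP; the firewall's DAG picks it up."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    entry = ET.SubElement(ET.SubElement(payload, "register"), "entry", ip=ip)
    ET.SubElement(ET.SubElement(entry, "tag"), "member").text = tag
    return ET.tostring(root, encoding="unicode")


def nsg_rule_url(nsg, rule_name):
    return (f"https://management.azure.com/subscriptions/{SUBSCRIPTION}/resourceGroups/{RESOURCE_GROUP}"
            f"/providers/Microsoft.Network/networkSecurityGroups/{nsg}/securityRules/{rule_name}"
            f"?api-version={API_VERSION}")


def deny_rule(direction, vm_ip, priority=DENY_PRIORITY):
    """ARM body for a securityRules PUT that denies all traffic to (Inbound) or
    from (Outbound) one VM, so a subnet-level NSG only isolates that VM."""
    props = {"protocol": "*", "sourcePortRange": "*", "destinationPortRange": "*",
             "sourceAddressPrefix": "*", "destinationAddressPrefix": "*",
             "access": "Deny", "direction": direction, "priority": priority}
    props["destinationAddressPrefix" if direction == "Inbound" else "sourceAddressPrefix"] = vm_ip
    return {"properties": props}


def plan_response(body):
    """Turn a forwarded log event into the calls to make: (method, url, body)."""
    event = json.loads(body)
    if not should_quarantine(event):
        return []
    src = event["src"]
    actions = [("POST", f"https://{FIREWALL_HOST}/api/",
                {"type": "user-id", "cmd": panos_register_cmd(src, QUARANTINE_TAG)})]
    nsg = NSG_BY_SOURCE_IP.get(src)
    if nsg:  # close off the NSG around the infected VM in both directions
        base = "quarantine-" + src.replace(".", "-")
        actions.append(("PUT", nsg_rule_url(nsg, base + "-in"), deny_rule("Inbound", src)))
        actions.append(("PUT", nsg_rule_url(nsg, base + "-out"), deny_rule("Outbound", src)))
    return actions


def execute(actions, azure_token, firewall_api_key):
    """Send the planned calls; needs a real ARM bearer token and PAN-OS API key."""
    for method, url, body in actions:
        if method == "PUT":
            req = urllib.request.Request(url, method="PUT", data=json.dumps(body).encode(),
                                         headers={"Authorization": f"Bearer {azure_token}",
                                                  "Content-Type": "application/json"})
        else:
            form = urllib.parse.urlencode({**body, "key": firewall_api_key}).encode()
            req = urllib.request.Request(url, method="POST", data=form)
        with urllib.request.urlopen(req, timeout=30) as resp:
            resp.read()


if __name__ == "__main__":
    for method, url, body in plan_response(SAMPLE_EVENT):
        print(method, url, json.dumps(body)[:80])
```

Two design points worth carrying into a real function: the deny rules are scoped to the one VM address rather than `*`, so an NSG shared by a subnet does not take the whole tier offline, and the firewall tag is applied first, since the firewall sees every flow from that host immediately while NSG updates take time to converge. Give the function's identity only the `Microsoft.Network/networkSecurityGroups/securityRules/write` permission it needs, and keep the firewall API key for an admin role that is limited to User-ID operations.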
Templates
- Outbound
- Inbound: Web Apps
- Inbound: All apps
Cloud templates: github.com/fullscale180/PAN, github.com/PaloAltoNetworks, live.paloaltonetworks.com
Stop data exfiltration and advanced threats in Microsoft Office 365
EXPANDED DATA AND APPLICATION LOCATIONS
- Software as a Service (SaaS)
- Public Cloud (AWS, Azure)
- Private Cloud (NSX, OpenStack)
IMPORTANCE OF VISIBILITY
Full context for a single 344 KB upload: application slideshare (URL category file-sharing), application function slideshare-uploading, user mjacobsen (group prodmgmt), source IP 172.16.1.10, destination IP 64.81.2.23, destination port TCP/443, protocols HTTP over SSL, destination country Canada, file type PowerPoint, content "Confidential and Proprietary".
ENTERPRISE SECURITY REQUIRES SECURING APPS, USERS AND CONTENT
The next-generation firewall provides full context:
- Application or app function
- User or role
- Nature of content
This has been core functionality of PAN-OS from the beginning.
DISCOVER CLOUD APPS AND ASSESS RISK
- SaaS usage reporting
- Interactive SaaS dashboard
SAAS THREATS
- Malware propagation
- Data exfiltration: a malicious user or an external collaborator can "Share all files publicly!"
SIMPLE HUMAN ERROR
- Promiscuous sharing
- Unintentional sharing: typing "mark" into Share With offers Mark from Marketing, Mark (CFO), or "Anyone with the link"
INLINE PROTECTION
Sees the traffic, but has no context from inside the application
API BASED PROTECTION
- Preserves the user experience
- More context: a lot more than content and user activity
- Monitors the application's security controls
- Third-party integrations
SECURELY ENABLE O365 WITH APERTURE (backed by WildFire)
- Complete visibility and control: prevent data exposure and enforce compliance
- Prevent malware: known and unknown malware
- Automated remediation: quarantine assets and notify users instantly
- Retroactive policy: policy applies to past and future events
APERTURE DLP POLICIES
- PCI: credit card number, magnetic stripe, IBAN
- PII: US SSN, US TIN, Canada SIN, UK UTR/NINO, Australia TIN and Germany TFN
- Source code policy: file type + regular expressions
- Company confidential policy: inspects documents marked as Confidential
- Regular expression: customer defined, using Java regex syntax
- Sensitive credentials: RSA private keys, SSH keys
- Sensitive documents: document classification using machine learning
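To make the policy list above concrete, here is an added example of the kind of logic behind four of those policies, written in Python for illustration; it is not Aperture's implementation (whose customer-defined rules use Java regex syntax) and the sample document is constructed from a well-known test card number, the SSA's own example SSN and a truncated key block. The point it shows beyond pattern matching: a credit-card policy that skips the Luhn check fires on every 16-digit order number, and an SSN policy needs the issuance rules, not just three-two-four digits.

```python
import re

# Constructed document containing one of each pattern; none of it is real data.
SAMPLE_DOC = """Confidential and Proprietary: Q3 pricing
Card on file: 4111 1111 1111 1111 (exp 09/27); internal ref 1234 5678 9012 3456
Employee SSN 219-09-9999; placeholder record 000-12-3456
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAexample...
-----END RSA PRIVATE KEY-----
"""

# 13 to 19 digits, optionally separated by spaces or dashes, not inside a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")
CONFIDENTIAL_RE = re.compile(r"\bconfidential\b", re.IGNORECASE)


def luhn_ok(digits):
    """Luhn checksum: separates real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area, group, serial):
    """SSA never issues area 000, 666 or 9xx, group 00, or serial 0000."""
    return area not in ("000", "666") and area[0] != "9" and group != "00" and serial != "0000"


def mask_pan(digits):
    """Keep the first six and last four digits, which is what a finding may record."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan(text):
    """Return (policy, masked evidence) pairs for the policies this example covers."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(("PCI: credit card number", mask_pan(digits)))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(("PII: US SSN", "***-**-" + m.group(3)))
    if PRIVATE_KEY_RE.search(text):
        findings.append(("Sensitive credentials: private key", "PEM private key header"))
    if CONFIDENTIAL_RE.search(text):
        findings.append(("Company confidential: marked document", "'Confidential' marker"))
    return findings


if __name__ == "__main__":
    for policy, evidence in scan(SAMPLE_DOC):
        print(f"{policy}: {evidence}")
```

On the sample this reports one card (the Luhn-valid 4111 number, masked), one SSN (219-09-9999; 000-12-3456 is rejected by the issuance rules), the private key header and the Confidential marker, while the 16-digit internal reference is ignored because it fails Luhn. Findings carry only masked evidence, since a DLP alert that quotes the full card number is itself a PCI exposure.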
ACTIVITY BASED ALERTING/USER ANOMALIES
SAAS THIRD-PARTY APP PLATFORM
Most SaaS vendors have a third-party app platform.
APERTURE PROTECTION FOR OFFICE 365
- SharePoint and OneDrive
- Exchange Online
- Yammer
APERTURE FOR EXCHANGE (connected to the Threat Intelligence Cloud)
Email security: threat prevention and DLP
- 0-day malware detection tied to WildFire
- Detection of sensitive content and exposure
- Activity monitoring and anomalies
Email controls monitoring
- Detection of auto-forwarding to untrusted domains
- Detection of public folders
- Detection of retention policy violations
APERTURE FOR SHAREPOINT & ONEDRIVE (connected to the Threat Intelligence Cloud)
Protect against data exfiltration
- Detection of sensitive content
- Activity monitoring and anomalies
- Monitor SharePoint sites, users and OneDrive folders
- Remediate accidental exposure
Stop malware propagation
- Detect malware
- Quarantine
APERTURE FOR YAMMER (connected to the Threat Intelligence Cloud)
Protect against data exfiltration
- Detection of sensitive content across Yammer networks
- Remediate accidental exposure
Stop malware propagation
- Detect malware
APERTURE FOR IAAS (connected to the Threat Intelligence Cloud)
Protect against data exfiltration
- Detection of sensitive content
- Remediate accidental exposure
Stop malware propagation
- Detect malware
CONTINUOUS EXPANSION OF SAAS APP COVERAGE IN PAN-OS AND APERTURE
Sanctioned and unsanctioned apps:
- 2300+ apps (SaaS and non-SaaS) identified with App-ID, each with an application risk rating
- 6 new App-IDs every week
- Custom App-ID
- URL Filtering (adding 70K URLs/day)
Demo
A Prevention Platform for Microsoft Environments
In the Cloud
- Securely enable Office 365 and Azure migrations
- Protect cloud environments from threats
- Prevent data loss in Office 365
On the Network
- Next-generation firewall, appliance or virtualized
- Securely enable Microsoft applications
- Prevent known and unknown threats
On the Endpoint
- Enforce policy consistency for all users and devices
- Prevent known and unknown threats
Please evaluate this session
From your PC or tablet: visit MyIgnite, https://myignite.microsoft.com/evaluations
From your phone: download and use the Microsoft Ignite mobile app, https://aka.ms/ignite.mobileapp
Your input is important!