Zero Trust Networking. Palo Alto Networks, April 2015. ©2014, Palo Alto Networks. Confidential and Proprietary. Greg Kreiling.

Presentation transcript:

1 Zero Trust Networking. Palo Alto Networks, April 2015. Greg Kreiling, Regional Sales Manager, Michigan.

2 What's Changed? The Evolution of the Attacker
- Cybercrime is now a $1+ trillion industry
- Cyber warfare: 100+ nations

3 What's Changed? The Evolution of the Attack
- Known threats
- Organizational risk
- Identity compromise
- Zero-day exploits / vulnerabilities
- Evasive command-and-control
- Unknown & polymorphic malware
- Mobility threat

4 Changing Face of Security
- Has been:
  - Block known bad traffic
  - Pass the rest of the traffic as good
- New challenge: the unknown
  - Need to investigate unknown traffic and define it as either known good or known bad
  - Then block the newly defined bad
- New world: top-down security architecture
  - Known good
  - Known bad
  - Unknown
  - Continuous loop

5 Failure of Legacy Security Architectures
[Slide diagram: an enterprise network with an Internet connection, protected by a collection of point products from Vendor 1 through Vendor 4: Anti-APT for port 80 APTs, Anti-APT for port 25 APTs, endpoint AV, network AV, DNS protection cloud, DNS protection for outbound DNS, Anti-APT cloud, UTM/blades and a malware intelligence feed. Each product raises its own stream of alerts (DNS alert, endpoint alert, AV alert, SMTP alert, web alert) that are never tied together.]
- Limited visibility
- Manual response
- Lacks correlation

6 Common traits of breached networks
1. A port-based firewall
2. A static IPS
3. Zero-day malware used to manipulate platforms in the network
4. Identity credentials hijacked

7 Understanding the Attack Kill-chain
Attack kill-chain (prevent attacks by stopping one step in the kill-chain):
1. Breach perimeter: initial compromise and malware delivery
2. Deliver malware: deliver secondary malware and communicate with the attacker
3. Endpoint operations: move laterally and infect additional hosts
4. Enter the data center: laterally hop into the data center for an initial infection there
5. Reach the target: lateral data center motion for a foothold on the target VM
6. Steal data: steal intellectual property

8 Requirements for the Future
Detect and prevent threats at every point across the organization:
- At the Internet edge
- Between employees and devices within the LAN
- At the data center edge, and between VMs
- At the mobile device
- In the cloud: within private, public and hybrid clouds

9 Zero Trust Networking: a framework of what can be done in a modern security framework

10 Overall Historic Framework
- Security has been largely based on perimeter point solutions and endpoint AV
  - Firewall, IPS, web gateway, etc.
- Some enterprises may also create security segmentation between network types, usually with port-based rules
- Security in the data center has evolved differently for different companies
  - Some with no security between users and data
  - Some with simple port-based rules
  - Some with port rules and some degree of IPS functionality
- Rules are typically blocking in nature: ports, signatures, or URLs

11 Evolution of Security Architectures
- Up until ~2 years ago, best-of-breed security deployments were seen as the most reliable security model
  - No reliance on a single vendor, no single vulnerability, different engineering efforts
- Today that has led to two problems
  - Platform sprawl: many different security elements with different specialties are required. You become the SI
  - Rule management: as applications or policies change, rules don't get uniformly updated across all platforms, leaving rules that are no longer relevant or that might create new vulnerabilities
- And with those problems, a lack of ability to prevent malware attacks
  - Malware detection becomes another piece of product sprawl
  - Very difficult to move from detection to prevention with so many dissimilar security products in the network
- "Where" security is deployed is rapidly changing; trust zones are breaking down
  - Internet edge, network segmentation, data center edge, data center east/west

12 Then and Now: how the posture of security is changing

13 Internet Perimeter
THEN
- Goal: block known bad ports, signatures and URLs
- Work to protect the network from known threats
- Security posture:
  - Only open the ports needed to support the business
  - Use an IPS to block all known malware via signature
  - Block known dangerous or unapproved URL sites
- Static set of rules
NOW
- Goal: app/user security focused on zero-day prevention
- Work to defend the users and applications from attack
- Security posture can now:
  - Blacklist/whitelist by application and user
  - Sandbox to detect unknown malware
  - Create a feedback loop to map unknown -> known in order to prevent
  - Integrate AV signatures for known/unknown malware
  - Disallow known dangerous URL sites (13,500 additional new per day)
  - Integrate policies between application, signature and URL
- Dynamic security posture

14 Segmentation Strategy
THEN
- Goal: limit traffic flow between different network segments
- Different user groups create different privileges
- Typically port-based firewall rules with specific open ports between segments
- Passive detection strategy for malware and hackers
NOW
- Goal: defeat lateral movement of malware in the network
- Create segmentation zones to limit users per group
- Strictly control flows between security zones
- Limit the types of flows that can move between segments
- Policy tends toward user/application whitelisting, where specific applications are allowed and all other traffic is blocked

15 Data Center Perimeter (N/S flows)
THEN
- Goal: protect your data center from disallowed traffic
- Policy typically based on:
  - Opening ports in and out of the DC based on the applications supported
  - Typically little to no IPS monitoring
  - Less focus on securing traffic egressing the DC
- Often focused on compliance vs. security
NOW
- Goal: protect your data center from any hacked user or malware (no longer trust your users) at the application level
- Policy based on:
  - Whitelisting policies: you know both sides of the flow, so only allow specific interactions between users and applications
- For allowed rules, use WildFire/WF-500 to examine any executable or file shared to look for embedded malware
- Enforce application-based egress policies to limit data exfiltration

16 Intra-Data Center (E/W flows)
THEN
- Goal: protect your data center VMs by enforcing the ports that applications can use to communicate
- Policy typically based on:
  - Opening allowed ports between VMs
  - Typically limited or no IPS functions
NOW
- Goal: protect your data center from any hacked user or malware (no longer trust your VMs) at the application level
- Policy based on:
  - Whitelisting policies: you know both sides of the flow, so only allow specific application interactions (not port rules)
- For allowed rules, use sandboxing to examine any executable or document shared to look for embedded malware
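Slides 14 through 16 all make the same point: a "then" policy keyed on open ports between segments passes anything that happens to use an open port, while a "now" policy whitelists specific user-group/application interactions between zones and denies everything else. The following is an added example, not from the presentation or from Palo Alto Networks, that evaluates the same constructed sample flows under both models to show which flows a port rule would pass but an application whitelist blocks. Zone names, user groups, application names and the sample flows are all assumptions made for illustration; the application field stands in for whatever inspection (including decryption, per slide 18) identifies the traffic as.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    label: str       # constructed description of the sample flow
    src_zone: str    # hypothetical security zone names
    dst_zone: str
    user_group: str  # user group from identity mapping; "none" for machine traffic
    app: str         # application as identified by inspection, not inferred from the port
    dst_port: int


# THEN: port-based segmentation. For each zone pair, the set of open ports.
PORT_RULES: Dict[Tuple[str, str], Set[int]] = {
    ("users", "dc"): {443, 445},
    ("dc", "dc"): {3306, 445},
}

# NOW: whitelist of (src zone, dst zone, user group, application) interactions.
# Anything not explicitly listed is denied; there is no implicit trust in a zone.
APP_RULES: FrozenSet[Tuple[str, str, str, str]] = frozenset({
    ("users", "dc", "finance", "erp-web"),
    ("users", "dc", "engineering", "git"),
    ("dc", "dc", "web-tier", "mysql"),
})


def port_policy(flow: Flow) -> bool:
    """THEN: allow if the destination port is open between the two zones."""
    return flow.dst_port in PORT_RULES.get((flow.src_zone, flow.dst_zone), set())


def app_policy(flow: Flow) -> bool:
    """NOW: allow only an explicitly whitelisted user/application interaction."""
    return (flow.src_zone, flow.dst_zone, flow.user_group, flow.app) in APP_RULES


# Constructed sample flows: two legitimate, four that look like lateral movement
# or misuse of an open port.
SAMPLE_FLOWS: List[Flow] = [
    Flow("finance user to ERP web app", "users", "dc", "finance", "erp-web", 443),
    Flow("web tier to database", "dc", "dc", "web-tier", "mysql", 3306),
    Flow("finance host reaching DC file shares", "users", "dc", "finance", "smb", 445),
    Flow("unidentified TCP on 443 from finance", "users", "dc", "finance", "unknown-tcp", 443),
    Flow("engineering user to ERP web app", "users", "dc", "engineering", "erp-web", 443),
    Flow("web tier to peer VM over SMB", "dc", "dc", "web-tier", "smb", 445),
]


def decisions(flows: List[Flow] = SAMPLE_FLOWS) -> List[Tuple[str, bool, bool]]:
    """Return (label, allowed by port policy, allowed by app policy) per flow."""
    return [(f.label, port_policy(f), app_policy(f)) for f in flows]


def lateral_gaps(flows: List[Flow] = SAMPLE_FLOWS) -> List[str]:
    """Flows a port rule would pass but the application whitelist denies."""
    return [f.label for f in flows if port_policy(f) and not app_policy(f)]


if __name__ == "__main__":
    for label, by_port, by_app in decisions():
        print(f"{label:40s} port-policy={'allow' if by_port else 'deny':5s} "
              f"app-policy={'allow' if by_app else 'deny'}")
    print("port policy passes but app whitelist denies:", lateral_gaps())
```

Every sample flow lands on a port the "then" rules leave open, so the port policy allows all six; the application whitelist allows only the two legitimate interactions. Note that `app_policy` never looks at the port, which is the point of "not port rules" on slide 16: a whitelisted application is allowed wherever it runs, and an unexpected application on a familiar port is not.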

17 Remote Users
THEN
- Goal: remote VPN
- Ensure users from outside the network can get secured access to the network
- Policy typically based on:
  - Creating secured tunnels from remote users to an access concentrator in the network
  - Once authenticated into the network, full rights are allowed
  - Typically limited or no additional security mapped to remote users
NOW
- Goal: remote VPN with malware prevention
- Ensure users from outside the network can get secured access to the network
- Security posture relies on:
  - Validation of the device to determine how safe it is to allow on the network
  - Protection of the device to determine if it has malware
  - Encrypted access for all traffic
  - User-ID integration to create policies regardless of where/how the user accesses the network
  - Full inspection of all flows to watch for malware from the remote device

18 Requirements for Security in Today's Threat Landscape
1. Application-based security rules, including the ability to decrypt flows
2. Rules based on user identity / user groups
3. Sandbox technology to detect unknown malware
4. Threat prevention updates to enable dynamic prevention signatures for malware
5. URL technology to enable dynamic prevention of malware command & control
