
What Are We Missing? Practical Use of the Next-Generation Firewall: Controlling Modern Malware and Threats Jason Wessel – Solutions Architect.


1 What Are We Missing? Practical Use of the Next-Generation Firewall: Controlling Modern Malware and Threats Jason Wessel – Solutions Architect

2 Palo Alto Networks at a glance
Corporate highlights
- Founded in 2005; first customer shipment in 2007
- Safely enabling applications
- Able to address all network security needs
- Exceptional ability to support global customers
- Experienced technology and management team
- 900+ employees globally
[Chart: revenue ($MM, FYE July) and enterprise customers, Jul-10 through Oct-12]
2 | ©2013, Palo Alto Networks. Confidential and Proprietary.

3 Data Sources for Today's Talk
Application Data: Application Usage and Risk Report (evaluation networks)
- Taken from 1,636 live enterprise networks
- 30% North America, 30% Asia, 40% Europe
- 9.5 Petabytes of data
Malware Data: WildFire Malware Analysis (production networks)
- 26,000 unknown malware samples
- Collected from 1,000+ production enterprise networks at the firewall
- 3 months of data

4 The Lifecycle of Network Attacks
1. Bait the end-user: end-user lured to a dangerous application or website containing malicious content
2. Exploit: infected content exploits the end-user, often without their knowledge
3. Download Backdoor: secondary payload is downloaded in the background; malware installed
4. Establish Back-Channel: malware establishes an outbound connection to the attacker for ongoing control
5. Explore & Steal: remote attacker has control inside the network and escalates the attack

5 In Malware, Both Sides Are Malicious
- Attacks are blended and patient: exploits, malware and traffic; long-term time scale
- Malware is the strategic enabler: provides a persistent point of control inside the target network
- Malware enables evasion: when both ends of a connection are malicious, new evasions become available (encryption, strange ports, tunneling, polymorphic malware, etc.)

6 Solving Modern Malware and Targeted Threats
1. Full Visibility of Traffic
- Equal analysis of all traffic across all ports (no assumptions)
- Control the applications that attackers use to hide
- Decrypt, decompress and decode
2. Control the full attack lifecycle
- Exploits, malware, and malicious traffic
- Maintain context across disciplines
- Maintain predictable performance
3. Expect the Unknown
- Detect and stop unknown malware
- Automatically manage unknown or anomalous traffic

7 Requirement 1: Visibility Into All Traffic “Got To See It to Prevent It”

8 Applications and Malware Evade Security
- Port-Based Evasion: traditional security enforces rules and signatures based on port
- Tunneling: hide inside allowed traffic
- Custom Protocols: unique TCP, UDP and encryption
- Custom Malware: targeted attacks; polymorphic malware

9 Evasion is Common in Applications
- Non-Standard Ports
  - Evasive applications: standard application behavior
  - Security best practices: moving Internet-facing protocols off of standard ports (e.g. RDP)
- Tunneling Within Allowed Protocols: SSL and SSH; HTTP; DNS
- Circumventors: proxies; anonymizers (Tor); custom encrypted tunnels (e.g. Freegate, Ultrasurf)

10 How Evasive is "Evasive"?
Ports on which each application was seen:
- SSL: 4,740 ports
- Skype: 1,802 ports
- Skype Probe: 27,749 ports
- BitTorrent: 21,222 ports

11 Circumventing Applications in Networks
- Remote Access: 27 variants, found 95% of the time (APT1 remote access)
- External Proxies: 22 variants, found 76% of the time (TDL-4 paid proxy service)
- Encrypted Tunnels: non-VPN related, found 30% of the time (Ultrasurf observed as malware C2)

12 Next Generation Firewall – The Right Place
- The Rule of All: all traffic, all ports, all the time; mobile and roaming users
- Progressive Inspection: decode (190+ application and protocol decoders); decrypt (based on policy); decompress
- Stop the methods that attackers use to hide: proxies; encrypted tunnels; peer-to-peer
Any Traffic Not Fully Inspected = Threats Missed

13 Proof: Evasion in Action
- Unknown traffic traversing the DNS port
- HTTP using random high ports

14 What Was In That Non-Standard Stream?
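Slides 9 through 14 make one point: the port tells you nothing reliable about the application. The example below is added here and is not Palo Alto Networks code; it imitates the App-ID idea on a handful of constructed flows by classifying each one from its first payload bytes and comparing that with what the destination port implies, so HTTP on a random high port and non-DNS bytes on UDP/53 both surface. The port map, the payload signatures and the sample flows are all assumptions made for this illustration.

```python
"""Port-independent application identification over a few constructed flows.

Added example, not Palo Alto Networks code: it imitates the idea behind App-ID
(classify a flow by what its payload looks like, then compare that with what the
destination port implies) so that HTTP on a random high port or non-DNS bytes on
UDP/53 stand out. The port map, the signatures and the sample flows are all
assumptions made for this illustration.
"""
import re
import struct

# Assumption: the port-to-application mapping a port-based firewall would trust.
PORT_EXPECTATION = {80: "http", 443: "tls", 53: "dns", 22: "ssh"}

HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n"
)


def looks_like_dns_query(payload: bytes) -> bool:
    """True if the bytes parse as a DNS query: 12-byte header with QR=0, opcode 0
    and exactly one question, followed by a well-formed name and QTYPE/QCLASS."""
    if len(payload) < 17:
        return False
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000 or (flags >> 11) & 0xF or qdcount != 1:
        return False
    pos = 12
    while True:
        if pos >= len(payload):
            return False
        label_len = payload[pos]
        if label_len == 0:
            break
        if label_len > 63:  # compression pointers are not expected in a query name
            return False
        pos += 1 + label_len
    return len(payload) >= pos + 5  # terminating 0, then QTYPE and QCLASS


def identify_app(proto: str, payload: bytes) -> str:
    """Name the application from the first payload bytes, or 'unknown'."""
    if HTTP_REQUEST_LINE.match(payload):
        return "http"
    if payload[:1] == b"\x16" and payload[1:2] == b"\x03":
        return "tls"  # TLS record type 22 (handshake), major version 3
    if payload.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"
    if proto == "udp" and looks_like_dns_query(payload):
        return "dns"
    return "unknown"


def assess_flow(proto: str, dport: int, payload: bytes) -> dict:
    """Compare the port-implied application with the payload-identified one."""
    expected = PORT_EXPECTATION.get(dport, "unknown")
    observed = identify_app(proto, payload)
    if observed == "unknown":
        verdict = "unknown-on-known-port" if expected != "unknown" else "unknown"
    elif observed == expected:
        verdict = "match"
    else:
        verdict = "non-standard-port"
    return {"proto": proto, "dport": dport, "expected": expected,
            "observed": observed, "verdict": verdict}


def dns_query(name: str) -> bytes:
    """Build a minimal A query for `name` (constructed sample traffic)."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + b"\x00\x01\x00\x01"


# Constructed flows: (protocol, destination port, first payload bytes).
SAMPLE_FLOWS = [
    ("tcp", 80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("udp", 53, dns_query("www.example.com")),
    ("tcp", 51337, b"POST /gate.php HTTP/1.1\r\nHost: 203.0.113.9\r\n\r\n"),  # HTTP on a random high port
    ("udp", 53, b"\x13\x37\x01\x00\x00\x02\x00\x00\x00\x00\x00\x00BEACON-DATA"),  # not a DNS query, on the DNS port
    ("tcp", 8443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),  # TLS ClientHello off port 443
]


def triage(flows=SAMPLE_FLOWS) -> list:
    """Return only the flows a port-based policy would have misjudged."""
    return [r for r in (assess_flow(*f) for f in flows) if r["verdict"] != "match"]


if __name__ == "__main__":
    for r in triage():
        print(f"{r['proto']}/{r['dport']:<5} expected={r['expected']:<8} "
              f"observed={r['observed']:<8} {r['verdict']}")
```

Two of the three flagged flows are exactly the cases on slide 13: a request line on TCP/51337 and a payload on UDP/53 that does not parse as a DNS query. A real decoder set is far larger (the deck cites 190+), and the "unknown-on-known-port" verdict is the one to investigate first, since a byte stream that matches nothing on a port that should be well understood is where the deck says the real risk lurks.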

15 Requirement 2: Threat Prevention That Performs “Protecting Against the Known”

16 Coordinated Threat Prevention: An Integrated Approach to Threat Prevention
Coordinated intelligence to detect and block active attacks based on signatures, sources and behaviors. The slide is a matrix of controls (App-ID, URL Filtering, IPS, Anti-Spyware, AV and File Blocking, the threat-prevention columns grouped under the Threat License, and WildFire) against the attack lifecycle:
- Bait the end-user: block high-risk apps (App-ID); block known malware sites (URL)
- Exploit: block the exploit (IPS)
- Download Backdoor: prevent drive-by downloads (Files); block malware (AV); detect unknown malware (WildFire)
- Establish Back-Channel: block spyware and C&C traffic (Spyware); block C&C on non-standard ports (App-ID); block malware and fast-flux domains (URL); block new C&C traffic (WildFire)
- Explore & Steal

17 Traditionally, More Security = Poor Performance
Traditional Security
- Each security box or blade robs the network of performance
- Threat prevention technologies are often the worst offenders
- Leads to the classic friction between network and security
[Chart: throughput falling from best-case performance as firewall, anti-malware and IPS are added]

18 Single-Pass Pattern Match Single-pass pattern match engine can provide multiple matches with one pass through the engine. Look once, get many answers.

19 Stream-Based Malware Analysis In-line threat prevention is stream based, because it's the only method that maintains performance. Only Palo Alto Networks and Fortinet have stream-based malware analysis (requires specialized processors).
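Slides 18 and 19 describe two properties of the inspection engine without showing how they fit together: a single pass over the bytes that yields every signature match, and scanning that keeps up with a stream instead of buffering a whole file. The example below is added here and is not Palo Alto Networks' engine; it uses a classic Aho-Corasick automaton, which has both properties, fed chunk by chunk so that signatures straddling chunk boundaries are still found. The signatures and the sample file are constructed for illustration and are not real detection content.

```python
"""Single-pass, stream-based multi-pattern scanning with an Aho-Corasick automaton.

Added example, not Palo Alto Networks' engine. It shows the two properties the
slides describe: one pass over the bytes reports every signature that matches
("look once, get many answers"), and the automaton carries its state from one
chunk to the next, so a file is scanned as it streams through rather than being
buffered whole. The signatures and the sample file are constructed for
illustration and are not real detection content.
"""
from collections import deque


class StreamMatcher:
    """Aho-Corasick matcher that can be fed a byte stream chunk by chunk."""

    def __init__(self, signatures: dict):
        self.lengths = {name: len(pat) for name, pat in signatures.items()}
        self.goto = [{}]   # per state: next byte -> state
        self.fail = [0]    # per state: longest proper suffix that is also a prefix
        self.out = [[]]    # per state: signature names ending here
        for name, pat in signatures.items():
            state = 0
            for b in pat:
                nxt = self.goto[state].get(b)
                if nxt is None:
                    nxt = self._new_state()
                    self.goto[state][b] = nxt
                state = nxt
            self.out[state].append(name)
        self._build_failure_links()
        self.state = 0       # automaton state carried across chunks
        self.offset = 0      # bytes consumed so far

    def _new_state(self) -> int:
        self.goto.append({})
        self.fail.append(0)
        self.out.append([])
        return len(self.goto) - 1

    def _build_failure_links(self) -> None:
        queue = deque(self.goto[0].values())  # depth-1 states fail back to the root
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                # A match ending at s also ends every shorter signature that is a suffix.
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def feed(self, chunk: bytes) -> list:
        """Scan one chunk; return (signature, start offset) for every match seen."""
        hits = []
        for b in chunk:
            while self.state and b not in self.goto[self.state]:
                self.state = self.fail[self.state]
            self.state = self.goto[self.state].get(b, 0)
            for name in self.out[self.state]:
                hits.append((name, self.offset + 1 - self.lengths[name]))
            self.offset += 1
        return hits


# Constructed signatures: byte strings a scanner might look for in a Windows binary.
SIGNATURES = {
    "mz_header": b"MZ",
    "pe_dos_stub": b"This program cannot be run in DOS mode",
    "dos_mode": b"DOS mode",          # a suffix of pe_dos_stub: both must be reported
    "upx_packer": b"UPX!",
    "cmd_shell": b"cmd.exe /c",
}

# Constructed sample "file": header, DOS stub, packer marker and an embedded command.
SAMPLE_FILE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"This program cannot be run in DOS mode\r\n"
    + b"\x00" * 8
    + b"UPX!"
    + b"\x00" * 4
    + b"cmd.exe /c whoami"
)


def scan_stream(data: bytes, chunk_size: int) -> list:
    """Feed `data` through a fresh matcher in chunks of `chunk_size` bytes."""
    matcher = StreamMatcher(SIGNATURES)
    hits = []
    for i in range(0, len(data), chunk_size):
        hits.extend(matcher.feed(data[i:i + chunk_size]))
    return sorted(hits, key=lambda h: (h[1], h[0]))


if __name__ == "__main__":
    # Signatures straddle the 7-byte chunk boundaries, yet every one is reported once.
    for name, start in scan_stream(SAMPLE_FILE, 7):
        print(f"{start:4d}  {name}")
```

The result is identical whether the sample is fed one byte at a time, in 7-byte chunks, or as a single block, which is what lets an inline engine release bytes to the client as they are cleared rather than holding the whole file. The cost of matching is linear in the bytes scanned and independent of how many signatures are loaded, which is the performance argument behind slide 20.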

20 Validated in 3rd Party Testing "Regardless of which UTM features we enabled - intrusion prevention, antispyware, antivirus, or any combination of these - results were essentially the same as if we'd turned on just one such feature. Simply put, there's no extra performance cost…" -NetworkWorld, 2012

21 Requirement 3: Expect the Unknowns “Where the Real Risk Lurks”

22 Unknown Traffic and Domains Used by Malware
Use unknowns as correlating factors for policy enforcement:
- No file downloads from unknown domains
- No HTTP POSTs to unknown domains
- Investigate and classify any unknown traffic

23 Systematically Classify the Unknowns
- Look for large numbers of sessions relative to bytes
- Look for concentrations of unknown traffic in one user or device

24 Unknown Does Not Mean Unmanageable
"Unknown" traffic is found at significantly higher rates in malware than in valid network traffic:
- Application Usage and Threat Report: over 50% of custom UDP sessions triggered known malware logs
- Modern Malware Review: custom TCP/UDP was the 3rd most common traffic type generated by unknown malware
Enterprises can progressively reduce the amount of unknown traffic:
- Create custom App-IDs for internally developed or custom applications
- Continually improve baselines to see what does not belong
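Slides 22 through 24 are a procedure: enforce the two correlating rules, hunt for sessions-versus-bytes and per-user concentration anomalies in what is left, and shrink the unknown pool by naming internal applications. The example below is added here and is not Palo Alto Networks code; it runs those checks over a constructed session log. The log, its column names and the custom-app table are assumptions for this example and do not follow a real PAN-OS log schema.

```python
"""Triage of 'unknown' sessions from a constructed firewall traffic log.

Added example, not Palo Alto Networks code. It turns the three slides above into
checks a practitioner can run over exported session logs: the two policy rules
(no file downloads from, and no HTTP POSTs to, unknown domains), the
sessions-versus-bytes and per-user concentration heuristics, and the effect of
giving an internal application its own custom App-ID. The log, its column names
and the custom-app table are all constructed for this example and do not follow
a real PAN-OS log schema.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed traffic log; column names are assumptions, not a vendor schema.
TRAFFIC_LOG = """\
ts,user,dst,dport,app,url_category,method,bytes,file
09:00:01,alice,www.example.com,443,ssl,search-engines,GET,48210,
09:00:05,alice,cdn.example.net,80,web-browsing,unknown,GET,812000,update.exe
09:00:09,bob,203.0.113.7,8080,unknown-tcp,unknown,,310,
09:00:39,bob,203.0.113.7,8080,unknown-tcp,unknown,,298,
09:01:09,bob,203.0.113.7,8080,unknown-tcp,unknown,,305,
09:01:39,bob,203.0.113.7,8080,unknown-tcp,unknown,,301,
09:02:09,bob,203.0.113.7,8080,unknown-tcp,unknown,,299,
09:02:39,bob,203.0.113.7,8080,unknown-tcp,unknown,,312,
09:02:50,bob,stats.example.org,80,web-browsing,unknown,POST,940,
09:03:00,carol,ledger.corp.example,7443,unknown-tcp,unknown,,5400,
09:03:10,carol,ledger.corp.example,7443,unknown-tcp,unknown,,6100,
09:03:20,dave,mail.example.com,443,ssl,web-based-email,GET,22000,
09:03:25,dave,update.vendor.example,443,ssl,computer-and-internet-info,GET,2100000,patch.msi
"""

# Assumption: an internally developed app that the firewall cannot name by itself.
CUSTOM_APP_IDS = {("ledger.corp.example", 7443): "corp-ledger"}


def parse_log(text: str) -> list:
    sessions = list(csv.DictReader(io.StringIO(text)))
    for s in sessions:
        s["dport"] = int(s["dport"])
        s["bytes"] = int(s["bytes"])
    return sessions


def apply_custom_app_ids(sessions: list, custom: dict = CUSTOM_APP_IDS) -> int:
    """Rename unknown-tcp/udp sessions to known internal apps; return how many changed."""
    changed = 0
    for s in sessions:
        if s["app"].startswith("unknown-") and (s["dst"], s["dport"]) in custom:
            s["app"] = custom[(s["dst"], s["dport"])]
            changed += 1
    return changed


def policy_violations(sessions: list) -> list:
    """The two correlating rules: no downloads from, no POSTs to, unknown domains."""
    hits = []
    for s in sessions:
        if s["url_category"] != "unknown":
            continue
        if s["file"]:
            hits.append(("no-file-download-from-unknown-domain", s["user"], s["dst"], s["file"]))
        if s["method"] == "POST":
            hits.append(("no-http-post-to-unknown-domain", s["user"], s["dst"], ""))
    return hits


def beaconing_candidates(sessions: list, min_sessions: int = 5, max_avg_bytes: int = 600) -> list:
    """Many unknown sessions carrying few bytes to one destination: C2 check-in shaped."""
    sizes = defaultdict(list)
    for s in sessions:
        if s["app"].startswith("unknown-"):
            sizes[(s["user"], s["dst"], s["dport"])].append(s["bytes"])
    found = []
    for (user, dst, dport), byte_counts in sizes.items():
        avg = sum(byte_counts) / len(byte_counts)
        if len(byte_counts) >= min_sessions and avg <= max_avg_bytes:
            found.append((user, dst, dport, len(byte_counts), round(avg)))
    return found


def unknown_share_by_user(sessions: list) -> dict:
    """Fraction of all remaining unknown-app sessions attributable to each user."""
    counts = Counter(s["user"] for s in sessions if s["app"].startswith("unknown-"))
    total = sum(counts.values())
    return {user: round(n / total, 2) for user, n in counts.items()} if total else {}


def triage(text: str = TRAFFIC_LOG) -> dict:
    sessions = parse_log(text)
    reclassified = apply_custom_app_ids(sessions)   # shrink the unknown pool first
    return {
        "reclassified": reclassified,
        "violations": policy_violations(sessions),
        "beaconing": beaconing_candidates(sessions),
        "unknown_share": unknown_share_by_user(sessions),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Order matters: the custom App-ID is applied before the concentration check, so carol's internal ledger traffic stops diluting the statistic and bob's six small, evenly spaced sessions to one host account for all of the remaining unknown traffic. The thresholds (five sessions, 600 bytes average) are assumptions to tune against a clean baseline, which is the point of slide 30.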

25 Unknown Malware is An Everyday Problem
True Targeted Attacks
- APT1, Stuxnet
- Nation-state operators
- Highly sophisticated
- Comparatively rare
Polymorphic Malware
- Zeus, Kelihos
- Organized crime
- Heavily web driven
- Malware package is re-encoded to avoid signatures
Both categories are critical risks: a classic 80/20 problem. We MUST do better at proactively blocking polymorphic malware; at least 40% of malware are variants that can be blocked.

26 Active Testing to Find Unknown Malware
- 10 Gbps threat prevention and file scanning: all traffic, all ports; web, email, FTP and SMB
- Running in the cloud lets the malware do things that you wouldn't allow in your network
- Updates to sandbox logic without impacting the customer
- Malware signatures developed and tested based on malware payload
- Stream-based malware engine to perform true inline enforcement

27 Daily Coverage of Top AV Vendors
[Chart: daily AV coverage rates for newly released malware (50 samples); malware sample count against new malware coverage rate by top 5 AV vendors]

28 Real-World Spread of 0-Day Malware
- Analysis of 50 0-day malware samples captured by WildFire in live customer networks
- Tracked the spread and number of infections by hour following the initial infection
[Chart: attempted malware infections by hour]

29 Real-World Spread of 0-Day Malware (continued)
In the first two days after malware is released, 95% of infections occur in the first 24 hours.
[Chart: attempted malware infections by hour, with WildFire subscription coverage marked]

30 Re-establishing Visibility and Control
- Validate All Traffic: control any method that can hide traffic; all traffic, all ports, all the time; decode, decrypt and decompress
- Establish a Clean Baseline: classify any unknown traffic; learn what is normal for the network and users
- Get Proactive: active analysis of unknown files; block

31 Sustainable Visibility and Control
Reducing risk across four areas:
- Applications: visibility and control of all traffic, across all ports, all the time. Reduce the attack surface; control the threat vector; control the methods that threats use to hide.
- Sources: control traffic sources and destinations based on risk. Sites known to host malware; find traffic to command and control servers; SSL decrypt high-risk sites.
- Known Threats: stop exploits, malware, spying tools, and dangerous files. NSS tested and Recommended IPS; stream-based anti-malware based on millions of samples; control threats across any port.
- Unknown Threats: automatically identify and block new and evolving threats. WildFire analysis of unknown files; visibility and automated management of unknown traffic; anomalous behaviors.

32 Thank You

