Disrupting the Malware Kill Chain - What's New from Palo Alto Networks

Uploaded by scalar-decisions, posted 15 Apr 2017 (44 slides)

TRANSCRIPT

Page 1: Disrupting the Malware Kill Chain - What's New from Palo Alto Networks

Presenters: Simon Wong and Chris Cram, Scalar

Date: October 1st, 2015

Page 2: Scalar Client Solutions

© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience.

• Security: Context-Based Enterprise Security
• Infrastructure: Integration of Emerging Technologies
• Cloud: Hybrid Cloud Solutions

Page 3: Scalar Security Capabilities

• Prepare: understand risks; build an effective security program; source top security talent
• Defend: implement robust defences; integrate leading technologies; maximize visibility, understanding and control
• Respond: monitor critical business assets; respond rapidly to incidents; validate effectiveness of security controls

Page 4: Organizational Maturity: Security

Credit: Demetrios “Laz” Lazarikos, Blue Lava

Page 5: We Asked Canadian Security Experts

• 46% suffered a loss of data
• Breaches cost $200,000
• 34 attacks annually on average
• 41% believe they are winning the cyber security war
• 28%: top performers reduce risk

Page 6: What’s Changed? The Evolution of the Attacker

• $445: cybercrime now
• 100+ nations: cyber warfare

Speaker note (Simon Wong): Replace with a better Trends slide - this one is too FUD-y
Page 7: What’s Changed? The Evolution of the Attack

(Chart: organizational risk, plotted against the threat types below)

• Known threats
• Zero-day exploits/vulnerabilities
• Unknown and polymorphic malware
• Evasive command-and-control
• Lateral movement
• Changing application environment
• SSL encryption
• Mobile threats

Page 8: Ultra recent examples

• 6.9B visits/mo
• Angler (exploit kit)
• Bedep (malware delivered by Angler)
• CryptoWall (ransomware)
• 39 compromised iOS apps

Page 9: Breaking the Kill Chain at Every Step

Controls by kill-chain stage (the slide’s row labels are App-ID/User-ID, URL, IPS, Spyware, AV, Files and Unknown Threats):

1. Bait the end user: block high-risk apps – user control, decryption (App-ID/User-ID); block known malware sites, email links (URL)
2. Exploit: block the exploit (IPS)
3. Download backdoor: block malware, prevent drive-by downloads (AV); detect 0-day malware (Unknown Threats)
4. Command/control: block new C2 traffic (Unknown Threats); block spyware, C2 traffic (Spyware); block fast-flux, bad domains (URL); block C2 on open ports (App-ID)
5. Lateral movement / Zero Trust: block the exploit; block malware; detect 0-day malware; block high-risk apps – user control, decryption
6. Exfiltration of data: block fast-flux, bad domains; block files, data filtering (Files); block high-risk apps – user control, decryption

Page 10: Requirements for the Future

Detect and prevent threats at every point across the organization – not just the Internet edge:

• At the Internet edge
• Between employees and devices within the LAN
• At the data center edge, and between VMs
• At the mobile device
• Within private, public and hybrid clouds

Page 11: Requirements for Security in Today’s Threat Landscape

1. Application-based security rules, including the ability to decrypt flows
2. Rules based on user identity/user groups
3. WildFire subscription to detect unknown malware
4. Threat Prevention subscription to enable dynamic prevention signatures for malware
5. URL (PAN-DB) subscription to enable dynamic prevention of malware command and control
6. GlobalProtect to secure against the threat of time and to help assert identity

Page 12: Delivering the Next-Generation Security Platform

Natively integrated, extensible, automated: next-generation firewall, advanced endpoint protection, threat intelligence cloud.

Page 13: The endpoint

Page 14: Exploit Prevention Case Study: Unknown Exploits Utilize Known Techniques

Prevention of one technique in the chain will block the entire attack.

IE zero day, CVE-2013-3893
• Techniques used: heap spray, DEP circumvention, ROP / utilizing OS function
• Traps modules that stop it: UASLR, ROP Mitigation, DLL Security

Adobe Reader, CVE-2013-3346
• Techniques used: heap spray, DEP circumvention, utilizing OS function
• Traps modules that stop it: Memory Limit Heap Spray Check, Shellcode Preallocation, UASLR, DLL Security

Adobe Flash, CVE-2015-3010/0311
• Techniques used: ROP, JIT spray, utilizing OS function
• Traps modules that stop it: ROP Mitigation, JIT Mitigation, DLL Security, Memory Limit Heap Spray Check

Page 15: Exploit Techniques

Exploit attack:

1. Exploit attempt contained in a PDF sent by a “known” entity.
2. PDF is opened and exploit techniques are set in motion to exploit a vulnerability in Acrobat Reader.
3. Exploit evades AV and drops a malware payload onto the target.
4. Malware evades AV and runs in memory.

Technique chain: normal application execution → heap spray → DEP circumvention → utilizing OS function → begin malicious activity (activate key logger, steal critical data, more…).

Gaps are vulnerabilities: every technique in the chain that goes unblocked is a step the attacker gets for free.

Page 16: Exploit Techniques, with Traps Exploit Prevention Modules (EPM)

Attack steps as on Page 15. Chain: normal application execution → heap spray → blocked by Traps EPM → no malicious activity.

1. Exploit attempt blocked. Traps requires no prior knowledge of the vulnerability.

Page 17: Exploit Techniques, with Traps EPM #1 turned off

Attack steps as on Page 15. Chain: normal application execution → heap spray (EPM #1 off, technique succeeds) → DEP circumvention → blocked by Traps EPM → no malicious activity.

1. Exploit attempt blocked. Traps requires no prior knowledge of the vulnerability.
2. If you turn off EPM #1, the first technique will succeed but the next one will be blocked, still preventing malicious activity.
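The heap-spray step in the chain above is the one a practitioner can reason about most concretely, so here is an added example (my code, not Traps or Palo Alto Networks code) of the idea behind a heap-spray check: a spray fills the heap with many large blocks that are almost entirely one repeated word, and that pattern is detectable without knowing which vulnerability is being exploited. Traps applies its checks at allocation time inside the protected process; this stand-alone model scans a snapshot of allocations instead. The block size, ratio and count thresholds are assumptions chosen for the example, and the allocations are constructed by make_spray() and make_benign(), not captured from a real process.

```python
"""Heap-spray heuristic over a snapshot of a process's allocations.

Added example, not Traps code. Thresholds are assumptions for the example;
the allocations are constructed below, not captured from a real process.
"""
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Allocation:
    address: int
    data: bytes


def dominant_dword_ratio(data: bytes) -> float:
    """Fraction of 4-byte words equal to the single most common word.

    A sled such as 0x0c0c0c0c repeated across the block scores close to 1.0;
    text, object graphs and compressed data score far lower.
    """
    if len(data) < 4:
        return 0.0
    words = Counter(data[i:i + 4] for i in range(0, len(data) - 3, 4))
    return words.most_common(1)[0][1] / sum(words.values())


def is_sled_block(alloc: Allocation, min_size: int = 64 * 1024,
                  min_ratio: float = 0.90) -> bool:
    """A block counts as sprayed when it is large and almost entirely one word.

    Size matters: a spray has to push the heap out to a guessable address
    such as 0x0c0c0c0c, which takes many large repeated blocks.
    """
    return len(alloc.data) >= min_size and dominant_dword_ratio(alloc.data) >= min_ratio


def heap_spray_verdict(allocs: List[Allocation], min_blocks: int = 16,
                       min_fraction: float = 0.5) -> Tuple[bool, int, float]:
    """Return (is_spray, sled_block_count, sled_share_of_heap_bytes).

    Both a minimum number of sled blocks and a minimum share of the heap are
    required, so one large zero-filled buffer does not trip the check.
    """
    sled = [a for a in allocs if is_sled_block(a)]
    total = sum(len(a.data) for a in allocs) or 1
    share = sum(len(a.data) for a in sled) / total
    return (len(sled) >= min_blocks and share >= min_fraction, len(sled), share)


# ---- constructed inputs (assumptions for the example, not real memory) ----

def make_spray(count: int = 32, size: int = 64 * 1024,
               word: bytes = b"\x0c\x0c\x0c\x0c") -> List[Allocation]:
    """`count` blocks of one repeated word plus a 64-byte tail standing in
    for shellcode (an arbitrary byte pattern, deliberately not shellcode)."""
    tail = bytes(range(64))
    body = word * ((size - len(tail)) // 4) + tail
    return [Allocation(0x0c000000 + i * size, body) for i in range(count)]


def make_benign(count: int = 32, size: int = 64 * 1024) -> List[Allocation]:
    """Blocks cycling through all 256 byte values, so no single 4-byte word
    dominates (each distinct word is 1/64 of the block)."""
    body = bytes(range(256)) * (size // 256)
    return [Allocation(0x10000000 + i * size, body) for i in range(count)]


if __name__ == "__main__":
    for label, heap in (("spray", make_spray()),
                        ("benign", make_benign()),
                        ("8 sled blocks among benign", make_spray(count=8) + make_benign())):
        print(label, heap_spray_verdict(heap))
```

Run it and the sprayed heap is flagged while the benign heap, and a heap holding only eight sled blocks, are not. The two thresholds in heap_spray_verdict() are where a real product trades false positives (large zero-filled buffers, media decoders, JIT arenas) against missed sprays; the point of the Traps slides is that a check of this kind needs no signature for the exploit itself.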

Page 18: Zero Trust

Page 19: Zero-Trust Model

• All resources are accessed in a secure manner regardless of location.
• Access control is on a “need-to-know” basis and is strictly enforced.
• Verify and never trust.
• Inspect and log all traffic.
• The network is designed from the inside out.

Source: Forrester Research. ©2015, Palo Alto Networks

Page 20: Host VM and Core Security

(Diagram: virtualized servers, physical servers, corporate network/DMZ; layers labelled security, network, application)

• Segment north-south (physical) and east-west (virtual) traffic
• Track virtual application provisioning and changes via dynamic address groups
• Automation and orchestration support via REST API
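The Zero-Trust principles on Page 19 (need-to-know access, verify and never trust, inspect and log all traffic) and the dynamic address groups and API on Page 20 fit together in one mechanism, so here is an added example (my code, not Palo Alto Networks code) that models both: a provisioning hook registers IP-to-tag mappings for a new VM, a dynamic address group (DAG) resolves its members from those tags at match time, and a first-match rulebase with an implicit deny decides each flow and logs every decision. The host names, tags, user groups and rules are assumptions made for the example. The <uid-message> format is the PAN-OS User-ID XML API as I know it (sent as the cmd parameter of /api/?type=user-id with an API key); the HTTP call itself is left out so the example runs offline.

```python
"""Dynamic address groups, tag registration and a default-deny rulebase.

Added example, not Palo Alto Networks code. Hosts, tags, groups and rules
are assumptions for the example; the <uid-message> layout follows the
PAN-OS User-ID XML API as I know it, and no request is actually sent.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

TAGS: Dict[str, Set[str]] = {}   # ip -> tags, as the firewall holds them
LOG: List[dict] = []             # one record per decided flow


def register(ip: str, *tags: str) -> None:
    TAGS.setdefault(ip, set()).update(tags)


def unregister(ip: str, *tags: str) -> None:
    if ip in TAGS:
        TAGS[ip] -= set(tags)
        if not TAGS[ip]:
            del TAGS[ip]


def build_uid_message(register_ops: Dict[str, List[str]],
                      unregister_ops: Optional[Dict[str, List[str]]] = None) -> str:
    """Serialise tag changes as a PAN-OS User-ID <uid-message> document."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    for section, ops in (("register", register_ops), ("unregister", unregister_ops or {})):
        if not ops:
            continue
        node = ET.SubElement(payload, section)
        for ip, tags in ops.items():
            tag_node = ET.SubElement(ET.SubElement(node, "entry", ip=ip), "tag")
            for tag in tags:
                ET.SubElement(tag_node, "member").text = tag
    return ET.tostring(root, encoding="unicode")


def parse_uid_message(xml_text: str) -> Dict[str, Dict[str, List[str]]]:
    """Inverse of build_uid_message: {section: {ip: [tags]}}."""
    root = ET.fromstring(xml_text)
    out: Dict[str, Dict[str, List[str]]] = {}
    for section in ("register", "unregister"):
        node = root.find(f"payload/{section}")
        if node is not None:
            out[section] = {e.get("ip"): [m.text for m in e.findall("tag/member")]
                            for e in node.findall("entry")}
    return out


def dag_members(required: Set[str]) -> Set[str]:
    """DAG match 'tagA and tagB': every required tag must be present."""
    return {ip for ip, tags in TAGS.items() if required <= tags}


@dataclass(frozen=True)
class Rule:
    name: str
    src_groups: Set[str]   # User-ID groups allowed as source
    apps: Set[str]         # App-ID names allowed
    dst_tags: Set[str]     # destination DAG, expressed by its tags
    action: str


USER_GROUPS = {"alice": {"dba"}, "bob": {"marketing"}}   # assumed User-ID data
RULEBASE = [
    Rule("dba-to-sql", {"dba"}, {"mssql-db"}, {"db", "prod"}, "allow"),
    Rule("all-to-web", {"dba", "marketing"}, {"web-browsing", "ssl"}, {"web", "prod"}, "allow"),
]


def decide(user: str, app: str, dst_ip: str) -> str:
    """First matching rule wins; no match is an implicit deny. Every flow,
    allowed or denied, is logged ("inspect and log all traffic")."""
    groups = USER_GROUPS.get(user, set())
    action, hit = "deny", "implicit-deny"
    for rule in RULEBASE:
        if groups & rule.src_groups and app in rule.apps and dst_ip in dag_members(rule.dst_tags):
            action, hit = rule.action, rule.name
            break
    LOG.append({"user": user, "app": app, "dst": dst_ip, "rule": hit, "action": action})
    return action


def demo() -> List[str]:
    """Walk a VM through provisioning and decommissioning; no rule changes."""
    TAGS.clear()
    LOG.clear()
    register("10.0.1.10", "web", "prod")
    out = [decide("alice", "mssql-db", "10.0.2.20")]        # deny: VM not tagged yet
    register("10.0.2.20", "db", "prod")                      # provisioning hook tags the new VM
    out.append(decide("alice", "mssql-db", "10.0.2.20"))    # allow: the DAG now contains it
    out.append(decide("bob", "mssql-db", "10.0.2.20"))      # deny: marketing has no SQL rule
    out.append(decide("alice", "mssql-db", "10.0.1.10"))    # deny: SQL towards the web DAG
    out.append(decide("bob", "web-browsing", "10.0.1.10"))  # allow
    unregister("10.0.2.20", "prod")                          # decommission: tag removed
    out.append(decide("alice", "mssql-db", "10.0.2.20"))    # deny again
    return out


if __name__ == "__main__":
    print(demo())
    print(build_uid_message({"10.0.2.20": ["db", "prod"]}))
```

The rulebase never changes during demo(): membership moves with the tags, which is what lets an orchestration workflow keep segmentation correct as VMs appear and disappear. Note that a destination with only some of a DAG's tags is not a member, and that a user outside every rule's groups is denied even to an otherwise reachable server; both are the "block everything else" half of the model.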

Page 21: Hypervisor Based Security Architecture

Page 22: Your DC is the target!

Exploit logs by application:

• 25% MS-SQL
• 21% MS-RPC
• 15% web browsing
• 11% SMB
• 10% MS-SQL Monitor
• 10% MS Office Communicator
• 4% SIP
• 3% other
• 2% Active Directory
• 2% RPC
• 1% DNS

10 out of 1,395 applications generated 97% of the exploit logs; 9 of these were datacenter applications.

Source: “Application Usage and Threat Report” (Palo Alto Networks), 2013 and 2014

Page 23: Innovative deployment architectures

Page 24: VM-Series for AWS

Full next-generation firewall functionality for AWS:

• Identify and control applications traversing the VPC
• Prevent known and unknown threats, inbound and EC2-to-EC2
• Streamline policy updates, simplify management

Page 25: Identify and control applications traversing the VPC

• Visibility: classify all VPC traffic based on application identity
• Control: enable those applications you want, deny those you don’t
• Authorize: grant access based on user identity

(Diagram labels: RDP, SharePoint, Administrators, Marketing)

Page 26: Streamline management and policy updates

• Centrally manage configuration and policy deployment of the VM-Series for AWS
• Manage all Palo Alto Networks next-generation firewall instances, both hardware and virtualized form factor
• Aggregate traffic logs across multiple VM-Series for AWS instances for visibility, forensics and reporting
• Streamline policy updates with VM-Monitoring, Dynamic Address Groups and an API

(Diagram labels: MS SQL, SharePoint, Web FE, Credit Card / Intellectual Property / PII, Panorama)

Page 27: Deployment Scenarios

1. Gateway: full NGFW security for all traffic traversing the AWS deployment
   • Visibility, application control, prevention of known/unknown threats, access control based on user
2. Hybrid cloud (IPSec VPN)
   • Extend the enterprise datacenter to AWS: IPSec VPN + full NGFW feature set
3. VPC-to-VPC protection
   • Control traffic between VPCs; block known and unknown threats from moving laterally
   • A combination of gateway and hybrid within the VPC
4. GlobalProtect Gateway: use VM-Series deployed across various AWS regions as a VPN gateway
   • Secure mobile users anywhere by leveraging AWS infrastructure around the world

(Diagram labels: IPSec VPN, end-users over Internet, corporate network)

Page 28: GlobalProtect: Consistent Security Everywhere

(Diagram: headquarters, branch office; threats shown: malware, botnets, exploits)

• VPN connection to a purpose-built firewall
• Automatic protected connectivity for users both inside and outside
• Unified policy control, visibility, compliance and reporting

Page 29: One more thing: Cloud/SaaS

Page 30: Next-Gen FW for SaaS Enforcement

Pages 31 and 32: Inherent Risks with SaaS

Page 33: Introducing Aperture

Page 34: Cloud Delivered Model

Page 35: Complete SaaS Security

Page 36: Delivering the Next-Generation Security Platform (repeat of Page 12)

Page 37: Thank You

Page 38: Governance, Risk and Compliance Advisory

Services are grouped by phase: Assess & Advise, Implementation & Execution, Monitor & Maintain.

Audit & Assurance
• Assess & Advise: SSAE 16 / ISAE 3402 / CSAE 3416 Readiness Assessment; Privacy Impact Assessment; SysTrust / WebTrust; Contractual
• Implementation & Execution: Controls Implementation; Privacy Governance; Governance Framework
• Monitor & Maintain: Virtual Internal Audit; Virtual Privacy Office; Compliance Team

Information Security
• Assess & Advise: PCI DSS Assessment; ISO 27001 Gap/Risk Assessment; Application Security Testing; Vulnerability Assessment; Penetration Testing; Threat Risk Assessment; OSFI Cybersecurity Assessment
• Implementation & Execution: ISMS Implementation; Policy and Procedure Development
• Monitor & Maintain: Virtual CSO; Virtual Security Team; Security Operations

IT Service Management
• Assess & Advise: COBIT Gap/Maturity Assessment; ITIL Gap/Maturity Assessment; ISO 20000 Gap/Maturity Assessment; Business Impact Assessment; Business Resiliency Assessment; IT Operational Risk Assessment
• Implementation & Execution: Service Continuity Management; BCP & DRP Development; IT Governance Implementation; ITIL Process Implementation; Implementation Rescue; Cherwell ITSM Tool Implementation
• Monitor & Maintain: ITSM Managed Services; Technology Management; Cherwell ITSM SaaS

Technology Advisory
• Assess & Advise: Architecture Review; Network Review; Cloud Review; Security Device Review; Application Migration; VOIP / VOIP Security
• Implementation & Execution: PKI; Two-Factor Authentication Deployment; Security Device Deployment (FW/IDS/VPN); BYOD Security; Secure Logging and Analysis
• Monitor & Maintain: IT Management; Technology Management; Staff Augmentation

Page 39: Turning the Unknown into the Known

Our unique approach makes us the only solution that…

• Scans ALL applications (including SSL traffic) to secure all avenues in/out of a network, reduce the attack surface area, and provide context for forensics
• Prevents attacks across ALL attack vectors (exploit, malware, DNS, command & control, and URL) with content-based signatures
• Detects zero-day malware and exploits using public/private cloud and automatically creates signatures for the global customer base

(Diagram: identify & control all applications → prevent known threats → detect unknown threats → rapid, global sharing)

Page 40: Breaking the Attack Kill Chain at Multiple Points

Segment your network with a “zero-trust” model as the foundation for defense. Only allow content to be accessed:
• By a limited and identifiable set of users
• Through a well-defined set of applications
• Blocking everything else

Block all known threats: Threat Prevention would have identified and stopped parts of the attack
• Across known vulnerability exploits, malware, URLs, DNS queries
• And command-and-control activity

Identify and block all unknown threats: WildFire had identified members of the “BlackPOS” malware family in the past, using behavioral characteristics such as:
• Communicating over often-abused ports (139 or 445)
• Using WebDAV to share information
• Changing the security settings of Internet Explorer
• Modifying the Windows registry, and many more
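The behavioral characteristics listed for BlackPOS are the kind of thing a sandbox verdict is built from, so here is an added example (my code, not WildFire or Palo Alto Networks code) that turns those four behaviors into weighted indicators and scores a trace of sandbox events. The event format, the weights, the threshold and the registry key used to recognize an Internet Explorer zone change are assumptions made for the example, and the three traces are constructed, not real sandbox output.

```python
"""Behaviour-based scoring of sandbox events.

Added example, not WildFire code. Event format, weights, threshold and the
traces below are assumptions constructed for the example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    kind: str               # "net", "reg" or "proc"
    detail: Dict[str, str]


ABUSED_PORTS = {"139", "445"}
IE_ZONES_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
WEBDAV_METHODS = {"PROPFIND", "MKCOL", "PUT", "MOVE"}


def outbound_abused_port(e: Event) -> bool:
    return e.kind == "net" and e.detail.get("dir") == "out" and e.detail.get("dport") in ABUSED_PORTS


def webdav_transfer(e: Event) -> bool:
    # WebDAV rides on HTTP; its verbs are what distinguish it from browsing.
    return e.kind == "net" and e.detail.get("method") in WEBDAV_METHODS


def ie_security_change(e: Event) -> bool:
    return e.kind == "reg" and e.detail.get("key", "").startswith(IE_ZONES_KEY)


def registry_write(e: Event) -> bool:
    return e.kind == "reg" and e.detail.get("op") in {"set", "create", "delete"}


# (name, weight, predicate). Behaviours that move data off the host weigh
# most; a lone registry write is routine for installers and updaters.
INDICATORS: List[Tuple[str, int, Callable[[Event], bool]]] = [
    ("outbound traffic to port 139/445", 3, outbound_abused_port),
    ("WebDAV used to move data", 3, webdav_transfer),
    ("Internet Explorer zone settings changed", 2, ie_security_change),
    ("registry modified", 1, registry_write),
]
THRESHOLD = 5


def score(events: List[Event]) -> Tuple[str, int, Dict[str, int]]:
    """Return (verdict, total, matched indicators). Each indicator counts
    once however many events trip it, so a chatty sample cannot inflate
    its own score."""
    hits = {name: weight for name, weight, match in INDICATORS if any(match(e) for e in events)}
    total = sum(hits.values())
    return ("malware" if total >= THRESHOLD else "benign", total, hits)


# ---- constructed traces (assumptions for the example) ----
SUSPECT_TRACE = [
    Event("proc", {"image": "pos_update.exe", "parent": "explorer.exe"}),
    Event("reg", {"op": "set", "key": IE_ZONES_KEY + r"\3\1601", "value": "0"}),
    Event("net", {"dir": "out", "dst": "10.0.0.5", "dport": "445"}),
    Event("net", {"dir": "out", "dst": "10.0.0.5", "dport": "80", "method": "PUT", "path": "/dav/dump.dat"}),
]
BROWSER_TRACE = [
    Event("net", {"dir": "out", "dst": "198.51.100.7", "dport": "443", "method": "GET", "path": "/"}),
    Event("reg", {"op": "set", "key": r"HKCU\Software\Example\Recent", "value": "1"}),
]
FILE_COPY_TRACE = [   # an ordinary SMB client: one strong indicator is not enough alone
    Event("net", {"dir": "out", "dst": "10.0.0.9", "dport": "445"}),
    Event("reg", {"op": "set", "key": r"HKCU\Software\Example\LastShare", "value": r"\\fs\docs"}),
]

if __name__ == "__main__":
    for name, trace in (("suspect", SUSPECT_TRACE), ("browser", BROWSER_TRACE), ("file copy", FILE_COPY_TRACE)):
        print(name, score(trace))
```

The suspect trace trips all four indicators and crosses the threshold; the browsing trace only writes the registry, and the file-copy trace shows why a single behavior such as port 445 traffic is not a verdict on its own. A real sandbox has hundreds of such indicators and weights them from observed families rather than by hand, but the shape of the decision is the same: behaviors, not file hashes, so that a sample never seen before can still be convicted.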

Page 41: Next Generation Security Operations

• Global Threat Intelligence & Research
• Advanced Analytics
• Protect Critical Assets
• Robust Incident Handling
• Understand Business Impact
• Continuous Validation of Controls

Page 42: Successful Client Outcomes

Reduced risk, lower cost, higher return, measurable outcomes, enable business.

Page 43: Getting Started

• Prepare: perform a risk assessment; build an effective security program
• Defend: deploy security infrastructure; properly configure and continuously tune security tools
• Respond: detect and respond to incidents quickly; continuously validate the effectiveness of security controls

Page 44: Looking for more information?

Check out how we helped the Medical Council of Canada streamline their remote access management for employees, committee members, and physicians with the help of Palo Alto Networks technology.

https://www.scalar.ca/en/client-stories/medical-council-of-canada-streamlines-remote-access-management-for-employees-committee-members-and-physicians/