avr presentation

Post on 21-Dec-2014


Application Visibility and Risk Report for Ekamai International School

INSTRUCTIONS TO SEs (Please delete)

Factory Reset box and upgrade to latest version of PAN-OS before starting AVR

Turn on all Threat Prevention / URL Filtering / Data Filtering / Wildfire

Make sure the tapped zone carries interesting traffic (user zones)

Make sure there is data in all logs and in the ACC before leaving the customer site

Run no more than 3-5 days of data collection

Download Raw Logs from monitor tab for further analysis

Fix a presentation date with key stakeholders for the week following the AVR data collection

2 | ©2012, Palo Alto Networks. Confidential and Proprietary.

Agenda

How was the AVR captured?

Summary applications found

Business Risks Introduced by High Risk Application Traffic

Top Applications (Bandwidth)

Applications that use HTTP (Port 80)

Top URL Categories

Top Threats

Recommendations


How was the AVR captured?

Port Mirror

Non-Intrusive

Data Gathering 3-5 days

Report Generation

The report contains no IP information; it is purely a statistical data collection
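The raw logs downloaded from the Monitor tab are what the later "Top Applications (Bandwidth)" and "Applications that use HTTP (Port 80)" sections are built from. The following is an added example, not part of the original deck or of any Palo Alto Networks tool: it aggregates a constructed sample of traffic log rows (a simplified, assumed column layout, not the real PAN-OS export format) by App-ID to rank applications by bytes and to list the applications that App-ID identified on port 80 even though they are not plain web browsing.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows in an assumed, simplified traffic-log layout
# (the real PAN-OS CSV export has many more columns). One row per session;
# app names are App-ID names used elsewhere in the deck.
SAMPLE_LOG = """receive_time,app,dst_port,bytes_sent,bytes_received
2014/12/01 09:00:01,web-browsing,80,1200,48000
2014/12/01 09:00:05,youtube-base,80,900,7500000
2014/12/01 09:00:07,bittorrent,6881,3200000,2900000
2014/12/01 09:00:09,gmail,443,2000,65000
2014/12/01 09:00:11,tor,443,15000,22000
2014/12/01 09:00:14,rtmp,1935,1800,4200000
2014/12/01 09:00:20,web-browsing,80,800,32000
2014/12/01 09:00:25,bittorrent,80,1100000,950000
"""


def parse_log(text):
    """Parse CSV text into session dicts; total bytes = sent + received."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "app": r["app"],
            "dst_port": int(r["dst_port"]),
            "bytes": int(r["bytes_sent"]) + int(r["bytes_received"]),
        })
    return rows


def top_apps_by_bandwidth(rows, n=5):
    """Rank applications by total bytes (ties broken by name), top n only."""
    totals = defaultdict(int)
    for r in rows:
        totals[r["app"]] += r["bytes"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def non_browser_apps_on_port_80(rows):
    """Applications seen on destination port 80 that App-ID did not classify
    as web-browsing: the traffic a port-based rule would have passed as HTTP."""
    apps = defaultdict(int)
    for r in rows:
        if r["dst_port"] == 80 and r["app"] != "web-browsing":
            apps[r["app"]] += r["bytes"]
    return dict(apps)


if __name__ == "__main__":
    sessions = parse_log(SAMPLE_LOG)
    print(top_apps_by_bandwidth(sessions))
    print(non_browser_apps_on_port_80(sessions))
```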


Summary Of Applications Found

Personal applications are being installed and used - elevates business and security risks

Applications that can be used to conceal activity - hide activity that can be malicious (intended or unintended)

Applications that can lead to data loss - security risks, data loss, compliance and copyright infringements

Applications for personal communications - productivity loss, compliance and business continuity loss

Bandwidth hogging, time consuming applications - consume corporate bandwidth and employee time


Business Risks Introduced by High Risk Application Traffic

Data Loss (24%) - application file transfer can lead to data leakage

Compliance (24%) - ability to evade detection or tunnel other applications can lead to compliance risks

Operational Cost (12%) - high bandwidth consumption equates to increased costs

Productivity (18%) - social networking and media apps can lead to low productivity

Business Continuity (23%) - applications that are prone to malware or vulnerabilities can introduce business continuity risks

“Identifying the risks an application poses is the first step towards effectively managing the related business risks.”


High Risk Application Traffic – Key Observations

Key observations on the 85 high risk applications:

Activity Concealment:

Proxy (1) and remote access (3) applications were found. In addition, non-VPN encrypted tunnel applications were detected. IT-savvy employees use these applications with increasing frequency to conceal activity and, in doing so, can expose EIS to compliance and data loss risks.

File transfer/data loss/copyright infringement:

P2P applications (12) and browser-based file sharing applications (6) were found. These applications expose EIS to data loss, possible copyright infringement and compliance risks, and can act as a threat vector.

Personal communications:

A variety of applications commonly used for personal communications were found, including instant messaging (8), webmail (6), and VoIP/video conferencing (3). These types of applications expose EIS to possible productivity loss, compliance and business continuity risks.

Bandwidth hogging:

Applications known to consume excessive bandwidth, including photo/video (14), audio (1) and social networking (11), were detected. These types of applications are an employee productivity drain, can consume excessive amounts of bandwidth, and can act as potential threat vectors.


Activity Concealment – Compliance, Data Loss Risks

ACC – Concealment (Example: tor)

File Transfer / Data Loss / Copyright Infringement – Data Loss, Copyright Infringement, Compliance Risks

ACC – Concealment (Example: bittorrent)


Personal Communications – Productivity Loss, Compliance, Business Continuity Risks

Personal Communications (Example: Gmail)


Bandwidth Hogging – Productivity Loss Risks

Bandwidth Hogging (Example: rtmp)

Bandwidth Hogging (Example: youtube-base)


Top 35 Applications (Bandwidth Consumption)


Applications that use HTTP


Top URL Categories

URL Sites (Example: Social Networking)


Top Application Vulnerabilities

Vulnerability (SMB: User Password Brute-Force Attempt)

Research from the Internet – Google, Yahoo, etc.


Extract from ACC

Vulnerability (SMB: User Password Brute-Force Attempt)

Spyware and Viruses Discovered

Spyware and Virus (Conficker)


Extract from ACC

Spyware and Virus (Conficker)

APT / Zero Day Malware Detected by WildFire


WildFire Malware Analysis


Recommendations

Implement safe application enablement policies

Address high risk areas such as P2P and browser-based file sharing

Implement policies dictating use of activity concealment applications

Regain control over streaming media applications

Seek Application Visibility and Control


Thank You
