Palo Alto Networks Threat Prevention

Upload: howard-leonard

Post on 16-Dec-2015


TRANSCRIPT

Page 1: Palo Alto Networks Threat Prevention. Palo Alto Networks at a Glance Corporate Highlights Founded in 2005; First Customer Shipment in 2007 Safely Enabling

Palo Alto Networks Threat Prevention

Page 2

Palo Alto Networks at a Glance

Corporate Highlights

Founded in 2005; First Customer Shipment in 2007

Safely Enabling Applications

Able to Address all Network Security Needs

Exceptional Ability to Support Global Customers

Experienced Technology and Management Team

850+ Employees Globally

[Chart: Enterprise Customers: Jul-10 1,800; Jul-11 4,700; Jul-12 9,000]

[Chart: Revenue ($MM, FYE July): FY09 $13; FY10 $49; FY11 $119; FY12 $255]

2 | ©2012, Palo Alto Networks. Confidential and Proprietary.

Page 3

Real Attacks Employ Multiple Techniques

1. Bait the end-user: End-user lured to a dangerous application or website containing malicious content

2. Exploit: Infected content exploits the end-user, often without their knowledge

3. Download Backdoor: Secondary payload is downloaded in the background. Malware installed

4. Establish Back-Channel: Malware establishes an outbound connection to the attacker for ongoing control

5. Explore & Steal: Remote attacker has control inside the network and escalates the attack

Page 4

Lifecycle of a Modern Attack - Simplified


Attacks are Blended
• Traffic and Malware
• Inbound and Outbound

Designed to Evade Security
• Encryption, strange ports, tunneling, polymorphic malware, etc.

Break Security Assumptions
• When attackers control both ends of a connection they can hide their traffic in any way they want

Page 5

Threat Prevention Requirements

1. Full Visibility of Traffic
- Equal analysis of all traffic across all ports (no assumptions)
- Control the applications that attackers use to hide
- Decrypt, decompress and decode

2. Control the full attack lifecycle
- Exploits, malware, and malicious traffic
- Maintain context across disciplines
- Maintain predictable performance

3. Expect the Unknown
- Detect and stop unknown malware
- Automatically manage unknown or anomalous traffic

Page 6

An Integrated Approach to Threat Prevention

Applications
• Visibility and control of all traffic, across all ports, all the time
• Reduce the attack surface
• Control the threat vector
• Control the methods that threats use to hide

Sources
• Control traffic sources and destinations based on risk
• Sites known to host malware
• Find traffic to command and control servers
• SSL decrypt high-risk sites

Known Threats
• Stop exploits, malware, spying tools, and dangerous files
• NSS tested and Recommended IPS
• Stream-based anti-malware based on millions of samples
• Control threats across any port

Unknown Threats
• Automatically identify and block new and evolving threats
• WildFire analysis of unknown files
• Visibility and automated management of unknown traffic
• Anomalous behaviors

(Reducing Risk, left to right)

Page 7

Coordinated Threat Prevention: An Integrated Approach to Threat Prevention

Engines (rows): App-ID, URL, IPS (Threat License), Spyware, AV, Files, WildFire
Attack stages (columns): Bait the end-user, Exploit, Download Backdoor, Establish Back-Channel, Explore & Steal

Bait the end-user
• App-ID: Block high-risk apps
• URL: Block known malware sites

Exploit
• IPS: Block the exploit

Download Backdoor
• Files: Prevent drive-by-downloads
• AV: Block malware
• WildFire: Detect unknown malware

Establish Back-Channel
• Spyware: Block spyware, C&C traffic
• App-ID: Block C&C on non-standard ports
• URL: Block malware, fast-flux domains
• WildFire: Block new C&C traffic

Coordinated intelligence to detect and block active attacks based on signatures, sources and behaviors

Page 8

Requirement: Visibility Into All Traffic

Page 9

Requirements for Visibility

Any Traffic Not Fully Inspected = Threats Missed

• The Rule of All
  - All traffic, all ports, all the time
  - Mobile and roaming users

• Progressive Inspection
  - Decode: 190+ application and protocol decoders
  - Decrypt: based on policy
  - Decompress

• Stop the methods that attackers use to hide
  - Proxies
  - Encrypted tunnels
  - Peer-to-peer

Page 10

Evasion is Common in Applications

Non-Standard Ports
  - Evasive Applications: standard application behavior
  - Security Best Practices: moving internet-facing protocols off of standard ports (e.g. RDP)

Tunneling Within Allowed Protocols
  - SSL and SSH
  - HTTP
  - DNS

Circumventors
  - Proxies
  - Anonymizers (Tor)
  - Custom Encrypted Tunnels (e.g. Freegate, Ultrasurf)

568 applications that can dynamically use non-standard ports
260 applications that can tunnel other apps and protocols
82 applications designed to avoid security
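The point of this slide is that the destination port says nothing reliable about what is flowing through it. The script below is an added example written for this page; it is not Palo Alto Networks code and does not reproduce App-ID. It identifies the application from the first client bytes of a flow instead of trusting the port, then flags the three cases the slide describes: a known application on a port where another one is expected (SSH tunneled through 443), a known application deliberately moved to a non-standard port (RDP on 33890, HTTP on 8080), and a payload that matches nothing (a custom encrypted tunnel). The port table, the signatures and the sample flows are constructed for the example; the flows are not real captures.

```python
"""Port-independent application identification.

Added example for this page; it is not Palo Alto Networks code and does not
reproduce App-ID. The port table, signatures and sample flows are all
constructed for illustration.
"""
import re
from dataclasses import dataclass

# Assumed "what belongs on this port" table (illustrative only).
PORT_EXPECTATION = {22: "ssh", 53: "dns", 80: "http", 443: "tls", 3389: "rdp"}

# Signatures over the first client-to-server bytes, checked in this order.
# Protocol facts used: SSH banner, HTTP request line, TLS record header
# followed by a ClientHello, TPKT + X.224 Connection Request for RDP, and a
# DNS header with QR=0 and QDCOUNT=1.
SIGNATURES = [
    ("ssh",  re.compile(rb"^SSH-2\.0-")),
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT|CONNECT) [^\r\n]+ HTTP/1\.[01]\r\n")),
    ("tls",  re.compile(rb"^\x16\x03[\x00-\x04]..\x01", re.DOTALL)),
    ("rdp",  re.compile(rb"^\x03\x00...\xe0", re.DOTALL)),
    ("dns",  re.compile(rb"^..[\x00-\x7f].\x00\x01", re.DOTALL)),
]


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first client-to-server bytes of the flow


def identify_app(payload: bytes) -> str:
    """Name the application from payload alone; 'unknown' if nothing matches."""
    for name, sig in SIGNATURES:
        if sig.match(payload):
            return name
    return "unknown"


def classify(flow: Flow) -> dict:
    """Compare the payload-derived application with what the port implies."""
    app = identify_app(flow.payload)
    expected = PORT_EXPECTATION.get(flow.dport)
    if app == "unknown":
        verdict = "unknown-traffic"      # nothing decoded it: manage as unknown traffic
    elif expected is None:
        verdict = "non-standard-port"    # known app on a port nobody expects it on
    elif app != expected:
        verdict = "port-mismatch"        # e.g. SSH on 443: tunneling inside an allowed port
    else:
        verdict = "as-expected"
    return {"dport": flow.dport, "app": app, "expected": expected, "verdict": verdict}


# Constructed sample flows (not captures).
RDP_CONNECT_REQ = b"\x03\x00\x00\x13\x0e\xe0\x00\x00\x00\x00\x00\x01\x00\x08\x00\x03\x00\x00\x00"
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443,
         b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32),   # TLS ClientHello on 443
    Flow("10.0.0.5", "203.0.113.11", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),      # SSH hidden inside 443
    Flow("10.0.0.7", "203.0.113.12", 8080, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Flow("10.0.0.7", "203.0.113.13", 3389, RDP_CONNECT_REQ),                 # RDP where expected
    Flow("10.0.0.7", "203.0.113.13", 33890, RDP_CONNECT_REQ),                # RDP moved off 3389
    Flow("10.0.0.9", "203.0.113.14", 443, b"\xd3\x9a\xf1\x07\x2c\x6b\x00\x11\x5e\xaa"),  # opaque tunnel
    Flow("10.0.0.9", "203.0.113.53", 53,
         b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"),
]


def analyze(flows=SAMPLE_FLOWS) -> list:
    """Classify every flow; returns one dict per flow in input order."""
    return [classify(f) for f in flows]


if __name__ == "__main__":
    for r in analyze():
        print(f"port {r['dport']:>5}  app={r['app']:<8} expected={str(r['expected']):<5} {r['verdict']}")
```

Two of the verdicts deserve different handling in policy: a port mismatch (SSH answering on 443) is the "tunneling within allowed protocols" case and is almost always worth blocking or decrypting, while a known application on a non-standard port may be the deliberate hardening the slide mentions, so it should be matched against the application policy rather than dropped on port alone.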

Page 11

Evasive Traffic Observed in Malware

• Malware in live networks detected by WildFire
  - Use of non-standard ports, dynamic DNS, use of proxies and custom traffic were the most common techniques

16,497 newly discovered malware samples (1 month)
13,256 samples (80%) generated Internet traffic
Of those samples, 7,918 (59%) generated evasive traffic
66% undetected by traditional AV vendors


Evasion is Standard in Malware

Page 12

Requirement: Threat Prevention That Performs

Page 13

Traditionally, More Security = Poor Performance

Traditional Security

Each security box or blade robs the network of performance

Threat prevention technologies are often the worst offenders

Leads to the classic friction between network and security

[Chart: Best Case Performance as Firewall, Anti-Malware and IPS are stacked]

Page 14

Single-Pass Pattern Match

Single-pass pattern match engine can provide multiple matches with one pass through the engine. Look once, get many answers.

Page 15

Stream-Based Malware Analysis

In-line threat prevention is stream based, because it’s the only method that maintains performance.

Only Palo Alto Networks and Fortinet have stream-based malware analysis (requires specialized processors).
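Pages 14 and 15 make two related claims: one pass over the bytes can answer many signature questions at once, and scanning the stream as it arrives (rather than reassembling the file first) is what keeps inline inspection fast. The code below is an added example written for this page; it is not Palo Alto Networks code and does not reproduce their engine. It builds a small Aho-Corasick automaton that walks each byte exactly once and reports every signature it sees, including two that overlap, and it keeps its state between chunks so a signature split across two packets is still caught. The gzip front-end shows the "decompress, then inspect" step from Page 9 working chunk by chunk as well. The signatures and the sample HTTP body are constructed for the example (EICAR is the standard anti-virus test string, not malware); the class and function names are the example's own.

```python
"""Single-pass, stream-based multi-pattern scanning.

Added example for this page; not Palo Alto Networks code. Signatures and the
sample body are constructed for illustration.
"""
from collections import deque
import gzip
import zlib


class StreamMatcher:
    """Aho-Corasick over bytes; feed() may be called repeatedly with chunks."""

    def __init__(self, patterns):
        self.patterns = list(patterns)
        self.goto = [{}]   # per node: byte -> child node
        self.out = [[]]    # per node: ids of patterns ending here (incl. via fail links)
        self.fail = [0]
        for pid, pat in enumerate(self.patterns):
            node = 0
            for b in pat:
                if b not in self.goto[node]:
                    self.goto.append({}); self.out.append([]); self.fail.append(0)
                    self.goto[node][b] = len(self.goto) - 1
                node = self.goto[node][b]
            self.out[node].append(pid)
        # Breadth-first construction of failure links: the longest proper
        # suffix of the current node that is also a prefix of some pattern.
        queue = deque(self.goto[0].values())
        while queue:
            cur = queue.popleft()
            for b, nxt in self.goto[cur].items():
                f = self.fail[cur]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[nxt] = self.goto[f].get(b, 0)
                self.out[nxt] = self.out[nxt] + self.out[self.fail[nxt]]
                queue.append(nxt)
        self.state = 0     # automaton state survives between feed() calls
        self.offset = 0    # absolute stream offset of the next byte

    def feed(self, chunk: bytes):
        """Scan one chunk; return [(start_offset, pattern)] for every match ending in it."""
        hits = []
        for b in chunk:
            while self.state and b not in self.goto[self.state]:
                self.state = self.fail[self.state]
            self.state = self.goto[self.state].get(b, 0)
            for pid in self.out[self.state]:
                pat = self.patterns[pid]
                hits.append((self.offset - len(pat) + 1, pat))
            self.offset += 1
        return hits


class GzipFrontEnd:
    """Inflate a gzip/zlib stream incrementally and hand plaintext to the matcher."""

    def __init__(self, matcher):
        self.matcher = matcher
        # wbits = MAX_WBITS | 32 lets zlib auto-detect a gzip or zlib header.
        self.inflater = zlib.decompressobj(wbits=zlib.MAX_WBITS | 32)

    def feed(self, chunk: bytes):
        return self.matcher.feed(self.inflater.decompress(chunk))


PATTERNS = [
    b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE",
    b"cmd.exe /c",
    b"/c whoami",        # overlaps the previous signature: one pass, two answers
]

# Constructed HTTP response body (not a capture).
SAMPLE_BODY = b"HTTP/1.1 200 OK\r\n\r\nEICAR-STANDARD-ANTIVIRUS-TEST-FILE cmd.exe /c whoami"
SAMPLE_GZIP = gzip.compress(SAMPLE_BODY)


def chunked(data: bytes, size: int):
    """Split data into 'packets' of `size` bytes so signatures straddle boundaries."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def scan_stream(chunks, patterns=PATTERNS, compressed=False):
    """Scan chunks in arrival order with one automaton; the body is never reassembled."""
    engine = StreamMatcher(patterns)
    if compressed:
        engine = GzipFrontEnd(engine)
    hits = []
    for chunk in chunks:
        hits.extend(engine.feed(chunk))
    return hits


if __name__ == "__main__":
    print(scan_stream(chunked(SAMPLE_BODY, 7)))
    print(scan_stream(chunked(SAMPLE_GZIP, 5), compressed=True))
```

Both runs report the same three hits at the same plaintext offsets (19, 54 and 62) even though the 7-byte and 5-byte chunking cuts every signature, and the compressed stream, into pieces: the state carried in the automaton and in the inflater is all that is kept between packets, which is the property that lets a stream-based engine inspect at line rate without a reassembly buffer.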

Page 16

Validated in 3rd Party Testing

“Regardless of which UTM features we enabled - intrusion prevention, antispyware, antivirus, or any combination of these - results were essentially the same as if we'd turned on just one such feature. Simply put, there's no extra performance cost…”

-NetworkWorld, 2012

Page 17

Requirement: Expect the Unknowns

Page 18

Systematically Manage Knowns and Unknowns

Known
• Applications (All Apps, All Ports, All the Time): Decoders (190+), Signatures, Port and protocol, Decryption
• Users (All Users, All Locations, Any Repository): Active Directory, LDAP, eDirectory, Terminal Services, Exchange, GlobalProtect
• Content (All Exploits, Malware, Files, and URLs): Decoders (190+), Stream-based scanning, Uniform signature format

Unknown
• Applications: Unknown Decoders, Heuristics, Override, Custom App-ID
• Users: XML API, Captive Portal
• Content: Behavioral Botnet Report, WildFire

Policy Control: Identify, Allow, Enable, Deny

Page 19

The Gaps in Traditional Antivirus Protection

☣ Targeted and custom malware

☣ Polymorphic malware

☣ Newly released malware

Highly variable time to protection

Modern malware is increasingly able to:
  - Avoid falling into traditional AV honey-pots
  - Evolve before protection can be delivered, via polymorphism, re-encoding, and crypting

Page 20

WildFire Architecture

• 10 Gbps Threat Prevention and file scanning

• All traffic, all ports

• Web, email, FTP and SMB

• Running in the cloud lets the malware do things that you wouldn't allow in your network.

• Updates to sandbox logic without impacting the customer

• Stream-based malware engine to perform true inline enforcement

Page 21

Page 22

Daily Coverage of Top AV Vendors

[Chart: New Malware Coverage Rate by Top 6 AV Vendors; y-axis: Malware Sample Count]

Page 23

Real-World Spread of 0-Day Malware


• Analysis of 50 0-Day malware samples

• Captured by WildFire in live customer networks

• Tracked the spread and number of infections by hour following the initial infection

[Chart: Attempted Malware Infections vs. Hours after initial infection]

Page 24

Real-World Spread of 0-Day Malware


Looking at the first 48 hours of malware propagation, 95% of infections occur in the first 24 hours; the remaining 5% occur in the second 24 hours.

[Chart: Total Attempted Malware Infections vs. Hours, WildFire Subscription protection point marked; 95% / 5% split]

Page 25

Real-World Spread of 0-Day Malware


[Chart: Attempted Malware Infections vs. Hours; protection points marked: WildFire Subscription, Threat Prevention]

Page 26

Sample WildFire Analysis


• Detailed analysis of malware behaviors including

• Malware actions

• Domains visited

• Registry changes

• File changes

Page 27

Integrated WildFire Logging


• WildFire logs integrated to the Palo Alto Networks user interface

• Malware verdict

• User

• Application

• Related logs

Page 28

Coordinated Threat Prevention: An Integrated Approach to Threat Prevention (repeat of the Page 7 slide)

Page 29

Questions?