Next-generation enterprise security platform

Walter Doria

Posted on 03-Jun-2020

Why do you need network, endpoint, and cloud working together?

The network is best for identifying and controlling all traffic, preventing known threats, and gathering context for analytics.
Limitation: the network is not the target, so it only sees data in transit, which limits zero-day attack prevention.

The endpoint is the best location to prevent zero-day attacks and gather initial forensics information.
Limitations: it is safer to prevent the attack before it reaches the target, and mobile operating systems limit endpoint capabilities.

The cloud is best for gathering information, analyzing, correlating, and disseminating intelligence back to the enforcement points.
Limitations: the cloud is only as good as the data it receives, and it does not actually do prevention on its own.

Platform approach

Next-Generation Threat Cloud
• Gathers potential threats from network and endpoints
• Analyzes and correlates threat intelligence
• Disseminates threat intelligence to network and endpoints

Next-Generation Endpoint
• Inspects all processes and files
• Prevents both known & unknown exploits
• Integrates with cloud to prevent known & unknown malware

Next-Generation Firewall
• Inspects all traffic
• Blocks known threats
• Sends unknown to cloud
• Extensible to mobile & virtual networks

Next-generation enterprise security platform

① Prevents attacks — even attacks seen for the first time
② Protects all users and applications — including mobile and virtualized
③ Seamlessly combines network and endpoint security, as each has unique strengths
④ Provides rapid analysis of new threats

Attacks are developed to be hidden

Legitimate traffic and malware look alike: encryption, tunneling, polymorphic malware.

Attacking the base security: once a CnC channel is established, traffic from outside is implicitly allowed.

An attack lifecycle

1. Exploits are delivered over the network (encryption, fragmentation)
2. Malware is delivered over the network (re-encoded and targeted malware)
3. Malware communicates over the network (proxies, tunneling, encryption, custom traffic)

Diagram stages: Exploits, Malware, Spyware / C&C.

WildFire Architecture

• Threat Prevention and file scanning at 10 Gbps
• Web, email, FTP and SMB
• Cloud analysis
• New signature based on new malware
• Anti-malware stream engine updating every 15 min

Diagram: firewall content engines: App-ID, URL, IPS, Threat License (Spyware, AV), Files (WildFire).

• Block high-risk apps
• Block known malware sites
• Block exploits
• Prevent drive-by downloads of unknown malware
• Block malware

Lifecycle: Bait the end-user > Exploit > Download Backdoor > Establish Back-Channel > Explore & Steal

• Block spyware and C&C traffic
• Block C&C on non-standard ports
• Block malware and fast-flux domains
• Block unknown C&C traffic

Coordinated analysis to identify and block known and unknown exploits, malware and threats.

An integrated approach

Advanced threats require a solution, not point products.

Diagram: Client Exploit and Command/Control across HTTP, SSL, DNS, URL / C&C; file types EXE, Java, .LNK, DLL; known viruses and exploits; high-risk applications. Traffic classes shown: successful spear-phishing email, post-compromise activity, failed attempts.

1. Reduce the attack surface
• Whitelist applications or block high-risk apps
• Block known viruses, exploits
• Block commonly exploited file types

2. Detect the unknown
• Analysis of all application traffic
• SSL decryption
• WildFire sandboxing of exploitive files

3. Create new protections
Detection and blocking of C&C via:
• Bad domains in DNS traffic
• URLs (PAN-DB)
• C&C signatures (anti-spyware)
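The "create new protections" step above lists C&C detection via bad domains in DNS traffic, malicious URLs and C&C signatures, and the earlier lifecycle slide adds blocking C&C on non-standard ports and fast-flux domains. As an added example (not part of the presentation and not Palo Alto Networks code), the Python below runs those four checks over a handful of constructed firewall-style log lines. The CSV field names, the blocklist, the expected-port table and the fast-flux thresholds are all assumptions chosen for illustration, not a real product's log format or detection logic.

```python
import csv
import io
from collections import defaultdict

# Constructed sample log lines, loosely modelled on DNS, URL and traffic logs.
# Field names and values are assumptions for this example only.
SAMPLE_LOG = """\
type,src,domain,dst_port,app,answer,ttl
dns,10.0.0.5,updates.example.com,53,dns,93.184.216.34,3600
dns,10.0.0.5,login.bad-domain.test,53,dns,198.51.100.7,60
dns,10.0.0.8,cdn.flux.test,53,dns,203.0.113.1,30
dns,10.0.0.8,cdn.flux.test,53,dns,203.0.113.2,30
dns,10.0.0.8,cdn.flux.test,53,dns,203.0.113.3,30
dns,10.0.0.8,cdn.flux.test,53,dns,203.0.113.4,30
dns,10.0.0.8,cdn.flux.test,53,dns,203.0.113.5,30
url,10.0.0.5,payload.bad-domain.test,80,web-browsing,,
traffic,10.0.0.9,,8080,ssl,,
traffic,10.0.0.9,,443,ssl,,
traffic,10.0.0.7,,5353,web-browsing,,
"""

# Constructed intelligence: a bad-domain list (stands in for DNS/URL feeds)
# and the ports each identified application is expected to use.
BAD_DOMAINS = {"bad-domain.test"}
EXPECTED_PORTS = {"web-browsing": {80}, "ssl": {443}, "dns": {53}}


def parse_logs(text):
    """Parse the CSV log text into a list of dict records."""
    return list(csv.DictReader(io.StringIO(text)))


def domain_matches(domain, blocklist):
    """True if the domain or any parent domain is on the blocklist."""
    labels = domain.lower().split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def detect_c2(records, bad_domains=BAD_DOMAINS, expected_ports=EXPECTED_PORTS,
              flux_min_ips=5, flux_max_ttl=300):
    """Return (rule, source, detail) alerts for the four C&C indicators."""
    alerts = []
    resolutions = defaultdict(set)   # domain -> distinct answer IPs
    ttls = defaultdict(list)         # domain -> observed TTLs
    for r in records:
        kind = r["type"]
        if kind == "dns":
            # Bad domain queried in DNS traffic
            if domain_matches(r["domain"], bad_domains):
                alerts.append(("dns-bad-domain", r["src"], r["domain"]))
            resolutions[r["domain"]].add(r["answer"])
            ttls[r["domain"]].append(int(r["ttl"]))
        elif kind == "url":
            # URL whose host is on the malware list
            if domain_matches(r["domain"], bad_domains):
                alerts.append(("url-malware", r["src"], r["domain"]))
        elif kind == "traffic":
            # Identified application running on a port it is not expected on
            allowed = expected_ports.get(r["app"])
            if allowed is not None and int(r["dst_port"]) not in allowed:
                detail = f'{r["app"]}:{r["dst_port"]}'
                alerts.append(("app-on-nonstandard-port", r["src"], detail))
    # Fast-flux heuristic: many distinct IPs for one name, all with short TTLs
    for domain, ips in resolutions.items():
        if len(ips) >= flux_min_ips and max(ttls[domain]) <= flux_max_ttl:
            alerts.append(("fast-flux-suspect", "-", domain))
    return alerts


if __name__ == "__main__":
    for alert in detect_c2(parse_logs(SAMPLE_LOG)):
        print(alert)
```

Each rule is independent, so a record can raise more than one alert; in practice the expected-port table and the fast-flux thresholds are the parts that need tuning per environment, since legitimate CDNs also rotate short-TTL answers.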

Scaling the threat cloud

On a typical day, WildFire receives over 280,000 unique files:
• 11,600 every hour
• 195 every minute
• 3 every second

From those unknowns, about 30,000 are new malware:
• >70% not detected by any of the leading AV software

On average, each file is processed in less than 6 minutes:
• Even as the number of files has quadrupled

6.0 Released

WildFire subscription benefits

The slide compares base WildFire with the WildFire Subscription across these features:

• WildFire analysis of PE files
• Daily signature feed (Threat Prevention subscription required)
• WildFire logs integrated within PAN-OS
• WildFire analysis of all other file types (PDF, MS Office, Java, Flash, APK*)
• WildFire analysis of potentially malicious email links*
• 15-minute WildFire AV signature updates
• WildFire Cloud API key
• Use of WF-500

*APK and email link analysis not available on WF-500

How To Read WildFire Events

• WildFire Submission Log: Monitor tab > WildFire Submissions
• WildFire Submission Log Details: WildFire Log Details tab
• WildFire Analysis Report: WildFire Analysis Report tab
• WildFire Analysis Report tab: Pcap download
• WildFire Analysis Report tab: Host activity
• WildFire Analysis Report tab: File activity
• WildFire Analysis Report tab: Submit malware and report incorrect verdicts

Summary: Key Benefits of Palo Alto Networks Solution

Our unique approach makes us the only solution that…
• Scans ALL applications (including SSL traffic) to secure all avenues in/out of a network, reduce the attack surface area, and provide context for forensics
• Prevents attacks across ALL attack vectors (exploit, malware, DNS, command & control, and URL) with content-based signatures
• Detects zero-day malware & exploits using public/private cloud and automatically creates signatures for the global customer base

6.1 WildFire Enhancements

New in the 6.1 release:
• Signature Generation on the WF-500
• Email Link Analysis
• Email Header Information
• 15 min signature updates
• API Limit Increased
• Integration with TRAPS
• Analysis of web-based Adobe Flash files
• Windows 7 64-bit analysis VM

Extending Signature Generation Capabilities to WF-500

Generate local malware and command-and-control signatures directly on the WildFire appliance.

Provides 3 types of protection:
• Antivirus signatures – prevent malware downloads
• DNS signatures – block command-and-control traffic
• URL malware categorization – block command-and-control traffic

Distribute local WF-500 signatures to all PAN-OS firewalls across the network for consistent network protection.

Diagram: Local WildFire Appliance distributing DNS, URL and AV signatures.

Identify and Protect Against Malicious Email Links

• PAN-OS firewalls detect and send web links in suspicious emails to WildFire
• WildFire visits the webpage and analyzes the traffic to detect exploits and malware
• Prevent patient-0 from getting compromised by quickly adding the URL to PAN-DB
• Quickly identify targeted users and machines via email headers and integration with User-ID
• Only available in the WildFire Cloud

Diagram: WildFire, mail server, compromised host, URL http://comp-intra.net/ref?d8ca2, Exploit, BLOCK.

Email Header Information

Configure the User-ID option to enable the firewall to match User-ID information with the email header information identified in email links and email attachments that are forwarded to WildFire.

When a match occurs, the user name in the email header section of the WildFire log will contain a link that, when clicked, brings up the ACC filtered by the user or group of users.

"Email Session" or "Email Protocol" refers to SMTP and POP3 only.
• If used over SSL, decryption will be required
• IMAP is not supported at this time

Diagram: WildFire, mail server, compromised host, URL / attachments (sender/receiver, subject fields), Exploit, BLOCK.
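As an added example (not the presentation's and not Palo Alto Networks code), the Python below shows what the header matching described above amounts to on the wire: it walks a constructed plaintext SMTP session (what a firewall sees on port 25, or after SSL decryption), extracts sender, receivers and subject, pulls out the links and attachment names that would be forwarded for analysis, and maps each recipient address to a user and group through a constructed directory standing in for User-ID. The session text, the directory and the helper names are assumptions for illustration; the URL is the one shown in the slide diagram.

```python
import email
import re
from email import policy

# Constructed SMTP session, client (C:) and server (S:) lines. The attachment
# body is a tiny base64 stub, not a real document.
SMTP_SESSION = """\
S: 220 mail.example.test ESMTP
C: EHLO laptop.example.test
S: 250 mail.example.test
C: MAIL FROM:<invoice@supplier.example>
S: 250 OK
C: RCPT TO:<alice@example.test>
S: 250 OK
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: From: "Supplier Billing" <invoice@supplier.example>
C: To: alice@example.test
C: Subject: Overdue invoice
C: MIME-Version: 1.0
C: Content-Type: multipart/mixed; boundary="b1"
C:
C: --b1
C: Content-Type: text/plain
C:
C: Please review the invoice at http://comp-intra.net/ref?d8ca2
C: --b1
C: Content-Type: application/pdf; name="invoice.pdf"
C: Content-Disposition: attachment; filename="invoice.pdf"
C: Content-Transfer-Encoding: base64
C:
C: JVBERi0xLjQK
C: --b1--
C: .
S: 250 OK queued
C: QUIT
"""

# Constructed address-to-user mapping that stands in for User-ID.
USER_DIRECTORY = {"alice@example.test": ("alice", "finance")}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_message(session):
    """Return the SMTP envelope and the raw DATA block from the client side of a transcript."""
    envelope = {"mail_from": None, "rcpt_to": []}
    data_lines, in_data = [], False
    for line in session.splitlines():
        if not line.startswith("C:"):
            continue                       # server replies carry no message content
        payload = line[3:] if len(line) > 2 else ""
        if in_data:
            if payload == ".":             # lone dot terminates DATA
                in_data = False
            else:
                data_lines.append(payload)
        elif payload.upper().startswith("MAIL FROM:"):
            envelope["mail_from"] = payload.split(":", 1)[1].strip().strip("<>")
        elif payload.upper().startswith("RCPT TO:"):
            envelope["rcpt_to"].append(payload.split(":", 1)[1].strip().strip("<>"))
        elif payload.upper() == "DATA":
            in_data = True
    return envelope, "\n".join(data_lines)


def summarize(session, directory):
    """Header fields, links, attachment names and matched users for one session."""
    envelope, raw = extract_message(session)
    msg = email.message_from_string(raw, policy=policy.default)
    links, attachments = [], []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            attachments.append(part.get_filename())      # would be sent for file analysis
        elif part.get_content_type() == "text/plain":
            links.extend(URL_RE.findall(part.get_content()))  # would be sent for link analysis
    users = [directory[a] for a in envelope["rcpt_to"] if a in directory]
    return {
        "sender": str(msg["From"]),
        "receivers": envelope["rcpt_to"],
        "subject": str(msg["Subject"]),
        "links": links,
        "attachments": attachments,
        "users": users,
    }


if __name__ == "__main__":
    print(summarize(SMTP_SESSION, USER_DIRECTORY))
```

The envelope recipient (RCPT TO), not the To: header, is what is matched to the directory, because the header can name anyone while the envelope says who the mail server actually delivers to; the slide's SSL caveat applies directly here, since none of these lines are visible on an undecrypted SMTPS or STARTTLS session.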

WildFire Analysis Report

WildFire Cloud Updates

WildFire Signature Updates

- Are now every 15 minutes

WildFire API Limits Increased

- Are now 1,000 uploads a day (previously 100)

- Are now 10,000 queries a day (previously 1,000)

Additional WildFire Enhancements

New daily content updates for the WF-500 provide additional cloud intelligence
• The content updates help improve WF-500 analysis accuracy by providing daily updates to trusted code signing certificates, domains, file hashes, and other useful information
• Just as with PAN-OS content, the WF-500 content packages can be automatically downloaded and installed, or manually downloaded and installed to the WF-500

WildFire API on the WF-500 to support automation and 3rd party integrations

Support for Palo Alto Networks Traps advanced endpoint protection product

DEMO