Next-Generation Firewall
Roberto Maina | Systems Engineer
Alessandro Senni | Brand Manager
Maggio 2020
Emerging Challengesin Network Security
2 | © 2020 Palo Alto Networks, Inc. All rights reserved.
Cyber Evolution Trends
Virtualization, IoT, BYOD and SaaS adoption have increased threat vectors
Data Is Everywhere Security Skills Shortage
A lack of skilled personnel leaves
organizations at risk
Advanced Threats
Attacks are becoming more pervasive and sophisticated
25B+connected devices
in use by 2021
300M+never-before-seen
samples every month
53%of organizations
report a shortage of skilled staff
32%YoY increase in
malware delivered in encrypted traffic
3 | © 2020 Palo Alto Networks, Inc. All rights reserved.
Cyber Evolution: Enterprise
Data Is Everywhere
Mobile Users IoT CloudBranch Data Center
4 | © 2020 Palo Alto Networks, Inc. All rights reserved.
Cyber Evolution: Threats
Easiest to Execute Most Sophisticated and Damaging
Increasingly Advanced Threat Landscape
Known Threats Evasive Malware Zero-Day Attacks Fileless Attacks Targeted AttacksLow and SlowInsider Threats
5 | © 2020 Palo Alto Networks, Inc. All rights reserved.
The Security Skills Gap Is Widening
Source: https://www.csoonline.com/article/3331983/the-cybersecurity-skills-shortage-is-getting-worse.html
2018–2019
2017–2018
2016–2017
2015–2016
0% 60%50%40%30%20%10%Reported Shortage of Cybersecurity Skills
6 | © 2020 Palo Alto Networks, Inc. All rights reserved.
Palo Alto NetworksNext-Generation Firewall
Unique Approach
7 | © 2020 Palo Alto Networks, Inc. All rights reserved.
Today’s Reality for a User
Public Cloud SaaS Data CenterInternet
Home PC
Work Laptop
BYODPhone
HQ
On the Go
Branch
Home
8 | © 2020 Palo Alto Networks, Inc. All rights reserved.
Today’s Reality for a User
Home PC BYODPhone
HOME HQ
Work Laptop
CAFE
Work Laptop
BRANCH
Work Laptop
9 | © 2020 Palo Alto Networks, Inc. All rights reserved.
Public Cloud SaaS Data CenterInternet
Phishing and Stolen Credentials
Top 2 threat action varieties in 1,774 breaches
– 2019 Verizon Data Breach Investigations Report
10 | © 2020 Palo Alto Networks, Inc. All rights reserved.
Image recognitionStops evasive phishing with ML-based deep learning
2018 Microsoft
Coordinated analysisIdentify new types of phishing pages with higher accuracy
URL FILTERING: CONTINUOUSLY ADVANCING PHISHING DETECTION
2018 Microsoft
User Identity Protected from a Variety of Attacks
GENERAL ATTACKS TARGETED ATTACKS
Malware analysis,including machine
learning
URLclassification
CUSTOM ATTACK
User enters corporatecredentials on a fake SSO page
Next-Gen Firewall identifies corporate credentials
12 | © 2020 Palo Alto Networks, Inc. All rights reserved.
Protection from Successful Credential Reuse
Web Application
Legacy Application
Attacker uses stolen credentials1
4Attacker fails to gain access, attempt recorded
2 User receives MFA request
Da
ta C
en
ter
User denies request to access sensitive data3
13 | © 2020 Palo Alto Networks, Inc. All rights reserved.
Typical Application Use
SANCTIONED TOLERATED UNSANCTIONED
DENYCONTROLSAFELY ENABLE
14 | © 2020 Palo Alto Networks, Inc. All rights reserved.
Complete Visibility into All Applications in Use
Understand app usage by threats transferred, category and user
Get a comprehensive report on SaaS usage in your organization
Understand risky SaaS app usage based on risk characteristics
15 | © 2020 Palo Alto Networks, Inc. All rights reserved.
Enable Apps Safely in Policies
SAAS APPLICATIONAPPLICATION
Evasive
Excessive bandwidth
Prone to misuse
Transfers files
Tunnels other apps
Used by malware
Vulnerabilities
Audio streaming
Encrypted tunnel
File sharing
Gaming
Proxy
Remote access
Software UpdateSoftware update
PCI DSS
SOC 1
SOC 2
SSAE 16
HIPAA
FedRAMP
FINRA
No certifications
Poor financial viability
Poor terms of service
IP-based restrictions
History of data breaches
SaaS CharacteristicsCharacteristicsCategories
HIPAA
16 | © 2020 Palo Alto Networks, Inc. All rights reserved.
Control the Use of Sanctioned/Tolerated Apps
APPLICATION
Download Upload Posting
Enterprise vs. consumer(personal) accounts
Screen sharing/remote control
File blockingDocument sharing
File sandboxingWildFire
File transfer
Audio and video
Select
.EXE
.RAR
.XLS
Select
.EXE
.RAR
.XLS
17 | © 2020 Palo Alto Networks, Inc. All rights reserved.
Malware
Prevention Requires Securing Encrypted Traffic
“Percent of time spent on encrypted websites and apps, Windows and Mac”
>80%Encrypted
HTTPS encryption on the web – Google Transparency Report
Upatre
Steals credentials
Dridex
Unit 42 Research
Transfers funds illegally
Ehdoor
Steals sensitive information
Encrypted traffic carried nearly 3.5 million unique malware samples in 2017
Encrypted Traffic
18 | © 2020 Palo Alto Networks, Inc. All rights reserved.
Governed byRegulations
Secure Encrypted Traffic Without Compromising Privacy
Dangerous
Self-signed certsUntrusted certs
Expired certs
HealthcareGovernment
Banking
Unsafe
Unsafe TLS versionsWeak cipher suites
All Else
?
19 | © 2020 Palo Alto Networks, Inc. All rights reserved.
Detect and Prevent New Threats with WildFire
Malware, URLs, DNS, Auto-C2
Update within seconds
Static analysis
Dynamic analysis
Machine learningBare metal analysis
Dynamic unpacking
Network traffic profiling
SANDBOX
Binaries Documents
Flash Web Archive
Data collected from a vast global community
Analysis techniques far beyond traditional sandboxing
Automated protection against multiple attack variants
CloudNetwork Endpoint
20 | © 2020 Palo Alto Networks, Inc. All rights reserved.
Un
kno
wn
sP
rote
ctio
ns
Prevent Patient Zero with ML
Centralized Configuration, Policy, Logging
Mobile users
Branch
Configuration
Configuration
Logs Logs
Logs
PolicyReporting
Panorama
Cortex™ Data LakePrisma™ Access Public cloud
HQ
NGFW
Momentum
23 | © 2020 Palo Alto Networks, Inc. All rights reserved.
2019 Gartner Magic Quadrant for Network Firewalls
8-time Leader in the Gartner Firewall MQ, NSS Labs Recommended
NSS Labs Recommended
66,000+customers
in 150+ countries
85of the Fortune 100
rely on Palo Alto Networks
63% of the Global 2Kare Palo Alto Networks customers
FY15 FY16 FY17 FY18 FY19
#1in enterprise security
revenue trend 33% CAGRFY15‒FY19
20% year-over-yearrevenue growth*
9.1/10average CSAT score
Q2FY2020. Fiscal year ends July 31Gartner, Market Share: Enterprise Network Equipment by Market Segment, Worldwide, 3Q19, 6 March 2020,
Palo Alto Networks 10-k
24 | © 2020 Palo Alto Networks, Inc. All rights reserved.
The World’s Leading Cybersecurity Company
The Next-Generation Firewall Continues to Evolve
25 | © 2020 Palo Alto Networks, Inc. All rights reserved.
NGFWs for All Your Deployment Needs
PA-220
PA-220R
PA-800 Series
PA-3200 Series
PA-5200 Series
PA-7000 Series
26 | © 2020 Palo Alto Networks, Inc. All rights reserved.
Small Branches & Remote Locations
Network Perimeter
LargeData Centers
100+ New Capabilities in PAN-OS 8.1, 9.0, 9.1
App-ID• Policy Optimizer• HTTP/2 inspection• SIP enhancements• App-default with decryption• Streamlined schedule• SaaS app characteristics
User-ID• Dynamic User Groups• Increased terminal services capacity• Improved scalability with virtual
systems
Security Subscriptions• New DNS Security subscription• Improved phishing detection via ML• Multi-category URL filtering• High, Medium, Low risk classification
More• EDL capacity and performance
improvements• GTP security for IoT• More flexible data filtering
Panorama• Manage up to 5,000 NGFWs with single
Panorama instance; up to 30,000 NGFWs with Panorama Interconnect
• Device group/template config management
• Optimized bulk onboarding of NGFWs• Proactive health and metrics monitoring
Management• Dynamic Address Groups: increased
capacity, performance, and visibility• API security• API simplification• Wildcard Address Support for policy
match• Rule audit comments• Tag-based rule management• Policy/Infrastructure testing in UI• Policy UUID
Networking• DHCP/FQDN support for dest NAT• FQDN refresh responsiveness
improvement• VxLAN inspection• GRE tunneling• TrustSec SGT Tag support
Decryption• Decryption broker
GlobalProtect• Managed/Unmanaged device
identification• HIP redistribution• Detailed logs for rapid
troubleshooting
New hardware• All-new hardware portfolio from PA-
220 to PA-7000 Series with new cards
27 | © 2020 Palo Alto Networks, Inc. All rights reserved.
DNS Security - One Year in, Amazing Growth ...D
NS
re
qu
est
s a
na
lyze
d(B
illio
ns)
Mar Apr May Jun Jul Aug Sep Oct Nov Dec Jan
0
2
3
5
6
8
9
11
12
14
28 | © 2020 Palo Alto Networks, Inc. All rights reserved.
Refresh Bundle Offer
29 | © 2020 Palo Alto Networks, Inc. All rights reserved.
Exclusive Bundle For Customers With Refresh EligibleHardware
30 | © 2020 Palo Alto Networks, Inc. All rights reserved.
Trade-in Levels and Credit Amount
PA-3220 € 900
PA-3250 € 1,250
PA-3260 € 1,500
PA-5220 € 2,250
PA-5250 € 4,500
PA-5260 € 7,500
PA-5280 € 8,500
PA-7000 Chasis € 5,000
PA-7000 100GNPC € 5,000
Product being purchased Credit
PA-7000 Chasis&
100G Cards
PA-4060 PA-5060
PA-5280
PA-5260
PA-4050 PA-5050 PA-5250
PA-4020 PA-5020 PA-5220
PA-2050
PA-3060 PA-3260
PA-3050 PA-3250
PA-2020 PA-3020 PA-3220
Generation 1 Generation 2 Current Product
Hardware level to be equivalent to
current product or higher asdenoted
by direction of arrow to qualify
for trade-incredit.
Example
31 | © 2020 Palo Alto Networks, Inc. All rights reserved.
Terms and Condition
➢ Valid until 31 July.
➢ Hardware level to be equivalent to current product or higher
➢ Bundle Offer is valid for 3 or 5 Years
➢ Customer will be asked to sing “Certificate of Decommision”
➢ Insert code FY20 HW Refresh Offer Bundle in DR Qualifying Campaign Code
➢ Contact us or your Palo Alto Networks Account Manager
32 | © 2020 Palo Alto Networks, Inc. All rights reserved.