Disrupting the Malware Kill Chain
Presenters: Simon Wong and Chris Cram, Scalar
Date: October 1st, 2015
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience. 2
Scalar Client Solutions
Security
Context-Based Enterprise Security
Infrastructure
Integration of Emerging Technologies
Cloud
Hybrid Cloud Solutions
Scalar Security Capabilities
Prepare
• Understand risks
• Build an effective security program
• Source top security talent
Defend
• Implement robust defences
• Integrate leading technologies
• Maximize visibility, understanding and control
Respond
• Monitor critical business assets
• Respond rapidly to incidents
• Validate effectiveness of security controls
Organizational Maturity: Security
Credit: Demetrios “Laz” Lazarikos, Blue Lava
We Asked Canadian Security Experts
• 46% suffered a loss of data
• $200,000: cost of a breach
• 34: average number of attacks annually
• 41% believe they are winning the cyber security war
• 28%: top performers reduce risk
What's Changed? The Evolution of the Attacker
• Cybercrime now: $445
• Cyber warfare: 100+ nations
What's Changed? The Evolution of the Attack
(Chart: organizational risk rising from known threats through the following.)
• Zero-day exploits/vulnerabilities
• Unknown and polymorphic malware
• Evasive command-and-control
• Lateral movement
• Changing application environment
• SSL encryption
• Mobile threats
Ultra recent examples (figure): 6.9B visits/mo; Angler, Bedep, Cryptowall; 39 compromised iOS apps

Breaking the kill chain at every step (figure). Enforcement technologies shown as rows: App-ID, User-ID, URL filtering, IPS, anti-spyware, AV, file blocking, unknown-threat analysis. Attack stages shown as columns, with the controls applied at each:
1. Bait the end-user: block high-risk apps; user-based control; decryption; block known malware sites and email links
2. Exploit: block the exploit
3. Download backdoor: block malware; prevent drive-by-downloads; detect 0-day malware
4. Command-and-control: block new C2 traffic; block spyware and C2 traffic; block fast-flux and bad domains; block C2 on open ports
5. Lateral movement / Zero Trust, and 6. Exfiltration of data: the same exploit, malware, 0-day and bad-domain blocking applied inside the network, plus file blocking and data filtering, with high-risk app blocking, user control and decryption
Breaking the Kill Chain at Every Step
Detect and prevent threats at every point across the organization, not just the internet edge:
• At the internet edge
• Between employees and devices within the LAN
• At the data center edge, and between VMs
• At the mobile device
• Within private, public and hybrid clouds
Requirements for the Future
1. Application-based security rules, including the ability to decrypt flows
2. Rules based on user identity and user groups
3. WildFire subscription to detect unknown malware
4. Threat Prevention subscription to enable dynamic prevention signatures for malware
5. URL filtering (PAN-DB) subscription to enable dynamic prevention of malware command and control
6. GlobalProtect to secure against the threat of time and to help assert identity
Requirements for Security in Today's Threat Landscape: natively integrated, extensible, automated
Delivering the Next-Generation Security Platform: next-generation firewall, advanced endpoint protection, threat intelligence cloud
The endpoint: Prevention of One Technique in the Chain will Block the Entire Attack

(Figure: each exploit is a chain of techniques; the Traps module that blocks each technique is listed beside the chain.)

Target | Exploit technique chain | Traps prevention modules in the chain
IE zero day, CVE-2013-3893 | Heap spray -> DEP circumvention -> UASLR -> ROP / utilizing OS function | DLL Security; ROP Mitigation / DLL Security
Adobe Reader, CVE-2013-3346 | Heap spray -> DEP circumvention -> UASLR -> utilizing OS function | Memory Limit Heap Spray Check and Shellcode Preallocation; DLL Security
Adobe Flash, CVE-2015-3010/0311 | ROP -> JiT spray -> utilizing OS function | ROP Mitigation; J01; DLL Security; Memory Limit Heap Spray Check
Exploit Prevention Case Study: Unknown Exploits Utilize Known Techniques

(Figure: the exploit attack, its technique chain, and the same chain with Traps Exploit Prevention Modules enabled.)

Exploit attack:
1. Exploit attempt contained in a PDF sent by a "known" entity.
2. PDF is opened and exploit techniques are set in motion to exploit a vulnerability in Acrobat Reader.
3. Exploit evades AV and drops a malware payload onto the target.
4. Malware evades AV and runs in memory.

Exploit techniques, in order: normal application execution -> heap spray -> DEP circumvention -> utilizing OS function -> begin malicious activity (activate key logger, steal critical data, more). Gaps are vulnerabilities.

With Traps Exploit Prevention Modules (EPM):
1. Exploit attempt blocked at the heap-spray technique; Traps requires no prior knowledge of the vulnerability. Result: no malicious activity.
2. If you turn off EPM #1, the first technique (heap spray) will succeed but the next one (DEP circumvention) will be blocked, still preventing malicious activity.
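The heap-spray step in the chain above has a recognizable footprint in the JavaScript that a malicious PDF carries, which is why the technique can be recognised without knowing the vulnerability. The following is an added example, not Traps or Palo Alto Networks code and not the runtime technique blocking the slides describe: a static heuristic that parses the /JS literal strings out of a PDF (honouring the balanced parentheses that JavaScript is full of) and scores the classic heap-spray indicators, a repeated-word unescape() sled, a doubling loop that grows it to a large size, and a loop filling an array with copies. The two PDF samples, the regular expressions, the weights and the threshold are constructed for this illustration; compressed streams and obfuscated JavaScript would need a fuller parser.

```python
import re

# PDF literal-string escapes (PDF 32000-1, 7.3.4.2); \( \) \\ fall through to the escaped byte itself.
_ESCAPES = {ord("n"): 10, ord("r"): 13, ord("t"): 9, ord("b"): 8, ord("f"): 12}


def literal_strings_after(key: bytes, data: bytes):
    """Yield decoded literal strings that directly follow `key` (e.g. b"/JS") in a PDF.

    Tracks nested balanced parentheses, so a naive non-greedy regex would not do:
    it would truncate the JavaScript at its first ')'.  Limitation of this example:
    hex strings and indirect references to (possibly compressed) streams are not followed.
    """
    pos = 0
    while True:
        pos = data.find(key, pos)
        if pos < 0:
            return
        j = pos + len(key)
        while j < len(data) and data[j] in b" \t\r\n":
            j += 1
        if j >= len(data) or data[j] != ord("("):
            pos = j          # key present but its value is not a literal string; skip it
            continue
        depth, k, buf = 1, j + 1, bytearray()
        while k < len(data):
            c = data[k]
            if c == ord("\\") and k + 1 < len(data):
                buf.append(_ESCAPES.get(data[k + 1], data[k + 1]))
                k += 2
                continue
            if c == ord("("):
                depth += 1
            elif c == ord(")"):
                depth -= 1
                if depth == 0:
                    break
            buf.append(c)
            k += 1
        yield buf.decode("latin-1")
        pos = k + 1


# Heap-spray indicators (constructed heuristics and weights).
SLED_RE = re.compile(r'unescape\(\s*["\']((?:%u[0-9a-fA-F]{4})+)["\']\s*\)')
DOUBLING_RE = re.compile(r'while\s*\(\s*(\w+)\.length\s*<\s*(0x[0-9a-fA-F]+|\d+)\s*\)\s*\1\s*\+=\s*\1\b')
FILL_RE = re.compile(r'for\s*\(\s*(?:var\s+)?(\w+)\s*=\s*0\s*;\s*\1\s*<\s*(\d+)\s*;\s*\1\+\+\s*\)\s*\w+\s*\[\s*\1\s*\]\s*=')


def score_js(js: str):
    """Return (indicator, weight) pairs found in one JavaScript body."""
    findings = []
    for m in SLED_RE.finditer(js):
        words = [w.lower() for w in re.findall(r"%u([0-9a-fA-F]{4})", m.group(1))]
        if len(words) >= 2 and len(set(words)) == 1:
            findings.append(("nop-sled-unescape", 2))      # e.g. %u0c0c%u0c0c or %u9090%u9090
        elif len(words) >= 32:
            findings.append(("long-unescape-payload", 1))  # shellcode-sized blob
    for m in DOUBLING_RE.finditer(js):
        if int(m.group(2), 0) >= 0x10000:                  # grows one string to >= 64 KiB
            findings.append(("doubling-loop", 3))
    for m in FILL_RE.finditer(js):
        if int(m.group(2)) >= 50:                           # many copies placed on the heap
            findings.append(("array-fill-loop", 2))
    return findings


def analyze_pdf(data: bytes):
    findings = [f for js in literal_strings_after(b"/JS", data) for f in score_js(js)]
    score = sum(w for _, w in findings)
    return {"score": score, "findings": [n for n, _ in findings],
            "verdict": "heap-spray" if score >= 4 else "clean"}


def pdf_with_js(js: str) -> bytes:
    """Minimal constructed PDF whose OpenAction runs `js` (uncompressed, for the example)."""
    return (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
            b"2 0 obj << /S /JavaScript /JS (" + js.encode("latin-1") + b") >> endobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


# Constructed samples: a textbook spray (payload + sled + doubling + array fill) and a benign form script.
MALICIOUS_JS = (
    'var sc = unescape("' + "".join("%%u%04x" % (0x1000 + 37 * i) for i in range(40)) + '");\n'
    'var nop = unescape("%u0c0c%u0c0c");\n'
    "while (nop.length < 0x100000) nop += nop;\n"
    "var spray = new Array();\n"
    "for (var i = 0; i < 200; i++) spray[i] = nop + sc;\n"
)
BENIGN_JS = 'app.alert("Thanks for opening this form"); var s = unescape("%u00e9");'
MALICIOUS_PDF = pdf_with_js(MALICIOUS_JS)
BENIGN_PDF = pdf_with_js(BENIGN_JS)

if __name__ == "__main__":
    for name, pdf in (("malicious", MALICIOUS_PDF), ("benign", BENIGN_PDF)):
        print(name, analyze_pdf(pdf))
```

The single-word unescape() in the benign sample is deliberately not scored: one %u word is a character, not a sled, and that false positive is the first thing a detector like this produces if the length check is dropped.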
Zero Trust
All resources are accessed in a secure manner regardless of location.
Access control is on a “need-to-know” basis and is strictly enforced.
Verify and never trust.
Inspect and log all traffic.
The network is designed from the inside out.
Source: Forrester Research
19 | ©2015, Palo Alto Networks
Zero-Trust Model (figure: security, network and application layers across virtualized servers, physical servers and the corporate network/DMZ)
• Segment North-South (physical) and East-West (virtual) traffic
• Tracks virtual application provisioning and changes via dynamic address groups
• Automation and orchestration support via REST API
• Host VM and core security
• Hypervisor-based security architecture
Your DC is the target!
Share of exploit logs by application (chart):
• MS-SQL 25%
• MS-RPC 21%
• Web browsing 15%
• SMB 11%
• MS-SQL Monitor 10%
• MS Office Communicator 10%
• SIP 4%
• Other 3%
• Active Directory 2%
• RPC 2%
• DNS 1%
10 out of 1,395 applications generated 97% of the exploit logs; 9 of these were datacenter applications.
Source: "Application Usage and Threat Report" (Palo Alto Networks), 2013 and 2014
Innovative deployment architectures

VM-Series for AWS
• Identify and control applications traversing the VPC
• Prevent known and unknown threats, inbound and EC2-to-EC2
• Streamline policy updates, simplify management
• Full next-generation firewall functionality for AWS

Identify and control applications traversing the VPC
• Visibility: classify all VPC traffic based on application identity
• Control: enable those applications you want, deny those you don't
• Authorize: grant access based on user identity
(Figure labels: RDP, SharePoint, Administrators, Marketing)

Streamline management and policy updates
• Centrally manage configuration and policy deployment of the VM-Series for AWS
• Manage all Palo Alto Networks next-generation firewall instances, both hardware and virtualized form factor
• Aggregate traffic logs across multiple VM-Series for AWS instances for visibility, forensics and reporting
• Streamline policy updates with VM-Monitoring, Dynamic Address Groups and an API
(Figure labels: MS SQL, SharePoint, Web FE; credit card / intellectual property / PII; Panorama)

Deployment Scenarios
1. Gateway: full NGFW security for all traffic traversing the AWS deployment; visibility, application control, prevention of known/unknown threats, access control based on user
2. Hybrid cloud (IPSec VPN): extend the enterprise datacenter to AWS with IPSec VPN plus the full NGFW feature set
3. VPC-to-VPC protection: control traffic between VPCs and block known and unknown threats from moving laterally; a combination of gateway and hybrid within the VPC
4. GlobalProtect Gateway: use VM-Series deployed across various AWS regions as a VPN gateway; secure mobile users anywhere by leveraging AWS infrastructure around the world
(Figure labels: IPSec VPN, end-users over Internet, corporate network)

GlobalProtect: Consistent Security Everywhere (headquarters and branch office; protects against malware, botnets, exploits)
• VPN connection to a purpose-built firewall
• Automatic protected connectivity for users both inside and outside
• Unified policy control, visibility, compliance and reporting
One more thing: Cloud/SaaS
• Next-Gen FW for SaaS enforcement
• Inherent risks with SaaS
• Introducing Aperture: cloud-delivered model, complete SaaS security
Thank You
Governance, Risk and Compliance Advisory

Service line | Assess & Advise | Implementation & Execution | Monitor & Maintain
Audit & Assurance | SSAE 16 / ISAE 16 / CSAE 3416 Readiness Assessment; Privacy Impact Assessment; SysTrust / WebTrust; Contractual | Controls Implementation; Privacy Governance; Governance Framework | Virtual Internal Audit; Virtual Privacy Office; Compliance Team
Information Security | PCI DSS Assessment; ISO 27001 Gap/Risk Assessment; Application Security Testing; Vulnerability Assessment; Penetration Testing; Threat Risk Assessment; OSFI Cybersecurity Assessment | ISMS Implementation; Policy and Procedure Development | Virtual CSO; Virtual Security Team; Security Operations
IT Service Management | COBIT Gap/Maturity Assessment; ITIL Gap/Maturity Assessment; ISO 20000 Gap/Maturity Assessment; Business Impact Assessment; Business Resiliency Assessment; IT Operational Risk Assessment | Service Continuity Management; BCP & DRP Development; IT Governance Implementation; ITIL Process Implementation; Implementation Rescue; Cherwell ITSM Tool Implementation | ITSM Managed Services; Technology Management; Cherwell ITSM SaaS
Technology Advisory | Architecture Review; Network Review; Cloud Review; Security Device Review; Application Migration; VOIP / VOIP Security | PKI; Two-Factor Authentication Deployment; Security Device Deployment (FW/IDS/VPN); BYOD Security; Secure Logging and Analysis | IT Management; Technology Management; Staff Augmentation
Our unique approach makes us the only solution that…
• Scans ALL applications (including SSL traffic) to secure all avenues in/out of a network, reduce the attack surface area, and provide context for forensics
• Prevents attacks across ALL attack vectors (exploit, malware, DNS, command & control, and URL) with content-based signatures
• Detects zero-day malware & exploits using public/private cloud and automatically creates signatures for the global customer base
(Figure labels: identify & control all applications; prevent known threats; detect unknown threats; rapid, global sharing)
Turning the Unknown into the Known
Breaking the Attack Kill Chain at Multiple Points
• Segment your network with a "zero-trust" model as the foundation for defense. Only allow content to be accessed by a limited and identifiable set of users, through a well-defined set of applications, blocking everything else.
• Block all known threats: Threat Prevention would have identified and stopped parts of the attack, across known vulnerability exploits, malware, URLs, DNS queries and command-and-control activity.
• Identify and block all unknown threats: WildFire had identified members of the "BlackPOS" malware family in the past, using behavioral characteristics such as communicating over often-abused ports (139 or 445), using WebDAV to share information, changing the security settings of Internet Explorer, modifying the Windows registry, and many more.
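The zero-trust principles from the Forrester slide (need-to-know access, verify and never trust, inspect and log all traffic), the data-center model that tracks VM changes through dynamic address groups, and the first bullet above all describe one policy shape: an allow-list keyed on user group, identified application and destination group, with everything else denied and every decision logged. The following is an added example, not Palo Alto Networks or Scalar code and not the PAN-OS policy engine or API. The zones, user groups, application names, tags, the VM inventory and the sample flows are all constructed for the illustration.

```python
from dataclasses import dataclass

# Constructed VM inventory, as a VM-monitoring feed would report it: address -> tags.
INVENTORY = {
    "10.1.10.21": {"role:web-fe", "env:prod"},
    "10.1.20.31": {"role:sharepoint", "env:prod"},
    "10.1.30.41": {"role:mssql", "env:prod", "data:pci"},
}


def dynamic_group(inventory: dict, tags: frozenset) -> set:
    """Members of a tag-defined group, recomputed from the live inventory on every
    evaluation, so a VM that is provisioned, moved or re-tagged is covered without
    anyone editing a rule."""
    return {ip for ip, have in inventory.items() if tags <= have}


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    users: frozenset       # user groups (identity-based); {"any"} for machine-to-machine flows
    apps: frozenset        # application names (application-based), never ports
    dst_tags: frozenset    # tags that define the destination dynamic address group
    decrypt: bool = False  # decrypt TLS so the application match sees the real application


# Constructed allow-list. Anything not matched here falls to the implicit deny.
RULES = [
    Rule("marketing-to-sharepoint", "corp-users", frozenset({"Marketing"}),
         frozenset({"sharepoint"}), frozenset({"role:sharepoint", "env:prod"}), decrypt=True),
    Rule("admins-rdp-to-prod", "corp-users", frozenset({"Administrators"}),
         frozenset({"ms-rdp"}), frozenset({"env:prod"})),
    Rule("web-fe-to-mssql", "dc-web", frozenset({"any"}),
         frozenset({"mssql-db"}), frozenset({"role:mssql", "env:prod"})),
]


@dataclass(frozen=True)
class Flow:
    src_zone: str
    user_group: str   # "" when no identity is known for the source
    app: str          # "unknown-tcp" when the traffic could not be identified
    dst_ip: str


def evaluate(flow: Flow, rules=RULES, inventory=INVENTORY, log=None):
    """Return (action, rule_name, decrypt). First match wins; the default is deny, and
    every decision is appended to `log`, because all traffic is inspected and logged."""
    log = log if log is not None else []
    for r in rules:
        if (flow.src_zone == r.src_zone
                and ("any" in r.users or flow.user_group in r.users)
                and flow.app in r.apps
                and flow.dst_ip in dynamic_group(inventory, r.dst_tags)):
            log.append(f"allow {flow} rule={r.name} decrypt={r.decrypt}")
            return "allow", r.name, r.decrypt
    log.append(f"deny {flow} rule=implicit-deny")
    return "deny", "implicit-deny", False


if __name__ == "__main__":
    log = []
    for f in (
        Flow("corp-users", "Marketing", "sharepoint", "10.1.20.31"),        # need-to-know: allowed
        Flow("corp-users", "Marketing", "ms-rdp", "10.1.30.41"),           # wrong group: denied
        Flow("corp-users", "Administrators", "ms-rdp", "10.1.30.41"),      # allowed
        Flow("dc-web", "", "mssql-db", "10.1.30.41"),                      # east-west tier flow: allowed
        Flow("dc-web", "", "smb", "10.1.30.41"),                           # lateral movement: denied
        Flow("corp-users", "Administrators", "unknown-tcp", "10.1.30.41"), # unidentified app: denied
    ):
        evaluate(f, log=log)
    print("\n".join(log))
```

Two properties are worth noticing: the SMB flow between data-center VMs is denied even though both hosts are "inside", which is the east-west segmentation the zero-trust slide asks for, and adding a new MS-SQL VM to the inventory with the right tags makes the existing web-tier rule cover it with no rule change.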
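The last bullet above lists the kind of behaviours that let a sandbox classify a sample it has never seen: SMB traffic on 139/445 from a user application, WebDAV used to stage data, Internet Explorer zone settings being loosened, and registry changes such as a run-key entry. The following is an added example and not WildFire's logic (WildFire's features and weights are not on this page): behaviour scoring run over constructed sandbox telemetry for a BlackPOS-style sample and for an ordinary Office session. The event format, process names, hosts, registry paths, weights and thresholds are all constructed for the illustration.

```python
import re

# Constructed indicator definitions; weights and thresholds are illustrative.
IE_ZONES = re.compile(r"\\Internet Settings\\Zones\\", re.IGNORECASE)
RUN_KEYS = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}  # RFC 4918
ABUSED_PORTS = {139, 445}
SYSTEM_SMB_CLIENTS = {"system", "svchost.exe"}   # Windows itself speaks SMB; a POS application should not


def smb_from_user_process(e):
    return (e.get("type") == "network" and e.get("dport") in ABUSED_PORTS
            and e.get("proc", "").lower() not in SYSTEM_SMB_CLIENTS)


def webdav_staging(e):
    # PROPFIND/MKCOL are WebDAV-only; PUT is counted too because that is the upload itself.
    return e.get("type") == "http" and (e.get("method") in WEBDAV_METHODS or e.get("method") == "PUT")


def ie_security_downgrade(e):
    return e.get("type") == "registry" and e.get("op") == "set" and bool(IE_ZONES.search(e.get("key", "")))


def run_key_persistence(e):
    return e.get("type") == "registry" and e.get("op") == "set" and bool(RUN_KEYS.search(e.get("key", "")))


INDICATORS = [
    ("smb-from-user-process", 2, smb_from_user_process),
    ("webdav-staging", 2, webdav_staging),
    ("ie-security-downgrade", 2, ie_security_downgrade),
    ("run-key-persistence", 2, run_key_persistence),
]


def score_events(events):
    """Score one sample's behaviour; each indicator counts once however often it fires,
    so a noisy sample cannot inflate its own score with repetition."""
    hits = [(name, w) for name, w, pred in INDICATORS if any(pred(e) for e in events)]
    total = sum(w for _, w in hits)
    verdict = "malicious" if total >= 5 else "suspicious" if total >= 3 else "benign"
    return {"score": total, "hits": [n for n, _ in hits], "verdict": verdict}


# Constructed sandbox telemetry. Hosts, paths, values and process names are invented.
POS_SAMPLE = [
    {"type": "network", "proc": "pos.exe", "proto": "tcp", "dst": "10.0.5.20", "dport": 445},
    {"type": "http", "proc": "pos.exe", "method": "PROPFIND", "dst": "10.0.5.20", "path": "/share/"},
    {"type": "http", "proc": "pos.exe", "method": "PUT", "dst": "10.0.5.20", "path": "/share/dump.txt"},
    {"type": "registry", "proc": "pos.exe", "op": "set",   # a setting under an IE security zone
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1400", "value": "0"},
    {"type": "registry", "proc": "pos.exe", "op": "set",   # persistence via a run key
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater", "value": r"C:\Windows\pos.exe"},
]
OFFICE_SAMPLE = [
    {"type": "network", "proc": "svchost.exe", "proto": "tcp", "dst": "10.0.5.20", "dport": 445},
    {"type": "http", "proc": "outlook.exe", "method": "GET", "dst": "mail.example.com", "path": "/owa/"},
    {"type": "registry", "proc": "winword.exe", "op": "set",
     "key": r"HKCU\Software\Microsoft\Office\16.0\Word\User MRU\File MRU\Item 1", "value": "report.docx"},
]

if __name__ == "__main__":
    print("pos.exe:", score_events(POS_SAMPLE))
    print("office: ", score_events(OFFICE_SAMPLE))
```

The benign session deliberately includes a system SMB connection and a registry write; both are everyday Windows behaviour, and the indicators are written so that neither fires on its own. What separates the samples is the combination: a user process on 445, followed by WebDAV uploads, a security downgrade and persistence.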
Next Generation Security Operations
Global Threat Intelligence & Research
Advanced Analytics
Protect Critical Assets
Robust Incident Handling
Understand Business Impact
Continuous Validation of Controls
Successful Client Outcomes
• Reduced risk
• Lower cost
• Higher return
• Measurable outcomes
• Enable business
Getting Started
• Prepare: perform a risk assessment; build an effective security program
• Defend: deploy security infrastructure; properly configure and continuously tune security tools
• Respond: detect and respond to incidents quickly; continuously validate the effectiveness of security controls
Looking for more information?
Check out how we helped the Medical Council of Canada streamline their remote access management for employees, committee members, and physicians with the help of Palo Alto Networks technology.
https://www.scalar.ca/en/client-stories/medical-council-of-canada-streamlines-remote-access-management-for-employees-committee-members-and-physicians/