Traps – Advanced Endpoint Protection
Jakub Jiricek, CISSP, CNSE
Systems Engineer, Eastern Europe

INFOSEK 2014 (infosek.net/gradiva-INFOSEK-2014/Gradivo_Infosek/...)

Copyright © 2014, Palo Alto Networks

Page 2

Harsh Reality

Targeted attacks can only be solved on the endpoint

§  Attackers are more sophisticated and well funded

§  Launching zero-day attacks is more accessible and common

71% of breaches involve a targeted user device

78% of exploit kits utilize vulnerabilities less than 2 years old

91% increase in targeted attacks in 2013

Page 3

Understanding the Attack Kill-chain

Prevent attacks by stopping one step in the kill-chain

§  BREACH PERIMETER: initial compromise

§  DELIVER MALWARE: deliver malware and communicate with attacker

§  ENDPOINT OPERATIONS: move laterally and infect additional hosts

§  ENTER THE DATA CENTER: laterally hop into the data center for initial infection there

§  REACH THE TARGET: lateral data center motion for a foothold on the target VM

§  STEAL DATA: steal intellectual property

Page 4

Platform approach

Next-Generation Firewall

§  Inspects all traffic

§  Blocks known threats

§  Sends unknown to cloud

§  Extensible to mobile & virtual networks

Page 5

Application Prevention vs. Safe Enablement

Application Prevention: legacy security approaches force organizations to either completely block or unsafely allow modern applications (Block All / Allow All).

Application Enablement: the Palo Alto Networks platform safely enables applications, ensuring full business benefits while minimizing the security risks. Between Block All and Allow All it offers:

§  Allow & scan for threats

§  Allow & limit access time

§  Allow only certain functions

§  Allow for specific users

§  Allow & scan for confidential data

§  Allow & shape (QoS)

Page 6

Platform approach

Next-Generation Threat Cloud

§  Gathers potential threats from network and endpoints

§  Analyzes and correlates threat intelligence

§  Disseminates threat intelligence to network and endpoints

Page 7

Next-generation threat cloud

WildFire™ / WF-500

Intelligence produced: anti-malware signatures, DNS intelligence, malware URL database, anti-C2 signatures

Sample sources: soak sites, sinkholes, 3rd party sources, WildFire users

§  Highly scalable cloud-based approach to analyzing unknowns from many sources

§  Leverages highly customized and tuned virtual “sandboxes” to analyze files

§  Constantly evolving analytics engine to detect the latest threats

§  Significantly expanded to include PDF, Office, Java, and Android APK files

Page 8

Scaling the threat cloud

§  On a typical day, WildFire receives over 280,000 unique files

  •  11,600 every hour

  •  195 every minute

  •  3 every second

§  From those unknowns, about 30,000 are new malware

  •  >70% not detected by any of the leading AV software

§  On average, each file is processed in less than 6 minutes

§  Even as the number of files has quadrupled

[Chart: Unique Samples/Week, weekly from 11/19/13 to 3/25/14; y-axis 0 to 1,750,000]

On average, each NGFW is detecting 2.5 new unknown threats a day

Number of registered devices in last 30 days = 17,223

Page 9

Platform approach

Next-Generation Endpoint

§  Inspects all processes and files

§  Prevents both known & unknown exploits

§  Integrates with cloud to prevent known & unknown malware

Page 10

The failures of traditional approaches

Legacy endpoint protection asks: Known signature? NO. Known strings? NO. Previously seen behavior? NO.

Targeted, evasive, advanced attacks pass these checks either way:

§  EXE: malware direct execution

§  PDF: exploit vulnerability to run any code

Page 11

Introducing Traps: the right way to deal with advanced cyber threats

§  Prevent exploits, including zero-day exploits

§  Prevent malware, including advanced & unknown malware

§  Collect attempted-attack forensics for further analysis

§  Scalable & lightweight: must be user-friendly and cover the complete enterprise

§  Integrate with network and cloud security for data exchange and cross-organization protection

Page 12

Block the core techniques – not the individual attacks

Software vulnerability exploits: thousands of new vulnerabilities and exploits a year

Exploitation techniques: only 2-4 new exploit techniques a year

Malware: millions of new malware every year

Malware techniques: 10’s – 100’s of new malware sub-techniques every year

Page 13

Exploit prevention – how it works

§  Document is opened by user

§  Traps is seamlessly injected into processes (CPU <0.1%)

§  Process is protected as the exploit attempt is trapped

When an exploitation attempt is made, the exploit hits a “trap” and fails before any malicious activity is initiated. The attack is blocked before any successful malicious activity.

Traps triggers immediate actions:

§  Safe! Process is terminated

§  Forensic data is collected

§  User\admin is notified

§  Reported to ESM

Page 14

Malware prevention

§  Policy-based restrictions: limit surface area of attack, control source of file installation

§  WildFire inspection: prevent known malware with cloud-based integration

§  Malware techniques mitigation: prevent unknown malware with technique-based mitigation

Page 15

Malware prevention – how it works

§  User tries to open executable file

§  Policy-based restrictions applied

§  HASH checked against WildFire

§  File is allowed to execute

§  Malware technique prevention employed

§  Safe! Reported to ESM

Page 16

Ongoing attack-triggered forensics

Ongoing recording

-  Any file execution
   -  Time of execution
   -  File name
   -  File HASH
   -  User name
   -  Computer name
   -  IP address
   -  OS version
   -  File’s malicious history

-  Any interference with Traps service
   -  Traps process shutdown attempt
   -  Traps service shutdown attempt
   -  Related system logs

Exploit or malware hits a “trap” and triggers real-time collection

-  Attack-related forensics
   -  Time stamp
   -  Triggering file (non-executable)
   -  File source
   -  Involved URLs\URI
   -  Prevented exploitation technique
   -  IP address
   -  OS version
   -  Version of attempted vulnerable software
   -  All components loaded to memory under attacked process
   -  Full memory dump
   -  Indications of further memory corruption activity
   -  User name and computer name
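The malware-prevention flow (page 15) and the ongoing-recording fields (page 16) are easier to reason about as one decision pipeline: policy restriction first, then the hash lookup, then execution with technique mitigation still armed, and every attempt written to an ESM record. The simulation below is an added example written for this page; it is not Palo Alto Networks code and does not reproduce the Traps agent. The sample executables, the blocked-source policy, the local verdict table that stands in for a WildFire hash lookup, and all host details are constructed for the example.

```python
"""Simulation of the Traps malware-prevention flow and the ongoing-recording
fields described on pages 15 and 16. Added example, not Palo Alto Networks
code. Policy rules, sample files and the local verdict table standing in for
a WildFire lookup are all constructed."""
import hashlib
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Constructed sample executables (byte strings, not real PE files).
SAMPLE_FILES = {
    "invoice.exe": b"MZ constructed benign sample",
    "dropper.exe": b"MZ constructed malicious sample",
    "newtool.exe": b"MZ constructed never-seen sample",
}


def sha256_hex(data: bytes) -> str:
    """File hash used as the lookup key for the WildFire check."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for WildFire verdicts, keyed by SHA-256. The real
# lookup goes to the cloud; a local dict keeps this example offline.
WILDFIRE_VERDICTS = {
    sha256_hex(SAMPLE_FILES["invoice.exe"]): "benign",
    sha256_hex(SAMPLE_FILES["dropper.exe"]): "malware",
}

# Constructed policy restriction: file sources from which execution is never
# allowed, whatever the hash says (the "limit surface area" stage).
BLOCKED_SOURCES = {"removable_media", "temp_folder"}


@dataclass
class ExecutionRecord:
    """Fields the deck lists under 'ongoing recording' for any file execution."""
    time_of_execution: str
    file_name: str
    file_hash: str
    file_source: str
    user_name: str
    computer_name: str
    ip_address: str
    os_version: str
    malicious_history: str  # verdict already known for this hash, or "unknown"


@dataclass
class EsmReport:
    """What the endpoint would send to the ESM for one execution attempt."""
    record: ExecutionRecord
    stage: str      # stage that decided: "policy", "wildfire" or "execute"
    decision: str   # "blocked" or "allowed"
    reason: str


def evaluate_execution(file_name: str, data: bytes, source: str,
                       user_name: str = "jdoe", computer_name: str = "WS-01",
                       ip_address: str = "10.0.0.5", os_version: str = "Windows 7",
                       verdicts: dict = WILDFIRE_VERDICTS) -> EsmReport:
    """Run the three stages in the order the deck shows them."""
    file_hash = sha256_hex(data)
    record = ExecutionRecord(
        time_of_execution=datetime.now(timezone.utc).isoformat(),
        file_name=file_name, file_hash=file_hash, file_source=source,
        user_name=user_name, computer_name=computer_name,
        ip_address=ip_address, os_version=os_version,
        malicious_history=verdicts.get(file_hash, "unknown"),
    )
    # Stage 1: policy-based restrictions, decided before any hash lookup, so
    # a known-benign file launched from a blocked source is still stopped.
    if source in BLOCKED_SOURCES:
        return EsmReport(record, "policy", "blocked",
                         f"execution from {source} is not permitted by policy")
    # Stage 2: hash checked against WildFire. Known malware never runs.
    if record.malicious_history == "malware":
        return EsmReport(record, "wildfire", "blocked", "known malware hash")
    # Stage 3: the file is allowed to execute. An unknown hash is not a block
    # reason here; the deck relies on technique-based mitigation for it.
    if record.malicious_history == "benign":
        return EsmReport(record, "execute", "allowed", "known benign hash")
    return EsmReport(record, "execute", "allowed",
                     "unknown hash; technique-based mitigation stays armed")


def esm_log_line(report: EsmReport) -> dict:
    """Flatten a report into the key/value shape a syslog forwarder would emit."""
    line = asdict(report.record)
    line.update(stage=report.stage, decision=report.decision, reason=report.reason)
    return line


if __name__ == "__main__":
    for name, source in [("invoice.exe", "program_files"),
                         ("dropper.exe", "downloads"),
                         ("newtool.exe", "downloads"),
                         ("invoice.exe", "removable_media")]:
        rep = evaluate_execution(name, SAMPLE_FILES[name], source)
        print(f"{name:12} from {source:15} -> {rep.decision:7} at {rep.stage}: {rep.reason}")
```

The point worth noticing is the third branch: an executable whose hash WildFire has never seen is not blocked by the hash check, so the record's `malicious_history` stays `unknown` and the only remaining control is the technique-based mitigation. When reviewing ESM logs, filtering on `decision=allowed` together with `malicious_history=unknown` isolates exactly the executions where that last layer was the one doing the work.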

Page 17

Endpoint Security Manager (ESM)

3-tier management structure

•  ESM platform

•  Database (designated, or integration with existing)

•  Connection server (each supports ~10,000 endpoints; scales horizontally)

All-in-one management center

•  Configuration management

•  Logging and DB query

•  Admin dashboard and security overview

•  Forensics captures

•  Integration configuration

[Diagram: ESM with syslog output and SCCM; database; three connection servers; endpoints: PCs, servers, VMs, VDI, Citrix session, thin client, embedded]

Page 18

Coverage and system requirements

Supported operating systems

Workstations

•  Windows XP SP3

•  Windows 7

•  Windows 8.1

Servers

•  Windows Server 2003

•  Windows Server 2008 (+R2)

•  Windows Server 2012 (+R2)

Footprint

•  25 MB

•  0.1% CPU

•  Very low I\O

Page 19

Benefits

Business

§ Prevent breaches, not just detect

§ Increases business continuity

§ Lowers TCO

Operations

§ Save time and money on Forensics and remediation

§ Easy to manage, does not require frequent updates

§ Zero-day coverage

IT

§ Install patches on your own schedule

§ Compatible with existing solutions

§ Minimal performance impact

Intelligence

§ Access to threat intel through WildFire integration

§ Attack-triggered forensics collection


Page 21

Why advanced endpoint protection

Traditional detection (“Detection & Remediation”)

•  Requires prior knowledge

•  Scanning vs activity-focused

•  Can be reverse engineered

•  The sensor is the vulnerability

•  Malicious activity can disable detection

•  Remediation takes a great effort

•  Too much noise – detection is ignored

Network-layer security

•  Can’t see all content

•  No visibility to endpoint infections

•  Hard to block malicious activity on legit protocols

Cloud-based emulation

•  Can’t simulate all environments

•  Threat emulation can be identified by the malware

•  Can’t enforce actions on the endpoint