Copyright © 2014, Palo Alto Networks
Traps – Advanced Endpoint Protection
Jakub Jiricek, CISSP, CNSE
Systems Engineer, Eastern Europe
Harsh Reality
Targeted attacks can only be solved on the endpoint
Attackers are more sophisticated and well funded
Launching Zero-Day attacks is more accessible and common
71% of breaches involve a targeted user device
78% of exploit kits utilize vulnerabilities less than 2 years old
91% increase in targeted attacks in 2013
Understanding the Attack Kill-chain
Prevent attacks by stopping one step in the kill-chain
• BREACH PERIMETER – Initial compromise
• DELIVER MALWARE – Deliver malware and communicate with attacker
• ENDPOINT OPERATIONS – Move laterally and infect additional hosts
• ENTER THE DATA CENTER – Laterally hop into the data center for initial infection there
• REACH THE TARGET – Lateral data center motion for a foothold on the target VM
• STEAL DATA – Steal intellectual property
Platform approach
Next-Generation Firewall
§ Inspects all traffic
§ Blocks known threats
§ Sends unknown to cloud
§ Extensible to mobile & virtual networks
Application Prevention vs. Safe Enablement
Application Prevention
Legacy security approaches force organizations to either completely
block or unsafely allow modern applications.
Application Enablement
The Palo Alto Networks platform safely enables applications, ensuring full
business benefits while minimizing the security risks.
Spectrum from Block All to Allow All:
• Allow & scan for threats
• Allow & limit access time
• Allow only certain functions
• Allow for specific users
• Allow & scan for confidential data
• Allow & shape (QoS)
Platform approach
Next-Generation Threat Cloud
§ Gathers potential threats from network and endpoints
§ Analyzes and correlates threat intelligence
§ Disseminates threat intelligence to network and endpoints
Next-generation threat cloud
[Diagram: WildFire™ / WF-500; outputs: anti-malware signatures, DNS intelligence, malware URL database, anti-C2 signatures; inputs: soak sites, sinkholes, 3rd-party sources, WildFire users]
§ Highly scalable cloud-based approach to analyzing unknowns from many sources
§ Leverages highly customized and tuned virtual “sandboxes” to analyze files
§ Constantly evolving analytics engine to detect the latest threats
§ Significantly expanded to include PDF, Office, Java, and Android APK files
Scaling the threat cloud
§ On a typical day, WildFire receives over 280,000 unique files
• 11,600 every hour
• 195 every minute
• 3 every second
§ From those unknowns, about 30,000 are new malware
• >70% not detected by any of the leading AV software
§ On average, each file is processed in less than 6 minutes
§ Even as the number of files has quadrupled
[Chart: Unique Samples/Week, weekly from 11/19/13 to 3/25/14; y-axis 0 to 1,750,000]
On average, each NGFW is detecting 2.5 new unknown threats a day
Number of registered devices in last 30 days = 17,223
Platform approach
Next-Generation Endpoint
§ Inspects all processes and files
§ Prevents both known & unknown exploits
§ Integrates with cloud to prevent known & unknown malware
The failures of traditional approaches
Legacy Endpoint Protection checks:
• Known signature? NO
• Known strings? NO
• Previously seen behavior? NO
EXE: Malware direct execution
PDF: Exploit vulnerability to run any code
Targeted, Evasive, Advanced
Introducing Traps – The right way to deal with advanced cyber threats
• Prevent Exploits – Including zero-day exploits
• Prevent Malware – Including advanced & unknown malware
• Collect Attempted-Attack Forensics – For further analysis
• Scalable & Lightweight – Must be user-friendly and cover the complete enterprise
• Integrate with Network and Cloud Security – For data exchange and cross-organization protection
Block the core techniques – not the individual attacks
Software Vulnerability Exploits: Thousands of new vulnerabilities and exploits a year
Exploitation Techniques: Only 2-4 new exploit techniques a year
Malware: Millions of new malware every year
Malware Techniques: 10’s – 100’s of new malware sub-techniques every year
Exploit prevention – how it works
• Document is opened by user
• Traps seamlessly injected into processes (CPU <0.1%)
• Process is protected as exploit attempt is trapped
When an exploitation attempt is made, the exploit hits a “trap” and fails before any malicious activity is initiated.
Attack is blocked before any successful malicious activity
Traps triggers immediate actions:
• Safe! Process is terminated
• Forensic data is collected
• User\admin is notified
• Reported to ESM
Malware prevention
Policy-Based Restrictions – Limit surface area of attack, control source of file installation
WildFire Inspection – Prevent known malware with cloud-based integration
Malware Techniques Mitigation – Prevent unknown malware with technique-based mitigation
Malware prevention – how it works
• User tries to open executable file
• Policy-based Restrictions Applied
• HASH checked against WildFire
• File is allowed to execute
• Malware technique prevention employed
• Safe! Reported to ESM
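The layered decision on this slide (source restriction first, then a hash verdict, then letting unknown files run with technique mitigation armed) is easy to reason about as a small policy pipeline. The following is an added, hypothetical model written for this page; it is not Traps, ESM or WildFire code. The allowed folders, the in-memory verdict table that stands in for the WildFire hash lookup, and every sample file are constructed for the example, and the ESM report is just a dictionary carrying the fields the forensics slide lists.

```python
"""Toy model of a layered execution decision: policy restriction,
hash verdict lookup, and a fall-through for unknown files.

Hypothetical example code written for this page; not product code.
"""
import hashlib
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Policy-based restriction: executables may only run from these roots.
# Constructed policy for the example; a real policy is defined centrally.
ALLOWED_ROOTS = (
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Windows"),
)

# Stand-in for the cloud verdict service: sha256 hex -> "benign" | "malware".
# Entries are computed from constructed byte strings, not real samples.
VERDICTS: dict[str, str] = {}


@dataclass(frozen=True)
class Decision:
    action: str   # "block" or "allow"
    stage: str    # which layer made the decision
    reason: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def policy_allows(path: str) -> bool:
    """Restriction layer: is the file under one of the allowed roots?"""
    p = PureWindowsPath(path)
    return any(root == p or root in p.parents for root in ALLOWED_ROOTS)


def evaluate_execution(path: str, content: bytes) -> Decision:
    """Walk the three layers in the order the slide shows."""
    # 1. Policy-based restrictions: where did the file come from?
    if not policy_allows(path):
        parent = PureWindowsPath(path).parent
        return Decision("block", "policy", f"execution from {parent} not permitted")

    # 2. Hash checked against the verdict service (known good / known bad).
    digest = sha256_hex(content)
    verdict = VERDICTS.get(digest, "unknown")
    if verdict == "malware":
        return Decision("block", "hash-lookup", f"known malware sha256={digest[:12]}...")
    if verdict == "benign":
        return Decision("allow", "hash-lookup", "known benign")

    # 3. Unknown file: allowed to execute, runtime technique mitigation stays armed.
    return Decision("allow", "technique-mitigation",
                    "unknown file; malware technique prevention active at runtime")


def esm_report(path: str, content: bytes, user: str, host: str) -> dict:
    """Constructed report record with the ongoing-recording fields from the forensics slide."""
    d = evaluate_execution(path, content)
    return {
        "file_name": PureWindowsPath(path).name,
        "file_hash": sha256_hex(content),
        "user_name": user,
        "computer_name": host,
        "action": d.action,
        "decided_by": d.stage,
        "reason": d.reason,
    }


# Constructed sample set (the bytes are placeholders, not real binaries).
BENIGN = b"MZ constructed benign sample"
KNOWN_BAD = b"MZ constructed known-bad sample"
NEVER_SEEN = b"MZ constructed never-seen sample"
VERDICTS[sha256_hex(BENIGN)] = "benign"
VERDICTS[sha256_hex(KNOWN_BAD)] = "malware"

SAMPLE_RUNS = [
    (r"C:\Program Files\Vendor\tool.exe", BENIGN),
    (r"C:\Program Files\Vendor\dropper.exe", KNOWN_BAD),
    (r"C:\Program Files\Vendor\new.exe", NEVER_SEEN),
    (r"C:\Users\alice\Downloads\setup.exe", BENIGN),
]


def run_demo() -> list[Decision]:
    return [evaluate_execution(p, c) for p, c in SAMPLE_RUNS]


if __name__ == "__main__":
    for (p, _), d in zip(SAMPLE_RUNS, run_demo()):
        print(f"{d.action:5} [{d.stage}] {p}: {d.reason}")
```

Note that the Downloads sample is blocked by the restriction layer even though its hash is known benign: the source check runs first, which is exactly why the slide places policy-based restrictions ahead of the hash lookup.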
Ongoing attack-triggered forensics
Ongoing recording:
- Any file execution
- Time of execution
- File name
- File HASH
- User name
- Computer name
- IP address
- OS version
- File’s malicious history
- Any interference with Traps service
- Traps Process shutdown attempt
- Traps Service shutdown attempt
- Related system logs
Exploit or malware hits a “trap” and triggers real-time collection:
- Attack-related forensics
- Time stamp
- Triggering file (non-executable)
- File source
- Involved URLs\URIs
- Prevented exploitation technique
- IP address
- OS version
- Version of attacked vulnerable software
- All components loaded to memory under the attacked process
- Full memory dump
- Indications of further memory corruption activity
- User name and computer name
Endpoint Security Manager (ESM)
3-tier management structure
• ESM platform
• Database – designated or integration with existing
• Connection server
(each supports ~10,000 endpoints, scales horizontally)
All-in-one management center
• Configuration management
• Logging and DB query
• Admin dashboard and security overview
• Forensics captures
• Integration configuration
[Diagram: ESM with Syslog and SCCM integration; multiple connection servers serving PCs, servers, VMs, VDI, Citrix sessions, thin clients, embedded devices]
Coverage and system requirements
Supported operating systems
Workstations
• Windows XP SP3
• Windows 7
• Windows 8.1
Servers
• Windows Server 2003
• Windows Server 2008 (+R2)
• Windows Server 2012 (+R2)
Footprint
• 25 MB
• 0.1% CPU
• Very low I\O
Benefits
Business
§ Prevent breaches, not just detect
§ Increases business continuity
§ Lowers TCO
Operations
§ Save time and money on Forensics and remediation
§ Easy to manage, does not require frequent updates
§ Zero-day coverage
IT
§ Install patches on your own schedule
§ Compatible with existing solutions
§ Minimal performance impact
Intelligence
§ Access to threat intel through WildFire integration
§ Attack-triggered forensics collection
Why advanced endpoint protection
Traditional Detection – “Detection & Remediation”
• Requires prior knowledge
• Scanning vs activity-focused
• Can be reverse engineered
• The sensor is the vulnerability
• Malicious activity can disable detection
• Remediation takes a great effort
• Too much noise – detection is ignored
Network-layer security
• Can’t see all content
• No visibility to endpoint infections
• Hard to block malicious activity on legit protocols
Cloud-based emulation
• Can’t simulate all environments
• Threat emulation can be identified by the malware
• Can’t enforce actions on the endpoint