IDENTITY IS THE FIRST STEP TO TRUE NETWORK SECURITY

Editor's Notes

• #2: Slide 1: Significant changes in Identity world. Shift from IAM to IRM
• #5: Translate the business policy into a security policy SAP for the finance users = SAP for the finance users How does it work? Classifying all applications, across all ports, all the time with App-ID. Palo Alto Networks next-generation firewalls are built upon App-ID, a traffic classification technology that identifies the applications traversing the network, regardless of port, encryption (SSL or SSH) or evasive technique employed. The knowledge of exactly which applications are traversing the network, not just the port and protocol, then becomes the basis for all security policy decisions. Unidentified applications, typically a small percentage of traffic yet high in potential risk, are automatically categorized for systematic management, which can include policy control and inspection, threat forensics, creation of a custom App-ID, or submission of a packet capture App-ID for development. Tying users and devices, not just IP addresses to applications with User-ID and GlobalProtect. The application identity is tied to the user through User-ID, allowing organizations to deploy enablement policies that are not based solely on the IP address. These policies can then be extended to any device at any location with GlobalProtect. User-ID integrates with a wide range of enterprise user repositories to provide the identity of the Microsoft Windows, Mac OS X, Linux, Android, or iOS users accessing the application. GlobalProtect ensures that the remote user is protected consistently, in the same manner as they would be if they were operating on the local network. The combined visibility and control over a users' application activity means organizations can safely enable the use of Oracle, SharePoint, or Exchange, or any other application being accessed from the datacenter, no matter where or how the user is accessing the datacenter. Protecting against all threats, both known and unknown, with Content-ID and WildFire. To protect against a blend of known exploits, malware and spyware as well as completely unknown and targeted threats, organizations can first reduce the threat footprint through an explicit deny policy for unwanted applications. Content-ID can then be used to protect the applications and associated features by blocking known vulnerability exploits, viruses, and spyware in the allowed traffic. Content-ID addresses common threat evasion tactics by executing the prevention policy using the application and protocol context generated by the decoders in App-ID. Custom or unknown malware that is not controlled through traditional signatures is addressed through WildFire, which executes unknown files and monitors for more than 100 malicious behaviors in a virtualized sandbox environment. If malware is found, a signature is automatically developed and delivered to the user community. Safe application enablement policies can help organizations improve their security posture, regardless of the deployment location. In the datacenter, application enablement translates to confirming the applications, users, and content are allowed and protected from threats – while simultaneously finding rogue, misconfigured applications - all at multi-Gbps speeds. In virtualized datacenter environments, organizations can apply consistent application enablement policies while addressing security challenges introduced by virtual machine movement and orchestration.
• #6: Most architectures today resemble what you see in this picture. A set of set of silo’d organizations, processes, and technical infrastructure that have largely been assembled like a manufacturing production line where a series of security events roll down a conveyor belt of individual point products, while different staff members perform their individual duties. Historically we’ve been able to get by. But as the attacks and the attackers evolve these architectures are beginning to show their weaknesses, and today we see how they’re costly both in their inability to prevent targeted attacks, and in their unnecessary cost to the organization. There are three specific issues we’ve pinpointed: Limited visibility: You can’t secure what you can’t see. Your security architecture must have the ability to see all applications, users and the individual devices on the network to prevent attacks that might utilize non-standard ports, protocols, or SSL encryption for evasion. Your security architecture must also have the ability to see and prevent new targeted attacks that are utilizing threats (malware, zero day vulnerability exploits) that have never been seen before. Eliminate all blind spots. Lacks correlation: If attacks are multi-dimensional so to must be your defenses. Your architecture must act like a system of systems where individual technologies work together in a coordinated manner to prevent attacks. Making each element within the system smarter. Manual response: With attacks evolving at a rapid pace it’s critical that we wean ourselves from the “man in the middle”. Your security architecture must employ a system of automation that’s constantly learning and applying new defenses without a requirement for any manual intervention. It must weed out the congestion, automatically handling low to medium level severity cases so you can focus your teams attention on only the highest priority incidents.
• #7: And that’s what we have built here at Palo Alto Networks. We believe that our next generation platform delivers on this promise, and with this platform, we think and hope that prevention becomes the byword for the battle and it is technically possible and can be continuously improved over time. It is fundamentally built on three leading technologies: The industries leading next-generation firewall, which was just recognized again as a leader in the Gartner Magic Quadrant. Inspects all traffic Safely enables applications Sends unknown threats to cloud Blocks network based threats The most advanced next-generation threat cloud [WildFire, Threat Prevention, URL Filtering] Gathers potential threats from network and endpoints Analyses and correlates threat intelligence Disseminates threat intelligence to network and endpoints The market’s most compelling next-generation endpoint protection Inspects all processes and files Prevents both known and unknown exploits Protects fixed, virtual, and mobile endpoints Lightweight client and cloud based And the result of that is better security at a lower cost for the good guys and less effective attacks at ever increasing costs for the bad guys. Through this security platform we can deliver complete and integrated protection across the kill-chain…
• #8: Slide 7: OpenAM Took open source code from Sun Open SSO Built out at ForgeRock with former sun folks like developers, engineers, Sun's director of engineering, the OpenAM product engineer etc. Built thru R&D and open community – so it’s built the way customers want it Traditional access management solutions authentication and authorization product, federation product web services security product adaptive auth product entitlements product – all would need to be incorporated. A lot of headaches and integration. They all have diff processes for their UIs, APIs, ways of connecting, documentation differences, etc. accidental acquisition architecture. One system to manage all your resources Traditional access management you can do. Federate to the cloud or apps outside the perimeter, you can do that, protect web services we also do thru the product, same with adaptive auth and fine grained auth and one time password and so on. Gives you a model where you adopt what you need and you add on additional things. Enabling an app outside the perimeter and need one time password, you just enable it, you don’t have to deploy additional soft and hardware and maintain and upgrade diff things AM is optimized for enterprise SaaS social and mobile deployments Support Oauth2 and rest making it very easy to connect to iOS and android and other mobile platforms. Architecture built for 100s of millions of users Social sign on and one time mobile password built into this as well. You buy the modules that you want and you just add them thru the license instead of having to deploy all these diff things as you want to move on to diff services  
• #17: Let’s get into the details of how the Target data breach happened, which is a great archetype for the type of multi-staged and complex attack APTs typically use: First the attacker did sophisticated Recon activity, understand all the third-party contractors who worked with Target, and may have been a potential pivot point into their network. They scoured public records, corporate websites, social media, and could have gone so far as calling in and pretending to be a representative of one of the companies to get further information. There is a wealth of freely available information online if you just look for it. They then identified their “target” – a third-party HVAC contractor who had an ongoing relationship with Target. They breached this contractor with a Spearphishing email and gained access to their network, and all the information they had on their clients – including credentials to Target’s systems. The attackers used this stolen credential information to log into a third-party payment system within Target’s network, which gave them an initial foothold to begin their persistent movement throughout the network. With this foothold, they are able to take that lateral movement and install the “BlackPOS” malware on POS systems. The malware was able to read customer credit card data, which it was held in memory on the POS systems, before it was encrypted. At the same time the attackers also took control of an internal server that acted as a repository for all the stolen customer information, being fed from each compromised POS system All this time, the malware and compromised systems were reaching out and communicating with the attackers with sophisticated command-and-control traffic to receive additional instruction. Once enough data had been collected on the internet server, it was exfiltrated out using FTP to those same CnC servers all around the world. With this in mind a few key pieces of information bubble to the surface: The attack was complex, and multi-threaded. Attackers always think of new ways to get in – and this requires the ability to do prevention at all key points in the network, and look at all the traffic as it comes in or goes out. Third-party tools and applications, such as the payment processing software, were used by the attackers to gain access to the Target network. Think about what could have happened if they have enabled only the applications their business needed, with specific users or “security zones” only able to use them. Segmentation of critical resources is critical, such as segmenting the “POS zone” so only finance employees, using approved applications could traverse it Common protocols, over standard ports were used, such as FTP, SSL and Netbios – which can make the attack hard to spot when it is blending into normal traffic
• #18: What’s the ideal solution? End-to-end security platform with all key security funcitons natively integrated.