Application Visibility and Risk
Report for Ekamai International School
  • Personal applications are being installed and used on the network - End-users are installing and using a variety of non-work related applications that can elevate business and security risks.
    Applications that can be used to conceal activity were found - IT savvy employees are using applications that can conceal their activity. Examples of these types of applications include external proxies, remote desktop access and non-VPN related encrypted tunnels. Visibility into who is using these applications, and for what purpose, should be investigated.
    Applications that can lead to data loss were detected - File transfer applications (peer-to-peer and/or browser-based) are in use, exposing QLifeStyle to significant security, data loss, compliance and possible copyright infringement risks.
    Applications used for personal communications were found - Employees are using a variety of applications that enable personal communications. Examples include instant messaging, webmail, and VoIP/video conferencing. These types of applications can introduce productivity loss, compliance and business continuity risks.
    Bandwidth hogging, time consuming applications are in use - Media and social networking applications were found. Both of these types of applications are known to consume corporate bandwidth and employee time.
  • <instructions>Pull graph from report.
    Productivity: Risk to productivity stems from misuse. This can take two forms:
    · Employees are using non-work-related applications instead of doing their job (e.g. Myspace, Facebook, personal email, blogging)
    · Non-work applications consume so much bandwidth that legitimate applications function poorly (e.g., YouTube, streaming/HTTP audio)
    Compliance: Most organizations must comply with an array of government and business regulations – in the US, this includes GLBA, HIPAA, FD, SOX, FISMA, and PCI. Most of these focus on safeguarding an organization’s operational, financial, customer, or employee data. Certain applications represent significant threats to that information – either themselves or with the threats that target them (e.g., BitTorrent and MySpace, respectively). Any application that can transfer files (webmail, Skype, IM) can represent significant compliance issues.
    Operational Costs: Risks to operational costs come in two flavors – one, having applications and infrastructure that are used inappropriately to such an extent that more must be bought (e.g., WAN circuits upgraded due to streaming video) to ensure that business processes work, and two, incidents and exploits resulting in IT expense (e.g., rebuilding servers or networks following a security incident involving an exploit or virus).
    Business Continuity: Business continuity risks refer to applications (or the threats they carry) that can bring down or otherwise make unavailable critical components of certain business processes. Examples include email, transaction processing applications, or public-facing applications harmed by threats or effectively denied service via excessive consumption of resources by non-business applications.
    Data Loss: The risk of data loss is the traditional information security set of risks – those associated with the theft, leakage, or destruction of data. Examples include many public thefts of customer data, theft or inadvertent leak of intellectual property, or destruction of data due to a security threat/breach. A variety of threats play a role, including exploits borne by applications (e.g., Facebook, Kazaa, IM, webmail), and non-business-related applications running on enterprise resources (e.g., BitTorrent, IM).
  • <instructions>Change X% based on report.
  • <instructions>Cut and paste from report (key observations on the high risk applications). Highlight all numbers in red.
  • <instructions>Cut and paste from report (high risk applications) – e.g. proxy, remote-access. Highlight applications that conceal activity, and explain what harm those applications can do.
  • <instructions>Highlight one or some applications. 1. Explain the application. 2. Show the IP (source / destination) and users. 3. Show which country it’s from.
  • <instructions>Cut and paste from report (high risk applications) – e.g. file-sharing. Highlight applications that do file transfers / data loss / copyright infringement, and explain what harm those applications can do.
  • <instructions>Highlight one or some applications. 1. Explain the application. 2. Show the IP and users. 3. Show which country it’s from.
  • <instructions>Cut and paste from report (high risk applications) – e.g. collaboration. Highlight applications that do personal communication, and explain what harm those applications can do.
  • <instructions>Go to the logs and filter based on email application. Extract logs with file names, user information and application.
  • <instructions>Cut and paste from report (high risk applications) – e.g. media. Highlight applications that do bandwidth hogging, and explain what harm those applications can do.
  • <instructions>1. Explain the application. 2. Show the IP and users. 3. Show which country it’s from.
  • <instructions>1. Explain the application. 2. Show the IP and users. 3. Show which country it’s from.
  • <instructions>Cut and paste from top 35 applications. Highlight applications that consume a lot of bandwidth and lead to productivity loss.
  • <instructions>Cut and paste from top 35 applications. The top 25 applications (based on bandwidth consumed) that use HTTP in some way, shape or form are shown below. Many business applications use HTTP as a means to speed deployment and simplify access, while non-business applications may use it to bypass security. Knowing exactly which applications use HTTP is a critical data point when assembling an application enablement policy.
  • <instructions>Cut and paste from top URL categories. Highlight the categories that the customer should not be seeing in his network – e.g. porn, streaming media.
  • <instructions>1. Explain the application. 2. Show the IP and users. 3. Show which country it’s from.
  • <instructions>Cut and paste from threats. Look out for critical threats and explain to the customer what harm critical threats can do to the network. Make sure it’s not a false positive.
  • <instructions>Research the threat that you are highlighting to explain the vulnerability that is critical to the customer. Make sure it’s not a false positive.
  • <instructions>Cut and paste from ACC screen. Highlight threats, attackers and users.
  • <instructions>Research the threat that you are highlighting to explain the vulnerability that is critical to the customer. Make sure it’s not a false positive.
  • <instructions>Cut and paste from ACC screen. Highlight threats, attackers and users.
  • <instructions>Copy from AVR report “Sample Malware detected by WildFire”. APT – Advanced Persistent Threat.
  • <instructions>Copy from AVR report “Sample Malware detected by WildFire”. APT – Advanced Persistent Threat.
  • <instructions>Copy from WildFire logs and view the WildFire report. Explain the significance of the zero day attack. APT – Advanced Persistent Threat.
  • <instructions>Copy from WildFire logs and view the WildFire report. Explain the significance of the zero day attack.
  • <instructions>Copy from WildFire logs and view the WildFire report. Explain the significance of the zero day attack.
  • <instructions>Copy from WildFire logs and view the WildFire report. Explain the significance of the zero day attack.
  • <instructions>Generate summary report from the GUI: Monitor tab -> Reports -> Predefined reports (select the day that is most active). This demonstrates the kind of management summary reports we can generate.
  • <instructions>Modify accordingly.

    1. Application Visibility and Risk Report for Ekamai International School
    2. INSTRUCTIONS TO SEs (Please delete)
       - Factory Reset box and upgrade to latest version of PAN-OS before starting AVR
       - Turn on all Threat Prevention / URL Filtering / Data Filtering / WildFire
       - Make sure tapped zone has interesting data – User Zones
       - Make sure there’s data in all logs / ACC before leaving customer site
       - Run no more than 3-5 days of data collection
       - Download Raw Logs from Monitor tab for further analysis
       - Fix presentation date to key stakeholders the week following the AVR data collection
       2 | ©2012, Palo Alto Networks. Confidential and Proprietary.
    3. Agenda
       - How was the AVR captured?
       - Summary applications found
       - Business Risks Introduced by High Risk Application Traffic
       - Top Applications (Bandwidth)
       - Applications that use HTTP (Port 80)
       - Top URL Categories
       - Top Threats
       - Recommendations
    4. How was the AVR captured?
       - Port Mirror
       - Non-Intrusive
       - Data Gathering 3-5 days
       - Report Generation
       - Report contains no IP information, purely statistical data collection
    5. How was the AVR captured?
    6. Summary Of Applications Found
       - Personal applications are being installed and used
         - Elevates business and security risks
       - Applications that can be used to conceal activity
         - Hides activity that can be malicious (intended or unintended)
       - Applications that can lead to data loss
         - Security risks, data loss, compliance and copyright infringements
       - Applications for personal communications
         - Productivity loss, compliance and business continuity loss
       - Bandwidth hogging, time consuming applications
         - Consumes corporate bandwidth and employee time
    7. Business Risks Introduced by High Risk Application Traffic
    8. Business Risks Introduced by High Risk Application Traffic
       - Data Loss (24%) - application file transfer can lead to data leakage
       - Compliance (24%) - ability to evade detection or tunnel other applications can lead to compliance risks
       - Operational Cost (12%) - high bandwidth consumption equates to increased costs
       - Productivity (18%) - social networking and media apps can lead to low productivity
       - Business Continuity (23%) - applications that are prone to malware or vulnerabilities can introduce business continuity risks
       “Identifying the risks an application poses is the first step towards effectively managing the related business risks.”
    9. High Risk Application Traffic – Key Observations
       Key observations on the 85 high risk applications:
       - Activity Concealment: Proxy (1) and remote access (3) applications were found. In addition, non-VPN related encrypted tunnel applications were detected. IT savvy employees are using these applications with increasing frequency to conceal activity and in so doing, can expose EIS to compliance and data loss risks.
       - File transfer/data loss/copyright infringement: P2P applications (12) and browser-based file sharing applications (6) were found. These applications expose EIS to data loss, possible copyright infringement, compliance risks and can act as a threat vector.
       - Personal communications: A variety of applications that are commonly used for personal communications were found including instant messaging (8), webmail (6), and VoIP/video conferencing (3). These types of applications expose EIS to possible productivity loss, compliance and business continuity risks.
       - Bandwidth hogging: Applications that are known to consume excessive bandwidth including photo/video (14), audio (1) and social networking (11) were detected. These types of applications represent an employee productivity drain, can consume excessive amounts of bandwidth and can act as potential threat vectors.
    10. Activity Concealment – Compliance, Data Loss Risks
    11. ACC – Concealment (Example: tor)
    12. File Transfer / Data Loss / Copyright Infringement - Data Loss, Copyright Infringement, Compliance Risks
    13. ACC – Concealment (Example: bittorrent)
    14. Personal Communications – Productivity Loss, Compliance, Business Continuity Risks
    15. Personal Communications – (Example: Gmail)
    16. Bandwidth Hogging – Productivity Loss Risks
    17. Bandwidth Hogging – (Example: rtmp)
    18. Bandwidth Hogging – (Example: youtube-base)
    19. Top 35 Applications (Bandwidth Consumption)
    20. Applications that use HTTP
    21. Top URL Categories
    22. URL Sites (Example: Social Networking)
    23. Top Application Vulnerabilities
    24. Vulnerability (SMB: User password Brute-Force Attempt)
    25. Vulnerability (SMB: User password Brute-Force Attempt)
    26. Spyware and Virus discovered
    27. Spyware and Virus (Conficker)
    28. Spyware and Virus (Conficker)
    29. APT / Zero Day Malware Detected by WildFire
    30. APT / Zero Day Malware Detected by WildFire
    31. WildFire Malware Analysis
    32. WildFire Malware Analysis
    33. WildFire Malware Analysis
    34. WildFire Malware Analysis
    35. WildFire Malware Analysis
    36. Recommendations
       - Implement safe application enablement policies
       - Address high risk areas such as P2P and browser-based file sharing
       - Implement policies dictating use of activity concealment applications
       - Regain control over streaming media applications
       - Seek Application Visibility and Control
    37. Thank You