SCOTT STEVENS, VP, Technology, WW Systems, Engineering, Palo Alto Networks and ALLAN FOSTER
VP, Technology & Standards, Office of the CTO, ForgeRock, at the European IRM Summit 2014.
IDENTITY IS THE FIRST STEP TO TRUE NETWORK SECURITY
1. ForgeRock
Using Network Security and Identity Management to
Empower CISOs Today
The Case For A Comprehensive Enterprise Security Policy
2. The Stolen Data Epidemic
Target Replaces CEO Steinhafel Following Massive Holiday Breach
- Wall Street Journal
Heartbleed Bug Exposes Millions of Web Sites To Security Risks
- NBC News April 8, 2014
18 million email addresses and passwords stolen in Germany
- ZDNet April 7, 2014
360m newly stolen passwords on the black market
- The London Free Press
Data breaches surge with 93,000 passwords stolen every hour
- Computer Business Review
Bitcoin miners unearth 30,000 college student SSNs
- Next Gov April 24, 2014
3. Traditional Firewalls Had Limitations
To be truly effective, you need to see all applications, all user identities and, most importantly, all threats. But traditional firewalls only gave you ports, protocols, and IP addresses – missing the malware threat completely.
[Diagram: kinds of traffic a port-based firewall cannot tell apart: Confidential Data, Command & Control Traffic, Regulated Data, Copyrighted Material, Exploits, Malware]
4. Palo Alto Networks Reinvented Network Security
It's no longer about ports and protocols; it's about user identity, applications, and how they communicate.
But without user identity and context, you cannot create a true comprehensive security policy for the end user.
5. FAILURE OF LEGACY SECURITY ARCHITECTURES
Limited visibility. Lacks correlation. Manual response.
[Diagram: an enterprise network behind its internet connection, defended by a chain of point products from four vendors: anti-APT for port 80 APTs, anti-APT for port 25 APTs, endpoint AV, network AV, UTM/blades, DNS protection for outbound DNS, plus a DNS protection cloud and an anti-APT cloud. Each product raises its own uncorrelated alerts (DNS alert, SMTP alert, web alert, AV alert, endpoint alert) and separately consumes malware intelligence.]
6. Next-Generation Security Platform
Palo Alto Networks Next-Generation Threat Cloud (WildFire):
• ~500,000 samples/day
• ~5% determined to be malware
• 1 new Android malware app every 20 minutes
• 48% of all unknown PE files are malware
[Diagram: three components exchanging threat intelligence]
Next-Generation Firewall: inspects all traffic; safely enables applications; sends unknown threats to the cloud; blocks network-based threats
Next-Generation Threat Cloud: gathers potential threats from network and endpoints; analyses and correlates threat intelligence; disseminates threat intelligence to network and endpoints
Next-Generation Endpoint: inspects all processes and files; prevents both known and unknown exploits; protects fixed, virtual, and mobile endpoints; lightweight client and cloud based
7. Next-Generation Identity Management
Highly Scalable, Modular, Easy To Deploy Architecture
"All-in-One" solution delivered as a single platform
Access to any application – Enterprise, SaaS, Social, Mobile
Flexible and extensible architecture
Social sign-on and one-time mobile password
Architected for consumer scale: +100M users
FORGEROCK.COM | CONFIDENTIAL
8. Combine Capabilities To Reinvent Security
Creating A Unified Enterprise-wide Security Platform
Next-gen Network Security & Identity
Functions Natively Integrated In One Solution
9. The Vision
Deliver the only unified identity security platform that can make hyper-intelligent decisions based on both network security and user identity context.
10. Key Benefits
■ Understand more about the user before granting them access to corporate resources
■ Create a feedback loop to take appropriate action on both ends:
– The network blocks traffic when suspicious identity activity occurs
– The identity platform blocks access when suspicious network activity occurs
■ Real-time, automated remediation of malicious activity
■ Organizations are much, much safer.
12. Security/Identity Feedback Loop
[Diagram: users reach the Data Center through the network security layer; legitimate traffic flows as defined by user rights]
13. Security/Identity Feedback Loop
[Diagram: malware or inappropriate traffic toward the Data Center is blocked and alarmed, and the identity behind the malicious traffic is fed back to the identity platform]
14. Security/Identity Feedback Loop
Change Identity Rights: restrict the user's traffic to all resources
■ Network violations modify identity rights
■ Feedback changes ID state and security state
15. Identity & Security
2 sides of the same coin
■ Identity assertion is the first step to contextual security
– Simplify IdM infrastructure
– Ensure the ID can be multifactor authenticated as needed
– Stay connected to security to manage ID changes
■ NG Security enforces policy based on application and on user identity
– A valid identity allows for appropriate security
– Changes in ID state can directly change security state
– Direct linkages between security and identity ensure that rules remain contextual
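The feedback loop sketched on slides 10 to 15, as an added example that is not code from either vendor's product. Both sides are hypothetical classes: the network side maps source IPs to users and quarantines by user rather than by address; the identity side owns sessions and risk state. A network verdict ("malware" or "suspicious") kills the user's sessions and either blocks the identity or demands a step-up login; an identity anomaly (the constructed "impossible-travel" reason) quarantines the user's traffic until a fresh MFA login clears it. User names, IPs and verdict strings are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class UserState:
    risk: str = "low"                 # low | elevated | blocked
    sessions: set = field(default_factory=set)
    step_up_required: bool = False    # next login must present a second factor


class NetworkEnforcer:
    """Network side (hypothetical): enforces by user, not just by IP address."""

    def __init__(self, ip_to_user):
        self.ip_to_user = dict(ip_to_user)   # constructed User-ID style mapping
        self.quarantined = {}                # user -> reason
        self.identity = None                 # wired up by IdentityPlatform

    def allow(self, src_ip, app):
        user = self.ip_to_user.get(src_ip)
        # simplified: any known, non-quarantined user passes; unknown sources do not
        return user is not None and user not in self.quarantined

    def quarantine_user(self, user, reason):
        self.quarantined[user] = reason

    def release_user(self, user):
        self.quarantined.pop(user, None)

    def on_threat(self, src_ip, verdict):
        """Threat seen on the wire: block the user's traffic and push the verdict to identity."""
        user = self.ip_to_user.get(src_ip)
        if user is None:
            return None
        self.quarantine_user(user, verdict)
        self.identity.on_network_verdict(user, verdict)
        return user


class IdentityPlatform:
    """Identity side (hypothetical): issues sessions and reacts to network verdicts."""

    def __init__(self, network):
        self.network = network
        network.identity = self
        self.users = {}

    def _state(self, user):
        return self.users.setdefault(user, UserState())

    def login(self, user, session_id, used_mfa=False):
        st = self._state(user)
        if st.risk == "blocked" or (st.step_up_required and not used_mfa):
            return False
        st.sessions.add(session_id)
        if used_mfa:                       # a fresh MFA login clears the elevated state on both sides
            st.step_up_required = False
            st.risk = "low"
            self.network.release_user(user)
        return True

    def authorize(self, user, session_id):
        st = self._state(user)
        return st.risk != "blocked" and session_id in st.sessions

    def on_network_verdict(self, user, verdict):
        """Network -> identity: a network violation modifies the user's identity rights."""
        st = self._state(user)
        st.sessions.clear()                # existing sessions die immediately
        if verdict == "malware":
            st.risk = "blocked"            # stays blocked until an analyst clears it
        else:
            st.risk = "elevated"
            st.step_up_required = True

    def on_identity_anomaly(self, user, reason):
        """Identity -> network: suspicious identity activity gets the user's traffic blocked."""
        st = self._state(user)
        st.sessions.clear()
        st.risk = "elevated"
        st.step_up_required = True
        self.network.quarantine_user(user, reason)


def run_scenario():
    """Two constructed incidents, one starting on each side of the loop."""
    net = NetworkEnforcer({"10.0.1.23": "alice", "10.0.1.50": "bob"})
    idp = IdentityPlatform(net)
    out = {}
    idp.login("alice", "s1")
    out["alice_before"] = idp.authorize("alice", "s1") and net.allow("10.0.1.23", "sharepoint")
    net.on_threat("10.0.1.23", "malware")                 # sandbox verdict on alice's host
    out["alice_session"] = idp.authorize("alice", "s1")   # session revoked
    out["alice_relogin"] = idp.login("alice", "s2", used_mfa=True)   # still blocked
    out["alice_network"] = net.allow("10.0.1.23", "sharepoint")
    idp.login("bob", "s3")
    idp.on_identity_anomaly("bob", "impossible-travel")   # logins from two distant countries minutes apart
    out["bob_network"] = net.allow("10.0.1.50", "sap")    # quarantined by the identity side
    out["bob_password_only"] = idp.login("bob", "s4")     # refused: step-up required
    out["bob_with_mfa"] = idp.login("bob", "s5", used_mfa=True)
    out["bob_network_after_mfa"] = net.allow("10.0.1.50", "sap")
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The asymmetry is deliberate: a confirmed malware verdict leaves the identity blocked until a human clears it, while an identity-side anomaly only raises the bar to MFA, because a false positive there should cost the user a second factor, not a support ticket.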
16. Target data breach – APTs in action
[Diagram, attack chain: Recon on companies Target works with → Spearphishing third-party HVAC contractor → Breached Target network with stolen payment system credentials → Moved laterally within Target network and installed POS malware → Compromised internal server to collect customer data → Exfiltrated data to command-and-control servers over FTP. Throughout: maintain access.]
17. Innovative Approach To Securing Today's Enterprise
Eliminate Security Silos For A Unified Enterprise-wide Security Policy
[Diagram: all key identity and network security functions natively integrated in one solution: Identity Provisioning, Management, Centralized Management, Visibility & Control, Threat Prevention; any location, any infrastructure; closed-loop single enterprise-wide policy]
18. Unify Your Enterprise Security Strategy
Protect the enterprise from known threats and zero-day attacks
Gain full control over your identity and network security investments
Make informed decisions based upon correlated events & data points
Adaptable closed loop security policy enforcement
Drive top line business initiatives faster
Slide 1: Significant changes in the identity world: a shift from IAM to IRM.
Translate the business policy into a security policy: the business rule "SAP for the finance users" becomes the security rule "SAP for the finance users", the application tied to the user group rather than a port opened to an address range.
How does it work?
Classifying all applications, across all ports, all the time with App-ID. Palo Alto Networks next-generation firewalls are built upon App-ID, a traffic classification technology that identifies the applications traversing the network, regardless of port, encryption (SSL or SSH) or evasive technique employed. The knowledge of exactly which applications are traversing the network, not just the port and protocol, then becomes the basis for all security policy decisions. Unidentified applications, typically a small percentage of traffic yet high in potential risk, are automatically categorized for systematic management, which can include policy control and inspection, threat forensics, creation of a custom App-ID, or submission of a packet capture for App-ID development.
Tying users and devices, not just IP addresses, to applications with User-ID and GlobalProtect. The application identity is tied to the user through User-ID, allowing organizations to deploy enablement policies that are not based solely on the IP address. These policies can then be extended to any device at any location with GlobalProtect. User-ID integrates with a wide range of enterprise user repositories to provide the identity of the Microsoft Windows, Mac OS X, Linux, Android, or iOS users accessing the application. GlobalProtect ensures that the remote user is protected consistently, in the same manner as they would be if they were operating on the local network. The combined visibility and control over a user's application activity means organizations can safely enable the use of Oracle, SharePoint, Exchange, or any other application being accessed from the datacenter, no matter where or how the user is accessing the datacenter.
Protecting against all threats, both known and unknown, with Content-ID and WildFire. To protect against a blend of known exploits, malware and spyware as well as completely unknown and targeted threats, organizations can first reduce the threat footprint through an explicit deny policy for unwanted applications. Content-ID can then be used to protect the applications and associated features by blocking known vulnerability exploits, viruses, and spyware in the allowed traffic. Content-ID addresses common threat evasion tactics by executing the prevention policy using the application and protocol context generated by the decoders in App-ID. Custom or unknown malware that is not controlled through traditional signatures is addressed through WildFire, which executes unknown files and monitors for more than 100 malicious behaviors in a virtualized sandbox environment. If malware is found, a signature is automatically developed and delivered to the user community.
Safe application enablement policies can help organizations improve their security posture, regardless of the deployment location. In the datacenter, application enablement translates to confirming the applications, users, and content are allowed and protected from threats – while simultaneously finding rogue, misconfigured applications - all at multi-Gbps speeds. In virtualized datacenter environments, organizations can apply consistent application enablement policies while addressing security challenges introduced by virtual machine movement and orchestration.
Most architectures today resemble what you see in this picture: a set of siloed organizations, processes, and technical infrastructure that have largely been assembled like a manufacturing production line, where a series of security events roll down a conveyor belt of individual point products while different staff members perform their individual duties. Historically we have been able to get by. But as the attacks and the attackers evolve, these architectures are beginning to show their weaknesses, and today we see how they are costly both in their inability to prevent targeted attacks and in their unnecessary cost to the organization.
There are three specific issues we’ve pinpointed:
Limited visibility: You can’t secure what you can’t see. Your security architecture must have the ability to see all applications, users and the individual devices on the network to prevent attacks that might utilize non-standard ports, protocols, or SSL encryption for evasion. Your security architecture must also have the ability to see and prevent new targeted attacks that are utilizing threats (malware, zero day vulnerability exploits) that have never been seen before. Eliminate all blind spots.
Lacks correlation: If attacks are multi-dimensional, so too must be your defenses. Your architecture must act like a system of systems where individual technologies work together in a coordinated manner to prevent attacks, making each element within the system smarter.
Manual response: With attacks evolving at a rapid pace, it is critical that we wean ourselves from the "man in the middle": the human who has to read one product's alert and act on another. Your security architecture must employ a system of automation that is constantly learning and applying new defenses without a requirement for any manual intervention. It must weed out the congestion, automatically handling low- to medium-severity cases so you can focus your team's attention on only the highest-priority incidents.
And that is what we have built here at Palo Alto Networks. We believe that our next-generation platform delivers on this promise, and that with it prevention becomes the byword for the battle: technically possible, and continuously improvable over time.
It is fundamentally built on three leading technologies:
The industry's leading next-generation firewall, which was just recognized again as a leader in the Gartner Magic Quadrant.
Inspects all traffic
Safely enables applications
Sends unknown threats to cloud
Blocks network based threats
The most advanced next-generation threat cloud [WildFire, Threat Prevention, URL Filtering]
Gathers potential threats from network and endpoints
Analyses and correlates threat intelligence
Disseminates threat intelligence to network and endpoints
The market’s most compelling next-generation endpoint protection
Inspects all processes and files
Prevents both known and unknown exploits
Protects fixed, virtual, and mobile endpoints
Lightweight client and cloud based
And the result of that is better security at a lower cost for the good guys and less effective attacks at ever increasing costs for the bad guys. Through this security platform we can deliver complete and integrated protection across the kill-chain…
Slide 7: OpenAM
Took the open source code from Sun OpenSSO.
Built out at ForgeRock with former Sun people: developers, engineers, Sun's director of engineering, the OpenAM product engineer, etc.
Built through R&D and the open community, so it is built the way customers want it.
Traditional access management meant separate products for authentication and authorization, federation, web services security, adaptive authentication and entitlements, all of which had to be integrated. A lot of headaches and integration work: they all have different processes for their UIs, APIs, ways of connecting, documentation and so on, an accidental acquisition architecture.
One system to manage all your resources.
Traditional access management, you can do. Federating to the cloud or to apps outside the perimeter, you can do that. Protecting web services is also done through the product, as are adaptive authentication, fine-grained authorization, one-time passwords and so on.
This gives you a model where you adopt what you need and add on additional things. If you are enabling an app outside the perimeter and need one-time passwords, you just enable it; you do not have to deploy additional software and hardware and maintain and upgrade different things.
AM is optimized for enterprise, SaaS, social and mobile deployments.
It supports OAuth 2.0 and REST, making it very easy to connect to iOS, Android and other mobile platforms.
Architecture built for hundreds of millions of users.
Social sign-on and one-time mobile passwords are built in as well. You buy the modules that you want and add them through the license instead of having to deploy all these different things as you move on to different services.
Let's get into the details of how the Target data breach happened, which is a great archetype for the type of multi-staged and complex attack APTs typically use:
First the attackers did sophisticated recon activity to understand all the third-party contractors who worked with Target and might be a potential pivot point into their network. They scoured public records, corporate websites and social media, and could have gone so far as calling in and pretending to be a representative of one of the companies to get further information. There is a wealth of freely available information online if you just look for it.
They then identified their "target": a third-party HVAC contractor who had an ongoing relationship with Target. They breached this contractor with a spearphishing email and gained access to its network and all the information it had on its clients, including credentials to Target's systems.
The attackers used this stolen credential information to log into a third-party payment system within Target's network, which gave them an initial foothold to begin their persistent movement throughout the network.
With this foothold, they were able to move laterally and install the "BlackPOS" malware on POS systems.
The malware was able to read customer credit card data, which was held in memory on the POS systems, before it was encrypted.
At the same time the attackers also took control of an internal server that acted as a repository for all the stolen customer information, fed from each compromised POS system.
All this time, the malware and compromised systems were reaching out and communicating with the attackers over sophisticated command-and-control traffic to receive additional instructions.
Once enough data had been collected on the internal server, it was exfiltrated using FTP to those same C2 servers all around the world.
With this in mind, a few key pieces of information bubble to the surface:
The attack was complex and multi-threaded. Attackers always think of new ways to get in, and this requires the ability to do prevention at all key points in the network and to look at all the traffic as it comes in or goes out.
Third-party tools and applications, such as the payment processing software, were used by the attackers to gain access to the Target network. Think about what could have happened if they had enabled only the applications their business needed, with only specific users or "security zones" able to use them.
Segmentation of critical resources is critical, such as segmenting the "POS zone" so that only finance employees, using approved applications, could traverse it.
Common protocols over standard ports were used, such as FTP, SSL and NetBIOS, which can make the attack hard to spot when it blends into normal traffic.
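The "How does it work?" notes above (App-ID classifying by content rather than port, User-ID tying the flow to a user and group, Content-ID handing unknown traffic off for inspection) and the Target lessons (application enablement, zone segmentation, evasion over standard ports) come together in this added example. It is not Palo Alto Networks code and does not use the product's rule syntax; the payload signatures, user map, zones, rules and flows are all constructed for the illustration. It evaluates each flow twice, once with a port-only rule set of the kind the slides criticise and once with the application, user and zone taken into account, so the reader can see exactly which stages of the Target chain each one would have stopped.

```python
import ipaddress
import re

# App-ID style classification (constructed signatures): look at the first payload
# bytes, ignore the port. Anything unmatched is "unknown-tcp" and gets flagged.
APP_SIGNATURES = [
    ("ssh",  re.compile(rb"^SSH-2\.0-")),
    ("ftp",  re.compile(rb"^(220[ -]|USER |PASS |STOR |RETR )")),
    ("http", re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n")),
    ("tls",  re.compile(rb"^\x16\x03[\x00-\x03]")),              # TLS handshake record
    ("smb",  re.compile(rb"^.{4}[\xfe\xff]SMB", re.S)),          # NetBIOS header, then SMB1/SMB2 magic
]


def identify_app(payload: bytes) -> str:
    for name, sig in APP_SIGNATURES:
        if sig.match(payload):
            return name
    return "unknown-tcp"


# User-ID style mapping (constructed): source IP -> (user, group)
USER_MAP = {
    "203.0.113.7": ("hvac-vendor", "contractors"),   # contractor logging in from the internet
    "10.0.2.10":   ("carol", "finance"),
    "10.0.2.11":   ("bob", "engineering"),
}

# Zones (constructed): the segmentation Target did not have
ZONES = [
    (ipaddress.ip_network("10.0.0.0/16"),  "corp"),
    (ipaddress.ip_network("10.10.0.0/16"), "vendor-portal"),
    (ipaddress.ip_network("10.20.0.0/16"), "pos"),
    (ipaddress.ip_network("10.30.0.0/16"), "payments"),
]


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for net, name in ZONES:
        if addr in net:
            return name
    return "internet"


# Enablement policy: (src_zone, dst_zone, groups or None for any, apps). First match wins, default deny.
RULES = [
    ("internet", "vendor-portal", {"contractors"}, {"tls"}),
    ("corp",     "pos",           {"finance"},     {"tls"}),   # only finance manages POS, only over TLS
    ("pos",      "payments",      None,            {"tls"}),   # POS talks to the payment switch and nothing else
    ("corp",     "internet",      None,            {"http", "tls"}),
]


def evaluate(src_ip, dst_ip, dst_port, payload):
    app = identify_app(payload)
    user, group = USER_MAP.get(src_ip, (None, None))
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    action = "deny"
    for rule_src, rule_dst, groups, apps in RULES:
        if (rule_src, rule_dst) == (src_zone, dst_zone) and (groups is None or group in groups) and app in apps:
            action = "allow"
            break
    # Legacy comparison: a flat internal network plus a port-based rule allowing 80/443 outbound.
    legacy = "allow" if (dst_zone != "internet" or dst_port in (80, 443)) else "deny"
    return {"app": app, "user": user, "src_zone": src_zone, "dst_zone": dst_zone,
            "action": action, "legacy_port_action": legacy, "needs_review": app == "unknown-tcp"}


# Constructed flows mirroring the stages of the Target chain, plus two legitimate ones
TLS_HELLO = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 16
SMB2 = b"\x00\x00\x00\x80\xfeSMB" + b"\x00" * 16
FLOWS = [
    ("203.0.113.7", "10.10.5.4", 443, TLS_HELLO),        # contractor -> vendor portal with stolen credentials
    ("10.10.5.4", "10.20.1.15", 445, SMB2),              # lateral move: vendor portal host -> POS over SMB
    ("10.20.1.15", "10.0.9.8", 445, SMB2),               # POS -> internal staging server
    ("10.0.9.8", "198.51.100.20", 21, b"USER anonymous\r\n"),   # staging server -> internet over FTP
    ("10.0.9.8", "198.51.100.20", 443, b"USER anonymous\r\n"),  # same FTP hidden on 443
    ("10.0.2.10", "10.20.1.15", 443, TLS_HELLO),          # finance user managing a POS: legitimate
    ("10.0.2.11", "10.20.1.15", 443, TLS_HELLO),          # engineer doing the same: wrong group
    ("10.0.2.11", "198.51.100.30", 443, b"\x01\x02\x03\x04"),   # unknown protocol on 443
]


def run_flows():
    return [evaluate(*flow) for flow in FLOWS]


if __name__ == "__main__":
    for flow, result in zip(FLOWS, run_flows()):
        print(flow[:3], result["app"], result["src_zone"], "->", result["dst_zone"],
              "policy:", result["action"], "legacy:", result["legacy_port_action"])
```

Note what the first flow shows: valid contractor credentials over an approved application to the vendor portal pass policy on both models, because nothing about the packet is wrong. That stage is the one the identity side has to catch (step-up authentication for the contractor account, or the feedback loop revoking it once the later stages trip the network), which is the reason the deck pairs the two platforms rather than relying on either alone.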
What’s the ideal solution?
An end-to-end security platform with all key security functions natively integrated.