Ides Vanneuville, Palo Alto Networks Sr. Director Systems Engineering EMEA

1. Modern Malware & Application Control in an infected world with Next-Generation Firewall…and why it needs to be a Next-Generation firewall! Ides Vanneuville, Palo Alto Networks Sr. Director Systems Engineering EMEA

2. the need for innovation

3. the next bigthing

4. it’s time to fix the firewall

5. it’s time to fix malware protection !

7. data breach mythology

8. we invest in protecting our datacenters

9. rarely the datacenter is attacked directly

10. no more vulnerability scanning

11. the new attacker

12. the attacker is not a bored geek

13. nation states and organized crime

14. data breaches in 2011

15. step one: baitan end-user

16. step one: baitan end-user spear phishing

17. step one: baitan end-user

18. step two: exploit a vulnerability

19. step three: download a backdoor

20. step four: establish a back channel

21. step five: explore and steal

22. the  state of malware protection

23. bait protection is needed at all stages exploit download back channel steal

24.  baitprotection

25.  exploitprotection exploits come in thru many applications

26.  exploit protection many months pass between black-hat discovery, white-hat discovery, and protection being available

27.  download protection targeted attacks mean few instances in the wild

28.  downloadprotection anti-malware vendors take several days to come up with a signature

29.  back channelprotection + + not only attacks are targeted and IPS signatures take time to develop, back channels are often encrypted

30. explore-and-stealprotection minimal internal security means that once inside, an attacker can roam the network freely

31. blueprint for stopping modern malware

32. need to protect all applications

33. response timeis key

34. automationis a must

35. a sandboxat the core

36. perform the analysis for all devices centrally

37. automatically generate multiplesignatures • Anti-malware download signatures • IPS back-channel signatures • Malware URLs • IPS signatures for identified new vulnerabilities • Deliver signatures within one hour

38. stopping modern malware in practice

39. bait protection is needed at all stages exploit download back channel steal

40. bait protection  • Block unneeded applications • Control file transfers by user, application, and file type • Block access to Malware URLs

41. exploit protection  • Discover vulnerabilities before the bad guys • IPS signature for newly identified vulnerabilities

42. discovering Microsoft vulnerabilities number of vulnerability discoveries credited to each vendor over the last 4 years Source: OSVDB; as of June 15th 2011

43. discovering Adobe Flash vulnerabilities number of vulnerability discoveries credited to each vendor over the last 4 years Source: OSVDB; as of August 15th 2011

44. download protection  • Anti-Malware signatures available to the entire participant base within one hour of first discovery • Generic drive-by-download protection for HTTP/S downloads

45. back-channel protection  • Block unknown application traffic • Use heuristics to detect back channel communication • Signatures available for newly discovered malware • Need to decrypt SSL connections to look inside

46. explore-and-steal protection  • Network segmentation • Control access to data by user and application

47. the role of NGFW in stopping modern malware

48. solution has to be enterprise-wide

49. protection has to be real-time, inline

50. needs user-based access control