Executive Summary
Cybersecurity has become a leading topic both within and beyond the corporate boardroom. This attention is well-founded and marks a transition from information security being a concern primarily for businesses and governments to it being broadly acknowledged as an issue that impacts and requires the attention of everyone, from individual consumers to entire countries. With all of the renewed attention, potentially shifting priorities, media and political activity surrounding cybersecurity, it is important for enterprises not to lose sight of the role network security plays as a crucial element and first line of defense in their cybersecurity strategies. Equally imperative, however, is that cybersecurity architects and managers recognize the dramatically diminished effectiveness of legacy network security solutions that continue to rely on methods and technologies designed for the threats of yesterday.
What enterprises need to stop the escalation of cyberattacks is a network security approach that is designed from the outset to enable the safe use of the applications and technologies required to support a thriving business. The solution must also be sufficiently capable and flexible to provide protection against a wide range of constantly evolving cyberthreats, regardless of users’ locations, and without any performance degradation, all while reducing total cost of ownership through simplification.
The Rise of Cybersecurity
The reason cybersecurity is such a hot topic these days is that society as a whole is finally coming to realize both the potential magnitude of modern cyberthreats and the fact that they impact everything and everyone—not just corporations or critical infrastructure, but individual consumers, entire countries and the global economy as well.
Corporations. More significant than the increasing diversity and frequency of cyberattacks have been the mounting disclosures of breaches, particularly among high-profile organizations such as The New York Times, Bank of America, RSA and Lockheed Martin, and the numerous companies impacted by Operation Aurora. Along with highly revealing reports—such as those published by Mandiant and Verizon—these disclosures have transformed cyberattacks from nebulous uncertainties into distinct realities, often with very significant material consequences. Critical Infrastructure. The foundation of today’s global economy, critical infrastructure— including energy grids, financial trading networks, water distribution systems, telecommunication or healthcare networks, has become a natural target for cybercriminals. Many of these systems are now subject to what’s being referred as Advanced Persistent Threats, or APTs, a term that describes their nature as the cybercriminals behind these attacks use a combination of more and more sophisticated malware and are willing to pursue their targets over a significant period of time.
Consumers. Because so many individuals— not just corporations —now rely on the Internet and related web applications and services so heavily, they too are now tuned in when it comes to cybersecurity issues. They too have come to recognize the potential impact, if not of cyberthreats directly targeted at them, then at least of those targeted at commercial and public sector organizations that retain their personal data or provide services they take advantage of daily. A recent finding by Tenable Network Security confirms this mentality, with 66 percent of those surveyed indicating that corporations should be responsible when cyberattacks that impact them occur1.
of observed malware behaviors focused on evading security or analysis.
Source: Palo Alto Networks “Modern Malware Review”, 2013
of breaches remain undiscovered for months or more. Source: Verizon 2013 DBIR
66%
Countries. Primarily in response to the heightened interest and concern of their citizens, countries, in the form of federal governments, are now stepping into the fray and also contributing to the conflagration that is cybersecurity. The Executive Order by the U.S. President that seeks to improve “critical infrastructure cybersecurity” is but one example. Pre-dating it by more than a year is the publication of the Cyber Security Strategy for the United Kingdom. An accompanying statement by Francis Maude, Minister for the Cabinet Office, nicely sums up the overall importance of cybersecurity:
“One of our key aims is to make the UK one of the most secure places in the world to do business. Currently, around 6 percent of the UK’s GDP is enabled by the internet and this is set to grow. But with this opportunity comes greater threats. Online crime including intellectual property theft costs the UK economy billions each year. So we must take steps to preserve this growth, by tackling cyber crime and bolstering our defences, to ensure that confidence in the internet as a way of communicating and transacting remains.”2
The Need for Better Network Security
Although network security is only one component of a comprehensive cybersecurity strategy— others include identity, endpoint, application, system and data security—its importance cannot be over-stated. Responsible for controlling which traffic is able to enter, transit and exit a computing environment, network security is typically an enterprise’s first line of defense against cyberattacks— and sometimes, its only one.
The foundation for this first line of defense is the enterprise firewall. Deployed in-line at critical network junctions, firewalls can not only see and control all traffic, but they can also detect and prevent cyberthreats and APTs. The problem, however, is that most firewalls squander this opportunity. Originally designed at a time when network traffic consisted of little more than email, web and a handful of business applications —and threats were easily identified as “everything else”—most firewalls continue to rely on outdated techniques and technologies. They’ve failed to adequately keep pace with changes to the nature of applications, threats, users and the network infrastructure itself. As a result, their effectiveness is falling off precipitously at the same time that their cost of ownership continues to migrate upward. A straightforward example involves reliably identifying a web-based file transfer utility and further qualifying whether it is being used for “good” or “bad” purposes in any given instance. The bottom line is that legacy firewalls are simply incapable of addressing this need.
Not All Network Security Solutions are Created Equal
To better address today’s cybersecurity requirements, Palo Alto Networks has re-invented network security from the ground up. By focusing on applications, users and content—elements that make the most sense to the business—we’re delivering a truly innovative platform that provides enterprises with the ability to safely enable the modern applications required to operate a business successfully while protecting against all types of cyberthreats and APTs and not impacting performance. The Palo Alto Networks security platform helps enterprises simplify and reduce the cost of ownership of their network security infrastructure. Details on how each of these capabilities and benefits are delivered and what makes the Palo Alto Networks security platform better than legacy alternatives are covered in the sections that follow.
IDENTIFY DATA APPLICATIONS ENDPOINTS SYSTEMS COMPUTING environment components Comprehensive Cybersecurity starts with the NETWORK
Safely Enabling Applications and Technologies Needed by the Business
The application landscape is now far more complex than it was when the first firewalls were designed. Instead of a clear 1:1 relationship between an application and its communication channel, now hundreds of applications often share the same network channel. Some applications even have the ability to switch channels or leverage other evasive techniques as a means to bypass an organization’s cyberdefenses. And instead of all applications being either “good” or “bad,” many now vary depending on how they are being used in any given instance.
Why legacy security solutions no longer match how today’s applications operate: Legacy network security products continue to rely on the same techniques first introduced over 15 years ago. For the most part, they are only capable of allowing or blocking entire network channels (ports), as opposed to individual applications. As a result, administrators are often stuck choosing between saying “yes” and allowing undesirable (i.e., high risk, low reward) applications to operate alongside essential ones, or just saying “no” and blocking entire classes of applications that might otherwise be beneficial to the business. Even those products that have “bolted on” the ability to distinguish individual applications still rely on the old techniques to initially classify all traffic. In addition to being inherently unreliable, this approach introduces greater management complexity, has a higher potential for configuration errors, and invariably degrades performance.
Palo Alto Networks innovative approach: Designed to fix the problem with legacy products at its core, the Palo Alto Networks security platform classifies all applications regardless of the network channel they use or any bypass techniques they might employ. This classification is then used as the basis for all other policies and inspections that are performed. Because it can identify users, content and data associated with each session, our security platform is also able to solve the mystery of “gray” applications that can be either “good” or “bad” in any given instance. For example, policies can be set up to allow a group of engineers in R&D to use a personal productivity application to share product specifications with an approved integration partner, but block use of the same application by the entire accounting department to forward financial records to anyone other than senior management. Application control can be very granular, even down to the level of individual functions. The result is the ability to confidently say “yes” to whatever applications are needed to best support the business without concern for incurring undue risk, policy management complexity or potential performance problems.
SQLIA
APPLICATIONS, USERS AND CONTENT – ALL UNDER YOUR CONTROL
EMR, Dev Tools, Trading Apps SQLIA
Authorized Finance User
Authorized User
Authorized Marketing User
Authorized User General Business Applications and Systems Specialized Applications
(Industry or Function) EMR, Dev Tools,Trading Apps
EMR, Dev Tools, Trading Apps
Productivity Applications
Consumer Applications
Protecting Against All Threats—Known and Unknown
Following a similar trajectory as applications, cyberthreats have also proliferated in type and sophistication. Most notably, they’ve evolved to take advantage of “allowed” applications and their vulnerabilities as a means to gain access to enterprise networks.
Legacy solutions cannot keep up with today’s cyberthreats: Because early firewalls did not directly concern themselves with cyberthreats, most vendors had to incorporate add-ons, such as anti-virus and intrusion prevention engines. This provides a basic capability for stopping known cyberthreats, but offers minimal protection against unknown ones—including APTs and zero-day attacks. Adding standalone network security products for threat detection, web filtering and data loss prevention is another possibility. However, this leads to device sprawl and a familiar set of problems: operational complexities, convoluted policies, and diminished network performance. Most importantly, this fragmented approach prevents security teams from getting to a comprehensive, single view of what’s happening on their network.
Palo Alto Networks delivers threat prevention and detection, natively. Being able to view, control and in many cases proactively define which applications can access any specific zone of the network is the first step to limiting the reach of today’s cyberthreats and APTs. But it’s not enough. This is why Palo Alto Networks has brought back, native to the firewall, the ability to inspect and thoroughly screen all allowed application traffic for all types of cyberthreats, both known and unknown. This is accomplished by incorporating a combination of proven technologies to stop known threats, prevent the exploitation of known vulnerabilities, and limit the exfiltration of sensitive files and data, along with a range of new capabilities to protect against previously undiscovered malware, APTs, and targeted cyberattacks. In particular, advanced inspection techniques and cloud-based computing resources are applied to identify, and investigate any suspicious traffic that might carry zero-day attacks and protection is returned within one hour of any malware being found. Beyond being highly scalable and cost effective, this centralized approach has the further benefit of protecting enterprises within a matter of hours when a new cyberthreat or APT is found anywhere in the world, by any Palo Alto Networks customer.
The net result is no device sprawl, no performance degradation, no convoluted policy models and no cyberthreats slipping through the cracks. We refer to this as delivering security without compromises. Moreover, support for additional mechanisms that address new types of threats, such as today’s much discussed APTs, can easily and efficiently be incorporated, without the need for an expanded physical footprint.
Figure 2: Security Platform that Delivers Native Threat Prevention
Extending Coverage To Any Location and Any User
Rarely is it sufficient to provide protection solely at the major entry and exit points of a network. Most enterprises also need to address a variety of locations both outside and within the perimeter, including distributed offices, operational networks, datacenters—both physical and virtualized— and an increasingly mobile workforce.
Typical shortcomings of legacy solutions include having reduced feature sets for smaller capacity appliances targeted at branch offices (or completely different product lines), and having absolutely no answer for mobile users.
Applications
• All traffic, all ports, all the time • Application signatures • Heuristics • Decryption
Exploits & Malware • Block threats on all ports • NSS Labs Recommended IPS • Millions of malware samples
Dangerous URLs • Malware hosting URLs • Newly registered domains • SSL decryption of high-risk sites
Unknown & Targeted Threats • WildFire detection of unknown and targeted malware • Unknown traffic analysis • Anomalous network behaviors • Reduce the attack surface
• Remove the ability to hide •• Prevents known threats Exploits, malware, C&C traffic
•Block known sources of threats
•Be wary of unclassified and new domains
• Pinpoints live infections and targeted attacks
Palo Alto Networks ensures consistent security policies across the enterprise regardless of location. Palo Alto Networks is keenly aware of the complexity and dynamic nature of modern networks. Our network security platform accounts for the unique requirements of all users and locations, providing a consistent set of protection and application enablement capabilities—all without having to manage a completely separate set of policies and infrastructure. This is accomplished as follows:
• Branch Offices. Enterprises can establish a consistent and cost effective level of protection across all offices and facilities, regardless of size, by taking advantage of our portfolio of a dozen firewall appliances which blanket the performance/throughput spectrum. Consistent capabilities and features across the entire portfolio drastically simplifies the management of security policies across any distributed enterprise and supports rapid configuration of secure, inter-office communications.
• Cloud Computing, Data Center, and Operational Networks. Our platform’s high-performance architecture and support for a wide range of networking technologies keeps it from becoming a bottleneck. We offer a variety of deployment options. For example, you can operate multiple independent firewall instances within a single physical firewall appliance as a convenient, low-cost option for simultaneously meeting the needs of multiple business units. A full-featured virtual appliance deployment option can also be used to support the transition to dynamic, cloud-like data centers.
• Mobile Initiatives and Remote Users: BYOD, roaming users and mobility initiatives introduce additional security challenges. By leveraging the GlobaProtect component of our platform, you can extend the same security policies and protection enforced within the physical perimeter to all users, no matter where they are located. Unlike with other solutions, there is no need to create and manage multiple, separate sets of policies for mobility.
Reducing Total Cost of Ownership
There’s no way around it: implementing a comprehensive cybersecurity strategy featuring effective network defenses is far more complex than it was in the past. The challenge, of course, is finding a way to deliver robust protection that fully accounts for the proliferation of applications, threats, network locations and mobile users—not to mention compliance—all within reasonable costs. Concerned about rising security costs and diminishing returns? Besides being subject to the technical deficiencies discussed earlier, bolting-on additional capabilities and/or relying on separate, standalone products to address each new requirement also incurs a significant financial penalty. At a minimum, the resulting solution is inefficient to operate, with administrators constantly having to bounce between numerous consoles, first to pull together a complete picture of what’s actually happening on their networks, and then to establish appropriate policies and enforcement rules. At the extreme, there is also the cost of having to purchase, deploy, integrate and maintain a small fleet of additional appliances.
Palo Alto Networks gives back control over your network security and related costs. With our next-generation network security platform, everything is simpler. The high-performance extensible architecture eliminates the need for separate appliances, as well as bolted-on feature sets. New capabilities are added as native features not as add-on devices. Full visibility into network traffic based on business-oriented parameters—applications, users, or content—is the foundation that ensures a future-proof design capable of meeting emerging requirements without having to negotiate tradeoffs between protection and performance, or having to deploy additional devices. The Palo Alto Networks solution is also highly efficient to operate. Administrators benefit from a centralized management system, Panorama, which gives them visibility into traffic patterns and enables them to deploy policies, generate reports and deliver content updates from a central location. Unlike with alternative solutions, they gain access, in one view, to all the information they require to better understand and more effectively respond to whatever’s happening on the network—with unparalleled visibility into applications, users, threats and content.
4301 Great America Parkway Santa Clara, CA 95054 Main: +1.408.753.4000 Sales: +1.866.320.4788
Copyright ©2013, Palo Alto Networks, Inc. All rights reserved. Palo Alto Networks, the Palo Alto Networks Logo, PAN-OS, App-ID and Panorama are trademarks of Palo Alto Networks, Inc. All specifications are subject to change without notice. Palo Alto Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Palo Alto Networks
The Palo Alto Networks Difference
Network security is a core component and first line of defense in a modern cybersecurity strategy. However, legacy network security products that have failed to adequately account for changes to applications, threats and users can no longer be considered effective in this role. In addition to failing to deliver adequate protection for today’s enterprises, they also increase infrastructure and operational complexity and have an ever-growing cost of ownership. In comparison, the Palo Alto Networks security solutions have been built from the ground up to account for the realities of the modern computing environment: more and increasingly sophisticated applications, users, threats and networks. The result is a network security platform that allows organizations to pursue the deployment of the innovative technologies and applications they need to thrive and protect their assets against all types of cyberthreats without having to strike a compromise between security and performance.
At Palo Alto Networks we recognize the significance of innovation and the role it played in getting our Next-Generation Firewall to where it is today. As demonstrated by the numerous product updates we’ve delivered over the years, we remain committed to re-inventing all aspects of network security so that you can stay ahead of the constantly evolving threat landscape.
Footnotes:
1. Tenable Network Security Survey Reveals Consumer Alarm About Cyberattacks and the Nation’s Ability to Protect Government, Private Networks, Feb. 14, 2013
2. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/60962/WMS_ The_UK_Cyber_Security_Strategy.pdf
