1 | © 2017 Palo Alto Networks, Inc. Confidential and Proprietary.
Palo Alto Networks
PDF edition for visitors of Detect & Defend 2018 at Secure Link Germany, for internal use only. Improper use, including placing on the Internet or transfer to additional third parties, is not permitted.
Agenda
• Palo Alto Networks
• Migration Scenarios to product portfolio 2018
• Connection to your cloud provider
• VPN: GlobalProtect cloud service and decentralised collection of log files in the Logging Service
• Magnifier Behavioral Analytics: secondary evaluation of log files in the Logging Service
• Upcoming Events
Palo Alto Networks
Founded in 2005; first customer shipment in 2007
More than 48,000 customers in 150+ countries
FY17 $1.8B revenue; 28% YoY growth that significantly outpaced the industry
Over 85 of the Fortune 100 and 63% of the Global 2000 rely on us
Excellent global support, awarded by J.D. Power and TSIA
Experienced team of more than 4,800 employees
Palo Alto Networks (Germany) GmbH
• Country Office in Munich, Germany
• Team: Sales Representatives, System Engineers, Professional Services, Marketing in HomeOffice
• Partner focused, no direct Sales
• Support via Authorized Support Centers (Direct, Distributors or Partners), Backend-Support via Palo Alto Networks Support Center in Amsterdam
• Account Teams: Territory, Named, Major, Global, Public; Channel, Service Providers
Migration scenarios to product portfolio 2018
New hardware portfolio
• PA-200
• PA-220
• PA-220R (NEW)
• PA-500
• PA-800 Series
• PA-3000 Series
• PA-3200 Series
• PA-5000 Series
• PA-5200 Series
• PA-7000 Series
Palo Alto Networks: PA-3200 series
Up to 7x decryption performance increase
Up to 20x decryption session capacity increase
Up to 5x performance increase
Front-to-back cooling
Interface speeds up to 40G for flexible connectivity
PA-3200 Series
• PA-3220: 5.0 Gbps App-ID, 2.2 Gbps threat prevention
• PA-3250: 6.3 Gbps App-ID, 3.0 Gbps threat prevention
• PA-3260: 8.8 Gbps App-ID, 4.7 Gbps threat prevention
Palo Alto Networks: PA-3200 series
• Hot swappable fans, power supplies
• Single SSD system drive (240GB), field replaceable
• Dedicated HA and management interfaces
• 2U, 2 and 4 post rackmount
• Front to back airflow
PA-3220
• 5 Gbps App-ID
• 2.2 Gbps Threat Prevention
• 1,000,000 sessions
• (4) 1G/10G SFP/SFP+
• (4) 1G SFP
• (12) 10/100/1000 copper
PA-3250
• 6.3 Gbps App-ID
• 3 Gbps Threat Prevention
• 2,000,000 sessions
• (8) 1G/10G SFP/SFP+
• (12) 10/100/1000 copper
PA-3260
• 8.8 Gbps App-ID
• 4.7 Gbps Threat Prevention
• 3,000,000 sessions
• (4) 40G QSFP+
• (8) 1G/10G SFP/SFP+
• (12) 10/100/1000 copper
Typical customer environment
• Perimeter security and lots of local routing
• Subscription: Threat Prevention and URL Filtering (incl. phishing links in e-mails)
• Subscription: WildFire Sandbox to prevent 0-day attacks typically requested
• SSL Decryption with reasonable throughput needed
• Full High Availability using a second device typically requested (no further lic. costs)
• Second power supply incl.
• Medium size central office incl. HA
Migration scenarios
• Existing customer
  • PA-500 -> PA-3200 (upsizing)
  • PA-800 -> PA-3200 (upsizing)
  • PA-2000 -> PA-3200 (upsizing)
  • PA-3000 (+3 years) -> PA-3200 (successor product)
  • PA-5000 -> PA-3200 (downsizing)
• New customer
  • Comparable products from other vendors
Palo Alto Networks: PA-3200 series specifications
• App-ID firewall throughput: 5000/6300/8800 Mbps
• Threat prevention throughput: 2200/3000/4700 Mbps
• IPSec VPN throughput: 3000/3000/4700 Mbps
• Connections per second / max. sessions: 57k/1M / 92k/2M / 135k/3M
• IPv4 forwarding table size: 16000 / 44000 / 44000
• ARP/MAC: 16k / 72k / 72k
• Virtual Router / Virtual Systems: 10 / 1(6)
• Security Policies: 2500 / 5000 / 5000
• Zones: 60
• Full HA, Aggregate Interfaces (8)
Connection to your cloud provider
Private Cloud (NSX, OpenStack, ACI)
Public Cloud (AWS, Azure, GCP)
Software as a Service (SaaS)
Expanded data and application locations
Public/Private cloud trends
NFV deployments increasing across the industry – from data center to branch office
Significant public cloud adoption for production workload deployments
Continued expansion in private cloud and virtualization initiatives
Our comprehensive approach
• Consistent security across the organization
• Diversity of clouds
• Cloud scalability
• Operational/orchestration integration
Cloud-centric scalability and resiliency
Microsoft Azure
• App Gateway and Load Balancer integration enables managed scale out and cloud-centric resiliency
AWS
• Integration with Auto Scaling and ELB/ALB allows security to scale dynamically, yet independently of workloads
• Native CloudWatch support
Diagram: Azure deployment (Resource Group, VNET, Availability Set, Azure Load Balancer, AppGW) and AWS deployment (External ELB and Internal ELB across AZ1 and AZ2)
Panorama Driven Workflows for NSX
• Security policy, tag configuration and automated workload quarantine streamlines security workflows
Automate Firewall Deployments
• Dynamically provision virtual firewalls at run-time within OpenStack Config-Drive
Diagram: automatic workflows covering advanced security policies, API integration, quarantine, security group creation, traffic redirection and OpenStack Config-Drive
Cloud-centric scalability and resiliency
Google Cloud Platform: Hybrid cloud (IPSec VPN) – Extending the enterprise datacenter into GCP via IPSec VPN. This allows utilization of the full NGFW feature set.
VPN: GlobalProtect cloud service
Security for all networks and users
• Appliances at HQ and branch offices
• GlobalProtect gateways on-premises or in the cloud
• Managed centrally by Panorama
GlobalProtect cloud service
• Provides an alternative for remote network and mobile user security
• Enables deployment of consistent security from corporate to all locations and users
• Reduces the operational burden associated with consistent security for all locations and users
GlobalProtect cloud service for remote networks
• Protect remote networks with consistent, next generation security policies
• Use Panorama to onboard sites, manage policies, query Logging Service
• Includes all subscriptions (TP, URL, WF) with Autofocus and Aperture as optional add-ons
Diagram: headquarters and remote locations connect over IPsec to the GlobalProtect Cloud Service, which forwards logs to the Logging Service; locations are added/removed and policy is managed centrally
GlobalProtect cloud service for mobile users
• Delivers coverage to protect mobile users and devices regardless of location
• Automatically scales to handle growth for mobile population
• Centralized policy, management and reporting through Panorama
• Includes all subscriptions (TP, URL, WF) with AutoFocus and Aperture as optional add-ons
Diagram: mobile users connect over IPsec/SSL VPN to the GlobalProtect Cloud Service, which forwards logs to the Logging Service; headquarters adds/removes locations and manages policy
GlobalProtect cloud service: Considerations
Choosing the approach that best fits your needs

Consideration                            | GlobalProtect cloud service | Deploy & manage yourself: on-premises | Deploy & manage yourself: on AWS or Azure
Speed of global deployment               | Hours                       | Days/months                           | Days
Automatically scale based on demand      | Yes                         | No                                    | Auto Scale (AWS), manual scale (Azure)
Reduced IT footprint at remote networks  | Yes                         | No                                    | Yes
Predictable OPEX security model          | Yes                         | No                                    | No
Require local segmentation, VWire, VLANs | No                          | Yes                                   | No
Multiple interfaces on premises          | No                          | Yes                                   | No
Scope of control                         | Partial                     | Full                                  | Full
Connection type/speed                    | IPsec VPN/<300M, SD-WAN     | Any type/any speed                    | Any type/any speed
Decentral collection of Logfiles in Logging Service
Logging Service
• Designed to collect and store large amounts of our high-value log data from all NGFWs and GlobalProtect cloud service
• Leverages powerful, elastic cloud-based computing to provide visibility and insights on large amounts of data
• A centralized access point for the data of innovative apps in the Palo Alto Networks Application Framework
Logging Service: Customer Benefits
• Provides operational simplicity
• Reduces both work and guesswork from log management
• Improves business agility (new firewalls, acquisitions, new offices, etc.)
• Allows leveraging of the log data to enable innovative security capabilities
• Offers economic model of choice: pay for what you need, when you need it
Magnifier Behavioral Analytics
Successful attacks require multiple steps
Disrupt every step to prevent successful cyberattacks
Attack lifecycle: Vulnerability Exploit, Malware Installation, Command and Control, Lateral Movement, Data Exfiltration

• Occurs in seconds to minutes
• Involves a small number of network actions
• Can often be identified by IoCs

• Occurs over days, weeks, or months
• Involves a large number of network actions
• Can rarely be identified by IoCs
Detection and response must be different
• Attackers must perform thousands of actions to achieve their objective
• Each individual action may look innocent
By profiling behavior, organizations can detect the behavioral changes that attackers cannot conceal
Attack lifecycle: Vulnerability Exploit, Malware Installation, Command and Control, Lateral Movement, Data Exfiltration
Behavioral changes shown: connectivity rate change, repeated access to an unusual site, unusually large upload
Today’s detection and response doesn’t work
Static Rules
• Manually-defined correlation rules
• Hard to develop and maintain
• False positives
Slow Investigations
• Repetitive processes
• Manual endpoint forensics
• Days or weeks to block threats
Wrong Data
• Inconsistent logs; mostly violations
• Collecting the right data requires deploying sensors and agents
Lack of Scale
• Not built for big data
• Cost-prohibitive to log necessary data
• Slow software release cycles
What is needed
Rich Data
• Comprehensive network, endpoint and cloud data collected by existing infrastructure
Cloud Scale & Agility
• Cloud elasticity for data storage
• Rapid innovation
Machine Learning
• Machine learning to profile behavior and automatically detect attacks
Rapid Response
• Small number of actionable alerts
• Threat intelligence and endpoint analysis
• Firewall remediation
Magnifier Behavioral Analytics
• Analyze rich network, endpoint and cloud data with machine learning
• Accelerate investigations with endpoint analysis
• Gain scalability, agility and ease of deployment as a cloud-delivered app
Diagram: network, endpoint and cloud data from logs and telemetry feed Magnifier machine learning, delivered as a cloud-delivered security service
How Magnifier finds and stops attacks
1. Detect attacks based on rich network, endpoint, and cloud data
2. Investigate attacks fast with automated endpoint interrogation
3. Take action by blocking devices
Diagram: endpoints in the campus network, data center and cloud data center; a Pathfinder VM; Magnifier and the Logging Service
Access blocked by firewall
How Magnifier finds internal reconnaissance
• Profiles devices, their types and their availability
• Detects an unusual number of failed connections to nonexistent devices
  • Compared to past behavior
  • Compared to peer behavior
• Shows other alerts for the device, helping conclude it’s a network scanner
By detecting behavioral anomalies rather than simply lots of connections, Magnifier generates fewer false positives
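The detection described on this slide, as an added illustration rather than Magnifier's own code: failed connections to destinations that have never answered are counted per host and day, then compared against the host's own history and against its peer group, so a device that merely makes many connections to real systems is not flagged. The connection records and host roles below are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample connection records: (day, source, destination, accepted).
# Days 1-4 are the learning period; day 5 is the day under review.
EVENTS = []
HOSTS = ("ws-01", "ws-02", "ws-03", "ws-04")
for day in range(1, 6):
    for h in HOSTS:
        EVENTS.append((day, h, "srv-01", True))       # normal file-share traffic
        EVENTS.append((day, h, "10.0.9.250", False))  # one stale-DNS failure per day
    EVENTS += [(day, "bkp-01", "srv-01", True)] * 100  # noisy but legitimate backup host
# Review day: ws-03 sweeps 40 addresses where no device has ever answered.
EVENTS += [(5, "ws-03", f"10.0.7.{n}", False) for n in range(40)]
PEERS = {**{h: "workstation" for h in HOSTS}, "bkp-01": "server"}  # hypothetical roles

def known_devices(events):
    """A destination that ever accepted a connection is a real, live device."""
    return {dst for _, _, dst, ok in events if ok}

def ghost_failures(events, known):
    """Per (day, source): failed connections to destinations that never answered."""
    counts = defaultdict(int)
    for day, src, dst, ok in events:
        if not ok and dst not in known:
            counts[(day, src)] += 1
    return counts

def exceeds_baseline(history, today, k=3.0):
    """True if today's count is k standard deviations above the baseline (floor 1)."""
    if len(history) < 2:
        return False
    return today > mean(history) + k * max(pstdev(history), 1.0)

def detect_recon(events, peers, review_day, k=3.0):
    known = known_devices(events)
    counts = ghost_failures(events, known)
    past = sorted({d for d, *_ in events if d < review_day})
    flagged = {}
    for src, role in peers.items():
        today = counts.get((review_day, src), 0)
        own = [counts.get((d, src), 0) for d in past]
        peer = [counts.get((d, p), 0) for p, r in peers.items()
                if r == role and p != src for d in past]
        # Alert only when the device deviates from both its own past and its peers.
        if exceeds_baseline(own, today, k) and exceeds_baseline(peer, today, k):
            flagged[src] = today
    return flagged
```

`detect_recon(EVENTS, PEERS, 5)` flags only ws-03 with 41 failed connections to never-seen devices; bkp-01, despite making far more connections, is never counted because its destinations are live.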
Accurate detection enables an efficient process
Industry State
• An average of 2420 alerts per day is orders of magnitude more than what security teams can handle
• 61% of alerts were investigated and not whitelisted
• Source: Ponemon survey of 700 enterprises with average 14,000 endpoints and 16,937 alerts per week
Magnifier’s Technology
• A few actionable alerts per day enable the security team to cover the attack surface and effectively respond
• Source: LightCyber customer telemetry 2016
Palo Alto Networks Platform: open & extensible
Diagram layers (top to bottom):
• Palo Alto Networks apps, 3rd party partner apps, customer apps
• Cloud-delivered security services
• Application Framework & Logging Service
• Network security, advanced endpoint protection, cloud security
Upcoming Events
Upcoming Events
• Palo Alto Networks - Cyber Security Summit Germany: 07 June 2018, München, Germany
• Palo Alto Networks - Ignite EMEA 2018: 08.-10. Oct. 2018, Amsterdam, Netherlands
• IT security fair “it-sa 2018”: 09.-11. Oct. 2018, Nürnberg, Germany
Upcoming Events
• https://events.paloaltonetworks.com
• Ultimate Test Drives (remote or onsite with local Partner)
• Germany, Austria, Switzerland: “Die Zwei um Zwölf”, every first Friday of the month, online webinar, 60 min.