CSA Summit 2017 - Security Platform for Cloud Environments
Marcelo Ezequiel Rey
Sr. Sales Engineer, Palo Alto Networks
CORPORATE HIGHLIGHTS
• Founded in 2005; first customer shipment in 2007
• Safely enabling applications and preventing cyber threats
• Able to address all enterprise cybersecurity needs
• Exceptional ability to support global customers
• Experienced team of 3,800+ employees
• Q4 FY16: $401.8M revenue
Palo Alto Networks At-a-Glance
* Non-GAAP financial measures. See appendix for reconciliation to most comparable GAAP measure.
• Total revenue grew 34% year-over-year to a record $398.1Mn
• Recurring services revenue grew 57% year-over-year to $234.3Mn
• Deferred revenue grew 69% year-over-year to $1.4 billion
• Billings grew 33% year-over-year to $516.9Mn*
• Generated free cash flow of $182 million*
Q1 FY’17 Highlights
REVENUE
ENT CUSTOMERS
2016 Magic Quadrant for Enterprise Network Firewalls
IM, DLP, IPS, Proxy, URL, AV
Internet/WAN
An “Accidental” Architecture
Organizational Network
UTM
Evolution of security to the present day
Failures in security architectures
Anti-APT for port 80 APTs
Anti-APT for port 25 APTs
Endpoint AV
DNS protection cloud
Network AV
DNS protection for outbound DNS
Anti-APT cloud
Internet
Corporate Network
UTM/Blades
Limited visibility, manual response, no correlation
Vendor 1
Vendor 2
Vendor 3
Vendor 4
Internet Connection
Malware Intelligence
Diagram labels: DNS Alert, Endpoint Alert, AV Alert, SMTP Alert, Web Alert
Requirements for today and the future
At the Internet access point
Between employees and devices inside the LAN
In the data center and between virtual machines
Cloud
On the mobile device
DETECT AND PREVENT THREATS AT ANY POINT IN THE ENTERPRISE
Between public, private and hybrid clouds
Next-generation platform…
Public Cloud Software as a Service
GLOBALPROTECT
APERTURE
WildFire
TRAPS
COMPLETE CLOUD SECURITY
Private Cloud
Traps
Continuous innovation
GlobalProtect
WildFire
AutoFocus
Aperture
Threat Prevention
URL Filtering
A unique and distinctive platform
Cloud Datacenter Enterprise perimeter Distributed/BYOD Endpoint
Next-Generation Firewall
Cybersecurity:
IDS / IPS / APT
Web gateway VPN Mobile security
Panorama, M-100 & M-500 appliances
PAN-OS™
Consistency
Products
Subscriptions
Use cases
Management system
Physical: PA-200, PA-220, PA-500, PA-800 Series, PA-3000 Series, PA-5000 Series, PA-5200 Series, PA-7000 Series
Virtual: VM-Series for ESXi, NSX, Hyper-V, AWS, Azure, KVM and Citrix
URL Filtering
GlobalProtect™
WildFire™
Threat Prevention
Operating system
Traps™, Aperture™
Private Cloud (NSX, OpenStack)
EXPANDED DATA AND APPLICATION LOCATIONS
Private Cloud (NSX, OpenStack)
Software as a Service (SaaS)
With dynamic address groups and context awareness between NSX Manager and Panorama
Benefits of the Integration
Automatically apply security protections on demand
Workload movement with advanced threat protection and application-level segmentation policies.
Reduce the attack surface area within your software-defined data center
Protect your assets from both known and unknown cyber threats
Keep security in sync with the creation and movement of workloads
Dynamic update of security policies
…using security tags on the Palo Alto Networks VM-Series
ABUNDANT USE OF SAAS APPLICATIONS
Palo Alto Networks - RSA 2017
Remote users
On-prem users
Sanctioned
Tolerated
Unsanctioned
SAAS RISKS
MALICIOUS DATA EXFILTRATION
ACCIDENTAL DATA EXPOSURE
MALWARE PROPAGATION
OVERLAY APPROACH IS INSUFFICIENT AND DOES NOT SCALE
Sanctioned
Tolerated
Unsanctioned
Remote users
On-prem users
Log Forwarder
Traffic Forwarder
AD Connector
Pac File Merge
Or Addt’l VPN Agent
Pac File Merge
CLOUD PROXY
CLOUD PROXY
Evasion tools
OUR PLATFORM APPROACH
Remote users
On-prem users
Sanctioned
Tolerated
Unsanctioned
Complete visibility and control for on premise activity with PAN-OS Next Generation Firewall
Monitor and control in-cloud activity with Aperture
Complete visibility and control for remote users via GlobalProtect
Firewall provides critical visibility and control of SaaS apps
• Next-generation firewall provides context and control
• Application or app function
• User or role
• Nature of content
• Core functionality of PAN-OS from the beginning
• On-prem users covered by gateway firewall policy
• Remote user traffic transparently routed through GlobalProtect
344 KB
URL category: file-sharing
File type: PowerPoint
Content: “Confidential and Proprietary”
User: mjacobsen
Group: prodmgmt
Destination country: canada
Source IP: 172.16.1.10
Destination IP: 64.81.2.23
Destination port: TCP/443
Protocol: SSL
Protocol: HTTP
Application: slideshare
Application function: slideshare-uploading
Complete security for data in the cloud via SaaS application APIs
• Advanced Data Classification
• Prevent Sensitive Data Leakage
• Eliminate Malware with WildFire integration
INSTANTLY REMEDIATE RISKS WITH APERTURE
Quarantine
Limit Sharing
Notify
Log
APERTURE - Industry Leading App Support
Regions: AMERICAS, EMEA, APAC
Applications: BOX.COM, GITHUB, GOOGLE DRIVE, SFDC, DROPBOX, YAMMER, SLACK, SECURE DATA SPACE, JIVE, SERVICENOW, EXCHANGE ONLINE, AMAZON S3, SHAREPOINT ONLINE, ONEDRIVE FOR BUSINESS, EC2 / IAM, G SUITE, CONFLUENCE, CITRIX SHAREFILE
Ransomware
Why Palo Alto Networks?
Prevention
Zero-Day
Reduce Risk
Policy
Visibility
Remediation
Detection
Endpoint
Data Center
Mobility
BYOD Management
Vulnerability
Responsive
Exploit
Anti-Malware Forensics
Automation
Private Cloud
Public Cloud
Performance
Scalability
Platform
Segmentation
Applications
Users
Control
Agile
Perimeter
Integrated
Support
Web Security
Command-&-Control
Virtualization
Ecosystem
Context
Correlation
Services
People
Culture
Safe Enablement
Application
Where to start?
• To learn more
Visit https://downloads.cloudsecurityalliance.org/assets/research/collaborative/Security-Considerations-for-Private-vs-Public-Clouds.pdf
Where to start?
To learn more
Visit https://www.paloaltonetworks.com/products/secure-the-network/virtualized-next-generation-firewall/vm-series
Paper: VMware – Palo Alto Networks
Where to start?
To learn more
Try the Hands-On Lab (HOL-1723-SDC-1) at http://labs.hol.vmware.com/HOL/catalogs/lab/2727

Editor's Notes

  • #4: Here are some additional facts you can use based on where we closed at the end of FY15. We’ll update these numbers quarterly following each earnings release. At the end of Q4 ’15, we had more than 26,000 customers in over 140 countries across multiple industries. As of Q2 ’16, we now have more than 30,000 customers. Palo Alto Networks has been ranked an “enterprise firewall market leader” by Gartner in 2011, 2012, 2013 and 2014 (published April 2015). FY’15 revenues grew 55% year over year. We have consistently added more than 1,000 customers per quarter for the last 17 consecutive quarters, indicating a strong acceptance of our vision and strategy. We have over 3,300 employees worldwide. We’ve built a world-class global support operation with teams in the Americas, EMEA, Asia, and Japan.
  • #7: Let’s talk about how the security industry has responded as both threats and I.T. trends have evolved. Network security started with the “traditional”, port-based firewall. [click] As with many advancements in Enterprise I.T., as threats and I.T. technologies evolved, security products were added “one at a time”… The problem is that these are point products. They are each designed to address one type of problem, but they don’t work together. The implications of this approach are: costly (both CapEx and OpEx); difficult to manage (in addition to cost, this is also an agility concern). The main issue, though, is that it results in inferior security posture (based on fundamental limitations in how information, or context, is shared between security devices). [click] Even when “consolidated” into a single device, context is still not fully shared, and security capability suffers. We’ll get specific on why that’s the case shortly, but it shouldn’t be surprising given that this architecture is the result of point-products (or functions) being added “one at a time” without a focus on coordination. This slide represents a perimeter deployment, but the problem is the same for other use cases (including distributed I.T. environments). Namely, that it’s an architecture consisting of largely uncoordinated security functions in series, or layered… [click] In fact this is more of an “accidental architecture”, and it can’t provide the level of security needed to stop modern threats across today’s I.T. environments. We’ll come back to specific examples that show how this architecture is limited…
  • #8: Most architectures today resemble what you see in this picture: a set of siloed organizations, processes, and technical infrastructure that have largely been assembled like a manufacturing production line, where a series of security events roll down a conveyor belt of individual point products while different staff members perform their individual duties. Historically we’ve been able to get by. But as the attacks and the attackers evolve, these architectures are beginning to show their weaknesses, and today we see how they’re costly both in their inability to prevent targeted attacks and in their unnecessary cost to the organization. There are three specific issues we’ve pinpointed. Limited visibility: You can’t secure what you can’t see. Your security architecture must have the ability to see all applications, users and the individual devices on the network to prevent attacks that might utilize non-standard ports, protocols, or SSL encryption for evasion. Your security architecture must also have the ability to see and prevent new targeted attacks that are utilizing threats (malware, zero-day vulnerability exploits) that have never been seen before. Eliminate all blind spots. Lacks correlation: If attacks are multi-dimensional, so too must be your defenses. Your architecture must act like a system of systems where individual technologies work together in a coordinated manner to prevent attacks. Making each element within the system smarter. Manual response: With attacks evolving at a rapid pace, it’s critical that we wean ourselves from the “man in the middle”. Your security architecture must employ a system of automation that’s constantly learning and applying new defenses without a requirement for any manual intervention. It must weed out the congestion, automatically handling low to medium level severity cases so you can focus your team’s attention on only the highest priority incidents.
  • #9: Now…this is probably what your current network infrastructure looks like: Behind your port-blocking firewall there is most likely a standalone IPS, Quality of Service, URL Filtering, Data Leakage Prevention, Proxy, Antivirus, and maybe others…but our position is that sprawl is not the answer. <Click to animate> And bolting it all in one box, as UTM vendors have done, doesn’t work for several reasons: UTMs are all stateful inspection based – it is part of the UTM definition: stateful inspection + IPS + AV as outlined by IDC around 10 years ago. In all UTMs, the port-based decision is made first – this cannot be changed. Then the application, IPS, AV, URL decisions are made sequentially using a silo-based scanning approach – but it is all still based on what the stateful inspection (port-based) decision was. None of the information learned by the first scan is shared with the second, third or fourth. So ultimately, the decisions are either allow or deny – nothing in between. Sheet metal integration merely puts everything in one box for the sole purpose of lowering costs – nothing more. Nothing has changed. It’s all the same stuff, just a lot slower and cheaper. We believe that the firewall is STILL the ideal location to exert control over traffic flowing across the network. But we believe control needs to be based on the application identity, regardless of which port/ports it uses – and here’s why… ------------------- Explain why customers have deployed all of these devices – the control that once existed in the firewall has eroded over time. Added devices or scanning engines do not solve the problem. UTMs exist for the sole purpose of consolidating devices to save money. UTMs suffer from performance issues, multiple policies, silo-based scanning, multiple databases, logs, etc. UTMs are all stateful inspection based – they all make their first decision on port. This is not our value-add.
  • #10: We’d like to help you build a prevention-focused architecture that stops at nothing short of complete visibility into all traffic; is natively integrated in such a way that no gaps exist and context is delivered so you only have to react to the threats that are critically important; is highly automated to reduce or remove manual response; and enables you to drive seamless policy throughout your organization to reduce your attack surface and eliminate unnecessary risk. How do we do that? If you go back in time, the first thing we said we were going to do as a company was safely enable the use of all applications on your network. Why is that important? Attackers know that one of the easiest ways to get into your network is through an application. Back in the mid-90’s our founder, Nir Zuk, created the first stateful inspection firewall. Stateful inspection firewalls use port, protocol and IP addresses to make security policy decisions. That was OK in the mid-90’s when you had only two applications on your network – email and web – that communicated over a very predictable set of ports. At the time there was also a very limited number of devices to contend with on your network. Fast forward to the early 2000’s and Nir could see that the number of applications landing on the network was about to explode, and that stateful-based firewalls would be incapable of handling this new environment where these applications utilized significantly more ports and followed non-standard patterns that the stateful firewall simply couldn’t anticipate. Mega trends like BYOD, mobility and cloud computing added further complications. Nir made the decision to re-invent the firewall and develop a new approach that took the guessing out of security, and provided a much more robust solution for managing applications, users and devices. That approach led to the formation of Palo Alto Networks in 2005, and the creation of the industry’s first next-generation firewall in 2007.
The big difference between stateful firewalls and next-generation firewalls is we don’t guess. We don’t guess about applications, we don’t guess about users, we don’t guess about content, and we don’t guess about devices. We definitively inspect and identify all applications, users, content, and devices operating across your network. That means you get real visibility on your network, which leads to better security. The next thing we said we were going to do was prevent both known and unknown cyber threats for all users on any device across any network. To achieve this we developed a series of cloud-based services that integrate closely with the next-generation firewall and deliver automated threat detection and prevention. We have four cloud-based services today – Threat Prevention, URL Filtering, WildFire and GlobalProtect for mobile security. Let’s pick one of these services, WildFire, to demonstrate the power of this integrated approach. Now, if an attacker attempts to breach your organization using a known threat, we’re going to automatically block that attack using a combination of our next-generation firewall and cloud-based services (Threat Prevention, URL Filtering and GlobalProtect). If the threat is unknown, we’re going to quickly turn it into a known threat using WildFire, which detects and analyzes potentially malicious files looking for new forms of malware, malicious URLs or command-and-control sites. As those unknown threats are detected, WildFire automatically develops new protections and within minutes routes those tools back to your cloud-based services. We don’t just route those tools to your systems, we route them to the global customer base so you benefit from the multiplier effect of a large threat intelligence community. This automated process ensures that your platform can deliver the highest levels of security for all users on any device across your entire network. The newest technology we’ve brought to market is advanced endpoint protection.
Let me tell you why we went down this path. Legacy providers have not been able to keep up with the challenges associated with advanced threats that have been finding their way onto the endpoint, then working their way into the network. We looked across the market, at all of the different approaches, and decided something truly disruptive had to happen. Many of the “newer” technologies have effectively given up on prevention and instead focus their efforts on detection and remediation. Other prevention-based approaches were simply ineffective at stopping advanced threats, or imposed too much operational overhead to be viable on a large-scale basis. We came up with a very unique approach that prevents all exploit and malware-based attacks, even those based on unknown zero-day vulnerabilities. And we do this with a very lightweight and scalable technology. This approach has proven to be highly effective at protecting endpoints from advanced attacks – including laptops, servers, industrial control systems, bank ATMs, medical devices and retail point of sale systems. So, to wrap it up, our core value proposition is that we provide an enterprise security platform that safely enables all applications through granular use of controls and prevention of known and unknown cyber threats for all users on any device across any network. In doing so we’re able to deliver superior security with superior TCO.
  • #12: Our platform is highly extensible and over the years we have added many subscription services that provide additional security capabilities to our end-customers and additional revenue opportunities to us. Some of these subscriptions come in the form of an attached service to our Next-Generation Firewalls, such as WildFire, Threat Prevention, URL Filtering, and GlobalProtect. The Traps subscription is based on the number of protected endpoints and servers. The AutoFocus subscription will be based on the number of SOC users that make use of the service. The Aperture subscription will be based on the number of users for each sanctioned SaaS application that is covered by the service.
  • #14: Cloud architectures have fundamentally changed the way organizations manage their datacenter operations. With the emergence of the software-defined data center powering private clouds (examples of which include VMware NSX and OpenStack), and public cloud adoption of Amazon Web Services and Microsoft Azure growing at a rapid pace, organizations have rapidly adopted them to meet the business needs of agility, scale and competitive pressures. The third leg of the data center evolution is the expansive use of software as a service applications like Office365, Box, Dropbox and salesforce.com. During this evolution, the well understood principles of network security and defense in depth approaches practiced in traditional brick and mortar data centers are being challenged. Let’s look at these security challenges within cloud deployment… Not too long ago, data centers looked a bit like this: traditional on-premises servers running all manner of apps. They might be a mix of different technology, from different acquisitions and mergers, or merely from expansion over time. The challenge is a mixed environment that limits scale, agility and competitiveness while increasing costs. With the maturation of virtualization technology, and a need to standardize their infrastructure and be more agile/flexible, customers have rapidly moved to a point where much of their on-premises DC is now virtualized. <click> Defined as a private cloud and/or as a software-defined network, VMware NSX and Cisco ACI are the primary vendor examples here. Almost as rapidly as private cloud adoption occurred, organizations are moving workloads to public cloud environments such as Amazon or Azure. <click> Often referred to as IaaS or PaaS, these environments provide some added benefits over and above a private cloud; specifically, they eliminate much of the underlying infrastructure management.
The third leg of the data center evolution is the expansive use of software as a service applications like Box, Dropbox and salesforce.com. Further fueling this evolution are the goals and objectives of both the CISO and the CIO.
  • #17: SaaS has its own specific dangers to deal with that the NGFW does not see. Unknowing users are just as dangerous as malicious outsiders. So we have shown how the NGFW treats SaaS apps like any other app, with visibility and granular control of access. But once a SaaS app is defined as sanctioned and data is sent to the cloud where that app resides, there are new challenges. The data is no longer under the company’s control and visibility is often lost. Even though the SaaS companies do their best to protect the data, it is not their responsibility in the end. Just like any other piece of the customer’s network, it is the SecOps team’s responsibility to protect and control access to the data. [click] The first challenge is that the application becomes a new entry and distribution point for malware. This is often the breach point for malicious outsiders, which we showed before as the most common type of breach, and it needs to be protected. Some malware even targets SaaS applications, changing their shares to public so the data can be retrieved externally. [click] Next is the accidental data exposure by unknowing employees. This is one of the most common use cases and, as we showed before, was the second largest cause of breaches last year. This can be as simple as an employee sharing with someone who also has share privileges, and it eventually gets out of control when someone down the line shares publicly. Another common occurrence is mistyping a name when sharing and sharing with the wrong person, a group or even someone external. And very common are ghost shares: employees and vendors that are no longer working with the company, but whose shares remain. [click] Last, you have to deal with internal malicious users that purposely share data for theft or revenge. This is less common, being the third most common form of breach last year, but still a threat that needs to be addressed.
This can be as simple as an employee that is leaving the company setting all the folders to be shared publicly or with an external email address to steal the data.
  • #18: SaaS usage needs to be understood:
      • Know which apps are being used
      • Know who is using them
      • Know what data is going into them
    SaaS usage needs to be controlled:
      • Block apps where risk is unmanageable
      • Control usage for apps that are allowed but not managed
      • Apply deep security to apps that are sanctioned
      • Apply device level access control from managed vs. unmanaged assets
  • #25: N/A
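The exposure cases in the slide 17 notes (public links, shares to outside addresses, ghost shares of departed employees and vendors) can be checked against a permissions export from a sanctioned app. The following is an added example, not part of the original deck or of any Palo Alto Networks product; the record layout, domains and account names are constructed assumptions.

```python
# Added example: audit a SaaS sharing export for the exposure cases described
# in the slide 17 notes. All names, domains and records are constructed.
from collections import defaultdict

COMPANY_DOMAIN = "example.com"  # assumption: a single corporate domain
ACTIVE_ACCOUNTS = {"ana@example.com", "luis@example.com",
                   "ops@vendor.example.net"}  # current employees and vendors

SHARES = [  # constructed sample of a file-sharing app's permission export
    {"file": "q3-forecast.xlsx", "link": "public", "shared_with": []},
    {"file": "design.pdf", "link": "private",
     "shared_with": ["ops@vendor.example.net"]},
    {"file": "payroll.csv", "link": "private",
     "shared_with": ["ana.personal@mail.example.org"]},
    {"file": "roadmap.docx", "link": "private",
     "shared_with": ["marta@example.com", "old@vendor.example.net"]},
]


def classify_grantee(address):
    """Return the finding one grantee triggers, or None if the share is fine."""
    address = address.strip().lower()
    if address in ACTIVE_ACCOUNTS:
        return None
    domain = address.rpartition("@")[2]
    # On the company's or a current vendor's domain but not an active account:
    # a former employee or vendor contact whose share was never revoked.
    known = {COMPANY_DOMAIN} | {a.split("@")[1] for a in ACTIVE_ACCOUNTS}
    if domain in known:
        return "ghost_share"
    return "external_share"


def audit_shares(shares):
    """Map each finding type to the sorted list of affected file names."""
    findings = defaultdict(set)
    for record in shares:
        if record["link"] == "public":
            findings["public_link"].add(record["file"])
        for grantee in record["shared_with"]:
            kind = classify_grantee(grantee)
            if kind:
                findings[kind].add(record["file"])
    return {kind: sorted(files) for kind, files in findings.items()}


if __name__ == "__main__":
    for kind, files in sorted(audit_shares(SHARES).items()):
        print(f"{kind}: {', '.join(files)}")
```

The active-account set is the input that makes ghost shares visible, so it should be fed from the identity provider and vendor offboarding records rather than maintained by hand.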