Avr presentation

Application Visibility and Risk Report for Ekamai International School


Transcript of Avr presentation

Page 1: Avr   presentation

Application Visibility and Risk Report for Ekamai International School

Page 2: Avr   presentation

INSTRUCTIONS TO SEs (Please delete)

Factory Reset box and upgrade to latest version of PAN-OS before starting AVR

Turn on all Threat Prevention / URL Filtering / Data Filtering / Wildfire

Make sure tapped zone has interesting data – User Zones

Make sure there’s data in all logs / ACC before leaving customer site

Run no more than 3-5 days of data collection

Download Raw Logs from monitor tab for further analysis

Fix presentation date to key stakeholders the following week of the AVR data collection

2 | ©2012, Palo Alto Networks. Confidential and Proprietary.

Page 3: Avr   presentation

Agenda

How was the AVR captured ?

Summary applications found

Business Risks Introduced by High Risk Application Traffic

Top Applications (Bandwidth)

Applications that use HTTP (Port 80)

Top URL Categories

Top Threats

Recommendations


Page 4: Avr   presentation

How was the AVR captured ?

Port Mirror

Non-Intrusive

Data Gathering 3-5 days

Report Generation

Report contains no IP information, purely statistic data collection


Page 5: Avr   presentation

How was the AVR captured ?


Page 6: Avr   presentation

Summary Of Applications Found

Personal applications are being installed and used - Elevates business and security risks

Applications that can be used to conceal activity - Hides activity that can be malicious (intended or unintended)

Applications that can lead to data loss - Security risks, data loss, compliance and copyright infringements

Applications for personal communications - Productivity loss, compliance and business continuity loss

Bandwidth hogging, time consuming applications - Consumes corporate bandwidth and employee time

Page 7: Avr   presentation

Business Risks Introduced by High Risk Application Traffic


Page 8: Avr   presentation

Business Risks Introduced by High Risk Application Traffic

Data Loss (24%) - application file transfer can lead to data leakage

Compliance (24%) - ability to evade detection or tunnel other applications can lead to compliance risks

Operational Cost (12%) - high bandwidth consumption equates to increased costs

Productivity (18%) - social networking and media apps can lead to low productivity

Business Continuity (23%) - applications that are prone to malware or vulnerabilities can introduce business continuity risks.

“Identifying the risks an application poses is the first step towards effectively managing the related business risks.”

Page 9: Avr   presentation

High Risk Application Traffic – Key Observations

Key observations on the 85 high risk applications:

Activity Concealment:

Proxy (1) and remote access (3) applications were found. In addition, non-VPN related encrypted tunnel applications were detected. IT-savvy employees are using these applications with increasing frequency to conceal activity and, in so doing, can expose EIS to compliance and data loss risks.

File transfer/data loss/copyright infringement:

P2P applications (12) and browser-based file sharing applications (6) were found. These applications expose EIS to data loss, possible copyright infringement and compliance risks, and can act as a threat vector.

Personal communications:

A variety of applications that are commonly used for personal communications were found, including instant messaging (8), webmail (6), and VoIP/video conferencing (3). These types of applications expose EIS to possible productivity loss, compliance and business continuity risks.

Bandwidth hogging:

Applications that are known to consume excessive bandwidth, including photo/video (14), audio (1) and social networking (11), were detected. These types of applications represent an employee productivity drain, can consume excessive amounts of bandwidth, and can act as potential threat vectors.
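The key observations above are a per-category count of distinct applications plus a bandwidth ranking, built from the raw logs the SE downloads from the Monitor tab. The script below is an added example (not Palo Alto Networks code) that produces that kind of summary from a constructed, simplified CSV export: the column layout, the App-ID-to-category mapping (APP_CATEGORY) and every log row are assumptions for illustration, and real PAN-OS traffic log exports carry far more columns. It drops source and destination addresses before aggregating, so the output is purely statistical, as the report itself is.

```python
"""Aggregate constructed PAN-OS-style traffic log rows into an AVR-style summary.

Added example, not Palo Alto Networks code. The CSV layout, the app-to-category
mapping and every log row below are constructed for illustration.
"""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample export: only the columns the summary needs.
SAMPLE_LOG = """receive_time,src,dst,app,bytes
2012-05-01 09:00:01,10.0.1.5,203.0.113.7,bittorrent,52428800
2012-05-01 09:00:04,10.0.1.9,203.0.113.8,youtube-base,104857600
2012-05-01 09:00:09,10.0.2.3,203.0.113.9,tor,20480
2012-05-01 09:01:00,10.0.1.5,203.0.113.10,gmail,3145728
2012-05-01 09:01:07,10.0.3.8,203.0.113.11,rtmp,83886080
2012-05-01 09:01:30,10.0.1.9,203.0.113.12,bittorrent,20971520
2012-05-01 09:02:00,10.0.4.1,203.0.113.13,ms-update,41943040
2012-05-01 09:02:10,10.0.2.3,203.0.113.14,facebook-base,2097152
"""

# Hypothetical mapping from App-ID name to the risk groups used in the
# key observations. Apps not listed here are treated as not high risk.
APP_CATEGORY = {
    "tor": "activity concealment",
    "bittorrent": "file transfer / data loss",
    "gmail": "personal communications",
    "facebook-base": "bandwidth hogging",
    "youtube-base": "bandwidth hogging",
    "rtmp": "bandwidth hogging",
}


def parse_rows(text):
    """Parse the CSV export, keeping only app name and byte count so the
    summary carries no IP information."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        rows.append({"app": r["app"], "bytes": int(r["bytes"])})
    return rows


def summarize(rows):
    """Return distinct apps per risk category, apps ranked by bytes, and the
    share of total bytes that belongs to high risk applications."""
    apps_by_cat = defaultdict(set)
    bytes_by_app = defaultdict(int)
    for r in rows:
        bytes_by_app[r["app"]] += r["bytes"]
        cat = APP_CATEGORY.get(r["app"])
        if cat:
            apps_by_cat[cat].add(r["app"])
    total = sum(bytes_by_app.values())
    high_risk = sum(b for a, b in bytes_by_app.items() if a in APP_CATEGORY)
    return {
        "apps_per_category": {c: sorted(a) for c, a in apps_by_cat.items()},
        "top_apps_by_bytes": sorted(
            bytes_by_app.items(), key=lambda kv: kv[1], reverse=True
        ),
        "high_risk_share_pct": round(100.0 * high_risk / total, 1) if total else 0.0,
    }


if __name__ == "__main__":
    summary = summarize(parse_rows(SAMPLE_LOG))
    for cat, apps in summary["apps_per_category"].items():
        print(f"{cat}: {len(apps)} app(s) -> {', '.join(apps)}")
    print("top apps by bytes:", summary["top_apps_by_bytes"][:3])
    print("high risk share of bytes: %.1f%%" % summary["high_risk_share_pct"])
```

On the constructed rows the ranking puts youtube-base and rtmp ahead of bittorrent, and the high risk applications account for 86.4% of bytes; on a real export the same two functions work unchanged once the column names and APP_CATEGORY are adjusted to the customer's data.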


Page 10: Avr   presentation

Activity Concealment – Compliance, Data Loss Risks


Page 11: Avr   presentation

ACC – Concealment (Example: tor)

Page 12: Avr   presentation

File Transfer / Data Loss / Copyright Infringement – Data Loss, Copyright Infringement, Compliance Risks

Page 13: Avr   presentation

ACC – Concealment (Example: bittorrent)

Page 14: Avr   presentation

Personal Communications – Productivity Loss, Compliance, Business Continuity Risks


Page 15: Avr   presentation

Personal Communications – (Example: Gmail)

Page 16: Avr   presentation

Bandwidth Hogging – Productivity Loss Risks


Page 17: Avr   presentation

Bandwidth Hogging – (Example: rtmp)

Page 18: Avr   presentation

Bandwidth Hogging – (Example: youtube-base)

Page 19: Avr   presentation

Top 35 Applications (Bandwidth Consumption)


Page 20: Avr   presentation

Applications that use HTTP


Page 21: Avr   presentation

Top URL Categories


Page 22: Avr   presentation

URL Sites (Example: Social Networking)

Page 23: Avr   presentation

Top Application Vulnerabilities


Page 24: Avr   presentation

Vulnerability (SMB: User Password Brute-Force Attempt)

Research from the Internet – Google, Yahoo, etc.

Page 25: Avr   presentation

Extract from ACC

Vulnerability (SMB: User Password Brute-Force Attempt)

Page 26: Avr   presentation

Spyware and Viruses Discovered

Page 27: Avr   presentation

Spyware and Virus (Conficker)

Page 28: Avr   presentation

Extract from ACC

Spyware and Virus (Conficker)

Page 29: Avr   presentation

APT / Zero Day Malware Detected by WildFire


Page 30: Avr   presentation

APT / Zero Day Malware Detected by WildFire


Page 31: Avr   presentation

WildFire Malware Analysis


Page 32: Avr   presentation

WildFire Malware Analysis


Page 33: Avr   presentation

WildFire Malware Analysis


Page 34: Avr   presentation

WildFire Malware Analysis


Page 35: Avr   presentation

WildFire Malware Analysis


Page 36: Avr   presentation
Page 37: Avr   presentation
Page 38: Avr   presentation

Recommendations

Implement safe application enablement policies

Address high risk areas such as P2P and browser-based file sharing

Implement policies dictating use of activity concealment applications

Regain control over streaming media applications

Seek Application Visibility and Control


Page 39: Avr   presentation

Thank You