Cybersecurity Financial Services

Cybersecurity Imperatives in Financial Services: Take Unnecessary Complexities (and Costs) Out of Security


Palo Alto Networks: Cybersecurity Imperatives in Financial Services

Table of Contents

Executive Summary

Take Unnecessary Complexities (and Costs) Out of Security

Cyberattacks and APTs: How to Evolve From Passive Detection to Proactive Prevention

• Detect and Block Advanced and Unknown Threats

• The Benefits of a Closed-Loop Approach and Shared Intelligence

• Shorten Investigation and Incident Response Times

• Today’s Threats Hide in Encrypted Communications—Why You Don’t Need Yet Another Security Product to Find Them

Modern Computing: Put Security First When Consolidating or Virtualizing Your Datacenters

• Realize the True Benefits of Datacenter Virtualization

• Regain Control and Full Visibility Over East-West Traffic

• High-Performance Security – There’s No Need to Compromise Between Performance and Security

• Summary: A Complete Security Portfolio for Datacenter Initiatives

Manage a New Wave of Mobility Initiatives

Network Segmentation: More Than a Best Practice; a Must Have—Especially For Compliance

Security at Scale: Manage Thousands of Security Appliances

Summary: Palo Alto Networks for Financial Services

From Reactive Detection to Proactive Prevention: Take the First Step Today


Executive Summary

Financial institutions around the world are targeted by cybercriminals more than any other industry. To minimize risks, you need to evaluate the current state of your security, aggressively identify the most significant risks, and then make rapid improvements to modernize your security infrastructure and lower your exposure.

Unfortunately, like many other organizations, you have probably been adding security products organically to your networks and endpoints for years in order to patch contemporary security concerns. As a result, now you have a patchwork of siloed security solutions that are hard to manage, costly to maintain, and do not provide enough timely and integrated threat intelligence to systematically identify and block APTs.

Palo Alto Networks can help you remove complexity from your current security infrastructure so you can more efficiently block today’s high-volume cyberattacks and APTs. Our enterprise security platform takes a modern approach to security, with innovative and efficient technologies that allow you to monitor and control all network traffic and automate threat prevention—all while optimizing your computing resources and human capital.

With our modern approach to cybersecurity, you can achieve significant operational benefits and improve overall security. These include:

• Minimize the business risks related to cyberattacks, whether from advanced targeted threats (APTs) or insider breach.

• Improve your visibility and control over operational costs related to security.

• Support the secure and timely deployment of the innovative technologies your business needs to remain competitive in today’s global economy.

• Build confidence that your security solution will scale with increases in network loads as more and more transactions get digitalized.

• Centralize threat intelligence to gain better insights into incidents, and correlate events to accelerate your ability to respond.

• Streamline compliance audits and more easily meet various requirements for the ever-increasing list of industry regulations.

Networks, endpoints, and computing infrastructure must be continuously monitored for intrusions and protected against cyberattacks. Palo Alto Networks security platform gives you:

• Visibility into who and what is on your network at all times.

• Control and enforcement over who has access to what at any point in time.

• Continuous monitoring with rules and automated alerts.

• Automation of basic, high-volume security tasks so that security teams can focus on the most dangerous threats.

“Seeing how well the firewall performed in our production environment, and the ease with which we were able to set up and run our policies on our network in just one day, really sold our team on Palo Alto Networks… We are keenly aware of the sensitivity of the data running on our network every day. We need a solution that ensures our clients’ assets are protected while at the same time ensuring high performance access to applications that help our business run efficiently.”

— Chief information security officer for Raymond James Financial.


Take Unnecessary Complexities (and Costs) Out of Security

Over the years, complexity has quietly invaded security as additional layers of technology were brought in to patch security products that were designed when the Internet was in its infancy. One common challenge and weak point in many enterprises’ defense today is the myriad of point products that do not always integrate with each other.

Even if you have well-resourced cybersecurity teams, you can no longer expect your security staff to put all of the pieces together—it has simply become too hard to rely solely on the manual processing of incidents to keep up with the unabated rise in cyberattacks. Deploying point products is expensive and complex, brings a high risk of network performance degradation, and, in many cases, does more harm than good. A fragmented approach provides too many holes for cyberattacks to hide in, requires too many manual steps, and slows down your ability to respond and take action when a breach occurs.

Palo Alto Networks solution eliminates some of the complexities involved with point products—firewall, IPS, IDS, URL filtering, and more. Our next-generation enterprise security platform provides visibility at all layers, and into every step in an advanced attack. Moreover, it does so with a single inline security appliance designed from the ground up to make defensive decisions based on one pass of your data, and at a fraction of the cost to deploy and manage an equivalent set of point products.

Figure 1: Palo Alto Networks enterprise security platform eliminates complexities out of security

Cyberattacks and APTs: How to Evolve From Passive Detection to Proactive Prevention

For financial institutions, the stakes are high; many have already allocated significant resources to protect their assets. As a result, attackers know they have to use more evasive tactics to penetrate enterprise networks in the financial services industry.

Unfortunately, too often attackers are not only able to penetrate a targeted network, but they also successfully establish a beachhead and remain undetected for significant periods of time while inflicting damage. This can lead to tremendous losses, ranging from reputational and monetary damage to the loss of intellectual property. An effective response to today’s advanced attacks must move beyond protective measures to add preventive strategies and early detection of the indicators of compromise.

[Figure 1 labels: Identify, control & decrypt; Detect & prevent known & unknown threats; Automated closed-loop protections & forensics; Network, Threat Cloud, Endpoint; Traditional Infrastructure, Mobile Devices, Cloud, Public Cloud, Private Cloud, SaaS]


Palo Alto Networks threat prevention is built on our platform’s unique ability to inspect all traffic on all ports, regardless of evasion tactics, combined with a next-generation architecture that brings multiple security disciplines natively together into a single engine. Armed with significantly improved contextual intelligence about traffic and threats, your security teams can easily see beyond individual security events and recognize the interconnection between applications, exploits, malware, URLs, DNS queries, and anomalous network behaviors.

The insights your security teams glean from our enterprise security platform allow them to automate some of the mundane, time-consuming tasks related to security, and spend more time on in-depth research. Full access to a wider range of correlated information about your traffic, applications, users, malware, and more—all in one single engine—streamlines security management and reporting, simplifies the analysis of security incidents, and enables you to reach key conclusions faster.

Detect and Block Advanced and Unknown Threats

For APTs and unknown threats, Palo Alto Networks uses a cloud-based virtual environment—“a virtual sandbox”—that analyzes the behavior of traffic and payloads suspected to be malicious. Our service, WildFire™, can discover the delivery of malicious and executable code by observing malware’s behavior, rather than solely relying on pre-existing signatures. WildFire also looks into malicious outbound communication, disrupting command-control (C2) activity with anti-C2 signatures and DNS-based callback signatures that are created and distributed back to our next-generation firewalls in as little as 30 minutes.

In addition, you will receive integrated logs, analysis, and visibility into events in your Palo Alto Networks management interface, Panorama, or your personal WildFire portal. This allows your security team to quickly investigate and correlate events observed in your networks.

These quick updates also help you stop malware from spreading further, and identify and block the proliferation of all future variants without any additional action or analysis.

The Benefits of a Closed-loop Approach and Shared Intelligence

Detecting a new threat is always the first step, but the real value of WildFire lies in automatically protecting your users and network with a closed-loop approach: the intelligence about newly discovered threats is immediately shared and distributed to our next-generation firewalls deployed in your network for enforcement.

When an unknown threat is discovered, WildFire generates protections to block the threat across the cyber kill-chain by sending updates to your next-generation firewalls deployed inline in your network. Next, the newly distributed signatures are immediately used, with no manual intervention, to block any further malicious traffic related to the discovered threats. This blocks all typical inbound and outbound malware communication mechanisms such as outbound C2 traffic or DNS-based callback. Our closed-loop approach eliminates many of the manual tasks required by fragmented legacy solutions, supports the systematic automation of time-critical security tasks, and frees your security resources to pursue more proactive security activities.

All threat intelligence is shared with our customer base worldwide in as little as 30 minutes, enabling our entire user community to benefit from the rapid, collective discovery of malware at more than 16,000 organizations worldwide.

Advanced Persistent Threats (APT) employ evasive techniques to enter a network, establish a beachhead, and then move laterally within the targeted organization. APTs sometimes disguise or bundle themselves with legitimate traffic and payload, which has proven challenging for traditional security solutions to detect. Once inside the targeted organization, an APT can maintain communication channels with its controller(s)/ handler(s). It can steal information and receive further instruction through an encrypted tunnel to and from an external command and control entity. In addition, it can receive malicious code updates, which are reassembled within the compromised target network. This can make signature detection more difficult and add more damaging capabilities to the resident malware.


Figure 2: Closed-loop approach to threat prevention: from detection to in-line enforcement

Shorten Investigation and Incident Response Time

Because our enterprise security platform provides immediate access and visibility into threat intelligence—with no additional data transformation or integration required—administrators receive integrated logs, analysis, and visibility into WildFire events. Your security teams can quickly investigate and correlate events observed in your networks, locate the data needed for timely investigations and incident response—such as host-based and network-based indicators of compromise—and make this data actionable through log queries or custom signatures.

Top recommendations for systematic and proactive prevention

1. Review your current network segmentation. Ensure that what is most critical is treated that way. Use ‘zones’ to compartmentalize different segments of your network; protect assets from unauthorized applications or users; reduce the exposure of vulnerable or non-patchable systems; and prevent the lateral movement of malware throughout the network. Default to a ‘zero trust’ approach and inspect all traffic regardless of what it is and its location on your network. The advent of APTs has made ‘no trust’ adoption critical.

2. Establish a baseline view of all applications on your network. Create a detailed inventory of applications generating traffic on specific zones of your network to help inform a constructive dialogue between IT and the business about which applications are legitimate and critical to the business. With this benchmark in hand, you can start applying appropriate security controls such as raising alerts on rogue applications, and ensuring ongoing visibility into legitimate applications—their payload, and the employees, users, and departments accessing them—to detect anomalies.

3. Use your benchmark to make important application decisions. Once you have vetted the list of legitimate applications on any section of your network, you can progressively start to apply more drastic security controls in sensitive zones such as “block all, except the few applications that are explicitly identified as legitimate.” Use the detailed level of visibility that Palo Alto Networks gives you into applications, users, and content for the flexibility and granular control to choose which applications and content should be available to which departments. Then give only authorized users access to your approved applications.

4. Maintain visibility at the user, content, and application level at all times. This is not a log analysis exercise, but one of contextual awareness, visibility, and anomaly detection that your security team can leverage to effectively identify indicators of compromise.
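The four recommendations above, worked through as an added example (not part of the white paper, and not Palo Alto Networks code or policy syntax): it builds a per-zone application inventory from flow records, lists rogue applications for review, and applies a default-deny allowlist to new traffic, including traffic that stays inside one zone. The zone, application and user-group names and all flow records are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    app: str          # application label as classified by the inspecting device
    user_group: str   # department or role of the initiating user


# Constructed traffic observed during the baseline period (recommendation 2).
BASELINE = [
    Flow("branch", "cardholder-data", "oracle-db", "payments-app"),
    Flow("corp", "cardholder-data", "ssh", "dba"),
    Flow("corp", "cardholder-data", "bittorrent", "helpdesk"),
    Flow("corp", "trading", "fix-protocol", "traders"),
    Flow("trading", "trading", "smb", "traders"),
]

# Outcome of the IT/business review (recommendation 3):
# zone -> approved application -> user groups allowed to use it.
APPROVED = {
    "cardholder-data": {"oracle-db": {"payments-app", "dba"}, "ssh": {"dba"}},
    "trading": {"fix-protocol": {"traders"}},
}


def build_inventory(flows):
    """Per destination zone, record every application seen and who used it."""
    inv = defaultdict(lambda: defaultdict(set))
    for f in flows:
        inv[f.dst_zone][f.app].add(f.user_group)
    return {zone: dict(apps) for zone, apps in inv.items()}


def rogue_apps(inventory, approved):
    """Applications present in the baseline that the review did not approve."""
    return sorted(
        (zone, app)
        for zone, apps in inventory.items()
        for app in apps
        if app not in approved.get(zone, {})
    )


def evaluate(flow, approved, inventory):
    """Default-deny decision for one flow.

    Intra-zone traffic gets no exemption: the source zone is never used
    to grant trust, only the destination zone's allowlist is.
    """
    allowed = approved.get(flow.dst_zone, {})
    if flow.app not in allowed:
        seen_before = flow.app in inventory.get(flow.dst_zone, {})
        return ("deny", "unapproved-app" if seen_before else "new-app")
    if flow.user_group not in allowed[flow.app]:
        return ("deny", "unauthorized-group")
    return ("allow", "approved")


def alerts(flows, approved, inventory):
    """Recommendation 4: keep user and application context on every denial."""
    out = []
    for f in flows:
        action, reason = evaluate(f, approved, inventory)
        if action == "deny":
            out.append((f.dst_zone, f.app, f.user_group, reason))
    return out


# Constructed traffic seen after the allowlist is enforced.
NEW_TRAFFIC = [
    Flow("corp", "cardholder-data", "oracle-db", "dba"),
    Flow("corp", "cardholder-data", "ssh", "helpdesk"),
    Flow("trading", "trading", "smb", "traders"),
    Flow("cardholder-data", "internet", "unknown-tcp", "payments-app"),
]

if __name__ == "__main__":
    inventory = build_inventory(BASELINE)
    print("Rogue applications to review:", rogue_apps(inventory, APPROVED))
    for alert in alerts(NEW_TRAFFIC, APPROVED, inventory):
        print("ALERT", alert)
```

The "new-app" reason separates traffic never seen in the baseline from applications that were seen and rejected, which is the anomaly signal recommendation 4 asks the security team to keep in view.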


Today’s Threats Hide in Encrypted Communications—Why You Don’t Need Yet Another Security Product to Find Them

About one-third of application traffic today is SSL-encrypted, and this percentage is swiftly growing as applications default to encryption to strengthen security. It is a misconception to think encryption will protect you from APTs. Many malicious attacks can hide within encrypted traffic. Unfortunately, encrypted traffic is frequently not processed by security products, or requires an additional security device to be processed. This is not the case with Palo Alto Networks. We provide visibility into threat communications that hide within encrypted communications, and can detect and prevent threats within both cleartext and encrypted communications.

Modern Computing: Put Security First When Consolidating or Virtualizing Your Datacenters

Whether it is to optimize the use of existing datacenters, or part of a consolidation project, virtualization and cloud computing are core to every modernization initiative. Given the promise of these new computing models to deliver greater efficiencies, improved flexibility, and cost savings, financial institutions have been pioneers in the modernization of their datacenters and in the adoption of virtualization. Unfortunately, security is often an afterthought, or is viewed as slowing down key transformational datacenter and infrastructure initiatives.

Palo Alto Networks began investing many years ago in virtualization technologies, products, and partnerships to transform security from an impediment to an enabler for datacenter projects. Our next-generation security products are now available not only as physical appliances, but also in virtual forms to fit directly into a virtualized infrastructure. We have global partnerships with many of the leading datacenter ecosystem vendors, and enable deep, seamless integration with various technologies that enable virtualization.

Realize the True Benefits of Datacenter Virtualization

One of the main goals of datacenter virtualization for IT organizations in financial services is to realize some economy of scale by maximizing the use of available computing power across applications, geographies, and initiatives. However, the true promise of virtualization and cloud computing continues to be elusive.

One of the barriers slowing down the deployment of virtualized datacenters is network security. Traditional security approaches were never designed to keep up with today’s pace of application and server provisioning. While IT teams can deploy virtual servers in a matter of minutes, the related security policies still often follow manual, paper-intensive processes that can take weeks, if not months.

To address this challenge, Palo Alto Networks integrates directly with management orchestration services for datacenter virtualization. For example, Palo Alto Networks and VMware partnered to fully integrate our next-generation security with VMware’s NSX network virtualization platform. With this joint solution, you can unlock the full potential of your software-defined datacenter by unifying network security across your physical and virtual environments. This affords a single point of management, and you can provision security policies automatically as new servers and applications are provisioned.

Regain Control and Full Visibility Over East-West Traffic

Another challenge for datacenter virtualization initiatives is the lack of visibility into virtual machine-to-virtual machine (east-west) traffic, which opens doors for malware to make lateral moves.

Resources on your virtualized servers can be assigned to the deployment of our VM-Series—the virtual form of our next-generation firewalls—so that you can tie security policies to virtual machine movements (adds, moves, and changes), and create security policies that instantly sync with virtual workload creation. Once deployed, our VM-Series provides you with the same application visibility and control and traffic inspection as our physical security appliances, protecting your deployed virtual environment against all known and unknown threats.

With security capabilities dynamically following virtualized servers, your IT team will regain full control over inter-machine (east-west) traffic and can prevent lateral movements of threats between servers.


High-Performance Security—No Need to Compromise Between Performance and Security

Protecting your datacenter requires keeping up with a high volume of traffic. Any latency introduced by multiple layers of security, or add-on products, will often result in security being pulled out of the line of traffic by the network operation teams.

Our innovative security architecture enables you to control and inspect all traffic, including for threats, in a single pass, so that your IT team does not have to make compromises between security and performance. The latest addition to our portfolio of next-generation security appliances can protect your datacenter environments at speeds of up to 120 Gbps.

Figure 3: Protect modern datacenters - perimeter and virtualized environments

Summary: A complete security portfolio for datacenter initiatives

Palo Alto Networks provides a security architecture that protects, scales, and evolves with your datacenter’s need for physical, virtual, and mixed-mode environments. Our next-generation security platform addresses key virtualization and cloud challenges; from the inspection of intra-host communications and tracking security policies, to virtual machine creation and movement, to integration with orchestration software.

Palo Alto Networks eliminates the unacceptable compromises you previously faced with your datacenter network security. We enable you to deploy a simplified, high-performance, flexible network security infrastructure that safely enables business-critical applications and supports ever-increasing volumes of traffic in your datacenter.

Manage a New Wave of Mobility Initiatives

In the past, the broad adoption of smartphones was instrumental to increasing the work flexibility and productivity of employees in the financial industry. For example, many organizations sponsored their employees’ use of a corporate Blackberry. Now we are dealing with an even more ubiquitous deployment of mobile technologies, with many devices running on different operating systems such as Android or iOS.

Today, as part of a device refresh cycle, many financial organizations are starting to retire their Blackberry portfolio in favor of a full BYOD model, which allows employees to use their chosen devices to connect to the enterprise network. This completely breaks the traditional enterprise perimeter and creates new challenges for security teams.


When deploying the Palo Alto Networks security platform, you can extend the protection that our technology provides to your enterprise to the mobile devices that your employees use to connect to your network. GlobalProtect™, our solution for securing mobile devices, is comprised of three steps or components: manage the device, protect the communications, and control the data.

As part of GlobalProtect, our Mobile Security Manager (MSM) manages mobile device configurations and oversees device usage throughout your organization. As new devices are brought into the business environment, MSM validates their configuration and state, and automatically flags devices with pre-existing malware infections. GlobalProtect also ensures the consistent enforcement of network security policies, and the establishment of a secure connection (IPsec/SSL VPN tunnel) to your enterprise network. Finally, the GlobalProtect Gateway provides granular control over who can access sensitive applications and data, and file and data filtering capabilities, to control data movement.

Figure 4: A new approach to mobile security.

Network Segmentation: More Than a Best Practice, a Must Have—Especially to Support Compliance

Network segmentation by zones of sensitivity is widely recognized as one of the best practices to protect and isolate highly regulated data and processes. This is one of our top recommendations to support compliance with regulations, and simplify the audit process by reducing the scope of the infrastructure that needs auditing.

Segmentation is also very effective for protecting financial institutions with a global presence from attacks initiated in high-risk geographies. Applying tight controls, such as limiting network traffic between zones to legitimate applications only, will drastically reduce your exposure to global cyberattacks. It will also prevent the lateral movement of malware from remote offices to headquarters or datacenter facilities.

Network segmentation is also a great approach for implementing a multi-layer defense. With more and more of today’s attacks coming from the inside, you have to assume that some threats are present on your network at any given time. Network segmentation and systematic compartmentalization stop a threat’s ability to make a lateral move, or move from the edge to the core of your network.

Palo Alto Networks innovative approach to network security enables you to identify and classify all traffic on your network based on applications, users, and content. This unique capability is a key differentiator as you proceed with the segmentation of your network: a higher level classification allows you to use criteria and attributes that make business sense to codify the policies that allow or deny traffic in your specific network zones.


Security at Scale: Manage Thousands of Security Appliances

One challenge unique to large, global financial institutions is the ongoing management of a large portfolio of security products. It is not uncommon for global organizations to have to manage several hundreds—and even thousands—of security appliances. Ensuring that all of your appliances have up-to-date configurations, that security policies satisfy local and global regulations, and that incremental updates to security rules and policies do not overwrite each other, can be daunting.

This is why simplifying the deployment and management of various functions in our platform is always front-and-center in our product strategy. Below are some of the many ways Palo Alto Networks helps you simplify the management of deployed next-generation appliances:

• Our low- to high-end firewalls are built on the same underlying technology and deliver the same capabilities regardless of their respective bandwidth capacity. You can deploy a PA-7050 in your datacenter, and a PA-2050 in a remote location, and receive the same benefits from either.

• Using Panorama, our centralized management product, you can manage a distributed set of security appliances from one central location: view all traffic, manage all aspects of device configuration, push global policies, and generate reports on traffic patterns or security incidents.


“…Everything has become a lot easier… With the old firewall, it took us days to unearth the information. Now it’s simply a click on a button. I’m now more in control. Also the IPS capabilities are doing a great job for us.”

— Head of ICT Exploitation Department, Crédit Agricole Consumer Finance

Figure 5: Comparison of flat vs segmented network.


• For large deployments, tiered administration enables you to structure the deployment of your portfolio and our technology in a way that matches your network infrastructure and your organization.

• From a policy point of view, many customers have experienced a significant reduction in the number of security policies that they have to manage after migrating to Palo Alto Networks. Due to the higher level of aggregation at which we identify traffic—applications, users, and content rather than ports and IP addresses—our platform might require only one rule where legacy solutions might need five.

Summary: Palo Alto Networks for Financial Services

Palo Alto Networks provides the most innovative, advanced, and flexible enterprise security platform available to meet today’s cybersecurity requirements for financial institutions. Our platform natively combines multiple security functions to more effectively protect your enterprise networks:

• Next-generation security firewalls (rated as ‘leader’ in the Gartner Group Magic Quadrant for Enterprise Firewalls several years in a row).

• Threat detection and prevention: cloud-based threat sandboxing analysis with signature creation and threat prevention in as little as 30 minutes.

• Innovative endpoint protection that stops malware before it even tries to install on the device.

• IPS for fast detection and prevention of known threats.

• Anti-malware.

• URL filtering.

• File and content blocking to control known threats.

• Visibility into, and prevention of, threats within encrypted communications.

• Closed-loop approach that stops zero-day threats from spreading further into your network.

[Figure 6 labels: Cloud, Network, Endpoint; Natively Integrated; Extensible; Automated; Next-Generation Firewall; Next-Generation Threat Intelligence Cloud; Next-Generation Endpoint]

Figure 6: Our next generation enterprise security platform


4401 Great America Parkway, Santa Clara, CA 95054

Main: +1.408.753.4000 | Sales: +1.866.320.4788 | Support: +1.866.898.9087

www.paloaltonetworks.com

Copyright ©2015, Palo Alto Networks, Inc. All rights reserved. Palo Alto Networks, the Palo Alto Networks Logo, PAN-OS, App-ID and Panorama are trademarks of Palo Alto Networks, Inc. All specifications are subject to change without notice. Palo Alto Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Palo Alto Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. PAN_WP_FS_033115

Our financial services customers consistently voice how they have been able to minimize risks related to cyberattacks, and eliminate unnecessary complexities in their security infrastructure, by replacing their legacy security infrastructure with Palo Alto Networks.

From Reactive Detection to Proactive Prevention: Take the First Step Today

Whether you already use Palo Alto Networks to protect your organization’s traditional perimeter or are new to our technology, discover the advantages of using our platform to implement policy controls that reduce the scope of your cybersecurity challenges. Evaluate for yourself how our closed-loop approach can help you automatically block attacks from propagating throughout your infrastructure.

Take action today by signing up for one of the following:

• Online product demonstration that we can tailor to the unique needs of your organization

• Ultimate test drives in which your teams can get hands-on experience with our technology

• Our Application Usage and Threat report can reveal—in less than a week—your most urgent vulnerabilities

Visit http://connect.paloaltonetworks.com/AVR-alt to learn more.


Empower your team to automatically block basic, high-volume malware, while using advanced techniques to detect Zero-Day attacks and prevent them from propagating into your network.