ML Powered NGFW Customer Presentation PDF


ML-Powered NGFW

PAN-OS 10.0
Your World Is Changing

● Attacks are constantly and automatically morphing
● New devices are proliferating rapidly and silently
● Surface areas of attack are increasing rapidly
But Typical Industry Response Is Manual

● React to New Attacks. Result: First victim gets compromised before protection is delivered (Mean Time To Identify: 206 Days)
● React to New Devices. Result: Unidentified, unsecured devices pose massive risk to the network (Casino breached through fish tank)
● React to Environment Changes. Result: Breaches due to human errors and misconfigurations (99% of firewall breaches due to misconfig, Gartner)

3 | © 2020 Palo Alto Networks, Inc. All rights reserved.


A New Disruptive Approach Is Needed

The World Needs A New Type of Firewall That uses ML to...

● Prevent Never-before-seen Items: Identifies new variants of threats & new devices without relying on signatures
● Recommend Policy & Config Changes: Analyzes device behavior to automatically create IoT Security policies, uses infrastructure changes for configuration changes
● Detect Through Cloud-scale: Enables machine learning at cloud scale through continuous collection of data and telemetry



A PARADIGM SHIFT IN CYBERSECURITY…
INTELLIGENT NETWORK SECURITY

Introducing The World’s First ML-Powered NGFW

With Multiple Industry-Firsts...

● Instant protection from threats using ML: Up to 95% of unknown file- and web-based threats prevented inline
● Near real-time protection via signatures: <10 second signature delivery, resulting in 99.5% reduction in systems infected (testing with beta customer)
● Complete, natively integrated IoT security: 3x IoT devices detected
● Automatic policy recommendations: 99% of breaches are caused by misconfiguration, according to Gartner



Delivered As Part Of a Platform

Network Security Platform
● Panorama Management
● Security Subscriptions
● Hardware: PA-Series
● Software: VM-Series / CN-Series
● Cloud Service: Prisma Access



IoT Security
Trust every device on your network

Massive Increase in Connected Devices

● $1.1T IoT devices market by 2026
● 25B Connected devices by 2025
● 85% Decision makers with IoT project budgets today
IoT is a Business Necessity that Introduces Risk

● Massive Increase in Connected devices: 30% of devices on enterprise networks today are IoT
● Pose a Huge Security Risk: Shipped with vulnerabilities and difficult to patch, yet have unfettered access
● Securing IoT Devices is Hard: Incredibly diverse devices; traditional IT security controls do not work



75% of businesses say IoT security is a top priority, yet only 16% feel prepared

Source: McKinsey (Digital McKinsey and Global Risk Practice, March 2019: Perspectives on transforming cybersecurity)

Why Current Solutions Fail

● Limited Visibility: Cannot identify previously unseen IoT devices, accuracy requires constant effort
● No Protection: Existing visibility-centric solutions do not offer native prevention or enforcement
● Hard to Implement: Require changes to network infrastructure, security team workflows and integrations



Introducing IoT Security

● Complete Visibility: Accurately identify and classify all devices with ML, including those never seen before
● In-depth Risk Analysis: Quickly understand anomalies, vulnerabilities and severity to make confident decisions
● Built-in Enforcement: Safely automate enforcement on your next-gen firewall with a new Device-ID policy construct



Best-in-Class Enterprise IoT Security Deployed Effortlessly

● Available on all NGFW form factors - Hardware, Software, Cloud Service
● Start with your existing firewall
● Scale linearly with multi-tenant cloud infrastructure
● Leverage prevention from existing subscriptions

Diagram labels: Data Lake; Data / Policy; NGFW; HQ Campus, Data Center, Branch, Mobile; IoT devices, OT devices



Trust Every Device On Your Network

● Use Your Infrastructure: Deploy within minutes, no siloed sensors or enforcement products required to protect IoT
● Leverage Existing Talent: Maintain current operations and empower your existing Network Security team
● Get Complete IoT Security: Discover, secure and prevent threats on every IoT device in your network with one solution



CN-Series
Industry’s First Containerized NGFW for Kubernetes
Container Adoption is Increasing

By 2023, more than 70% of global organizations will be running three or more containerized applications in production. (Gartner, 2019)

Container Network Security Challenges for Network Security Teams

● Lack of visibility and control
● Inconsistent tools and management
● Lack of automation and scalability



Other FW Form Factors Lack Container Visibility and Context

Diagram labels: Container Cluster (NODE, NODE, NODE) running Ordering and Payments; INTERNET; alerts marked "!"



Introducing CN-Series Container Firewalls

NGFW for Kubernetes Environments

● Containerized PAN-OS
● L7 Network Security & Threat Protection
● Kubernetes Integrated



Network Visibility and Threat Protection in Kubernetes

● Visibility into Kubernetes constructs for context-based control
● Consistent policy creation and management with Panorama
● Automate and scale with deep Kubernetes integration



Supported Cloud Native Infrastructures

● Self-Managed: On-premises
● Cloud-Managed: Public Cloud



CN-Series Container Firewall Use Cases

● East-West Layer 7 Traffic Protection: Enforce trust boundaries between namespaces and other workload types
● Outbound Traffic Protection: URL filtering and content inspection
● Inbound Threat Prevention: Stop known and unknown threats



CN-Series Container Firewall Differentiated Capabilities

● Centralized Management
● DevOps-Ready Orchestration
● Kubernetes Visibility & Context
● Best-in-Class Security



ML-Based Inline Prevention
Every Second Matters
Attackers Have 2 Critical Advantages: Speed of Proliferation and Polymorphism

● 5 minutes = 9,864 instances
● 15 minutes = 27,492 instances
● 30 minutes = 45,457 instances


Existing Solutions Struggle to Prevent Net-New Attacks in Time

● Siloed Approach: Can’t keep up with the scale of new attacks
● Require Compromise: Accurate prevention depends on a first victim
● Stop Business: Current hold, trickle and modify approaches impact users and revenue



Today’s Prevention of Unknown Threats Through Cloud Scale

● Cloud-delivered security services scale prevention capabilities
● Shared intelligence allows the fastest distribution of protections
● Infinite scale | Trillions of samples analyzed | Fast, high fidelity updates
● File Protections: 5 min | URL Protections: 1 min | DNS Protections: Instant

Diagram labels: DNS Security, URL Filtering, WildFire, Data Lake, Partner Integrations, Cyber Threat Alliance

Industry-leading security subscriptions offer unknown threat protection within minutes or less



Today’s Prevention of Unknown Threats Through Cloud Scale

Same cloud-scale architecture as the previous slide, now with inline ML:
● File Protections: Instant | URL Protections: Instant | DNS Protections: Instant
● WildFire Inline ML and URL Filtering Inline ML: Up to 95% of common file & web-based threats prevented in-line



How It Works: Inline ML-based Prevention for Files and Web-Based Attacks

1. Prevent unknown file/web threats on the NGFW (NEW)
   ● ML-based signatureless prevention
   ● Acts at line speed
   ● No productivity delays

2. Analyze all unknowns in cloud
   ● Multiple advanced techniques for malware
   ● Best-in-class URL categorization engines
   ● Shared intelligence improves analysis

3. Generate and Distribute Protections & Models (UPDATED)
   ● Protections for all threats in as fast as single-digit seconds
   ● Daily intel trains new models
   ● Delivered directly to NGFWs daily

Threat types covered: Phishing Attacks; JavaScript Attacks; Common File and Fileless attacks (PE and PowerShell)



Slashing Our Industry-Leading Time for Distributed Protections

Flow (seconds, PAN-OS 10.0): Threat detected across 35K+ WF installed base → Content-Based Signature Created → Protection streamed in seconds → All customers with WildFire updated

● BEFORE: Industry-leading 5-minute signature generation/distribution time
● With PAN-OS 10.0: Protection streams to NGFW in single-digit seconds



Stopping Attacker Advantage

● Machine Learning: Enabled by the Platform scale
● Cloud-Based Analysis with Real-Time Sigs: Prevents initial infection
● No Business Disruption

Diagram labels: Data Lake; Total New Threats (Polymorphic Threats, Fast Moving/Proliferation)

TLS Decryption
Never been more essential to decrypt

Massive Risks Within Encrypted Traffic

● Encrypted traffic is now the norm: 70% (2016) → 95% (2020) of internet traffic today is encrypted
● And attackers are taking advantage: More than 70% of malware campaigns in 2020 will use some type of encryption to conceal malicious activity, says Gartner

Source: Encrypted Traffic (2016) | Encrypted Traffic (2020) | Encrypted Malware (Gartner)



Decryption is Necessary for Protection

● Protection requires decryption: Without decryption, security tools cannot effectively stop malware
● Deploying decryption is usually hard: Lack of expertise, fear of business disruption, troubleshooting complexity
● Cloud apps making the need to decrypt more urgent: Increasing adoption of HTTP/2 and encryption with modern protocols like TLS 1.3



Deploying Decryption Is Now Easier Than Ever

● Mitigate security risks: Control use of legacy TLS protocols, insecure ciphers & incorrectly configured certs
● Deploy decryption, worry-free: Easily deploy and maintain decryption using purpose-built troubleshooting & visibility
● Secure cloud apps quickly: Secure traffic that uses protocols like TLS 1.3 and HTTP/2. Now with up to 2X performance boost



SD-WAN Enhancements
Legacy Approaches Lack Full Visibility Into a Path’s Health
Inaccurate path measurements impact user experience and performance

● Ping timings have delays in measurements
● Current vendors monitor SaaS App IP or static IPs/FQDN rather than the applications
● Lack flexibility in how to monitor applications

Diagram labels: Branch (Retail) → ISP 1 / ISP 2 / LTE → SaaS application HTTPS server (https://salesforce.com, IP Address: 10.72.99.222)

Businesses need accurate, end-to-end application health measurements



Introducing SaaS Application Path Monitoring

● Accurate path health measurements: From the branch to the SaaS application server
● Exceptional user experience: Determine optimal path with accurate path health measurements
● Flexible monitoring options: Preserve bandwidth while ensuring great user experience



Flexible Monitoring Options: Active & Passive

Passive Method
● Adaptive algorithm determines the app’s health by measuring latency, jitter and packet loss through the app’s native application flows

Active Method
● ICMP or HTTP/S pings are sent to a target IP address or specific URL



Forward Error Correction & Packet Duplication

● Improved User Experience: Reliable performance for highly sensitive, real-time applications
● Granular Control: Ability to fine-tune packet loss thresholds to preserve bandwidth



HA Clustering
Challenges with Horizontal Scaling and Multi-Data Center

● Lack of Scalability: Need a simple and cost effective way to add firewalls
● Need Scalable Always-On Availability: Need the ability to redirect and load share traffic to multiple locations, including when a data center goes down



Simply Scale with High Availability Clustering

● Simply add new appliances to scale performance and capacity
● Enable always-on availability for exceptional user experience
● Gain consistent security that seamlessly scales with your applications



HA Clustering Highlights

● Up to 16 members in a cluster
● Layer 3, virtual wire support
● Supported on:
  ○ PA-3200 Series
  ○ PA-5200 Series
  ○ PA-7000 Series (XM and 100G NPCs only)
  ○ VM-300, 500, 700

Diagram labels: Vendor Neutral Session Distribution Mechanism (load balancer, router, switch); Flexible clustering with HA Pair & individual members (A/P, A/A); HA4 Session Sync over L2 VLAN



Quarantine Compromised Devices
Current Approach is Not Enough for Today’s Mobile Workforce

1. User’s endpoint gets compromised (Hostname: win721-host, Username: domain\jdoe, IP Address: 10.72.99.100)
2. NGFW sees malicious network activity (App-ID, Threat, URL, WildFire detect C2) and restricts the endpoint’s IP address (10.72.99.100)
3. But the endpoint’s IP address changes (to 10.1.1.50) and it reconnects to the network



GlobalProtect Device Quarantine

● Identify and quarantine infected devices: Leveraging immutable characteristics
● Automatically apply restrictions: On external and internal network



Enhancements & Innovations
for Security Subscriptions
Threat Prevention
Critical Use Cases for Open Source Network IDPS Signatures

● Share & Consume Threat Definitions (ISACs, Gov)
● Address Threats Unique to Environment (Snort Rules)
● Integrate Coverage (Existing Prevention Controls)

Key Challenge: Automating ingestion and deployment of new signatures



Introducing Snort Support in Threat Prevention

Workflow: Snort / Suricata rules → Upload → Convert → Sanitize → Manage → Delivered as Snort on PAN-OS

● Customized Protection: Easily add unique rules to Threat Prevention coverage
● Flexible Management: GUI, CLI, or API
● Powerful API Support: Rapidly apply new coverage across environment



DNS Security
One Year in, Amazing Growth...

Chart: DNS requests analyzed (Billions) per month, Mar through Jan; values shown: 9, 11, 12, 14


Modern Risks Presented by the DNS Protocol

● 80% of Malware: DNS is abused for command and control and data theft
● Rate of New Domains: Malware using domain generation algorithms evades detection
● Data Exfiltration: Modern adversaries using DNS tunneling



DNS Security

● Blocks known bad domains
● Stops malicious DNS traffic with ML and predictive analytics
● Integration with NGFW means it cannot be bypassed

Data sources: WildFire Analysis, Passive DNS, URL Filtering, Honeynets, Unit 42, Whois



Introducing Category-Based Visibility and Control for DNS

Severity: Critical
Categories: Command and Control (C2), DNS Tunneling, DGA
Policy: Sinkhole
• Sinkhole C2 domains with a “critical” threat log
• Trigger automated containment workflow

Severity: Medium
Categories: Malware, Newly Registered Domains, Dynamic DNS
Policy:
• Block malware domains with a “medium” threat log
• Does not require a follow-up action



DNS Analytics

DNS Visibility
● Complete visibility across all DNS traffic and trends
● Filter based on DNS categories and timeframes
● Abuse of DNS (malware, C2, tunneling, DGA)

DNS Intelligence Context
● Why a domain was blocked
● Pivot to related threat intel
● AutoFocus Tags
● Whois and passive DNS data

DNS Hygiene
● Quickly view which firewalls in your estate are covered by DNS Security



WildFire
Detect and Prevent New Threats with WildFire
Unknowns (WEB, FLASH, SCRIPTS, ARCHIVE, BINARIES, DOCUMENTS) collected from NETWORK, ENDPOINT, CLOUD and 40+ PARTNERS

Analysis: Bare metal analysis, Machine learning, Dynamic analysis, Static analysis, Dynamic unpacking, Network traffic profiling, Recursive analysis

Protections: Malware, URLs, DNS, Auto-C2; updated within seconds, globally; prevent Patient Zero with inline ML

● Data collected from a vast global community
● Analysis techniques far beyond traditional sandboxing
● Automated protection against multiple attack variants



Attackers Continue to Employ Sophisticated Multi-Vector Attacks

Attack stages:
1. Victim receives phishing email
2. Clicks link to trusted file sharing site
3. Downloads a Word document
4. Remote object link accesses another URL
5. Downloads a Word document with PowerShell script
6. Fileless attack (secondary payload) runs on host

TACTICS
● Break attack into smaller components
● Deploy range of threats across stages
● Use multiple points of entry (attack vectors)
● Hide malicious content behind benign URLs and legitimate cloud infrastructure

WildFire’s Unique Multi-Vector Recursive Analysis

● Crawl Each Stage Of Attack: Multiple vectors / file stages / network hops
● Apply Cloud-Scale Recursive Analysis for Each Stage: Analyze each sample in net new environments
● Generate Protections: Full attack + all other payloads
● Share Protections & Visualize Campaign

Attackers Must Replace All Stages of Attack Workflow

The WildFire Advantage

● Unbeatable Cloud Analysis Infrastructure
● Best-in-Class File Analysis & URL Crawling
● Unique view of entirety of attacker campaign



Supercharged Static Analysis Engine Delivers Quicker Detection

WildFire Static Analysis Engine
● Part of WildFire’s multi-step malware analysis system
● Examines potentially malicious code without executing
● Critical to identifying variants of known malware
● Depends on timely and accurate threat models

What We Did                                     | Results                                    | What It Means
Incorporated best-in-class ML engine from XDR   | 14.5% improvement to static analysis model | Improved final detection rates for malicious files
Leveraged WildFire’s infinite scale and compute |                                            | Faster determinations for immediate verdicts



A Single Platform to Connect and Secure Everything

Network Security Platform connecting Data Center, Public Cloud, Internet and SaaS with Branch, HQ Campus, Partner, Mobile and IoT

Consistent | Integrated | Best-in-class



70+ New Capabilities in PAN-OS 10.0

IoT Security
● Visibility into IoT devices
● Behavioral anomaly detection
● Risk-based policy recommendations
● Native enforcement

Prevention of Patient Zero
● Inline machine learning at the network level
● WildFire and URL Filtering prevent weaponized files, credential phishing, and malicious scripts
● Patented signatureless based approach

CN-Series
● Containerized form factor of NGFW
● Native deployment within Kubernetes
● Centralized management with Panorama

Decryption
● Support for TLS 1.3
● Better visibility
● Enhanced troubleshooting

Networking
● HA clustering
● HA additional path monitoring groups
● Ethernet SGT protection

GlobalProtect
● Identification and quarantine of compromised devices

SD-WAN
● SaaS app path monitoring
● Forward error correction
● Packet duplication

Data Processing Card
● New card for the PA-7000 Series: data processing card with 33% increase in throughput

Policy Features
● X-Forwarded-For HTTP header data support in policy

5G Security
● 5G network slice security
● 5G and 4G equipment ID security
● 5G and 4G subscriber ID security

WildFire
● Multi-vector recursive analysis to prevent multi-stage, multi-hop attacks
● Improvement to static analysis model delivering verdicts in seconds from over 90% of malicious PE samples

Snort Support
● UI and API support of both SNORT and Suricata signatures
● Automatically convert, sanitize, upload, and manage IDPS signatures



Strata Network Security Platform
Delivering better business outcomes

● Speed & Agility
● Consistent Security & Compliance
● Reduced Operational Cost & Complexity
● Improved User Experience



Thank you

paloaltonetworks.com
