Cortex XDR

Glenn Hårseide
System Engineer – Major Accounts
Palo Alto Networks
@GlennHarseide
https://inkontheside.com/2011/01/03/how-to-get-a-computer-virus/
How often do you log on to your security device(s) and check the logs?
SILOED TOOLS SLOW DOWN INVESTIGATION & RESPONSE

Create tons of alerts instead

of effectively stopping attacks

5 | © 2019, Palo Alto Networks. All Rights Reserved.

 ”We dont have time or resources to actively work with security.”

6 | © 2018, Palo Alto Networks. All Rights Reserved.

 Firewalls and Anti-Virus

7 | © 2018, Palo Alto Networks. All Rights Reserved.

PREVENT ADVANCED ENDPOINT ATTACKS WITH TRAPS

Stop malware, ransomware

Traps with machine learning and
WildFire Cortex Data Lake behavioral threat protection

Block exploits and fileless

attacks by technique

Phone/Tablet Cloud Included with Cortex XDR to

coordinate enforcement and
Desktops Servers
accelerate response
Laptops

8 | © 2019, Palo Alto Networks. All Rights Reserved.

EXPLOIT PROTECTION FOCUSES ON TECHNIQUE

ROP

X
Heap Heap
Spray Spray
Utilize OS
Functions

Document Endpoint protected

opened by user from exploit

Attacker attempts to Exploit attempt blocked

exploit vulnerability before successful
in OS/application malicious activity

Traps focuses on exploit techniques rather than the exploit itself

9 | © 2018, Palo Alto Networks. All Rights Reserved.

PREVENT THREATS WITH TRAPS ENDPOINT PROTECTION

WildFire feeds known threat information back to Traps

Local analysis to stop Machine learning to Behavioral Threat Protection WildFire to detect
unknown malware prevent new malware for advanced malware unknown malware
User opens an Attack blocked;
executable file endpoint safe

Stop malware with local Apply knowledge

Block gained
exploits by to build
technique to
and cloud-based analysis detection
prevent rules & find&future
script-based filelessthreats
attacks

10 | © 2019, Palo Alto Networks. All Rights Reserved.

PULLING IT ALL TOGETHER: TRAPS vs. NOTPETYA

Master Boot Record

encrypted
User clicks upgrade and runs a Runs malicious
malicious EXE that kicks off DLL
unauthorized processes

Drops DoublePulsar tool

Exploits Microsoft SMB
capable of injecting and Runs malicious Runs malicious
vulnerability previously
Gains kernel level privileges running malicious code by EXE DLL
patched by Microsoft
by direct kernel exploitation calling legitimate processes

Runs malicious exe to collect user

credentials and passwords in case Runs malicious Runs malicious
systems are not vulnerable to SMB EXE
Gains access using stolen DLL
Exploit
credentials
11 | © 2017, Palo Alto Networks. All rights reserved.
PULLING IT ALL TOGETHER: TRAPS vs. NOTPETYA
Child
Process Malicious Master Boot Record
Protection DLL encrypted
User clicks upgrade and runs a Runs malicious
malicious EXE that kicks off DLL
unauthorized processes

Kernel Child
Malicious
Exploit Process
DLL
Prevention Protection
Drops DoublePulsar tool
Exploits Microsoft SMB
capable of injecting and Runs malicious Runs malicious
vulnerability previously
Gains kernel level privileges running malicious code by EXE DLL
patched by Microsoft
by direct kernel exploitation calling legitimate processes

Child
Known Malicious
WildFire Malicious
Threat Process Local
Process
Intelligence Protection Analysis Analysis
DLL
Runs malicious exe to collect user Protection
credentials and passwords in case Runs malicious Runs malicious
systems are not vulnerable to SMB EXE
Gains access using stolen DLL
Exploit
credentials
12 | © 2017, Palo Alto Networks. All rights reserved.
 Firewalls

13 | © 2018, Palo Alto Networks. All Rights Reserved.

NGFW

14 | © 2018, Palo Alto Networks. All Rights Reserved.

Traps – Endpoint protection NGFW – Next generation firewall

• Disadvantages: • Advantages:
• Has to be rolled out to all devices • Easy to implement
• Can’t inspect where its not installed • Can inspect all network traffic

• Advantages: • Disadvantages:
• Can see ’into’ encrypted traffic • Hard to inspect encrypted traffic
• Works when user is not in the office • Remote workers
• Can see everything happening on • Can’t see what is happening on
the endpoints endpoints
• Scaling • Scaling
16 | © 2018, Palo Alto Networks. All Rights Reserved.
THE RIGHT APPROACH REQUIRES THREE INTEGRATED CAPABILITIES

Great Prevention AI & Machine Learning Automation

to stop everything you can to detect sophisticated attacks to accelerate investigations

ACROSS NETWORK, ENDPOINT AND CLOUD DATA

17 | © 2019, Palo Alto Networks. All Rights Reserved.

INTRODUCING CORTEX

PALO ALTO NETWORKS APPS 3rd PARTY APPS CUSTOMER APPS

CORTEX
CORTEX DATA LAKE THREAT INTEL DATA

NETWORK ENDPOINT CLOUD

18 | © 2019, Palo Alto Networks. All Rights Reserved.

GAIN COMPLETE VISIBILITY ACROSS YOUR ENVIRONMENT

Cortex XDR

LOGS & DATA Cortex Data

Lake

Next-Generation Traps
Firewall

Branch Mobile Campus Endpoints Servers Cloud Data

Office Users Center

19 | © 2018, Palo Alto Networks. All Rights Reserved.

CORRELATE AND STITCH RICH DATA

Endpoint
Network User & Host File update
TCP port User name Process name
Source IP Hostname MD5/SHA Hash
Country Organizational unit File path
Dest IP
User
Operating system Registry change
Network
Sent Bytes
Received Bytes
Mac address
& Host Endpoint
Malware verdict
Threat App CLI arguments
App name
Intelligence
Protocol
Malware hashes
URL and Domain
Malicious IPs
Response Size
Threat
Phishing URLs
Response Code
URL Categories
Intel App
Referrer

Collect rich data for behavioral Automatically correlate data to

analytics and AI gain context for investigations

20 | © 2019, Palo Alto Networks. All Rights Reserved.

AUTOMATICALLY DETECT ATTACKS WITH BEHAVIORAL ANALYTICS
Corporate Network

Windows PC IT administrator

Standard User

Active Directory Server

Apple iPhone

1
Identify types of users &
devices by analyzing activity

21 | © 2019, Palo Alto Networks. All Rights Reserved.

AUTOMATICALLY DETECT ATTACKS WITH BEHAVIORAL ANALYTICS
Corporate Network

Transfers 3 TB
Uses SSH protocol
of data a day

Connects to 12 non-existent
destinations a day

Connects to 1,000
hosts a day

Connects to 30
hosts a day

1 2
Identify types of users & Profile behavior of devices,
devices by analyzing activity users and groups over time

22 | © 2019, Palo Alto Networks. All Rights Reserved.

AUTOMATICALLY DETECT ATTACKS WITH BEHAVIORAL ANALYTICS
Corporate Network

Internal Reconnaissance:
A host attempted to connect 90 non-
existent destinations; peers typically
connect to 7 non-existent destinations

1 2 3
Identify types of users & Profile behavior of devices, Detect anomalies indicative
devices by analyzing activity users and groups over time of malware, C&C, lateral
movement & exfiltration

23 | © 2019, Palo Alto Networks. All Rights Reserved.

PINPOINT THREATS UNIQUE TO YOUR ENVIRONMENT WITH AI

ATTACK DETECTION ALGORITHMS

Command Lateral
Malware Exfiltration
& Control Movement

Endpoint
Entity
Current Time Peer Profile
Network Behavior Profile Profile • Device Type:
workstation, server,
• User activity • Past user activity • Peer profile of user
server type
• Device activity • Past device activity and device activity
• User Type: admin,
standard user
Cloud

DATA PROFILING ENGINE

Profile behavior & detect anomalies indicative of an attack

24 | © 2019, Palo Alto Networks. All Rights Reserved.

ADVANCED ATTACKS REQUIRE DETECTION & RESPONSE

Easiest to
E xecute
Most Sop
histicate
d & Damag
ing

Known Evasive Zero-day Fileless attacks • Targeted attacks

threats malware attacks • Low and slow
• Insider threats

99%+ of attacks can be <1% require analysis over time &

prevented with the right tools across layers with machine
learning

25 | © 2019, Palo Alto Networks. All Rights Reserved.

 https://www.norskeserier.no/_the-norway-way-jenny-k-blake-9788251656283
26 | © 2018, Palo Alto Networks. All Rights Reserved.
27 | © 2018, Palo Alto Networks. All Rights Reserved.
28 | © 2018, Palo Alto Networks. All Rights Reserved.
29 | © 2018, Palo Alto Networks. All Rights Reserved.
ACCELERATE & SIMPLIFY INVESTIGATIONS

ENV21\Sauron

Traps alert
2

ROOT
CAUSE

12

chrome.exe 7zFM.exe cmd.exe powershell.exe wscript.exe

Clicks on URL in phishing email Downloads 7zip file 7zip runs *.pdf.bat file in zip *pdf.bat file creates Virtual basic Attempts C2 connection
script for Windows script engine

1 2 3

See chain of events with one Automatically understand Guide analysis with context,
click from alert dashboard the root cause intel and a forensic timeline

30 | © 2019, Palo Alto Networks. All Rights Reserved.

FURTHER INVESTIGATIONS WITH REMOTE TERMINAL

Task Manager Command Line

Security Compromised
Analyst Host
File Manager Python Shell

Extend investigations with full View & retrieve files, delete processes
remote access to an endpoint and perform unlimited commands

31 | © 2019, Palo Alto Networks. All Rights Reserved.

RESPOND AND ADAPT TO THREATS

Create custom rules as alerts or

information to aid investigations Optimize detection algorithms

YOUR SECURITY CortexTM XDR

TEAM UNIT 42 RESEARCH,
WILDFIRE, GSRT

Respond: CortexTM Data Lake

• Isolate endpoint
• Terminate process
• Block traffic Add new protections
NETWORK ENDPOINT CLOUD

1 2 3
Easily respond to threats Apply knowledge gained Analyze data to improve
by integrating with to detect future threats & detection and prevention
enforcement points ease investigations

32 | © 2019, Palo Alto Networks. All Rights Reserved.

SECURE YOUR ORGANIZATION WITH PALO ALTO NETWORKS

1 Prevent 2 Automatically Detect

Reduce the risk of a Cut dwell times by
breach with industry- detecting attacks with
leading prevention machine learning

Respond & Adapt Rapidly Investigate

4 3 Lower operating costs
Eliminate threats before by accelerating
the damage is done by investigations
coordinating enforcement

33 | © 2019, Palo Alto Networks. All Rights Reserved.

Key takeaways

• Hire more people or automate

• Cloud, Endpoint and Firewalls need to work together

• Log everything

• Stop working with logs – incidents are much more useful

• Cortex XDR can help with all of the above

34 | © 2018, Palo Alto Networks. All Rights Reserved.

THANK YOU

Email: gharseide@paloaltonetworks.com