FINANCIAL SERVICES IT
Security Reference Blueprint for Financial Services
IT security and network teams at financial institutions around the world must address demands to rapidly adopt new technology, protect intellectual property, secure a myriad of mass market and custom applications and comply with regulations. While doing the above, they must also enable secure access to personal and commercial financial data and corporate data from a variety of access points – retail branches, campus sites, mobile devices, ATM networks, and third-party business partner networks – in light of an increasing volume and sophistication of threats. The Security Reference Blueprint for Financial Services enables institutions to address all of these concerns, augment the security of existing infrastructure, enable new applications, provide greater access to data, and prevent advanced threats without disrupting vital business operations.
Palo Alto Networks | White Paper
Table of Contents
I. Executive Summary ... 3
II. Security Concerns for the Banking Industry ... 3
    Complex Environments ... 3
    Security Sprawl ... 3
    The Response ... 3
III. Reference Blueprint Goals and Security Principles ... 4
IV. Core Security Principles ... 4
    Policy-Based Application Visibility and Enforcement ... 4
    Network Segmentation and Zero Trust ... 6
    Protection Across the Network ... 7
        a. Private, Public and Hybrid Clouds ... 7
        b. Endpoints ... 8
    Advanced or Zero-Day Attack Prevention ... 9
    Timely Reporting, Threat Intelligence and Correlation ... 9
V. Security Reference Blueprint for Financial Services IT ... 9
    DMZ ... 10
    Corporate Data Center Zone ... 10
    Endpoints ... 11
    Centralized Monitoring and Management ... 11
    Migration to Palo Alto Networks Next-Generation Security Platform ... 11
VI. Conclusion ... 12
I. EXECUTIVE SUMMARY
The Security Reference Blueprint for Financial Services IT enables institutions to augment the security of
existing infrastructure, enable new applications, provide greater access to data, and prevent advanced threats
without disrupting vital operations. This approach allows the institution to more effectively focus on today’s
evolving security threats, protect customer data from compromise, better address the expanding scope of
compliance, improve uptime and availability, and meet technological and competitive challenges, such as
networked mobile devices or the shift to cloud-based computing. All of this can be done while complementing
existing security capabilities as part of a layered defense approach.
II. SECURITY CONCERNS FOR THE FINANCIAL SERVICES INDUSTRY
As the primary custodians of both personal and corporate financial assets, the financial services industry
remains one of the largest targets for attack. Financial services is among the top three industries for security
incidents, and the top for confirmed data loss.1 Moreover, financial services accounted for 35 percent of
breaches across all industries. Cyber attackers seek to drain accounts of their funds, by obtaining personally
identifiable information (PII) for identity theft or credit card fraud, or to destabilize global financial markets in
order to further political or other agendas. At the same time, changing end-user dynamics, such as mobility,
and network dynamics, such as SaaS, IaaS and PaaS cloud-based extensions to internal networks, have the
potential to increase business, operational, market and reputational risks, if not appropriately secured. The
combination of these realities with the growth in demand from customers, employees, business partners and
investors for anytime, anywhere access to financial information; and the considerable regulatory, business and
technological changes in financial services environments today, have increased the need for secure networks
that can seamlessly evolve.
Complex Environments
In addition to malware attacks, financial institutions face challenges that include:
• Managing a complex mix of applications, such as internally developed software, commercial applications
(which are often highly customized) or the result of mergers and acquisitions.
• Maintaining a multi-vendor approach for technology to address resiliency and vendor management concerns.
• Coordinating among geographically dispersed stakeholders who span organizational boundaries and have
differing responsibilities and perspectives.
• Supporting IT infrastructure for multiple lines of business that have varying requirements. For example,
low-latency trading applications have distinct needs from other banking applications.
• Adhering to a complex mix of regional, national, state and industry regulations, resulting in increased costs for compliance, as well as causing dramatic operational and business model changes. Some of these call for a layered defense approach and other recommendations that may not necessarily improve cybersecurity, but are required as a cost of doing business.
• Shifting working capital (for example, the Volcker Rule of the Dodd-Frank Act in the U.S.) affecting investments in operations and businesses. Consequently, many institutions have been in a cost optimization mode for a number of years.
Security Sprawl
The complexity of these challenges is exacerbated by the fact that many institutions have acquired multiple
instances of security products that are blind to one another, cannot function cohesively, and thus reduce
effectiveness. Some of this security infrastructure sprawl was intentional in support of a layered defense
approach along with the belief that “defense in depth” equates to “vendor in depth” (i.e., if one system missed
the attack or malware, the other would catch it). Whatever the intention, the sophistication of the attacker
soon outpaced the capabilities of the current tools, leading financial institutions to buy yet again the next-best available technology to defend themselves.
The Response
Unfortunately, large financial institutions can neither easily unwind nor consolidate their legacy security
packages without potentially causing significant operational and business risk. To prevent today’s threats, a
new and effective approach to security, which incorporates key security principles focused on the current
threat environment, can complement or replace, where possible, existing security infrastructures.
An effective security approach that incorporates several key security principles can address the types of exposure and damage cited above, as well as reduce inefficiencies caused by unauthorized applications or misuse of network resources. This paper discusses a security reference blueprint using the Palo Alto Networks® Next-Generation Security Platform to enable financial institutions to implement these principles to detect and prevent threats to their networks, and improve network efficiency, while reducing complexity and unnecessary overhead. It also provides a way not only to secure these environments but also to gather intelligence about the incursion so that the damage from future attacks can be mitigated or eliminated.
1. The 2016 Verizon Data Breach Investigations Report.
III. REFERENCE BLUEPRINT GOALS AND SECURITY PRINCIPLES
This Reference Blueprint for Financial Services IT describes a transparent, non-disruptive security framework
that uses the capabilities of the Palo Alto Networks Next-Generation Security Platform to buttress and enhance
the security of existing financial technology infrastructure. Using the Reference Blueprint enables IT security
and networking professionals to:
• Reduce the overall, exposed attack surface.
• Eliminate the ability of a risky, unknown application to access or embed itself within the network.
• Prevent data breaches and the loss of sensitive, confidential customer financial information and other
sensitive records.
• Focus on key network infrastructure assets that require extra scrutiny to preserve security and prevent
data leakage. For example, any resources open to third parties, such as business process outsourcing, direct
customer access, and external business partners, warrant tighter controls.
• Protect vital operational networks from unwanted downtime or service interruption caused by a security breach.
• Comply with relevant global and regional government regulatory bodies (e.g., Federal Reserve, OCC, SEC,
FCA, EBA, MAS) and industry standards (e.g., PCI DSS, FINRA).
• Utilize desired elements of the Palo Alto Networks Next-Generation Security Platform to complement
existing investments in security products. Palo Alto Networks has extensive technology partnerships with
many leading companies (e.g., Proofpoint, Tanium, VMware) to ensure that mutual customers experience
seamless integration.
The Reference Blueprint allows financial institutions to not only detect and prevent today’s network threats
but also extend protection to endpoints. In addition, it will provide an opportunity to gather and correlate
data about the intrusion from multiple, integrated data collection points to help the solution evolve and keep
pace with the adversary. The Reference Blueprint incorporates core security principles that will effectively and
efficiently protect the institution, whether the traffic travels on its network or off, the threat is from the inside
or the outside, that threat is known or unknown, or the exposure is intentional or accidental.
These core security principles include:
• Visibility and effective control and enablement of applications and activity to reduce the threat footprint
and minimize needless bandwidth consumption.
• Segmentation to prevent the movement of malware and cybercriminals throughout the entire network to
protect and defend systems at all portions of the network.
• Protection and defense of systems includes endpoints that are temporarily off-network (e.g., mobile devices,
laptops).
• Advanced malware detection to identify and prevent zero-day, as well as known, attacks.
• Timely reporting to enable IT, cybersecurity and intelligence professionals to coordinate actions.
• Immediate and automatic sharing and distribution of threat intelligence between systems.
The subsequent sections address each of these principles in detail.
IV. CORE SECURITY PRINCIPLES
Policy-Based Application Visibility and Enforcement
To effectively protect a financial network, security and network teams must have visibility into applications, connected devices, and individual users and their impact on security. Internal teams can make contextual, policy-based decisions regarding which applications to allow or block for specific user communities or groups. This provides much more flexibility when catering to the needs of specially designated network users, or groups of users, while drastically reducing the threats on the network.
By using a next-generation security appliance to characterize applications, financial institutions can immediately reduce their threat posture. The institution can choose to block applications that carry the highest risk (such as P2P applications), which immediately reduces the network’s threat footprint, exposure to potentially malicious software, and the likelihood of a data breach.

Palo Alto Networks can provide a free Security Lifecycle Review that consists of a one-week analysis of your environment with a complete report at the conclusion. For more information: https://go.paloaltonetworks.com/slrdm
To protect the network using this level of visibility, the security platform can provide:
• Application identification that provides visibility and control over applications which attempt to evade
detection by masquerading as legitimate traffic, hopping ports, or sneaking into the network using encryption (SSL and SSH).
• User identification that allows you to safely enable applications and content based on the employee and
group identity information stored in enterprise directories.
• Content identification that combines a real-time threat prevention engine with a comprehensive URL database and elements of application identification to limit unauthorized data and file transfers and detect and
block a wide range of exploits, malware and dangerous web surfing, as well as targeted and unknown threats.
As part of the application policy creation process, financial institutions can approve applications by user group in
context – ensuring access to the applications that they need. It is important to note that using a port-based firewall
or applying port-based policies on a firewall cannot distinguish the status of an application as risky, simply unauthorized, or safe and of business value.
To move to an application-based threat prevention model:
• Start implementing application-based security policies for a few non-critical applications with smaller
user bases in order to demonstrate success.
• Develop a strategy to implement application-based security policies in-line with the institution’s business
objectives. For example, some may decide to start with the highest-risk and business-critical applications;
others may prefer a location-based rollout of application-based rules.
• Identify locally developed business applications and build custom App-IDs to enable recognition by the
next-generation security appliance. Financial institutions may have homegrown applications for their
bank tellers, financial advisors, etc. Multiple instances of these may exist if the organization came together via a merger or acquisition.
• Alternatively lock down applications according to the approved strategy, and enforce consistent security
policy rules for users and groups with similar access and application requirements.
Application-based security policies can help control access in the following ways:
• Identify frequently used applications, so you can more easily highlight unknown or potentially risky applications. You can first monitor traffic across your next-generation security appliance to learn and understand what’s legitimate or not and put a traffic classification strategy in place.
• Identify risky applications, for instance:
◦◦ Cloud-based file sharing sites (e.g., Dropbox)
◦◦ Data transfer and exfiltration
◦◦ Suspicious DNS (e.g., new, uncategorized domain names)
◦◦ P2P
• Look for other dynamics within your environment such as:
◦◦ Port scanners and/or vulnerability scanners
◦◦ Third-party networks that are not approved
• Build groups for traffic types to always block:
◦◦ Such applications as Tor, BitTorrent and Dropbox
◦◦ IP ranges based on geographic location (e.g., does your data center need to talk to addresses on the
China internet?)
• Identify, monitor and analyze all encrypted traffic (SSL/TLS) especially from external websites. While
many applications and websites use encryption for privacy, malware authors are increasingly delivering
encrypted malware payloads. All encrypted network traffic should be examined for the presence of malware or inappropriate usage.
By implementing granular application identification, not just port-based filtering, the administrator is in a
position to gain greater visibility and control and reduce risk significantly.
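The contrast drawn above between port-based filtering and application identification is easiest to see on concrete flows. The following is an added example, not code from the paper or from Palo Alto Networks: a toy application identifier that classifies a flow by the first bytes the client sends rather than by destination port, placed beside a port-based verdict. The flows, the allowed-port and allowed-application lists, and the fingerprints (SSH banner, TLS ClientHello, BitTorrent handshake, HTTP verbs) are constructed and simplified for illustration.

```python
# Added example (not from the paper or from Palo Alto Networks): a toy
# application identifier that classifies a flow by the client's first bytes
# instead of by destination port, beside a port-based verdict, to show why
# port-based policies cannot tell a risky application from a legitimate one.
# Flows and fingerprints are constructed and simplified for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes the client sent (constructed sample data)


def identify_app(flow: Flow) -> str:
    """Return an application name derived from payload fingerprints, not the port."""
    p = flow.payload
    if p.startswith(b"SSH-"):
        return "ssh"  # SSH version banner
    # TLS: record type 0x16 (handshake), version 0x03xx, handshake type 0x01 (ClientHello)
    if len(p) > 5 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01:
        return "ssl"
    if p.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"  # BitTorrent peer-wire handshake
    if any(p.startswith(m) for m in (b"GET ", b"POST ", b"HEAD ", b"PUT ")):
        return "web-browsing"
    return "unknown-tcp"


ALLOWED_PORTS = frozenset({22, 80, 443})          # constructed legacy rule
ALLOWED_APPS = frozenset({"web-browsing", "ssl"})  # constructed application whitelist


def port_based_verdict(flow: Flow) -> str:
    """Legacy rule: allow if the port is on the list, whatever rides on it."""
    return "allow" if flow.dport in ALLOWED_PORTS else "deny"


def app_based_verdict(flow: Flow) -> str:
    """Application-based rule: allow only whitelisted applications, on any port."""
    return "allow" if identify_app(flow) in ALLOWED_APPS else "deny"


def compare(flows):
    """Return (app, port_verdict, app_verdict) per flow so the two policies can be compared."""
    return [(identify_app(f), port_based_verdict(f), app_based_verdict(f)) for f in flows]


SAMPLE_FLOWS = [  # constructed
    Flow("10.1.4.22", "203.0.113.10", 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n"),
    Flow("10.1.4.22", "203.0.113.10", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    Flow("10.1.4.23", "198.51.100.5", 443, b"SSH-2.0-OpenSSH_7.2\r\n"),    # SSH hidden on 443
    Flow("10.1.4.24", "198.51.100.9", 443, b"\x13BitTorrent protocol\x00"),  # P2P on 443
    Flow("10.1.4.25", "203.0.113.20", 8080, b"GET /api HTTP/1.1\r\n"),   # legitimate app, odd port
]

if __name__ == "__main__":
    for flow, (app, by_port, by_app) in zip(SAMPLE_FLOWS, compare(SAMPLE_FLOWS)):
        print(f"{flow.src} -> {flow.dst}:{flow.dport:<5} app={app:<12} "
              f"port-policy={by_port:<5} app-policy={by_app}")
```

The third and fourth flows are the point of the passage: both ride on 443 and pass the port-based rule, but the application-based rule denies them because SSH and BitTorrent are not on the whitelist. The last flow shows the reverse: a legitimate application on a non-standard port is allowed by application identity where a port list would have blocked it.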
As shown in Figure 1, the Application Command Center (ACC) within the security platform depicts the top
applications and sources on the network, which you can use to understand the needs of your particular
organization while making decisions on how best to reduce risk with application whitelisting.
Figure 1: ACC indicates the top applications in use on the network, activity by user, threats, and other blocked activity to help you gain visibility and develop and evolve policies for your network.
Network Segmentation and Zero Trust
In some of the latest targeted attacks, attackers have used spear phishing and social engineering techniques to
gain access through an unwitting victim on the target network. Many attackers are not only able to penetrate
their target network but often successfully establish a beachhead and remain undetected for a significant period
of time while continuing damaging, evasive action.
The Zero Trust approach to enterprise network architecture, first coined by Forrester2, makes it very difficult for
such an adversary to succeed. This same approach makes it difficult for everyday malware to move across the
network. Based upon verification of all users, devices and applications traversing your network, establishing
Zero Trust boundaries3 effectively compartmentalizes your user groups, devices and/or data types (such as PCI
and banking-regulated data).
There are three major benefits of segmenting your network into discrete zones:
• Limit the scope of vulnerability: Separate vulnerable parts of the network, or older legacy servers that
cannot be patched, from others.
• Segmentation limits the amount of data that may be exposed and compromised in the event of a breach.
• Limit the scope of compliance: Fewer systems are subject to compliance audits.
2. www.forrester.com
3. Many organizations use virtual local area networks (VLANs) to segment their network, but VLANs simply isolate network traffic – they are unable to enforce the control of privileged information. In addition, by itself, a VLAN cannot inspect traffic for threats.
Network segmentation can focus on isolating and protecting systems based primarily on the sensitivity level
of the data contained within the zone and the level of risk if that data is exposed. The next-generation security
appliance can be configured to block all traffic into the zone and use whitelisting to allow only known, trusted
traffic. Whitelisted applications are then continuously monitored for security vulnerabilities and malicious activity.
This tactic stops unknown, malicious software from entering the zone. The appliance can be configured to control
which users have access to data or applications within the zone. It also reduces the effort required to demonstrate
compliance (e.g., during an audit) by limiting compliance reviews to only the type of data stored in that zone.
There are two separate, but complementary, segmentation strategies:
• Control “north-south” traffic entering a network perimeter zone or private, public or hybrid cloud.
• Control “east-west” traffic entering and exiting virtual machines (VMs).
These Zero Trust boundaries, zones or virtual segments of the network enable you to defend each zone from any malicious traffic either entering or exiting that zone. To stop malware and the lateral movement of advanced attackers through a target financial services network, the controls must be applied at all of these key entry and exit points. Segmentation zone examples can include:
• Applications and databases containing personal financial information (customer information file, loan processing, credit card, etc.) belonging to one line of business (e.g., consumer banking)
• Administrative data and applications (HR, payroll, legal, etc.)
• Networked or mobile financial devices
• Specialized geographic zones that are considered high-risk areas (e.g., due to a pending acquisition or
geo-political conditions)
• Access to external business partners, such as market data providers, stock exchanges, payment networks,
external ATM networks, etc. Some specific examples include Thomson Reuters, Bloomberg, NYSE, LSE,
Deutsche Boerse, and SWIFT.
• Customer-accessible applications and resources either via the internet or direct WAN connections
Each zone in the network should be protected by its own next-generation security appliance, which brings
several benefits. Beyond validating the whitelisted applications and their intended users, the security platform
performs several other important security functions on traffic entering and exiting a zone:
• Threat prevention, which blocks malicious files, with signatures for known threats.
• On-premises or cloud-based malware execution and analysis environment, which detects and subsequently blocks zero-day threats.
• URL filtering, which blocks access to malicious websites and URLs and shares newly discovered malicious
domains and IP addresses internally or with the community cloud as they’re discovered.
Although Zero Trust can be viewed as the ultimate goal, it may still be perceived as a significant challenge
as many financial institutions have essentially flat and open networks. However, even by taking a few steps
toward a Zero Trust approach with network segmentation, institutions can protect critical financial functions
and sensitive information from exfiltration by unauthorized applications or users, reduce the exposure of
vulnerable systems, and prevent the movement of malware throughout the network.
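The segmentation model described in this section (whitelisted applications and users per zone, default deny at every boundary, north-south and east-west controls) can be exercised with a small policy evaluator. The following is an added example and not code from the paper or from Palo Alto Networks; the zone names, rules, user groups, application names and sample flows are all constructed for illustration, and the custom application name `teller-app` stands in for a locally built App-ID.

```python
# Added example (not from the paper or from Palo Alto Networks): a minimal
# Zero Trust zone policy evaluator. Every flow crossing a zone boundary is
# matched against an ordered whitelist; anything unmatched is denied. Zone
# names, rules and flows are constructed for illustration.
from dataclasses import dataclass

ANY = frozenset({"any"})
EXTERNAL_ZONES = frozenset({"internet", "partner-network"})  # constructed


@dataclass(frozen=True)
class Rule:
    name: str
    from_zones: frozenset
    to_zones: frozenset
    apps: frozenset
    user_groups: frozenset
    action: str  # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    from_zone: str
    to_zone: str
    app: str         # as reported by application identification, e.g. "ssl"
    user_group: str  # from the enterprise directory, or "-" for server traffic


def _matches(allowed: frozenset, value: str) -> bool:
    return allowed == ANY or value in allowed


def evaluate(flow: Flow, rules) -> tuple:
    """First matching rule wins; with no match the zone boundary denies by default."""
    for rule in rules:
        if (_matches(rule.from_zones, flow.from_zone)
                and _matches(rule.to_zones, flow.to_zone)
                and _matches(rule.apps, flow.app)
                and _matches(rule.user_groups, flow.user_group)):
            return rule.action, rule.name
    return "deny", "default-deny"


def direction(flow: Flow) -> str:
    """North-south if either side is outside the institution, else east-west."""
    crosses_edge = flow.from_zone in EXTERNAL_ZONES or flow.to_zone in EXTERNAL_ZONES
    return "north-south" if crosses_edge else "east-west"


RULES = [  # constructed; order matters
    Rule("block-always", ANY, ANY, frozenset({"tor", "bittorrent", "dropbox"}), ANY, "deny"),
    Rule("tellers-to-core-banking", frozenset({"campus", "branch"}), frozenset({"consumer-banking"}),
         frozenset({"teller-app"}), frozenset({"tellers"}), "allow"),
    Rule("web-tier-to-db", frozenset({"dmz"}), frozenset({"consumer-banking"}),
         frozenset({"mssql-db"}), ANY, "allow"),
    Rule("market-data-in", frozenset({"partner-network"}), frozenset({"institutional-banking"}),
         frozenset({"fix"}), ANY, "allow"),
    Rule("users-to-internet", frozenset({"campus", "branch"}), frozenset({"internet"}),
         frozenset({"web-browsing", "ssl"}), ANY, "allow"),
]

SAMPLE_FLOWS = [  # constructed
    Flow("10.1.4.22", "10.20.1.5", "branch", "consumer-banking", "teller-app", "tellers"),
    Flow("10.1.9.8", "10.20.1.5", "campus", "consumer-banking", "teller-app", "procurement"),
    Flow("172.16.0.7", "10.20.1.9", "dmz", "consumer-banking", "mssql-db", "-"),
    Flow("172.16.0.7", "10.30.1.9", "dmz", "institutional-banking", "mssql-db", "-"),
    Flow("10.1.4.40", "203.0.113.7", "campus", "internet", "tor", "tellers"),
    Flow("10.20.1.5", "198.51.100.3", "consumer-banking", "internet", "ssl", "-"),
    Flow("192.0.2.10", "10.30.1.20", "partner-network", "institutional-banking", "fix", "-"),
]


def audit(flows, rules=RULES):
    """Return (direction, action, rule name) per flow; the denies are the review list."""
    return [(direction(f),) + evaluate(f, rules) for f in flows]


if __name__ == "__main__":
    for flow, (dirn, action, rule) in zip(SAMPLE_FLOWS, audit(SAMPLE_FLOWS)):
        print(f"{dirn:<11} {flow.from_zone:>16} -> {flow.to_zone:<21} "
              f"{flow.app:<12} {action:<5} ({rule})")
```

Two of the sample flows illustrate the compartmentalization the section describes: the web tier may reach the consumer-banking database but not the institutional-banking one (east-west lateral movement is stopped by the absence of a rule, not by an explicit deny), and a consumer-banking server that tries to open an outbound TLS session to the internet is denied, which is the exfiltration case the text mentions.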
Protection Across the Network
In addition to application visibility and network segmentation, to ensure effective security across the cyberattack lifecycle, there are a few other considerations for your network.
Private, Public and Hybrid Clouds
A significant trend in the financial services industry is the move from a traditional data center architecture to a private, public or hybrid cloud infrastructure. Implementing virtualization for existing applications within the data center reduces costs, enhances business flexibility, and improves security. Moreover, it provides a foundation that simplifies future migration to a cloud computing environment. Although the financial services industry has been relatively slow to adopt the public cloud due to security concerns, many institutions are finally taking steps to explore, if not embrace it. In line with their multi-vendor philosophy, financial institutions will likely adopt at least two public cloud providers for diversity and flexibility.

VMware and Palo Alto Networks have integrated security for software-defined networks to provide:
• Automated, transparent insertion of next-generation network security services in software-defined data centers
• Complete next-generation security capabilities for all traffic within the data center
• Dynamic security policies that understand the context of the virtual machines in the data center
https://www.paloaltonetworks.com/partners/vmware.html
While network segmentation addresses the protection of both “north-south” traffic entering and exiting the data centers and “east-west” (VM segmentation) traffic between applications within those data centers on their own segments, it is worth noting a few more considerations for these environments:
• Reliability: Consider active/active high availability for your “north-south” boundary appliances to synchronize their configuration and session information continuously, ensuring that, in the event of a hardware failure, no traffic is lost and performance is not degraded.
• Orchestration and management: Use centralized management to ensure policies can keep pace with the rate of change to your virtualized workloads. In VMware® NSX™ deployments, automate virtualized next-generation security appliance provisioning through predefined APIs.
• Policy consistency: Centrally define and consistently apply policies to all devices to reduce complexity, and use centralized management to serve as a single point of control for all security appliances, both physical and virtual; otherwise gaps in threat protection are possible.
Additionally, extending next-generation security capabilities to your SaaS environments is important to protect data from accidental disclosure and the network from threats originating in SaaS. Ensure only approved SaaS applications are allowed on your network, and then extend your security policies to that of your SaaS applications.

Did you know?
Palo Alto Networks Next-Generation Security Platform provides visibility and control over SaaS applications in your network. Then, among your sanctioned SaaS applications, Palo Alto Networks Aperture™ SaaS security service provides protection of your data in those SaaS environments, with complete visibility across user, folder and file activity to prevent exposure.
Endpoints
To effectively protect all endpoints on the network, IT teams should
enforce the Zero Trust model down to the laptops, PCs, and servers.
Particular attention should be paid to the endpoints where threats
from external sources can impact critical business processes.
For example, endpoints dedicated for use by business process
outsourcing or third-party software developers may warrant greater
protection than employee desktops. Even employee endpoints are
not all created equal. Desktops for bank tellers or financial advisors
are more valuable targets than those of Procurement team members.
This is particularly true where the organization may be running legacy
endpoint systems or those with unpatched or unpatchable systems,
such as Windows XP, which are no longer supported by their
vendors. All endpoints should be covered by your endpoint security
strategy, including virtual and physical desktops, laptops, servers and
ATMs, regardless of patch, signature or software-update levels.4
There are two main threats to the endpoint: executable malware (.exe) and exploits that target specific application vulnerabilities (.doc/.docx, .ppt/.pptx, .pdf, etc.). It is critical to protect against both, but exploit prevention is particularly important, even within whitelisted applications, as zero-day threats can appear at any time.
To effectively protect the endpoint:
• Employ lightweight agents to monitor for both exploit techniques and malicious executables.
• Apply policy-based restrictions: Organizations can easily set up policies restricting specific execution scenarios. For example, you may want to prevent the execution of files in the Outlook® temporary directory or the execution of a particular file type directly from a USB drive.
• Reconsider your antivirus strategy. Antivirus solutions have proven to be ineffective as compromises continue to grow.

The Palo Alto Networks Next-Generation Security Platform is a natively integrated platform that brings network, cloud and endpoint security into a common architecture, with complete visibility and control. This platform approach ensures your organization can detect and prevent attacks, streamlines day-to-day operations, boosts security efficacy, and prevents threats at each stage of the attack lifecycle. https://www.paloaltonetworks.com/products/platforms.html
Security subscriptions on the platform are seamlessly integrated to add protection from both known and unknown threats, classification and filtering of URLs, and the ability to build logical policies based on the specific security posture of a user’s device. https://www.paloaltonetworks.com/products/platforms/subscriptions.html
Palo Alto Networks WildFire cloud-based or on-premises malware analysis environment provides dynamic analysis of suspicious content in a virtual environment to discover unknown threats. It then automatically creates and enforces content-based malware protections. It also detects malicious links in email, proactively blocking access to malicious websites.
4. Laptops can be especially at risk if users are hit with malware on a public network, such as a Wi-Fi hot spot at a hotel or airport. If a returning user then connects an infected laptop to the corporate network, the risk of infecting other systems undetected increases significantly.
Security and IT teams should also enforce the Zero Trust model for mobile and specialized devices. There are three major categories of mobile and specialized devices to consider: Windows® or Mac® laptops, smartphones and tablets (e.g., iPad®, iPhone®, Android™), and specialized devices (ATMs, POS, etc.). Depending on the type of device, these capabilities should be incorporated into the security program for mobile devices, where possible:
• Secure connectivity via a VPN tunnel over the internet to the corporate network should be used to protect
communications.
• All managed devices should be checked for security status ­regularly to ensure they have updated security
protections.
• All mobile malware on the device that could impact the ­institution’s network should be identified and addressed.
• When a device is verified to be up-to-date and clean of malware, granular policies should be established to determine which users and devices can access sensitive applications and data from a mobile device. The policy criteria can be based on application, user, content, device and device state:
◦◦ Identify device types, such as iOS, Android, Windows and Mac devices.
◦◦ Identify device ownership, such as personal (BYOD) or company-issued.
◦◦ Identify undesirable, insecure device states, such as rooted or jailbroken.
◦◦ Apply file blocking based on content and content type.
◦◦ Control data movement between apps on the mobile device.
• On an ongoing basis, the same scanning should be applied as that on the network: ongoing vulnerability
(IPS) and malware protection for mobile threats and URL filtering for malicious websites.
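The device-state criteria listed above (type, ownership, rooted or jailbroken state, currency of protections, presence of malware) combine into a posture decision that gates which applications a device may reach. The following is an added example, not code from the paper or from Palo Alto Networks: a posture check that turns a device report into a list of findings and an access tier. The report fields, the minimum agent version, the seven-day scan window, the tier names and the sample devices are all constructed assumptions for illustration.

```python
# Added example (not from the paper or from Palo Alto Networks): a device
# posture check that turns the mobile-device criteria in the text (type,
# ownership, rooted/jailbroken state, protection currency) into an access
# tier, so that only verified, clean, managed devices reach sensitive
# applications. Thresholds, field names and sample devices are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class DeviceReport:
    device_id: str
    os: str                   # "ios", "android", "windows", "macos"
    ownership: str            # "corporate" or "byod"
    rooted_or_jailbroken: bool
    agent_version: str        # endpoint agent version, e.g. "4.2.1"
    days_since_last_scan: int
    malware_found: bool


MIN_AGENT_VERSION = (4, 2, 0)   # assumed minimum for current protections
MAX_SCAN_AGE_DAYS = 7           # assumed freshness window for the security check


def _version_tuple(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def posture_findings(report: DeviceReport) -> list:
    """List every reason the device fails the security status check."""
    findings = []
    if report.rooted_or_jailbroken:
        findings.append("rooted-or-jailbroken")
    if report.malware_found:
        findings.append("malware-present")
    if _version_tuple(report.agent_version) < MIN_AGENT_VERSION:
        findings.append("agent-outdated")
    if report.days_since_last_scan > MAX_SCAN_AGE_DAYS:
        findings.append("scan-stale")
    return findings


def access_tier(report: DeviceReport) -> str:
    """Map posture to the most sensitive application tier the device may reach."""
    findings = posture_findings(report)
    if "rooted-or-jailbroken" in findings or "malware-present" in findings:
        return "quarantine"   # remediation resources only
    if findings:
        return "general"      # stale protections: email/intranet, no financial applications
    if report.ownership == "byod":
        return "general"      # personal devices never reach sensitive data, even when clean
    return "sensitive"        # managed, clean, current: may reach teller/advisor applications


SAMPLE_DEVICES = [  # constructed
    DeviceReport("ipad-0017", "ios", "corporate", False, "4.2.1", 2, False),
    DeviceReport("android-0421", "android", "byod", False, "4.3.0", 1, False),
    DeviceReport("iphone-0099", "ios", "corporate", True, "4.2.1", 1, False),
    DeviceReport("win-laptop-0310", "windows", "corporate", False, "4.1.7", 3, False),
    DeviceReport("mac-0052", "macos", "corporate", False, "4.2.1", 30, True),
]


def tier_report(devices=SAMPLE_DEVICES) -> dict:
    """Return device_id -> (tier, findings) for every device in the list."""
    return {d.device_id: (access_tier(d), posture_findings(d)) for d in devices}


if __name__ == "__main__":
    for device_id, (tier, findings) in tier_report().items():
        print(f"{device_id:<16} {tier:<10} {', '.join(findings) or 'clean'}")
```

The ordering in `access_tier` is deliberate: a rooted device or one with malware present is quarantined regardless of anything else, stale protections demote a device rather than block it, and ownership is only consulted once the device is known to be clean, matching the "verified to be up-to-date and clean of malware" precondition in the text.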
Advanced or Zero-Day Attack Prevention
Advanced attacks and zero-day malware must be handled swiftly, and automation must be used to ensure threat
prevention immediately upon attack or zero-day discovery. This is critical to prevent subsequent evasion and
attack attempts. When any unknown file attempts to enter a trusted perimeter or network zone, that file should be detonated within an advanced malware execution environment for static and dynamic analysis. Signatures for any newly discovered threats are then automatically generated and published to all subscribed next-generation security appliances.
Moreover, newly discovered command-and-control domains and other malicious website information are
automatically pushed to update URL filtering databases.
Timely Reporting, Threat Intelligence and Correlation
Cohesion between IT, cybersecurity and intelligence professionals is important for reducing the threats to any
network. Coordinate across endpoint, data center, networking and security teams to understand the potential
threats to your financial institution’s network to improve security, ensure immediate access to priority events,
and enable the automatic sharing and distribution of intelligence.
With a next-generation security platform approach, this coordination and collaboration is easier because of
the interoperability across all of the security capabilities discussed above. Individual next-generation security
appliance and management appliance views can be customized per administrator or department while still
sharing a view into alerts and other activities of interest across the financial institution’s network. Refer to
Section V for an overview of specific capabilities that improve this reporting and threat intelligence correlation.
V. THE SECURITY REFERENCE BLUEPRINT FOR FINANCIAL SERVICES IT
The key security principles outlined in this paper can be fully realized with the capabilities of the Palo Alto Networks
Next-Generation Security Platform to protect your organization from endpoint to network core. This section
provides a high-level reference blueprint for Financial Services IT that incorporates the security principles using the
security platform.
While your architecture decisions, including appropriate network segmentation, will be determined by your own
unique network requirements, in this example, the financial institution’s network is segmented into multiple security
zones: a two-part DMZ, a corporate data center zone, private/hybrid cloud, internal corporate access points (campus,
remote offices), and external zones for third parties (partners, vendors, customers). Within the data center, further
segmentation by line of business (e.g., consumer banking, institutional banking, corporate services) is also depicted.
[Figure 2: Financial Services Reference Blueprint. Diagram elements: Software as a Service (SaaS), consumers, online teleworkers, public cloud, third-party services; retail branches (teller, Wi-Fi) and Campus/HQ (Wi-Fi) reached over the internet, a private WAN and a private LAN/WAN; DMZ (web server, VPN gateway, proxy); data center (consumer banking, institutional banking, development, corporate Active Directory (LDAP), private cloud, network security management); next-generation security appliances (physical and VM-Series virtual) at each zone boundary; GlobalProtect, Aperture, WildFire appliance, Traps and Panorama.]
* All Palo Alto Networks security appliances can be either physical or virtual
All traffic into and out of all zones (DMZ, data center, etc.) can be scanned by Palo Alto Networks next-generation appliances – virtual or physical – to guard against malicious payloads or inappropriate data leakage with the enforcement of policies leveraging the aforementioned application, user and content identification.
• URL filtering: Enables access to all whitelisted sites with bandwidth control for designated categories and more.
• Known threat prevention: Detects and blocks common or known malware on the network. Command-and-control signatures flag both inbound and outbound requests to malicious domains, protecting your data from being stolen, while DNS sinkhole technology allows an administrator to redirect any outbound request to a malicious domain or IP address to an internal IP address. This feature prevents those requests from ever leaving the network and compiles a report of compromised machines on which incident response teams can act.
• Advanced or zero-day attack prevention: Advanced threat detection and prevention using a malware execution environment for automatic signature generation for all deployed security appliances. All unidentified files should be sent to the Palo Alto Networks WildFire™ environment for the static and dynamic analysis of potential threats. This capability can be deployed as an on-premises appliance or as a cloud-based subscription service. Data on previously unknown, zero-day threats that are identified is automatically distributed to all subscribed ­WildFire customers.
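The report of compromised machines that the DNS sinkhole bullet above refers to can be built from the appliance's own logs. The following is an added example, not code from the white paper or from Palo Alto Networks; it reads a constructed, simplified CSV log rather than the vendor's log format, and the sinkhole address, internal ranges and resolver address are assumed values. It shows why sinkholing identifies the infected host even when the DNS query passes through an internal recursive resolver: the DNS record only carries the resolver's address, but the victim's subsequent connection to the sinkhole address carries its own.

```python
import csv
from io import StringIO
from ipaddress import ip_address, ip_network

# Assumed values (constructed for this example): the internal address the
# appliance substitutes into answers for sinkholed domains, the internal
# address ranges, and the internal recursive resolver.
SINKHOLE_IP = ip_address("10.255.255.254")
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
INTERNAL_RESOLVERS = {ip_address("10.0.0.53")}

# Constructed sample log in a simplified CSV form (not the vendor's log format).
# "dns-sinkhole" rows record an answer the appliance rewrote; "traffic" rows
# record sessions the appliance saw.
SAMPLE_LOGS = """\
time,type,src,dst,dport,detail
2016-09-02T08:00:01,dns-sinkhole,10.0.0.53,198.51.100.53,53,updates.evil-example.test
2016-09-02T08:00:02,traffic,10.1.4.20,10.255.255.254,443,tcp
2016-09-02T08:00:05,traffic,10.1.4.20,10.255.255.254,443,tcp
2016-09-02T08:01:10,dns-sinkhole,192.168.7.9,198.51.100.53,53,cdn.evil-example.test
2016-09-02T08:01:11,traffic,192.168.7.9,10.255.255.254,80,tcp
2016-09-02T08:02:00,traffic,10.1.4.21,203.0.113.10,443,tcp
"""


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def _new_entry(ts):
    return {"sessions": 0, "ports": set(), "domains": set(),
            "first_seen": ts, "last_seen": ts}


def sinkhole_report(log_text):
    """Return the sinkholed domains and the internal hosts that reached the sinkhole."""
    hosts = {}
    domains = set()
    for row in csv.DictReader(StringIO(log_text)):
        src, dst = ip_address(row["src"]), ip_address(row["dst"])
        if row["type"] == "dns-sinkhole":
            domains.add(row["detail"])
            # A query relayed by the internal resolver carries the resolver's
            # address, not the victim's, so only a host that queried an external
            # server directly is identified from the DNS record itself.
            if is_internal(src) and src not in INTERNAL_RESOLVERS:
                entry = hosts.setdefault(str(src), _new_entry(row["time"]))
                entry["domains"].add(row["detail"])
                entry["last_seen"] = row["time"]
        elif row["type"] == "traffic" and dst == SINKHOLE_IP and is_internal(src):
            # The victim then connects to the sinkhole address it was handed,
            # which exposes its real address regardless of which resolver it used.
            entry = hosts.setdefault(str(src), _new_entry(row["time"]))
            entry["sessions"] += 1
            entry["ports"].add(int(row["dport"]))
            entry["last_seen"] = row["time"]
    return {"sinkholed_domains": sorted(domains), "compromised_hosts": hosts}


def format_report(report):
    """Render the report as one line per compromised host for the response team."""
    lines = ["Sinkholed domains: " + ", ".join(report["sinkholed_domains"])]
    for host, e in sorted(report["compromised_hosts"].items()):
        lines.append(f"{host}: {e['sessions']} session(s) to sinkhole on ports "
                     f"{sorted(e['ports'])}, direct queries for {sorted(e['domains']) or 'none'}, "
                     f"seen {e['first_seen']} .. {e['last_seen']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(sinkhole_report(SAMPLE_LOGS)))
```

On the constructed log, 10.1.4.20 is identified only through its two sessions to the sinkhole address (its query went through the resolver), 192.168.7.9 is identified both from its direct query and its session, and the resolver itself is not listed even though the rewritten answer was delivered to it.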
DMZ
The DMZ is externally facing as shown in Figure 2. The outer portion of the DMZ provides the primary line
of defense, including protection against DDoS attacks with the Palo Alto Networks Next-Generation Security
Appliance. Behind it, at the inner portion of the DMZ, is either a virtual or physical appliance that limits traffic
toward the internal network and implements first-level URL and content filtering for outbound traffic.
Note that, while the diagram illustrates a single security appliance for the network perimeter, it can also easily be configured with a separate security appliance for each external entry point, such as online customers using a mobile app via the internet or branch tellers using a private WAN. This may be warranted to reduce the fault domain and suit business-specific change control windows.
A separate security appliance controls traffic into
and out of the data center zone. Using the Zero
Trust model, the security platform is programmed
to reject all traffic that is not whitelisted. This
ensures that only authenticated applications,
users or content can enter the network.
Corporate Data Center Zone
Remote and external users, such as branch tellers and ATMs, access the data center zone via a WAN or the internet, while internal users and mobile devices (e.g., laptops, tablets and smartphones) in the corporate HQ zone access it via a private WAN or LAN. Desktop computers and servers in the Campus/HQ zone are protected by another security appliance, ensuring those systems are not vulnerable to attack. Furthermore, different departments may also be segmented from one another to provide additional compartmentalization.
Palo Alto Networks Traps advanced endpoint protection is designed to identify exploits as they attempt to execute and block the execution of malicious code. Traditional antivirus software depends on malware signatures, which may not always be up-to-date in the case of zero-day malware or exploits. Rather than run as a separate process scanning for malware, the Traps agent automatically injects itself into each process as it is started and monitors all application activity, looking for patterns of behavior that are unusual or that have been seen with previously documented exploits. When it identifies such behavior, the agent will automatically trigger and block the advanced attack that would otherwise evade detection.
The use of private and public clouds is growing rapidly, so the cloud zones are also protected by their own
next-generation security appliance (physical or virtual) instances.
For orchestration, Palo Alto Networks offers an XML management API that enables external cloud
orchestration software to connect over an encrypted SSL link to manage and configure the next-generation
security appliances. The exhaustive and fully documented REST-based API allows configuration parameters
to be seen, set and modified as needed. Turnkey service templating can be defined for cloud orchestration
software, so that the security features within the next-generation security appliance become part of the data
center workflow. Palo Alto Networks Panorama can also centralize management to ensure policies keep pace
with the rate of change to your virtualized workloads. In VMware NSX deployments, automated appliance
provisioning is accomplished through predefined APIs.
The Palo Alto Networks VM-Series virtualized appliances support the same security features available with
the physical appliances, allowing for the safe enablement of applications flowing into and across your private,
public and hybrid cloud computing environments. The VM-Series supports VMware® ESXi™, NSX™ and
vCloud® Air™, Amazon® Web Services (including AWS® GovCloud), Microsoft® Azure™, KVM/OpenStack™
(open source), and Citrix® Netscaler® SDX™. For a complete list of private and public cloud security
considerations, refer to Security Considerations for Private vs. Public Clouds.
Endpoints
Due to the challenges with patch management, current software levels on endpoints are difficult to maintain.
Traps, with its multi-method prevention techniques for malware and exploits, can serve as a compensating
control and is also a suitable replacement for antivirus.
Internal endpoints (e.g., Windows® XP with SP3, Windows Vista®, Windows 7, Windows 8.1, Windows 10)
and Windows Server® platforms (e.g., Windows Server 2003, Windows Server 2008, Windows Server 2012)
can be protected with Palo Alto Networks Traps™ advanced endpoint protection to ensure that any exploits
on vulnerable systems, regardless of patch status, are immediately thwarted. The agent will automatically
prevent attacks with blocking techniques, such as thread injection. When unknown .exe files are discovered,
the Traps agent will automatically query the WildFire threat intelligence cloud with a hash and submit any
unknown .exe files to assess their standing within the community.
Mobile devices (including both PCs and handheld devices) can be protected by Palo Alto Networks
GlobalProtect™ network security client for endpoints. All unidentified files should be sent to the WildFire
environment for the static and dynamic analysis of potential mobile threats. Enable GlobalProtect with two-factor authentication for even more protection for mobile devices.
Centralized Monitoring and Management
Panorama™ network security management enables you to control your distributed network of our next-generation security appliances from one central location. View all your next-generation security appliance traffic, manage all aspects of device configuration, push global policies, and generate reports on traffic patterns or security incidents — all from a single console. Panorama reduces network complexity with logical, functional device groups, simplifies network management with easy, global policy control, and reduces the time threats linger on your network with actionable data highlighting critical information for response prioritization. Leading automated threat correlation enables users to detect advanced threats that would otherwise go unnoticed by connecting the dots between indicators of compromise (IoCs) across your entire network.
Palo Alto Networks GlobalProtect consists of 3 components:
GlobalProtect Gateway
Prevents mobile threats and enforces policy based on applications, users, content, device and device state. Extends a VPN tunnel to mobile devices with the GlobalProtect application. Integrates with the advanced malware analysis environment to prevent new malware.
GlobalProtect Application
Manages the device, provides device state information, like encryption status, and establishes secure connectivity. Connects to the GlobalProtect Gateway to access applications and data in accordance with policy. Exchanges device configuration and device state with the GlobalProtect Mobile Security Manager.
GlobalProtect Mobile Security Manager
Provides device management to configure the device. Uses advanced malware signatures to identify devices with infected applications. Shares information about the device and device state with the GlobalProtect Gateway for enforcing security policies. Hosts an enterprise app store for managing business apps. Isolates business data by controlling lateral data movement between business and personal apps.
Threat Intelligence and Correlation
The combination of these products and their integrated reporting capabilities allows security administrators to coordinate insights to improve security, ensure immediate access to priority events, and enable the automatic sharing and distribution of intelligence.
This coordination and collaboration is easier with interoperability across all of the security capabilities discussed above. Individual next-generation security appliance and management appliance views can be customized per administrator or department while still sharing a view into alerts and other activities of interest across the institution’s network.
Within your own financial services network, Palo Alto Networks provides prioritized, actionable security intelligence on attacks that merit immediate attention in the AutoFocus™ contextual threat intelligence service.
AutoFocus builds on billions of threat artifacts from over 10,000 WildFire subscribers and applies unique
large-scale statistical analysis, human intelligence from the Palo Alto Networks threat intelligence team, and
tagged indicators from your organization and a global community of cybersecurity experts who are also using
the service. AutoFocus provides full context on attacks, such as the perpetrator(s), how they are attempting to
compromise the network, and if any indicators of compromise are already present on the network. Moreover,
AutoFocus can filter security intelligence explicitly for the financial services industry.
Often, the same industry faces attacks by the same adversary, which rationalizes the need to share intelligence within the community. Palo Alto Networks Threat Intelligence Cloud community enables swift sharing
of threat signatures so that all parties can benefit from threats discovered across all organizations and within
your industry, while AutoFocus enables organizations within the same industry to understand what others
have already seen within their networks.
Through MineMeld, an open-source tool, organizations can integrate public, private and commercial intelligence feeds. Moreover, AutoFocus can also feed indicators into MineMeld, which can then automatically create new prevention controls for Palo Alto Networks security appliances. Ultimately, this enables organizations to take action on the indicators of compromise (IoCs) by generating new prevention-based enforcement for their security services.
Migration to Palo Alto Networks Next-Generation Security Platform
When you are ready to realize the threat prevention benefits of the Palo Alto Networks Next-Generation
Security Platform, the Palo Alto Networks Migration Tool5 makes it easy to migrate from IP/port-based
firewall rules in legacy firewalls4 to application-based rules in Palo Alto Networks next-generation appliances
while minimizing the risks of the change. As previously shown in Figure 1, the Palo Alto Networks Application
Command Center depicts the top applications and sources that you can use in establishing visibility to
understand the needs of your particular organization while making decisions on how best to reduce risk.
5. The Palo Alto Networks Migration Tool is compatible with Juniper, Cisco, Check Point, Fortinet and McAfee configuration files.
A phased approach via documented change control is highly recommended. Successful deployments typically first perform a like-for-like migration of firewall rules to the Palo Alto Networks appliance. Then, after about 15 days, the deployment team uses the migration tool to begin the iterative process of defining application-based policies to replace the legacy port-based rules. After the last migration phase, the port-based rules are removed and the application-based policies remain.
In future phases, the deployment team can work with the institution’s business departments to take full
advantage of the application policies’ technology by restricting access to individual applications based on the
desired criteria (for example, Active Directory security groups or location-based user IP address ranges).
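As an added illustration of the phased migration described above (example code, not the Palo Alto Networks Migration Tool and not code from this paper), the following Python maps a constructed set of legacy port-based rules onto the applications observed through each rule during the like-for-like phase, flags applications seen on a non-standard port for review, marks rules that carried no traffic as removal candidates, and lists sessions that matched no allow rule and so would be dropped once only the application-based policies remain. The rule shape, zone names, application names (including the custom "teller-portal") and the default-port table are all assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PortRule:
    """A legacy IP/port-based allow rule (constructed shape, not a vendor format)."""
    name: str
    src_zone: str
    dst_zone: str
    proto: str
    dport: int

    def matches(self, session):
        src_zone, dst_zone, proto, dport, _app = session
        return (src_zone, dst_zone, proto, dport) == (
            self.src_zone, self.dst_zone, self.proto, self.dport)


# Constructed legacy rule set, migrated like-for-like in the first phase.
LEGACY_RULES = [
    PortRule("allow-web", "campus", "dmz", "tcp", 443),
    PortRule("allow-teller-app", "branch", "datacenter", "tcp", 8443),
    PortRule("allow-legacy-ftp", "campus", "datacenter", "tcp", 21),
]

# Constructed sessions observed while the port rules were in place, with the
# application identified on each: (src_zone, dst_zone, proto, dport, app).
# "teller-portal" is an assumed custom application name.
OBSERVED = [
    ("campus", "dmz", "tcp", 443, "ssl"),
    ("campus", "dmz", "tcp", 443, "ssl"),
    ("campus", "dmz", "tcp", 443, "ssh"),         # ssh carried over the web port
    ("branch", "datacenter", "tcp", 8443, "teller-portal"),
    ("branch", "datacenter", "tcp", 22, "ssh"),   # matched no legacy allow rule
]

# Standard ports for the applications this example knows about (assumed table;
# applications absent from it, such as custom apps, are accepted as observed).
DEFAULT_PORTS = {"ssl": {443}, "web-browsing": {80}, "ssh": {22}, "ftp": {21}}


def plan_migration(rules, observed):
    """Map each port rule to the applications seen through it and flag oddities."""
    plan = {r.name: {"apps": set(), "review": set(), "unused": True} for r in rules}
    unmatched = []
    for session in observed:
        rule = next((r for r in rules if r.matches(session)), None)
        if rule is None:
            unmatched.append(session)      # nothing allows it: denied under default-deny
            continue
        app = session[4]
        entry = plan[rule.name]
        entry["unused"] = False
        defaults = DEFAULT_PORTS.get(app)
        if defaults is not None and rule.dport not in defaults:
            entry["review"].add(app)       # app on a non-standard port: confirm before allowing
        else:
            entry["apps"].add(app)
    return {
        "rules": {name: {"apps": sorted(e["apps"]), "review": sorted(e["review"]),
                         "unused": e["unused"]} for name, e in plan.items()},
        "unmatched": unmatched,
    }


def render_app_rules(rules, plan):
    """Produce human-readable application-based rules from the plan (not vendor syntax)."""
    lines = []
    for rule in rules:
        entry = plan["rules"][rule.name]
        if entry["unused"]:
            lines.append(f"{rule.name}: no traffic observed; candidate for removal")
            continue
        lines.append(f"{rule.name}: {rule.src_zone} -> {rule.dst_zone} allow "
                     f"apps {entry['apps']} on their default ports")
        for app in entry["review"]:
            lines.append(f"{rule.name}: REVIEW {app} seen on {rule.proto}/{rule.dport}")
    for s in plan["unmatched"]:
        lines.append(f"unmatched: {s[4]} {s[0]} -> {s[1]} {s[2]}/{s[3]} "
                     f"(denied once port rules are removed)")
    return lines


if __name__ == "__main__":
    print("\n".join(render_app_rules(LEGACY_RULES, plan_migration(LEGACY_RULES, OBSERVED))))
```

The point of the review list is the one the paper makes about port-based rules: "allow-web" lets ssh through because it only sees tcp/443, while the application-based replacement allows ssl alone and turns the ssh session into a decision the business owner has to make explicitly.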
VI. CONCLUSION
Financial institutions that implement effective security controls with a network segmentation focus can
protect critical operational environments and data against compromise. In an environment characterized by
legacy platforms, multiple solutions, and diverse content sources, the great challenge is to implement new
security controls that reduce the attack surface and improve protections without causing disruptions and
outages. Properly deployed as outlined above, the reference blueprint described here can improve legacy
network efficiency and defeat advanced malware attacks by positively controlling applications, users and
content everywhere across the network, all while enabling even the most demanding business users. Notably,
financial institutions can start their journey with the Palo Alto Networks Next-Generation Security Platform
at the network perimeter or at the endpoint to complement existing security investments. Adoption of
additional elements of the platform will further improve your cybersecurity posture.
For more information, please visit the Palo Alto Networks website at www.paloaltonetworks.com.
4401 Great America Parkway
Santa Clara, CA 95054
Main:+1.408.753.4000
Sales:+1.866.320.4788
Support:+1.866.898.9087
www.paloaltonetworks.com
© 2016 Palo Alto Networks, Inc. Palo Alto Networks is a
registered trademark of Palo Alto Networks. A list of our
trademarks can be found at http://www.paloaltonetworks.
com/company/trademarks.html. All other marks mentioned
herein may be trademarks of their respective companies.
fsi-banking-reference-wp-090216