SLRexample English V1.1

The document provides a security lifecycle review for NEC covering the period from October 13-20, 2015. It found 320 applications in use, with 104 deemed high risk. A total of 2,653,712 threats were detected, including 2,582,996 vulnerability exploits and 58,809 known threats. The review analyzed applications, threats, and recommendations to reduce risk exposure.

Uploaded by Nguyen Ho Long

SECURITY LIFECYCLE REVIEW

NEC
21 October 2015

Report Period: 7 Days
Start: Tue, Oct 13, 2015
End: Tue, Oct 20, 2015

PREPARED BY:
Calix
Palo Alto Networks

www.paloaltonetworks.com
SECURITY LIFECYCLE REVIEW

EXECUTIVE SUMMARY FOR NEC

Key Findings:
- 320 total applications are in use, presenting potential business and security challenges. As critical functions move outside of an organization's control, employees use non-work-related applications, or cyberattackers use them to deliver threats and steal data.
- 104 high-risk applications were observed, including those that can introduce or hide malicious activity, transfer files outside the network, or establish unauthorized communication.
- 2,653,712 total threats were found on your network, including vulnerability exploits, known and unknown malware, and outbound command and control activity.

The Security Lifecycle Review summarizes the business and security risks facing NEC. The data used for this analysis was gathered by Palo Alto Networks during the report time period. The report provides actionable intelligence around the applications, URL traffic, types of content, and threats traversing the network, including recommendations that can be employed to reduce the organization's overall risk exposure.

Summary figures:
320         APPLICATIONS IN USE
104         HIGH RISK APPLICATIONS
2,653,712   TOTAL THREATS
2,582,996   VULNERABILITY EXPLOITS
58,809      KNOWN THREATS
11,907      UNKNOWN THREATS

Report Period: 7 Days
Start: Tue, Oct 13, 2015
End: Tue, Oct 20, 2015

SECURITY LIFECYCLE REVIEW | PALO ALTO NETWORKS  2
Applications at a Glance

Applications can introduce risk, such as delivering threats, potentially allowing data to leave the network, enabling unauthorized access, lowering productivity, or consuming corporate bandwidth. This section provides visibility into the applications in use, allowing you to make an informed decision on potential risk versus business benefit.

Key Findings:
- High-risk applications such as social-networking, file-sharing and email were observed on the network, which should be investigated due to their potential for abuse.
- 320 total applications were seen on the network across 26 sub-categories, as opposed to an industry average of 226 total applications seen in other High Technology organizations.
- 5.49TB was used by all applications, including general-internet with 2.8TB, compared to an industry average of 4.36TB in similar organizations.

High-Risk Applications

The first step to managing security and business risk is identifying which applications can be abused to cause the most harm. We recommend closely evaluating applications in these categories to ensure they are not introducing unnecessary compliance, operational, or cyber security risk.

Subcategory          NEC   Industry Average
social-networking     30   19
file-sharing          25   19
email                 16   10
encrypted-tunnel       7    6
remote-access          7    7

Number of Applications on Network
NEC                 320
INDUSTRY AVERAGE    226
ALL ORGANIZATIONS   144

Bandwidth Consumed by Applications
NEC                 5.49 TB
INDUSTRY AVERAGE    4.36 TB
ALL ORGANIZATIONS   4.25 TB

Categories with the Most Applications

The following categories have the most application variants, and should be reviewed for business relevance.

Category           NEC   Industry Average
collaboration       84   55
media               75   42
business-systems    60   54
general-internet    58   44
networking          43   35

Categories Consuming the Most Bandwidth

Bandwidth consumed by application category shows where application usage is heaviest, and where you could reduce operational resources.

Category           NEC         Industry Average
general-internet   2.80 TB     722.40 GB
media              1.19 TB     306.18 GB
collaboration      499.53 GB   168.44 GB
networking         474.77 GB   991.42 GB
business-systems   153.15 GB   2.29 TB
Applications that Introduce Risk

The top applications (sorted by bandwidth consumed) for application subcategories that introduce risk are displayed below, including industry benchmarks on the number of variants across other High Technology organizations. This data can be used to more effectively prioritize your application enablement efforts. Risk levels range from 5 (highest) to 1 (lowest).

Key Findings:
- A total of 320 applications were seen in your organization, compared to an industry average of 226 in other High Technology organizations.
- The most common types of application subcategories are photo-video, internet-utility and social-networking.
- The application subcategories consuming the most bandwidth are internet-utility, file-sharing and audio-streaming.

Each panel below gives the subcategory's total bandwidth, the number of application variants seen at NEC versus the industry average, and the top applications by bandwidth.

Email - 275.46GB (16 application variants vs. industry average 10)
TOP EMAIL APPS
smtp               134.32 GB
gmail-base          84.15 GB
yahoo-mail          17.88 GB
imap                11.06 GB
pop3                10.41 GB
gmail-enterprise     8.55 GB
hotmail              5.05 GB
comcast-webmail      1.85 GB

Remote-Access - 32.08MB (7 application variants vs. industry average 7)
TOP REMOTE-ACCESS APPS
telnet                 16.27 MB
vnc-base                7.54 MB
dameware-mini-remote    4.68 MB
rlogin                  1.32 MB
rsh                   902.20 KB
vnc-encrypted         837.95 KB
synergy               582.83 KB

File-Sharing - 1.1TB (25 application variants vs. industry average 19)
TOP FILE-SHARING APPS
bittorrent         740.61 GB
rapidshare         369.67 GB
gnutella             8.98 GB
megaupload           4.65 GB
ftp                  1.06 GB
skydrive-base      647.74 MB
putlocker          557.32 MB
google-drive-web   508.93 MB

Encrypted-Tunnel - 438.11GB (7 application variants vs. industry average 6)
TOP ENCRYPTED-TUNNEL APPS
ssl         423.50 GB
ssh          14.20 GB
ipsec-esp   265.48 MB
dtls        102.54 MB
ike          43.78 MB
ciscovpn      5.76 MB
freenet       3.48 MB

Instant-Messaging - 11.2GB (19 application variants vs. industry average 11)
TOP INSTANT-MESSAGING APPS
qq-base                2.81 GB
facebook-chat          2.60 GB
myspace-im             2.44 GB
google-hangouts-chat   1.19 GB
irc-base               1.07 GB
yahoo-im-base        551.08 MB
msn-base             155.92 MB
chatango             121.06 MB

Social-Networking - 108.48GB (30 application variants vs. industry average 19)
TOP SOCIAL-NETWORKING APPS
facebook-base      66.70 GB
myspace-base       19.32 GB
cyworld             6.48 GB
renren-base         4.60 GB
twitter-base        2.73 GB
ning-base           1.07 GB
google-plus-base    1.03 GB
kaixin001-base    913.97 MB

Photo-Video - 554.8GB (47 application variants vs. industry average 27)
TOP PHOTO-VIDEO APPS
youtube-base        200.84 GB
sling                75.28 GB
ppstream             51.13 GB
rtmp                 46.47 GB
rtp-base             42.35 GB
netflix-streaming    30.86 GB
rtmpe                21.83 GB
dailymotion          19.40 GB

Proxy - 108MB (1 application variant vs. industry average 2)
TOP PROXY APPS
http-proxy   108.00 MB
Applications that Introduce Risk — Detail

Risk  Application           Category          Sub Category        Technology     Bytes      Sessions
5     smtp                  collaboration     email               client-server  134.32GB   1378134
4     gmail-base            collaboration     email               browser-based  84.15GB    422667
3     yahoo-mail            collaboration     email               browser-based  17.88GB    450422
4     imap                  collaboration     email               client-server  11.06GB    47169
4     pop3                  collaboration     email               client-server  10.41GB    50270
4     gmail-enterprise      collaboration     email               browser-based  8.55GB     103021
4     hotmail               collaboration     email               browser-based  5.05GB     184979
3     comcast-webmail       collaboration     email               browser-based  1.85GB     26872
4     ssl                   networking        encrypted-tunnel    browser-based  423.5GB    11136963
4     ssh                   networking        encrypted-tunnel    client-server  14.2GB     3019
2     ipsec-esp             networking        encrypted-tunnel    client-server  265.48MB   192
1     dtls                  networking        encrypted-tunnel    client-server  102.54MB   203
2     ike                   networking        encrypted-tunnel    client-server  43.78MB    3961
3     ciscovpn              networking        encrypted-tunnel    client-server  5.76MB     103
5     freenet               networking        encrypted-tunnel    peer-to-peer   3.48MB     17028
5     bittorrent            general-internet  file-sharing        peer-to-peer   740.61GB   3592036
4     rapidshare            general-internet  file-sharing        browser-based  369.67GB   5759
5     gnutella              general-internet  file-sharing        peer-to-peer   8.98GB     636074
4     megaupload            general-internet  file-sharing        browser-based  4.65GB     6388
5     ftp                   general-internet  file-sharing        client-server  1.06GB     130661
4     skydrive-base         general-internet  file-sharing        browser-based  647.74MB   12930
4     putlocker             general-internet  file-sharing        browser-based  557.32MB   1147
5     google-drive-web      general-internet  file-sharing        browser-based  508.93MB   935
4     qq-base               collaboration     instant-messaging   client-server  2.81GB     393873
3     facebook-chat         collaboration     instant-messaging   browser-based  2.6GB      187599
3     myspace-im            collaboration     instant-messaging   client-server  2.44GB     47734
4     google-hangouts-chat  collaboration     instant-messaging   browser-based  1.19GB     40613
5     irc-base              collaboration     instant-messaging   client-server  1.07GB     9593
4     yahoo-im-base         collaboration     instant-messaging   client-server  551.08MB   150988
4     msn-base              collaboration     instant-messaging   client-server  155.92MB   8794
1     chatango              collaboration     instant-messaging   client-server  121.06MB   38193
4     youtube-base          media             photo-video         browser-based  200.84GB   61412
2     sling                 media             photo-video         client-server  75.28GB    32
4     ppstream              media             photo-video         peer-to-peer   51.13GB    443138
4     rtmp                  media             photo-video         browser-based  46.47GB    13837
3     rtp-base              media             photo-video         client-server  42.35GB    4796
3     netflix-streaming     media             photo-video         browser-based  30.86GB    8694
4     rtmpe                 media             photo-video         browser-based  21.83GB    5549
4     dailymotion           media             photo-video         browser-based  19.4GB     20050
5     http-proxy            networking        proxy               browser-based  108MB      37987
2     telnet                networking        remote-access       client-server  16.27MB    3789
5     vnc-base              networking        remote-access       client-server  7.54MB     441
3     dameware-mini-remote  networking        remote-access       client-server  4.68MB     203
4     rlogin                networking        remote-access       client-server  1.32MB     835
4     rsh                   networking        remote-access       client-server  902.2KB    203
2     vnc-encrypted         networking        remote-access       client-server  837.95KB   400
1     synergy               networking        remote-access       client-server  582.83KB   223
4     facebook-base         collaboration     social-networking   browser-based  66.7GB     2306568
4     myspace-base          collaboration     social-networking   browser-based  19.32GB    555146
4     cyworld               collaboration     social-networking   browser-based  6.48GB     88333
3     renren-base           collaboration     social-networking   browser-based  4.6GB      171428
2     twitter-base          collaboration     social-networking   browser-based  2.73GB     306207
3     ning-base             collaboration     social-networking   browser-based  1.07GB     3171
2     google-plus-base      collaboration     social-networking   browser-based  1.03GB     10621
3     kaixin001-base        collaboration     social-networking   browser-based  913.97MB   65937
SaaS Applications

SaaS-based application services continue to redefine the network perimeter. Often labeled "shadow IT," most of these services are adopted directly by individual users, business teams, or even entire departments. In order to minimize data security risks you need control over the SaaS applications used on your network.

NUMBER OF SAAS APPLICATIONS (40 SaaS apps out of 320 total apps)
NEC                 40
INDUSTRY AVERAGE    43
ALL ORGANIZATIONS   24

PERCENTAGE OF ALL APPLICATIONS
NEC                 12.5%
INDUSTRY AVERAGE    19.03%
ALL ORGANIZATIONS   16.67%

SAAS APPLICATION BANDWIDTH (599.97GB for SaaS apps out of 5.49TB total data flow)
NEC                 599.97 GB
INDUSTRY AVERAGE    142.25 GB
ALL ORGANIZATIONS   109.49 GB

PERCENTAGE OF ALL BANDWIDTH
NEC                 10.67%
INDUSTRY AVERAGE    3.18%
ALL ORGANIZATIONS   2.51%
TOP SAAS APPLICATION SUBCATEGORIES

The following displays the number of applications in each application subcategory. This allows you to assess the most used applications in your organization.

Top SaaS application subcategories by total number of applications
email              10
file-sharing       10
office-programs     5
internet-utility    3

The following shows the top used applications by data movement within the subcategories identified above. Each panel gives the subcategory's total bandwidth and the number of application variants seen at NEC versus the industry average.

Email - 114.48GB (10 application variants vs. industry average 10)
TOP EMAIL APPS
gmail-base          84.15 GB
yahoo-mail          17.88 GB
gmail-enterprise     8.55 GB
comcast-webmail      1.85 GB
aim-mail             1.55 GB
facebook-mail      404.82 MB
gmx-mail            53.86 MB
naver-mail          29.39 MB

File-Sharing - 371.27GB (10 application variants vs. industry average 19)
TOP FILE-SHARING APPS
rapidshare         369.67 GB
skydrive-base      647.74 MB
google-drive-web   508.93 MB
docstoc-base       452.07 MB
dropbox             11.12 MB
sourceforge-base     9.87 MB
office-live          3.71 MB
mendeley-base        3.56 MB

Office-Programs - 4.11GB (5 application variants vs. industry average 6)
TOP OFFICE-PROGRAMS APPS
google-docs-base               3.65 GB
google-calendar-base         324.25 MB
yahoo-calendar                86.46 MB
evernote-base                 39.00 MB
google-calendar-enterprise    21.20 MB

Internet-Utility - 6.71GB (3 application variants vs. industry average 26)
TOP INTERNET-UTILITY APPS
google-analytics       4.31 GB
icloud-base            2.39 GB
yahoo-web-analytics    5.97 MB
TOP SAAS APPLICATIONS

The following displays the top 10 SaaS applications used in your organization and the application usage comparison against your industry peers and all other Palo Alto Networks customers.

Top SaaS Applications by Data Movement

Application        NEC         Industry Average
Rapidshare         369.67 GB   14.67 GB
Blackboard         102.15 GB   2.19 GB
Gmail-Base         84.15 GB    4.83 GB
Yahoo-Mail         17.88 GB    1.14 GB
Gmail-Enterprise   8.55 GB     393.48 MB
Google-Analytics   4.31 GB     867.77 MB
Google-Docs-Base   3.65 GB     3.68 GB
Icloud-Base        2.39 GB     1.86 GB
Comcast-Webmail    1.85 GB     1021.47 MB
Aim-Mail           1.55 GB     244.66 MB
URL Activity

Uncontrolled Web surfing exposes organizations to security and business risks, including exposure to potential threat propagation, data loss, or compliance violations. The most common URL categories visited by users on the network are shown below.

Key Findings:
- High-risk URL categories were observed on the network, including educational-institutions, computer-and-internet-info and web-advertisements.
- Users visited a total of 28,594,018 URLs during the report time period across 58 categories.
- There was a variety of personal and work-related Web activity present, including visits to potentially risky websites.

High-Risk URL Categories

The Web is a primary infection vector for attackers, with high-risk URL categories posing an outsized risk to the organization. Solutions should allow for fast blocking of undesired or malicious sites, as well as support quick categorization and investigation of unknowns.

Category                          NEC       Industry Average
unknown                           288,784   547,365
private-ip-addresses              172,382   864,519
dynamic-dns                         4,940     2,090
proxy-avoidance-and-anonymizers     1,617     4,652

High-Traffic URL Categories

The top 5 commonly visited URL categories, along with industry benchmarks across your peer group, are shown below.

Category                     NEC         Industry Average
EDUCATIONAL-INSTITUTIONS     6,978,479     262,526
COMPUTER-AND-INTERNET-INFO   3,509,999   2,120,568
WEB-ADVERTISEMENTS           2,498,663     931,116
GOVERNMENT                   1,601,924     183,680
SOCIAL-NETWORKING            1,531,091     220,441

Commonly Used URL Categories

The top 20 most commonly visited URL categories are shown below.

SEARCH-ENGINES                          1,445,713
CONTENT-DELIVERY-NETWORKS               1,307,012
INTERNET-PORTALS                        1,057,513
WEB-BASED-EMAIL                         1,004,875
BUSINESS-AND-ECONOMY                      865,040
NEWS                                      832,453
STREAMING-MEDIA                           740,235
SHOPPING                                  666,525
PARKED                                    615,120
ENTERTAINMENT-AND-ARTS                    391,420
REFERENCE-AND-RESEARCH                    358,587
PERSONAL-SITES-AND-BLOGS                  308,953
UNKNOWN                                   288,784
INTERNET-COMMUNICATIONS-AND-TELEPHONY     288,194
FINANCIAL-SERVICES                        262,499
ONLINE-STORAGE-AND-BACKUP                 220,919
SPORTS                                    182,514
PRIVATE-IP-ADDRESSES                      172,382
SHAREWARE-AND-FREEWARE                    159,408
TRAVEL                                    152,163
File Transfer Analysis

Applications that can transfer files serve an important business function, but they also potentially allow for sensitive data to leave the network or cyber threats to be delivered. Within your organization, 241 unique file types were observed, across 44 different file types, delivered via a total of 66 applications. The lists below correlate the applications most commonly used to transfer files with the most prevalent file and content types observed.

Applications (66 total, by number of files transferred)
FLASH          1,049,515
YOUTUBE-BASE      48,291
GOOGLE-EARTH      23,625
SMTP             133,597
WEB-BROWSING         730

File Types (44 total, by number of files transferred)
SHOCKWAVE                1,068,437
MP3                            387
CONFIDENTIAL                   146
FLV                         28,326
MP4                            510
ZIP                         23,625
EMAIL LINK                 133,084
LNK                            146
WORD                            52
HTA (HTML APPLICATION)         315
TORRENT                        292
HTML APPLICATION               146
SSN                            146
JAVA CLASS                     146
Threats at a Glance

Understanding your risk exposure, and how to adjust your security posture to prevent attacks, requires intelligence on the type and volume of threats used against your organization. This section details the application vulnerabilities, known and unknown malware, and command and control activity observed on your network.

Key Findings:
- 2,582,996 total vulnerability exploits were observed in your organization, including brute-force, code-execution and Other.
- 70,716 malware events were observed, versus an industry average of 446,557 across your peer group.
- 104,796 total command and control requests were identified, indicating attempts by malware to communicate with attackers to download additional malware, receive instructions, or exfiltrate data.

Vulnerability Exploits: 2,582,996
  2,104,642: brute-force
    264,397: code-execution
     91,076: overflow
    215,439: Other
Chart: breakdown of vulnerability exploit types, NEC vs. Industry Average vs. All Organizations.

Malware Detections: 70,716
  11,907: Unknown Malware
  58,809: Known Malware
Chart: share of unknown vs. known malware (NEC / Industry Average / All Organizations): unknown 16% / 5% / 12%, known 84% / 95% / 88%.

Command and Control Detections: 104,796
  104,796: Known Connections

Files Leaving the Network

Transferring files is a required and common part of doing business, but you must maintain visibility into what content is leaving the network via which applications, in order to limit your organization's exposure to data loss.

326,375 files potentially leaving the network via 32 different applications.
High-Risk and Malicious File Type Analysis

Today's cyber attackers use a variety of file types to deliver malware and exploits, often focusing on content from common business applications present in most enterprise networks. The majority of commodity threats are delivered via executable files, with more targeted and advanced attacks often using other content to compromise networks.

Key Findings:
- A variety of file-types were used to deliver threats, and prevention strategies should cover all major content types.
- You can reduce your attack surface by proactively blocking high-risk file-types, such as blocking executable files downloaded from the Internet, or disallowing RTF files or LNK files, which are not needed in daily business.

High-Risk File Types

The file types shown represent a greater risk to the organization due to a combination of new vulnerabilities being discovered, existing and unpatched flaws, and prevalence of use in attacks.

74.08% of all files are Shockwave.

File Type      NEC     Industry Average
Email Link     8.43%   16.85%
ZIP            5.14%   32.81%
MSOFFICE       4.92%    1.79%
PE             3.75%    3.12%
Confidential   3.7%     0%

Files Delivering Unknown Malware

We recommend investigating the files that may be used to deliver threats both within your organization, and across your peer group. Together, these trends allow you to take preventive action such as blocking high-risk file types across different user groups.

92.45% of all files are PE.

File Type                            NEC     Industry Average
Microsoft Excel 97 - 2003 Document   5.2%    0.98%
DLL                                  2.35%   1.22%
Application Vulnerabilities

Application vulnerabilities allow attackers to exploit vulnerable, often unpatched, applications to infect systems, which often represent one of the first steps in a breach. This page details the top five application vulnerabilities attackers attempted to exploit within your organization, allowing you to determine which applications represent the largest attack surface.

Key Findings:
- 71 total applications were observed delivering exploits to your environment.
- 2,582,996 total vulnerability exploits were observed across the following top three applications: web-browsing, ftp and smtp.
- 897 unique vulnerability exploits were found, meaning attackers continued to attempt to exploit the same vulnerability multiple times.

                    Applications delivering exploits   Total vulnerability exploits   Unique vulnerability exploits
NEC                 71                                 2,582,996                      897
INDUSTRY AVERAGE    23                                 4,462,180                      358
ALL ORGANIZATIONS   24                                 3,886,896                      306

Vulnerability Exploits per Application (top 5 applications with most detections)

Columns: DETECTIONS | VULNERABILITY EXPLOIT | SEVERITY | THREAT TYPE | CVE ID

web-browsing (2,289,080 detections)
2,639 | Windows Graphics Rendering Engine WMF SetAbortProc Code Execution | Critical | code-execution | CVE-2005-4560
813 | Microsoft Office Access ActiveX Controls Remote Code Execution Vulnerability | Critical | overflow | CVE-2010-0814
811 | Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability | Critical | code-execution | CVE-2009-2530
609 | Microsoft Office PICT Filter Parsing Remote Code Execution Vulnerability | Critical | code-execution | CVE-2008-3021
609 | Microsoft Office PowerPoint Legacy File Format Vulnerability | Critical | code-execution | CVE-2009-0227
609 | Microsoft Windows Paint JPEG Integer Overflow Vulnerability | Critical | overflow | CVE-2010-0028
611 | Novell eDirectory iMonitor Overflow Exploit Vulnerability | Critical | code-execution | CVE-2005-2551; CVE-2006-2496
406 | Microsoft Windows Media Format Runtime Media File Remote Code Execution Vulnerability | Critical | code-execution | CVE-2008-0011
407 | Microsoft Outlook MAILTO URI Parsing Vulnerability | Critical | code-execution | CVE-2008-0110
406 | Microsoft Windows Shell Validation Remote Code Execution Vulnerability | Critical | code-execution | CVE-2010-0027

ftp (68,597 detections)
429 | Internet Explorer DirectAnimationPath Control KeyFrame Method Vulnerability | Critical | code-execution | CVE-2006-4777; CVE-2006-4446
225 | Microsoft Internet Explorer Source Name Buffer Overflow Vulnerability | Critical | code-execution | CVE-2008-4261
204 | Microsoft Visual Studio MSHFLXGD.OCX ActiveX Control Code Execution Vulnerability | Critical | code-execution | CVE-2008-4254
204 | Microsoft Internet Explorer CSS Strings Parsing Memory Corruption Vulnerability | Critical | code-execution | CVE-2007-0943
204 | Internet Explorer DHTML Engine Race Condition Vulnerability | Critical | code-execution | CVE-2005-0553
204 | Microsoft Visual Studio MSCHRT20.OCX ActiveX Control Code Execution Vulnerability | Critical | code-execution | CVE-2008-4256
225 | Microsoft IE COM Object Instantiation Memory Corruption | Critical | overflow | CVE-2005-2087
204 | Ipswitch WS_FTP Server FTP Command Buffer Overrun Vulnerabilities | Critical | overflow | CVE-2003-0772
204 | Microsoft Internet Explorer Print Preview Cross Zone Script Injection Vulnerability | Critical | code-execution | CVE-2008-2259
212 | Microsoft Internet Explorer Vector Markup Language VGX.DLL Remote Buffer Overflow Vulnerability | Critical | code-execution | CVE-2007-1749

smtp (44,947 detections)
1,131 | Microsoft Office PowerPoint Legacy File Format Vulnerability | Critical | code-execution | CVE-2009-0227
1,224 | Windows Media Header Parsing Invalid Free Remote Code Execution Vulnerability | Critical | code-execution | CVE-2009-2498
816 | Microsoft Word RTF Object Parsing Vulnerability | Critical | code-execution | CVE-2008-4031
816 | Microsoft Wordpad and Office Text Converters OLE Data Remote Code Execution Vulnerability | Critical | code-execution | CVE-2009-0087
816 | Microsoft Windows GDI Remote Integer Overflow Vulnerability | Critical | overflow | CVE-2008-2249
408 | Microsoft File Converter Buffer Overflow Vulnerability | Critical | code-execution | CVE-2009-1533
408 | Microsoft DirectShow Remote Code Execution Vulnerability | Critical | overflow | CVE-2010-0480
405 | Microsoft Windows GDI+ PNG Remote Code Execution Vulnerability | Critical | code-execution | CVE-2009-3126
408 | Microsoft Word RTF Object Parsing Vulnerability | Critical | code-execution | CVE-2008-4030
407 | Microsoft Word Memory Corruption Vulnerability | Critical | code-execution | CVE-2008-4024

pop3 (37,963 detections)
1,223 | Windows Media Header Parsing Invalid Free Remote Code Execution Vulnerability | Critical | code-execution | CVE-2009-2498
1,224 | Microsoft Office PowerPoint Legacy File Format Vulnerability | Critical | code-execution | CVE-2009-0227
816 | Microsoft Word RTF Object Parsing Vulnerability | Critical | code-execution | CVE-2008-4031
816 | Microsoft Windows GDI Remote Integer Overflow Vulnerability | Critical | overflow | CVE-2008-2249
816 | Microsoft Wordpad and Office Text Converters OLE Data Remote Code Execution Vulnerability | Critical | code-execution | CVE-2009-0087
393 | Microsoft Office PowerPoint TextHeaderAtom/OutlineTextRefAtom Remote Code Execution Vulnerability | Critical | code-execution | CVE-2009-0556
408 | Microsoft DirectShow Invalid Quicktime File Record Remote Code Execution Vulnerability | Critical | code-execution | CVE-2009-1537
408 | Microsoft Works File Converter Field Length Remote Code Execution Vulnerability | Critical | overflow | CVE-2008-0108
408 | Microsoft File Converter Buffer Overflow Vulnerability | Critical | code-execution | CVE-2009-1533
408 | Microsoft Windows Paint JPEG Integer Overflow Vulnerability | Critical | overflow | CVE-2010-0028

webdav (37,096 detections)
204 | Apache APR_PSPrintf Memory Corruption Vulnerability | High | code-execution | CVE-2003-0245
204 | Microsoft Internet Information Services Could Allow Elevation of Privilege Vulnerability | High | code-execution | CVE-2009-1535
204 | Sun Java System Web Server 7.0u7 WEBDAV Format String | High | overflow | CVE-2010-0388
36,484 | HTTP OPTIONS Method | Info | info-leak | -
Known and Unknown Malware

Applications are the primary vectors used to deliver malware and infect organizations, communicate outbound, or exfiltrate data. Adversaries' tactics have evolved to use the applications commonly found on the network into which traditional security solutions have little or no visibility.

Key Findings:
- 4 total applications were observed delivering malware to your organization, out of 320 total applications on the network.
- Many applications delivering malware are required to run your business, which means you need a solution that can prevent threats, while still enabling the applications.
- While most malware is delivered over HTTP or SMTP, advanced attacks will often use other applications, including those on non-standard ports or employing other evasive behavior.

Malware detections by application (NEC / Industry Average)

Application    Known Malware       Unknown Malware
SMTP           56,562 / 80         11,482 / 164,209
WEB-BROWSING   710 / 71            111 / 9,687
POP3           818 / 13            210 / 2,956
IMAP           719 / 883           104 / 310

4 applications found delivering malware.
Command and Control Analysis

Command-and-control (CnC) activity could indicate that a host in the network has been infected by malware and may be attempting to connect outside of the network to malicious actors, reconnaissance attempts from outside, or other command-and-control traffic. Understanding and preventing this activity is critical, as attackers use CnC to deliver additional malware, provide instruction, or exfiltrate data.

Key Findings:
- 4 total applications were used for command-and-control communication.
- 104,796 total command-and-control requests were seen on your network.
- 0 total suspicious DNS queries were observed.

COMMAND AND CONTROL ACTIVITY BY APPLICATION

The data below represents compromised hosts attempting to connect to external malicious CnC servers.

Application    Requests
WEB-BROWSING   46,740
UNKNOWN-UDP    38,629
SIP            18,939
BITTORRENT        488

Spyware Phone Home: 104,796

Signature                                     Detections
ZeroAccess.Gen Command and Control Traffic    37,413
vbcheman.Gen Command And Control Traffic      13,689
Bot: Mariposa Command and Control              1,216
Upatre.Gen Command And Control Traffic        24,986
Suspicious.Gen Command And Control Traffic       488
WireLurker.Gen Command and Control Traffic     3,360
Trojan-Virtumondo.Phonehome                    4,462
Suspicious user-agent strings                    243
Sipvicious.sundayddr User-Agent Traffic       18,939
Summary: NEC

The analysis determined that a wide range of applications and cyber attacks were present on the network. This activity represents potential business and security risks to NEC, but also an ideal opportunity to implement safe application enablement policies that not only allow business to continue growing, but reduce the overall risk exposure of the organization.

Highlights Include:
- High-risk applications such as social-networking, file-sharing and email were observed on the network, which should be investigated due to their potential for abuse.
- 320 total applications were seen on the network across 26 sub-categories, as opposed to an industry average of 226 total applications seen in other High Technology organizations.
- 2,582,996 total vulnerability exploits were observed across the following top three applications: web-browsing, ftp and smtp.
- 70,716 malware events were observed, versus an industry average of 446,557 across your peer group.
- 4 total applications were used for command and control communication.

Summary figures:
320         APPLICATIONS IN USE
104         HIGH RISK APPLICATIONS
2,653,712   TOTAL THREATS
2,582,996   VULNERABILITY EXPLOITS
58,809      KNOWN THREATS
11,907      UNKNOWN THREATS

Recommendations:
- Implement safe application enablement policies, by only allowing the applications needed for business, and applying granular control to all others.
- Address high-risk applications with the potential for abuse, such as remote access, file sharing, or encrypted tunnels.
- Deploy a security solution that can detect and prevent threats, both known and unknown, to mitigate risk from attackers.
- Use a solution that can automatically re-program itself, creating new protections for emerging threats, sourced from a global community of other enterprise users.
