ASD's Top Cyber Intrusion Mitigation Strategies


How Palo Alto Networks® Can Help With
ASD's Top Cyber Intrusion Mitigation Strategies
Palo Alto Networks: ASD Top 35
Table of Contents
Introduction
Executive Summary
A Systematic Approach to Network Application Whitelisting
Positive Security Model = Application Whitelisting
Application Control With Palo Alto Networks
User-based Policy Control
Defence in Depth: Application Whitelisting + Next-Generation Firewalls
The Last Line of Defence: Next-Generation Endpoint Protection
Top 35 Mitigation Steps – Where Palo Alto Networks Can Help
Introduction
The Australian Signals Directorate (ASD), also known as the Defence Signals Directorate (DSD)
plays a lead role in protecting Australia’s critical infrastructure and other information networks
from cyber intrusions that pose real and present threats to Australia’s national security and
national interests. As part of their cyber security charter, the ASD has defined the top 35 cyber
intrusion mitigation strategies that organisations can implement to help protect the nation’s digital
assets. Within those top 35 strategies, ASD has mandated that four of them be implemented.
Palo Alto Networks is a next generation cyber security company dedicated to the needs of
global government. Today it is used within governments in 72 countries across five continents,
and is serving widely within the military, civilian and intelligence establishments.
Executive Summary
It’s no secret that government networks are among the most targeted of virtually any sector.
The stakes are high and attackers know they must use more evasive tactics to penetrate these
networks. Sadly, many attackers are not only able to penetrate their target network, but often
successfully establish a beachhead and remain undetected for a significant period of time while
continuing evasive and damaging action. This leads to tremendous loss—whether of strategic,
political, monetary or intelligence value.
Additionally, government networks are undergoing change. Many agencies face the challenges of
reducing data centre footprints, virtualising existing services to reduce costs and “go green”, or
of advancing security strategies to thwart advanced attacks in the field or at home. These changes
mean government agencies are demanding more from their cyber security solutions today.
The ASD Top 35 mitigation strategies have been proven to help agencies protect their networks
against targeted attacks. Palo Alto Networks’ Next Generation Security Platform can help agencies not only implement a large number of these strategies, but also supplement and augment these
strategies with capabilities and best practices only provided by a real next generation security
platform, to form an advanced coordinated approach to extensible defence-in-depth.
[Figure: Palo Alto Networks Next-Generation Security Platform – natively integrated, automated and extensible; the next-generation firewall, the threat intelligence cloud and the endpoint exchange threat intelligence with one another]
Next-generation Firewall
• Inspects all traffic
• Safely enables applications
• Blocks network-based threats
• Sends unknown threats to cloud
Next-generation Threat Intelligence Cloud
• Gathers potential threats from network and endpoints
• Analyses and correlates threat intelligence
• Disseminates threat intelligence to network and endpoints
Next-generation Endpoint
• Inspects all processes and files
• Prevents both known and unknown exploits
• Protects fixed, virtual and mobile endpoints
• Lightweight client and cloud based
The Palo Alto Networks Next Generation Security Platform is a flexible and extensible, natively
integrated and automated platform for the detection and prevention of known and unknown
cyber threats. Spanning network and endpoint and augmented by a global Threat Intelligence
Cloud, it has the ability to understand all traffic, no matter which port, protocol or encryption
is used to provide granular control of applications, users, and content. It employs automated
“closed-loop” protection mechanisms that are deployed in-line and that are uniform across
traditional infrastructure at the Internet Edge, the cloud (whether public/private, cloud-delivered
applications, or virtualised infrastructure), and mobile devices.
In its number one mitigation strategy, ASD mandates the whitelisting of applications on the
endpoint. This is critical in preventing targeted malicious code from executing on an endpoint.
Similarly, Palo Alto Networks believes that the whitelisting of applications at the network level
is also critical in defeating targeted attacks. Application whitelisting at the network level greatly
reduces the attack surface and the number of attack vectors into a network, and makes hiding
lateral movement and command-and-control traffic that much more difficult.
A Systematic Approach to Network Application Whitelisting
The best approach to regaining control over your network activity, application or otherwise, is
a systematic one that includes learning what is in use, and by whom, establishing the associated
business requirements in conjunction with the users, documenting associated policies, and then
enforcing them with technology. Equally important is the ongoing policy review and update to
account for changing application and user behaviors.
• Visibility: The old adage “knowledge is power” is appropriate in the quest to regain control
over the applications, users and content at both the workstation and network levels.
Without full knowledge of what users are doing, policy control efforts may miss the mark
entirely, leave gaping holes, or create a user environment in which users are able to take
steps to avoid the controls.
• Policy establishment: Once an in-depth picture of which applications are in use, and by whom,
has been built, appropriate policy rules need to be established that balance the business
requirements outlined by users against the associated risks from a security and business
perspective. Once agreement has been reached, it is critically important that the policy is
documented and that users are made aware, via ongoing education, that these policies are in
place and the reasons why.
• Enforcement and review: Using network and workstation level controls, the next step is to
begin enforcing the established policies. As policies are violated, users should be notified
of their actions via pop-up pages, email alerts or other means. Here too, a balance must be
struck that enables the user, without exerting unreasonable levels of control. Over time, the
policies on what is or is not allowed need to be reviewed and updated.
From a technology perspective there are two approaches to executing a systematic approach
towards regaining control.
• End-point level control: Application whitelisting is a client- or end-point-focused approach
that defines which applications are or are not allowed to be installed (executed). Policies
are established at a central control point that determines what is allowed; all else is
blocked.
• Network level control: Using next-generation firewalls that are designed to identify and
control applications (not ports), such as Palo Alto Networks, is a network level approach
that allows organisations to establish positive security model rules that determine which
applications are allowed, and by default, which applications are implicitly denied.
Both alternatives help organisations work towards the end goal of protecting the network and its
digital assets while enabling users to accomplish their daily tasks. From a defence-in-depth
perspective, application whitelisting and next-generation firewalling are a perfect complement.
The remainder of this paper will focus on how Palo Alto Networks can help Australian organisations
fulfil the #1 mitigation strategy of application whitelisting while assisting in fulfilling many of
the other 35 recommended strategies.
Positive Security Model = Application Whitelisting
By definition, application whitelisting applies the same criteria found in the positive security
model that firewalls adhere to, albeit firewalls apply it at the network level. As a reminder, a
firewall operates on the premise of allowing what is defined by policy, then denying all else
either implicitly or explicitly. This is exactly what application whitelisting does, but at the
client level. The challenge that traditional port-based firewalls face is that their positive
security model policies are defined by ports, protocols and IP addresses, not by applications
specifically, making application-level control under a positive security model nearly impossible.
Palo Alto Networks next-generation firewalls differ from traditional firewalls in that the first
task executed when they see network traffic is to determine what the application is, irrespective
of port, protocol, encryption or evasive technique employed. The application then becomes the basis
of the positive security model policy, which says: allow these specific applications and deny all others.
The knowledge of which application is traversing the network is used to create firewall security
policies, including allow, deny, inspect for threats, apply traffic shaping and more. All policy
decisions are made and enforced at the network level.
Application Control With Palo Alto Networks
At one time, controlling which applications an employee could use was easy. Applications
were tied specifically to a port or protocol, and controlling them was as simple as allow or deny.
Today, application developers want their application to be as easy to access as possible, so
they may not adhere to this convention because it may limit the acceptance of the
application. Today, it is easy to find applications, for both business and personal use, that:
• Are fully functional applications that are browser-based, yet may or may not use port 80.
• Are capable of running off of a high speed USB drive.
• Are client-server applications operating across port 80 or port 443.
• Use SSL, hop ports or both.
These are just a few of the tactics that applications may use to enable user access and at the
same time, enable the application to bypass traditional detection mechanisms. The result is
that organisations have lost the ability to see, much less control the applications traversing
the network.
In order to help organisations regain control over the applications traversing the network at
the firewall, Palo Alto Networks uses up to four different mechanisms: application decoders and
signatures, protocol decoders, heuristics and SSL decryption, to accurately identify more than
1,750 applications, regardless of port, protocol, encryption or evasive tactic employed.
It’s important that the term “application” be clarified since it doesn’t have an industry standard definition. In the context of Palo Alto Networks firewalls, an application is a specific
program or feature of a program that can be detected, monitored, and/or controlled. For
example, Facebook is an application, as is Facebook Chat. Each of them can be detected,
monitored, and controlled independently as part of the positive enforcement security policy.
As traffic traverses the Palo Alto Networks firewall, the applications are identified and graphically
summarised in near-real time, allowing administrators to see what’s happening on the network,
learn more about the application if needed, then make an informed decision on how to treat the
application.
Application visibility: View application activity in a clear, easy-to-read format. Add and remove filters to
learn more about the application, its functions and who is using them.
User-based Policy Control
The identity of the application can be mapped to specific users with User-ID, a technology that
seamlessly integrates Palo Alto Networks firewalls with enterprise directory services (Active
Directory, Exchange, LDAP, eDirectory, Citrix and Microsoft Terminal Services, XML API). With
User-ID, administrators can see exactly who is using the application, and as needed, can enable a
policy to allow (whitelist), deny (blacklist), shape, inspect, schedule, decrypt and more.
Immediate access to the knowledge of which applications are traversing the network, who is using
them, and the potential security risk empowers administrators to quickly and easily determine the
appropriate response. Armed with these data points, administrators can apply policies with a range
of responses that are more fine-grained than allow or deny. Examples include:
• Enable only the IT group to use a fixed set of management applications such as SSH,
telnet, and RDP.
• Block bad applications such as P2P file sharing, circumventors, and external proxies.
• Define and enforce an organisation-wide policy that allows and inspects specific webmail
and instant messaging usage.
• Control the file transfer functionality within an individual application, allowing
application use yet preventing file transfer.
• Identify and block applications using port 80 or 443 that are used to provide anonymous
access to the Internet or to evade traditional firewalls, such as UltraSurf, tor, and CGIproxy.
• Identify and control the transfer of sensitive information such as credit card numbers
or social security numbers, either in text or file format.
• Deploy URL filtering policies that block access to obvious non-work related sites,
monitor questionable sites, and “coach” access to others.
• Implement QoS policies to allow media and other bandwidth intensive applications
but limit their impact on business critical applications.
Palo Alto Networks next-generation firewalls enable customers to deploy application
usage policies to block certain applications, allow specific applications, as well as
inspect them, shape them and schedule their use. This level of control, at the network
layer, is a perfect complement to application whitelisting performed at the end-point.
Unified Policy Editor: A familiar look and feel enables the rapid creation and deployment of policies that control
applications, users and content.
Defence in Depth: Application Whitelisting + Next-Generation Firewalls
By mandating application whitelisting as a top priority in protecting against cyber intrusions,
the Australian Signals Directorate has acknowledged that application control is a critical
component of an agency’s cyber security posture. Taking a complementary, defence-in-depth
approach to cyber security, Palo Alto Networks next-generation firewalls can help agencies
exert an added layer of security at the network level by identifying and controlling applications
using positive security model rules.
The Last Line of Defence: Next-Generation Endpoint Protection
The endpoint represents the last line of defence. Even with application whitelisting enforced,
most endpoints run a large number of applications, some of which have bugs, or unknown
Zero-Day vulnerabilities that could be triggered as part of an exploitation attempt.
We estimate that as many as 5,000 of these new software vulnerabilities emerge each year.
The problem agencies face when trying to defend against Zero-Day attacks is that traditional
solutions rely on prior knowledge or behaviour analysis to detect usage, and are incapable of
preventing Zero-Day attacks since, by definition, they are unknown. In addition, adversaries
can craft an endless number of fully undetectable malware variants. This makes it impossible to
become intimately familiar with every potential threat, which is why we shifted our focus
to the exploit delivery phase of the attack.
Your adversaries—whether nation-state, espionage-oriented, activist group, or black hat
hacker—all share one commonality: they must use the same core exploit techniques to
execute their attack. If an attacker’s critical path for exploitation is known, even when the
vulnerability that is used or the malware planned to be delivered is not, the attack can be
prevented before any malicious activity is ever executed. Only a few new exploitation techniques
are published or used in the wild every few years. For example, the state-of-the-art Stuxnet
attack featured several new Zero-Day exploits, yet it was completely based on known
exploitation techniques.
By addressing the exploit techniques required to execute an attack, Palo Alto Networks has
built modules to mitigate and interfere with the attacker’s exploit techniques. Since an exploit
is always based on a chain of techniques, preventing the use of any technique in the chain will
block the exploitation attempt and the malware delivery entirely. This fundamentally different
approach has enabled Palo Alto Networks to offer a future-proof solution—the EP Series—that
can prevent both known and unknown attacks, regardless of the state of security patches or
updates on the system. Our EP Series raises the bar on security by creating a new category
of preventive cyber-defence that did not exist until now.
With Palo Alto Networks EP Series installed on the endpoint, our proprietary mitigation
modules are injected directly into the process every time a user launches a process. As
this happens, the process initiated by the user continues to run as intended, while the modules
protect it—and the endpoint—from exploitation attempts. Only when an exploit attempt is made
does our EP Series activate the injected traps to block the finite exploit techniques the attacker
must use—so malware is never delivered, and the exploit is prevented!
As our EP Series blocks an exploitation attempt, a real-time picture of the process memory
is taken, detailing the attack source and vectors used in the attempted attack. This forensic
data is sent to the management centre, sharing invaluable information between the network
and the endpoint, thus contributing to a greater threat intelligence.
In addition to our proprietary exploit prevention methods, the EP Series protects against
attacks that rely on the execution of malicious executable files. This component provides the
administrator with a flexible and robust granular policy engine to enforce rules that prevent
social engineering attacks which could endanger the organisation.
TOP 35 MITIGATION STEPS – WHERE PALO ALTO NETWORKS CAN HELP
MITIGATION STRATEGIES
HOW PALO ALTO NETWORKS CAN HELP
Automated dynamic analysis of email and web
content run in a sandbox to detect suspicious
behaviour including network traffic, new or
modified files, or configuration changes.
Palo Alto Networks’ WildFire identifies unknown
malware, zero-day exploits, and Advanced Persistent
Threats (APTs) by directly executing them in a scalable,
virtual sandbox environment.
For Government customers and those that for privacy or
regulatory concerns can’t send information to the Palo
Alto Networks Threat Intelligence Cloud, WildFire is
deployed as a private cloud on a single WF-500
appliance. The WildFire architecture is uniquely designed
to meet the demands of analysing large numbers of
potentially malicious content. To support dynamic
malware analysis across the enterprise’s network at
scale, the virvual malware analysis environment is
shared across all firewalls, as opposed to deploying
single-use hardware at every ingress/egress point
and network point of presence. This approach ensures
maximum sharing of threat information, while
minimising the hardware requirements of the task.
When an unknown threat is discovered, WildFire
automatically generates protections to block the threat
across the cyber kill-chain, sharing these updates with
all subscribers across the globe in as little as 15
minutes. These quick updates are able to stop rapidly
spreading malware, as well as identify and block the
proliferation of all future variants without any additional
action or analysis.
In conjunction with protection from malicious and
exploitive files, WildFire analysis looks deeply into
malicious outbound communication, disrupting
command-control activity with anti-C2 signatures and
DNS-based callback signatures. The information is also
fed into PAN-DB, where newly discovered malicious
URLs are automatically blocked. This correlation of
data and in-line protections are key to identifying and
blocking ongoing intrusions as well as future attacks
on a network.
Extending the next-generation firewall platform
that natively classifies all traffic across hundreds
of applications, WildFire uniquely applies analysis
regardless of ports or encryption, including full
visibility into web traffic, email protocols (SMTP,
IMAP, POP), FTP, and SMB.
Operating system generic exploit mitigation
mechanisms, eg, Data Execution Prevention (DEP),
Address Space Layout Randomisation (ASLR) and
Enhanced Mitigation Experience Toolkit (EMET).
PAGE 9
Palo Alto Networks next-generation endpoint protection
provides comprehensive exploit mitigation and malware
prevention through its proprietary exploit mitigation
technology.
The EP Series can prevent the following vectors of
attack:
• Memory corruption based exploits
• Logic flaws based exploits (including Java exploits)
• An executable spawning a malicious child process
• DLL hijacking
• Hijacking program control flow
• Execution of malware from local folders commonly
utilised by attackers
• Execution from network shares, external storage
devices, and optical drives
• Execution of embedded exe files
Palo Alto Networks: ASD Top 35
MITIGATION STRATEGIES
Automated dynamic analysis of email and web
content run in a sandbox to detect suspicious
Operating system generic exploit mitigation
behaviour including network traffic, new or
mechanisms, eg, Data Execution Prevention (DEP),
modified files, or configuration changes.
Address Space Layout Randomisation (ASLR) and
Enhanced Mitigation Experience Toolkit (EMET).
Network segmentation and segregation into security
zones to protect sensitive information and critical
services such as user authentication by Microsoft
Active Directory.
Software-based application firewall, blocking
incoming network traffic that is malicious or
otherwise unauthorised, and denying network
traffic by default.
Software-based application firewall, blocking
outgoing network traffic that is not generated by
whitelisted applications, and denying network
traffic by default.
Operating system generic exploit mitigation
mechanisms, eg, Data Execution Prevention (DEP),
Address Space Layout Randomisation (ASLR) and
Enhanced Mitigation Experience Toolkit (EMET).
Email content filtering allowing only businessrelated attachment types. Preferably analyse/
convert/sanitise links, PDF and Microsoft Office
attachments.
PAGE 10
Web content filtering of incoming and outgoing
traffic, whitelisting allowed types of web content
and using behavioral analysis, cloud-based
reputation ratings, heuristics and signatures.
Web domain
whitelisting
all domains,
this
Network
segmentation
andfor
segregation
intosince
security
approach
is moresensitive
proactive
and thorough
zones
to protect
information
andthan
critical
blacklisting
a tiny
percentage
of malicious
domains.
services
such
as user
authentication
by Microsoft
command-control activity with anti-C2 signatures and
DNS-based callback signatures. The information is also
fed into PAN-DB, where newly discovered malicious
URLs are automatically blocked. This correlation of
data and in-line protections are key to identifying and
blocking ongoing intrusions as well as future attacks
on a network.
Extending the next-generation firewall platform
that natively classifies all traffic across hundreds
of applications, WildFire uniquely applies analysis
regardless of ports or encryption, including full
visibility into web traffic, email protocols (SMTP,
IMAP,
POP),ALTO
FTP, NETWORKS
and SMB. CAN HELP
HOW PALO
Palo Alto Networks’ WildFire identifies unknown
malware, zero-day exploits, and Advanced Persistent
Palo Alto Networks next-generation endpoint protection
Threats (APTs) by directly executing them in a scalable,
provides comprehensive exploit mitigation and malware
virtual sandbox environment.
prevention through its proprietary exploit mitigation
technology.
For Government customers and those that for privacy or
regulatory concerns can’t send information to the Palo
The EP Series can prevent the following vectors of
Alto Networks Threat Intelligence Cloud, WildFire is
attack:
deployed as a private cloud on a single WF-500
• Memory corruption based exploits
appliance. The WildFire architecture is uniquely designed
• Logic flaws based exploits (including Java exploits)
to meet the demands of analysing large numbers of
• An executable spawning a malicious child process
potentially malicious content. To support dynamic
• DLL hijacking
malware analysis across the enterprise’s network at
• Hijacking program control flow
scale, the virvual malware analysis environment is
• Execution of malware from local folders commonly
shared across all firewalls, as opposed to deploying
utilised by attackers
single-use hardware at every ingress/egress point
• Execution from network shares, external storage
and network point of presence. This approach ensures
devices, and optical drives
maximum sharing of threat information, while
• Execution of embedded exe files
minimising the hardware requirements of the task.
When an unknown threat is discovered, WildFire
automatically
generates
protections
to block
the threat
Using a security
zone-based
architecture,
organisations
across
the cyber
kill-chain,
sharing
theserules
updates
can isolate
restricted
data behind
firewall
thatwith
will
all
subscribers
acrosstothe
globeadded
in as little
segment
the network
provide
levelsasof15
network
minutes.
These
quick updates
are able
to stopzone
rapidly
security. For
purposes
of definition,
a security
is a
spreading
malware,
as wellof
asphysical
identify interfaces,
and block the
logical container
comprised
VLANS
proliferation
of all Using
futurezones,
variants
without any additional
and IP addresses.
organisations
can:
action
or analysis.
• Control
exactly which applications are accessing the
data, forcing them over standard ports.
In•conjunction
with
protection
from malicious
and
Validate which
users
are accessing
the data, and
exploitive
files,applications.
WildFire analysis looks deeply into
associated
malicious
outbound
communication,
disrupting
• Find and
stop the use
of rogue or misconfigured
command-control
applications. activity with anti-C2 signatures and
DNS-based
callback
information
is also
• Identify and
block signatures.
a wide rangeThe
of threats
without
fed degrading
into PAN-DB,
newly
discovered malicious
the where
network
performance.
URLs are automatically blocked. This correlation of
data and in-line protections are key to identifying and
blocking ongoing intrusions as well as future attacks
Through
its integration with VMware’s NSX network
on
a network.
virtualization platform, Palo Alto Networks VM-Series
virtual firewalls
identify, control
and safely
enable
Extending
the next-generation
firewall
platform
applications
between virtual
servers
within
the data
that
natively classifies
all traffic
across
hundreds
centre.
This capability
provides
critical
application
of
applications,
WildFire
uniquely
applies
analysis
whitelistingof
and
segmentation
of servers
at the
regardless
ports
or encryption,
including
fullhypervisor
level. Additionally
full Threat
Prevention
visibility
into web traffic,
email
protocolsfeatures
(SMTP, can be
appliedPOP),
to theFTP,
traffic
including
IMAP,
and
SMB. IPS, AV, anti-spyware/C2,
and anti-malware.The integration with VMware NSX
enables the Palo Alto Networks next-generation
VM-Series to be automatically deployed within every
Palo
AltoESXi
Networks
VMware
server.next-generation endpoint protection
provides comprehensive exploit mitigation and malware
prevention through its proprietary exploit mitigation
technology.
In addition to Microsoft Exchange, Palo Alto Networks
The
EP Series
canemail
prevent
the following
vectors
of in
identifies
66 other
applications
that can
be used
attack:
firewall security policies. For those email applications
• Memory
corruption
based exploits
that
are allowed,
organisations
can also identify and
• Logic
flaws
basedsuch
exploits
(including
Java exploits)
control
50+
file types
as .doc,
.docx, PDF.
• An executable spawning a malicious child process
• DLL hijacking
• Hijacking program control flow
of malware
from local
folders
commonly
As• aExecution
complement
to the application
visibility
and
control
utilised
by
attackers
enabled by App-ID, URL categories can be used as a match
• Execution
from network
criteria
for policies.
Instead ofshares,
creatingexternal
policies storage
that are
devices,
and
optical
drives
limited to either allowing all or blocking all behavior, URL
• Execution
of embedded
exe files
category
as a match
criteria allows
for exception based
behavior, resulting in increased flexibility, yet more
granular policy enforcement. Examples of how using URL
categories
can bezone-based
used in policies
include: organisations
Using
a security
architecture,
• Identify
and allow exceptions
generalrules
security
can
isolate restricted
data behindtofirewall
that will
policies
users who
may belong
multiple
groups
segment
thefor
network
to provide
addedtolevels
of network
outgoing network traffic that is not generated by
whitelisted applications, and denying network
traffic by default.
Palo Alto Networks: ASD Top 35
Email content filtering allowing only businessrelated attachment types. Preferably analyse/
convert/sanitise links, PDF and Microsoft Office
attachments.
MITIGATION STRATEGIES
Automated dynamic analysis of email and web
content run in a sandbox to detect suspicious
Web content filtering of incoming and outgoing
behaviour including network traffic, new or
traffic, whitelisting allowed types of web content
modified files, or configuration changes.
and using behavioral analysis, cloud-based
reputation ratings, heuristics and signatures.
Web domain whitelisting for all domains, since this
approach is more proactive and thorough than
blacklisting a tiny percentage of malicious domains.
Deny direct internet access from workstations by
using an IPv6-capable firewall to force traffic
through a split DNS server, an email server or an
authenticated web proxy server.
Restrict access to Server Message Block (SMB) and
NetBIOS services running on workstations and on
servers where possible.
and anti-malware.The integration with VMware NSX
enables the Palo Alto Networks next-generation
VM-Series to be automatically deployed within every
VMware ESXi server.
In addition to Microsoft Exchange, Palo Alto Networks
identifies 66 other email applications that can be used in
firewall security policies. For those email applications
that are allowed, organisations can also identify and
control 50+ file types such as .doc, .docx, PDF.
HOW PALO ALTO NETWORKS CAN HELP
Palo Alto Networks’ WildFire identifies unknown malware, zero-day exploits, and Advanced Persistent Threats (APTs) by directly executing them in a scalable, virtual sandbox environment.

For Government customers, and those that for privacy or regulatory reasons cannot send information to the Palo Alto Networks Threat Intelligence Cloud, WildFire is deployed as a private cloud on a single WF-500 appliance. The WildFire architecture is designed to meet the demands of analysing large volumes of potentially malicious content. To support dynamic malware analysis across the enterprise’s network at scale, the virtual malware analysis environment is shared across all firewalls, as opposed to deploying single-use hardware at every ingress/egress point and network point of presence. This approach ensures maximum sharing of threat information while minimising the hardware requirements of the task.

When an unknown threat is discovered, WildFire automatically generates protections to block the threat across the cyber kill-chain, sharing these updates with all subscribers across the globe in as little as 15 minutes. These quick updates are able to stop rapidly spreading malware, as well as identify and block the proliferation of all future variants without any additional action or analysis.

In conjunction with protection from malicious and exploitive files, WildFire analysis looks deeply into malicious outbound communication, disrupting command-and-control activity with anti-C2 signatures and DNS-based callback signatures. The information is also fed into PAN-DB, where newly discovered malicious URLs are automatically blocked. This correlation of data and in-line protections is key to identifying and blocking ongoing intrusions as well as future attacks on a network.

Extending the next-generation firewall platform that natively classifies all traffic across hundreds of applications, WildFire applies analysis regardless of ports or encryption, including full visibility into web traffic, email protocols (SMTP, IMAP, POP), FTP, and SMB.

As a complement to the application visibility and control enabled by App-ID, URL categories can be used as match criteria for policies. Instead of creating policies that are limited to either allowing all or blocking all behaviour, URL category as a match criterion allows for exception-based behaviour, resulting in increased flexibility and more granular policy enforcement. Examples of how URL categories can be used in policies include:
• Identify and allow exceptions to general security policies for users who may belong to multiple groups within Active Directory (e.g., deny access to malware and hacking sites for all users, yet allow access to users that belong to the security group).
• Allow access to the streaming media category, but apply QoS to control bandwidth consumption.
• Prevent file download/upload for URL categories that represent higher risk (e.g., allow access to unknown sites, but prevent upload/download of executable files from unknown sites to limit malware propagation).
• Apply SSL decryption policies that allow encrypted access to finance and shopping categories but decrypt and inspect traffic to all other URL categories.

Palo Alto Networks fully supports IPv6, including IPv6 dynamic routing protocols.

Using next-generation application-based firewall security policies, access to SMB and NetBIOS can be controlled by user or user group at the network level, regardless of port.
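The URL-category bullets and the SMB/NetBIOS paragraph above both rely on one property of a positive security model: rules are evaluated top-down and the first match wins, so an exception only takes effect if it is placed above the general rule it carves out of, and an application that is never allowed falls to the implicit deny whatever port it uses. The following is an added example written for this page, not PAN-OS configuration or vendor code: a small first-match policy engine whose rules match on user group, identified application, URL category and destination zone, with file blocking, QoS and decryption attached to allow rules. Group names, zone names, category labels and application labels are assumptions made here for illustration.

```python
"""First-match firewall policy with URL category, user group and application
as match criteria.

Added example for this page; it is not PAN-OS configuration or vendor code.
Rules are evaluated top-down and the first match wins, so an exception only
works if it sits above the general rule it carves out of. Group names, zone
names, category labels and application labels are assumptions made here.
"""
from dataclasses import dataclass

ANY = "any"


@dataclass
class Session:
    """What the firewall knows after identifying the traffic (constructed)."""
    user: str
    groups: frozenset
    app: str            # identified from the session content, not from the port
    url_category: str   # category of the destination URL; "" for non-web traffic
    dst_zone: str
    dst_port: int = 0   # carried for illustration only; no rule below consults it
    file_type: str = "" # set when a file transfer is seen inside the session


@dataclass
class Rule:
    name: str
    action: str                                  # "allow" or "deny"
    groups: frozenset = frozenset({ANY})
    apps: frozenset = frozenset({ANY})
    categories: frozenset = frozenset({ANY})
    dst_zones: frozenset = frozenset({ANY})
    block_file_types: frozenset = frozenset()    # file blocking attached to an allow
    qos_class: str = ""                          # QoS class attached to an allow
    decrypt: bool = False                        # decrypt matched SSL for inspection

    @staticmethod
    def _hit(allowed, value):
        return ANY in allowed or value in allowed

    def matches(self, s: Session) -> bool:
        group_ok = ANY in self.groups or bool(self.groups & s.groups)
        return (group_ok and self._hit(self.apps, s.app)
                and self._hit(self.categories, s.url_category)
                and self._hit(self.dst_zones, s.dst_zone))


def evaluate(rules, s: Session) -> dict:
    """Top-down, first match wins; no match means the implicit inter-zone deny."""
    for r in rules:
        if not r.matches(s):
            continue
        verdict = {"rule": r.name, "action": r.action,
                   "qos": r.qos_class, "decrypt": r.decrypt}
        if r.action == "allow" and s.file_type and s.file_type in r.block_file_types:
            verdict["action"] = "deny"
            verdict["reason"] = f"{s.file_type} transfer blocked for category {s.url_category}"
        return verdict
    return {"rule": "interzone-default", "action": "deny", "qos": "", "decrypt": False}


WEB = frozenset({"web-browsing", "ssl"})

POLICY = [
    # Exception first: the security group may reach malware/hacking sites ...
    Rule("sec-team-research", "allow", groups=frozenset({"sec-team"}),
         apps=WEB, categories=frozenset({"malware", "hacking"}),
         dst_zones=frozenset({"untrust"})),
    # ... and everyone else is denied those categories.
    Rule("block-malware-hacking", "deny", categories=frozenset({"malware", "hacking"})),
    Rule("streaming-with-qos", "allow", apps=WEB,
         categories=frozenset({"streaming-media"}),
         dst_zones=frozenset({"untrust"}), qos_class="low"),
    Rule("unknown-sites-no-exe", "allow", apps=WEB, categories=frozenset({"unknown"}),
         dst_zones=frozenset({"untrust"}), block_file_types=frozenset({"exe"})),
    Rule("finance-shopping-no-decrypt", "allow", apps=frozenset({"ssl"}),
         categories=frozenset({"finance", "shopping"}),
         dst_zones=frozenset({"untrust"}), decrypt=False),
    Rule("web-decrypt-and-inspect", "allow", apps=WEB,
         dst_zones=frozenset({"untrust"}), decrypt=True),
    # SMB/NetBIOS to servers only for the admin group, whatever port it rides on;
    # there is no general SMB allow, so other users fall to the implicit deny.
    Rule("smb-admins-only", "allow", groups=frozenset({"workstation-admins"}),
         apps=frozenset({"ms-ds-smb", "netbios-ss"}), dst_zones=frozenset({"servers"})),
]

# Same rules with the exception placed below the general deny: the analyst's
# request now matches the deny first and the exception is dead.
MISORDERED = [POLICY[1], POLICY[0]] + POLICY[2:]
```

Two things are worth noticing when running it. First, the analyst in the security group is allowed by POLICY but denied by MISORDERED, which is exactly the ordering mistake that turns a documented exception into a rule that never fires. Second, the SMB session carries a destination port that no rule reads: the admin's SMB is allowed on a non-standard port and the ordinary user's SMB on 445 is denied, because the decision is made on the identified application and the user's group, not on the port.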
MITIGATION STRATEGIES

Operating system generic exploit mitigation mechanisms, e.g., Data Execution Prevention (DEP), Address Space Layout Randomisation (ASLR) and Enhanced Mitigation Experience Toolkit (EMET).

HOW PALO ALTO NETWORKS CAN HELP

Palo Alto Networks next-generation endpoint protection provides comprehensive exploit mitigation and malware prevention through its proprietary exploit mitigation technology.

The EP Series can prevent the following vectors of attack:
• Memory corruption based exploits
• Logic flaw based exploits (including Java exploits)
• An executable spawning a malicious child process
• DLL hijacking
• Hijacking program control flow
• Execution of malware from local folders commonly utilised by attackers
• Execution from network shares, external storage devices, and optical drives
• Execution of embedded exe files

Copyright ©2014, Palo Alto Networks, Inc. All rights reserved. Palo Alto Networks, the Palo Alto Networks Logo, PAN-OS, App-ID and Panorama are trademarks of Palo Alto Networks, Inc. All specifications are subject to change without notice. Palo Alto Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Palo Alto Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. PAN_WP_ASD-Top35_091614
Palo Alto Networks, 4401 Great America Parkway, Santa Clara, CA 95054. Main: +1.408.753.4000. Sales: +1.866.320.4788. Support: +1.866.898.9087. www.paloaltonetworks.com
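DEP and ASLR, the mitigations the strategy above names, only protect a process when the image was linked to allow them: the loader reads the NX_COMPAT and DYNAMIC_BASE bits from the PE optional header's DllCharacteristics field, and ASLR additionally needs the image's relocations to be present. The following is an added example written for this page, not Palo Alto Networks code: it parses those header fields so a practitioner can audit which deployed binaries actually opt in. The sample images are constructed headers, not real executables; the field offsets are those of the PE/COFF format.

```python
"""Report whether a Windows PE image opts in to DEP, ASLR and CFG.

Added example for this page; it is not Palo Alto Networks code. The loader
decides DEP/ASLR participation from the optional header's DllCharacteristics
field and the COFF Characteristics field; this reads the same fields. The
sample images are constructed headers, not real executables.
"""
import struct

# Optional-header DllCharacteristics bits (PE/COFF specification).
HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR with high-entropy addresses
DYNAMIC_BASE = 0x0040      # image may be relocated at load: ASLR opt-in
NX_COMPAT = 0x0100         # DEP opt-in
GUARD_CF = 0x4000          # Control Flow Guard
# COFF Characteristics bit: relocations stripped, so the image cannot be moved.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001


def pe_mitigations(data: bytes) -> dict:
    """Parse DOS, PE, COFF and optional headers and report the opt-in flags.

    Caveat: the flags are the image's request. 64-bit Windows enforces DEP for
    64-bit processes regardless of NX_COMPAT, and a mandatory-ASLR policy (as
    EMET provides) can relocate a relocatable image lacking DYNAMIC_BASE, so a
    missing flag means "relies on system policy", not "unprotected".
    """
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (_machine, _nsections, _timestamp, _symptr, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                      # COFF header is 20 bytes
    if opt_size < 72 or len(data) < opt + 72:
        raise ValueError("optional header too short")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):      # PE32 / PE32+
        raise ValueError(f"unexpected optional header magic 0x{magic:x}")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ layouts.
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    pe32plus = magic == 0x20B
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    dynamic_base = bool(dllchars & DYNAMIC_BASE)
    return {
        "pe32plus": pe32plus,
        "dep": bool(dllchars & NX_COMPAT),
        "dynamic_base": dynamic_base,
        "relocs_stripped": relocs_stripped,
        "aslr": dynamic_base and not relocs_stripped,   # both are required
        "high_entropy_aslr": pe32plus and dynamic_base and bool(dllchars & HIGH_ENTROPY_VA),
        "cfg": bool(dllchars & GUARD_CF),
    }


def build_sample(dllchars: int, pe32plus: bool = True,
                 relocs_stripped: bool = False) -> bytes:
    """Constructed minimal headers: DOS stub, PE signature, COFF and optional header."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    magic, opt_size, machine = (0x20B, 240, 0x8664) if pe32plus else (0x10B, 224, 0x14C)
    characteristics = 0x0002 | (IMAGE_FILE_RELOCS_STRIPPED if relocs_stripped else 0)
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dllchars)
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt)


# Constructed sample images standing in for binaries found on a workstation.
SAMPLES = {
    "hardened.exe": build_sample(NX_COMPAT | DYNAMIC_BASE | HIGH_ENTROPY_VA | GUARD_CF),
    "legacy32.exe": build_sample(0, pe32plus=False),
    "stripped-relocs.exe": build_sample(DYNAMIC_BASE, relocs_stripped=True),
}


def audit(samples=SAMPLES) -> dict:
    """Mitigation report for every sample, keyed by name."""
    return {name: pe_mitigations(img) for name, img in samples.items()}


if __name__ == "__main__":
    for name, r in audit().items():
        print(f"{name:20} DEP={r['dep']!s:5} ASLR={r['aslr']!s:5} CFG={r['cfg']}")
```

The third sample is the case an extension-of-the-checkbox audit misses: it sets DYNAMIC_BASE but has its relocations stripped, so the loader cannot move it and ASLR is not in effect despite the flag. On a real fleet the same function can be run over the files under Program Files and the system directories to find the legacy images that EMET or an endpoint agent must cover.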
MITIGATION STRATEGIES

Network segmentation and segregation into security zones to protect sensitive information and critical services such as user authentication by Microsoft Active Directory.

HOW PALO ALTO NETWORKS CAN HELP

Using a security zone-based architecture, organisations can isolate restricted data behind firewall rules that segment the network, providing added levels of network security. For purposes of definition, a security zone is a logical container comprised of physical interfaces, VLANs