Prevent Patient Zero: A Closer Look at Traps 3.2

Summary

Existing endpoint security approaches that rely on malware identification can’t prevent sophisticated zero-day attacks, because such attacks have no known malicious signatures, strings, or behaviors to identify and match against. As a result, compromised endpoints must await detection and remediation.

Our Advanced Endpoint Protection solution, Traps, takes a different approach that prevents advanced attacks originating from executables, data files, or network-based exploits—both known and unknown—before malicious activity can cause harm to the endpoints in your organization.

Here are some of the exciting new features in Traps 3.2, which we officially announced this week, as well as technical resources to help you learn more about Advanced Endpoint Protection.

New and Improved Protection Modules

Our unique focus on exploit and malware technique prevention is the center of our Advanced Endpoint Protection solution, intercepting the attacker at the core of the attack and preventing patient zero. While preventing just one technique would thwart the entire threat, our team continues to develop new prevention modules to prepare for the unthinkable, adding four more modules to the long list of inimitable protection.

For more information, see Exploit Prevention Features and Malware Prevention Features.

Unknown Executable Upload to WildFire

This feature bridges the gap between endpoint and network security intelligence by enabling you to automatically submit unknown executable files from the ESM (Endpoint Security Manager) to WildFire for further analysis.


For more information, see Unknown File Submission to WildFire.

Hash Control, Local Override of WildFire Verdicts

This powerful feature gives the administrator the ability to import local hashes into the ESM and override WildFire verdicts for their local network without impacting the global WildFire verdict.

For more information, see Local Override of WildFire Decisions.

Improved Scalability

Improvements in scalability and speed enable the Advanced Endpoint Protection solution to support large deployments, with extended support for 50K Traps agents per ESM and multiple ESM Server support.

For more information, see Multi-ESM Support.

Restriction Whitelisting

Want to apply execution restrictions on your endpoints but fear it will limit your work process? You can now configure restriction whitelists to control your global policies more granularly and to increase business flexibility without the security risk.

For more information, see Global Whitelist Functionality.

WildFire Inspection Reports

To provide greater clarity into WildFire hash verdicts, you can now view reports for any executable file that WildFire has previously analyzed. The WildFire report, which is available in PDF format, includes information that you can use to further analyze and manage a WildFire verdict.

For more information, see View WildFire Reports.

Automated Security Event Analysis

Traps prevention kicked in and you want to know more? This forensic feature provides secondary analysis of a Traps security event by automatically analyzing the memory records to extract data and scan for traces of malicious activity, such as Heap Spray and ROP chains.

For more information, see Forensics Overview.

Customizable Prevention and Notification Pop-Ups

You can now customize the title, footer, and display image for prevention and notification pop-ups that Traps displays when a security event occurs on the endpoint. Traps displays prevention messages when a file or process violates a security policy and the termination behavior is configured to block the file. Traps displays notification messages when the notify behavior is configured to alert the user.

Traps Localization

The Traps Console is available in 7 languages: English, German, French, Spanish, Japanese, Chinese Simplified, and Chinese Traditional.

For more information, see Traps Localization.

Expanded Support

Traps is one of the few products that can protect all applications across nearly every Windows-based platform, both virtual and physical, even those that are no longer supported. Traps is now also supported on Windows Vista and Windows Server 2008 and on non-English Windows Operating Systems.

For more information, see Supported Traps Installations.

Improved Syslog and SIEM Integrations

You can now integrate your Syslog server with Splunk, a third-party monitoring tool, which you can use to analyze log data. Find the Palo Alto Networks Splunk app that now supports Traps at https://apps.splunk.com/app/491/.

Want More?

Here are a few resources to add to your Advanced Endpoint Protection 3.2 reading list!

  • New Features Guide: Your go-to resource for all the new features in 3.2.
  • Administrator’s Guide: Contains installation procedures and configuration workflows to get you up and running quickly.
  • Release Notes: Provides important information about the Advanced Endpoint Protection 3.2 software including known issues and limitations.

Pro tip: On the documentation search, use the OS Version > 3.2 facet to filter results for only documentation about Advanced Endpoint Protection 3.2.

[Palo Alto Networks Blog]

Palo Alto Networks-AirWatch Integration: A Breakthrough In Mobile Security

VMware has been at the forefront of disruption in the datacenter, changing the notion of what it means to build the infrastructure that supports tomorrow’s applications and workloads. We’re proud to work very closely with VMware to deliver the necessary security for the dynamic, virtualized data center.

But VMware is also a driving force for change in mobile computing, with its AirWatch technology providing the means for organizations to manage applications and data on both corporate and BYOD smartphones and tablets. Palo Alto Networks and VMware are proud to announce an expansion of our relationship to address the security requirements for mobile computing.

Users expect to access applications (both internal and in the cloud) at any time, and this introduces complexities to an organization that must make access secure. There are many concerns, including the use of mobile devices in an unsafe manner, the ongoing risk of exploits and malicious content, and the potential that a user may bring an infected device to work and expose the corporate network.

The new integrated capabilities between AirWatch and Palo Alto Networks address these needs by providing a tight link between the device state, security policy on what it can access, and threat intelligence on dangerous content.

There are three key integration points between AirWatch and Palo Alto Networks technology:

  • Malware Detection: Palo Alto Networks WildFire identifies known and previously unknown mobile malware. By integrating the intelligence provided by WildFire with AirWatch, joint customers can identify infected applications and take immediate and automated action for security and containment, such as creating an application blacklist.
  • Network Protection: Organizations need to make sure only approved devices are used with sensitive applications and networks. AirWatch integration with Palo Alto Networks GlobalProtect HIP (Host Information Profile) provides a direct tie between information about the mobile device, its configuration and what data and applications the device can access.
  • VPN and Network Security: Palo Alto Networks GlobalProtect provides a secure connection between AirWatch managed mobile devices and the Palo Alto Networks Next-Generation Firewall at the device or application level utilizing per-app VPN. This ensures there is consistent inspection of traffic and enforcement of network security policy for threat prevention, wherever the user goes.

These capabilities open the doors to new possibilities, for they allow organizations to support mobile computing and make it safe by providing the necessary security to address risk. Together with AirWatch we deliver true protection for mobile devices by addressing security at multiple levels: device security, network security, and application security.

To learn more about GlobalProtect, visit: http://paloaltonetworks.com/globalprotect

To learn more about VMware AirWatch, visit: http://www.air-watch.com/

[Palo Alto Networks Blog]

Palo Alto Networks AutoFocus: Actionable Cyber Threat Intelligence Like You’ve Never Seen Before

Trying to find advanced, targeted attacks can be an exercise in frustration, akin to finding a needle in a haystack. With so many potential threats traversing your network, how do you know which ones to pay attention to – and what actions to take to prevent damage?

It’s a challenge faced by security practitioners each day, who are overwhelmed by security data and alerts from a variety of intelligence sources and third-party contributions. The problem isn’t a lack of data, but finding the events important to your organization, often in the intelligence you already have available. No one wants an attack to pass through, but there are simply too many “alerts” to follow up on.

At Palo Alto Networks we have been working with our customers to answer this challenge, and like everything we do, we envisioned how we could approach it differently. We weren’t going to introduce “yet another” threat intelligence service that only adds to the problem. We sought to transform the industry by solving the critical question of how you focus limited security resources on the unique attacks, from the hundreds of alerts you receive today. And then, how do you turn those prioritized indicators into real, actionable cybersecurity intelligence – not just a data dump from which you can’t draw real conclusions?

We are excited to bring you an answer. Today at Ignite 2015 in Las Vegas, Palo Alto Networks officially announced AutoFocus: an innovative cyber threat intelligence service that provides prioritized, actionable intelligence on the attacks an organization must respond to. Using AutoFocus, you receive intelligence in a context specific to your network and industry, including the unique threats targeting you or your industry, information on adversaries and how attacks fit into campaigns, with the tools to quickly investigate related indicators.

What do you gain with AutoFocus? True threat intelligence, which we define as the ability to take a more proactive and timely stance against advanced attacks to shut them down before attackers can achieve their ultimate objectives, and understand how to prevent them in the future.

How AutoFocus works

The AutoFocus service gives security practitioners access to intelligence derived from an ever-expanding ecosystem of the service’s users. Through this approach, it provides:

  • Priority alerts — Prioritized alerts of targeted, advanced attacks based on statistical analysis, human intelligence from Unit 42, and tagged indicators from a customer’s own network, as well as a global community of security experts using the AutoFocus service.
  • Attack context — Web-based dashboard providing the tools to quickly investigate the context of attacks, adversaries and campaigns, and distinguish targeted attacks from commodity malware.
  • High-fidelity threat intelligence — Analysis across millions of samples and billions of file artifacts from a rapidly growing pool of over 5,000 global enterprises, service providers and government organizations routinely targeted by advanced, customized attacks.

This is a true advantage in the cybersecurity battle, sourced from the collective insight of all users. It’s not just you against advanced attacks — it is all of us working together in a highly coordinated manner.

Palo Alto Networks is now accepting applications from current customers interested in evaluating AutoFocus through a limited-time Community Access program. We invite you to learn more about AutoFocus, and submit an application for Community Access, by visiting www.paloaltonetworks.com/autofocus. General availability of AutoFocus, including full details on subscription pricing, will be in the second half of 2015.

AutoFocus is one of our big announcements this week at Ignite 2015 in Las Vegas. Follow along over the next few days to learn more about all our Ignite news, from the launch of Traps 3.2 to the latest milestone in our integration with VMware and this year’s honorees in the Cybersecurity Canon. 

[Palo Alto Networks Blog]

Eliminating Passwords in the Enterprise

Passwords can be a pain for everyone. They are not secure and are prone to misuse. Isn’t it time to get rid of them entirely?

While issuing an enterprise credential with a strong password is fairly easy to accomplish, managing that password over the credential’s lifetime is more difficult. User password resets, compromised passwords and a lack of synchronized passwords across enterprise systems all cause problems for users, IT departments and security professionals.

And users truly hate passwords. There are too many to remember, each system has different rules, and there is a lack of standards for reset processes.

A positive associated with passwords is that they are well understood by both providers and end-users. They offer portability, through reuse and single sign-on, and are supported by all identity and access management (IAM) platforms. Corporate policies for using passwords with credentials are also well established.

But, usability and security of password-backed credentials are in decline and a passwordless future is something that keeps coming up in the IAM conversation. So what will it take?

I do not believe it will be any one technology or single method that replaces passwords in enterprise access management. There are simply too many user, business, application and compliance requirements out there for a one-solution-fits-all scenario.

In the online world we have an embarrassing number of authentication options. Biometrics examples include the iPhone fingerprint reader and the up-and-coming Nymi band. Hardware tokens have been here for a while. Smartphone tokens work fairly well. And this stuff is not really all that new—in 2007 I blogged about authenticators such as fobs, proximity cards and USB tokens.

With all of these options, it does not seem likely that any one technology will swoop in to corner the market and single-handedly replace passwords. But that’s okay—I don’t think we need a killer authenticator or login process. A better option is a flexible IAM solution that offers adaptive (or context-based) authentication.

Today, access management systems provide a traditional username plus password credential:

Figure 1 – Traditional Access Management

The access manager software has logic that determines that a username and password are required, and both must match the entry in the directory—pretty straightforward stuff. But this is an old approach, invented when users’ screens were green and bellbottoms were cool.

If we want to eliminate passwords, we need a better access manager—one that supports adaptive authentication.

Let’s say we want to improve the experience by accepting either a username plus password, or a username plus equivalent authenticator. And, let’s assume we have issued mobile phones with contact-less technology to our users. In this case, the adaptive authentication process might work something like this:

Figure 2 – Adaptive Access Management

The access rules (white boxes) direct the authentication process. (This is a simple case—using adaptive access management, you can extend this flow to include multiple authenticators and checks.)

As products mature, the flexibility to add logic and capabilities to these processes will increase. The more rules you implement, the more secure—yet potentially just as easy—the access can become.

Wait: you mean secure OR easy, right? Isn’t there always a trade-off? Well, the implementation of adaptive authentication technology may be difficult, but the user experience can be simplified. If all we need is to eliminate passwords, then the alternate authenticator needs to be as strong and, hopefully, easier to manage. If the contact-less smartphone is that authenticator, we meet or improve on both security and ease-of-use.

The point is that the combination of authenticators—aligned with the level of assurance required by the network, application or service—is what matters. It does not matter that a password is involved.
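The rule-driven flow sketched in Figure 2, written out as an added Python example (not the author's code, nor any product's): ordered access rules verify whichever authenticators the user presented, the verified strengths are added up, and the total is compared with the assurance level the requested resource demands. A username plus password, a username plus a contact-less phone response, or both can each satisfy a resource, so the same engine serves the password-only, passwordless and combined cases. The strength values, the resource policy, the challenge-response protocol for the phone and the user data are assumptions constructed for this example.

```python
"""Rule-driven adaptive authentication (added example; not from the article).

Assumed model: a user has a salted password hash and, optionally, an enrolled
contact-less phone holding a shared secret; each resource declares a required
assurance level; ordered access rules examine the presented authenticators
and the engine returns ALLOW, DENY or STEP_UP.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"          # a presented authenticator did not verify
    STEP_UP = "step_up"    # verified so far, but more assurance is required


@dataclass
class User:
    username: str
    salt: bytes
    password_hash: bytes
    phone_secret: Optional[bytes] = None   # None: no contact-less phone enrolled


@dataclass
class LoginAttempt:
    username: str
    password: Optional[str] = None
    challenge: Optional[bytes] = None      # nonce the access manager sent to the phone
    phone_response: Optional[str] = None   # phone's HMAC over that nonce, hex encoded


# Assumed strengths: a possession factor counts for more than a memorised
# secret, and presenting both adds up.
PASSWORD_STRENGTH = 1
PHONE_TOKEN_STRENGTH = 2

# Assumed per-resource assurance requirements (constructed for the example).
RESOURCE_POLICY: Dict[str, int] = {"intranet-wiki": 1, "payroll": 2, "hr-admin": 3}


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def enrol_user(username: str, password: str, phone_secret: Optional[bytes] = None) -> User:
    salt = secrets.token_bytes(16)
    return User(username, salt, hash_password(password, salt), phone_secret)


def issue_challenge() -> bytes:
    """Fresh nonce per login; the phone must answer this exact value."""
    return secrets.token_bytes(16)


def phone_respond(phone_secret: bytes, challenge: bytes) -> str:
    """Simulates the enrolled phone: HMAC of the challenge under its secret."""
    return hmac.new(phone_secret, challenge, "sha256").hexdigest()


# Access rules (the white boxes in Figure 2). Each returns None when the
# authenticator was not presented, 0 when it failed, or its strength.
def rule_password(user: User, attempt: LoginAttempt) -> Optional[int]:
    if attempt.password is None:
        return None
    ok = hmac.compare_digest(hash_password(attempt.password, user.salt), user.password_hash)
    return PASSWORD_STRENGTH if ok else 0


def rule_phone_token(user: User, attempt: LoginAttempt) -> Optional[int]:
    if attempt.phone_response is None or attempt.challenge is None:
        return None
    if user.phone_secret is None:
        return 0   # a response for a user with no enrolled phone is a failure
    expected = phone_respond(user.phone_secret, attempt.challenge)
    return PHONE_TOKEN_STRENGTH if hmac.compare_digest(expected, attempt.phone_response) else 0


RULES = [rule_password, rule_phone_token]


def authenticate(directory: Dict[str, User], attempt: LoginAttempt, resource: str) -> Decision:
    """Run the rules in order; compare achieved assurance with the resource's requirement."""
    user = directory.get(attempt.username)
    if user is None:
        return Decision.DENY
    results: List[Optional[int]] = [rule(user, attempt) for rule in RULES]
    presented = [r for r in results if r is not None]
    if not presented:
        return Decision.STEP_UP        # nothing to verify yet: ask for an authenticator
    if any(r == 0 for r in presented):
        return Decision.DENY           # never step up past a failed factor
    return Decision.ALLOW if sum(presented) >= RESOURCE_POLICY[resource] else Decision.STEP_UP


def demo() -> Dict[str, Decision]:
    """Constructed scenarios: password-only, passwordless and combined logins."""
    secret = b"constructed-phone-secret"
    directory = {"alice": enrol_user("alice", "correct horse battery", secret)}
    nonce = issue_challenge()
    answer = phone_respond(secret, nonce)
    pw = "correct horse battery"
    return {
        "password_for_wiki": authenticate(directory, LoginAttempt("alice", password=pw), "intranet-wiki"),
        "password_for_payroll": authenticate(directory, LoginAttempt("alice", password=pw), "payroll"),
        "phone_only_for_payroll": authenticate(directory, LoginAttempt("alice", challenge=nonce, phone_response=answer), "payroll"),
        "both_for_hr_admin": authenticate(directory, LoginAttempt("alice", password=pw, challenge=nonce, phone_response=answer), "hr-admin"),
        "wrong_password": authenticate(directory, LoginAttempt("alice", password="guess"), "intranet-wiki"),
        "answer_to_old_challenge": authenticate(directory, LoginAttempt("alice", challenge=issue_challenge(), phone_response=answer), "payroll"),
        "unknown_user": authenticate(directory, LoginAttempt("mallory", password="x"), "intranet-wiki"),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:24s} -> {decision.value}")
```

Two design choices carry the article's point. A failed factor always yields DENY rather than a request for another authenticator, so the engine cannot be talked past a wrong credential by piling on more. And the policy is expressed per resource as a required assurance level, not as a password rule, which is exactly the policy change the article says organizations will need before they can retire passwords.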

Once the right technology is implemented, the process to migrate away from passwords is fairly straightforward: offer users an option to log in with their phones and watch the migration occur on its own. In six months, force the switch and you have eliminated passwords entirely.

There is a catch (of course). The organization’s password and access policies will need to change. In my experience, these policies are specific to passwords (length, composition, etc.) and cannot support adaptive authentication as I have just described.

It is critical to create policies and standards for authentication assurance (and identity proofing), based on the sensitivity of information. The types of rule sets necessary to implement compliant adaptive authentication can then be based on clear policy. IAM expertise is needed to do this effectively.

Because business, IT architecture, security and privacy teams need to be on board, the benefits and risks associated with adaptive authentication need to be understood. Critically, the organization’s leadership also needs to be informed of the risks of current password-based access management in order to secure support. All this takes time and skill to do well.

Adaptive authentication, revamped policies and senior management support—that’s what it will take to eliminate passwords. Are you ready to say goodbye to your passwords?

Mike Waddingham
President, Code Technology Corp.
Blogger, CodeTechnology.ca

[ISACA]
