Our recently released PAN-OS 8.0 offers scalable prevention through automation, speed and accuracy. It builds on the powerful capabilities of the Palo Alto Networks Next-Generation Security Platform and empowers financial institutions to prevent today’s advanced threats with better integration and information sharing across the network, endpoints and cloud. This is achieved through automated workflows and security with fast and precise protections that are generated and shared globally.
PAN-OS 8.0 has a number of specific enhancements that security and risk professionals within the financial services industry may find particularly interesting.
Phishing Attack Prevention
Phishing continues to be a highly effective technique to steal user credentials for illicit purposes. Specific to the financial services industry, the theft and subsequent use of these credentials has been reported as a key factor in the fraudulent transfers perpetuated at a number of SWIFT (Society for Worldwide Interbank Financial Telecommunications) member institutions over the past 18 months. Similarly, credential theft likely played a role in the delivery of ATM malware via the internal networks of multiple banks across Asia and Europe over the past year. Consequently, the prevention of phishing attacks and the protection of user credentials are key priorities for security professionals.
- Palo Alto Networks next-generation security appliances can block users from submitting their corporate credentials to untrusted (external) websites based on their URL categorization. This keeps these logins and passwords from falling into the hands of malicious actors, even when well-crafted phishing sites are used.
- Additionally, we now offer the ability to detect and categorize previously unknown phishing sites and update our global customer base of URL categories within five minutes. These timely and frequent updates ensure the next-generation security appliances have the most current information to detect and block access to malicious and phishing sites.
- New authentication policies on our next-generation security appliances may be used to enforce multi-factor authentication (MFA) before users access sensitive, internal resources. In this capacity, our security appliances function as MFA gateways at the network level for disparate applications or resources – even where MFA is not natively supported.
With these additional capabilities in PAN-OS 8.0, financial institutions can better protect their critical and sensitive resources from account takeover (ATO) attacks that use compromised simple or single-factor authentication credentials.
Prevention of Advanced Persistent Threats
Advanced attackers are increasingly using stealthy, persistent methods to evade traditional security measures. Such advanced persistent threats (APT) typically target specific users and/or vulnerable versions of applications. Designed to be inconspicuous, APTs often go unnoticed for long periods before they’re even identified.
Palo Alto Networks prevents APTs by providing up-to-date protections through various stages of the attack. The SWIFT-related and ATM attacks mentioned earlier are examples of multi-stage attacks, where phishing and the introduction of malware likely occurred in the earlier phases.
As part of PAN-OS 8.0, Palo Alto Networks has improved its ability to detect and prevent even the most evasive unknown malware and zero-day exploits. This is accomplished by WildFire automated threat analysis, which:
- Counteracts malware capable of sandbox evasion by using a custom new virtual environment and bare-metal analysis for detonation. These advancements outsmart malware that detects virtual machines used in traditional sandboxing solutions.
- Detects and prevents command-and-control (C2) traffic with new machine learning for accurate and timely automated C2 signature generation, to address rapidly changing host or URL names. This allows continued control of C2 traffic despite arbitrary changes by the attacker to evade detection.
- Provides a more complete perspective on threats targeting your network with the automatic submission of even blocked files to WildFire for analysis. This additional information will improve the efficiency of incident response and threat research.
WildFire does these things and then creates and publishes protections against newly identified malware to all Palo Alto Networks next-generation security appliances in as little as five minutes.
Securing Branch Networks
Many financial institutions continue to be under pressure to reduce expenses. A network of remote offices (e.g., retail branches, back-office sites) contributes to this expense base. In addition to the reduction and/or consolidation of such offices, there has been a movement to adopt broadband internet as a lower-cost WAN (Wide Area Network) transport. In parallel, the growing dependency of remote offices on the internet and SaaS applications demands more efficient solutions than internet access via corporate data centers only. Factoring in the growing SD-WAN (software-defined WAN) market that seamlessly aggregates traditional WAN with internet and even 4G/LTE services, an even greater need to secure remote offices has emerged.
Network segmentation of remote sites from the data center is a good idea and can be done centrally. However, if these offices have their own internet connections – especially with local breakout, then a next-generation security appliance at the remote site is warranted. In addition to securing the internet connection, capabilities such as URL filtering, intrusion prevention, and policies to control branch-to-branch traffic are possible.
As part of the PAN-OS 8.0 announcement, we also introduced two new products that are suitable for remote office deployments. These offer the same next-generation security that is available for data centers, where your critical information resides, to the smallest branch offices serving your end users. They are:
- PA-220: This appliance provides up to 250 Mbps of throughput, and is suitable for rack or wall-mounting.
- VM-50: This virtual form factor appliance provides up to 200 Mbps of throughput. As a part of our VM-Series family, it can run directly on SD-WAN appliances from certain vendors as well.
[Palo Alto Networks Research Center]