Traps “Recommended” in NSS Labs Advanced Endpoint Protection Test

We are excited to announce that Palo Alto Networks Traps advanced endpoint protection has achieved a “Recommended” rating, and is positioned in the upper-right corner of the NSS Labs AEP Security Value Map (SVM), indicating outstanding protection and low total cost of ownership.

Attackers must complete a certain sequence of events to successfully accomplish their objectives, whether stealing information or running ransomware. Nearly every attack relies on compromising an endpoint, and although most organizations have deployed endpoint protection, infections are still common.

By combining multiple methods of prevention, Traps stands apart in its ability to protect endpoints. Traps blocks security breaches and successful ransomware attacks that leverage malware and exploits, known or unknown, before they can compromise an endpoint. The NSS Labs AEP test validates Palo Alto Networks prevention-first philosophy.

The Palo Alto Networks Security Operating Platform addresses these challenges by integrating network, cloud and endpoint security with threat intelligence to provide automated protection that prevents successful cyberattacks. Our platform natively integrates security capabilities across the entire ecosystem and applies them at the right place, addressing all stages of an attack lifecycle.

NSS Labs performed an independent test of Palo Alto Networks Traps v4.1. The product was subjected to thorough testing at the NSS Labs facility in Austin, Texas, based on the Advanced Endpoint Protection (AEP) Test Methodology v2.0, which is available at www.nsslabs.com. This test was conducted free of charge, and NSS did not receive any compensation in return for our inclusion.

Highlights from the test include:

  • 100% malware delivered via docs and scripts blocked
  • 100% exploits detected and blocked
  • 100% evasions blocked
  • 0% false positives
  • Low TCO due to high block rate and low operational overhead

Read the full report.


[Palo Alto Networks Research Center]

See the Graph Security API in Action at RSA Conference 2018

Today, Microsoft announced the public preview of their Microsoft Graph Security API. The security API enables a single point of programmatic access to aggregated security insights from Microsoft and partner security solutions, as well as business information from other Microsoft Graph entities (Office 365, Azure Active Directory, Intune, and more) that can add high-value context to threat analysis.

Palo Alto Networks has built a proof-of-concept application to demonstrate our ability to consume alerts from the Graph API, enrich those alerts with additional threat intelligence from AutoFocus, and send alert notifications to the Graph API. This information has the potential to provide security teams with a holistic view of their environment, and enable more coordinated policy updates, to ensure a consistent security posture across the security portfolio. We will be demonstrating a proof of concept for these use cases at the Microsoft Intelligent Security Graph demo station at RSA (booth 3501 in the Moscone North Exhibit Hall).

Because Context Matters

Traditional security approaches are suited to protecting against known threats, and adversaries get around these defenses by making slight changes to existing exploits and attack vectors. Microsoft and Palo Alto Networks actively hunt to identify these variants, new attack profiles, and IPs (indicators of compromise and attacks, collectively) being used by bad actors for attacks, exfiltration, and command and control.

You can minimize your exposure to these attacks by blocking at the network layer, and we have built a proof of concept to show how we can both add this additional contextual information to any alerts surfaced through the security API and take action on those alerts to block the attacker IPs and domains across all of the Palo Alto Networks next-generation firewalls deployed in your environment.

For the demo, we will showcase an application that uses the security API to poll alerts from multiple security solutions – in this case, we’ll focus on an alert from Azure Security Center. The alert is enriched with additional information from Panorama and AutoFocus, and action is taken to block the threat across all of the firewalls deployed within the customer environment. For this scenario:

  1. Azure Security Center detects communication to a malicious IP address, likely a command-and-control server. The alert is surfaced in Security Center and, via the security API, in our demo application.
  2. Our demo application then correlates the alert with logs from Panorama to determine whether this attack has been detected by a firewall. The application also queries AutoFocus, our threat intelligence service, to pull all of the information we know about that attack: the attacker, the family of this attack, indicators of compromise, and known IPs and domains used by these attackers for their activities.
  3. The demo application will then update the tags of the original alert, via the security API, with the threat intelligence from AutoFocus – sharing these added insights with other security products that integrate with the Graph.
  4. Finally, the demo application can then be used to block the malicious IPs associated with the attack. In the future, the security API will enable programmatic response, such as updating the policies on all your firewalls to block this traffic in the event they are not already configured to do so.

Today, you can create automated playbooks to update your firewall policies via Panorama based on Security Center alerts. In the future, this orchestration will be enabled via the security API across providers and consumers connected to the Graph.
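The poll/enrich/tag/block loop from the four steps above, written out as an added example that is not the demo application's code: it runs offline on a constructed alert shaped like a Graph Security API alert (the field names are real, the values are made up), a constructed lookup table standing in for an AutoFocus query, and it assumes the PATCH body for /security/alerts/{id} carries the updated tags plus vendorInformation. The internal-range filter is the check a practitioner adds before pushing anything toward a firewall block list.

```python
import ipaddress
# Constructed sample alert shaped like a Graph Security API alert resource (id, tags,
# vendorInformation, networkConnections are real field names; values are made up).
SAMPLE_ALERT = {
    "id": "constructed-alert-0001",
    "tags": ["existing-tag"],
    "vendorInformation": {"provider": "ASC", "vendor": "Microsoft"},
    "networkConnections": [
        {"destinationAddress": "198.51.100.23", "destinationPort": "443"},
        {"destinationAddress": "10.0.0.5", "destinationPort": "445"},  # internal peer
    ],
}

# Constructed lookup standing in for an AutoFocus query (hypothetical data).
THREAT_INTEL = {
    "198.51.100.23": {
        "family": "ExampleRAT", "actor": "constructed-actor",
        "related_ips": ["198.51.100.23", "203.0.113.7", "not-an-ip"],
        "related_domains": ["c2.example.invalid"],
    },
}
# Ranges that must never reach a firewall block list (explicit list rather than is_global,
# which would also reject the documentation-range IPs used in the sample).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def public_ip(value):
    """Parse an address; None for malformed or internal ones."""
    try:
        ip = ipaddress.ip_address(value or "")
    except ValueError:
        return None
    return None if any(ip in net for net in INTERNAL_NETS) else str(ip)

def external_destinations(alert):
    """Public destination IPs from the alert's network connections (step 1)."""
    conns = alert.get("networkConnections", [])
    return [ip for ip in (public_ip(c.get("destinationAddress")) for c in conns) if ip]

def enrich(alert, intel):
    """PATCH body for /security/alerts/{id} (steps 2-3): existing tags are kept, intel
    context is appended; vendorInformation is echoed back (assumed required by PATCH)."""
    tags = list(alert.get("tags", []))
    for ip in external_destinations(alert):
        hit = intel.get(ip)
        if hit:
            for tag in (f"autofocus:family={hit['family']}", f"autofocus:actor={hit['actor']}"):
                if tag not in tags:
                    tags.append(tag)
    return {"tags": tags, "vendorInformation": alert["vendorInformation"]}

def block_list(alert, intel):
    """De-duplicated public IPs and domains to push to the firewalls (step 4);
    malformed or internal intel entries are dropped rather than pushed."""
    ips, domains = set(external_destinations(alert)), set()
    for ip in list(ips):
        hit = intel.get(ip, {})
        ips.update(p for p in map(public_ip, hit.get("related_ips", [])) if p)
        domains.update(hit.get("related_domains", []))
    return {"ips": sorted(ips), "domains": sorted(domains)}
```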

Give Me More Data!

The logical next question is how to enable alerting from Palo Alto Networks firewalls to feed into the Intelligent Security Graph. We have also developed a Palo Alto Networks Provider as part of this proof of concept. Applications and services consuming alert data through the security API can access alerts from our firewalls via the API and this provider. This provider could be extended in the future to enable more functions from the Panorama API, such as implementing policy updates and blocking.

There are two components for this proof of concept: a provider application that acts as the intermediary between Panorama and the security API, and the Microsoft Graph Security API Demo App that is subscribed to our provider. To enable applications to subscribe to Palo Alto Networks alerts via the Graph, we did the following:

  1. Register this demo provider with the Microsoft Security Graph.
  2. Microsoft Graph Security API Demo App subscribes to notifications from our provider.
  3. When new alerts are available, our demo provider will send a webhook notification to the Microsoft Demo App.
  4. After receiving the notification that new alerts are available, Microsoft Demo App will query our provider to retrieve the security alerts.

What’s Next?

Microsoft and Palo Alto Networks are working together to help our customers better defend against increasingly sophisticated attacks. In fact, we are one of the founding members of the Microsoft Intelligent Security Association. We are partnering across multiple teams and products to share alerts and threat intelligence to enable faster detection, remediation, and prevention so your organization can stay ahead of these attacks. The proofs of concept demonstrated here at RSA are just the first steps in our collaboration.

Stop by the Microsoft booth, #3501, in the Moscone North Exhibit Hall to view these demos in action, and you can learn more about Palo Alto Networks just a few feet away at booth #3715. You can also learn more about the Microsoft Graph Security API by following this link.

[Palo Alto Networks Research Center]

Digital Transformation Gets Easier When Security Just Works

When I ask customers what they like about Palo Alto Networks, their answer is consistent: it just works. They can operate efficiently and prevent successful cyberattacks. Our Security Operating Platform is built for automation – it has to be easy to operate if we’re going to help our customers achieve digital transformation.

You may not recognize the name “Security Operating Platform” because we have recently changed it from “Next-Generation Security Platform.” We feel this new name better reflects its unique value. The components of the platform are integrated, making it easy to operate and automate manual tasks.

In my last blog post, I noted that the hardest part of digital transformation isn’t deciding on vendors or deploying new technologies, but instead getting people to think differently and change how they work. One of the recommendations shared, based on what I’ve been hearing for months now in my time spent with our customers and partners, is that organizations should bring stakeholders together and out of their silos to create cross-functional teams.

Whether we call these teams “agile” or something else, this mode of working requires support from a platform that can automate workflows, meet compliance and provide consistent enforcement across network, cloud and endpoints. If the technology is not designed to support workflow across the environment, it is not going to support these cross-functional teams.

We continue to expand the platform and add automation. A decade ago, we invented the Next-Generation Firewall, enabling organizations to adopt security best practices using app-, user- and content-based policies and applying a Zero Trust approach throughout. We added cloud-based security services for threat detection and prevention in what we call our first evolution. These services use the next-generation firewalls as sensors and for automated enforcement. In our second evolution, we extended the platform to include endpoint and cloud security. The security services integrate with the cloud and endpoint security to share intelligence and automate enforcement.

Now, in our third evolution, we have further extended our automated approach to ecosystem partners. Innovative apps developed by us, by third parties, or by your own teams, can access a security data set that is specific to your environment, as well as access shared threat intelligence. The apps can monitor, detect and report on threats, automate workflows, and meet compliance. As threats evolve, we believe automation and analytics that work across cloud, network and mobile devices are required to detect and stop sophisticated attacks.

We’ll see you at RSA Conference this week and hopefully at our Ignite ’18 Security Conference next month, where we’ll be celebrating disruption and digital transformation. I look forward to hearing from you – come experience our Security Operating Platform for yourself.

[Palo Alto Networks Research Center]

Cloud Security: Embracing Change Requires a Mindset Shift

When meeting with organizations across EMEA, I often hear them cite concerns about putting security in the cloud. However, in the following discussions, they typically admit that doing just that is inevitable. There’s a mindset change here that needs to be embraced on all sides of the cybersecurity equation.

I’ve worked previously with companies operating on the mantra that change is the only constant, yet cybersecurity experts often perceive change as a loss of control that they have to regain. This is perhaps why 70 percent of cybersecurity professionals across Europe and the Middle East say a rush to the cloud is not taking full account of the security risks, according to a recent survey conducted by Palo Alto Networks[1].

At the same time, there is increasing pressure from regulation, such as GDPR, to be mindful of what data (specifically PII) is put into the cloud. Unlike databases or other IT systems, the concern is typically around how PII data can be accidentally captured by security tools being used.

With all this in mind, it’s not surprising that the initial idea of moving cybersecurity to the cloud makes many security leaders anxious, just as IT leaders felt when it came to moving their applications.


The Benefits of Agility

Perhaps the biggest cybersecurity challenge today relates to our ability to normalise and process the increasing volume of artefacts we gather through security tools and turn them into intelligence we can act on in a timely manner to prevent business impact. With many businesses now processing millions of artefacts per month, the key challenge is the time required to achieve this. How much is your business processing today, and what are the growth predictions for the next three years? The cloud effectively gives unlimited compute power with no big Capex investments, so the same rationale for moving applications and data to the cloud surely applies to cybersecurity. Indeed, our research highlighted that 75 percent of cybersecurity professionals agree embracing the cloud could be a method of enhancing cybersecurity capabilities in their organizations.


Inevitability

As more applications and data move to the cloud, the cybersecurity tools that gather all these artefacts are themselves having to move to the cloud. They must be natively integrated to detect the artefacts and understand the environment in order to effectively secure it. However, the natural tendency of cybersecurity professionals is to haul this data back into their own organizations for analysis.


Human Emotions

It is a typical human emotional response to want to keep precious things close at hand, and information that pertains to potential breaches is precious. However, if you look at traditional endpoint security, most security point products today share information about attacks against you with the security provider via the cloud, with the aim being to better detect and understand attack trends. Other organizations have already gone much further and send their security logs to managed security service providers to analyse and act upon.

Taking this into account, why are some cybersecurity teams more open to sharing than others? And what’s different between sharing in this way and storing artefacts or indicators in a private cloud?

In certain circles, data classification means “no information leaves the building” where data is confidential or top secret, yet for most, that’s not the limiting factor. All too often, regulation is cited as the justification, but it may not actually be the case. Security vendors and partners don’t want your PII, so they work hard to filter it out and give you control over what is shared. Likewise, regulations such as GDPR recognise the value of cybersecurity tools when it comes to helping protect PII, and this should allow for a little more leniency should personal data mistakenly get caught up in the process.[2]


Trust

Not so long ago, people would bury treasures or hide their money under the bed, yet today, such prized items would typically be kept in a bank. This is because we recognize and trust that banks can better protect valuables, and there is incremental value – in terms of interest – in putting them there. Did you know that Monzo Bank was launched in April 2017 in the UK as one of the first cloud-based banks, used entirely through an app? Banks are shifting to the cloud!

Now, consider cybersecurity. Security professionals apply it themselves as they trust in their own capabilities. This is absolutely valid, yet cloud services typically have more budget and resource to protect security data, and – most importantly – have the incremental value of agility, in terms of elastic compute power, to process it. The matter at hand therefore becomes how each business builds trust in storing its security data in the cloud. I would suggest that this starts with transparency and control: where and what is gathered, how it is stored and used, who has access to it and why. More and more cloud security services are sharing this information to ensure you can have trust in their capabilities. Likewise, there is also a growth in third-party tools that provide governance of your cloud services based on this growing need. Palo Alto Networks has recently acquired Evident.io.[3]


You Can’t Stop It, Even If You Want To

Not so long ago, many held the same concerns for any use of the cloud, yet cloud-first strategies are commonplace today. I believe the same applies for cybersecurity, as most companies are now leveraging the cloud to enable or apply some level of their cybersecurity capabilities. However, at some point, each security professional will go through his or her own mindset shift, where concerns about the risk of putting security information in the cloud will be overtaken by the value of leveraging the elastic compute power to apply the latest smart AI algorithms against security artefacts, or by the growing need for security to be natively applied in the cloud to protect the business processes that have moved there.

The important things, at this point, are knowing when that mindset shift will occur in your business, and being clear and confident on what you and your business require to embrace it. Typically, business leaders are pushing IT teams to transform faster, which can potentially lead to a bigger lag with cybersecurity teams. What’s clear is that business isn’t going to wait, so the longer it takes to make that mindset shift, the more catching up there will be to do.


[1] https://www.paloaltonetworks.com/company/press/2018/cloud-research

[2] The processing of personal data by public authorities, computer emergency response teams, computer security incident response teams, providers of electronic communications networks and services, and providers of security technologies and services – to the extent strictly necessary and proportionate to ensure network and information security – constitutes a legitimate interest of the data controller concerned. This could include, for example, preventing unauthorised access to electronic communications networks and malicious code distribution as well as stopping “denial of service” attacks and damage to computer and electronic communication systems.

[3] https://evident.io

[Palo Alto Networks Research Center]

Automating Cloud Security with Ansible and Palo Alto Networks

History has shown that using automation to perform repetitive tasks without human assistance can result in labor and production cost reductions as well as improvements to quality, accuracy and precision.

In the ongoing effort to protect applications and data from bad actors, automating repetitive security tasks allows you to achieve the same benefits of accuracy, precision and precious labor savings. However, the most significant benefit that security automation brings is that it allows you to enforce a strong, consistent and repeatable security posture.

For the past several years, Palo Alto Networks and Ansible have collaborated on a set of Ansible modules that automate a variety of configuration settings which can be used on our physical and virtualized next-generation firewalls. In the public cloud, these collaboration efforts have become invaluable to our customers as they adopt more rapid and iterative application development methodologies (e.g., DevOps, CI/CD) on AWS, Azure and Google Cloud.

The Ansible modules for PAN-OS, our security operating system, allow our customers to embed security into the application development lifecycle, eliminating the bottleneck that change control security best practices can introduce.

To learn more about how Ansible can enable you to automate security in the cloud, please register for our joint webinar on April 25 at 11:00 AM PST/2:00 PM EDT. This informative event will cover the following topics:

  • New Ansible modules, updates and enhancements for cloud deployments
  • How Palo Alto Networks protects organizations from threats and data exfiltration, from the network to the cloud
  • Using Ansible modules to deploy and configure Palo Alto Networks VM-Series firewalls on AWS, Azure and Google Cloud

The webinar will wrap up with a brief deployment demonstration and technical Q&A with our solution architects.

Register for “Automating Cloud Security with Ansible and Palo Alto Networks”

[Palo Alto Networks Research Center]
