How Palo Alto Networks Can Help With ASD's Top Cyber Intrusion Mitigation Strategies


Table of Contents

- Introduction
- Executive Summary
- A Systematic Approach to Network Application Whitelisting
- Positive Security Model = Application Whitelisting
- Application Control With Palo Alto Networks
- User-based Policy Control
- Defence in Depth: Application Whitelisting + Next-Generation Firewalls
- The Last Line of Defence: Next-Generation Endpoint Protection
- Top 35 Mitigation Steps Where Palo Alto Networks Can Help

Introduction

The Australian Signals Directorate (ASD), also known as the Defence Signals Directorate (DSD), plays a lead role in protecting Australia's critical infrastructure and other information networks from cyber intrusions that pose real and present threats to Australia's national security and national interests. As part of its cyber security charter, the ASD has defined the top 35 cyber intrusion mitigation strategies that organisations can implement to help protect the nation's digital assets. Within those top 35 strategies, ASD has mandated that four be implemented.

Palo Alto Networks is a next-generation cyber security company dedicated to the needs of global government. Today it is used within governments in 72 countries across five continents, and is serving widely within military, civilian and intelligence establishments.

Executive Summary

It's no secret that government networks are among the most targeted of virtually any sector. The stakes are high, and attackers know they must use more evasive tactics to penetrate these networks. Sadly, many attackers are not only able to penetrate their target network, but often successfully establish a beachhead and remain undetected for a significant period of time while continuing evasive and damaging action. This leads to tremendous loss, whether of strategic, political, monetary or intelligence value.

Additionally, government networks are undergoing change. Many agencies face the challenges of reducing data centre footprints, virtualising existing services to reduce costs and go green, or of advancing security strategies to thwart advanced attacks in the field or at home. These changes mean government agencies are demanding more from their cyber security solutions today.

The ASD Top 35 mitigation strategies have been proven to help agencies protect their networks against targeted attacks. The Palo Alto Networks Next-Generation Security Platform can help agencies not only implement a large number of these strategies, but also supplement and augment them with capabilities and best practices that only a real next-generation security platform provides, to form an advanced, coordinated approach to extensible defence-in-depth.

[Figure: the Next-Generation Security Platform, with three natively integrated, automated and extensible components]
- Next-generation Firewall: inspects all traffic; safely enables applications; sends unknown threats to the cloud; blocks network-based threats.
- Next-generation Threat Intelligence Cloud: gathers potential threats from network and endpoints; analyses and correlates threat intelligence; disseminates threat intelligence to network and endpoints.
- Next-generation Endpoint: inspects all processes and files; prevents both known and unknown exploits; protects fixed, virtual and mobile endpoints; lightweight client and cloud based.

The Palo Alto Networks Next-Generation Security Platform is a flexible and extensible, natively integrated and automated platform for the detection and prevention of known and unknown cyber threats. Spanning network and endpoint and augmented by a global Threat Intelligence Cloud, it has the ability to understand all traffic, no matter which port, protocol or encryption is used, to provide granular control of applications, users and content. It employs automated closed-loop protection mechanisms that are deployed in-line and that are uniform across traditional infrastructure at the Internet edge, the cloud (whether public or private, cloud-delivered applications, or virtualised infrastructure), and mobile devices.

In its number one mitigation strategy, ASD mandates the whitelisting of applications on the endpoint. This is critical in preventing targeted malicious code from executing on an endpoint. Similarly, Palo Alto Networks believes that the whitelisting of applications at the network level is also critical in defeating targeted attacks. Application whitelisting at the network level greatly reduces the attack surface and the number of attack vectors into a network, and makes hiding lateral movement and command-and-control traffic that much more difficult.

A Systematic Approach to Network Application Whitelisting

The best approach to regaining control over your network activity, application or otherwise, is a systematic one that includes learning what is in use, and by whom, establishing the associated business requirements in conjunction with the users, documenting the associated policies, and then enforcing them with technology. Equally important is the ongoing policy review and update to account for changing application and user behaviour.

Visibility: The old adage "knowledge is power" is appropriate in the quest to regain control over the applications, users and content at both the workstation and network levels. Without full knowledge of what users are doing, policy control efforts may miss the mark entirely, leave gaping holes, or create a user environment in which users are able to take steps to avoid control efforts.

Policy establishment: Once an in-depth picture of which applications are in use and by whom has been established, appropriate policy rules need to be defined that balance the business requirements outlined by users against the associated risks from a security and business perspective. Once agreement has been reached, it is critically important that the policy is documented and that users are made aware, via ongoing education, that these policies are in place and the reasons why.

Enforcement and review: Using network- and workstation-level controls, the next step is to begin enforcing the established policies. As policies are violated, users should be notified of their actions via pop-up pages, alerts or other means. Here too, a balance must be struck that enables the user without exerting unreasonable levels of control. Over time, the policies on what is or is not allowed need to be reviewed and updated.

From a technology perspective there are two approaches to executing a systematic approach towards regaining control.

End-point level control: Application whitelisting is a client- or end-point-focused approach that defines which applications are or are not allowed to be installed (executed). Policies are established at a central control point as a means of determining what is allowed, and all else is blocked.

Network level control: Using next-generation firewalls that are designed to identify and control applications (not ports), such as those from Palo Alto Networks, is a network-level approach that allows organisations to establish positive security model rules that determine which applications are allowed and, by default, which applications are implicitly denied.
Both alternatives help organisations work towards the end goal of protecting the network and its digital assets while enabling users to accomplish their daily tasks. From a defence-in-depth perspective, application whitelisting and next-generation firewalling are a perfect complement. The remainder of this paper will focus on how Palo Alto Networks can help Australian organisations fulfil the #1 mitigation strategy of application whitelisting while assisting in fulfilling many of the other 35 recommended strategies.

Positive Security Model = Application Whitelisting

By definition, application whitelisting has the same criteria found in the positive security model that firewalls adhere to, albeit at the network level. As a reminder, a firewall operates on the premise of allowing what is defined by policy, then denying all else either implicitly or explicitly. This is exactly what application whitelisting does, but at the client level. The challenge that traditional port-based firewalls face is that their positive security model policies are defined by ports, protocols and IP addresses, not applications specifically, making positive security model control at the application level nearly impossible.

Palo Alto Networks next-generation firewalls differ from traditional firewalls in that the first task executed when the firewall sees network traffic is to determine what the application is, irrespective of port, protocol, encryption or evasive technique employed. The application then becomes the basis of the positive security model policy that says "allow these specific applications and deny all others". The knowledge of which application is traversing the network is used to create firewall security policies, including allow, deny, inspect for threats, apply traffic shaping and more. All policy decisions are made and enforced at the network level.

Application Control With Palo Alto Networks

At one time, controlling which applications an employee could use was easy. Applications were tied specifically to a port or protocol, and controlling them was as simple as allow or deny.
Today, application developers want their applications to be as easy to access as possible, so they may no longer tie an application to a fixed port or protocol, because doing so may limit its acceptance. Today, it is easy to find applications, for both business and personal use, that:

- Are fully functional applications that are browser-based, yet may or may not use port 80.
- Are capable of running off a high-speed USB drive.
- Are client-server applications operating across port 80 or port 443.
- Use SSL, hop ports, or both.

These are just a few of the tactics that applications may use to enable user access and, at the same time, enable the application to bypass traditional detection mechanisms. The result is that organisations have lost the ability to see, much less control, the applications traversing the network.

In order to help organisations regain control over the applications traversing the network at the firewall, Palo Alto Networks uses up to four different mechanisms: application decoders and signatures, protocol decoders, heuristics and SSL decryption, to accurately identify more than 1,750 applications, regardless of port, protocol, encryption or evasive tactic employed.

It's important that the term "application" be clarified, since it doesn't have an industry-standard definition. In the context of Palo Alto Networks firewalls, an application is a specific program or feature of a program that can be detected, monitored and/or controlled. For example, Facebook is an application, as is Facebook Chat. Each of them can be detected, monitored and controlled independently as part of the positive enforcement security policy.

As traffic traverses the Palo Alto Networks firewall, the applications are identified and graphically summarised in near-real time, allowing administrators to see what's happening on the network, learn more about an application if needed, and then make an informed decision on how to treat it.

[Screenshot] Application visibility: View application activity in a clear, easy-to-read format. Add and remove filters to learn more about the application, its functions and who is using them.

User-based Policy Control

The identity of the application can be mapped to specific users with User-ID, a technology that seamlessly integrates Palo Alto Networks firewalls with enterprise directory services (Active Directory, Exchange, LDAP, eDirectory, Citrix and Microsoft Terminal Services, XML API). With User-ID, administrators can see exactly who is using the application and, as needed, can enable a policy to allow (whitelist), deny (blacklist), shape, inspect, schedule, decrypt and more. Immediate access to the knowledge of which applications are traversing the network, who is using them, and the potential security risk empowers administrators to quickly and easily determine the appropriate response. Armed with these data points, administrators can apply policies with a range of responses that are more fine-grained than allow or deny. Examples include:

- Enable only the IT group to use a fixed set of management applications such as SSH, telnet and RDP.
- Block bad applications such as P2P file sharing, circumventors and external proxies.
- Define and enforce an organisation-wide policy that allows and inspects specific webmail and instant messaging usage.
- Control the file transfer functionality within an individual application, allowing application use yet preventing file transfer.
- Identify and block applications using port 80 or 443 that are used to provide anonymous access to the Internet or to evade traditional firewalls, such as UltraSurf, Tor and CGIProxy.
- Identify and control the transfer of sensitive information such as credit card numbers or social security numbers, either in text or file format.
- Deploy URL filtering policies that block access to obvious non-work-related sites, monitor questionable sites, and coach access to others.
- Implement QoS policies to allow media and other bandwidth-intensive applications but limit their impact on business-critical applications.

Palo Alto Networks next-generation firewalls enable customers to deploy application usage policies to block certain applications, allow specific applications, and inspect them, shape them and schedule their use. This level of control, at the network layer, is a perfect complement to application whitelisting performed at the end-point.

[Screenshot] Unified Policy Editor: A familiar look and feel enables the rapid creation and deployment of policies that control applications, users and content.
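To make the positive security model and the policy examples above concrete, here is an added Python illustration, not Palo Alto Networks code and not a PAN-OS API: a small rule evaluator in which each rule matches on the identified application, the user's directory group, the source and destination security zones and, optionally, the URL category, and any session that matches no rule is implicitly denied. The class names, rule names, zone names and application names are constructed for the example; the zone fields go a little beyond this section and model the zone-based segmentation that the mitigation table later in the paper describes.

```python
"""
Positive-security-model policy evaluator (added illustration, not Palo Alto Networks code).

A rule matches on the application identified by inspection, the user's group, the
(from_zone, to_zone) pair and optionally the URL category, never on the TCP port.
Anything that matches no rule is implicitly denied. All names here are constructed.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Session:
    app: str                          # application as identified by content inspection
    port: int                         # transport port the traffic actually used
    user_group: str                   # group resolved from the directory (User-ID style)
    from_zone: str                    # security zone of the source interface
    to_zone: str                      # security zone of the destination interface
    url_category: Optional[str] = None


@dataclass(frozen=True)
class Rule:
    name: str
    apps: frozenset                   # "any" matches every application
    groups: frozenset                 # "any" matches every user group
    zones: frozenset                  # set of (from_zone, to_zone) pairs; "any" matches all
    action: str                       # "allow", "allow+inspect" or "deny"
    url_categories: frozenset = frozenset({"any"})


def _matches(value, allowed) -> bool:
    return "any" in allowed or value in allowed


def evaluate(session: Session, rules) -> Tuple[str, str]:
    """Return (action, rule_name). First matching rule wins; no match is an implicit deny."""
    for rule in rules:
        if (_matches(session.app, rule.apps)
                and _matches(session.user_group, rule.groups)
                and _matches((session.from_zone, session.to_zone), rule.zones)
                and _matches(session.url_category or "none", rule.url_categories)):
            return rule.action, rule.name
    return "deny", "implicit-deny"


def port_based_allows(session: Session) -> bool:
    """A traditional port-based rule, 'allow tcp/80 and tcp/443 outbound', for comparison."""
    return session.port in (80, 443)


ANY = frozenset({"any"})
USERS_TO_INTERNET = frozenset({("users", "internet")})
USERS_TO_DC = frozenset({("users", "dc")})
USERS_TO_USERS = frozenset({("users", "users")})

# Constructed rule set mirroring the policy examples in the text. Order matters:
# the deny for facebook-file-sharing must precede the allow for facebook.
RULES = [
    Rule("it-mgmt", frozenset({"ssh", "telnet", "rdp"}), frozenset({"it"}), ANY, "allow"),
    Rule("block-circumventors", frozenset({"ultrasurf", "tor", "cgiproxy", "bittorrent"}), ANY, ANY, "deny"),
    Rule("ad-auth", frozenset({"ldap", "kerberos", "ms-ds-smb"}), ANY, USERS_TO_DC, "allow"),
    Rule("smb-admins-only", frozenset({"ms-ds-smb", "netbios-ns"}), frozenset({"it"}), USERS_TO_USERS, "allow"),
    Rule("webmail-inspected", frozenset({"gmail", "outlook-web"}), ANY, USERS_TO_INTERNET, "allow+inspect"),
    Rule("facebook-no-files", frozenset({"facebook-file-sharing"}), ANY, USERS_TO_INTERNET, "deny"),
    Rule("facebook", frozenset({"facebook", "facebook-chat"}), ANY, USERS_TO_INTERNET, "allow"),
    Rule("web-by-category", frozenset({"web-browsing", "ssl"}), ANY, USERS_TO_INTERNET, "allow+inspect",
         frozenset({"business", "news", "finance"})),
]


def compare(session: Session) -> dict:
    """Port-based and application-based verdicts for the same session, side by side."""
    action, rule = evaluate(session, RULES)
    return {"port_based": "allow" if port_based_allows(session) else "deny",
            "app_based": action, "matched_rule": rule}


if __name__ == "__main__":
    # SSH tunnelled over tcp/443 from a non-IT user: the port rule allows it, the app rule does not.
    print(compare(Session("ssh", 443, "sales", "users", "internet")))
    # Workstation-to-workstation SMB from a non-IT user: no rule matches, implicit deny.
    print(compare(Session("ms-ds-smb", 445, "sales", "users", "users")))
    # Browsing a site in a category the policy never allowed: implicit deny.
    print(compare(Session("web-browsing", 80, "sales", "users", "internet", "malware")))
```

The port_based_allows() function stands in for a traditional port rule so the two verdicts can be compared: SSH carried over tcp/443 from a non-IT user passes the port rule but is implicitly denied by the application rule, which is the point the paper makes about port-based positive security models. The zone pairs show how the same evaluator keeps SMB to the domain controllers open for authentication while denying SMB between workstations to everyone but the IT group.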

Defence in Depth: Application Whitelisting + Next-Generation Firewalls

By mandating application whitelisting as a top priority in protecting against cyber intrusions, the Australian Signals Directorate has acknowledged that application control is a critical component in an agency's cyber security posture. Taking a complementary, defence-in-depth approach to cyber security, Palo Alto Networks next-generation firewalls can help agencies exert an added layer of security at the network level by identifying and controlling applications using positive-control-model security rules.

The Last Line of Defence: Next-Generation Endpoint Protection

The endpoint represents the last line of defence. Even with application whitelisting enforced, most endpoints run a large number of applications, some of which have bugs or unknown zero-day vulnerabilities that could be triggered as part of an exploitation attempt. We estimate that as many as 5,000 of these new software vulnerabilities emerge each year. The problem agencies face when trying to defend against zero-day attacks is that traditional solutions rely on prior knowledge or behaviour analysis to detect usage, and are incapable of preventing zero-day attacks since, by definition, they are unknown. In addition, adversaries can craft an endless number of fully undetectable malware samples. This makes it impossible to become intimately familiar with every potential threat, which is why we shifted our focus to the exploit delivery phase of the attack.

Your adversaries, whether nation-state, espionage-oriented, activist group or black-hat hacker, all share one commonality: they must use the same core exploit techniques to execute their attack. If an attacker's critical path for exploitation is known, even when the vulnerability that is used or the malware planned to be delivered is not, it can be prevented before any malicious activity is ever executed. Only a few new exploitation techniques are published or used in the wild every few years. For example, the state-of-the-art Stuxnet attack featured several new zero-day exploits, yet it was completely based on known exploitation techniques.

By addressing the exploit techniques required to execute an attack, Palo Alto Networks has built modules to mitigate and interfere with the attacker's exploit techniques. Since an exploit is always based on a chain of techniques, preventing the use of any technique in the chain will block the exploitation attempt and the malware delivery entirely. This fundamentally different approach has enabled Palo Alto Networks to offer a future-proof solution, the EP Series, that can prevent both known and unknown attacks, regardless of the state of security patches or updates on the system. Our EP Series raises the bar on security by creating a new category of preventive cyber-defence that did not exist until now.

With the Palo Alto Networks EP Series installed on the endpoint, our proprietary mitigation modules are injected directly into the process every time a user launches one. As this happens, the process initiated by the user continues to run as intended, while the modules protect it and the endpoint from exploitation attempts. Only when an exploit attempt is made does the EP Series activate the injected traps to block the finite exploit techniques the attacker must use, so malware is never delivered and the exploit is prevented. As the EP Series blocks an exploitation attempt, a real-time picture of the process memory is taken, detailing the attack source and the vectors used in the attempted attack. This forensic data is sent to the management centre, sharing invaluable information between the network and the endpoint and thus contributing to greater threat intelligence.

In addition to our proprietary exploit prevention methods, the EP Series protects against attacks from the execution of malicious executable files. This component provides the administrator with a flexible and robust granular policy engine to enforce rules that prevent social engineering attacks which could endanger the organisation.

9 TOP 35 MITIGATION STEPS WHERE PALO ALTO NETWORKS CAN HELP MITIGATION STRATEGIES Automated dynamic analysis of and web content run in a sandbox to detect suspicious behaviour including network traffic, new or modified files, or configuration changes. HOW PALO ALTO NETWORKS CAN HELP Palo Alto Networks WildFire identifies unknown malware, zero-day exploits, and Advanced Persistent Threats (APTs) by directly executing them in a scalable, virtual sandbox environment. For Government customers and those that for privacy or regulatory concerns can t send information to the Palo Alto Networks Threat Intelligence Cloud, WildFire is deployed as a private cloud on a single WF-500 appliance. The WildFire architecture is uniquely designed to meet the demands of analysing large numbers of potentially malicious content. To support dynamic malware analysis across the enterprise s network at scale, the virvual malware analysis environment is shared across all firewalls, as opposed to deploying single-use hardware at every ingress/egress point and network point of presence. This approach ensures maximum sharing of threat information, while minimising the hardware requirements of the task. When an unknown threat is discovered, WildFire automatically generates protections to block the threat across the cyber kill-chain, sharing these updates with all subscribers across the globe in as little as 15 minutes. These quick updates are able to stop rapidly spreading malware, as well as identify and block the proliferation of all future variants without any additional action or analysis. In conjunction with protection from malicious and exploitive files, WildFire analysis looks deeply into malicious outbound communication, disrupting command-control activity with anti-c2 signatures and DNS-based callback signatures. The information is also fed into PAN-DB, where newly discovered malicious URLs are automatically blocked. 
This correlation of data and in-line protections are key to identifying and blocking ongoing intrusions as well as future attacks on a network. Extending the next-generation firewall platform that natively classifies all traffic across hundreds of applications, WildFire uniquely applies analysis regardless of ports or encryption, including full visibility into web traffic, protocols (SMTP, IMAP, POP), FTP, and SMB. PAGE 9 Operating system generic exploit mitigation mechanisms, eg, Data Execution Prevention (DEP), Address Space Layout Randomisation (ASLR) and Enhanced Mitigation Experience Toolkit (EMET). Palo Alto Networks next-generation endpoint protection provides comprehensive exploit mitigation and malware prevention through its proprietary exploit mitigation technology. The EP Series can prevent the following vectors of attack: Memory corruption based exploits Logic flaws based exploits (including Java exploits) An executable spawning a malicious child process DLL hijacking Hijacking program control flow Execution of malware from local folders commonly utilised by attackers Execution from network shares, external storage devices, and optical drives Execution of embedded exe files

10 MITIGATION STRATEGIES Automated dynamic analysis of and web content run in a sandbox to detect suspicious Operating system generic exploit mitigation behaviour including network traffic, new or mechanisms, eg, Data Execution Prevention (DEP), modified files, or configuration changes. Address Space Layout Randomisation (ASLR) and Enhanced Mitigation Experience Toolkit (EMET). Network segmentation and segregation into security zones to protect sensitive information and critical services such as user authentication by Microsoft Active Directory. Software-based application firewall, blocking incoming network traffic that is malicious or otherwise unauthorised, and denying network traffic by default. Software-based application firewall, blocking outgoing network traffic that is not generated by whitelisted applications, and denying network traffic by default. Operating system generic exploit mitigation mechanisms, eg, Data Execution Prevention (DEP), Address Space Layout Randomisation (ASLR) and Enhanced Mitigation Experience Toolkit (EMET). content filtering allowing only businessrelated attachment types. Preferably analyse/ convert/sanitise links, PDF and Microsoft Office attachments. Web content filtering of incoming and outgoing traffic, whitelisting allowed types of web content and using behavioral analysis, cloud-based PAGE 10 reputation ratings, heuristics and signatures. Network Web domain segmentation whitelisting and for segregation all domains, into since security this zones approach to protect is more sensitive proactive information and thorough and than critical services blacklisting such a tiny as user percentage authentication of malicious by Microsoft domains. command-control activity with anti-c2 signatures and DNS-based callback signatures. The information is also fed into PAN-DB, where newly discovered malicious URLs are automatically blocked. 
This correlation of data and in-line protections are key to identifying and blocking ongoing intrusions as well as future attacks on a network. Extending the next-generation firewall platform that natively classifies all traffic across hundreds of applications, WildFire uniquely applies analysis regardless of ports or encryption, including full visibility into web traffic, protocols (SMTP, IMAP, HOW PALO POP), ALTO FTP, NETWORKS and SMB. CAN HELP Palo Alto Networks WildFire identifies unknown malware, zero-day exploits, and Advanced Persistent Palo Alto Networks next-generation endpoint protection Threats (APTs) by directly executing them in a scalable, provides comprehensive exploit mitigation and malware virtual sandbox environment. prevention through its proprietary exploit mitigation technology. For Government customers and those that for privacy or regulatory concerns can t send information to the Palo The EP Series can prevent the following vectors of Alto Networks Threat Intelligence Cloud, WildFire is attack: deployed as a private cloud on a single WF-500 Memory corruption based exploits appliance. The WildFire architecture is uniquely designed Logic flaws based exploits (including Java exploits) to meet the demands of analysing large numbers of An executable spawning a malicious child process potentially malicious content. To support dynamic DLL hijacking malware analysis across the enterprise s network at Hijacking program control flow scale, the virvual malware analysis environment is Execution of malware from local folders commonly shared across all firewalls, as opposed to deploying utilised by attackers single-use hardware at every ingress/egress point Execution from network shares, external storage and network point of presence. This approach ensures devices, and optical drives maximum sharing of threat information, while Execution of embedded exe files minimising the hardware requirements of the task. 
When an unknown threat is discovered, WildFire automatically Using a security generates zone-based protections architecture, to block organisations the threat across can isolate the cyber restricted kill-chain, data behind sharing firewall these rules updates that with will all segment subscribers the network across to the provide globe added in as little levels as of 15 network minutes. security. For These purposes quick updates of definition, are able a security to stop zone rapidly is a spreading logical container malware, comprised as well of as physical identify interfaces, and block the VLANS proliferation and IP addresses. of all Using future zones, variants organisations without any additional can: action Control or analysis. exactly which applications are accessing the data, forcing them over standard ports. In conjunction Validate which with users protection are accessing from malicious the data, and exploitive associated files, applications. WildFire analysis looks deeply into malicious Find and outbound stop the use communication, of rogue or misconfigured disrupting command-control applications. activity with anti-c2 signatures and DNS-based Identify and callback block signatures. a wide range The of threats information without is also fed degrading into PAN-DB, the where network newly performance. discovered malicious URLs are automatically blocked. This correlation of data and in-line protections are key to identifying and blocking ongoing intrusions as well as future attacks on Through a network. its integration with VMware s NSX network virtualization platform, Palo Alto Networks VM-Series Extending virtual firewalls the next-generation identify, control firewall and safely platform enable that applications natively classifies between virtual all traffic servers across within hundreds the data of centre. 
applications, This capability WildFire provides uniquely critical applies application analysis regardless whitelisting of and ports segmentation or encryption, of servers including at the full hypervisor visibility level. Additionally into web traffic, full Threat Prevention protocols features (SMTP, can be IMAP, applied POP), to the FTP, traffic and including SMB. IPS, AV, anti-spyware/c2, and anti-malware.the integration with VMware NSX enables the Palo Alto Networks next-generation VM-Series to be automatically deployed within every Palo VMware Alto ESXi Networks server. next-generation endpoint protection provides comprehensive exploit mitigation and malware prevention through its proprietary exploit mitigation technology. In addition to Microsoft Exchange, Palo Alto Networks The identifies EP Series 66 other can prevent applications the following that can vectors be used of in attack: firewall security policies. For those applications that Memory are allowed, corruption organisations based exploits can also identify and control Logic 50+ flaws file types based such exploits as.doc, (including.docx, PDF. Java exploits) An executable spawning a malicious child process DLL hijacking Hijacking program control flow As a Execution complement of malware to the application from local visibility folders and commonly control enabled utilised by App-ID, by attackers URL categories can be used as a match criteria Execution for policies. from network Instead of shares, creating external policies storage that are limited devices, to either and allowing optical drives all or blocking all behavior, URL category Execution as a match of embedded criteria allows exe files for exception based behavior, resulting in increased flexibility, yet more granular policy enforcement. 
Examples of how using URL Using categories a security can be zone-based used in policies architecture, include: organisations can Identify isolate restricted and allow exceptions data behind to firewall general rules security that will segment policies the for network users who to provide may belong added to levels multiple of network groups

outgoing network traffic that is not generated by whitelisted applications, and denying network traffic by default.

and anti-malware. The integration with VMware NSX enables the Palo Alto Networks next-generation VM-Series to be automatically deployed within every VMware ESXi server.

Palo Alto Networks: ASD Top 35

MITIGATION STRATEGIES / HOW PALO ALTO NETWORKS CAN HELP

Mitigation: Email content filtering allowing only business-related attachment types. Preferably analyse/convert/sanitise links, PDF and Microsoft Office attachments.

How Palo Alto Networks can help: In addition to Microsoft Exchange, Palo Alto Networks identifies 66 other email applications that can be used in firewall security policies. For those applications that are allowed, organisations can also identify and control 50+ file types such as .doc, .docx and PDF.

Mitigation: Automated dynamic analysis of email and web content run in a sandbox to detect suspicious behaviour including network traffic, new or modified files, or configuration changes.

How Palo Alto Networks can help: Palo Alto Networks WildFire identifies unknown malware, zero-day exploits and Advanced Persistent Threats (APTs) by directly executing them in a scalable, virtual sandbox environment. For Government customers, and those that for privacy or regulatory reasons cannot send information to the Palo Alto Networks Threat Intelligence Cloud, WildFire is deployed as a private cloud on a single WF-500 appliance. The WildFire architecture is uniquely designed to meet the demands of analysing large volumes of potentially malicious content. To support dynamic malware analysis across the enterprise network at scale, the virtual malware analysis environment is shared across all firewalls, as opposed to deploying single-use hardware at every ingress/egress point and network point of presence. This approach ensures maximum sharing of threat information while minimising the hardware requirements of the task.

When an unknown threat is discovered, WildFire automatically generates protections to block the threat across the cyber kill-chain, sharing these updates with all subscribers across the globe in as little as 15 minutes. These quick updates are able to stop rapidly spreading malware, as well as identify and block the proliferation of all future variants without any additional action or analysis. In conjunction with protection from malicious and exploitive files, WildFire analysis looks deeply into malicious outbound communication, disrupting command-and-control activity with anti-C2 signatures and DNS-based callback signatures. The information is also fed into PAN-DB, where newly discovered malicious URLs are automatically blocked. This correlation of data and in-line protections is key to identifying and blocking ongoing intrusions as well as future attacks on a network. Extending the next-generation firewall platform that natively classifies all traffic across hundreds of applications, WildFire uniquely applies analysis regardless of ports or encryption, including full visibility into web traffic, email protocols (SMTP, IMAP, POP), FTP and SMB.

Mitigation: Web content filtering of incoming and outgoing traffic, whitelisting allowed types of web content and using behavioral analysis, cloud-based reputation ratings, heuristics and signatures.

Mitigation: Web domain whitelisting for all domains, since this approach is more proactive and thorough than blacklisting a tiny percentage of malicious domains.

How Palo Alto Networks can help: As a complement to the application visibility and control enabled by App-ID, URL categories can be used as match criteria for policies. Instead of creating policies that are limited to either allowing all or blocking all behavior, URL category as a match criterion allows for exception-based behavior, resulting in increased flexibility with more granular policy enforcement. Examples of how URL categories can be used in policies include:
• Identify and allow exceptions to general security policies for users who may belong to multiple groups within Active Directory (e.g., deny access to malware and hacking sites for all users, yet allow access to users that belong to the security group).
• Allow access to the streaming media category, but apply QoS to control bandwidth consumption.
• Prevent file download/upload for URL categories that represent higher risk (e.g., allow access to unknown sites, but prevent upload/download of executable files from unknown sites to limit malware propagation).
• Apply SSL decryption policies that allow encrypted access to finance and shopping categories but decrypt and inspect traffic to all other URL categories.

Mitigation: Deny direct internet access from workstations by using an IPv6-capable firewall to force traffic through a split DNS server, an email server or an authenticated web proxy server.

How Palo Alto Networks can help: Palo Alto Networks fully supports IPv6, including IPv6 dynamic routing protocols.

Mitigation: Restrict access to Server Message Block (SMB) and NetBIOS services running on workstations and on servers where possible.

How Palo Alto Networks can help: Using next-generation, application-based firewall security policies, access to SMB and NetBIOS can be controlled by user or user group at the network level, regardless of port.

Mitigation: Operating system generic exploit mitigation mechanisms, e.g., Data Execution Prevention (DEP), Address Space Layout Randomisation (ASLR) and Enhanced Mitigation Experience Toolkit (EMET).

How Palo Alto Networks can help: Palo Alto Networks next-generation endpoint protection provides comprehensive exploit mitigation and malware prevention through its proprietary exploit mitigation technology. The EP Series can prevent the following vectors of attack:
• Memory corruption based exploits
• Logic flaw based exploits (including Java exploits)
• An executable spawning a malicious child process
• DLL hijacking
• Hijacking program control flow
• Execution of malware from local folders commonly utilised by attackers
• Execution from network shares, external storage devices and optical drives
• Execution of embedded exe files

Mitigation: Network segmentation and segregation into security zones to protect sensitive information and critical services such as user authentication by Microsoft Active Directory.

How Palo Alto Networks can help: Using a security zone-based architecture, organisations can isolate restricted data behind firewall rules that segment the network to provide added levels of network security. For purposes of definition, a security zone is a logical container comprised of physical interfaces, VLANs

Palo Alto Networks, Great America Parkway, Santa Clara, CA

Copyright 2014, Palo Alto Networks, Inc. All rights reserved. Palo Alto Networks, the Palo Alto Networks Logo, PAN-OS, App-ID and Panorama are trademarks of Palo Alto Networks, Inc. All specifications are subject to change without notice. Palo Alto Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Palo Alto Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. PAN_WP_ASD-Top35_
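The exception-based, deny-by-default policy pattern from the URL-category bullets above (a narrow exception rule ahead of the general rule it carves out of, unmatched traffic denied), as an added example that is not Palo Alto Networks code. Rule fields, category labels, the "security" group and the QoS value are constructed to mirror the text rather than any product schema; the shadowing check at the end flags the ordering mistake that silently disables such an exception.

```python
"""Toy model of the exception-based, deny-by-default policy style in the
URL-category bullets above. Added example, not Palo Alto Networks code:
rule fields, category labels, group names and the QoS value are constructed
to mirror the text and are not taken from any product schema."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

ANY: FrozenSet[str] = frozenset()  # an empty constraint matches anything


@dataclass(frozen=True)
class Session:
    user_groups: FrozenSet[str]        # directory groups resolved for the user
    app: str                           # application identified on the wire
    url_category: str                  # category assigned to the destination
    file_type: Optional[str] = None    # file being transferred, if any


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "allow" or "deny"
    categories: FrozenSet[str] = ANY
    groups: FrozenSet[str] = ANY
    apps: FrozenSet[str] = ANY
    block_file_types: FrozenSet[str] = frozenset()  # empty here means block nothing
    qos_kbps: Optional[int] = None     # bandwidth cap applied when allowing

    def matches(self, s: Session) -> bool:
        if self.categories and s.url_category not in self.categories:
            return False
        if self.groups and not (self.groups & s.user_groups):
            return False
        if self.apps and s.app not in self.apps:
            return False
        return True


@dataclass(frozen=True)
class Verdict:
    action: str                        # "allow", "deny" or "block-file"
    rule: str                          # rule that produced the verdict
    qos_kbps: Optional[int] = None


def evaluate(rulebase: List[Rule], s: Session) -> Verdict:
    """First matching rule wins. No match falls through to the implicit
    deny of a positive security model, so only whitelisted traffic passes."""
    for r in rulebase:
        if not r.matches(s):
            continue
        if r.action == "deny":
            return Verdict("deny", r.name)
        if s.file_type and s.file_type in r.block_file_types:
            return Verdict("block-file", r.name)   # site allowed, transfer stopped
        return Verdict("allow", r.name, r.qos_kbps)
    return Verdict("deny", "implicit-deny")


def should_decrypt(url_category: str, no_decrypt: FrozenSet[str]) -> bool:
    """Decryption policy from the last bullet: a short list of categories
    stays encrypted, everything else is decrypted and inspected."""
    return url_category not in no_decrypt


def _covers(a: FrozenSet[str], b: FrozenSet[str]) -> bool:
    # True when constraint a accepts every value constraint b accepts.
    return not a or (bool(b) and b <= a)


def find_shadowed(rulebase: List[Rule]) -> List[str]:
    """Rules that can never match because an earlier rule already matches a
    superset of their traffic. An exception rule placed after the general
    rule it carves out of is the classic way to lose the exception silently."""
    shadowed = []
    for j, later in enumerate(rulebase):
        for earlier in rulebase[:j]:
            if (_covers(earlier.categories, later.categories)
                    and _covers(earlier.groups, later.groups)
                    and _covers(earlier.apps, later.apps)):
                shadowed.append(later.name)
                break
    return shadowed


# Constructed rulebase mirroring the four bullets; labels are illustrative only.
RULEBASE = [
    Rule("security-team-research", "allow",
         categories=frozenset({"malware", "hacking"}), groups=frozenset({"security"})),
    Rule("block-malicious-sites", "deny", categories=frozenset({"malware", "hacking"})),
    Rule("streaming-with-qos", "allow", categories=frozenset({"streaming-media"}),
         qos_kbps=2000),
    Rule("unknown-sites-no-exe", "allow", categories=frozenset({"unknown"}),
         block_file_types=frozenset({"exe", "dll", "msi"})),
    Rule("general-web", "allow", apps=frozenset({"web-browsing", "ssl"})),
]
NO_DECRYPT = frozenset({"financial-services", "shopping"})
```

Running `find_shadowed` on a rulebase with the first two rules swapped reports the exception rule as unreachable, which is the check to run before committing a reordered policy.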


More information

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module CS 665: Computer System Security Network Security Bojan Cukic Lane Department of Computer Science and Electrical Engineering West Virginia University 1 Usage environment Anonymity Automation, minimal human

More information

Building A Secure Microsoft Exchange Continuity Appliance

Building A Secure Microsoft Exchange Continuity Appliance Building A Secure Microsoft Exchange Continuity Appliance Teneros, Inc. 215 Castro Street, 3rd Floor Mountain View, California 94041-1203 USA p 650.641.7400 f 650.641.7401 ON AVAILABLE ACCESSIBLE Building

More information

High End Information Security Services

High End Information Security Services High End Information Security Services Welcome Trion Logics Security Solutions was established after understanding the market's need for a high end - End to end security integration and consulting company.

More information

Barracuda Web Application Firewall vs. Intrusion Prevention Systems (IPS) Whitepaper

Barracuda Web Application Firewall vs. Intrusion Prevention Systems (IPS) Whitepaper Barracuda Web Application Firewall vs. Intrusion Prevention Systems (IPS) Whitepaper Securing Web Applications As hackers moved from attacking the network to attacking the deployed applications, a category

More information

WHITE PAPER. AirGap. The Technology That Makes Isla a Powerful Web Malware Isolation System

WHITE PAPER. AirGap. The Technology That Makes Isla a Powerful Web Malware Isolation System AirGap The Technology That Makes Isla a Powerful Web Malware Isolation System Introduction Web browsers have become a primary target for cyber attacks on the enterprise. If you think about it, it makes

More information

End-to-End Application Security from the Cloud

End-to-End Application Security from the Cloud Datasheet Website Security End-to-End Application Security from the Cloud Unmatched web application security experience, enhanced by real-time big data analytics, enables Incapsula to provide best-of-breed

More information

White Paper. Time for Integrated vs. Bolted-on IT Security. Cyphort Platform Architecture: Modular, Open and Flexible

White Paper. Time for Integrated vs. Bolted-on IT Security. Cyphort Platform Architecture: Modular, Open and Flexible White Paper Time for Integrated vs. Bolted-on IT Security Cyphort Platform Architecture: Modular, Open and Flexible Overview This paper discusses prevalent market approaches to designing and architecting

More information

Network Virtualization Solutions - A Practical Solution

Network Virtualization Solutions - A Practical Solution SOLUTION GUIDE Deploying Advanced Firewalls in Dynamic Virtual Networks Enterprise-Ready Security for Network Virtualization 1 This solution guide describes how to simplify deploying virtualization security

More information

10 Things Every Web Application Firewall Should Provide Share this ebook

10 Things Every Web Application Firewall Should Provide Share this ebook The Future of Web Security 10 Things Every Web Application Firewall Should Provide Contents THE FUTURE OF WEB SECURITY EBOOK SECTION 1: The Future of Web Security SECTION 2: Why Traditional Network Security

More information

Sourcefire Solutions Overview Security for the Real World. SEE everything in your environment. LEARN by applying security intelligence to data

Sourcefire Solutions Overview Security for the Real World. SEE everything in your environment. LEARN by applying security intelligence to data SEE everything in your environment LEARN by applying security intelligence to data ADAPT defenses automatically ACT in real-time Sourcefire Solutions Overview Security for the Real World Change is constant.

More information