Advanced Endpoint Protection Overview

Similar documents
Manage the Endpoints. Palo Alto Networks. Advanced Endpoint Protection Administrator s Guide Version 3.1. Copyright Palo Alto Networks

WildFire Overview. WildFire Administrator s Guide 1. Copyright Palo Alto Networks

Manage Traps in a VDI Environment. Traps Administrator s Guide. Version 3.3. Copyright Palo Alto Networks

WildFire Reporting. WildFire Administrator s Guide 55. Copyright Palo Alto Networks

KASPERSKY FRAUD PREVENTION FOR ENDPOINTS

Analyzing HTTP/HTTPS Traffic Logs

Carbon Black and Palo Alto Networks

ESET Endpoint Security 6 ESET Endpoint Antivirus 6 for Windows

Persistence Mechanisms as Indicators of Compromise

IBM Security re-defines enterprise endpoint protection against advanced malware

WildFire. Preparing for Modern Network Attacks

The evolution of virtual endpoint security. Comparing vsentry with traditional endpoint virtualization security solutions

THREAT INTELLIGENCE CLOUD

Best Practices for Deploying Behavior Monitoring and Device Control

Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities

ESET CYBER SECURITY PRO for Mac Quick Start Guide. Click here to download the most recent version of this document

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

24/7 Visibility into Advanced Malware on Networks and Endpoints

The Hillstone and Trend Micro Joint Solution

Practical Threat Intelligence. with Bromium LAVA

Business white paper. Missioncritical. defense. Creating a coordinated response to application security attacks

Technical Product Overview. Employing cloud-based technologies to address security risks to endpoint systems

Symantec Endpoint Protection Small Business Edition Installation and Administration Guide

Sophos Computer Security Scan startup guide

Cisco Advanced Malware Protection

CLOUD SECURITY FOR ENDPOINTS POWERED BY GRAVITYZONE

Kaseya White Paper. Endpoint Security. Fighting Cyber Crime with Automated, Centralized Management.

Threat Center. Real-time multi-level threat detection, analysis, and automated remediation

Host-based Intrusion Prevention System (HIPS)

Sophos for Microsoft SharePoint startup guide

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)

WildFire Cloud File Analysis

Security Intelligence Services.

Making the difference between read to output, and read to copy GOING BEYOND BASIC FILE AUDITING FOR DATA PROTECTION

End-user Security Analytics Strengthens Protection with ArcSight

WildFire Cloud File Analysis

BUILDING A SECURITY OPERATION CENTER (SOC) ACI-BIT Vancouver, BC. Los Angeles World Airports

Symantec Protection Suite Enterprise Edition for Servers Complete and high performance protection where you need it

Optimizing Windows Security Features to Block Malware and Hack Tools on USB Storage Devices

System Administrator Guide

Sophos Endpoint Security and Control Help. Product version: 11

Trend Micro OfficeScan Best Practice Guide for Malware

RSA Enterprise Compromise Assessment Tool (ECAT) Date: January 2014 Authors: Jon Oltsik, Senior Principal Analyst and Tony Palmer, Senior Lab Analyst

DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER

How McAfee Endpoint Security Intelligently Collaborates to Protect and Perform

Kaspersky Fraud Prevention: a Comprehensive Protection Solution for Online and Mobile Banking

Privileged. Account Management. Accounts Discovery, Password Protection & Management. Overview. Privileged. Accounts Discovery

PROTECTION FOR SERVERS, WORKSTATIONS AND TERMINALS ENDPOINT SECURITY NETWORK SECURITY I ENDPOINT SECURITY I DATA SECURITY

How to Use Windows Firewall With User Account Control (UAC)

Sophos Endpoint Security and Control Help

WHITE PAPER. Understanding How File Size Affects Malware Detection

WHITEPAPER. How a DNS Firewall Helps in the Battle against Advanced Persistent Threat and Similar Malware

Content-ID. Content-ID URLS THREATS DATA

Security Consultant Scenario INFO Term Project. Brad S. Brady. Drexel University

KASPERSKY PRIVATE SECURITY NETWORK: REAL-TIME THREAT INTELLIGENCE INSIDE THE CORPORATE INFRASTRUCTURE

Symantec Endpoint Protection Small Business Edition Getting Started Guide

Agenda , Palo Alto Networks. Confidential and Proprietary.

Xerox Next Generation Security: Partnering with McAfee White Paper

Cyber Security in Taiwan's Government Institutions: From APT To. Investigation Policies

Symantec Endpoint Protection Analyzer Report

The Trivial Cisco IP Phones Compromise

ADVANCED THREATS IN THE ENTERPRISE. Finding an Evil in the Haystack with RSA ECAT. White Paper

Windows Operating Systems. Basic Security

Online Payments Threats

A Case for Managed Security

Trend Micro Incorporated Research Paper Adding Android and Mac OS X Malware to the APT Toolbox

White Paper THE FOUR ATTACK VECTORS TO PREVENT OR DETECT RETAILER BREACHES. By James Christiansen, VP, Information Risk Management

Getting Started Guide

Unified Security, ATP and more

Content Security: Protect Your Network with Five Must-Haves

Securing Remote Vendor Access with Privileged Account Security

THREAT VISIBILITY & VULNERABILITY ASSESSMENT

Malwarebytes Enterprise Edition Best Practices Guide Version March 2014

DETECTING THE ENEMY INSIDE THE NETWORK. How Tough Is It to Deal with APTs?

Configuring WildFire. Version 1.0 PAN-OS Johan Loos.

Content-ID. Content-ID enables customers to apply policies to inspect and control content traversing the network.

Penetration Testing Service. By Comsec Information Security Consulting

Redline Users Guide. Version 1.12

Product Guide. McAfee Endpoint Protection for Mac 2.1.0

Contents. McAfee Internet Security 3

Product Guide. McAfee Endpoint Security for Mac Threat Prevention

HoneyBOT User Guide A Windows based honeypot solution

Cisco Advanced Malware Protection for Endpoints

_Firewall. Palo Alto. How Logtrust works with Palo Alto Networks

McAfee.com Personal Firewall

Client Guide for Symantec Endpoint Protection and Symantec Network Access Control

Sophos for Microsoft SharePoint Help. Product version: 2.0

SYMANTEC ENDPOINT PROTECTION SMALL BUSINESS EDITION

WHITE PAPER Cloud-Based, Automated Breach Detection. The Seculert Platform

Enterprise Security Platform for Government

Sophos for Microsoft SharePoint Help

Cisco Advanced Malware Protection for Endpoints

Top five strategies for combating modern threats Is anti-virus dead?

Next Generation Enterprise Network Security Platform

What Do You Mean My Cloud Data Isn t Secure?

BitDefender Security for Exchange

Module 4 Protection of Information Systems Infrastructure and Information Assets. Chapter 6: Network Security

5 Steps to Advanced Threat Protection

Ovation Security Center Data Sheet

Transcription:

Advanced Endpoint Protection Overview Advanced Endpoint Protection is a solution that prevents Advanced Persistent Threats (APTs) and Zero-Day attacks and enables protection of your endpoints by blocking attack vectors before any malware is initiated. The following topics describe the Advanced Endpoint Protection in more detail: Advanced Endpoint Protection Overview Advanced Endpoint Protection Components Advanced Endpoint Protection Administrator s Guide 1

Advanced Endpoint Protection Overview Advanced Endpoint Protection Overview Advanced Endpoint Protection Overview Cyber-attacks are attacks performed on networks or endpoints to inflict damage, steal information, or achieve other goals that involve taking control over computer systems that belong to others. Adversaries perpetrate cyber-attacks either by causing a user to unintentionally run a malicious executable, or by exploiting a weakness in a legitimate executable to run malicious code behind the scenes without the knowledge of the user. One way to prevent these attacks is to identify executables, dynamic-link libraries (DLLs), or other pieces of code as malicious, and then prevent them from running by testing each potentially dangerous code module against a list of specific, known threat signatures. The weakness of this method is that signature-based solutions take time to identify newly created threats known only to the attacker (also known as Zero-Day attacks or exploits) and add them to lists of known threats, leaving the endpoint vulnerable until the signatures are updated. The Advanced Endpoint Protection solution, which consists of a central Endpoint Security Manager and endpoint protection software called Traps, takes a more effective approach to preventing attacks. Rather than trying to keep up with the ever-growing list of known threats, Traps sets up a series of roadblocks that prevent the attacks at their initial entry points, when legitimate executables are about to unknowingly allow malicious access to the system. Traps targets software vulnerabilities in processes that open non-executable files using exploit prevention techniques. Traps also uses malware prevention techniques to prevent malicious executable files from running. Using this two-fold approach, the Advanced Endpoint Protection solution can prevent all types of attacks, whether they are known or unknown threats. All aspects of endpoint security settings the endpoints and groups to which they are applied, the applications they protect, the defined rules, restrictions and actions are all highly configurable. This allows each organization to tailor Traps to its needs so that it provides maximum protection with minimal disruption of day-to-day activities. Exploit Prevention Malware Prevention Exploit Prevention An exploit is a sequence of commands that takes advantage of a bug or vulnerability in a software application or process. Attackers use exploits as a means to access and use a system to their advantage. To gain control of a system, the attacker must bypass a chain of vulnerabilities in the system. Blocking any attempt to exploit a vulnerability in the chain will block the exploitation attempt entirely. In a typical attack scenario, an attacker uses attempts to gain control of a system by first attempting to corrupt or bypass memory allocation or handlers. Using memory-corruption techniques such as buffer overflows and heap corruption, the hacker can then trigger a bug in software or exploit a vulnerability in a process. The attacker must then manipulate a program to run code provided or specified by the attacker and evade detection. If the attacker gains access to the operating system, the attacker could then upload Trojan horses, malware programs that contain malicious executables, or otherwise use the system to their advantage. Traps prevents such exploit attempts by employing roadblocks or traps at each stage of the exploitation attempt. 2 Advanced Endpoint Protection Administrator s Guide

Advanced Endpoint Protection Overview Advanced Endpoint Protection Overview When a user opens a non-executable file, such as a PDF or Word document, the Traps agent seamlessly injects drivers into the software that opens the file. The drivers are injected at the earliest possible stage before any files belonging to the process are loaded into memory. If the process that opens the file is protected, Traps injects a code module called an Exploitation Prevention Module (EPM) into the process. The EPM targets a specific exploitation technique and is designed to prevent attacks on program vulnerabilities based on memory corruption or logic flaws. Examples of attacks that the EPMs can prevent include: Memory corruption Java code from running in browsers, under certain conditions Executables from spawning child processes, under certain conditions Dynamic-link library (DLL) hijacking (replacing a legitimate DLL with a malicious one of the same name) Hijacking program control flow Inserting malicious code as an exception handler In addition to automatically protecting processes from such attacks, Traps reports any prevention events to the Endpoint Security Manager, and performs additional actions according the settings of the policy rules. Common actions that Traps performs include collecting forensic data and notifying the user about the event. Traps does not perform any additional scanning or monitoring actions. The default endpoint security policy protects the most vulnerable and most commonly used applications, but you can also add other third-party and proprietary applications to the list of protected processes. For more information, see Add a Protected, Provisional, or Unprotected Process. Malware Prevention Malicious executable files, known as malware, are often disguised as or embedded in non-malicious files. These files, sometimes referred to as Trojan horses, can harm computers by attempting to gain control, gather sensitive information, or disrupt the normal operations of the system. To protect endpoints from malicious executable files, Traps employs the Malware Prevention Engine as another type of security roadblock. The Malware Prevention Engine uses a combination of policy-based restrictions and malware prevention modules to limit the surface area of an attack and control the source of file installation such Advanced Endpoint Protection Administrator s Guide 3

Advanced Endpoint Protection Overview Advanced Endpoint Protection Overview as from external media. The Malware Prevention Engine also uses technique-based mitigations that limit or block child processes, Java processes initiated in web browsers, creation of remote threads and processes, and execution of unsigned processes. When a user or machine attempts to open an executable, Traps first verifies that the executable does not match any restriction policy rules. If a restriction policy rule, such a folder restriction, applies to the executable, Traps blocks the attempted launch and reports the security event to the Endpoint Security Manager. If no restriction policy rules apply and WildFire is enabled, Traps creates a file hash and checks it against a local cache of hash values. If the file hash is unknown in the local cache, Traps forwards the hash value to the Endpoint Security Manager which checks its local database. If the file hash is unknown in the local database, the Endpoint Security Manager forwards the hash value to WildFire which responds with the results of the hash lookup, either malicious, benign, or unknown. If any of the file hash checks reveals that an executable is malicious, no further checking is done: Traps reports the security event to the Endpoint Security Manager and handles the executable as determined by the security policy. Common actions that Traps performs include preventing the file from executing, collecting forensic data, and notifying the user about the event. Traps does not perform any additional scanning or monitoring actions. If any of the file hash checks reveals that an executable is benign, no further checking is done: Traps allows the executable file to continue. 4 Advanced Endpoint Protection Administrator s Guide

Advanced Endpoint Protection Overview Advanced Endpoint Protection Components Advanced Endpoint Protection Components The Advanced Endpoint Protection solution uses a central Endpoint Security Manager (ESM) comprised of an ESM Console, a database, and an ESM Server, to manage policy rules, and distribute the security policy to endpoints in your organization. The Endpoint Security Manager components communicate with the protection software, called Traps, that is installed on each endpoint in your organization. The following diagram displays the Advanced Endpoint Protection components. The following topics describe the elements in more detail. Endpoint Security Manager Console Endpoint Security Manager Server Database Endpoints Traps External Logging Platform WildFire Forensic Folder Advanced Endpoint Protection Administrator s Guide 5

Advanced Endpoint Protection Components Advanced Endpoint Protection Overview Endpoint Security Manager Console The Endpoint Security Manager (ESM) Console is a web interface that provides an administrative dashboard for managing security events, endpoint health, and policy rules. You can install the web interface on the same server as the ESM Server, on a separate server, or on a cloud-based server. The ESM Console communicates with the database independently from the ESM Server. Endpoint Security Manager Server On a regular basis, the Endpoint Security Manager (ESM) Server retrieves the security policy from the database and distributes it to all Traps agents. Each Traps agent relays information related to security events back to the ESM Server. The following table displays the types of messages that the Traps agent sends to the ESM Server: Message Type Traps status Notifications Update messages Prevention reports Description The Traps agent periodically sends messages to the ESM Server to indicate that it is operational, and to request the latest security policy. The Notifications and Health pages in the Endpoint Security Manager display the status for each endpoint. By default, the duration between messages, known as the heartbeat period, is 5 minutes; the heartbeat period is configurable. The Traps agent sends notification messages about changes in the agent, such as the start or stop of a service, to the ESM Server. The server logs these notifications in the database. You can view the notifications in the Endpoint Security Manager. By default, Traps sends notifications every two hours. An end user can request an immediate policy update by clicking the Update now button in the Traps console. This causes the Traps agent to request the latest security policy from the ESM Server without waiting for the end of the heartbeat period. If a prevention event occurs on an endpoint where the Traps agent is installed, the Traps agent reports all of the information pertaining to the event to the ESM Server in real-time. Database The database stores administrative information, security policy rules, endpoint history, and other information about security events. The database is managed over the MS-SQL platform. Each database requires a license and can communicate with one or more ESM Servers. The database may be installed on the same server as the ESM Console and ESM Server, such as in a standalone environment, or the database can be installed on a dedicated server. During the proof-of-concept stage, the SQLite database is also supported. 6 Advanced Endpoint Protection Administrator s Guide

Advanced Endpoint Protection Overview Advanced Endpoint Protection Components Endpoints An endpoint is a Windows-based computer, server, virtual machine, or mobile device running the client-side protection application called Traps. Traps Traps is comprised of a console that provides a user-interface application, an agent that protects the endpoint and communicates with the ESM Server, and the service that collects forensic data. The Traps agent protects the endpoint by implementing the security policy defined for the organization in the Endpoint Security Manager. When a user creates or opens a protected process on the endpoint, the Traps agent injects its drivers into the process at the earliest possible stage, before the process files are loaded into memory. The agent also protects the Traps software from being disabled or uninstalled. If the Traps agent encounters a prevention event, the Traps service collects forensic information and transmits data related to the event back to the Endpoint Security Manager. The Traps service is also responsible for communicating status information about the endpoint on a regular basis. The Traps console displays information about protected processes, event history, and current security policy. Usually, users will not need to run the Traps console, but the information can be useful when investigating a security-related event. You can choose to hide the console tray icon that launches the console, or prevent users from launching it altogether. For more information, see Hide or Restrict Access to the Traps Console. External Logging Platform The Endpoint Security Manager can write logs to an external logging platform, such as security information and event management (SIEM), Service Organization Controls (SOCs), or syslog, in addition to storing its logs internally. Specifying an external logging platform allows an aggregated view of logs from all ESM Servers. Advanced Endpoint Protection Administrator s Guide 7

Advanced Endpoint Protection Components Advanced Endpoint Protection Overview WildFire The Traps agent is designed to block attacks before any malicious code can run on the endpoint. While this approach ensures the safety of data and infrastructure, it enables the collection of forensic evidence only at the moment of prevention. Thus, it cannot fully reveal the purpose of the attack or its entire flow. The WildFire service is an optional, post-prevention analysis system that performs forensic analysis of malicious files. Enabling WildFire Integration allows the Endpoint Security Manager to create a file hash from the executable file and check it against the WildFire Cloud. If WildFire confirms that a file is known malware, the Traps agent blocks the file for future exposures and notifies the Endpoint Security Manager. As WildFire detects new malware, it generates new signatures within the hour. Palo Alto Networks next-generation firewalls equipped with a WildFire subscription can receive the new signatures within 15 minutes; firewalls with only a Threat Prevention subscription can receive the new signatures in the next Antivirus signature update within 24-48 hours. If WildFire Integration is enabled in the Endpoint Security Manager, the Status page of the Traps console displays a next to Anti-Malware Protection. If WildFire is not enabled, the Traps console displays a next to Anti-Malware Protection. For more information, see Enable WildFire. Forensic Folder When Traps encounters a security-related event, such as a file execution, interference with the Traps service, or an exploit attack, it logs real-time forensic details about the event on the endpoint. The forensic data includes the event history, memory dump, and other information associated with the event. You can retrieve the forensic data by creating an action rule to collect the data from the endpoint. After the endpoint receives the security policy that includes the action rule, the Traps agent sends all the forensic information to the forensic folder, which is sometimes referred to as the quarantine folder. During the initial installation, you specify the path of the forensic folder that the Endpoint Security Manager uses to store forensic information that it retrieves from the endpoints. The path can be local to the server or on the network and must allow all endpoints to write to the folder. You can change the path to the folder at any time using the Endpoint Security Manager. 8 Advanced Endpoint Protection Administrator s Guide

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information