Carbon Black and Palo Alto Networks Bring Together Next-Generation Endpoint and Network Security Solutions
Endpoints and Servers in the Crosshairs of

According to a 2013 study, 70 percent of businesses believe that of all their IT assets, endpoint user devices are the most vulnerable to a cyber attack.[1] Why? End users are easily fooled by targeted attacks and are typically the weakest link in the security chain. From social engineering attacks to spearphishing attacks to drive-by-download attacks, end users can fall victim to sophisticated methods of compromise without even knowing it. For the attacker, this means that the user and the user's endpoint are likely the easiest entryway into the network.

The trouble is twofold. First, traditional endpoint security solutions such as antivirus, which rely on blacklists and malware signatures, are not designed to detect and prevent advanced attacks. The reason for this is that advanced attackers often use customized and polymorphic malware. Customized malware is typically a slightly modified version of known malware that has been tailored to slip past anti-virus solutions. Similarly, polymorphic malware dynamically creates different forms of itself to thwart detection by signature-based endpoint security solutions. Second, once an attacker has gained access to an endpoint and begun moving across the network, traditional firewalls may not detect the intrusion, the malware or the exfiltration of data.

Fortunately, next-generation endpoint and network security solutions are designed to detect and prevent these sophisticated advanced attacks. What's more, when these solutions work together, customers can achieve end-to-end visibility of what's happening on the endpoints, network, and servers to better protect their organizations from advanced attacks.

This whitepaper will explore how the integration of Carbon Black's next-generation endpoint and server security solution with Palo Alto Networks' next-generation firewall and cloud-based WildFire solution closes the loop between the network and the endpoints to prevent advanced attackers from penetrating your systems and compromising your organization's sensitive data.

[1] 2013 Cyber Security Survey, commissioned by Carbon Black and conducted by Information Security Media Group.
Historically, customers were given two basic choices when it came to network security: either block everything in the interest of network security or enable everything in the interest of business. These choices left little room for compromise. With this in mind, Palo Alto Networks has pioneered solutions to enable customers to accomplish both objectives: safely enable applications while protecting against both known and unknown threats.

Palo Alto Networks Next-Generation Firewall. The Palo Alto Networks next-generation firewall offers a traffic classification that natively inspects all applications, threats and content, then ties that traffic to the user, regardless of location or device type. The application, content and user, the elements that run your business, then become integral components of the enterprise security policy. The result is the ability to align security with key business initiatives. Organizations can safely enable applications based on the business use case while simultaneously preventing threats by blocking unknown and untrusted applications.

Palo Alto Networks WildFire. Complementary to the next-generation firewall is Palo Alto Networks WildFire. WildFire identifies unknown malware, zero-day exploits and Advanced Persistent Threats through dynamic analysis in a cloud-based, virtual environment. The WildFire platform has full visibility into all network traffic, including that through non-standard ports and SSL encryption tunnels, to prevent known and unknown exploits, malware, malicious URLs and command-and-control activity. As threats are analyzed, WildFire disseminates the results to the customer ecosystem in near real-time to facilitate the information sharing needed to help organizations more proactively defend against cyber attacks.
By using the Palo Alto Networks next-generation firewall with WildFire, organizations are able to analyze unknown files identified in all traffic flows from all ports, including Web, email, FTP and Server Message Block (SMB) file sharing. This provides extended threat detection across all common file types as well as any embedded content. To further strengthen protections, based on file analysis results, WildFire can automatically update the firewall alert logic to provide true in-line blocking of exploitive and malicious files, as well as command-and-control traffic, at the network level.

To complement their powerful analysis and threat prevention tools on the network level, Palo Alto Networks has partnered with Carbon Black to help customers better protect their endpoints and servers, as well. These integrations between network and endpoint security solutions help customers address two main challenges. First, once a security team determines that a threat is present on the network, analysts need to locate the threat and understand the true scale of the incident. Second, security teams need the ability to analyze unknown and suspicious files that arrive directly on endpoints without crossing the network.

What if you could take all the network alerts and threat data that you can see with Palo Alto Networks and automatically correlate those with your endpoint data to see the exact location, scope and severity of each threat in real-time? Also imagine if you could leverage WildFire to analyze and block suspicious files and malware that target your endpoints directly. The scenarios below will demonstrate how you can leverage Carbon Black and Palo Alto Networks together to achieve these powerful capabilities.
As we've discussed, advanced attacks target users at the perimeter because users and their endpoints are typically the easiest points of entry into a network. However, since the endpoint is merely a stepping stone in a multi-phase campaign, attackers tend to move quickly and stealthily once they are inside. In fact, once malware breaches an endpoint, it will typically execute in 15 minutes or less. That means timing and intelligence are critical. Organizations need the ability to immediately detect an attack the moment it executes, which means that organizations should monitor every:

- Desktop and laptop, Windows or Mac, on- or off-network
- Server, physical or virtual
- Fixed-function device

However, simply detecting the initial attack is not enough. Security teams also need to know exactly what the malware did once it executed in order to understand the full scope of the attack, rapidly respond to the incident, and remediate the threat. By recording every action that executes on the endpoint, security analysts can gain actionable intelligence about exactly when the malware executed, what it did, what files were impacted, and to which other devices it spread.

One major challenge of advanced attacks is that the malware used is not like conventional malware such as viruses or Trojans; you cannot expect to detect these attacks based on signatures. Advanced attackers are smart, and they are well-versed in evading traditional signature-based malware detection solutions. The malware used in advanced attacks can be custom-built for a specific attack and is often a modified version of known malware that has been designed specifically to evade traditional defenses. Rather than relying on a blacklist of known-bad files, organizations should look to solutions that offer real-time analysis of executable software to identify and prevent known malware, unknown malware, and zero-day attacks. Organizations also should look to solutions that enable security teams to customize rules about what types of software are allowed to run in their environment, what types of software are prevented from running, and what types of software require a deeper analysis in order to make an intelligence-based decision.
The Carbon Black Connector for Palo Alto Networks is designed to help organizations strengthen their defenses and more rapidly respond to incidents by correlating network and endpoint threat data. The integration of the Carbon Black Security Platform with the Palo Alto Networks Next-Generation Firewall and WildFire helps organizations address two major challenges. First, the integration of the Cb Security Platform with the Palo Alto Networks firewall helps security teams correlate network alerts with real-time endpoint and server activity. This enables organizations to identify actionable network alerts quickly so they can accelerate incident response time and reduce the overall operational effort of managing network security. Second, the integration between the Cb Security Platform and WildFire extends Palo Alto Networks' powerful analysis capabilities to files on the endpoint. When new files arrive on endpoints from removable storage devices or while users are off the network, those files bypass the firewall. However, with the Carbon Black Connector, security teams are able to monitor all ingress points to quickly identify, analyze, and respond to new files as they arrive on endpoints.
The Carbon Black Connector in Action

Correlate Firewall Alerts with Carbon Black Endpoint Data

The Carbon Black Connector enables the Carbon Black Endpoint Security and Palo Alto Networks platforms to share information and correlate threat data. When the Palo Alto Networks firewall detects suspicious files or abnormal activity, the firewall generates alerts that Carbon Black Enterprise Response can process. Using the Connector, Cb Enterprise Response is able to automatically receive firewall alerts and correlate that data to immediately identify if the malware has landed on an endpoint or server, if it executed, and which machines have been affected.

Figure 1. Correlate network and endpoint data

Based on this real-time information, security analysts can prioritize alerts based on the severity and scope of the threat and gain the opportunity to respond before the incident becomes serious.

Locate Every Instance of Malware on Endpoints and Servers

Based on the data in Figure 1, security analysts can determine which threats require action. Typically, an analyst would home in on the threats that have landed, spread and executed on the greatest number of systems. As a next step in the incident investigation process, the analyst will want to determine exactly which machines have been affected by a malicious file or activity. By clicking on a number in the Affected Systems column, the analyst can see exactly which machines have been impacted by a specific threat and locate every instance of that threat across the enterprise.

Figure 2. Locate every instance of a threat
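The correlation the two sections above describe, reduced to its data-handling core, as an added example that is not Carbon Black or Palo Alto Networks code: network alerts keyed by file hash are joined against endpoint sensor records to answer "did it land, did it execute, and on which hosts," then ranked by scope and severity. The record layouts, the hash values and the scoring weights are constructed for this example.

```python
"""Correlate firewall/WildFire alerts with endpoint telemetry to scope a threat.

Added illustration, not Carbon Black or Palo Alto Networks code: the record
layouts and the sample data are constructed for this example.
"""
from dataclasses import dataclass, field

# Constructed sample: network alerts, one per file hash seen crossing the firewall.
NETWORK_ALERTS = [
    {"sha256": "aaa111", "verdict": "malicious", "severity": "high"},
    {"sha256": "bbb222", "verdict": "malicious", "severity": "medium"},
    {"sha256": "ccc333", "verdict": "benign", "severity": "low"},
]

# Constructed sample: endpoint sensor records (file writes and process starts).
ENDPOINT_EVENTS = [
    {"host": "ws-01", "sha256": "aaa111", "event": "file_write"},
    {"host": "ws-01", "sha256": "aaa111", "event": "process_start"},
    {"host": "ws-02", "sha256": "aaa111", "event": "file_write"},
    {"host": "srv-db", "sha256": "bbb222", "event": "file_write"},
    {"host": "srv-db", "sha256": "bbb222", "event": "process_start"},
    {"host": "ws-03", "sha256": "bbb222", "event": "process_start"},
    {"host": "ws-04", "sha256": "ccc333", "event": "file_write"},
]

SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3}


@dataclass
class ThreatSummary:
    """What the endpoint data says about one network-reported file hash."""
    sha256: str
    severity: str
    landed_on: set = field(default_factory=set)    # hosts where the file was seen at all
    executed_on: set = field(default_factory=set)  # hosts where it started as a process

    def score(self) -> int:
        # Every affected host counts once; an execution counts again, and the
        # network severity scales the total so high-severity hashes rise first.
        return SEVERITY_WEIGHT[self.severity] * (len(self.landed_on) + len(self.executed_on))


def correlate(alerts, events):
    """Return malicious-verdict alerts enriched with endpoint scope, highest score first."""
    by_hash = {
        a["sha256"]: ThreatSummary(a["sha256"], a["severity"])
        for a in alerts
        if a["verdict"] == "malicious"  # benign verdicts need no endpoint follow-up
    }
    for e in events:
        summary = by_hash.get(e["sha256"])
        if summary is None:
            continue  # endpoint activity unrelated to any network alert
        summary.landed_on.add(e["host"])  # a file that executed was necessarily present
        if e["event"] == "process_start":
            summary.executed_on.add(e["host"])
    return sorted(by_hash.values(), key=ThreatSummary.score, reverse=True)


def affected_systems(summaries, sha256):
    """The hosts an analyst would drill into for one hash (the 'Affected Systems' view)."""
    for s in summaries:
        if s.sha256 == sha256:
            return sorted(s.landed_on)
    return []


if __name__ == "__main__":
    for s in correlate(NETWORK_ALERTS, ENDPOINT_EVENTS):
        print(f"{s.sha256} severity={s.severity} score={s.score()} "
              f"landed={sorted(s.landed_on)} executed={sorted(s.executed_on)}")
```

With the constructed data, the high-severity hash that executed on one host and merely landed on another ranks above the medium-severity hash that executed on two hosts; the benign alert is dropped before any endpoint lookup, which is the prioritization effect the text attributes to Figure 1.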
Contain the Threat and Prevent Future Attacks

The Carbon Black Security Platform offers security teams a variety of options to detect and prevent threats on their endpoints. Security teams can set custom rules about which files to ban and which to permit based on the organization's unique needs and security posture. For example, organizations that prioritize usability over security will often choose to permit all files to run by default. However, the security teams at these organizations will also closely monitor malicious and unknown software, report on threats, and remediate when necessary. Conversely, organizations that prioritize security above usability often will opt to prevent all unknown files from executing by default. Regardless of where your organization falls in the security versus usability spectrum, the Cb Security Platform console enables your administrators to write policies that are tailored to the specific needs and requirements of your organization.

One way to enforce policies that prevent malicious files from executing while permitting safe, yet unknown, files to run is to leverage the Carbon Black Connector. Using the Carbon Black Security Platform, organizations can write rules to automatically ban only those files that WildFire has deemed malicious. In this scenario, customers have the option to allow unknown files to execute unless they are determined to be malicious by WildFire. These automated policies are created using Event Rules.

Figure 3. Enforce software bans based on network alerts
In Figure 3 you can see that this analyst has chosen to write an event rule that directs Carbon Black Enterprise Protection and Enterprise Response to ban all files that the network connector reported to be malicious. As WildFire analyzes unknown files, it communicates to the Carbon Black Security Platform, via the network connector, information about which files are malicious and which are safe. This means that the next time a file or piece of software that WildFire deemed malicious attempts to execute on a Cb Enterprise Response-protected endpoint or server, the Cb Security Platform will automatically prevent the execution and thereby thwart the attack. Using the Carbon Black Security Platform Event Rules, security analysts can write policies that define which software is allowed to run seamlessly, which software should be automatically banned, and which requires further analysis before making a determination. With the click of a button these policies can be enforced on all protected endpoints and servers within your environment.

Intelligence-Driven Decisions Based on Palo Alto Networks WildFire

Customers can benefit greatly from correlating network and endpoint data to detect, respond to, and prevent threats, but what happens when users are off the network? Users today are increasingly mobile, which means they tend to work from home, hotels and cafes. Users also tend to use third-party devices and plug those devices into their laptops. From USB storage devices that are used to store PowerPoint presentations and spreadsheets to mobile devices that plug in to sync music and videos, a variety of third-party devices, which could potentially carry malware, can find their way onto the network without passing through any of your network defenses.
The Carbon Black Connector enables security teams to take back control of what happens outside the perimeter, analyze files before permitting them to run on the network, and block all malware that a user may have picked up while on a public network, from a malicious file or link accessed off the network, or from a third-party device.
Automatic analysis of new files on endpoints. Much like the event rule in Figure 3, administrators can write policies to automatically analyze all newly arriving files before permitting them to execute. Since the Carbon Black Security Platform runs on the endpoint itself, it can enforce policies regardless of whether the user is inside or outside the perimeter. For the most security-conscious organizations, security administrators may opt to ban all unknown and malicious files from executing, even when a user is off the network. Other organizations may choose to allow unknown files to execute while a user is off the network but write policies that require those new files to be analyzed as soon as the user plugs back in. This last option provides a balance between end-user convenience and security.

In Figure 4, an administrator has written a policy to automatically analyze all new files as they arrive on the network, taking into account file size and type. Since the Carbon Black Security Platform monitors all endpoint activity, both on and off the network, the platform is able to keep an inventory of new files that require analysis. In this example, using the Carbon Black Connector, the Cb Security Platform will automatically submit all new application files or supporting files smaller than 5 MB to WildFire for analysis. Based on the result, the file can be manually or automatically banned or approved, thus allowing or disallowing its execution.

Figure 4. Automatically analyze new files on endpoints
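The event-rule logic the two preceding sections describe (ban on a malicious verdict, approve on a benign one, let the organization's posture decide unknowns, submit application and supporting files under 5 MB, and queue files that arrive off-network until the user reconnects), written out as an added example that is not Carbon Black's own rule engine. The verdict table stands in for WildFire, the hashes are made up, and the `PolicyEngine` class and its method names are this example's own assumptions.

```python
"""Event-rule policy for newly arriving files, on and off the network.

Added illustration, not Carbon Black's own rule engine: the thresholds follow
the paper's Figure 4 scenario (application or supporting files under 5 MB are
submitted for analysis); the verdict table stands in for WildFire.
"""
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    MALICIOUS = "malicious"
    BENIGN = "benign"
    UNKNOWN = "unknown"   # no result yet, or the service has never seen the hash


class Action(Enum):
    BAN = "ban"           # verdict malicious: never allowed to execute
    APPROVE = "approve"   # verdict benign: explicitly permitted
    ALLOW = "allow"       # no verdict; permissive posture lets it run
    BLOCK = "block"       # no verdict; strict posture holds it back


@dataclass(frozen=True)
class NewFile:
    path: str
    sha256: str
    size_bytes: int
    file_type: str        # "application", "supporting", "document", ...
    on_network: bool      # was the endpoint inside the perimeter when it arrived?


MAX_SUBMIT_BYTES = 5 * 1024 * 1024
ANALYZABLE_TYPES = {"application", "supporting"}

# Constructed stand-in for the analysis service's verdicts (hashes are made up).
SANDBOX_VERDICTS = {"deadbeef": Verdict.MALICIOUS, "cafebabe": Verdict.BENIGN}


def lookup_verdict(sha256: str) -> Verdict:
    return SANDBOX_VERDICTS.get(sha256, Verdict.UNKNOWN)


def matches_submission_rule(f: NewFile) -> bool:
    """Figure 4 rule: application/supporting files smaller than 5 MB get analyzed."""
    return f.file_type in ANALYZABLE_TYPES and f.size_bytes < MAX_SUBMIT_BYTES


class PolicyEngine:
    """Hypothetical rule engine: one instance per posture (permissive or strict)."""

    def __init__(self, default_allow: bool, verdict_source=lookup_verdict):
        self.default_allow = default_allow     # usability-first (True) or security-first (False)
        self.verdict_source = verdict_source
        self.submitted = []                    # hashes sent for analysis, in order
        self.pending = []                      # files that arrived off-network, awaiting analysis

    def _posture_default(self) -> Action:
        return Action.ALLOW if self.default_allow else Action.BLOCK

    def _apply(self, verdict: Verdict) -> Action:
        if verdict is Verdict.MALICIOUS:
            return Action.BAN
        if verdict is Verdict.BENIGN:
            return Action.APPROVE
        return self._posture_default()         # unknown: the organization's posture decides

    def evaluate(self, f: NewFile) -> Action:
        """Decide what happens the moment a new file lands on the endpoint."""
        if not matches_submission_rule(f):
            return self._posture_default()     # outside the rule: no submission, posture decides
        if not f.on_network:
            self.pending.append(f)             # analyze as soon as the user plugs back in
            return self._posture_default()
        self.submitted.append(f.sha256)
        return self._apply(self.verdict_source(f.sha256))

    def sync(self):
        """Endpoint is back on the network: drain the queue and return (hash, action) pairs."""
        decisions = []
        for f in self.pending:
            self.submitted.append(f.sha256)
            decisions.append((f.sha256, self._apply(self.verdict_source(f.sha256))))
        self.pending.clear()
        return decisions
```

One point the example makes visible: a file that falls outside the submission rule (here, an application larger than 5 MB) is never analyzed, so under the permissive posture it simply runs even if the service would have called it malicious. The size and type thresholds in a rule like Figure 4's are therefore a deliberate coverage boundary that the administrator should set with that gap in mind.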
On-demand analysis of new files on endpoints. In certain cases, administrators may want the ability to analyze files on a one-off basis. One such example is when a user submits a request to run an unapproved file. When a user believes that he or she needs the specific file or application for work or productivity purposes, the user is able to submit an approval request. In this scenario, the administrator will want to ensure that the file is not malicious before granting the approval. Using the Carbon Black Enterprise Protection and Cb Enterprise Response consoles, the administrator can quickly and directly submit the file to WildFire for analysis.

Figure 5. Analyze new files on endpoints on-demand

In Figure 5, the administrator has selected two files to submit to WildFire. Based on the results of WildFire's file analysis, the administrator can make an informed decision to either approve or not approve the file. If the administrator opts to approve the file, he or she can further specify if the file is approved locally, meaning it may only run on that user's individual system, or globally, so that it may run on all systems within the environment.
As you can see in these examples, the Carbon Black Connector brings together next-generation network and endpoint security in a way not previously possible. By correlating firewall alerts with real-time endpoint data, security analysts can quickly prioritize alerts, investigate incidents, and contain and remediate attacks. The Connector also brings a new level of visibility and control even as users are outside of the perimeter. As a result, organizations can strengthen their security postures and better protect themselves from advanced attacks that target end users.

for Fortune 500 Petroleum Refiner

A top mining and crude-oil production company saw an escalating number of attacks against companies in their industry. Given the spike in attacks, this refiner wanted to improve its security operations before it became yet another headline. This refiner was using Palo Alto Networks and WildFire for network security and a traditional anti-virus solution for endpoint security. However, the company realized that its legacy anti-virus solution was incapable of stopping sophisticated threats, including zero-day and targeted attacks such as Shamoon, which shut down approximately 30,000 workstations at the largest oil company in Saudi Arabia for a week. After considering offerings from a number of vendors, the company selected the Carbon Black Security Platform with the Connector for Palo Alto Networks.

Upon deploying the Cb Security Platform, the company's IT and security staff saw immediate benefits. The security team initially created a few simple policies to define the software it would allow to run and the files it wanted to block. Right away, the team noticed that the ongoing management of the platform solution required less effort than the former legacy security solution and was much more effective in protecting the organization from a wide range of threats. The refiner next deployed the Carbon Black Connector for Palo Alto Networks.
As security analysts saw suspicious files come across the firewall, they automatically directed those files to WildFire for analysis. The company leveraged Carbon Black Enterprise Protection and Carbon Black Enterprise Response to write policies that banned all files WildFire deemed malicious from executing on any of the endpoints or servers in the environment. Now, using these integrated solutions from Carbon Black and Palo Alto Networks, this refiner has been able to correlate network threat data with endpoint and server data to strengthen its defenses and bolster its security operations.
Conclusion

Workforce mobility will continue to increase, and with it, the attack surface will grow. Users and their devices outside the perimeter will not be as well protected as those within the perimeter. As a result, as you invest in solutions such as Palo Alto Networks to prevent attacks at the network level, it's equally crucial to strengthen defenses on your endpoints to prevent attackers from achieving the initial point of compromise. The Carbon Black Security Platform provides advanced threat protection for endpoints and servers, and the Carbon Black Connector for Palo Alto Networks is the only endpoint solution that can integrate with Palo Alto Networks to confirm the location, scope and severity of threats in real-time. The Carbon Black Connector is also the only solution of its kind that can submit files to WildFire for analysis and then ban or approve them based on WildFire results. This tightly integrated network and endpoint security solution can help you reduce the overall operational effort of managing network security, accelerate incident response time and improve your organization's overall security posture.

About Carbon Black

Carbon Black leads a new era of endpoint security by enabling organizations to disrupt advanced attacks, deploy the best prevention strategies for their business, and leverage the expertise of 10,000 professionals to shift the balance of power back to security teams. Only Carbon Black continuously records and centrally retains all endpoint activity, making it easy to track an attacker's every action, instantly scope every incident, unravel entire attacks and determine root causes. Carbon Black also offers a range of prevention options so organizations can match their endpoint defense to their business needs. Carbon Black has been named #1 in endpoint protection, incident response, and market share. Forward-thinking companies choose Carbon Black to arm their endpoints, enabling security teams to: Disrupt. Defend. Unite.
2016 Carbon Black is a registered trademark of Carbon Black, Inc. All other company or product names may be the trademarks of their respective owners. 20151228 RKB