ASD's Top Cyber Intrusion Mitigation Strategies
How Palo Alto Networks® Can Help With ASD's Top Cyber Intrusion Mitigation Strategies

Table of Contents
Introduction
Executive Summary
A Systematic Approach to Network Application Whitelisting
Positive Security Model = Application Whitelisting
Application Control With Palo Alto Networks
User-based Policy Control
Defence in Depth: Application Whitelisting + Next-Generation Firewalls
The Last Line of Defence: Next-Generation Endpoint Protection
Top 35 Mitigation Steps – Where Palo Alto Networks Can Help

Introduction

The Australian Signals Directorate (ASD), formerly known as the Defence Signals Directorate (DSD), plays a lead role in protecting Australia's critical infrastructure and other information networks from cyber intrusions that pose real and present threats to Australia's national security and national interests. As part of its cyber security charter, ASD has defined the top 35 cyber intrusion mitigation strategies that organisations can implement to help protect the nation's digital assets. Of those 35 strategies, ASD has mandated that four be implemented.

Palo Alto Networks is a next-generation cyber security company dedicated to the needs of global government. Today its platform is used by governments in 72 countries across five continents, and is deployed widely within military, civilian and intelligence establishments.

Executive Summary

It is no secret that government networks are among the most targeted of any sector. The stakes are high, and attackers know they must use more evasive tactics to penetrate these networks. Many attackers not only penetrate their target network but establish a beachhead and remain undetected for a significant period while continuing evasive and damaging activity. This leads to tremendous loss, whether of strategic, political, monetary or intelligence value.
Additionally, government networks are undergoing change. Many agencies face the challenges of reducing data centre footprints, virtualising existing services to reduce costs and "go green", or advancing security strategies to thwart advanced attacks in the field or at home. These changes mean government agencies are demanding more from their cyber security solutions. The ASD Top 35 mitigation strategies have been proven to help agencies protect their networks against targeted attacks. The Palo Alto Networks Next-Generation Security Platform can help agencies not only implement a large number of these strategies, but also supplement them with capabilities and best practices that only a true next-generation security platform provides, forming a coordinated, extensible defence-in-depth.

[Figure: the Next-Generation Security Platform, three natively integrated, automated and extensible components.
• Next-Generation Firewall: inspects all traffic; safely enables applications; blocks network-based threats; sends unknown threats to the cloud.
• Next-Generation Threat Intelligence Cloud: gathers potential threats from network and endpoints; analyses and correlates threat intelligence; disseminates threat intelligence to network and endpoints.
• Next-Generation Endpoint: inspects all processes and files; prevents both known and unknown exploits; protects fixed, virtual and mobile endpoints; lightweight client and cloud based.]

The Palo Alto Networks Next-Generation Security Platform is a flexible and extensible, natively integrated and automated platform for the detection and prevention of known and unknown cyber threats.
Spanning network and endpoint and augmented by a global Threat Intelligence Cloud, it can understand all traffic, no matter which port, protocol or encryption is used, to provide granular control of applications, users and content. It employs automated "closed-loop" protection mechanisms that are deployed in-line and are uniform across traditional infrastructure at the Internet edge, the cloud (public or private, cloud-delivered applications, or virtualised infrastructure) and mobile devices.

In its number one mitigation strategy, ASD mandates the whitelisting of applications on the endpoint. This is critical in preventing targeted malicious code from executing on an endpoint. Similarly, Palo Alto Networks believes that whitelisting applications at the network level is also critical in defeating targeted attacks. Network-level application whitelisting greatly reduces the attack surface and the number of attack vectors into a network, and makes it much harder to hide lateral movement and command-and-control traffic.

A Systematic Approach to Network Application Whitelisting

The best approach to regaining control over network activity, application or otherwise, is a systematic one: learn what is in use and by whom, establish the associated business requirements in conjunction with the users, document the resulting policies, and then enforce them with technology. Equally important is ongoing policy review and update to account for changing application and user behaviour.

• Visibility: The old adage "knowledge is power" applies to regaining control over applications, users and content at both the workstation and network levels. Without full knowledge of what users are doing, policy control efforts may miss the mark entirely, leave gaping holes, or create an environment in which users can take steps to evade the controls.
• Policy establishment: Once an in-depth picture of which applications are in use, and by whom, has been built, policy rules need to be established that balance the business requirements outlined by users against the associated security and business risks. Once agreement has been reached, it is critically important that the policy is documented and that users are made aware, through ongoing education, that these policies are in place and why.

• Enforcement and review: Using network and workstation level controls, the next step is to begin enforcing the established policies. When policies are violated, users should be notified via block pages, email alerts or other means. Here too a balance must be struck that enables the user without exerting unreasonable levels of control. Over time, the policies on what is or is not allowed need to be reviewed and updated.

From a technology perspective there are two approaches to executing this systematic approach to regaining control:

• Endpoint level control: Application whitelisting is a client- or endpoint-focused approach that defines which applications are or are not allowed to be installed and executed. Policies are established at a central control point that determines what is allowed; everything else is blocked.

• Network level control: Using next-generation firewalls designed to identify and control applications (not ports), such as those from Palo Alto Networks, is a network level approach that lets organisations establish positive security model rules that determine which applications are allowed and, by default, which applications are implicitly denied.

Both alternatives help organisations work towards the end goal of protecting the network and its digital assets while enabling users to accomplish their daily tasks. From a defence-in-depth perspective, application whitelisting and next-generation firewalling are a perfect complement.
The remainder of this paper focuses on how Palo Alto Networks can help Australian organisations fulfil the #1 mitigation strategy of application whitelisting while assisting with many of the other 34 recommended strategies.

Positive Security Model = Application Whitelisting

By definition, application whitelisting applies the same criteria found in the positive security model that firewalls adhere to, albeit at the endpoint rather than at the network level. As a reminder, a firewall operates on the premise of allowing what is defined by policy, then denying everything else, either implicitly or explicitly. Application whitelisting does exactly the same at the client level. The challenge traditional port-based firewalls face is that their positive security model policies are defined by ports, protocols and IP addresses, not by the applications themselves, which makes positive security model control at the application level nearly impossible.

Palo Alto Networks next-generation firewalls differ from traditional firewalls in that the first task performed on network traffic is to determine what the application is, irrespective of port, protocol, encryption or evasive technique employed. The application then becomes the basis of the positive security model policy: allow these specific applications and deny all others. Knowledge of which application is traversing the network is used to create firewall security policies, including allow, deny, inspect for threats, apply traffic shaping and more. All policy decisions are made and enforced at the network level.

Application Control With Palo Alto Networks

At one time, controlling which applications an employee could use was easy. Applications were tied to a specific port or protocol, and controlling them was as simple as allow or deny. Today, application developers want their applications to be as easy to access as possible, so they may not adhere to that convention because it could limit the application's acceptance.
Today it is easy to find applications, for both business and personal use, that:

• Are fully functional browser-based applications, yet may or may not use port 80.
• Are capable of running from a high-speed USB drive.
• Are client-server applications operating across port 80 or port 443.
• Use SSL, hop ports, or both.

These are just a few of the tactics applications use to ease user access and, at the same time, bypass traditional detection mechanisms. The result is that organisations have lost the ability to see, much less control, the applications traversing the network.

To help organisations regain control over the applications traversing the network at the firewall, Palo Alto Networks uses up to four mechanisms: application decoders and signatures, protocol decoders, heuristics and SSL decryption, to accurately identify more than 1,750 applications regardless of port, protocol, encryption or evasive tactic employed.

It is important to clarify the term "application", since it has no industry standard definition. In the context of Palo Alto Networks firewalls, an application is a specific program, or feature of a program, that can be detected, monitored and/or controlled. For example, Facebook is an application, as is Facebook Chat. Each can be detected, monitored and controlled independently as part of the positive enforcement security policy.

As traffic traverses the Palo Alto Networks firewall, applications are identified and graphically summarised in near real time, allowing administrators to see what is happening on the network, learn more about an application if needed, and then make an informed decision on how to treat it.

[Figure: Application visibility. View application activity in a clear, easy-to-read format; add and remove filters to learn more about the application, its functions and who is using them.]
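To make concrete why a port-based policy cannot express a positive security model over applications, the following Python toy is an added illustration written for this edit; it is not Palo Alto Networks code, and App-ID's real decoders and signatures are proprietary. Three simple protocol decoders (SSH identification banner, TLS ClientHello record header, BitTorrent peer-wire handshake) and one host-based application decoder stand in for them. The sample sessions, and the rule that a Facebook host header means the "facebook" application, are constructed for the example.

```python
"""Port-independent application identification (added toy example, not App-ID).

The destination port is what a traditional firewall keys on; the payload is
what actually identifies the application. compare() shows where the two
verdicts disagree, i.e. where a port-based allow rule would have let an
unintended application through.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    dport: int
    payload: bytes  # first client-to-server bytes of the session (constructed)


# Traditional model: the port *is* the application.
PORT_TABLE = {22: "ssh", 80: "web-browsing", 443: "ssl", 6881: "bittorrent"}


def identify_by_port(flow: Flow) -> str:
    return PORT_TABLE.get(flow.dport, "unknown-tcp")


def _http_request(p: bytes) -> Optional[dict]:
    """Protocol decoder for an HTTP/1.x request line plus headers."""
    head, _, _ = p.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return None
    if parts[0] not in (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"CONNECT"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": parts[0], "uri": parts[1], "headers": headers}


def identify_by_payload(flow: Flow) -> str:
    """Classify from the bytes the client actually sends; the port is ignored."""
    p = flow.payload
    if p.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"
    # TLS record: content type 22 (handshake), version 3.x, handshake type 1 (ClientHello)
    if len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01:
        return "ssl"
    # BitTorrent peer-wire handshake: length byte 19 followed by the protocol string
    if len(p) >= 20 and p[0] == 19 and p[1:20] == b"BitTorrent protocol":
        return "bittorrent"
    req = _http_request(p)
    if req is not None:
        # Application decoder on top of the protocol decoder: the HTTP host
        # separates a named application from generic browsing. Illustrative
        # rule only; App-ID uses many more signals and also splits out
        # sub-functions such as Facebook Chat.
        host = req["headers"].get(b"host", b"").lower()
        if host == b"www.facebook.com" or host.endswith(b".facebook.com"):
            return "facebook"
        return "web-browsing"
    return "unknown-tcp"


def compare(flow: Flow) -> dict:
    """Port-based verdict beside payload-based verdict; 'evasive' marks a mismatch."""
    by_port = identify_by_port(flow)
    by_payload = identify_by_payload(flow)
    return {"dport": flow.dport, "by_port": by_port,
            "by_payload": by_payload, "evasive": by_port != by_payload}


# Constructed sample sessions: each hides an application behind a port a
# port-based firewall would typically leave open.
SAMPLE_FLOWS = [
    Flow(443, b"SSH-2.0-OpenSSH_8.9\r\n"),                             # SSH over 443
    Flow(80, bytes.fromhex("160301009d010000990303") + b"\x00" * 16),  # TLS ClientHello on 80
    Flow(8080, b"GET /home.php HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"),
    Flow(80, b"\x13BitTorrent protocol" + b"\x00" * 8 + b"X" * 40),    # P2P on 80
    Flow(80, b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(compare(f))
```

Four of the five constructed sessions produce a mismatch; only the plain intranet request on port 80 is what its port claims. A positive security model built on `identify_by_port` would allow "ssl" on 443 and thereby admit the SSH session, which is exactly the gap the text describes.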
User-based Policy Control

The identity of the application can be mapped to specific users with User-ID, a technology that integrates Palo Alto Networks firewalls with enterprise directory services (Active Directory, Exchange, LDAP, eDirectory, Citrix and Microsoft Terminal Services, and an XML API). With User-ID, administrators can see exactly who is using an application and, as needed, enable a policy to allow (whitelist), deny (blacklist), shape, inspect, schedule, decrypt and more. Immediate knowledge of which applications are traversing the network, who is using them, and the potential security risk lets administrators determine the appropriate response quickly. Armed with these data points, administrators can apply policies with a range of responses that are more fine-grained than allow or deny. Examples include:

• Enable only the IT group to use a fixed set of management applications such as SSH, telnet and RDP.
• Block bad applications such as P2P file sharing, circumventors and external proxies.
• Define and enforce an organisation-wide policy that allows and inspects specific webmail and instant messaging usage.
• Control the file transfer functionality within an individual application, allowing use of the application yet preventing file transfer.
• Identify and block applications using port 80 or 443 that provide anonymous access to the Internet or evade traditional firewalls, such as UltraSurf, Tor and CGIProxy.
• Identify and control the transfer of sensitive information such as credit card numbers or social security numbers, either in text or file format.
• Deploy URL filtering policies that block access to obvious non-work related sites, monitor questionable sites, and "coach" access to others.
• Implement QoS policies to allow media and other bandwidth-intensive applications but limit their impact on business-critical applications.
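The user-based examples above, and the URL-category examples in the mitigation table at the end of this paper, all reduce to one mechanism: an ordered list of rules matched on user group, application, application sub-function, URL category and file type, with an implicit deny when nothing matches. The following Python is an added illustration written for this edit, not Palo Alto Networks code and not PAN-OS configuration syntax; the directory, group names, application and category names, rule names and sessions are all constructed for the example.

```python
"""First-match positive security policy: allow what is listed, deny the rest.

Added example, not Palo Alto Networks code and not PAN-OS rule syntax. It
models the rule shapes the paper describes: User-ID group, App-ID
application, application sub-function, URL category and file type as match
criteria, with SSL decryption as a per-rule option. Directory, rules and
sessions are all constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Session:
    user: str                          # from the User-ID mapping
    app: str                           # from App-ID, not from the port
    function: Optional[str] = None     # sub-function, e.g. "file-transfer"
    url_category: Optional[str] = None
    file_type: Optional[str] = None


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                  # "allow" or "deny"
    groups: frozenset = frozenset()              # empty = any user
    apps: frozenset = frozenset()                # empty = any application
    functions: frozenset = frozenset()
    url_categories: frozenset = frozenset()
    file_types: frozenset = frozenset()
    decrypt: bool = False                        # decrypt and inspect allowed SSL

    def matches(self, s: Session, user_groups: frozenset) -> bool:
        """Every populated criterion must match; an empty criterion matches anything."""
        if self.groups and not (self.groups & user_groups):
            return False
        if self.apps and s.app not in self.apps:
            return False
        if self.functions and s.function not in self.functions:
            return False
        if self.url_categories and s.url_category not in self.url_categories:
            return False
        if self.file_types and s.file_type not in self.file_types:
            return False
        return True


# Constructed directory: user -> groups (a user may belong to several).
DIRECTORY = {
    "alice": frozenset({"it"}),
    "bob": frozenset({"staff"}),
    "carol": frozenset({"staff", "security"}),
}

# Ordered: each exception sits above the general rule it carves out of.
RULES = [
    Rule("security-research", "allow", groups=frozenset({"security"}),
         url_categories=frozenset({"hacking", "malware"}), decrypt=True),
    Rule("block-hacking-malware", "deny",
         url_categories=frozenset({"hacking", "malware"})),
    Rule("it-management", "allow", groups=frozenset({"it"}),
         apps=frozenset({"ssh", "telnet", "ms-rdp"})),
    Rule("block-evasion", "deny",
         apps=frozenset({"bittorrent", "ultrasurf", "tor", "cgiproxy"})),
    Rule("webmail-no-file-transfer", "deny", apps=frozenset({"gmail"}),
         functions=frozenset({"file-transfer"})),
    Rule("webmail", "allow", apps=frozenset({"gmail"}), decrypt=True),
    Rule("no-exe-from-unknown", "deny", url_categories=frozenset({"unknown"}),
         file_types=frozenset({"exe"})),
    Rule("finance-shopping-private", "allow", apps=frozenset({"ssl"}),
         url_categories=frozenset({"finance", "shopping"}), decrypt=False),
    Rule("general-web", "allow", apps=frozenset({"web-browsing", "ssl"}),
         url_categories=frozenset({"business", "unknown", "streaming-media"}),
         decrypt=True),
]


def evaluate(s: Session, rules=RULES, directory=DIRECTORY) -> dict:
    """First matching rule wins; no match falls through to the implicit deny."""
    groups = directory.get(s.user, frozenset())   # unknown user: no groups
    for r in rules:
        if r.matches(s, groups):
            return {"rule": r.name, "action": r.action, "decrypt": r.decrypt}
    return {"rule": "default-deny", "action": "deny", "decrypt": False}


if __name__ == "__main__":
    for s in [Session("alice", "ssh"), Session("bob", "ssh"),
              Session("bob", "gmail", function="file-transfer"),
              Session("carol", "web-browsing", url_category="hacking"),
              Session("bob", "unknown-tcp")]:
        print(s, "->", evaluate(s))
```

Two design points carry over to a real rulebase. First, order matters: the security group's exception has to precede the organisation-wide deny for hacking and malware categories, otherwise the deny matches first and the exception is dead. Second, "unknown-tcp" from an unidentified user never appears in any allow rule, so it reaches the implicit deny; that fall-through is the positive security model, and an explicit deny rule such as "block-evasion" exists only so that the traffic is logged under a meaningful name.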
Palo Alto Networks next-generation firewalls enable customers to deploy application usage policies that block certain applications, allow specific applications, and inspect, shape and schedule their use. This level of control at the network layer is a perfect complement to application whitelisting performed at the endpoint.

[Figure: Unified Policy Editor. A familiar look and feel enables the rapid creation and deployment of policies that control applications, users and content.]

Defence in Depth: Application Whitelisting + Next-Generation Firewalls

By mandating application whitelisting as a top priority in protecting against cyber intrusions, the Australian Signals Directorate has acknowledged that application control is a critical component of an agency's cyber security posture. Taking a complementary, defence-in-depth approach, Palo Alto Networks next-generation firewalls can help agencies add a layer of security at the network level by identifying and controlling applications using positive control model security rules.

The Last Line of Defence: Next-Generation Endpoint Protection

The endpoint represents the last line of defence.
Even with application whitelisting enforced, most endpoints run a large number of applications, some of which have bugs or unknown zero-day vulnerabilities that could be triggered as part of an exploitation attempt. We estimate that as many as 5,000 new software vulnerabilities emerge each year. The problem agencies face in defending against zero-day attacks is that traditional solutions rely on prior knowledge or behaviour analysis to detect them, and so cannot prevent zero-day attacks, which by definition are unknown. In addition, adversaries can craft an endless number of fully undetectable malware samples, making it impossible to become intimately familiar with every potential threat. This is why we shifted our focus to the exploit delivery phase of the attack.

Your adversaries, whether nation-state, espionage-oriented, activist group or black hat hacker, share one commonality: they must use the same core exploit techniques to execute their attack. If an attacker's critical path for exploitation is known, even when the vulnerability used or the malware to be delivered is not, the attack can be prevented before any malicious activity executes. Only a few new exploitation techniques are published or used in the wild every few years. For example, the state-of-the-art Stuxnet attack featured several new zero-day exploits, yet it was based entirely on known exploitation techniques. By addressing the exploit techniques required to execute an attack, Palo Alto Networks has built modules that mitigate and interfere with the attacker's exploit techniques. Since an exploit is built from a chain of techniques, preventing the use of any technique in the chain blocks the exploitation attempt and the malware delivery entirely.
This fundamentally different approach has enabled Palo Alto Networks to offer a future-proof solution, the EP Series, that can prevent both known and unknown attacks regardless of the state of security patches or updates on the system. The EP Series raises the bar on security by creating a new category of preventive cyber defence that did not exist until now.

With the EP Series installed on the endpoint, proprietary mitigation modules are injected directly into every process a user launches. The process continues to run as intended, with the modules protecting it, and the endpoint, from exploitation attempts. Only when an exploit attempt is made does the EP Series activate the injected traps to block the finite set of exploit techniques the attacker must use, so the exploit is prevented and the malware is never delivered. When the EP Series blocks an exploitation attempt, a real-time snapshot of the process memory is taken, detailing the attack source and the vectors used. This forensic data is sent to the management centre, sharing information between network and endpoint and contributing to a broader threat intelligence picture.

In addition to its proprietary exploit prevention methods, the EP Series protects against attacks that rely on executing malicious executable files. This component provides the administrator with a flexible, granular policy engine to enforce rules that prevent social engineering attacks from endangering the organisation.

Top 35 Mitigation Steps – Where Palo Alto Networks Can Help

Mitigation strategy: Automated dynamic analysis of email and web content run in a sandbox to detect suspicious behaviour including network traffic, new or modified files, or configuration changes.

How Palo Alto Networks can help: Palo Alto Networks' WildFire identifies unknown malware, zero-day exploits and Advanced Persistent Threats (APTs) by executing them in a scalable virtual sandbox environment. For government customers, and others who for privacy or regulatory reasons cannot send information to the Palo Alto Networks Threat Intelligence Cloud, WildFire can be deployed as a private cloud on a single WF-500 appliance. The WildFire architecture is designed to analyse large volumes of potentially malicious content: the virtual malware analysis environment is shared across all firewalls, rather than deploying single-use hardware at every ingress/egress point and network point of presence, which maximises sharing of threat information while minimising hardware requirements. When an unknown threat is discovered, WildFire automatically generates protections to block it across the cyber kill chain, sharing these updates with all subscribers worldwide in as little as 15 minutes. These updates stop rapidly spreading malware and identify and block future variants without additional action or analysis. Alongside protection from malicious and exploitive files, WildFire analysis also examines malicious outbound communication, disrupting command-and-control activity with anti-C2 signatures and DNS-based callback signatures. The information is also fed into PAN-DB, where newly discovered malicious URLs are automatically blocked. This correlation of data and in-line protection is key to identifying and blocking ongoing intrusions as well as future attacks. Extending the next-generation firewall platform that natively classifies all traffic across hundreds of applications, WildFire applies its analysis regardless of port or encryption, with full visibility into web traffic, email protocols (SMTP, IMAP, POP), FTP and SMB.

Mitigation strategy: Operating system generic exploit mitigation mechanisms, e.g. Data Execution Prevention (DEP), Address Space Layout Randomisation (ASLR) and Enhanced Mitigation Experience Toolkit (EMET).

How Palo Alto Networks can help: Palo Alto Networks next-generation endpoint protection provides exploit mitigation and malware prevention through its proprietary exploit mitigation technology. The EP Series can prevent the following attack vectors:
• Memory corruption based exploits
• Logic flaw based exploits (including Java exploits)
• An executable spawning a malicious child process
• DLL hijacking
• Hijacking program control flow
• Execution of malware from local folders commonly utilised by attackers
• Execution from network shares, external storage devices and optical drives
• Execution of embedded exe files

Mitigation strategies: Network segmentation and segregation into security zones to protect sensitive information and critical services such as user authentication by Microsoft Active Directory. Software-based application firewall, blocking incoming network traffic that is malicious or otherwise unauthorised, and denying network traffic by default. Software-based application firewall, blocking outgoing network traffic that is not generated by whitelisted applications, and denying network traffic by default.

How Palo Alto Networks can help: Using a security zone-based architecture, organisations can isolate restricted data behind firewall rules that segment the network to provide added levels of network security. For purposes of definition, a security zone is a logical container comprised of physical interfaces, VLANs and IP addresses. Using zones, organisations can:
• Control exactly which applications are accessing the data, forcing them over standard ports.
• Validate which users are accessing the data, and the associated applications.
• Find and stop the use of rogue or misconfigured applications.
• Identify and block a wide range of threats without degrading network performance.
Through its integration with VMware's NSX network virtualisation platform, Palo Alto Networks VM-Series virtual firewalls identify, control and safely enable applications between virtual servers within the data centre. This provides application whitelisting and segmentation of servers at the hypervisor level. Additionally, full Threat Prevention features can be applied to the traffic, including IPS, AV, anti-spyware/C2 and anti-malware. The NSX integration enables the VM-Series to be deployed automatically within every VMware ESXi server.

Mitigation strategy: Email content filtering allowing only business-related attachment types. Preferably analyse/convert/sanitise links, PDF and Microsoft Office attachments.

How Palo Alto Networks can help: In addition to Microsoft Exchange, Palo Alto Networks identifies 66 other email applications that can be used in firewall security policies. For those email applications that are allowed, organisations can also identify and control 50+ file types such as .doc, .docx and PDF.

Mitigation strategies: Web content filtering of incoming and outgoing traffic, whitelisting allowed types of web content and using behavioural analysis, cloud-based reputation ratings, heuristics and signatures. Web domain whitelisting for all domains, since this approach is more proactive and thorough than blacklisting a tiny percentage of malicious domains.

How Palo Alto Networks can help: As a complement to the application visibility and control enabled by App-ID, URL categories can be used as match criteria in policies. Instead of creating policies limited to either allowing all or blocking all behaviour, URL category as a match criterion allows for exception-based behaviour, giving more flexibility together with more granular enforcement. Examples of how URL categories can be used in policies include:
• Identify and allow exceptions to general security policies for users who may belong to multiple groups within Active Directory (e.g., deny access to malware and hacking sites for all users, yet allow access to users who belong to the security group).
• Allow access to the streaming media category, but apply QoS to control bandwidth consumption.
• Prevent file download/upload for URL categories that represent higher risk (e.g., allow access to unknown sites, but prevent upload/download of executable files from unknown sites to limit malware propagation).
• Apply SSL decryption policies that allow encrypted access to finance and shopping categories but decrypt and inspect traffic to all other URL categories.

Mitigation strategy: Deny direct internet access from workstations by using an IPv6-capable firewall to force traffic through a split DNS server, an email server or an authenticated web proxy server.

How Palo Alto Networks can help: Palo Alto Networks fully supports IPv6, including IPv6 dynamic routing protocols.

Mitigation strategy: Restrict access to Server Message Block (SMB) and NetBIOS services running on workstations and on servers where possible.

How Palo Alto Networks can help: Using next-generation application-based firewall security policies, access to SMB and NetBIOS can be controlled by user or user group at the network level, regardless of port.

Copyright ©2014, Palo Alto Networks, Inc. All rights reserved. Palo Alto Networks, the Palo Alto Networks Logo, PAN-OS, App-ID and Panorama are trademarks of Palo Alto Networks, Inc. All specifications are subject to change without notice. Palo Alto Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Palo Alto Networks, Inc., 4401 Great America Parkway, Santa Clara, CA 95054. Main: +1.408.753.4000. Sales: +1.866.320.4788.
Palo Alto Networks • Execution of to embedded exe files Support:+1.866.898.9087 reserves the right to change, modify, transfer, or otherwise revise this publication www.paloaltonetworks.com Network segmentation and segregation into security zones to protect sensitive information and critical services such as user authentication by Microsoft Active Directory. without notice. PAN_WP_ASD-Top35_091614 Using a security zone-based architecture, organisations can isolate restricted data behind firewall rules that will segment the network to provide added levels of network security. For purposes of definition, a security zone is a logical container comprised of physical interfaces, VLANS
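The URL-category policy examples in the web content filtering row above combine URL category, user group and file type as match criteria. The following is an added illustration (my own example, not Palo Alto Networks' product code) with a constructed rulebase and hypothetical rule names: it evaluates rules top-down with the first match winning, the PAN-OS security policy model, and shows that the security-group exception only takes effect when it sits above the general deny it carves out of.

```python
"""Added example, not Palo Alto Networks' code: a first-match policy evaluator
showing URL category, user group and file type combined as match criteria."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                  # "allow" or "deny"
    url_categories: frozenset = frozenset()      # empty = any category
    user_groups: frozenset = frozenset()         # empty = any user
    block_file_types: frozenset = frozenset()    # blocked even when rule allows


@dataclass(frozen=True)
class Request:
    user_groups: frozenset
    url_category: str
    file_type: str = ""                          # "" when no file is transferred


def evaluate(rules, req):
    """Rules are checked top-down and the first match wins (PAN-OS semantics)."""
    for r in rules:
        if r.url_categories and req.url_category not in r.url_categories:
            continue
        if r.user_groups and not (r.user_groups & req.user_groups):
            continue
        if r.action == "allow" and req.file_type in r.block_file_types:
            return "deny-file", r.name           # session allowed, file blocked
        return r.action, r.name
    return "deny", "default"                     # implicit deny-all at the end


# Constructed rulebase mirroring the page's examples (hypothetical rule names).
# The security-team exception sits ABOVE the general deny so it is reached first.
POLICY = (
    Rule("sec-team-research", "allow", frozenset({"malware", "hacking"}), frozenset({"security"})),
    Rule("block-risky-categories", "deny", frozenset({"malware", "hacking"})),
    Rule("unknown-no-exe", "allow", frozenset({"unknown"}), block_file_types=frozenset({"exe"})),
    Rule("general-web", "allow"),
)

# Same rules with the exception listed below the general deny: it is now shadowed.
MISORDERED = (POLICY[1], POLICY[0]) + POLICY[2:]


def decide(user_groups, url_category, file_type="", rules=POLICY):
    return evaluate(rules, Request(frozenset(user_groups), url_category, file_type))


if __name__ == "__main__":
    print(decide({"security"}, "hacking"))                    # ('allow', 'sec-team-research')
    print(decide({"security"}, "hacking", rules=MISORDERED))  # ('deny', 'block-risky-categories')
```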