SECURING YOUR MICROSOFT ENVIRONMENT


From the Network to the Cloud to the Endpoint

Your business relies on a Microsoft infrastructure that stretches from your network to the cloud to endpoints located around the world. In many ways, the success of your business relies on how secure your Microsoft infrastructure is. Your users do not care where the applications and data reside; they only care about getting their job done. SharePoint, Skype for Business or Active Directory deployed on the network, in Azure or as part of your Office 365 subscription should have no impact on the success of your business. Attackers do not care where your applications and data reside, either. Their attack patterns are the same: gain access to the network, oftentimes by compromising an endpoint, mobile or otherwise. Once on the network, their goal may be to steal customer data, use your network to mine Bitcoin or become part of a botnet. The challenge your organization faces is how best to protect your highly distributed Microsoft infrastructure from cyberattacks.

Palo Alto Networks Securing Your Microsoft Environment White Paper

Contents

- Prevention or Acceptance and Remediation?
  - Hiding in Plain Sight
  - Whac-A-Mole Security
- A Platform Approach to Prevention
  - Native Integration
  - Platform Components
- A Platform Approach for Microsoft Environments
- Prevention for the Network
  - Identification and Control
  - Prevent Known and Unknown Threats
  - Consistent Security for All Locations and Users
- Prevention in Azure
  - Controlling Access to Your Azure Deployment
  - Segmentation for Improved Security and Compliance
  - Automated Deployments and Streamlined Management
- Prevention for Office 365
  - Visibility Into SaaS Usage on the Network
  - Control SaaS Application Usage
  - Prevent Malware Insertion and Data Loss
- Prevention for Endpoints and Servers
  - Multi-Method Malware Prevention
  - Multi-Method Exploit Prevention
  - Automating Prevention With the Next-Generation Security Platform
  - Extend Network Security Policies to the Endpoint
- Summary

Prevention or Acceptance and Remediation?

It seems that nary a day goes by that we do not hear about a security breach resulting in the loss of data, exposure of user information and massive damage to a company's reputation. According to the Breach Level Index, dating back to 2013, roughly 4.8 billion records have been lost through a variety of attack techniques. For some, this staggering statistic has led to a shift away from an attack-prevention mentality to one of acceptance, in which attackers have won and the focus is on attack remediation and recovery from the damage inflicted. The basis for an acceptance-and-remediation mentality may be explained not only by the volume of security incidents reported publicly but also by the interconnected and distributed nature of IT infrastructure.

[Image 1: Your threat footprint spans the network, the cloud and the endpoint]

The greater the distribution of your applications, the greater the exposure and the greater the challenge to protect it. Your application workloads may be running in Azure, or perhaps you're using Office 365. Your data is distributed between on-premises and cloud resources. Remote users may be accessing applications from a Windows-based phone, tablet or laptop. Further increasing your exposure is how business applications operate on your network. Microsoft Skype for Business, SharePoint and Active Directory can be deployed on premises, in the cloud or as a service, each using a wide range of contiguous ports including TCP/80, TCP/443 and a range of high-numbered ports. The more ports that are opened on your network, even for business purposes, the greater your risk footprint becomes.

Hiding in Plain Sight

Attackers are taking full advantage of your highly distributed Microsoft infrastructure, executing their attacks in relatively consistent patterns. Initially, attackers compromise a user to gain access to your network. The compromise may be spear phishing, a drive-by download or other means. The attack may or may not target specific Microsoft-based applications or resources. The attack mechanism or the endpoint device does not matter; the goal is to gain access to the network. Once on the network, attackers hide in plain sight, using common applications, such as DNS, SSH and HTTP, to conceal their activities. As an example, the Wekby Group, a group well-known for launching zero-day attacks using newly announced application vulnerabilities, recently kicked off the Pisloader attack. Using web compromise or spear phishing to infect an endpoint and subsequently gain access to the network, the Pisloader attack then used DNS on its standard port (TCP/53) for command-and-control traffic. This meant that, no matter how tightly the ports were locked down, the Pisloader C&C passed through the open DNS port looking just like normal traffic. Every network, virtualized or otherwise, uses DNS.

Whac-A-Mole Security

History has shown that, when a significant security risk arises, a point solution is applied to address it. Playfully termed a Whac-A-Mole approach, this methodology of solving a security problem is limited in many different ways:

- Lacks application awareness: Application developers have long moved past the port-and-protocol development methodology to an approach in which the port or ports used are chosen for ease of application access. In many cases, business-critical applications flow across TCP/80 and TCP/443 alongside common web traffic. Microsoft SharePoint and Skype for Business are two perfect examples of applications that fit this mold. Both applications use a wide range of ports, increasing the threat footprint.
- No shared context: With point solutions, the contextual knowledge needed to perform a risk assessment, make an informed policy decision or investigate an incident is non-existent. Information on the threat, the application vector it may have used, whether it was on its standard port, and the associated user all become valuable tools in the lifecycle of security management.

- Limited feedback mechanisms: Point products lacking integration and the ability to share context are unable to dynamically ingest feedback as a means of improving the features needed to strengthen the security posture.

Clearly the Whac-A-Mole approach to protecting digital assets is no longer effective. A new approach is needed to protect an organization's digital way of life, one that is platform-based yet supports your prevention efforts, from the network to the cloud to the endpoint.

A Platform Approach to Prevention

The Palo Alto Networks Next-Generation Security Platform approach to prevention begins with visibility into the applications in use on your network, in the cloud and SaaS environments, and on the endpoints. Knowing which applications are in use, and by whom, gives you the power to make more informed security decisions and, more importantly, to begin reducing your attack surface area by enabling business applications based on user identity, allowing access only when two-factor authentication is in use. By definition, application enablement is based on a positive-control security model, which means unsanctioned or unwanted applications are implicitly denied, thereby reducing the attack surface area.

[Image 2: A prevention approach to protecting your Microsoft applications. Complete visibility (network and endpoint views; all applications, including cloud and SaaS; all users and devices, including all locations; encrypted traffic); reduce attack surface area (enable business apps, block bad apps, limit app functions, limit high-risk websites and content, require multi-factor authentication); prevent all known threats (exploits, malware, command and control, malicious and phishing websites, bad domains); detect and prevent new threats (unknown malware, zero-day exploits, custom attack behavior)]

Complementing the application control and threat prevention capabilities is a URL filtering solution that categorizes URLs based on their content at the domain, file and page level and is dynamically updated based on new contextual information collected by the threat intelligence cloud. To protect enabled applications, threat prevention policies can be applied to specific flows, inspecting and blocking known attacks (e.g., vulnerability exploits, command and control, viruses and malware). A final, yet critical, piece of our platform approach is to make unknown attacks, whether on the network, in the cloud or on the endpoint, known through a range of detection and analysis techniques that result in the dynamic creation and delivery of new protection mechanisms.

Native Integration

The immediate impact of our security platform can be seen in our ability to help you reduce your attack surface area and improve your security posture. Each element of our platform is natively integrated, sharing contextual information on the attack, the application it may have used and the victim. Information learned about the attack is used to continually improve each of the prevention elements in a dynamic and automated manner, making it increasingly difficult for cybercriminals to execute a successful attack. Native integration is key to delivering consistent security capabilities to all users, applications and locations, from the network to the cloud to the endpoint.

Platform Components

The Palo Alto Networks Next-Generation Security Platform reduces your threat exposure by controlling sanctioned and unsanctioned application flows, preventing known and unknown threats within allowed traffic and on the endpoints, and continually strengthening prevention efforts based on ongoing threat analysis. The security technologies that power our Next-Generation Security Platform include:

- Next-Generation Firewall: Delivered as either a hardware appliance or a virtualized instance for both public and private cloud deployment, the Next-Generation Firewall natively inspects all traffic, inclusive of applications, threats and content, then ties that traffic to the user, regardless of location or device type. The application, content and user, the elements that run your business, then become integral components of your enterprise security policy. The result is the ability to align security with key business initiatives. Mobile device protection enforces a consistent security posture for all users and all devices, regardless of location.
- Threat Intelligence Cloud: This provides centralized intelligence capabilities and automated delivery of cyberattack preventive measures that can eliminate new and previously unknown threats within 300 seconds from attacks on the network, cloud and endpoint. The threat intelligence cloud also extends to securely enable SaaS applications with policies that control access and prevent threats and data loss.

- Advanced Endpoint Protection: This replaces traditional antivirus with true prevention by preemptively blocking malware and exploits, including zero-day threats, before they compromise endpoints.

The Next-Generation Security Platform empowers organizations to adopt a prevention-first security posture that protects their network and digital assets from cyberattacks.

[Image 3: Palo Alto Networks Next-Generation Security Platform components: complete visibility, reduce attack surface, prevent known threats and prevent unknown threats, across cloud, network and endpoint]

A Platform Approach for Microsoft Environments

With prevention capabilities that span the network, the cloud, including Azure and Office 365, and the endpoint, the Palo Alto Networks Next-Generation Security Platform is well-suited to protect Microsoft-centric environments. On the network, both physical and virtualized form factors can be deployed and extended into the cloud to protect Azure workloads and Office 365 environments. Advanced endpoint protection can be deployed on Windows endpoints to prevent attacks from compromising the end user and, eventually, your network.

Prevention for the Network

On the network, in either a physical appliance or a virtualized form factor deployed in Hyper-V, our next-generation firewall allows you to safely enable Microsoft applications while eliminating risky and unsanctioned applications and preventing both known and unknown attacks.

Identification and Control

Our firewall natively applies multiple classification mechanisms to the traffic stream to identify applications, threats and malware. The application, the content within, and the user can all be used as the basis for your security policy. All traffic is classified, regardless of port, encryption (SSL or SSH) or evasive technique employed. Unidentified applications, typically a small percentage of traffic yet high in potential risk, are automatically categorized for systematic management. Identified applications include a wide range of Microsoft applications, such as Office 365 (including SharePoint and OneDrive), Microsoft Lync, Skype for Business, Windows Update, Xbox Live, Microsoft Exchange and SQL Server traffic. In many cases, individual application functions are identified and can be used for policy control. For example, SharePoint Docs, Admin and Blog can all be enabled individually for different groups of users within Active Directory.

[Image 4: Application control based on users (e.g., app developers, all users, marketing) improves your security posture]

With SharePoint as the basis of your security policy, as opposed to the wide range of ports commonly used by SharePoint, your attack footprint is reduced dramatically to only the SharePoint applications and the required supporting elements, such as DNS and NetBIOS. The result is an improved security posture and a reduction in administrative effort. To improve your security posture and reduce incident-response times, it's critical to map application usage to user and device type and to apply that context to your security policies. Integration with a wide range of enterprise user repositories provides the identity of the user and device accessing the application, including Microsoft Windows PCs and handheld devices. The combined visibility and control over both users and devices means you can safely enable the use of any application traversing your network, no matter where the user is or what type of device is being used.

Prevent Known and Unknown Threats

A key element of enabling your Microsoft applications is preventing both known and unknown threats within the individual application flows. Intrusion prevention system (IPS) features block network- and application-layer vulnerability exploits, buffer overflows, DoS attacks and port scans. Antivirus/anti-spyware protection blocks millions of malware variants, including those hidden within compressed files or web traffic (compressed HTTP/HTTPS), as well as known PDF viruses. For traffic encrypted with SSL, you can selectively apply policy-based decryption and then inspect the traffic for threats, regardless of port. Unknown or targeted malware (e.g., advanced persistent threats) hidden within PE, Office, PDF or Android APK files can be identified and executed by the WildFire cloud-based threat analysis service, which directly observes and executes unknown files in a virtualized sandbox environment across multiple operating systems and application versions. WildFire monitors more than 420 malicious behaviors and, if malware is found, a signature is automatically developed and delivered to all WildFire users globally in as little as five minutes. To help eliminate spear phishing attacks, WildFire can analyze links in email and block the delivery of malicious files.

[Image 5: Prevent unknown threats, improve all protection mechanisms: unknown threats are sent to WildFire in the Threat Intelligence Cloud, and protection is delivered back]

As WildFire detects and prevents unknown attacks, the value of a natively integrated platform comes to light. The information collected from the behavioral techniques observed by WildFire is fed back into the Threat Prevention engine in the form of new or updated signatures, which are then delivered to all users via scheduled content updates. Malicious URLs that were used as part of the attack are fed into the URL filtering database to improve its threat prevention capabilities for all users.

Consistent Security for All Locations and Users

Our next-generation firewall is available either as a purpose-built hardware platform that scales from an enterprise branch office to a high-speed data center or in a virtualized form factor to support your cloud-based computing initiatives. This provides your data and assets with consistent protection, no matter where they are located. Your security policies can be extended to control which devices can access particular applications and network resources. For example, ensure that laptops are compliant with the corporate image before allowing access to the data center, or check that a mobile device is up to date, corporate-owned and fully patched before it accesses sensitive data. The end result is that your security policy extends from your organizational boundary to wherever your users and devices are located.

Prevention in Azure

Complementing native Azure security services, our next-generation firewall can be deployed from the Azure Marketplace with a bring-your-own-license or a pay-as-you-go subscription. In either case, the end goal is to protect your workloads and data deployed in Azure with the same next-generation firewall and advanced threat prevention features that are available in our security appliances.

Controlling Access to Your Azure Deployment

Most organizations integrate Azure into their IT infrastructure using a hybrid approach that extends their corporate network into Azure via a secure connection, such as an IPsec VPN. This allows Azure to become an active application deployment environment that expands and contracts as needed. Typical Azure deployments have fewer applications than a physical network, but because attackers do not care where the applications and data reside, equal or greater effort should be made to protect your Azure deployments. To that end, visibility into, and control over, the applications and users moving across the secure link is of paramount importance. A common use case for Azure is new application development, which means a range of development tools and users are accessing the environment. To simplify deciding which tools are available to whom, policies can be set that grant access to the different environments based on user credentials and need. If warranted, two-factor authentication can also be required. As users move from project to project, their user credentials in Active Directory can be moved from group to group. For example, the Dev group has full access to the Dev VNET, while only IT admins have RDP/SSH access to the production VNET. This limits the attack footprint based not only on applications but also on users, thereby improving your security posture.

[Image 6: Securely expand your data center into Azure: VM-Series firewalls in Azure, connected to WildFire and the Threat Intelligence Cloud]

As more workloads are deployed in Azure, funneling the commercial application update process through the corporate connection and then back out to the vendor for updates may become cumbersome and costly. An alternative approach is to implement internet gateway security policies that allow the workloads to reach out only to very specific websites and internet resources for their regularly scheduled updates. This maintains strict control over the applications moving in and out of your Azure environment.

Segmentation for Improved Security and Compliance

Today's cyberthreats commonly compromise an individual workstation or user and then move laterally to find their target, regardless of where it is deployed. Just as in a physical data center, segmentation in Azure can be used to improve security by establishing application-based policies that force each application to operate on its default ports, implicitly enforcing the "deny all else" premise that a firewall is based upon, thereby reducing the attack surface area. When combined with Active Directory integration, your segmentation policies can grant workload access based on user identity and business need. From a compliance perspective, segmentation policies allow you to control which applications are communicating with each other across different subnets and between VNETs while keeping them separate from your data sources. Some examples of segmentation policies might include:

- Validate that SharePoint is in use, forcing it over its standard ports and implicitly blocking any other applications from being used.

- Limit access to the Microsoft SQL database to the SharePoint application itself, implicitly blocking the web front end from connecting to the database while blocking attacks specifically targeting SQL databases.
- Grant the finance group access to the SQL database that houses the credit card information.
- Allow marketing users, based on their user-group membership, to access only SharePoint documents and no other features.
- Enable only the IT group to use SharePoint Admin while inspecting that traffic with application-specific threat prevention policies.

Just as in a physical data center, segmentation policies in Azure can be used to improve security by establishing application-based policies that include threat prevention, not only to stop attacks from gaining access to your workloads but also to block them from moving laterally from workload to workload.

Automated Deployments and Streamlined Management

A key benefit of cloud computing is the ability to be more agile, responding quickly with feature updates or entirely new application deployments. Security, in some cases, can become a bottleneck because, as an industry best practice, policy updates are typically a controlled process. Automation in the form of bootstrapping and dynamic policy updates can help alleviate the bottlenecks, ensuring security keeps pace with the business. Bootstrapping is a standard next-generation firewall feature that enables users to create a bootstrap image that includes a fully configured firewall, including licenses, policy settings and connections to Panorama network security management. The bootstrap file is stored in Azure, where it can then be accessed for rapid deployment by administrators or via scripting. With bootstrapping, security can keep pace with the business.

[Image 7: Automating fully configured firewall deployments: a bootstrap package (firewall configuration, security policies, BYOL licenses, software updates, dynamic content) on an Azure data disk brings up VM-Series firewalls that attach to a Panorama device group]

In both physical data centers and in Azure, you are challenged with managing the changes that may occur between compute workload additions, removals or modifications and how quickly a security policy can be updated. To help minimize these delays, our next-generation firewall provides a rich set of native management features that streamline policy deployment so that security can keep pace with the changes in your compute workloads. An XML API allows our next-generation firewall to consume changes in workloads and dynamically feed those changes into the security policy, eliminating a potential firewall change-control bottleneck. Panorama allows you to centrally manage all of your Palo Alto Networks Next-Generation Firewall deployments in both the physical and virtual form factors, thereby ensuring policy consistency and cohesiveness. Panorama allows you to manage all aspects of our next-generation firewall, including:

- Policy deployment, including security, NAT, QoS, policy-based forwarding, decryption, application override, captive portal and DoS protection.
- Shared policies that leverage pre- and post-rules deployed by the Panorama administrators to enforce shared policies while allowing local policy editing. Rules in between the pre- and post-rules can be edited locally or by a Panorama administrator.
- Software and content updates (applications, threats, antivirus, WildFire) and licenses, which can be managed across all deployed instances from a central location.
- Aggregate logging and reporting across dynamically or locally queried data gathered from all managed firewalls.

Using the same look and feel as the individual device management interface, Panorama eliminates any learning curve associated with switching from one user interface to another.
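The "XML API feeds workload changes into the security policy" mechanism above, as an added example that is not part of the white paper or any Palo Alto Networks code: a script builds the User-ID API message that tags the IP addresses of newly deployed (or retired) Azure workloads, so a dynamic address group referenced by a security rule picks them up without a rule edit. The message layout and the endpoint (https://<host>/api/ with type=user-id, key and cmd) follow the PAN-OS User-ID XML API as the author understands it; the hostname, API key placeholder, IP addresses and tag names are constructed values.

```python
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, Optional, Tuple


def build_uid_message(register: Dict[str, Iterable[str]],
                      unregister: Optional[Dict[str, Iterable[str]]] = None) -> str:
    """Build a <uid-message> that registers and/or unregisters tags for IP addresses.

    A security rule whose source or destination is a dynamic address group
    matching on one of these tags starts (or stops) covering the workload as
    soon as the firewall accepts the update; the rule itself is not edited."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    for action, mappings in (("register", register), ("unregister", unregister or {})):
        if not mappings:
            continue
        section = ET.SubElement(payload, action)
        for ip, tags in mappings.items():
            entry = ET.SubElement(section, "entry", ip=ip)
            tag_list = ET.SubElement(entry, "tag")
            for tag in tags:
                ET.SubElement(tag_list, "member").text = tag
    return ET.tostring(root, encoding="unicode")


def parse_uid_message(xml_text: str) -> Dict[str, Dict[str, Tuple[str, ...]]]:
    """Inverse of build_uid_message; useful for reviewing what a script is about to send."""
    root = ET.fromstring(xml_text)
    result: Dict[str, Dict[str, Tuple[str, ...]]] = {}
    for action in ("register", "unregister"):
        section = root.find(f"./payload/{action}")
        if section is None:
            continue
        result[action] = {
            entry.get("ip"): tuple(m.text for m in entry.iter("member"))
            for entry in section.findall("entry")
        }
    return result


def send_uid_message(firewall_host: str, api_key: str, message: str,
                     timeout: float = 10.0) -> bool:
    """POST the message to the firewall's User-ID API endpoint; True on success.

    Assumed endpoint and parameters: https://<host>/api/ with type=user-id,
    key=<API key> and the XML in the cmd form field. TLS verification is left
    at the interpreter's default, so the firewall needs a trusted certificate."""
    url = f"https://{firewall_host}/api/"
    body = urllib.parse.urlencode(
        {"type": "user-id", "key": api_key, "cmd": message}).encode()
    request = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(request, timeout=timeout) as response:
        reply = ET.fromstring(response.read())
    return reply.get("status") == "success"


# Constructed sample: two new SharePoint web front ends came up in the Azure
# dev VNET, and one retired instance should drop out of the group.
SAMPLE_REGISTER = {
    "10.1.20.11": ["az-dev", "sharepoint-web"],
    "10.1.20.12": ["az-dev", "sharepoint-web"],
}
SAMPLE_UNREGISTER = {"10.1.20.9": ["sharepoint-web"]}


def sample_message() -> str:
    return build_uid_message(SAMPLE_REGISTER, SAMPLE_UNREGISTER)


if __name__ == "__main__":
    print(sample_message())
    # send_uid_message("fw.example.internal", "API_KEY_PLACEHOLDER", sample_message())
```

Run it against a lab firewall only after the dynamic address group and the rule that references the tags exist; an update for an unknown tag is accepted but matches nothing.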

Prevention for Office 365

The pervasiveness of shadow IT is a result of the tremendous value SaaS applications provide to end users. However, the risks of data exposure and threat insertion are far too great to allow SaaS usage to remain unchecked. This has never been more obvious than with Office 365. While other SaaS applications can be considered optional and their use more easily prevented, Microsoft Office is a standard application for most organizations. Now that it comes with cloud applications automatically enabled, it has the potential to let every employee use SaaS applications, regardless of the organization's size or policy. Securely enabling SaaS applications begins with visibility into the applications and users and a firm understanding of whether each SaaS application is sanctioned, unsanctioned or tolerated. Visibility into SaaS usage is a key piece of enablement, but so is the prevention of malware insertion and data loss, which is often facilitated by standard Office 365 file storage and file-sharing features. To protect your Office 365 deployment, threat prevention and data loss policies should be applied to further reduce the attack surface area and improve the security posture.

Visibility Into SaaS Usage on the Network

Properly controlling SaaS usage is impossible without knowing which applications are being used in the network and how they are being used. This requires granular, application-level visibility of usage. To help ensure that our platform accurately identifies Office 365, Palo Alto Networks and Microsoft collaborated to ensure superior identification of Office 365 application usage on the network. This includes the ability to detect application usage and the direction of transfer (upload versus download) even in encrypted flows. In addition to accuracy and directional control, the next-generation firewall can decrypt Office 365 flows to inspect the files within those flows, allowing detailed analysis of threats through WildFire. To further aid in controlling SaaS usage at the network level, the next-generation firewall includes the ability to mark individual SaaS applications as either sanctioned or unsanctioned for improved visibility and reporting. This foundation enables a detailed SaaS report that can be generated as needed and, when paired with Active Directory integration through User-ID, can provide details of who is using which application and in what quantity. This allows continuous reporting of SaaS usage to become a regular part of your security posture analysis. Even more importantly, it provides the key visibility needed to define a SaaS usage policy and a means to begin migrating users to sanctioned SaaS applications.

Control SaaS Application Usage

Enterprise-sanctioned applications, such as Office 365, are typically allowed without restrictions. Unsanctioned SaaS applications, such as those that are known threat vectors, hosted in dangerous geographic regions with poor security and governance controls, or with bad end-user license agreements (EULAs) and service-level agreements (SLAs), are usually blocked outright. Policies to control these applications are relatively straightforward. Less straightforward are those SaaS applications that are tolerated, falling somewhere between enterprise-sanctioned and unsanctioned applications. Tolerated applications represent a unique challenge, requiring a more granular and measured policy to control their usage. Tolerated applications typically fall into two main categories:

- External partners: These are applications made available to your users for sharing and collaboration. They are often controlled by a third party or partner who is sharing data with your internal users.
- Non-enterprise applications: These are applications that internal users rely on that are not enterprise applications and cannot, or should not, be sanctioned.

Since there is no way to ensure the safety of data in the third party's SaaS application or the safety of files entering your organization, a few steps need to be taken to ensure their use does not compromise your network security:

- Prevent malware insertion: Block encrypted connections that could deliver malware into the network invisibly, possibly bypassing existing security.
- Prevent data loss: Set the next-generation firewall policy to allow only the downloading of files, preventing data from leaving your network without visibility or control. File uploads should be restricted to enterprise-sanctioned applications that are secured with our Next-Generation Security Platform. Exceptions can be set based on users or groups via policies based on User-ID user identification technology.

Standardizing on an enterprise-sanctioned application, such as Office 365, opens up the opportunity to move users off of tolerated applications, increasing security while providing more capabilities to end users. Simply cutting off access to these applications often isn't a valid option, since corporate data likely already resides in them and cutting them off only traps the data in the tolerated SaaS applications. Instead, a policy should be set to allow only the downloading of data with no upload rights. Have the users move their data to Office 365 over a period of time. Once the data has been migrated, the application can be moved from tolerated to unsanctioned and blocked.

Prevent Malware Insertion and Data Loss

SaaS applications are often the first insertion point for malware and the last exfiltration point for data loss. Because of this critical position in the infrastructure, the cloud applications themselves should be protected in the same manner as the network applications. Put differently, once the traffic, files and data begin moving off the network into Office 365 or other SaaS applications, you need the ability to exert a consistent control and prevention policy.

[Image 8: Securely enable Office 365, prevent threats and protect data, with WildFire and the Threat Intelligence Cloud]

The SaaS-based component of our security platform adds the ability to connect directly to SaaS applications, such as Office 365, to provide data classification, sharing/permission visibility and threat detection within the application. This yields unparalleled visibility, enabling organizations to inspect content for data-risk violations as it moves to the cloud and to control access to shared data via a contextual policy. To prevent threats within controlled SaaS applications, our SaaS security offering is integrated with WildFire, providing advanced threat prevention against known and unknown malware while simultaneously eliminating a new malware insertion point. As with threats discovered and prevented on the network, newly discovered malware is used to continually improve the Threat Prevention and URL Filtering elements of our security platform.

Prevention for Endpoints and Servers

Threat actors rely primarily on two attack vectors to compromise Windows systems: malicious executables (malware) and vulnerability exploits in system or application software. Regardless of the delivery method (e.g., via email, over the internet or through SaaS applications such as Office 365), preventing attackers from compromising endpoints and servers requires that you prevent both known and unknown variants of both malware and exploits. Additionally, this prevention must be present whether a machine is online or offline, on- or off-premises, connected to the organization's network or not. In fact, effective breach prevention cannot be achieved unless all of these requirements are met simultaneously. Due to the fundamental differences between malware and exploits, meeting these requirements necessitates an approach that combines multiple threat prevention methods, each optimized to prevent either the execution of malicious programs or vulnerability exploits from subverting legitimate applications. Traps advanced endpoint protection replaces traditional antivirus with a multi-method prevention approach that combines the most effective, purpose-built malware and exploit prevention methods to protect Windows systems from known and unknown threats.

Multi-Method Malware Prevention

To prevent malicious executables, Traps implements a multi-method prevention approach that maximizes coverage against malware while simultaneously reducing the attack surface and increasing the accuracy of malware detection. This approach delivers several layers of protection that, when combined, instantaneously prevent known and unknown malware from infecting a system.

Traps evaluates executables as they launch to determine if they are benign or malicious. It checks each executable against hash-based administrative override policies that deliver fine-grained whitelisting and blacklisting capabilities, as well as against policy-based restrictions that control what types of applications are allowed to run in your environment and from where within the Windows file system they can execute (e.g., Traps can prevent the execution of files from the Outlook temp directory).

Traps automatically and immediately identifies new executable files published and digitally signed by trusted and reputable software publishers (such as Microsoft). These executable files are allowed to run without delay or impact to the user, as long as they do not violate any restriction policies. For files that are not signed by trusted publishers, Traps queries WildFire with the hash of each executable file before it is allowed to run, in order to assess its standing within the global threat community. If an executable file has been deemed malicious, Traps prevents it from executing and quarantines it for further administrative action. If an executable file is unknown, Traps submits it to WildFire for complete inspection and analysis and, in the meantime, evaluates it via static analysis for an instant verdict. The machine learning algorithm deployed in the static analysis engine of Traps examines hundreds of characteristics of an executable file to determine if it is likely to be malicious or benign.
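The paragraphs above describe a layered decision: administrative hash overrides, execution-location restrictions, publisher trust, a cloud hash lookup, and finally a local static verdict for files nobody has seen before, with malicious files quarantined so sync and sharing cannot spread them. The following Python is an added example written for this page to make that ordering concrete; it is not Traps or WildFire code. The check order, the Outlook temp folder location, the 7.2 bits/byte entropy threshold, the sample files, the policy tables and the reputation cache are all constructed assumptions, and the entropy heuristic only stands in for the real static-analysis model.

```python
"""Layered executable-verdict pipeline modelled on the checks described above.
Added example for this page, not Traps or WildFire code: the policy tables,
sample files, check order and reputation cache are constructed."""
import hashlib
import math
import tempfile
from collections import Counter
from dataclasses import dataclass, field
from enum import Enum
from pathlib import Path, PureWindowsPath
from typing import Optional


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"                  # refused by restriction policy, file left in place
    QUARANTINE = "block+quarantine"  # judged malicious, copied out of reach of sync/sharing


@dataclass
class Policy:
    hash_allow: set = field(default_factory=set)  # admin override: SHA-256 allowlist
    hash_block: set = field(default_factory=set)  # admin override: SHA-256 blocklist
    blocked_dirs: tuple = ()                      # no execution from these folders
    trusted_publishers: frozenset = frozenset()   # signers whose files run immediately


@dataclass
class Executable:
    path: str                     # Windows path the file is launched from
    content: bytes
    signer: Optional[str] = None  # publisher from an already-verified Authenticode signature


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def in_blocked_dir(path: str, blocked_dirs) -> bool:
    """True if the file sits under a restricted folder (Windows paths compare case-insensitively)."""
    p = PureWindowsPath(path)
    return any(p.is_relative_to(PureWindowsPath(d)) for d in blocked_dirs)


def shannon_entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def static_looks_malicious(data: bytes) -> bool:
    """Stand-in for the static-analysis verdict: a single packed-content heuristic
    (assumed threshold 7.2 bits/byte), nothing like a trained model."""
    return shannon_entropy(data) > 7.2


class Quarantine:
    """Copies blocked files into a holding folder under a non-executable name."""
    def __init__(self):
        self.dir = Path(tempfile.mkdtemp(prefix="quarantine-"))

    def store(self, exe: Executable) -> Path:
        dest = self.dir / (sha256(exe.content) + ".quarantined")
        dest.write_bytes(exe.content)
        return dest


def evaluate(exe: Executable, policy: Policy, reputation: dict, quarantine: Quarantine):
    """Return (Verdict, reason). Check order is this example's assumption: admin overrides,
    restriction policy, publisher trust, hash reputation, then a local static verdict."""
    h = sha256(exe.content)
    if h in policy.hash_block:
        quarantine.store(exe)
        return Verdict.QUARANTINE, "admin blocklist"
    if h in policy.hash_allow:
        return Verdict.ALLOW, "admin allowlist"
    if in_blocked_dir(exe.path, policy.blocked_dirs):
        return Verdict.BLOCK, "restriction policy: no execution from " + str(PureWindowsPath(exe.path).parent)
    if exe.signer in policy.trusted_publishers:  # signed by a trusted publisher: run without delay
        return Verdict.ALLOW, "trusted publisher " + exe.signer
    known = reputation.get(h)  # stands in for the hash query to the cloud analysis service
    if known == "malicious":
        quarantine.store(exe)
        return Verdict.QUARANTINE, "known malicious hash"
    if known == "benign":
        return Verdict.ALLOW, "known benign hash"
    if static_looks_malicious(exe.content):  # unknown file: instant local verdict
        quarantine.store(exe)
        return Verdict.QUARANTINE, "static analysis: likely malicious"
    return Verdict.ALLOW, "static analysis: likely benign"


# Constructed sample content: a low-entropy stub and a uniformly distributed "packed" blob.
BENIGN = b"MZ" + b"\x00" * 200 + b"This program cannot be run in DOS mode." + b"\x00" * 200
PACKED = bytes(range(256)) * 16
OUTLOOK_TEMP = r"C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook"  # assumed
POLICY = Policy(hash_block={sha256(b"admin-banned-tool")}, blocked_dirs=(OUTLOOK_TEMP,),
                trusted_publishers=frozenset({"Microsoft Corporation"}))
REPUTATION = {sha256(b"known-stealer"): "malicious", sha256(b"known-installer"): "benign"}


def run_samples() -> dict:
    q = Quarantine()
    samples = {
        "signed_ms": Executable(r"C:\Windows\System32\notepad.exe", BENIGN, "Microsoft Corporation"),
        "outlook_temp": Executable(OUTLOOK_TEMP + r"\X1Y2Z3\invoice.exe", BENIGN, "Microsoft Corporation"),
        "admin_blocked": Executable(r"C:\Tools\tool.exe", b"admin-banned-tool"),
        "known_bad": Executable(r"C:\Users\alice\Downloads\update.exe", b"known-stealer"),
        "known_good": Executable(r"C:\Users\alice\Downloads\setup.exe", b"known-installer"),
        "unknown_packed": Executable(r"C:\Users\alice\Downloads\unknown1.exe", PACKED),
        "unknown_plain": Executable(r"C:\Users\alice\Downloads\unknown2.exe", BENIGN),
    }
    return {name: evaluate(exe, POLICY, REPUTATION, q) for name, exe in samples.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in run_samples().items():
        print(f"{name:15} {verdict.value:17} {reason}")
```

Two points the sample set makes visible: a trusted signature does not override the location restriction (the signed file launched from the Outlook temp folder is still refused), and only files judged malicious are quarantined, whereas a file refused purely for its location is left where it is.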
Traps quarantines all malicious executables to prevent the dissemination of infected files to other users. Although essential in most environments, this capability is particularly useful in preventing the inadvertent dissemination of malware in organizations where network- or cloud-based data storage and SaaS applications (such as Office 365 and SharePoint) automatically sync files across multiple users and systems.

Image 9: Multi-method malware and exploit prevention

Multi-Method Exploit Prevention

Many targeted attacks begin with an exploit delivered as a data file (such as a Microsoft Office file) through a website, via email or over the network. When the user opens the file, the malicious code embedded inside leverages a software vulnerability in the application used to view the file, subverting the application and executing an arbitrary set of instructions. Because this type of attack is difficult to distinguish from normal application behavior, it bypasses traditional antivirus and most endpoint security solutions. In addition, if the application being exploited is a whitelisted one, the attack will bypass those controls as well.

Traps uses an entirely new and unique approach to preventing exploits. Instead of focusing on the millions of individual attacks or their underlying software vulnerabilities, Traps focuses on the core exploitation techniques used by all exploit-based attacks. Although there are many thousands of exploits, they all rely on a small set of core exploitation techniques that change infrequently. Furthermore, each exploit must use a series of those exploitation techniques to successfully subvert an application. By blocking the core techniques, Traps effectively prevents the exploitation of application vulnerabilities, whether they are known or unknown. Organizations using Traps can run any application, including those developed in-house and those that no longer receive security support (such as Internet Explorer versions older than 11), without an imminent threat to their environment. Traps implements a multi-method approach to exploit prevention, combining several layers of protection to block exploitation techniques, including Memory Corruption and Manipulation (e.g., Heap Spray, ROP), Logic Flaw (e.g., DLL Hijacking), and Malicious Code Execution.

Automating Prevention With the Next-Generation Security Platform

As a component of the Palo Alto Networks Next-Generation Security Platform, Traps both shares threat intelligence with WildFire and receives it from WildFire. Threat intelligence is passed to WildFire by each component of the security platform, and Traps uses this information to block threats on the endpoint, no matter where they originated.

Image 10: Automate prevention based on intelligence gained elsewhere

The automatic reprogramming and conversion of threat intelligence into prevention all but eliminates the opportunity for an attacker to use unknown and advanced malware to infect a system. An attacker can use each piece of malware at most once, anywhere in the world, and only has seconds to carry out an attack before WildFire renders it entirely ineffective.

Extend Network Security Policies to the Endpoint

The network plays several roles in the attack lifecycle on the endpoint. It is used as a vehicle for the delivery of exploits and malware. It provides the means for ongoing communication with the attacker. It is also the conduit for exfiltration of credentials and data. In addition, some types of attacks, such as phishing, take place by intercepting traffic or impersonating legitimate websites in order to steal credentials. Network security provides the means to disrupt such attack methods, but it can only protect the traffic that it sees. As workforces adopt mobile platforms, such as laptops, tablets and smartphones, a growing amount of network traffic goes uninspected, creating a dangerous set of conditions that increases the attacker's ability to communicate directly with a victim's endpoint.

Image 11: Enforce policy consistency from the network to the endpoint

Extend the protection of the Next-Generation Security Platform with the GlobalProtect network security client for endpoints. GlobalProtect provides organizations with the means to maintain visibility and enforce security policy for all traffic, even when the user is away from the office. This is done by automatically establishing a connection to a next-generation firewall operating as an internet gateway (in hardware, Hyper-V or Azure), enabling the organization to consistently enforce policy for all traffic in the same manner.

By stopping an attack in network traffic, organizations can reduce the attack surface by preventing malicious content, such as exploits and malware, from reaching the endpoint. In addition, GlobalProtect applies the platform to block communication to a hostile domain or phishing site, intercept communication to a command-and-control server, and block the exfiltration of data.

Summary

Your Microsoft infrastructure encompasses network, cloud and endpoint components that are at the heart of your business operations. Microsoft Exchange, Active Directory and Skype for Business enable worldwide communications; Office 365 and SharePoint facilitate team collaboration; and Windows drives your server farms and your employee endpoints.

Image 12: Threat prevention is continually improved based on intelligence gained from platform components

Palo Alto Networks protects your distributed Microsoft environment with a natively integrated security platform that spans your network, cloud and endpoints. Each of our platform components provides you with the ability to reduce your attack surface area, prevent threats and make unknown attacks known. Native integration provides threat intelligence that continually improves your ability to prevent known and unknown attacks across your entire Microsoft infrastructure.

Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.


More information

Kaspersky Security Network

Kaspersky Security Network The Kaspersky Security Network (KSN) is a complex distributed infrastructure dedicated to intelligently processing cybersecurity-related data streams from millions of voluntary participants around the

More information

ForeScout CounterACT. Continuous Monitoring and Mitigation. Real-time Visibility. Network Access Control. Endpoint Compliance.

ForeScout CounterACT. Continuous Monitoring and Mitigation. Real-time Visibility. Network Access Control. Endpoint Compliance. Real-time Visibility Network Access Control Endpoint Compliance Mobile Security ForeScout CounterACT Continuous Monitoring and Mitigation Rapid Threat Response Benefits Rethink IT Security Security Do

More information

Google Identity Services for work

Google Identity Services for work INTRODUCING Google Identity Services for work One account. All of Google Enter your email Next Online safety made easy We all care about keeping our data safe and private. Google Identity brings a new

More information

MICRO-SEGMENTATION FOR CLOUD-SCALE SECURITY TECHNICAL WHITE PAPER

MICRO-SEGMENTATION FOR CLOUD-SCALE SECURITY TECHNICAL WHITE PAPER TECHNICAL WHITE PAPER MICRO-SEGMENTATION FOR CLOUD-SCALE SECURITY Abstract Organizations are in search of ways to more efficiently and securely use IT resources to increase innovation and minimize cost.

More information

Evolution of Cyber Security. Nasser Kettani Chief Technology Officer Microsoft, Middle East and Africa

Evolution of Cyber Security. Nasser Kettani Chief Technology Officer Microsoft, Middle East and Africa Evolution of Cyber Security Nasser Kettani Chief Technology Officer Microsoft, Middle East and Africa Nasser.Kettani@microsoft.com @nkettani MODERN SECURITY THREATS THERE ARE TWO KINDS OF BIG COMPANIES:

More information

STRATEGIC WHITE PAPER. Securing cloud environments with Nuage Networks VSP: Policy-based security automation and microsegmentation overview

STRATEGIC WHITE PAPER. Securing cloud environments with Nuage Networks VSP: Policy-based security automation and microsegmentation overview STRATEGIC WHITE PAPER Securing cloud environments with Nuage Networks VSP: Policy-based security automation and microsegmentation overview Abstract Cloud architectures rely on Software-Defined Networking

More information

Microsoft Security Management

Microsoft Security Management Microsoft Security Management MICROSOFT SECURITY MANAGEMENT SECURITY MANAGEMENT CHALLENGES Some large financial services organizations have as many as 40 or more different security vendors inside their

More information

How-to Guide: Tenable.io for Microsoft Azure. Last Updated: November 16, 2018

How-to Guide: Tenable.io for Microsoft Azure. Last Updated: November 16, 2018 How-to Guide: Tenable.io for Microsoft Azure Last Updated: November 16, 2018 Table of Contents How-to Guide: Tenable.io for Microsoft Azure 1 Introduction 3 Auditing the Microsoft Azure Cloud Environment

More information

SECURE DATA EXCHANGE

SECURE DATA EXCHANGE POLICY-DRIVEN SOLUTIONS FOR SECURE DATA EXCHANGE Sending and receiving data is a fundamental part of daily business for nearly every organization. Companies need to share financial transaction details,

More information

Proteggere Office365 e Cloud file sharing in meno di un minuto Tiberio Molino Sr.Sales Engineer Trend Micro

Proteggere Office365 e Cloud file sharing in meno di un minuto Tiberio Molino Sr.Sales Engineer Trend Micro Proteggere Office365 e Cloud file sharing in meno di un minuto Tiberio Molino Sr.Sales Engineer Trend Micro 2 Customer Challenges 3 Most Attacks Include Phishing Emails 5 Advanced Malware Difficult to

More information

Cato Cloud. Solution Brief. Software-defined and Cloud-based Secure Enterprise Network NETWORK + SECURITY IS SIMPLE AGAIN

Cato Cloud. Solution Brief. Software-defined and Cloud-based Secure Enterprise Network NETWORK + SECURITY IS SIMPLE AGAIN Cato Cloud Software-defined and Cloud-based Secure Enterprise Network Solution Brief NETWORK + SECURITY IS SIMPLE AGAIN Legacy WAN and Security Appliances are Incompatible with the Modern Enterprise The

More information

FIREWALL PROTECTION AND WHY DOES MY BUSINESS NEED IT?

FIREWALL PROTECTION AND WHY DOES MY BUSINESS NEED IT? WHAT IS FIREWALL PROTECTION AND WHY DOES MY BUSINESS NEED IT? While firewalls started life simply protecting networks from outside hacks and attacks, the role of the firewall has greatly evolved to take

More information

IBM Global Technology Services Provide around-the-clock expertise and protect against Internet threats.

IBM Global Technology Services Provide around-the-clock expertise and protect against Internet threats. IBM Global Technology Services Provide around-the-clock expertise and protect against Internet threats. Enhancing cost to serve and pricing maturity Keeping up with quickly evolving ` Internet threats

More information

McAfee epolicy Orchestrator

McAfee epolicy Orchestrator McAfee epolicy Orchestrator Centrally get, visualize, share, and act on security insights Security management requires cumbersome juggling between tools and data. This puts the adversary at an advantage

More information

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION BREACH & ATTACK SIMULATION THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION Cymulate s cyber simulation platform allows you to test your security assumptions, identify possible security gaps and receive

More information

How-to Guide: Tenable Nessus for Microsoft Azure. Last Updated: April 03, 2018

How-to Guide: Tenable Nessus for Microsoft Azure. Last Updated: April 03, 2018 How-to Guide: Tenable Nessus for Microsoft Azure Last Updated: April 03, 2018 Table of Contents How-to Guide: Tenable Nessus for Microsoft Azure 1 Introduction 3 Auditing the Microsoft Azure Cloud Environment

More information

Securing Today s Mobile Workforce

Securing Today s Mobile Workforce WHITE PAPER Securing Today s Mobile Workforce Secure and Manage Mobile Devices and Users with Total Defense Mobile Security Table of Contents Executive Summary..................................................................................

More information

Comodo Unknown File Hunter Software Version 2.1

Comodo Unknown File Hunter Software Version 2.1 rat Comodo Unknown File Hunter Software Version 2.1 Administrator Guide Guide Version 2.1.061118 Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013 Table of Contents 1 Introduction to Comodo

More information

TOP TEN DNS ATTACKS PROTECTING YOUR ORGANIZATION AGAINST TODAY S FAST-GROWING THREATS

TOP TEN DNS ATTACKS PROTECTING YOUR ORGANIZATION AGAINST TODAY S FAST-GROWING THREATS TOP TEN DNS ATTACKS PROTECTING YOUR ORGANIZATION AGAINST TODAY S FAST-GROWING THREATS 1 Introduction Your data and infrastructure are at the heart of your business. Your employees, business partners, and

More information

Outwit Cyber Criminals with Comprehensive Malware and Exploit Protection.

Outwit Cyber Criminals with Comprehensive Malware and Exploit Protection. Singtel Business Product Brochure Managed Advanced Threat Prevention Outwit Cyber Criminals with Comprehensive Malware and Exploit Protection. As cyber criminals outwit businesses by employing ever-new

More information

Wayward Wi-Fi. How Rogue Hotspots Can Hijack Your Data and Put Your Mobile Devices at Risk

Wayward Wi-Fi. How Rogue Hotspots Can Hijack Your Data and Put Your Mobile Devices at Risk Wayward Wi-Fi How Rogue Hotspots Can Hijack Your Data and Put Your Mobile Devices at Risk 288 MILLION There are more than 288 million unique Wi-Fi networks worldwide. Source: Wireless Geographic Logging

More information

Protect Your End-of-Life Windows Server 2003 Operating System

Protect Your End-of-Life Windows Server 2003 Operating System Protect Your End-of-Life Windows Server 2003 Operating System Your guide to mitigating risks in your Windows Server 2003 Systems after the end of support End of Support is Not the End of Business When

More information

MICRO-SEGMENTATION FOR CLOUD-SCALE SECURITY TECHNICAL WHITE PAPER

MICRO-SEGMENTATION FOR CLOUD-SCALE SECURITY TECHNICAL WHITE PAPER TECHNICAL WHITE PAPER MICRO-SEGMENTATION FOR CLOUD-SCALE SECURITY Abstract Organizations are in search of ways to more efficiently and securely use IT resources to increase innovation and minimize cost.

More information

A Guide to Closing All Potential VDI Security Gaps

A Guide to Closing All Potential VDI Security Gaps Brought to you by A Guide to Closing All Potential VDI Security Gaps IT and security leaders are embracing virtual desktop infrastructure (VDI) as a way to improve security for an increasingly diverse

More information

EU GENERAL DATA PROTECTION: TIME TO ACT. Laurent Vanderschrick Channel Manager Belgium & Luxembourg Stefaan Van Hoornick Technical Manager BeNeLux

EU GENERAL DATA PROTECTION: TIME TO ACT. Laurent Vanderschrick Channel Manager Belgium & Luxembourg Stefaan Van Hoornick Technical Manager BeNeLux EU GENERAL DATA PROTECTION: TIME TO ACT Laurent Vanderschrick Channel Manager Belgium & Luxembourg Stefaan Van Hoornick Technical Manager BeNeLux Is this the WAY you handle GDPR today 2 3 area s to consider

More information

PrecisionAccess Trusted Access Control

PrecisionAccess Trusted Access Control Data Sheet PrecisionAccess Trusted Access Control Defeats Cyber Attacks Credential Theft: Integrated MFA defeats credential theft. Server Exploitation: Server isolation defeats server exploitation. Compromised

More information

Why is Office 365 the right choice?

Why is Office 365 the right choice? Why is Office 365 the right choice? People today want to be productive wherever they go. They want to work faster and smarter across their favorite devices, while staying current and connected. Simply

More information

Are we breached? Deloitte's Cyber Threat Hunting

Are we breached? Deloitte's Cyber Threat Hunting Are we breached? Deloitte's Cyber Threat Hunting Brochure / report title goes here Section title goes here Have we been breached? Are we exposed? How do we proactively detect an attack and minimize the

More information

Delivering Integrated Cyber Defense for the Cloud Generation Darren Thomson

Delivering Integrated Cyber Defense for the Cloud Generation Darren Thomson Delivering Integrated Cyber Defense for the Generation Darren Thomson Vice President & CTO, EMEA Region Symantec In 2009 there were 2,361,414 new piece of malware created. In 2015 that number was 430,555,582

More information