TRAPS ADVANCED ENDPOINT PROTECTION

Transcription

1 TRAPS ADVANCED ENDPOINT PROTECTION Technology Overview Palo Alto Networks White Paper

2 Most organizations deploy a number of security products to protect their endpoints, including one or more traditional antivirus solutions. Nevertheless, cyber breaches continue to increase in frequency, variety and sophistication. Faced with the rapidly changing threat landscape, current endpoint security solutions and antivirus can no longer prevent security breaches on the endpoint. Palo Alto Networks Traps advanced endpoint protection replaces traditional antivirus with a unique combination of the most effective, purpose-built, malware and exploit prevention methods that pre-emptively block known and unknown threats from compromising a system. Multi-Method Prevention Threat actors rely primarily on two attack vectors to compromise endpoints: malicious executables (malware) and vulnerability exploits. These attack vectors are used individually or in various combinations, but they are fundamentally different in nature: Malware is an often self-contained malicious executable that is designed to perform nefarious activities on a system. Exploits are weaponized data files or content (such as a Microsoft Word document) that is designed to leverage software flaws or bugs in legitimate applications to provide an attacker with remote code execution capabilities. Preventing attackers from compromising endpoints and servers requires an advanced endpoint protection product that prevents both known and unknown variants of each malware and exploit, and also delivers this prevention whether a machine is online or offline, on-premise or off, connected to the organization s network or not (Figure 1). In fact, effective breach prevention cannot be achieved unless all of these requirements are met simultaneously. Execute Malicious Programs Exploit Software Vulnerabilities Must prevent known and unknown malware from infecting endpoints. Online Offline On-Prem Off-Prem Must prevent known and unknown exploits, including zero-day exploits. Figure 1: Effective Endpoint Security Must Prevent Both Malware and Exploits Due to the fundamental differences between malware and exploits, meeting these requirements necessitates an approach that combines multiple threat prevention methods that are optimized to either prevent the execution of malicious programs or prevent vulnerability exploits from subverting legitimate applications. Traps advanced endpoint protection replaces traditional antivirus with a multi-method prevention approach that combines the most effective, purpose-built, malware and exploit prevention methods to protect endpoint systems from known and unknown threats. Multi-Method Malware Prevention Traps prevents malicious executables with a unique, multi-method prevention approach that maximizes the coverage against malware while simultaneously reducing the attack surface and increasing the accuracy of malware detection. This approach blends several layers of protection that, when combined, instantaneously prevent known and unknown malware from infecting a system (Figure 2). Static Analysis via Machine Learning: This method delivers an instantaneous verdict on any unknown executable file before it is allowed to run. By examining hundreds of the file s characteristics in a fraction of a second, this method determines if it is likely to be malicious or benign without reliance on signatures, scanning or behavioral analysis. The threat intelligence available through WildFire cloud-based malware analysis environment is used to train the machine learning model of Traps to autonomously recognize malware, especially variants that have never been seen before, with unmatched effectiveness and accuracy. WildFire Inspection and Analysis: This method leverages the power of WildFire to rapidly detect unknown malware and automatically reprogram Traps to prevent known malware. Traps queries WildFire with the hash of any executable file before it is allowed to run, in order to assess its standing within the global threat community. If it has been deemed malicious, Traps automatically reprograms itself to prevent the execution of that file from that moment on. If the executable file is unknown, Traps submits it to WildFire for complete inspection and analysis. WildFire, in turn, eliminates the threat of the unknown by transforming it into known in about 300 seconds. Palo Alto Networks White Paper 2

3 Trusted Publisher Execution Restrictions: This method allows organizations to identify executable files that are among the unknown good because they are published and digitally signed by trusted publishers, entities that Palo Alto Networks recognizes as reputable software publishers. Policy-Based Execution Restrictions: Organizations can easily define policies to restrict specific execution scenarios, thereby reducing the attack surface of any environment. For example, Traps can prevent the execution of files from the Outlook temp directory or prevent the execution of a particular file type directly from a USB drive. Admin Override Policies: This method allows organizations to define policies, based on the hash of an executable file, to control what is allowed to run in any environment and what is not. This delivers a finegrained whitelisting and blacklisting capability that enables administrators to override the verdicts issued by WildFire or static analysis to suit an organization s needs. In addition to the malware prevention methods above, Traps quarantines malicious executables to prevent the dissemination of infected files to other users. Although essential in most environments, this capability is particularly useful in preventing the inadvertent dissemination of malware in organizations where network- or cloud-based data storage and SaaS applications automatically sync files across multiple users and systems. Admin Override Policies Trusted Publisher WildFire Inspection and Analysis Static Analysis via Machine Learning Execution Restrictions Figure 2: Traps Multi-Method Malware Prevention Multi-Method Exploit Prevention Many targeted attacks begin with an exploit delivered as a data file (such as a Microsoft Office or Adobe Acrobat file) through a website, via , or over the network. When the user opens the file, the malicious code embedded inside leverages a software vulnerability in the application that is used to view the file to subvert the application and executes an arbitrary set of instructions. Because this type of attack is difficult to distinguish from normal application behavior, it bypasses traditional antivirus and most endpoint security solutions. In addition, if the application being exploited is whitelisted, the attack will bypass those controls as well. Traps uses an entirely new and unique approach to preventing exploits. Instead of focusing on the millions of individual attacks or their underlying software vulnerabilities, Traps focuses on the core exploitation techniques used by all exploit-based attacks. Although there are many thousands of exploits, they all rely on a small set of core exploitation techniques that change infrequently. Furthermore, each exploit must use a series of those exploitation techniques to successfully subvert an application. By blocking the core techniques, Traps effectively prevents the exploitation of application vulnerabilities, whether they are known or unknown. Organizations using Traps can run any application, including those developed in-house and those that no longer receive security support, without the imminent threat to their environment. Traps implements a multi-method approach to exploit prevention, combining several layers of protection to block exploitation techniques (Figure 3): Memory Corruption/Manipulation Prevention: Memory corruption is a category of exploitation techniques where the exploit manipulates the operating system s normal memory management mechanisms for the application opening the weaponized data file that contains the exploit. The Memory Corruption Prevention method recognizes and stops these exploitation techniques before they have a chance to subvert the application. Memory Corruption Prevention Logic Flaw Prevention Malicious Code Execution Prevention Figure 3: Traps Multi-Method Exploit Prevent Palo Alto Networks White Paper 3

4 Logic Flaw Prevention: Logic flaw is a category of exploitation techniques that allow the exploit to manipulate the operating system s normal processes that are used to support and execute the target application opening the weaponized data file. For example, the exploit may alter the location where dynamic link libraries (DLLs) are loaded from into an application s execution environment so that the exploit s malicious DLLs can replace legitimate ones. The Logic Flaw Prevention method recognizes these exploitation techniques and stops them before they succeed. Malicious Code Execution Prevention: In most cases, the end goal of every exploit is to execute some arbitrary code the attacker s commands that are embedded in the exploit data file. The Malicious Code Execution Prevention method recognizes the exploitation techniques that allow the attacker s malicious code to execute and blocks them before they succeed. NEXT-GENERATION FIREWALL NATIVELY INTEGRATED THREAT INTELLIGENCE CLOUD NET WORK AUTOMATED CLOUD EXTENSIBLE ADVANCED ENDPOINT PROTECTION Figure 4: Palo Alto Networks Next-Generation Security Platform ENDPOINT Next-Generation Security Platform With the ever-decreasing cost of computing power, threat actors can launch increasingly numerous and sophisticated attacks with far greater ease than before. Disjointed layers of security and point solutions that rely on obsolete technologies or human response to alerts are no longer sufficient or scalable. Only a platform that consolidates, automates and natively integrates multiple preventive technologies can ensure the prevention of advanced, targeted and evasive attacks. The native integration of Traps with the Palo Alto Networks Next-Generation Security Platform enables organizations to continuously share the growing threat intelligence gained from thousands of enterprise customers across both networks and endpoints to deliver prevention (Figure 4). The automatic reprogramming and conversion of threat intelligence into prevention all but eliminates the opportunity for an attacker to use unknown and advanced malware to infect a system. An attacker can use each piece of malware once, at most, anywhere in the world, and only has seconds to carry out an attack before WildFire renders it entirely ineffective. Administration Console Technical Architecture The technical architecture of Traps is optimized for maximum availability, flexibility and scalability. At a high level, the architecture consists of any number of Traps endpoint agents that are managed through a central Endpoint Security Manager (ESM) (Figure 5). The ESM in turn implements a three-tiered architecture that consists of an ESM Console, a central Policy Database, and any number of ESM Communication Servers. Policy Database Endpoints Endpoint Security Manager Console The ESM Console is the administrative interface for Traps. Running on Internet Information Services (IIS) for Windows, the ESM Console provides access to the central Policy Database of Traps. Organizations can deploy multiple ESM Consoles, each of which can reside on physical or virtual systems. Communication Server Traps Endpoint Security Manager (ESM) Figure 5: Technical Architecture of Traps Palo Alto Networks White Paper 4

5 Policy Database The Traps Policy Database is the central repository of all information that is necessary to configure, maintain and operate the Traps Advanced Endpoint Protection environment. Examples of the information contained in the Policy Database include: prevention policies and settings, activity and forensic logs, ESM and agent configurations, and WildFire interface configurations. Endpoint Security Manager Communication Servers ESM Communication Servers act as proxies between Traps agents and the ESM Policy Database. ESM Communication Servers do not store data and, therefore, can be easily added and removed from the environment as needed to ensure adequate geographic coverage and redundancy. ESM servers can be installed on Windows Servers deployed on physical or virtual machines. Traps Endpoint Agent The Traps Endpoint Agent is a lightweight agent that consists of various drivers and services. Following its initial deployment onto the endpoints, system administrators have complete control over all Traps agents in the environment through the ESM Console. System Requirements and Platform Support Traps protects unpatched systems and is supported across any platform that runs Microsoft Windows: desktops, servers, industrial control systems (ICS/SCADA), virtual desktop infrastructure (VDI) components, virtual machines (VM), and embedded systems (Figure 6). Benefits of the Multi-Method Approach The Multi-Method Prevention approach of Traps delivers breach prevention, in contrast to breach detection and incident response after critical assets have already been compromised. With Traps, organizations: Operating Systems Windows XP (32-bit, SP3 or later) Windows Vista (32-bit, 64-bit, SP1 or later; FIPS mode) Windows 7 (32-bit, 64-bit, RTM and SP1; FIPS mode; all editions except Home) Windows Embedded 7 (Standard and POSReady) Windows 8 (32-bit, 64-bit) Windows 8.1 (32-bit, 64-bit; FIPS mode) Windows Embedded 8.1 Pro Windows 10 Pro (32-bit and 64-bit) Windows 10 Enterprise LTSB Windows Server 2003 (32-bit, SP2 or later) Windows Server 2003 R2 (32-bit, SP2 or later) Windows Server 2008 (32-bit, 64-bit; FIPS mode) Windows Server 2008 R2 (32-bit, 64-bit; FIPS mode) Windows Server 2012 (all editions; FIPS mode) Windows Server 2012 R2 (all editions; FIPS mode) Virtual Environments VMware ESX Citrix XenServer Physical Platforms SCADA Windows Tablets 1. Prevent security breaches and cyberattacks that bypass antivirus solutions. Traps protects endpoints from known and unknown cyberthreats that are delivered Oracle Virtualbox Microsoft Hyper-V Virtual Desktop Infrastructure VMware Horizon View ATM POS Run-Time Footprint 0.1% CPU Load through malware and Citrix XenDesktop 50 MB RAM exploits, whether a machine is offline or online, on-premise 250 MB Disk Space or off, connected to the organization s network or not. Whereas traditional Figure 6: Traps System Requirements and Platform Support antivirus solutions focus on scanning, detecting and identifying known malware, Traps excels at preventing both the known and the unknown from compromising endpoints, including unknown malware and zero-day exploits. 2. Protect and enable end users to conduct their daily activities without fearing cyberthreats. Traps empowers an organization s users to conduct their daily business activities and use mobile- and cloud-based technologies without fearing unknown cyberthreats, knowing that they are protected from inadvertently running malware or exploits that compromise their systems. Palo Alto Networks White Paper 5

6 3. Automatically convert threat intelligence into prevention. Traps is natively integrated with Palo Alto Networks Next-Generation Security Platform, which includes our Next-Generation Firewall and Threat Intelligence Cloud. This integration means that each component of the platform, including Traps, shares the threats it observes with WildFire and receives threat intelligence in return. It also means that each component automatically converts that intelligence into prevention by reprogramming itself to block threats that are identified anywhere by any other component of the platform. 4. Secure unpatched or unpatchable applications and systems that have reached their end-of-support. Traps Multi-Method Exploit Prevention blocks the core techniques used by all exploits, rendering the techniques ineffective. This effectively prevents the exploitation of application vulnerabilities, whether they are known or unknown, whether vendor security patches have been issued or not, and whether those patches have been applied or not. Traps can protect any application, including those developed in-house, as well as applications and systems that have reached their end-of-support (such as Internet Explorer, Windows XP and Windows Server 2003). 5. Eliminate manual breach analysis and the need for timely identification of critical alerts to stop an attack. The multi-method prevention of Traps delivers breach prevention, in contrast to breach detection and incident response. The security alerts that Traps generates signify the termination of an attack. IT and security staff no longer need to actively sift through security alerts to determine which may warrant an active investigation. With Traps, alert investigation is only necessary when extra resources are available and your organization wants to study potential security breaches that have been prevented. Conclusion To learn more about Traps, attend an Ultimate Test Drive event and experience its prevention capabilities firsthand. Alternatively, contact your sales representative to schedule an in-house evaluation for your organization Great America Parkway Santa Clara, CA Main: Sales: Support: Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. traps-technology-overview-wp