Zero Trust on the Endpoint. Extending the Zero Trust Model from Network to Endpoint with Advanced Endpoint Protection

Similar documents
TRAPS ADVANCED ENDPOINT PROTECTION

Traps Advanced Endpoint Protection

TRAPS ADVANCED ENDPOINT PROTECTION

SECURITY PLATFORM FOR HEALTHCARE PROVIDERS

APP-ID. A foundation for visibility and control in the Palo Alto Networks Security Platform

McAfee Public Cloud Server Security Suite

GLOBALPROTECT. Key Usage Scenarios and Benefits. Remote Access VPN Provides secure access to internal and cloud-based business applications

A Modern Framework for Network Security in Government

Outwit Cyber Criminals with Comprehensive Malware and Exploit Protection.

App-ID. PALO ALTO NETWORKS: App-ID Technology Brief

Securing the Modern Data Center with Trend Micro Deep Security

The Next Generation Security Platform. Domenico Stranieri Pre- Sales Engineer Palo Alto Networks EMEA Italy

SentinelOne Technical Brief

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

McAfee Embedded Control

PROTECT WORKLOADS IN THE HYBRID CLOUD

THE ACCENTURE CYBER DEFENSE SOLUTION

DECRYPT SSL AND SSH TRAFFIC TO DISRUPT ATTACKER COMMUNICATIONS AND THEFT

EU GENERAL DATA PROTECTION: TIME TO ACT. Laurent Vanderschrick Channel Manager Belgium & Luxembourg Stefaan Van Hoornick Technical Manager BeNeLux

MEMORY AND BEHAVIORAL PROTECTION ENDPOINT SECURITY NETWORK SECURITY I ENDPOINT SECURITY I DATA SECURITY

SentinelOne Technical Brief

MAKING THE CLOUD A SECURE EXTENSION OF YOUR DATACENTER

McAfee Complete Endpoint Threat Protection Advanced threat protection for sophisticated attacks

SEGMENTATION TO A TRADITIONAL DATA CENTER

Forescout. eyeextend for Palo Alto Networks Wildfire. Configuration Guide. Version 2.2

Aligning with the Critical Security Controls to Achieve Quick Security Wins

Paloalto Networks PCNSA EXAM

IBM Security Network Protection Solutions

The threat landscape is constantly

AKAMAI CLOUD SECURITY SOLUTIONS

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

Security by Default: Enabling Transformation Through Cyber Resilience

Securing Your Amazon Web Services Virtual Networks

How to Identify Advanced Persistent, Targeted Malware Threats with Multidimensional Analysis

eguide: Designing a Continuous Response Architecture 5 Steps to Reduce the Complexity of PCI Security Assessments

CloudSOC and Security.cloud for Microsoft Office 365

McAfee Endpoint Threat Defense and Response Family

Service. Sentry Cyber Security Gain protection against sophisticated and persistent security threats through our layered cyber defense solution

CyberArk Privileged Threat Analytics

6 KEY SECURITY REQUIREMENTS

Office 365 Buyers Guide: Best Practices for Securing Office 365

McAfee Embedded Control for Retail

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

CS 356 Operating System Security. Fall 2013

Privileged Account Security: A Balanced Approach to Securing Unix Environments

SandBlast Agent FAQ Check Point Software Technologies Ltd. All rights reserved P. 1. [Internal Use] for Check Point employees

ADVANCED THREAT PREVENTION FOR ENDPOINT DEVICES 5 th GENERATION OF CYBER SECURITY

RSA NetWitness Suite Respond in Minutes, Not Months

Building Resilience in a Digital Enterprise

Maximum Security with Minimum Impact : Going Beyond Next Gen

White Paper. Why IDS Can t Adequately Protect Your IoT Devices

SIEM: Five Requirements that Solve the Bigger Business Issues

Isla Web Malware Isolation and Network Sandbox Solutions Security Technology Comparison and Integration Guide

Securing Your Microsoft Azure Virtual Networks

McAfee epolicy Orchestrator

SYMANTEC DATA CENTER SECURITY

WHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX

SOLUTION BRIEF ASSESSING DECEPTION TECHNOLOGY FOR A PROACTIVE DEFENSE

Build Your Zero Trust Security Strategy With Microsegmentation

Juniper Sky Advanced Threat Prevention

JUNIPER SKY ADVANCED THREAT PREVENTION

Stopping Advanced Persistent Threats In Cloud and DataCenters

FIREWALL OVERVIEW. Palo Alto Networks Next-Generation Firewall

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

NETWORK FORENSIC ANALYSIS IN THE AGE OF CLOUD COMPUTING.

VM-SERIES FOR VMWARE VM VM

McAfee Endpoint Security

WHITEPAPER ATTIVO NETWORKS DECEPTION TECHNOLOGY FOR MERGERS AND ACQUISITIONS

A Comprehensive CyberSecurity Policy

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

AT&T Endpoint Security

Symantec Endpoint Protection 14

Real-time, Unified Endpoint Protection

SANS Top 20 CIS. Critical Security Control Solution Brief Version 6. SANS Top 20 CIS. EventTracker 8815 Centre Park Drive, Columbia MD 21045

PREVENT CREDENTIAL THEFT IN HEALTHCARE

WHITEPAPER. How to secure your Post-perimeter world

deep (i) the most advanced solution for managed security services

Configure Unsanctioned Device Access Control

AND FINANCIAL CYBER FRAUD INSTITUTIONS FROM. Solution Brief PROTECTING BANKING

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

Symantec Protection Suite Add-On for Hosted Security

Securing Office 365 with SecureCloud

ForeScout Extended Module for Carbon Black

ATTIVO NETWORKS THREATDEFEND INTEGRATION WITH MCAFEE SOLUTIONS

Supporting The Zero Trust Model Of Information Security: The Important Role Of Today s Intrusion Prevention Systems

Securing Your Most Sensitive Data

RSA Security Analytics

Securing the Software-Defined Data Center

Integrated Access Management Solutions. Access Televentures

FIREWALL BEST PRACTICES TO BLOCK

SOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications

Borderless security engineered for your elastic hybrid cloud. Kaspersky Hybrid Cloud Security. #truecybersecurity

Course Outline Topic 1: Current State Assessment, Security Operations Centers, and Security Architecture

Automating the Top 20 CIS Critical Security Controls

Automated Response in Cyber Security SOC with Actionable Threat Intelligence

Transforming Security from Defense in Depth to Comprehensive Security Assurance

Endpoint Protection : Last line of defense?

Delivering Integrated Cyber Defense for the Cloud Generation Darren Thomson

McAfee MVISION Cloud. Data Security for the Cloud Era

Transcription:

Zero Trust on the Endpoint Extending the Zero Trust Model from Network to Endpoint with Advanced Endpoint Protection March 2015

Executive Summary The Forrester Zero Trust Model (Zero Trust) of information security advocates a never trust, always verify philosophy in protecting information resources. Though the model has traditionally been applied to network communications, it is clear that today s cyber threats warrant a new approach in which the Zero Trust model is extended to endpoints. Palo Alto Networks Traps Advanced Endpoint Protection is an innovative endpoint protection technology that prevents exploits and malicious executables, both known and unknown. It has the proven capacity to act as the enforcer for Zero Trust and to serve as a vital component of an enterprise s security architecture and compliance suite on the endpoint. What is the Zero Trust Concept? The Zero Trust Model developed by Forrester Research seeks to change the paradigm by which many organizations think about defending the enterprise information infrastructure. Zero Trust is intended to remedy the deficiencies with perimeter-centric strategies and the legacy devices and technologies used to implement them. It does this by promoting never trust, always verify as its guiding principle. In particular, with Zero Trust there is no default trust for any entity including network segments, users, devices and applications. In addition, verifying that authorized entities are always doing only what they are allowed to do is a requirement. The implications for these two changes are, respectively: a) The enterprise must establish trust boundaries that effectively compartmentalize different segments of the internal computing environment. The general idea is to move security controls closer to the resources that require protection. b) Trust boundaries must do more than just initial authorization and access-control enforcement. To always verify also requires ongoing monitoring and inspection of associated communications traffic for subversive activities (i.e. threats). The core Zero Trust principle and derivative implications are further reflected and refined in the three concepts that define the operational objectives of a Zero Trust implementation. Concept #1: Ensure that all resources are accessed securely regardless of location. This suggests not only the need for multiple trust boundaries, but also increased use of secure access for communication to/from resources, even when sessions are confined to the internal network. It also means ensuring that only devices with the right status and settings (e.g., ones that are compliant with security policy) are allowed access to the network. Concept #2: Adopt a least-privilege strategy and strictly enforce access control. The goal in this case is to absolutely minimize authorized access to resources in order to reduce the pathways available for malware and attackers to gain unauthorized access and subsequently spread laterally and/or exfiltrate sensitive data. Concept #3: Inspect and log all traffic. This reiterates the need to always verify while also making it clear that adequate protection requires more than just strict enforcement of access control. Close and continuous attention must also be paid to exactly what is happening in allowed applications, and the only way to do this is to inspect the content for threats. PAGE 2

Zero Trust and the Endpoint The Zero Trust network concepts outlined above are necessary but not sufficient to combat today s advanced cyber threats. The same rigor must be applied on the endpoint, on the OS, on connected devices, and in memory. This is particularly important, as most resources an attacker might be interested in data and applications will live on the endpoint. For the purposes of this paper, the endpoint is defined as: any computing device or platform potentially subject to attack. Traps and Zero Trust Palo Alto Networks Traps Advanced Endpoint Protection is designed to proactively block attacks targeting endpoints, including unknown malicious executables and zero-day exploits. Traps automatically detects and blocks a core set of techniques that every attacker must link together in order to execute any type of attack, regardless of its complexity. Due to the chain-like nature of an exploit, preventing just one technique in the chain is all that is needed in order to block the entire attack, allowing companies to stop malicious attempts before they can do any damage. The Trap s agent injects itself into each process as it is started. This will automatically trigger and block advanced attacks that would otherwise evade detection. Traps Forensic Data is Collected Process is Terminated User\Admin is Notified Infected document opened by unsuspecting user Traps is seamlessly injected into processes Exploit technique is attempted and blocked by Traps before any malicious activity is initiated Traps reports the event and collects detailed forensics Figure 1: Traps blocks a core set of techniques to stop advanced attacks before they happen If an exploit attempt is made using one of the attack techniques, Traps immediately blocks that technique, terminates the process, and notifies both the user and the admin that an attack was prevented. Throughout each event, Traps collects detailed forensics and reports this information to the Endpoint Security Manager (ESM), resulting in better visibility and an understanding of attacks that were prevented. With Traps, endpoints are always protected, regardless of patch, signature or software-update levels; plus, it requires no prior knowledge of an attack in order to prevent it. To prevent the execution of malicious executables on the endpoint, Traps focuses on three key areas to ensure comprehensive protection. When combined, these methods offer unparalleled malware prevention and include: 1. Policy-based Restrictions: Organizations can easily set up policies restricting specific execution scenarios. For example, you may want to prevent the execution of files from the Outlook tmp directory, or prevent the execution of a particular file type directly from a USB drive. 2. WildFire inspection and analysis: Traps queries the WildFire threat intelligence cloud with a hash and submits any unknown.exe files to assess their standing within the global threat community. 3. Malware Techniques Mitigation: Traps implements technique-based mitigations that prevent attacks by blocking techniques such as thread injection. PAGE 3

WildFire User Tries to Open Executable File Restrictions And Executable Rules HASH Created & Checked Against WildFire Malware Technique Prevention Employed Examples Child Process? Restricted Folder or Device?? Unknown Malicious Benign EXE Examples Thread Injection? Create Suspend? Safe Figure 2: Prevention of malicious executables, a multi-tier approach ESM Forensics Collected Traps fits into the Zero Trust model by operating deep within the operating system and persistently enforcing the Zero Trust concept. No application or attached device should be trusted on the endpoint. Many endpoint security approaches begin by trusting everything and monitoring for known patterns or malicious behaviors, while others attempt to whitelist trusted applications and block all others. Both of these methodologies fall short of implementing Zero Trust on the endpoint, which must be done on multiple levels: Do not trust unknown applications: Executables that have never been seen on the endpoint before should not be trusted. This concept can be applied in two ways: Static Whitelisting: The administrator can establish a static list of approved applications or digital signers that are allowed to run on the endpoint. Dynamic Analysis: The endpoint agent integrates with a dynamic analysis engine that analyzes new executables to determine if they are malicious or not. By leveraging the dynamic-analysis capabilities of WildFire, organizations gain the advantages of the massive scale of this cloud-based threat intelligence service without the need to manage static whitelisting. Do not trust known applications: Whitelisting is not enough. Trusted applications have vulnerabilities that can be exploited by attackers. In order to have Zero Trust on the endpoint, exploitation of trusted applications must be prevented. This involves multiple methods including: Exploit Prevention: The exploit prevention in Traps can be applied to any application, including proprietary, legacy, and industry-specific applications. Child Process Blocking: Some applications should not be allowed to create child processes. This can be enforced by Traps. Do not trust external media: Prevent execution from removable media. The Palo Alto Networks Enterprise Security Platform, which includes Traps Advanced Endpoint Protection, the next-generation firewall, and the WildFire threat-intelligence cloud, enables full implementation of Zero Trust from network to endpoint. PAGE 4

Conclusion In a dynamic and constantly evolving threat environment, it is clear that the enterprise can no longer rely on static defenses. A tight perimeter is no longer an option. Zero-day attacks easily bypass signature-based defenses, and social engineering can readily trick users into executing malware using trusted credentials. Leveraging the Zero Trust model as part of a comprehensive security architecture provides enterprise architects and administrators with a better way to organize and connect their defenses. Palo Alto Networks Traps Advanced Endpoint Protection enables Zero Trust by preventing the execution of malicious executables and exploits, without depending on pre-existing signatures or assuming that a user or application is trusted. For more information regarding the Palo Alto Networks Enterprise Security Platform and its component technologies, please visit www.paloaltonetworks.com. 4401 Great America Parkway Santa Clara, CA 95054 Main: +1.408.753.4000 Sales: +1.866.320.4788 Support: +1.866.898.9087 www.paloaltonetworks.com Copyright 2015, Palo Alto Networks, Inc. All rights reserved. Palo Alto Networks, the Palo Alto Networks Logo, PAN-OS, App-ID and Panorama are trademarks of Palo Alto Networks, Inc. All specifications are subject to change without notice. Palo Alto Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Palo Alto Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. PAN_WP_ZTE_031815

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback