Traps v3.2 Sales Deck March 2015

Date posted: 25-Sep-2015
Uploaded by: trinnychackocr
Description: Palo Alto Networks Traps v3.2 Sales Deck, March 2015

Traps - Advanced Endpoint Protection, March 2015 | ©2014, Palo Alto Networks. Confidential and Proprietary.


Slide 1: Traps Advanced Endpoint Protection, March 2015

This is intended to be a first-touch introduction to Palo Alto Networks. The goal of this presentation is to introduce your audience to key Palo Alto Networks facts, our next-generation security platform, and the rich services and support that we offer directly and through our strategic partners. You should allocate a full 60 minutes to get through this presentation in its entirety.

Slide 2: Harsh Reality: We Are More at Risk than Ever

- 91% increase in targeted attacks in 2013
- 78% of exploit kits utilize vulnerabilities less than two years old
- 71% of breaches involve a targeted user device
- Attackers are well funded and more sophisticated
- Launching zero-day attacks is more accessible and common
- Targeted attacks can only be solved on the endpoint

Unfortunately there isn't a week that goes by where we aren't learning about some new data breach. Up until this point the industry hasn't really kept pace with the increasing sophistication of cyber attacks. Not only are these attacks more targeted in nature, the toolkits that attackers use increasingly draw on a growing pool of software vulnerabilities. Some vulnerabilities are known only to the attacker; these are referred to as zero-day vulnerabilities. Others are known to the general public but have yet to be patched by the software vendor, or patches have yet to be deployed by individuals such as yourself. This is a fact attackers are very much aware of.

The stats paint a very grim picture:
- A 91% increase in targeted attacks in 2013 (Symantec: Internet Security Threat Report, 2014)
- 78% of exploit kits use vulnerabilities that are less than 2 years old and have yet to be patched by the manufacturer or organization (Verizon DBIR, 2013)
- 71% of breaches occur at the expense of a user device (NTT 2014 Global Threat Intelligence Report)

Until today these devices were simply ill-equipped to defend against these targeted attacks. Let's take a closer look at how these attacks happen on the endpoint.

---------------------------------------
Additional background notes:

Exploit kits ramp up their capabilities to leverage recent vulnerabilities: research indicates exploit kit developers are pruning older exploits and favoring new ones, as 78% of current exploit kits are taking advantage of vulnerabilities less than 2 years old. While organizations are getting around to removing, updating or patching older systems, attackers are addressing the eventual change in the environment, knowing that a history of poor maintenance practices is likely to repeat. (Verizon DBIR, 2013)

Organizations are at risk from vulnerabilities in the wild: data collected in 2013 demonstrates that organizations are not protected against common vulnerabilities which are included in widely distributed exploit kits and pose a significant threat to their organizational security. NTT identified the top 10 vulnerabilities found in customer environments that are also present in exploit kits. (NTT 2014 Global Threat Intelligence Report)

Slide 3: Understanding the Threat: Exploit vs. Malicious Executable, What's the Difference?

Exploit:
- Malformed data file that is processed by a legitimate app
- Takes advantage of a vulnerability in the legitimate app which allows the attacker to run code
- Tricks the legitimate application into running the attacker's code
- Small payload

Malicious executable:
- Malicious code that comes in an executable file form
- Does not rely on any application vulnerability
- Already executes code; aims to control the machine
- Large payload

Regardless of the purpose, all attacks must begin with an initial compromise of an endpoint system. Today, there are really only two methods for an attacker to accomplish this initial objective:

First, they can lure an unsuspecting employee into executing a file (.exe), at which point malicious code (malware) is injected into their system. From there the attacker can easily establish control of that system, build a communication channel to an external command-and-control network, then move laterally through the organization infecting other systems until they reach their final target.

Or, they can utilize a more sophisticated technique that takes advantage of a security flaw, glitch or weakness within software or an operating system to launch their attack. These software or OS vulnerabilities can be used to grant the attacker administrative privileges on the end user's device without their knowledge. As long as that system remains unpatched by the manufacturer and/or organization, that individual user remains at risk of attack. And similar to the above, once they have control of that system they can begin the process of establishing communication and moving laterally.

Slide 4: A Typical Cyber Attack Life Cycle: Prevention of an Attack at the Earliest Stage is Critical

Traps exploit and malware prevention blocks the attack before any malicious activity can initiate.

Stages of the attack (preventive controls apply at the early stages, reactive controls at the later ones):
- Plan the attack: gather intelligence
- Silent infection: leverage exploit
- Execute malware: malicious file executed
- Control channel: malware communicates with attacker
- Steal data: data theft, sabotage, destruction

Let's look at how that might play out:

First, the attacker will often gather intelligence on the target in order to determine the most effective attack. They are looking to determine what applications are commonly used by the victim so they can find a way to exploit one of those applications. They are also looking at social networks and other data sources to determine names of trusted colleagues or business partners that can be used to persuade the victim to open an attached document or click on a link.

Next, the victim is persuaded to open a document or click on a link that causes an application to be exploited. This can be any common application, and the file or link will typically open as normal, giving the user no indication that an attack is under way. However, in the background the exploit is leveraging a vulnerability in the application in order to execute its malicious code. That malicious code often involves downloading malware onto the endpoint, but it does not have to download malware. The entire attack can happen in memory with no new files created.

Next, the malware downloaded by the exploit code is executed. This malware may involve one or more files downloaded onto the victim's endpoint, or it may involve a fileless infection in which everything remains in memory, making it even more difficult to detect by traditional anti-virus solutions. The malware often makes itself persistent by inserting itself into the registry and replacing OS components.

Next, the malware will establish communication back to the attacker's command and control (C&C) servers. This communication often occurs over an encrypted SSL channel that may not be recognized as malicious by network layer controls. Once a connection to C&C is established, the attacker may issue instructions to download additional malware, or move laterally within the victim network in search of a higher value target. This C&C might not be established in a typical way that can be detected by IPS. For example, the malware might send data back to the attacker via a seemingly legitimate SMTP e-mail.

Finally, the attacker reaches his ultimate goal, which may be data theft, sabotage, or destruction. This often will go on for months before it is detected.

Slide 5: Advanced Endpoint Protection: Why?

Today's harsh reality: detection alone is not a strategy.
- 84% of attacks discovered via third party
- 225 average days to detect a targeted attack

Traditional detection:
- Requires prior knowledge
- Scanning vs. activity-focused
- Can be reverse engineered

Detection and remediation:
- Malicious activity can disable detection
- Remediation takes a great effort
- Too much noise; detection is ignored

Network-layer security:
- Can't see all content
- No visibility into endpoint infections
- Hard to block malicious activity on legitimate protocols

Cloud-based emulation:
- Can't simulate all environments
- Threat emulation can be identified by the malware
- Can't enforce actions on the endpoint

Unfortunately there remains a large number of attack vectors that simply can't be prevented by the network and can only be dealt with at the actual endpoint. For example, some of those vectors specifically target users who are not operating within their corporate network, using insecure WiFi or removable USB media. For that reason your architecture must include both network and endpoint security.

Traditional detection fails for a few reasons: these techniques require prior knowledge of known patterns or behaviors in order to prevent an attack. The harsh reality is that targeted attacks often employ threats that have never been seen before: zero-day vulnerabilities known only to the attacker and not to your defenses, or customized malware that has never been seen and thus has no deployed prevention mechanisms (signatures). These approaches simply can't handle attacks that utilize unknown threats. This is where most antivirus and/or IPS related solutions fall down. Furthermore, they are easily reverse engineered. Sites like VirusTotal allow you to check whether a piece of malware will be detected by anti-virus. An attacker can simply keep modifying the malware until it passes the VirusTotal checks.

Detection and remediation: an entire category of tools is dedicated to threat detection and remediation. These tools offer event correlation and forensics, and can attempt to mitigate the damage after systems have been infected. The problem here is twofold: 1) this approach implies that we will first let the systems become infected, rather than prevent infection, and 2) due to the large number of events encountered by security operations teams on a regular basis, the detection of a significant threat often gets lost in a sea of white noise.

Network layer security: network layer controls are important, especially for segmentation, but the fact remains that the network cannot have complete visibility. Users might be mobile, so their traffic is not going over the corporate network, or malicious activity might be occurring over legitimate protocols.

Cloud based emulation: cloud based dynamic analysis, like WildFire, can be quite effective in identifying malware coming in over the corporate network, but many emulation solutions are less robust and none of them can defend against a targeted threat. For example, malware can be configured to only run if the logged-in user name matches the targeted victim. This type of attack targeting an individual will not likely be detected in a simulated environment. Additionally, the emulation environment might use versions of applications that do not match the exact versions being used by the end user, resulting in exploits that work on the end-user device but not in the emulation environment.

This is why we believe the endpoint is the last line of defense, and we have a unique approach to endpoint security that prevents, rather than detects, advanced threats.

__________________________
Note: Make sure it's clear that while highly effective for most threats, our NGFW + WildFire can't protect against 100% of the attacks. There remain a number of vectors that can only be protected by endpoints, including instances where the endpoint may be operating outside the protective environment of the organization and is therefore exposed to the dangers of an insecure network environment.

Slide 6: Advanced Endpoint Protection: The Right Way to Deal with Advanced Cyber Threats

- Prevent exploits, including zero-day exploits
- Prevent malicious executables, including advanced and unknown malware
- Collect attempted-attack forensics for further analysis
- Scalable, lightweight, full coverage: apply protection to any application with minimal user impact
- Integrate with network and cloud security for data exchange and cross-organization protection

What we believe is that customers need a completely new kind of endpoint protection that actually prevents advanced threats. The purpose of this meeting today is to introduce you to a disruptive new technology that we have developed that does exactly that.

To do so you need an advanced endpoint solution, which we believe must follow 5 core principles:
- Prevent all exploits, including those utilizing zero-day vulnerabilities.
- Prevent all malware, including malware that has never been seen before.
- Collect detailed forensics to aid in further analysis once an attack has been blocked.
- Be scalable, lightweight and user friendly. Prevention can't come at the expense of your normal operating procedure.
- Integrate tightly with your network security and cloud security architecture for quick data exchange and protection across your organization.

If you remember anything today, it's that any solution must meet these five requirements in order to protect against advanced attacks. We strongly believe in these requirements, which is why they are the core of Traps.

Slide 7: Block the Core Techniques, Not the Individual Attacks

Number of new variants each year:
- Individual attacks, software vulnerability exploits: thousands of new vulnerabilities and exploits (1,000s)
- Core techniques, exploitation techniques: only two to four new exploit techniques (2-4)
- Individual attacks, malware: millions of new malware variations (1,000,000s)
- Core techniques, malware techniques: tens of new malware sub-techniques (~10s)

As we examined these requirements we realized an entirely new approach would be needed in order to effectively block threats that have never been seen before. When we looked at the number of variants each year, we chose to focus our efforts on blocking the core techniques that attackers use rather than the threat itself. As it turns out, there is a finite number of techniques that can be employed for an attacker to achieve their objectives, and these techniques don't change frequently when compared to the actual number of new vulnerabilities and malware.

So our strategy was actually quite simple: if we could successfully disrupt the technique, then the attack would be thwarted.

So, relative to exploit-driven attacks, we focused on the exploit techniques and not the thousands of vulnerabilities that emerge each year.

For malware it's similar, in that we've focused on the malware techniques as opposed to the millions of individual pieces of malware that emerge each year.

So that's how you have to think about the problem: focus on the core techniques for exploits and malware specifically.

---------------------------------------
Additional points you may want to raise:

Currently the total number of exploit techniques available to attackers numbers in the mid-20s. You can use Heap Spray as an example to articulate how complicated these techniques are and how infrequently they're created. Heap Spray took two years for academia to develop. Once it was developed, the attacker community got hold of the technique and began to use it within their toolkits. In parallel we were working with the universities to build mechanisms to block this exploit technique through Traps, so when Heap Spray was exposed to the attacker community we were already prepared to prevent it through Traps.

Slide 8: Exploit Techniques

Normal application execution -> Heap Spray -> DEP Circumvention -> Utilizing OS Function -> Begin malicious activity (activate key logger, steal critical data, more). Gaps are vulnerabilities.

Exploit attack:
1. Exploit attempt contained in a PDF sent by a known entity.
2. PDF is opened and exploit techniques are set in motion to exploit a vulnerability in Acrobat Reader.
3. Exploit evades AV and drops a malware payload onto the target.
4. Malware evades AV, runs in memory.

To gain a better understanding of these exploit techniques and how they are used by attackers, let's walk through an example:

The graphic here represents an application, Adobe Acrobat Reader for example. As with most applications, this application has a certain number of vulnerabilities. Some may be known, in which case patches might be available. Other vulnerabilities have yet to be discovered. The application normally runs its normal functions (for example, display a document, print, etc.). The attacker's goal is to cause the application to do something it is not meant to do (i.e., run a piece of code supplied by the attacker). In order to make that happen, the attacker needs to use a series of exploit techniques, in a particular order. If those techniques succeed, the attacker can exploit a vulnerability in the application.

So the user in this example opens the PDF document, the document displays as it normally would, but in the background these techniques are set in motion.

[Click forward, showing the 3 exploit techniques]

If all three of these techniques succeed (and they often do, because anti-virus is not good at detecting them), the Acrobat Reader software is exploited and malware can be executed.

[Click forward to Begin Malicious Activity]

Slide 9: Exploit Techniques (with Traps EPM)

Normal application execution -> Heap Spray [Traps EPM] -> No malicious activity.

Exploit attack:
1. Exploit attempt contained in a PDF sent by a known entity.
2. PDF is opened and exploit techniques are set in motion to exploit a vulnerability in Acrobat Reader.
3. Exploit evades AV and drops a malware payload onto the target.
4. Malware evades AV, runs in memory.

Traps Exploit Prevention Modules (EPM):
1. Exploit attempt blocked. Traps requires no prior knowledge of the vulnerability.

Now let's look at the same scenario again, this time with our Traps Exploit Prevention Modules in place. Our Traps Advanced Endpoint Protection agent runs on the endpoint and injects these exploit prevention modules into each application that runs. This process is seamless and transparent to the end user.

Note that the exploit prevention modules require no knowledge of where the vulnerabilities are in the application. So you are protected from exploitation of both known and unknown vulnerabilities.

[Click forward: Exploit Technique Blocked]

As you can see, as soon as the exploit technique is attempted, it is blocked by Traps. At this point Traps would terminate the application and send a notification to the end user and the administrator console with detailed information about the attempted attack.

No malicious code was allowed to execute, so no harm has been done.

Now you might be wondering: what if the attacker invents a new exploit technique? Or what if the attacker is able to circumvent one of the exploit prevention modules? [Click forward]

Slide 10: Exploit Techniques (with EPM #1 bypassed)

Normal application execution -> Heap Spray (EPM #1 off, technique succeeds) -> DEP Circumvention [Traps EPM] -> No malicious activity.

Exploit attack:
1. Exploit attempt contained in a PDF sent by a known entity.
2. PDF is opened and exploit techniques are set in motion to exploit a vulnerability in Acrobat Reader.
3. Exploit evades AV and drops a malware payload onto the target.
4. Malware evades AV, runs in memory.

Traps Exploit Prevention Modules (EPM):
1. Exploit attempt blocked. Traps requires no prior knowledge of the vulnerability.
2. If you turn off EPM #1, the first technique will succeed but the next one will be blocked, still preventing malicious activity.

As mentioned previously, an attack will only be successful if a series of exploit techniques succeed, usually 3-5.

So let's walk through the scenario where the first exploit prevention module is bypassed and exploit technique #1 succeeds.

[Click] [Click again to show the second exploit technique being blocked]

Due to the chain-like nature of exploit techniques, even if one succeeds, the next one will be blocked. This will break the chain and prevent successful exploitation of the vulnerable application. So despite the fact that one technique succeeded, the exploit still failed and no malicious activity occurred on the system.

[Click: No Malicious Activity comes up and the file type starts changing from PDF to other types]

Remember, we use Adobe Acrobat as an example here, but this can be any application, including proprietary applications. The nature of the Traps exploit prevention modules is such that they do not require any prior knowledge of the application, how it works, or its vulnerabilities.

Slide 11: Prevention of One Technique in the Chain will Block the Entire Attack

Exploit prevention case study: unknown exploits utilize known techniques. For each vulnerability the slide shows the chain of exploit techniques and the Traps modules labelled alongside them:
- IE zero-day, CVE-2013-3893: Heap Spray, DEP Circumvention, UASLR, ROP / Utilizing OS Function; Traps modules: ROP Mitigation / DLL Security
- Adobe Reader, CVE-2013-3346: Heap Spray, DEP Circumvention, UASLR, Utilizing OS Function; Traps modules: Memory Limit Heap Spray Check and Shellcode Preallocation, DLL Security
- Adobe Flash, CVE-2015-3010/0311: ROP, JIT Spray, Utilizing OS Function; Traps modules: ROP Mitigation, J01, DLL Security, Memory Limit Heap Spray Check

Let's drill down into how that works using real zero-days as an example. Here are a few vulnerabilities utilized in various attacks:

IE zero-day, CVE-2013-3893: Operation Deputy Dog, an attack campaign used to attack Japanese targets. The attack utilized a vulnerability in the way Internet Explorer accesses an object in memory that has been deleted, allowing an attacker to execute code on a machine just by having the user visit a malicious website.

Adobe Reader, CVE-2013-3346: Turla, also known as Snake or Uroburos, is one of the most sophisticated ongoing cyber-espionage campaigns. Attackers used spear-phishing e-mails utilizing a vulnerability in Adobe Reader; this attack was, and is still, successful in the wild.

Adobe Flash, CVE-2015-3010/0311: a vulnerability used as the primary vector of attack in a cyber espionage campaign on Forbes.com targeting US financial services and defense companies.

In all the above attacks, the actual process of exploiting a system via a vulnerability is the same: it involves the use of multiple techniques working in concert. In order for an attack to be successful the attacker must execute each of these exploit techniques in a path that has multiple stages leading to the execution of the malicious activity. In these CVE examples you can see the exploit techniques used in each of the stages of the attack.

They can't begin their malicious activity until they've concluded these steps. Some attacks may involve more steps, some may involve less. In all cases you can count on at least two or three techniques that must be used in order to exploit that endpoint. The reason why I'm providing this background is because it's important to understand the process an attacker must take, the chain of events their exploit must follow, in order to achieve their objectives. If you understand this process it will be easy to understand the approach we've taken with Traps. At a basic level, Traps employs a series of prevention modules aimed at blocking the different exploit techniques available to attackers. These modules operate like traps, injected into the user processes, and designed to block the attacker's exploit technique as soon as it's used.

It's critical that your approach be able to block all techniques. These techniques can be grouped into the following four buckets [Click]. In each case we're able to block the attack without having any prior knowledge of the vulnerability. This didn't require signatures or software updates to prevent, even though an attack may have involved a zero-day that had never been seen before.

Slide 12: Exploit Prevention User Experience

When an exploitation attempt is made, the exploit hits a trap and fails before any malicious activity is initiated:
1. Infected document opened by an unsuspecting user.
2. Traps is seamlessly injected into processes.
3. Exploit technique is attempted and blocked by Traps before any malicious activity is initiated.
4. Traps reports the event and collects detailed forensics; the process is terminated and forensic data is collected.
5. User and admin are notified.

Let's show how this looks to the individual user and admin.

In this next example a user opens a document, then Traps seamlessly injects itself (in the form of prevention modules) into the process. It's important to note that Traps isn't scanning or monitoring for malicious activity. These are static traps set up within the processes, ready to block any exploit technique the second it's used. There's a massive scalability benefit to this approach, as very little CPU and memory are used. (We'll cover this in more detail shortly.)

Once Traps has injected itself into the process, that process is then shielded from any exploit. If an exploit attempt is made, Traps will immediately block the technique or techniques, terminate the process, and notify both the user and the admin that an attack was thwarted. In addition, Traps will collect detailed forensics and report that information to the Endpoint Security Manager (ESM).

If no attack is made, it's business as usual for that user and process. The user has no idea any preventative measures were deployed behind the scenes, given the minimal resource utilization.

---------------------------------------
Optional when/if needed:

We protect any process based on configuration. There are ~100 processes by default that are protected within Traps, and up to 500 versions are supported based on configuration, so any time those processes are spun up, Traps gets injected. You have to inject Traps at the time that the process is started, not necessarily the time the file is loaded. A good example of that would be: I open a Word document, the Microsoft Word process is started, and we have to inject as high up into that stack as we possibly can to be successful, regardless of whether that Word document was good or bad. If I now open a second Word document it's being opened in the same process, so we have to make sure that we're always there.

Slide 13: Preventing Malicious Executables on All Fronts

- Advanced Execution Control: reduce the surface area of attack. Control execution scenarios based on file location, device, child processes, unsigned executables. Local hash control allows for granular system hardening.
- WildFire Inspection and Analysis: dynamic analysis with cloud-based threat intelligence. 61% of malicious files identified by WildFire are not detected by the top 6 enterprise AV products.
- Malware Techniques Mitigation: prevent unknown malware with technique-based mitigation (example: thread injection).

Now we turn our attention to malware prevention. There are three basic components within our approach:

First, there are specific scenarios in which you may want to implement Advanced Execution Control in order to reduce your attack surface. One simple example could be preventing the execution of a particular file type directly from removable media. For example, you may want to prevent any portable executables from being run directly from a USB key. By controlling the source of file installation you can significantly reduce your risk. Traps execution control provides granular control of global policies to control child processes, folders, unsigned executables, etc., as well as system hardening capabilities by allowing granular control over which applications or hashes should or should not be allowed to run.

Then, for the files that you still do allow to run, Traps queries the WildFire threat cloud with a hash to see if it's already been detected as malicious elsewhere within the community. If the file is unknown, Traps will submit the unknown .exe files to assess their standing within the global threat community.

And finally, Traps will once again implement preventative measures within the endpoint to block the use of techniques that malware will employ. Traps implements technique-based mitigations that prevent attacks by blocking techniques such as thread injection and create suspend.

---------------------------------------
Optional example of where a policy-based restriction could have helped:

Here's why you don't allow executable files from attached media. At the United States NSA (the National Security Agency) a good Samaritan found a USB stick in the parking lot and promptly plugged it into their computer because they wanted to try and figure out who it belonged to. Unfortunately for that individual, this was a designed attack that utilized a USB stick with embedded malware as its weapon. That's one of the most simple examples as to why it's important to consider your attack surface and how you can easily de-risk your environment. If it can happen to the NSA, it can happen to anyone.

Slide 14: The Most Comprehensive Approach to Endpoint Protection

- Exploit prevention: 20+ Exploit Prevention Modules
- Advanced Execution Control: local hash management, execution restrictions
- WildFire integration
- Malware Prevention Modules

As we said earlier, only an advanced endpoint solution can provide comprehensive protection against advanced threats on the endpoint, by placing multiple preventive controls across the stages of the advanced attack. Here's how that looks played out together.

Slide 15: Example: Traps Kill-Points Through the Attack Life Cycle

Attack stages: Delivery -> Exploitation -> Download and Execute -> Malicious Behavior. Kill-points along the way:
- Traps Exploit Protection (memory corruption, logic flaws): 1. Exploitation Technique 1, 2. Exploitation Technique 2, 3. Exploitation Technique 3 (examples: utilization of OS functions, JIT, Heap Spray)
- Advanced Execution Control: 4. Execution Restriction 1 (child process), 5. Execution Restriction 2 (unsigned executable), 6. Execution Restriction 3 (restricted location)
- Intelligence and emulation: 7. Local Verdict Check (admin pre-set verdicts), 8. WildFire Verdict Check (WildFire known verdict), 9. WildFire Inspection (on-demand inspection)
- Traps Malware Protection: 10. Malicious Thread Injection (injection attempts blocked)

[If used as a more extensive version of the previous slide]

As we said earlier, only an advanced endpoint solution can provide comprehensive protection against advanced threats on the endpoint, by placing multiple preventive controls across the stages of the advanced attack. Here's how that looks played out together.

[If used in addition to the previous slide] Let's look at an example of how these multiple preventive controls would act to prevent an advanced or zero-day attack. Despite the multiple controls in Traps, ONLY ONE point of prevention on the kill chain is needed to thwart the entire attack. Goodbye detection and response.

If the attack cycle begins with an exploited software vulnerability, our exploit mitigation modules will mitigate the attack already at the first stage. In the worst case scenario, where the first technique in the attack is new (extremely rare: 2-4 a year), Traps will mitigate the following technique, preventing the attack entirely.

If the attacker's vector of attack begins with the use of a malicious executable, engineering the user to download and execute it, Traps' multiple advanced execution controls will restrict child processes, folders, unsigned executables, etc., as well as any additional controls set up by the administrator, such as management of hashes and verdicts determining what files or applications should or should not run within the organization.

If no restrictions are in place to prevent the execution of the malicious file, the file will run, but it is subject to another layer of protection: the technique-based mitigations that prevent attacks by blocking the techniques used by the attacker when executing the malicious file, such as thread injection and create suspend.

All in all, Traps is the most robust and comprehensive Advanced Endpoint Protection, preventing the attack BEFORE any malicious activity is initiated.
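The kill-point sequence described above (exploit chain broken by one intercepted technique, then execution restrictions, local and WildFire verdicts, then malware-technique mitigation) as a runnable policy walk-through; this is an added illustration, not Palo Alto Networks or Traps code. The technique identifiers, policy rules, placeholder hashes and sample attacks are constructed for the example, and the control order follows the kill-point numbering on the slide.

```python
"""Kill-point walk-through of the layered endpoint controls on slides 10, 13 and 15.
Added illustration, not Traps code: technique names, policy rules, hashes and
attacks below are constructed. An attack passes through the stages exploitation,
download-and-execute and malicious behaviour; the policy is evaluated stage by
stage and the attack stops at the first control that intercepts it."""
from dataclasses import dataclass, field
from typing import Optional

# Sample exploit techniques intercepted by the EPM set, and malware techniques
# blocked by the malware prevention modules (names from the deck, sets assumed).
DEFAULT_EPM = {"heap_spray", "dep_circumvention", "rop", "jit_spray", "utilize_os_function"}
DEFAULT_MALWARE_MODULES = {"thread_injection", "create_suspend"}

@dataclass
class Executable:
    sha256: str          # constructed placeholder, not a real file hash
    signed: bool
    location: str        # e.g. "removable_media", "user_downloads"
    parent: str          # process that launched it

@dataclass
class Attack:
    exploit_chain: list             # ordered exploit techniques; empty for a plain .exe lure
    dropped: Optional[Executable]   # payload written to disk and run; None = stays in memory
    malware_techniques: list        # techniques the running payload uses

@dataclass
class Policy:
    epm: set
    malware_modules: set
    block_unsigned: bool = True
    restricted_locations: tuple = ("removable_media",)
    child_process_parents: tuple = ("winword.exe", "acrord32.exe")  # may not spawn executables
    local_verdicts: dict = field(default_factory=dict)     # sha256 -> "allow" | "block" (admin)
    wildfire_verdicts: dict = field(default_factory=dict)  # sha256 -> "benign" | "malware"

def evaluate(attack: Attack, policy: Policy):
    """Return (outcome, kill_point); outcome is "blocked" or "compromised"."""
    # Kill points 1-3: one intercepted technique breaks the whole exploit chain.
    for i, tech in enumerate(attack.exploit_chain, 1):
        if tech in policy.epm:
            return "blocked", f"exploitation technique {i} ({tech})"
    exe = attack.dropped
    if exe is None:
        # Every technique in the chain was unknown and nothing touched disk.
        return "compromised", "exploit chain completed, payload ran in memory"
    # Kill points 4-6: advanced execution control, in the order shown on slide 15.
    if exe.parent.lower() in policy.child_process_parents:
        return "blocked", "execution restriction 1 (child process)"
    if policy.block_unsigned and not exe.signed:
        return "blocked", "execution restriction 2 (unsigned executable)"
    if exe.location in policy.restricted_locations:
        return "blocked", "execution restriction 3 (restricted location)"
    # Kill point 7: an admin pre-set verdict wins over anything WildFire says.
    local = policy.local_verdicts.get(exe.sha256)
    if local == "block":
        return "blocked", "local verdict check"
    if local != "allow":
        # Kill points 8-9: a known WildFire verdict blocks; an unknown hash is
        # submitted for inspection while execution continues.
        if policy.wildfire_verdicts.get(exe.sha256) == "malware":
            return "blocked", "WildFire verdict check"
    # Kill point 10: technique-based mitigation on the running payload.
    for tech in attack.malware_techniques:
        if tech in policy.malware_modules:
            return "blocked", f"malware technique mitigation ({tech})"
    return "compromised", "no control intercepted the attack"

def default_policy(disabled_epm=()):
    """Build the sample policy; disabled_epm simulates switching EPMs off (slide 10)."""
    return Policy(epm=DEFAULT_EPM - set(disabled_epm),
                  malware_modules=set(DEFAULT_MALWARE_MODULES),
                  wildfire_verdicts={"HASH-KNOWN-MALWARE": "malware"})

# Constructed scenarios mirroring the deck's walk-throughs.
READER_CHAIN = ["heap_spray", "dep_circumvention", "utilize_os_function"]
SCENARIOS = {
    "reader_exploit": Attack(READER_CHAIN, None, []),
    "usb_lure": Attack([], Executable("HASH-USB", False, "removable_media", "explorer.exe"),
                       ["thread_injection"]),
    "known_malware": Attack([], Executable("HASH-KNOWN-MALWARE", True, "user_downloads",
                                           "explorer.exe"), []),
    "unknown_injector": Attack([], Executable("HASH-NEW", True, "user_downloads", "explorer.exe"),
                               ["thread_injection"]),
    "unknown_quiet": Attack([], Executable("HASH-NEW", True, "user_downloads", "explorer.exe"),
                            ["beacon"]),   # unknown file using no mitigated technique
}

def run_scenarios(policy: Policy):
    """Evaluate every constructed scenario under the given policy."""
    return {name: evaluate(attack, policy) for name, attack in SCENARIOS.items()}

if __name__ == "__main__":
    for name, (outcome, point) in run_scenarios(default_policy()).items():
        print(f"{name:18} -> {outcome:12} {point}")
    # Slide 10: EPM for technique 1 switched off; the next technique still breaks the chain.
    print("EPM #1 off         ->", evaluate(SCENARIOS["reader_exploit"], default_policy(["heap_spray"])))
```

The last scenario shows the residual risk the deck itself acknowledges: a signed, unknown file that uses no mitigated technique reaches the "compromised" outcome until WildFire inspection returns a verdict.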

15Time stamp and full memory dumpTriggering file (non-executable)File source, names and paths including parents grandparents and child processes Prevented exploitation techniqueIP addressOS versionVersion of attempted vulnerable softwareComponents loaded to memory underattacked processIndications of further memory corruption activity User name and computer nameAccessed URIs; Java applets source URIs Relevant DLL retrievals with their path Relevant files from temp internet foldersTraps Automated Dump Analysis Secondary analysis indicates techniques detectedOngoing Forensics and Attack-Triggered CaptureOngoing RecordingAttack-Related ForensicsExploit or Malware Hitsa Trap and TriggersReal-Time PreventionAny Files ExecutionTime of executionFile nameFile HASHUser nameComputer nameIP addressOS versionFiles malicious historyAs I mentioned earlier its crucial that your endpoint protection solution provide insightful forensics whenever a exploit or use of malware is blocked.

Relevant endpoint activity is captured, with expanded reporting capabilities and customizable on-demand forensics, and shared with the Endpoint Security Manager server for collection. You can then search across the rest of your network, so even if Traps is not installed on every endpoint you can still use that information for quick remediation. Traps then performs a secondary analysis of the security event: the memory records are analyzed automatically to extract data and scan for traces of malicious activity, such as heap sprays and ROP chains.

16  Endpoint Security Manager (ESM): 3-Tier Management Structure

- ESM Console
- Database
- ESM Servers (each supports 50,000 endpoints; scales horizontally)

All-in-one management center:
- Configuration management
- Logging and DB query
- Admin dashboard and security overview
- Forensics captures
- Integration configuration

Components in the diagram: WildFire; external logging platform; ESM Server(s); endpoints running Traps; forensic folder(s).

There are a couple of things to understand with regard to ESM.

First, we follow a three-tier management structure: the ESM Console, a database, and a series of ESM Servers, each of which supports approximately 50,000 endpoints.

This structure allows you to scale your Traps environment horizontally while still maintaining a centralized configuration and database for policies and so on. All of the configuration management, logging, administrative dashboards and forensics capture are handled centrally within the ESM. The ESM also handles the communication with WildFire when hashes and files are sent for inspection.

To support large-scale or multi-site deployments, you can deploy multiple ESM Servers, each with its own network forensic folder, and manage them from a central ESM Console. Each ESM Server connects to a shared database that stores security policies, agent information and events, and can upload forensic data to a dedicated quarantine folder.

17  Coverage and System Requirements

Supported operating systems
- Workstations (physical and virtual): Windows XP SP3, Windows Vista SP2, Windows 7, Windows 8 / 8.1
- Servers (physical and virtual): Windows Server 2003 (+R2), Windows Server 2008 (+R2), Windows Server 2012 (+R2)

Footprint: 25 MB RAM, 0.1% CPU, no scanning

Application coverage: the default policy covers 100+ processes; new processes are detected automatically; any application can be protected.

Traps is supported across many different platforms: desktops, servers, industrial control systems, smart grids and even retail POS systems, anything that runs Microsoft Windows. We currently support the Windows-based operating systems listed above: XP, Vista, 7, 8/8.1 and Windows Server 2003, 2008 and 2012.

And as I mentioned earlier, because Traps operates in a somewhat static capacity and doesn't scan for malicious activity, our resource utilization is very low: CPU utilization is at most 0.1%, and memory tops out at 25 MB. It's safe to say users will have no idea Traps is working for them behind the scenes.

Traps is able to protect any application from exploitation. It is automatically enabled on over 100 applications out of the box, and every time a new application runs on any endpoint it is added to the list in the ESM Console, which allows the administrator to easily enable protection for it.

18  Benefits

- Prevent zero-day vulnerabilities and unknown malware
- Install patches on your own schedule
- Protect ANY application from exploits
- Minimal performance impact
- Save time and money
- Signature-less: no frequent updates
- Network and cloud integration

The benefits of the unique approach that Traps takes should be clear:

- Coverage for zero-day vulnerabilities and unknown malware: rather than waiting for signatures or indicators of compromise to be released, you remain protected from the newest, most advanced threats.
- Install patches on your own schedule: vulnerabilities exist long before patches are released, and deploying patches can be a lengthy and cumbersome process. IT teams struggle to ensure patches are thoroughly tested and deployed to all endpoints within a reasonable timeframe. Furthermore, nearly every organization has legacy systems that for one reason or another cannot be patched. With advanced endpoint protection, endpoints are protected regardless of patch level.
- Protect any application from exploits: the focus on exploit techniques rather than application-specific characteristics means this protection can be extended to any application. While many endpoint security products protect only a few commonly used applications from exploitation, our approach is used by customers to protect hundreds of proprietary applications.
- Minimal performance impact: this approach does not rely on system scanning, virtualization or any other bloated technology. The agent is lightweight and non-intrusive, and can be completely invisible to the end user.
- Saves time and money: when you prevent attacks, you no longer have to deal with the costs of remediation and end-user downtime that often result from malware infection, especially when systems have to be re-imaged.
- Ease of management, no frequent updates: one of the problems with traditional endpoint protection products is the need to constantly deploy signature updates. Traps focuses on a small set of techniques that do not require frequent updates.
- Threat intelligence through WildFire integration: WildFire customers benefit from a threat intelligence ecosystem with over one million samples submitted daily by the community. Automated upload and analysis of unknown executables ensures that every new executable launched on an endpoint can be analyzed.

19  The Value of an Integrated Platform: Natively Integrated, Extensible, Automated

- Cloud: Threat Intelligence Cloud (WildFire)
- Network: Next-Generation Firewall
- Endpoint: Advanced Endpoint Protection (Traps)

Flow: unknown files are sent to the cloud for analysis; verdicts are queried back.

Organizations feel their architecture provides them with limited visibility. The Palo Alto Networks platform is purpose-built, natively integrated, extensible and fully automated. What does that mean exactly? As we discussed earlier, it is not enough to have even the best endpoint security if it can't communicate its intelligence to the rest of the organization's critical points. Unknown files detected on the network are continuously shared with WildFire for analysis, and now, with Traps protecting the endpoints and sending unknown executables to WildFire, complete end-to-end visibility can finally be achieved.

WildFire analyzes the unknown files and publishes signatures every 15 minutes for WildFire subscribers and within 24-48 hours for Threat Prevention customers, building our global threat intelligence repository and ultimately reducing the attack surface and dwell time.

To keep its intelligence up to date, the ESM Server queries WildFire every 30 minutes for changes to verdicts (for example from benign to malicious), and keeps doing so for 30 days after the first query.


22-23  The Value of WildFire on the Endpoint: Unknown Files

- 54% of the malicious files submitted in the last quarter had never been seen before by VirusTotal.
- 61% are zero-day threats and will not be detected by leading enterprise antivirus products.

The platform integration between Traps and WildFire provides real-time intelligence from our global community through a threat cloud, delivering automated real-time threat prevention without the need for frequent updates.

WildFire's threat intelligence significantly increases security posture and protection against unknown malware.

These numbers are based on the total number of files submitted to WildFire from December 2014 to February 2015: 54% of the malicious files submitted in the last quarter had never been seen by VirusTotal, and 61% of the malicious files were undetected by the top 6 enterprise AV vendors (measured with an internal multi-scanner that passes each malware sample through the top 6 enterprise AV products to see whether it is detected).

23  The Right Way to Prevent Malicious Executables

User tries to open an executable file (EXE)
-> Restrictions and executable rules (examples: child process? restricted folder or device?)
-> Hash checked against WildFire via the ESM: benign / malicious / unknown?
-> Malware technique prevention employed (examples: thread injection? create-suspend?)
-> Outcome: safe, or execution stopped; forensics collected

Here's how that looks in practice:

When a user goes to open an executable file, we first check whether any policy-based restrictions apply. Is the file coming from attached media, is it a child process, is it in a restricted folder or on a restricted device? These policies have extended, granular whitelist functionality to provide business flexibility without the security risk. If any policy is triggered, the file is not allowed to execute.

If no policy fires, we take a hash of the file and send it to WildFire for inspection. If the hash is known to be bad, the file is again blocked. If WildFire returns an unknown verdict, the ESM Server can automatically submit the unknown executable file to WildFire for analysis.

Depending on configuration, if the file is allowed to execute, our malware technique mitigation engine is waiting to block any malicious activity (thread injection, abuse of OS components). If any malware technique is employed, the file is blocked.

The net result of all these steps is that malware can't run: it is stopped before malicious activity is allowed to proceed.

24  WildFire Integration

User tries to open an executable file (EXE)
-> Local agent cache: unknown / benign / malicious?
-> ESM Server cache: unknown / benign / malicious?
-> WildFire: unknown / benign / malicious?
-> Unknown: .exe file uploaded to WildFire for analysis
Outcome: safe, or execution stopped

ESM Console: WildFire reporting and analysis; verdict override (override? or revoke?); changed hash verdict saved to the ESM Server.

Here's a closer look at how Traps integrates with WildFire.

When the WildFire policy is enabled, each time an executable file attempts to run, Traps first checks the file hash against the local Traps agent cache on the endpoint. If the file has run on that endpoint before, its hash is in the local cache along with a verdict.

If the executable has never run on that endpoint before, the query is passed to the Endpoint Security Manager server.

If this is the first time the executable has been seen in the organization, the ESM Server contacts the WildFire cloud for a verdict. Since WildFire receives over 1 million new files per day, there is a good chance the file has already been analyzed. If WildFire returns an unknown verdict, the ESM Server can automatically submit the unknown executable file to WildFire for analysis.

What makes this integration even more unique is that WildFire verdicts can be overridden or revoked by the administrator, who can use the WildFire report associated with each hash verdict to decide whether to revoke or override it. As mentioned before, this is ideal for critical or closed systems that require more hardened rules for executables. With this feature the administrator can upload or specify the file hashes that should or should not be allowed to run, without affecting the global WildFire verdict.
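The execution-control flow described on the two preceding slides (policy restrictions first, then a hash verdict from the local agent cache, the ESM Server cache and WildFire, with unknown files uploaded and administrator overrides on top) together with the periodic verdict re-query, as an added example that is not Palo Alto Networks code. It is a small Python model: every class name, policy rule and data store is a hypothetical stand-in, the WildFire cloud is an in-memory dict, the sample files are constructed byte strings rather than real executables, and the run-time technique mitigation stage and the 30-minute/30-day timing are not modelled.

```python
"""Added example (not Palo Alto Networks code): a model of the Traps/ESM/WildFire
executable-control flow. All names, rules and stores are hypothetical stand-ins;
sample file contents are constructed, not real malware."""
import hashlib
from dataclasses import dataclass
from typing import Optional

BENIGN, MALICIOUS, UNKNOWN = "benign", "malicious", "unknown"


@dataclass
class ExecRequest:
    path: str              # full path of the executable the user opens
    content: bytes         # file bytes (constructed sample data)
    parent: str            # image name of the parent process
    signed: bool           # assumed attribute: carries a valid code signature
    removable_media: bool  # launched from attached media


@dataclass
class Policy:
    """Stage 1 rules; the defaults are illustrative, not the shipped Traps policy."""
    restricted_folders: tuple = (r"C:\Users\Public\Downloads",)
    restricted_parents: tuple = ("winword.exe", "excel.exe", "outlook.exe")
    block_unsigned: bool = True
    block_removable_media: bool = True
    whitelist: frozenset = frozenset()  # sha256 digests exempt from the rules


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_restrictions(req: ExecRequest, policy: Policy) -> Optional[str]:
    """Return the reason the policy blocks this file, or None if no rule fires."""
    if sha256(req.content) in policy.whitelist:
        return None
    if policy.block_removable_media and req.removable_media:
        return "restricted device"
    if any(req.path.lower().startswith(f.lower()) for f in policy.restricted_folders):
        return "restricted folder"
    if req.parent.lower() in policy.restricted_parents:
        return f"child process of {req.parent}"
    if policy.block_unsigned and not req.signed:
        return "unsigned executable"
    return None


class VerdictChain:
    """Stage 2: agent cache -> ESM Server cache -> WildFire, plus admin overrides."""

    def __init__(self, wildfire: dict):
        self.wildfire = wildfire   # dict standing in for the WildFire cloud
        self.agent_cache = {}
        self.esm_cache = {}
        self.overrides = {}        # admin override/revoke, local to this ESM only
        self.uploads = []          # unknown digests the ESM submitted for analysis

    def verdict(self, digest: str):
        if digest in self.overrides:
            return self.overrides[digest], "admin override"
        if digest in self.agent_cache:
            return self.agent_cache[digest], "agent cache"
        if digest in self.esm_cache:
            self.agent_cache[digest] = self.esm_cache[digest]
            return self.esm_cache[digest], "esm cache"
        v = self.wildfire.get(digest, UNKNOWN)
        if v == UNKNOWN:
            self.uploads.append(digest)   # ESM auto-submits the unknown file
        self.esm_cache[digest] = self.agent_cache[digest] = v
        return v, "wildfire"

    def refresh(self):
        """The periodic re-query: pick up verdicts that changed, e.g. unknown -> malicious."""
        changed = []
        for digest, old in list(self.esm_cache.items()):
            new = self.wildfire.get(digest, UNKNOWN)
            if new != old:
                self.esm_cache[digest] = new
                self.agent_cache.pop(digest, None)  # force the agent to re-ask the ESM
                changed.append((digest, old, new))
        return changed


def decide(req, policy, chain, allow_unknown=True):
    """Stages 1 and 2; stage 3 (run-time technique mitigation) is not modelled."""
    reason = check_restrictions(req, policy)
    if reason:
        return "blocked", reason
    v, source = chain.verdict(sha256(req.content))
    if v == MALICIOUS or (v == UNKNOWN and not allow_unknown):
        return "blocked", f"{v} ({source})"
    return "allowed", f"{v} ({source})"


def demo():
    """Walk constructed samples through the flow and return every decision."""
    wildfire = {sha256(b"known-good-sample"): BENIGN, sha256(b"known-bad-sample"): MALICIOUS}
    chain, policy, out = VerdictChain(wildfire), Policy(), {}
    good = ExecRequest(r"C:\Program Files\App\app.exe", b"known-good-sample", "explorer.exe", True, False)
    bad = ExecRequest(r"C:\Users\alice\Downloads\setup.exe", b"known-bad-sample", "explorer.exe", True, False)
    dropped = ExecRequest(r"C:\Users\alice\AppData\Local\Temp\inv.exe", b"anything", "winword.exe", True, False)
    new = ExecRequest(r"C:\Tools\new.exe", b"never-seen-sample", "explorer.exe", True, False)
    out["good"] = decide(good, policy, chain)
    out["bad"] = decide(bad, policy, chain)
    out["dropped"] = decide(dropped, policy, chain)        # stopped at stage 1, no hash lookup
    out["new"] = decide(new, policy, chain)                # unknown: allowed by default, and uploaded
    out["uploads"] = list(chain.uploads)
    wildfire[sha256(b"never-seen-sample")] = MALICIOUS     # WildFire finishes its analysis later
    out["changed"] = chain.refresh()                       # the periodic re-query picks it up
    out["new_after"] = decide(new, policy, chain)
    chain.overrides[sha256(b"known-bad-sample")] = BENIGN  # admin override for a closed system
    out["bad_override"] = decide(bad, policy, chain)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The order of checks is the point: a file dropped by winword.exe never reaches the hash lookup, an unknown file is allowed only because `allow_unknown` is the default, and after `refresh()` the agent cache entry is evicted so the next launch sees the changed verdict from the ESM cache. The override map is consulted first and never written back to the cloud, matching the claim that local overrides do not affect the global WildFire verdict.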

25  Traps vs. Microsoft EMET

Security components
  Traps: anti-exploit, anti-malware, forensics, device control, WildFire integration
  EMET:  anti-exploit only
Anti-exploit effectiveness
  Traps: more than 2x the number of protection modules; enhanced to prevent bypass
  EMET:  fewer protection modules; some enforced only on processes compiled to work with it; enforcement method vulnerable to bypass
Centralized management, reporting, monitoring and policy configuration
  Traps: yes
  EMET:  no
Self-protection mechanisms prevent end-user disabling
  Traps: yes
  EMET:  no
Application coverage
  Traps: protects any application; automatic addition of new applications
  EMET:  protects a small number of applications
Integration
  Traps: WildFire, SIEM, syslog, MS SQL
  EMET:  not natively integrated

A blog post detailing these differences is located here: http://researchcenter.paloaltonetworks.com/2014/12/exploits-built-circumvent-microsoft-emet-means/
