Cybersecurity Essentials

Knowledge Objectives

  • Identify the security solutions that comprise the Palo Alto Networks Security Operating Platform.
  • Discuss the fundamental components of a next-generation firewall and explain the basic operation of a next-generation firewall. Compare and contrast traditional port-based firewalls and next-generation firewalls.
  • Describe the need for centralized network security management and explain its benefits to an organization.
  • Identify the major components of the Palo Alto Networks Traps Advanced Endpoint Protection deployment architecture and explain how Traps protects endpoints from malware and exploits.
  • List the requirements to safely enable mobile devices in the enterprise, identify the primary components of GlobalProtect, and describe the basic functionality of GlobalProtect.
  • Explain the importance of continuous, real-time monitoring in the public cloud and how Evident enables organizations to protect and segment their public cloud workloads, ensure continuous regulatory and policy compliance, and discover and classify data within containers and buckets.
  • Demonstrate an understanding of unique SaaS-based security risks and how Aperture protects SaaS-based applications and data.
  • Describe Palo Alto Networks cloud-delivered security services within the Application Framework and Logging Service, including behavioral analytics, log management, threat intelligence, threat indicator sharing, and malware analysis.

Security Operating Platform

The Palo Alto Networks Security Operating Platform (see Figure 3-1) is a purpose-built, fully integrated cybersecurity approach that helps organizations get control of their networks and protect critical assets.

Figure 3-1: Palo Alto Networks Security Operating Platform

The Security Operating Platform makes prevention, action, and control integral and central to enterprise security strategy. The Security Operating Platform provides visualization, protection, and control capabilities for all network traffic, applications, users, and endpoints. Tight integrations across the platform and with partners (third-party vendors) deliver consistent security across clouds, networks, and mobile devices. The following sections describe the Palo Alto Networks solutions that comprise the Security Operating Platform.

Network Security

Network security components in the Security Operating Platform include Palo Alto Networks next-generation firewalls (NGFWs), the Expedition migration tool, and Panorama for centralized network security management.

Next-generation firewalls

Fundamental shifts in application usage, user behavior, and complex network infrastructure have created a threat landscape that exposes weaknesses in traditional port-based network firewalls. End users want access to an ever-increasing number of applications, operating across a wide range of device types, often with little regard for the business or security risks. Meanwhile data center expansion, network segmentation, virtualization, and mobility initiatives are forcing organizations to rethink how to enable access to applications and data, while protecting their networks from a new, more sophisticated class of advanced threats that evade traditional security mechanisms.

Palo Alto Networks NGFWs are the core of the Security Operating Platform. The NGFW inspects all traffic – including applications, threats, and content – and associates it with the user, regardless of location or device type. The application, content, and user become integral components of the enterprise security policy.

NGFWs classify network traffic based on the application's identity to enable visibility and control of all types of applications running on enterprise networks. The essential functional requirements for an effective NGFW include:

  • Application identification. Accurately identify applications regardless of port, protocol, evasive techniques, or encryption. Provide visibility of applications and granular policy-based control over applications, including individual application functions.
  • User identification. Accurately identify users and subsequently use identity information as an attribute for policy control.
  • Content identification. Control traffic based on complete analysis of all allowed traffic, using multiple threat prevention and data loss prevention techniques in a single-pass architecture that fully integrates all security functions.

Palo Alto Networks NGFWs are built on a single-pass architecture (see Figure 3-2), which is a unique integration of software and hardware that simplifies management, streamlines processing, and maximizes performance. The single-pass architecture integrates multiple threat prevention disciplines (IPS, anti-malware, URL filtering, etc.) into a single stream-based engine with a uniform signature format. This architecture allows traffic to be fully analyzed in a single pass without the performance degradation seen in multifunction gateways. The software is tied directly to a parallel processing hardware platform that uses function-specific processors for threat prevention, to maximize throughput and minimize latency.

Figure 3-2: Palo Alto Networks NGFWs use a single-pass architecture

The use of one common engine means that two key benefits are realized. First, unlike file proxies that need to download the entire file before they can scan the traffic, a stream-based engine scans traffic in real-time, only reassembling packets as needed and only in very small amounts. Second, unlike with traditional approaches, all traffic can be scanned with a single engine, instead of multiple scanning engines.

Application identification

Stateful packet inspection technology – the basis for most of today's legacy firewalls – was created more than 25 years ago, at a time when applications could be controlled using ports and source/destination IPs. The strict adherence to port-based classification and control methodology is the primary policy element; it is hard-coded into the foundation and cannot be turned off. As a result, many of today's applications cannot be identified, much less controlled, by the firewall, and no amount of "after the fact" traffic classification by firewall "helpers" can correct the firewall's port-based classification.

Establishing port and protocol information is a first step in application identification, but it is insufficient by itself. Robust application identification and inspection in an NGFW enables granular control of the flow of sessions through the firewall. Identification is based on the specific applications (such as Skype, Gmail, and WebEx) that are being used, instead of just relying on the underlying set of often indistinguishable network communication services (see Figure 3-3).

Figure 3-3: Application-centric traffic classification identifies specific applications on the network, irrespective of the port and protocol in use

Application identification provides visibility and control over work-related and non-work-related applications that can evade detection by legacy port-based firewalls, for example, by masquerading as legitimate traffic, hopping ports, or slipping past the firewall using encryption.

Application identification technology in a Palo Alto Networks NGFW does not rely on a single element, such as port or protocol. Instead, application identification uses multiple mechanisms to determine what the application is, first and foremost, and the application identity then becomes the basis for the firewall policy that is applied to the session. Application identification is highly extensible and, as applications continue to evolve, application detection mechanisms can be added or updated as a means of keeping pace with the ever-changing application landscape.

App-ID traffic classification technology

The first task that a Palo Alto Networks NGFW executes is the identification of the applications traversing the network using App-ID. App-ID uses a multifaceted approach to determine the application, irrespective of port, protocol, encryption (SSL and SSH), or other evasive tactics employed. The number and order of identification mechanisms used to identify the application vary, depending on the application. The application identification techniques (see Figure 3-4) used include:

  • Application protocol detection and decryption. Determines the application protocol (for example, HTTP) and, if SSL is in use, decrypts the traffic so that it can be analyzed further. Traffic is re-encrypted after all the NGFW technologies have had an opportunity to operate.
  • Application protocol decoding. Determines whether the initially detected application protocol is the "real one," or if it is being used as a tunnel to hide the actual application (for example, Tor might be inside of HTTPS).
  • Application signatures. Context-based signatures look for unique properties and transaction characteristics to correctly identify the application regardless of the port and protocol being used. These signatures include the ability to detect specific functions within applications (such as file transfers within SaaS applications).
  • Heuristics. For traffic that eludes identification by signature analysis, heuristic (or behavioral) analyses are applied, which enable identification of any troublesome applications, such as P2P or VoIP tools that use proprietary encryption.

Figure 3-4: How Palo Alto Networks App-ID classifies applications

Key Terms:

  • Tor ("The Onion Router") is software that enables anonymous communication over the internet.

With App-ID as the foundational element for every Palo Alto Networks NGFW, administrators can regain visibility into, and control over, the applications traversing the network.

App-ID: Addressing custom or unknown applications

Palo Alto Networks adds an average of five new applications to App-ID each week, yet unknown application traffic is still detected on the network, such as:

  • Unknown commercial applications. Administrators can use Application Command Center (ACC) and the log viewer to quickly determine whether an unknown application is a commercial application. Administrators can use the packet capture (pcap) feature on the Palo Alto Networks NGFW to record the traffic and submit it for App-ID development. The new App-ID is developed, tested with the organization, then added to the global database for all users.
  • Internal or custom applications. Administrators can use ACC and the log viewer to quickly determine whether an unknown application is an internal or custom application. You can develop a custom App-ID for the application, using the exposed protocol decoders. The protocol decoders that have been exposed include:
    • FTP (File Transfer Protocol)
    • HTTP (Hypertext Transfer Protocol) and HTTPS (HTTP Secure, or HTTP over SSL)
    • IMAP (Internet Message Access Protocol) and SMTP (Simple Mail Transfer Protocol)
    • RTSP (Real Time Streaming Protocol)
    • Telnet
    • unknown-TCP, unknown-UDP, and file body (for html/pdf/flv/swf/riff/mov)

After the custom App-ID is developed, traffic identified by it is treated in the same manner as the previously classified traffic; it can be enabled via policy, inspected for threats, shaped using Quality of Service (QoS), etc. Alternatively, an application override can be created and applied, which effectively renames the application. Custom App-ID entries are managed in a separate database on the NGFW to ensure they are not impacted by weekly App-ID updates.

An important point to highlight is that Palo Alto Networks NGFWs use a positive enforcement model, which means that all traffic can be denied except those applications that are expressly allowed via policy. This positive enforcement model means that in some cases the unknown traffic can be easily blocked or tightly controlled. Alternative offerings that are based on IPS will allow unknown traffic to pass through without providing any semblance of visibility or control.

App-ID in action: Identifying WebEx

When a user initiates a WebEx session, the initial connection is an SSL-based communication. With App-ID, the device sees the traffic and determines that it is using SSL. If there is a matching decryption policy rule, then the decryption engine and protocol decoders are initiated to decrypt the SSL and detect that it is HTTP traffic. After the decoder has the HTTP stream, App-ID can apply contextual signatures and detect that the application in use is WebEx.

WebEx is then displayed within ACC and can be controlled via a security policy. If the end user were to initiate the WebEx Desktop Sharing feature, WebEx undergoes a "mode-shift": the session has been altered from a conferencing application to a remote access application. In this scenario, the characteristics of WebEx have changed and App-ID detects the WebEx Desktop Sharing feature, which is then displayed in ACC. At this stage, an administrator has learned more about the application use and can exert policy control over the use of the WebEx Desktop Sharing feature separately from general WebEx use.
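The App-ID pipeline described in the technique list above and in the WebEx walk-through, reduced to a runnable toy: protocol detection from payload bytes (never the port), decoding of the carrier protocol, context signatures that distinguish a function (desktop sharing) from its container application, and an entropy heuristic for whatever remains. This is an added example, not Palo Alto Networks code; the signature table, host names, and sample flows are constructed for illustration.

```python
import math
import re
from collections import Counter
from typing import Dict, Optional

# Step 1: protocol detection from payload bytes alone; the port is never consulted.
def detect_protocol(payload: bytes) -> str:
    if payload.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"
    # TLS record header: content type 0x16 (handshake), major version 0x03,
    # then a handshake header whose first byte 0x01 is ClientHello.
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "ssl"
    if re.match(rb"^(GET|POST|PUT|HEAD|CONNECT|OPTIONS) \S+ HTTP/1\.[01]\r\n", payload):
        return "http"
    return "unknown-tcp"

# Step 2: decode the carrier protocol into the fields the signatures inspect.
def decode_http(payload: bytes) -> Dict[str, object]:
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().lower().decode()] = value.strip().decode(errors="replace")
    return {"method": method.decode(), "path": path.decode(), "headers": headers, "body": body}

# Step 3: context signatures (constructed): a host pattern plus an optional
# path pattern that separates an application function from its container.
# Most specific entries come first so a function wins over its container.
SIGNATURES = [
    ("webex-desktop-sharing", r"\.webex\.com$", r"^/sharing/"),
    ("webex", r"\.webex\.com$", None),
    ("sharepoint-admin", r"^sharepoint\.", r"^/_layouts/15/admin"),
    ("sharepoint", r"^sharepoint\.", None),
]

def match_signature(req: Dict[str, object]) -> Optional[str]:
    host = req["headers"].get("host", "")
    for app, host_re, path_re in SIGNATURES:
        if re.search(host_re, host) and (path_re is None or re.match(path_re, req["path"])):
            return app
    return None

# Step 4: heuristic for flows no signature claims. Near-maximal byte entropy
# on an unidentified protocol is the kind of signal that points at
# proprietary-encrypted P2P/VoIP tools.
def shannon_entropy(data: bytes) -> float:
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(payload: bytes, decrypted: Optional[bytes] = None) -> str:
    """Label one flow. `decrypted` stands in for the decryption engine's
    output when a decryption policy rule matched the SSL session."""
    proto = detect_protocol(payload)
    if proto == "ssl" and decrypted is not None:
        payload = decrypted
        proto = detect_protocol(payload)       # look again inside the tunnel
    if proto == "http":
        return match_signature(decode_http(payload)) or "web-browsing"
    if proto == "unknown-tcp" and len(payload) >= 64 and shannon_entropy(payload) > 7.0:
        return "unknown-tcp:encrypted-heuristic"
    return proto

# Constructed sample flows; the port each arrived on is irrelevant to the result.
CLIENT_HELLO_PREFIX = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"   # constructed TLS record start
SAMPLE_FLOWS = {
    "http-on-8080":   (b"GET /index.html HTTP/1.1\r\nHost: sharepoint.corp.example\r\n\r\n", None),
    "ssh-on-443":     (b"SSH-2.0-OpenSSH_8.9\r\n", None),
    "webex-meeting":  (CLIENT_HELLO_PREFIX, b"GET /meeting/join HTTP/1.1\r\nHost: conf.webex.com\r\n\r\n"),
    "webex-sharing":  (CLIENT_HELLO_PREFIX, b"POST /sharing/start HTTP/1.1\r\nHost: conf.webex.com\r\n\r\n"),
    "ssl-no-decrypt": (CLIENT_HELLO_PREFIX, None),
    "opaque-blob":    (bytes(range(256)), None),
}

def run_samples() -> Dict[str, str]:
    return {name: classify(payload, dec) for name, (payload, dec) in SAMPLE_FLOWS.items()}

if __name__ == "__main__":
    for name, label in run_samples().items():
        print(f"{name:16} -> {label}")
```

Without a decryption rule the SSL flow stays labelled "ssl", which is why the text ties App-ID's WebEx result to a matching decryption policy.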

Application identification and policy control

Application identification enables administrators to see the applications on the network, learn how they work, and analyze their behavioral characteristics and relative risk. When application identification is used in conjunction with user identification, administrators can see exactly who is using the application based on their identity, not just an IP address. With this information, administrators can use granular rules – based on a positive security model – to block unknown applications, while enabling, inspecting, and shaping those applications that are allowed.

After an application has been identified and a complete picture of its usage is gained, organizations can apply policies with a range of responses that are far more granular than the "allow" or "deny" actions available in legacy firewalls. Examples include:

  • Allow or deny
  • Allow but scan for exploits, viruses, and other threats
  • Allow based on schedule, users, or groups
  • Decrypt and inspect
  • Apply traffic shaping through QoS
  • Apply policy-based forwarding
  • Allow certain application functions
  • Any combination of the above

Application Function Control

For many organizations, secure application enablement means striking an appropriate security policy balance by enabling individual application functionality while blocking other functions within the same application. Examples may include:

  • Allowing SharePoint Documents, but blocking the use of SharePoint Administration
  • Blocking Facebook mail, chat, posting, and applications, but allowing Facebook itself, effectively only allowing users to browse Facebook
  • Enabling the use of MSN, but disabling the use of MSN-file transfer and only allowing certain file types to be transferred using the file blocking feature

App-ID uses an application hierarchy that follows a container and supporting function model to help administrators easily choose which applications to allow, while blocking or controlling functions within the application. Figure 3-5 shows SharePoint as the container application, and the individual functions within.

Figure 3-5: Application Function Control maximizes productivity by safely enabling the application itself (Microsoft SharePoint) or individual functions

Controlling multiple applications: Dynamic filters and groups

In some cases, organizations may want to control applications in bulk, as opposed to controlling them individually. The two mechanisms in the Palo Alto Networks NGFW that address this need are application groups and dynamic filters:

  • Application groups. A group of applications is a static list of applications that can be used to allow their use for certain users, while blocking their use for others. For example, remote management applications such as remote desktop protocol (RDP), Telnet, and Secure Shell (SSH) are commonly used by IT support personnel, yet employees that fall outside of these groups are also known to use these tools as a means of accessing their home networks. A group of applications can be created and assigned to IT support through User-ID (discussed later in this module), binding the groups to the policy. New employees only need to be added to the directory group; no updates are needed to the policy itself.
  • Dynamic filters. A dynamic filter is a set of applications that is created based on any combination of the filter criteria: category, subcategory, behavioral characteristic, underlying technology, or risk factor. After the desired filter is created, a policy that blocks or enables and scans the traffic can be applied. As new App-ID files are added that fulfill the filter criteria, the filter is automatically updated as soon as the device is updated, thereby minimizing the administrative effort associated with policy management.

User Identification

The visibility problem is compounded in an increasingly mobile enterprise, where employees access the network from virtually anywhere around the world, internal wireless networks reassign IP addresses as users move from zone to zone, and network users are not always company employees. The result is that the IP address, by itself, is no longer an adequate mechanism for monitoring and controlling user activity.

User-ID: Integrating user information and security policies

Creating and managing security policies on an NGFW, based on the application and the identity of the user regardless of device or location, is a more effective means of protecting the network than relying solely on port and IP address information in legacy, port-based firewalls. Palo Alto Networks User-ID enables organizations to leverage user information stored in a wide range of repositories for the following purposes:

  • Visibility: Improved visibility into application usage based on user and group information can help organizations maintain a more accurate picture of network activity
  • Policy control: Binding user information to the security policy to safely enable applications or specific application functions while reducing the administrative effort associated with employee moves, adds, and changes
  • Logging and reporting: If a security incident occurs, forensics analysis and reporting can include user information, which provides a more complete picture of the incident.

User-ID in action

User-ID seamlessly integrates Palo Alto Networks NGFWs with a wide range of user repositories and terminal services environments. Depending on the network environment, multiple techniques can be configured to accurately map the user identity to an IP address. These techniques include monitoring of authentication events, user authentication, terminal services monitoring, client probing, directory services integration, and a powerful XML API (see Figure 3-6).

Figure 3-6: User identification integrates enterprise directories for user-based policies, reporting, and forensics

After the applications and users are identified, full visibility and control within ACC, policy editing, and logging and reporting are available. User-ID tools and techniques include:

  • Authentication events. Monitoring of the authentication events on a network allows User-ID to associate a user with the IP address of the device from which the user logs in to enforce policy on the firewall. User-ID can be configured to monitor authentication events for:
    • Microsoft Active Directory: User-ID constantly monitors domain controller event logs to identify users when they log onto the domain. When a user logs onto the Windows domain, a new authentication event is recorded on the corresponding Windows Domain controller. By remotely monitoring the authentication events on Windows domain controllers, User-ID can recognize authentication events to identify users on the network for creation and enforcement of policy.
    • Microsoft Exchange Server: User-ID can be configured to constantly monitor Microsoft Exchange logon events produced by clients accessing their email. Using this technique, even Mac OS X, Apple iOS, and Linux/UNIX client systems that don't directly authenticate to Microsoft Active Directory can be discovered and identified.
    • Novell eDirectory: User-ID can query and monitor logon information to identify users and group memberships via standard lightweight directory access protocol (LDAP) queries on Novell eDirectory servers.
  • User authentication. This technique allows organizations to configure a challenge-response authentication sequence to collect user and IP address information, using the following tools:
    • Captive Portal: In cases where administrators need to establish rules under which users are required to authenticate to the firewall prior to accessing the internet, Captive Portal can be deployed. Captive Portal is used in cases where the user cannot be identified using other mechanisms. In addition to an explicit username and password prompt, Captive Portal can also be configured to send an NT LAN Manager (NTLM) authentication request to the web browser to make the authentication process transparent to the user.
    • GlobalProtect: Users logging in to the network with GlobalProtect (discussed in Section 3.3.2) provide user and host information to the firewall that, in turn, can be used for policy control.
  • Client probing and terminal services. This technique allows organizations to configure User-ID to monitor Windows clients or hosts to collect the identity and map it to the IP address. In environments where the user identity is obfuscated by Citrix XenApp or Microsoft Terminal Services, the User-ID Terminal Services agent can be deployed to determine which applications are being accessed by users. The following techniques are available:
    • Client probing: If a user cannot be identified via monitoring of authentication events, User-ID actively probes Microsoft Windows clients on the network for information about the currently logged-on user. With client probing, laptop users who often switch from wired to wireless networks can be reliably identified.
    • Host probing: User-ID can also be configured to probe Microsoft Windows servers for active network sessions of a user. As soon as a user accesses a network share on the server, User-ID identifies the origin IP address and maps it to the username provided to establish the session.
    • Terminal services: Users sharing IP addresses while working on Microsoft Windows Terminal Services or Citrix can be identified. Every user session is assigned a certain port range on the server, which is completely transparent to the user and allows the NGFW to associate network connections with users and groups sharing one host on the network.
  • XML API. In some cases, organizations may already have a user repository or an application that is used to store information about users and their current IP address. In these scenarios, the XML API within User-ID enables rapid integration of user information with security policies. Use of the XML API to collect user and IP address information includes:
    • Wireless environments: Organizations using 802.1x to secure corporate wireless networks can leverage a syslog-based integration with the Palo Alto Networks User-ID XML API, to identify users as they authenticate to the wireless infrastructure.
    • Proxies: Authentication prompted by a proxy server can be provided to Palo Alto Networks User-ID via its XML API, by parsing the authentication log file for user and IP address information.
    • Network access control (NAC): The XML API allows organizations to harvest user information from NAC environments. As an example, Bradford Networks, a NAC solution provider, uses the User-ID XML API to populate user logons and logoffs of its 802.1x solution. This integration allows organizations to identify users as soon as they connect to the network and set user-based enablement policies.
  • Syslog listener. The agent runs a syslog listener on a designated port that can parse the syslog messages and convert the information into appropriate User-ID mappings.
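The syslog listener and XML API paths in the list above, in miniature: constructed syslog lines from an 802.1x/RADIUS-style wireless controller and a proxy are parsed into user-to-IP mappings with a timeout, an accounting-stop removes a mapping, stale entries expire (so a reassigned wireless address is not attributed to the previous user), and the result is rendered as a User-ID XML update. This is an added example, not Palo Alto Networks code; the log formats are invented, and the uid-message element names are reproduced from memory of the PAN-OS XML API format and should be checked against the current reference.

```python
import re
from typing import Dict, List, Optional, Tuple
from xml.etree.ElementTree import Element, SubElement, tostring

# Constructed parsers, one per log source. Each captures the user, the IP
# address, and whether the event opens or closes a mapping.
PARSERS = [
    (re.compile(r"radius: Access-Accept user=(?P<user>\S+) framed-ip=(?P<ip>[\d.]+)"), "login"),
    (re.compile(r"radius: Acct-Stop user=(?P<user>\S+) framed-ip=(?P<ip>[\d.]+)"), "logout"),
    (re.compile(r"auth ok user=(?P<user>\S+) src=(?P<ip>[\d.]+)"), "login"),
]

def parse_event(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (kind, user, ip), or None when no parser matches the line."""
    for rx, kind in PARSERS:
        m = rx.search(line)
        if m:
            return kind, m.group("user"), m.group("ip")
    return None

class MappingTable:
    """ip -> (user, expiry). One user per IP: a new login on an address that
    already has a mapping replaces it, which is what a reassigned wireless
    address needs."""

    def __init__(self, timeout_s: int = 20 * 60):
        self.timeout_s = timeout_s
        self.by_ip: Dict[str, Tuple[str, float]] = {}

    def apply(self, lines: List[str], now: float):
        logins: List[Tuple[str, str]] = []
        logouts: List[Tuple[str, str]] = []
        for line in lines:
            ev = parse_event(line)
            if ev is None:
                continue                      # not a mapping event, e.g. a reject
            kind, user, ip = ev
            if kind == "login":
                self.by_ip[ip] = (user, now + self.timeout_s)
                logins.append((user, ip))
            elif self.by_ip.get(ip, (None, 0.0))[0] == user:
                del self.by_ip[ip]
                logouts.append((user, ip))
        return logins, logouts

    def expire(self, now: float) -> int:
        """Drop mappings whose timeout has passed; returns how many were removed."""
        stale = [ip for ip, (_, exp) in self.by_ip.items() if exp <= now]
        for ip in stale:
            del self.by_ip[ip]
        return len(stale)

def to_uid_xml(logins, logouts, timeout_min: int = 20) -> bytes:
    """Render the changes as a uid-message update (element names assumed, see lead-in)."""
    root = Element("uid-message")
    SubElement(root, "version").text = "1.0"
    SubElement(root, "type").text = "update"
    payload = SubElement(root, "payload")
    if logins:
        login = SubElement(payload, "login")
        for user, ip in logins:
            SubElement(login, "entry", name=user, ip=ip, timeout=str(timeout_min))
    if logouts:
        logout = SubElement(payload, "logout")
        for user, ip in logouts:
            SubElement(logout, "entry", name=user, ip=ip)
    return tostring(root)

# Constructed syslog lines (formats invented for this example).
SAMPLE_SYSLOG = [
    "Oct 11 09:14:02 wlc01 radius: Access-Accept user=jdoe framed-ip=10.20.30.41",
    "Oct 11 09:15:10 proxy01 squid: auth ok user=CORP\\asmith src=10.20.30.77",
    "Oct 11 09:16:00 wlc01 radius: Access-Reject user=guest07 framed-ip=10.20.30.99",
    "Oct 11 09:40:00 wlc01 radius: Acct-Stop user=jdoe framed-ip=10.20.30.41",
]

def run_sample(now: float = 1000.0) -> Tuple[MappingTable, bytes]:
    table = MappingTable(timeout_s=20 * 60)
    logins, logouts = table.apply(SAMPLE_SYSLOG, now)
    return table, to_uid_xml(logins, logouts)

if __name__ == "__main__":
    table, xml = run_sample()
    print(table.by_ip)
    print(xml.decode())
```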

To allow organizations to specify security rules based on user groups and resolve the group members automatically, User-ID integrates with directory servers using a standards-based protocol and a flexible configuration. After integration with the directory server is configured, the firewall automatically retrieves user and user group information and keeps the information updated to automatically adjust to changes in the user base or organization.

Visibility into a user's activity

The power of User-ID becomes evident when App-ID finds a strange or unfamiliar application on the network. An administrator can use either ACC or the log viewer to discern the application, who is using it, the bandwidth and session consumption, the sources and destinations of the application traffic, and any associated threats.

Visibility into the application activity at a user level, not just an IP address level, allows organizations to more effectively enable the applications traversing the network.

Administrators can align application usage with business unit requirements and, if appropriate, can choose to inform the user that they are in violation of policy, or take a more direct approach of blocking the user's application usage outright.

User-based policy control

User-based policy controls can be created based on the application, category and subcategory, underlying technology, or application characteristics. Policies can be used to safely enable applications based on users or groups, in either an outbound or an inbound direction.

User-based policies might include:

  • Enable only the IT department to use tools such as SSH, telnet, and FTP on their standard ports
  • Allow the Help Desk Services group to use Yahoo Messenger
  • Allow Facebook for all users, yet allow only the Marketing group to use Facebook-posting, and block the use of Facebook applications for all users
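A toy policy engine, added here as an example (not PAN-OS code), that ties together the mechanisms this module has described: the positive enforcement model (no match means deny), a static application group bound to a directory group, a dynamic filter over application metadata that is re-evaluated as the application table changes, and function control on a container application such as Facebook. The application metadata, directory groups, and rules are all constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

def _app(category, subcategory, technology, risk, container=None):
    return dict(category=category, subcategory=subcategory, technology=technology,
                risk=risk, container=container)

# Constructed App-ID metadata: category, subcategory, technology, risk (1-5).
# A function entry names the container application it belongs to.
APPS = {
    "ssh":              _app("networking", "remote-access", "client-server", 4),
    "telnet":           _app("networking", "remote-access", "client-server", 5),
    "ms-rdp":           _app("networking", "remote-access", "client-server", 4),
    "facebook-base":    _app("collaboration", "social-networking", "browser-based", 4),
    "facebook-posting": _app("collaboration", "social-networking", "browser-based", 4, "facebook-base"),
    "facebook-apps":    _app("collaboration", "social-networking", "browser-based", 4, "facebook-base"),
    "bittorrent":       _app("general-internet", "file-sharing", "peer-to-peer", 5),
    "web-browsing":     _app("general-internet", "internet-utility", "browser-based", 4),
}

# Constructed directory groups (what User-ID would resolve from the directory server).
DIRECTORY = {"it-support": {"alice"}, "marketing": {"bob"}, "all-users": {"alice", "bob", "carol"}}

# A static application group is a fixed list; a dynamic filter is a set of criteria.
APP_GROUPS = {"remote-mgmt": {"ssh", "telnet", "ms-rdp"}}
DYNAMIC_FILTERS = {"p2p-high-risk": {"technology": "peer-to-peer", "risk": 5},
                   "social": {"subcategory": "social-networking"}}

def expand_filter(criteria: Dict[str, object]) -> Set[str]:
    """Resolve a dynamic filter against the current App-ID table. Because it is
    re-evaluated on every lookup, an application added by a content update
    that meets the criteria is covered without touching the rule."""
    return {name for name, meta in APPS.items()
            if all(meta.get(k) == v for k, v in criteria.items())}

@dataclass
class Rule:
    name: str
    action: str                                   # "allow" or "deny"
    apps: Set[str] = field(default_factory=set)   # explicit applications
    app_groups: Set[str] = field(default_factory=set)
    filters: Set[str] = field(default_factory=set)
    users: Set[str] = field(default_factory=set)  # directory groups; empty = any user

    def matched_apps(self) -> Set[str]:
        apps = set(self.apps)
        for g in self.app_groups:
            apps |= APP_GROUPS[g]
        for f in self.filters:
            apps |= expand_filter(DYNAMIC_FILTERS[f])
        return apps

    def matches(self, user: str, app: str) -> bool:
        if self.users and not any(user in DIRECTORY[g] for g in self.users):
            return False
        return app in self.matched_apps()

# Rules are evaluated top-down and the first match wins. Anything that matches
# no rule, including an unknown application, hits the implicit deny: this is
# the positive enforcement model.
RULES = [
    Rule("it-remote-tools", "allow", app_groups={"remote-mgmt"}, users={"it-support"}),
    Rule("block-p2p", "deny", filters={"p2p-high-risk"}),
    Rule("marketing-fb-posting", "allow", apps={"facebook-posting"}, users={"marketing"}),
    Rule("no-fb-functions", "deny", apps={"facebook-posting", "facebook-apps"}),
    Rule("browse-fb-and-web", "allow", apps={"facebook-base", "web-browsing"}, users={"all-users"}),
]

def evaluate(user: str, app: str, rules: List[Rule] = RULES) -> str:
    """Return '<action>:<rule name>', or 'deny:implicit' when nothing matched."""
    for rule in rules:
        if rule.matches(user, app):
            return f"{rule.action}:{rule.name}"
    return "deny:implicit"

if __name__ == "__main__":
    for user, app in [("alice", "ssh"), ("carol", "ssh"), ("bob", "facebook-posting"),
                      ("carol", "facebook-posting"), ("carol", "facebook-base"),
                      ("alice", "bittorrent"), ("alice", "unknown-tcp")]:
        print(f"{user:6} {app:18} -> {evaluate(user, app)}")
```

Adding a new peer-to-peer, risk-5 entry to APPS is enough for the "block-p2p" rule to cover it, which is the dynamic-filter behaviour the text describes for App-ID updates.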

Content identification

Content identification infuses NGFWs with capabilities not possible in legacy, port-based firewalls. Application identification eliminates threat vectors through the tight control of all types of applications. This capability immediately reduces the attack surface of the network, after which all allowed traffic is analyzed for exploits, malware, dangerous URLs, and dangerous or restricted files or content. Content identification then goes beyond stopping known threats to proactively identify and control unknown malware, which is often used as the leading edge of sophisticated network attacks.

Threat prevention

Enterprise networks are facing a rapidly evolving threat landscape full of modern applications, exploits, malware, and attack strategies that can avoid traditional methods of detection. Threats are delivered via applications that dynamically hop ports, use non-standard ports, tunnel within other applications or hide within proxies, SSL, or other types of encryption. These techniques can prevent traditional security solutions such as IPS and firewalls from ever inspecting the traffic, thus enabling threats to easily and repeatedly flow across the network. Also, enterprises are exposed to targeted and customized malware, which may pass undetected through traditional anti-malware solutions.

Palo Alto Networks Content-ID addresses these challenges with unique threat prevention capabilities not found in traditional security solutions. First, the NGFW removes the methods that threats use to hide from security through the complete analysis of all traffic, on all ports regardless of any evasion, tunneling, or circumvention techniques that are used. No threat prevention solution will be effective if it does not have visibility into the traffic. Palo Alto Networks ensures that visibility through the identification and control of all traffic, using the following tools and techniques:

  • Application decoders. Content-ID leverages the more than 100 application and protocol decoders in App-ID to look for threats hidden within application data streams. This tool enables the firewall to detect and prevent threats tunneled within approved applications that would pass by traditional IPS or proxy solutions.
  • Uniform threat signature format. Rather than use a separate set of scanning engines and signatures for each type of threat, Content-ID leverages a uniform threat engine and signature format to detect and block a wide range of malware C&C activity and vulnerability exploits in a single pass.
  • Vulnerability attack protection (IPS). Robust routines for traffic normalization and defragmentation are joined by protocol-anomaly, behavior-anomaly, and heuristic detection mechanisms to provide protection from the widest range of both known and unknown threats.
  • Cloud-based intelligence. For unknown content, WildFire (discussed in Section 3.5.5) provides rapid analysis and a verdict that the firewall can leverage.
  • SSL decryption. More and more web traffic connections are encrypted with SSL by default, which can provide some protection to end users, but it also can provide attackers with an encrypted channel to deliver exploits and malware. Palo Alto Networks ensures visibility by giving security organizations the flexibility to, by policy, granularly look inside of SSL traffic based on application or URL category.
  • Control of circumventing technologies. Attackers and malware have increasingly turned to proxies, anonymizers, and a variety of encrypted proxies to hide from traditional network security products. Palo Alto Networks provides the ability to tightly control these technologies and limit them to approved users, while blocking unapproved communications that could be used by attackers.

Stream-based malware scanning

Prevention of known malware is performed through the use of stream-based scanning, a technique that begins scanning as soon as the first packets of the file are received as opposed to waiting until the entire file is loaded into memory to begin scanning. Stream-based scanning minimizes performance and latency issues by receiving, scanning, and sending traffic to its intended destination immediately without having to first buffer and then scan the file (see Figure 3-7).
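Stream-based scanning versus the file-proxy approach, as an added example (not Palo Alto Networks code) illustrating this paragraph and the single-engine discussion earlier in the module: the streaming scanner looks at each packet as it arrives and carries only the last len(signature)-1 bytes forward, so a pattern that straddles one or several packet boundaries is still caught, while the proxy-style scanner must hold the entire object first. The signature and the sample object are constructed.

```python
from typing import Iterable, List, Tuple

# Constructed signature standing in for a malware pattern.
SIGNATURE = b"SIG{constructed-test-pattern}"

def stream_scan(packets: Iterable[bytes], signature: bytes) -> Tuple[bool, int]:
    """Scan packets as they arrive. Only the last len(signature)-1 bytes are
    carried between packets, which is exactly enough for a pattern that
    straddles a packet boundary to be seen whole. Returns (matched, most
    bytes held at any moment)."""
    overlap = len(signature) - 1
    carry = b""
    max_held = 0
    for pkt in packets:
        window = carry + pkt
        max_held = max(max_held, len(window))
        if signature in window:
            return True, max_held           # verdict before the object finishes
        carry = window[-overlap:] if overlap else b""
    return False, max_held

def proxy_scan(packets: Iterable[bytes], signature: bytes) -> Tuple[bool, int]:
    """File-proxy style: reassemble the whole object first, then scan once."""
    data = b"".join(packets)
    return signature in data, len(data)

def packetize(data: bytes, mtu: int) -> List[bytes]:
    """Split an object into fixed-size segments the way it would arrive on the wire."""
    return [data[i:i + mtu] for i in range(0, len(data), mtu)]

def build_object(prefix_len: int, suffix_len: int, infected: bool) -> bytes:
    """Constructed sample object: filler, optionally the signature, more filler."""
    body = SIGNATURE if infected else b"-" * len(SIGNATURE)
    return b"A" * prefix_len + body + b"B" * suffix_len

def compare(data: bytes, mtu: int) -> dict:
    pkts = packetize(data, mtu)
    s_hit, s_held = stream_scan(pkts, SIGNATURE)
    p_hit, p_held = proxy_scan(pkts, SIGNATURE)
    return {"stream": (s_hit, s_held), "proxy": (p_hit, p_held), "packets": len(pkts)}

if __name__ == "__main__":
    # Signature starts 10 bytes before the end of the first 1400-byte segment,
    # so it is split across packets 1 and 2.
    print(compare(build_object(1390, 5000, True), 1400))
    # Tiny segments: the signature spans four packets and is still caught.
    print(compare(build_object(1390, 5000, True), 10))
    print(compare(build_object(1390, 5000, False), 1400))
```

The "most bytes held" figure is the point: the streaming scanner never needs more than one segment plus the overlap, whatever the object size.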

Figure 3-7: Stream-based scanning helps minimize latency and maximize throughput performance

Intrusion prevention

Content-ID protects networks from all types of vulnerability exploits, buffer overflows, DoS attacks, and port scans that lead to the compromise of confidential and sensitive enterprise information. IPS mechanisms in Content-ID include:

  • Protocol decoders and anomaly detection
  • Stateful pattern matching
  • Statistical anomaly detection
  • Heuristic-based analysis
  • Invalid or malformed packet detection
  • IP defragmentation and TCP reassembly
  • Custom vulnerability and spyware phone-home signatures

Traffic is normalized to eliminate invalid and malformed packets, while TCP reassembly and IP defragmentation are performed to ensure the utmost accuracy and protection despite any packet-level evasion techniques.

URL filtering

To complement the threat prevention and application control capabilities, a fully integrated, on-box URL filtering database enables security teams to not only control end-user web surfing activities, but also to combine URL context with application and user rules.

The on-box URL database can be augmented to suit the traffic patterns of the local user community with a custom URL database. URLs that are not categorized by the local URL database can be pulled into cache from a hosted URL database. In addition to database customization, administrators can create unique URL categories to further customize the URL controls to suit their specific needs.

URL categorization can be combined with application and user classification to further target and define policies. For example, SSL decryption can be invoked for select high-risk URL categories to ensure that threats are exposed, and QoS controls can be applied to streaming media sites. URL filtering visibility and policy controls can be bound to specific users through transparent integration with enterprise directory services (such as Active Directory, LDAP, and eDirectory), with additional insight provided through customizable reporting and logging.

Administrators can configure a custom block page to notify end users of policy violations. The page can include the username, the IP address, the URL the user attempted to access, and the URL category. To place some ownership of web activity back in the user's hands, administrators can allow users to continue to the website after a warning page is presented, or can require a password to override the URL filtering policy.

File and data filtering

File and data filtering takes advantage of in-depth application inspection and enables enforcement of policies that reduce the risk of unauthorized information transfer or malware propagation. File and data filtering capabilities in Content-ID include:

  • File blocking by type: Control the flow of a wide range of file types by looking deep within the payload to identify the file type (as opposed to looking only at the file extension)
  • Data filtering: Control the transfer of sensitive data patterns such as credit card numbers and Social Security numbers in application content or attachments
  • File transfer function control: Control the file transfer functionality within an individual application, which allows application use while preventing undesired inbound or outbound file transfer
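Two of the capabilities above reduce to concrete checks: identifying a file by its leading bytes rather than by the name it carries, and recognizing sensitive data patterns without flagging every run of digits. The added example below (not Palo Alto Networks code) shows both; the magic-byte table holds well-known values, the sample content and the type blocklist are constructed, and the Luhn check is what keeps a random 16-digit string from being reported as a card number.

```python
"""Added example (not Palo Alto Networks code): file-type identification by
payload magic bytes rather than extension, plus a data-pattern check for card
numbers (with Luhn validation) and SSNs. Sample content is constructed."""
import re

# Leading bytes of a few common file types (well-known values).
MAGIC = {
    b"MZ": "pe-executable",
    b"\x7fELF": "elf-executable",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip-container",      # also docx/xlsx/pptx/jar
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole-compound",  # legacy doc/xls
}


def identify_file_type(data: bytes) -> str:
    """Classify by content prefix; the file name is deliberately ignored."""
    for prefix, name in MAGIC.items():
        if data.startswith(prefix):
            return name
    return "unknown"


def file_blocking_decision(filename: str, data: bytes, blocked_types: set):
    """Return (detected_type, claimed_extension, blocked)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    detected = identify_file_type(data)
    return detected, ext, detected in blocked_types


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")   # 13-16 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def find_sensitive_patterns(text: str):
    """Return (pattern_name, matched_text) pairs for content that should be filtered."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(("credit-card", m.group()))
    for m in SSN_RE.finditer(text):
        hits.append(("ssn", m.group()))
    return hits


# Constructed samples: a PE header carried under a .pdf name, and a text with one
# valid card number, one digit run that fails Luhn, and one SSN.
DISGUISED_EXE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24
SAMPLE_TEXT = ("Paid with 4111 1111 1111 1111 (exp 12/29); ticket 4111111111111112; "
               "employee SSN 078-05-1120 on file.")

if __name__ == "__main__":
    print(file_blocking_decision("invoice.pdf", DISGUISED_EXE, {"pe-executable"}))
    print(find_sensitive_patterns(SAMPLE_TEXT))
```

The `invoice.pdf` sample is blocked as a PE executable despite its extension, and only the Luhn-valid card number is reported. Real data filtering adds context such as proximity keywords and occurrence thresholds to cut false positives further.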

Log correlation and reporting

Powerful log filtering enables administrators to quickly investigate security incidents by correlating threats with applications and user identity. The Application Command Center (ACC) provides a comprehensive view of current and historical data – including network activity, application usage, users, and threats – in a highly visual, fully customizable, and easy-to-use interactive format. This visibility enables administrators to make informed policy decisions and respond quickly to potential security threats.

ACC provides a tabbed view of network activity, threat activity, and blocked activity, and each tab includes pertinent widgets for better visualization of traffic patterns on the network (see Figure 3-8).

Figure 3-8: ACC provides a highly visual, interactive, and customizable security management dashboard

Figure 3-9 shows a core widget of the ACC, the "Application Usage" widget. In this case, the widget shows application traffic in bytes. Applications (colored boxes) are grouped in application categories (gray bars). The size of each box indicates how much traffic a given application consumed during the selected time frame. The color of the box indicates the risk level of an application, with red being critical, orange being medium, and blue being the lowest risk. The tabular listing below the graph shows additional information, such as the number of sessions, threats detected, and content or files included, and URLs accessed by these applications.

Figure 3-9: The ACC "Application Usage" widget displays application traffic by type, amount, risk, and category

Figure 3-10 is another ACC widget example that shows source and destination by region, with a visual display of where traffic is originating and going. The world maps are interactive and provide the ability to get more detail and information about traffic to or from individual countries.

Figure 3-10: Geolocation awareness in ACC provides valuable information about source and destination of all application traffic

Figure 3-11 is another ACC widget example that shows the power of application control in an NGFW versus a traditional port-based firewall. This widget shows applications with port hopping capabilities using non-standard ports.

Figure 3-11: The "Applications Using Non Standard Ports" ACC widget highlights port hopping and showcases the importance of application versus port control

Custom tabs can also be created that include widgets that enable administrators to view more specific information. With the ACC, every administrator can customize their own views by selecting predesigned widgets from a drop-down list and building their own user interface (see Figure 3-12).

Figure 3-12: A large variety of widgets can be chosen to customize tabs in the ACC

In addition to customizing existing tabs (network, threat, and blocked activity), administrators can create new custom tabs to monitor certain employees, situations, or applications.

With the interactive capabilities of the ACC, you can learn more about applications, URL categories, risk levels, or threats to get a complete picture of network and threat activity (see Figure 3-13).

Figure 3-13: One-click, interactive capabilities provide additional information and the ability to apply any item as a global filter

The Automated Correlation Engine in the ACC is an analytics tool that surfaces critical threats that may be hidden in the network, which reduces manual data mining and enables faster response times. It scrutinizes isolated events automatically across multiple logs, queries the data for specific patterns, and correlates network events to identify compromised hosts. It includes correlation objects that are defined by the Palo Alto Networks Malware Research team. These objects identify suspicious traffic patterns, compromised hosts, and other events that indicate a malicious outcome. Some correlation objects can identify dynamic patterns that have been observed from malware samples in WildFire.

Correlation objects trigger correlation events when they match on traffic patterns and network artifacts that indicate a compromised host on your network. In the ACC, correlation triggers are clearly identified and highlighted to enable a fast response (see Figure 3-14).

Figure 3-14: The Automated Correlation Engine automatically highlights compromised hosts in ACC by correlating indicators of compromise (IoCs)

A log is an automatically generated, timestamped file that provides an audit trail for system events on the firewall or network traffic events that the firewall monitors. Log entries contain artifacts, which are properties, activities, or behaviors associated with the logged event, such as the application type or the IP address of an attacker. Each log type records information for a separate event type. For example, the firewall generates a Threat log to record traffic that matches a spyware, vulnerability, or virus signature or a DoS attack that matches the thresholds configured for a port scan or host sweep activity on the firewall.

The following logs can be viewed from the Monitor tab on Palo Alto Networks NGFWs:

  • Traffic logs. These logs display an entry for the start and end of each session. Each entry includes the following information: date and time; source and destination zones, addresses, and ports; application name; security rule applied to the traffic flow; rule action (allow, deny, or drop); ingress and egress interface; number of bytes; and session end reason.
  • Threat logs. These logs display entries when traffic matches one of the security profiles attached to a security rule on the firewall. Each entry includes the following information: date and time; type of threat (such as virus or spyware); threat description or URL (Name column); source and destination zones, addresses, and ports; application name; alarm action (such as allow or block); and severity level.
  • URL Filtering logs. These logs display entries for traffic that matches URL Filtering Profiles attached to security rules. For example, the firewall generates a log if a rule blocks access to specific websites and website categories or if you configured a rule to generate an alert when a user accesses a website.
  • WildFire Submissions logs. The firewall forwards samples (files and email links) to the WildFire cloud for analysis based on WildFire Analysis Profile settings. The firewall generates WildFire Submissions log entries for each sample it forwards after WildFire completes static and dynamic analysis of the sample. WildFire Submissions log entries include the WildFire verdict for the submitted sample.
  • Data Filtering logs. These logs display entries for the security rules that help prevent sensitive information such as credit card numbers from leaving the area that the firewall protects.
  • Correlation logs. The firewall logs a correlated event when the patterns and thresholds defined in a correlation object match the traffic patterns on your network.
  • Config logs. These logs display entries for changes to the firewall configuration. Each entry includes the date and time, the administrator username, the IP address from where the administrator made the change, the type of client (web, CLI, or Panorama), the type of command executed, the command status (succeeded or failed), the configuration path, and the values before and after the change.
  • System logs. These logs display entries for each system event on the firewall. Each entry includes the date and time, event severity, and event description.
  • HIP Match logs. The GlobalProtect host information profile (HIP) feature enables you to collect information about the security status of the end devices accessing your network (such as whether they have disk encryption enabled). The firewall can allow or deny access to a specific host based on adherence to the HIP-based security rules you define. HIP Match logs display traffic flows that match a HIP Object or HIP Profile that you configured for the rules.
  • Alarms logs. An alarm is a firewall-generated message that indicates that the number of events of a particular type (for example, encryption and decryption failures) has exceeded the threshold configured for that event type.
  • Unified logs. Unified logs are entries from the Traffic, Threat, URL Filtering, WildFire Submissions, and Data Filtering logs displayed in a single view. Unified log view enables you to investigate and filter the latest entries from different log types in one place, instead of searching through each log type separately.
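The Automated Correlation Engine described earlier works over exactly these log types: a correlation object looks for several different indicators against one source host inside a time window and raises a correlation event when enough of them line up. The added example below (not Palo Alto Networks code) implements one such object over a handful of constructed unified-view entries; the field names, the indicator rules, the one-hour window and the two-indicator threshold are all assumptions made for the illustration, not the PAN-OS log schema or a real correlation object.

```python
"""Added example (not Palo Alto Networks code): a toy correlation object that
scans Threat, URL Filtering and WildFire entries per source host and raises an
event when enough distinct indicators fall inside a time window. Entries, field
names and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed unified-view entries for two hosts (simplified fields).
LOGS = [
    {"ts": "2019-04-02T09:00:10", "type": "THREAT", "src": "10.1.1.20", "user": "alice",
     "app": "web-browsing", "name": "Exploit Kit Landing Page", "severity": "high"},
    {"ts": "2019-04-02T09:00:42", "type": "WILDFIRE", "src": "10.1.1.20", "user": "alice",
     "app": "web-browsing", "verdict": "malicious"},
    {"ts": "2019-04-02T09:03:15", "type": "URL", "src": "10.1.1.20", "user": "alice",
     "app": "ssl", "category": "malware"},
    {"ts": "2019-04-02T09:03:16", "type": "THREAT", "src": "10.1.1.20", "user": "alice",
     "app": "unknown-tcp", "name": "Spyware Phone Home", "severity": "critical"},
    {"ts": "2019-04-02T09:05:00", "type": "URL", "src": "10.1.1.31", "user": "bob",
     "app": "web-browsing", "category": "malware"},
    {"ts": "2019-04-02T13:00:00", "type": "THREAT", "src": "10.1.1.31", "user": "bob",
     "app": "web-browsing", "name": "HTTP Directory Scan", "severity": "low"},
]

WINDOW = timedelta(hours=1)


def indicator(entry):
    """Map a log entry to an indicator name, or None if it carries no signal.
    These rules are hypothetical, in the spirit of what the text says
    correlation objects encode (malware download, malware URL, high-severity threat)."""
    kind = entry["type"]
    if kind == "WILDFIRE" and entry.get("verdict") == "malicious":
        return "wildfire-malicious-download"
    if kind == "URL" and entry.get("category") == "malware":
        return "malware-url-visit"
    if kind == "THREAT" and entry.get("severity") in ("high", "critical"):
        return "high-severity-threat"
    return None


def correlate(logs, window=WINDOW, min_distinct=2):
    """Return one correlation event per source host whose indicators, inside a
    sliding window, span at least `min_distinct` different kinds."""
    by_src = defaultdict(list)
    for entry in logs:
        kind = indicator(entry)
        if kind:
            by_src[entry["src"]].append((datetime.fromisoformat(entry["ts"]), kind, entry))

    events = []
    for src, items in by_src.items():
        items.sort(key=lambda it: it[0])
        for i, (t0, _, first) in enumerate(items):
            in_window = [it for it in items[i:] if it[0] - t0 <= window]
            kinds = {it[1] for it in in_window}
            if len(kinds) >= min_distinct:
                events.append({
                    "src": src,
                    "user": first["user"],
                    "first_seen": t0.isoformat(),
                    "indicators": sorted(kinds),
                    "apps": sorted({it[2]["app"] for it in in_window}),
                    "evidence": len(in_window),
                })
                break  # one event per host; further hits would extend it
    return events


if __name__ == "__main__":
    for event in correlate(LOGS):
        print(event)
```

Only 10.1.1.20 is raised: four entries of three different kinds within a few minutes. 10.1.1.31 visited a malware-category URL but shows no second indicator, so it stays a single URL Filtering log line rather than a correlation event, which is the prioritization the text is after.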

The reporting capabilities on the Palo Alto Networks NGFW enable you to monitor your network health, validate your policies, and focus your efforts on maintaining network security. The following report types are available:

  • Predefined reports allow you to view a summary of the traffic on your network. Predefined reports are available in four categories: Applications, Traffic, Threat, and URL Filtering.
  • User or Group Activity reports allow you to schedule or create an on-demand report on the application use and URL activity for a specific user or for a user group. The report includes the URL categories and an estimated browse time calculation for individual users.
  • Custom reports can be created and scheduled to show exactly the information you want to see by filtering on conditions and columns to include. You can also include query builders for more specific details in report data.
  • PDF Summary reports aggregate up to 18 predefined or custom reports and graphs from Threat, Application, Trend, Traffic, and URL Filtering categories into one PDF document.
  • Botnet reports allow you to use behavior-based mechanisms to identify potential botnet-infected hosts in the network.
  • Report Groups combine custom and predefined reports into report groups and compile a single PDF that is emailed to one or more recipients.

Reports can be generated on demand or on a recurring schedule, and they can be scheduled for email delivery.

Palo Alto Networks Expedition (Migration Tool)

The migration to a Palo Alto Networks NGFW is a critical step toward the prevention and detection of cyberattacks. Today's advanced threats require moving away from port-based firewall policies, which are no longer adequate to protect against a modern threat landscape, into an architecture that reduces your attack surface by safely enabling only those applications that are critical to your organization, and eliminating applications that introduce risk.

Expedition enables organizations to analyze their existing environment, convert existing security policies to Palo Alto Networks NGFWs, and assist with the transition from proof-of-concept to production.

Primary functions of Expedition include:

  • Third-party migration transfers the various firewall rules, addresses, and service objects to a PAN-OS XML config file that can be imported into a Palo Alto Networks NGFW. Third-party migration from the following firewall vendors is available:
    • Cisco ASA/PIX/FWSM
    • Check Point
    • Fortinet
    • McAfee Sidewinder
    • Juniper SRX/NETSCREEN
  • Adoption of App-ID enables organizations to get the most value from their NGFW, while reducing the attack surface and regaining visibility and control over the organization through App-ID.
  • Optimization keeps NGFWs operating at peak performance with services that include:
    • Architecture review
    • System health check
    • Configuration audit
    • Optional product tuning and configuration change implementation
  • Consolidation of legacy firewalls to Palo Alto Networks virtual systems enables organizations to customize administration, networking, and security policies for the network traffic that is associated with specific departments or customers. In a standard virtual system interface configuration, each virtual system uses a dedicated interface to the internet, requiring the use of multiple IP addresses. A shared gateway allows organizations to create a common virtual interface for the virtual systems that correspond to a single physical interface. This shared gateway is helpful in environments where the ISP provides only a single IP address. All of the virtual systems communicate with the outside world through the physical interface using a single IP address.
  • Centralized management with Panorama enables organizations to centrally manage the process of configuring devices, deploying security policies, performing forensic analysis, and generating reports across the organization's entire network of Palo Alto Networks NGFWs. Panorama and the individual device management interfaces are available as either a virtual appliance or a dedicated management platform and share the same web-based look and feel, which ensures workflow consistency while minimizing any learning curve or delay in executing tasks.
  • Auto-zoning automatically adapts security policies from vendors that do not use zones and zone-based rules. Each address in a legacy rule is mapped to a zone through the firewall's routes and the IP addresses of the zone interfaces. The mappings adjust when you set or change the Interfaces and Zones settings.
  • Customized response pages can be loaded by administrators to notify end users of policy violations.
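Auto-zoning is the one item in the list above that is a concrete algorithm: every address in a zone-less rule is resolved through the routing table, longest prefix first, to the egress interface and therefore to that interface's zone. The added example below (not Expedition code) carries that lookup through for a constructed set of interfaces, static routes and ASA-style zone-less rules; everything in it, including the `UNRESOLVED` marker for addresses the routing table cannot place, is an assumption for illustration.

```python
"""Added example (not Expedition code): auto-zoning by longest-prefix route
lookup. Interfaces, zones, routes and the zone-less legacy rules are constructed."""
import ipaddress

INTERFACES = [
    {"name": "ethernet1/1", "ip": "203.0.113.2/30", "zone": "untrust"},
    {"name": "ethernet1/2", "ip": "10.1.0.1/24", "zone": "trust"},
    {"name": "ethernet1/3", "ip": "192.168.50.1/24", "zone": "dmz"},
]
STATIC_ROUTES = [
    {"dst": "0.0.0.0/0", "interface": "ethernet1/1"},   # default route to the ISP
    {"dst": "10.0.0.0/8", "interface": "ethernet1/2"},  # other sites behind the LAN router
]


def build_rib(interfaces, static_routes):
    """Connected routes come from the interface addresses; static routes are added;
    the table is ordered longest prefix first so the first hit is the best match."""
    zone_of = {i["name"]: i["zone"] for i in interfaces}
    rib = [(ipaddress.ip_interface(i["ip"]).network, i["name"]) for i in interfaces]
    rib += [(ipaddress.ip_network(r["dst"]), r["interface"]) for r in static_routes]
    rib.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return rib, zone_of


def zone_for(address, rib, zone_of):
    """Zone of the interface that would forward traffic to `address`."""
    if address == "any":
        return "any"
    ip = ipaddress.ip_address(address)
    for net, iface in rib:
        if ip in net:
            return zone_of[iface]
    return None  # no route: leave for the administrator


def zone_rule(legacy, rib, zone_of):
    """Attach 'from' and 'to' zones to a zone-less rule. Unroutable addresses are
    marked UNRESOLVED rather than silently dropped."""
    from_zones = sorted({zone_for(a, rib, zone_of) or "UNRESOLVED" for a in legacy["src"]})
    to_zones = sorted({zone_for(a, rib, zone_of) or "UNRESOLVED" for a in legacy["dst"]})
    return {**legacy, "from": from_zones, "to": to_zones}


# Constructed zone-less rules, in the shape a port-based firewall exports them.
LEGACY_RULES = [
    {"name": "inbound-https-to-dmz", "src": ["any"], "dst": ["192.168.50.10"],
     "service": "tcp/443", "action": "permit"},
    {"name": "lan-to-branch", "src": ["10.1.0.55"], "dst": ["10.2.3.4"],
     "service": "any", "action": "permit"},
    {"name": "dmz-to-internet", "src": ["192.168.50.10"], "dst": ["198.51.100.7"],
     "service": "tcp/443", "action": "permit"},
]

if __name__ == "__main__":
    rib, zone_of = build_rib(INTERFACES, STATIC_ROUTES)
    for rule in LEGACY_RULES:
        converted = zone_rule(rule, rib, zone_of)
        print(converted["name"], converted["from"], "->", converted["to"])
```

Note the second rule: both endpoints resolve to `trust`, because the branch network is reached through the LAN interface. That makes it an intrazone rule on the NGFW, which is exactly the kind of result a migration review should catch, since the legacy firewall may have enforced it at a different choke point.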

Together with its combination of tools, expertise, and best practices, Palo Alto Networks helps analyze an organization's existing environment, migrate policies and firewall settings to the NGFW, and assist in all phases of the transition.

Network security management (Panorama)

A data security breach often occurs not because of a lack of information about a cyberattack, but rather because of a lack of appropriately prioritized, actionable information. Possession of actionable, well-organized information about network traffic and threats is more crucial today than ever before. IT and security teams are inundated with unmanageable and uncorrelated amounts of information from multiple, independent security solutions that don't fully integrate with other solutions and lack automation. This complexity makes critical threats buried deep in mountains of information almost impossible to find. Both teams are too overwhelmed to find the proverbial "needle in the haystack" and therefore cannot prioritize their responses appropriately. As a result, several operational gaps exist between:

  • Alert and action. Network and security teams are often overwhelmed by the volume of data in security logs and are unable to easily determine which alerts are minor and which alerts are critical. Several cyberattacks in recent years (discussed in Section 1.1.6) demonstrate the impact of this first operational gap.
  • Known and unknown. As the threat landscape grows increasingly complex, organizations are facing a growing number of unknown threats, and many security teams are struggling to keep pace. Discovery of these threats quickly is crucial, but after they are discovered, security professionals must be able to quickly differentiate between the critical and the non-critical.
  • Idea and implementation. Networks are growing fast and complexity is increasing. Many companies have huge numbers of policies, many of them outdated, because the complexity of provisioning and managing a secure network has become too overwhelming.

Closing these operational gaps requires reducing security management complexity and improving incident response, so that threats are discovered rapidly and actionable intelligence surfaces quickly.

Palo Alto Networks Panorama network security management reduces security management complexity with consolidated policy creation and centralized management features. The Application Command Center (ACC) in Panorama provides a customizable dashboard for setup and control of Palo Alto Networks NGFWs, with an efficient rulebase and actionable insight into network-wide traffic and threats.

Panorama simplifies network security management with a single security rulebase for firewall, threat prevention, URL filtering, application awareness, user identification, sandboxing, file blocking, and data filtering, to safely enable applications in the enterprise. Security rules can easily be imported, duplicated, or modified across the network. Centralized management of policies and objects provides consistent global security for the organization, and local administrative control provides flexibility at the local level.

Panorama centrally manages common device and network configurations through templates that can be used to push configuration changes to all managed firewalls. Templates eliminate manual, repetitive, risky, and error-prone configuration changes to multiple, individual firewalls deployed throughout the enterprise network. Templates can also be stacked and used as building blocks for streamlined device and network configuration (see Figure 3-15).

Figure 3-15: Template stacking in Panorama

Panorama manages common policies and objects through hierarchical device groups (see Figure 3-16). Multilevel device groups are used to centrally manage the policies across all deployment locations with common requirements. Deployment of hierarchical device groups ensures that lower-level groups inherit the settings of higher-level groups. These device groups streamline central management and enable you to organize devices based on function and location without redundant configuration.

Figure 3-16: Hierarchical device groups in Panorama

You can use shared policies for central control while still providing your local firewall administrator with the autonomy to make specific adjustments for local requirements. At the device group level, you can create shared policies that are defined as the first set of rules (pre-rules) and the last set of rules (post-rules) to be evaluated against match criteria. Pre-rules and post-rules can be viewed on a managed firewall, but they can be edited from Panorama only within the context of the administrative roles that have been defined. Local device rules (those between pre-rules and post-rules) can be edited by either a local firewall administrator or by a Panorama administrator who has switched to a local firewall context. An organization also can use shared objects defined by a Panorama administrator, which can be referenced by locally managed device rules.
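The practical consequence of this layering is that a local administrator can only ever win in the gap between pre-rules and post-rules, since first match decides. The added example below (not Panorama code) lays out a rulebase from a constructed Shared/EMEA/Paris device-group tree plus local rules and evaluates a few sessions against it. Rule names, zones and applications are constructed; the ordering used for nested device groups (pre-rules from the root down, post-rules from the leaf up) is an assumption to confirm against the Panorama documentation, and the two default rules at the end follow PAN-OS's intrazone-allow, interzone-deny behaviour.

```python
"""Added example (not Panorama code): the evaluation order the text describes,
pre-rules first, local rules second, post-rules last, first match wins.
Device-group tree, rules and sessions are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    name: str
    action: str                       # "allow" or "deny"
    src_zone: Optional[str] = None    # None matches any
    dst_zone: Optional[str] = None
    app: Optional[str] = None
    user: Optional[str] = None

    def matches(self, session: dict) -> bool:
        for key in ("src_zone", "dst_zone", "app", "user"):
            want = getattr(self, key)
            if want is not None and want != session.get(key):
                return False
        return True


def effective_rulebase(hierarchy, local_rules):
    """hierarchy: [(name, pre_rules, post_rules), ...] ordered root first
    (Shared, then parent device group, then child). Pre-rules are laid out root
    to leaf, then the firewall's own rules, then post-rules leaf to root
    (the nesting order is an assumption; see the lead-in)."""
    ordered = []
    for _, pre, _ in hierarchy:
        ordered.extend(pre)
    ordered.extend(local_rules)
    for _, _, post in reversed(hierarchy):
        ordered.extend(post)
    return ordered


def evaluate(rulebase, session):
    """First match wins; otherwise the PAN-OS default rules apply:
    intrazone-default allows, interzone-default denies."""
    for rule in rulebase:
        if rule.matches(session):
            return rule.name, rule.action
    if session["src_zone"] == session["dst_zone"]:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


# Constructed device-group tree: Shared -> EMEA -> Paris.
HIERARCHY = [
    ("Shared", [Rule("block-tor", "deny", app="tor")],
               [Rule("deny-to-untrust", "deny", dst_zone="untrust")]),
    ("EMEA",   [Rule("allow-dns", "allow", app="dns", dst_zone="untrust")],
               [Rule("allow-web", "allow", app="web-browsing", dst_zone="untrust")]),
    ("Paris",  [],
               [Rule("paris-block-ftp", "deny", app="ftp")]),
]
# Rules written by the Paris firewall's local administrator.
LOCAL = [Rule("local-allow-ftp", "allow", src_zone="trust", dst_zone="untrust", app="ftp")]

# Same tree, but EMEA enforces the FTP block as a pre-rule: no local rule can override it.
HIERARCHY_STRICT = [
    HIERARCHY[0],
    ("EMEA", HIERARCHY[1][1] + [Rule("emea-block-ftp", "deny", app="ftp")], HIERARCHY[1][2]),
    HIERARCHY[2],
]


def session(src_zone, dst_zone, app, user="alice"):
    return {"src_zone": src_zone, "dst_zone": dst_zone, "app": app, "user": user}


if __name__ == "__main__":
    rulebase = effective_rulebase(HIERARCHY, LOCAL)
    for s in (session("trust", "untrust", "ftp"), session("trust", "untrust", "ssh"),
              session("trust", "trust", "smb")):
        print(s["app"], "->", evaluate(rulebase, s))
    print("ftp under strict tree ->",
          evaluate(effective_rulebase(HIERARCHY_STRICT, LOCAL), session("trust", "untrust", "ftp")))
```

With the FTP block as a Paris post-rule, the local allow rule is reached first and wins; moving the same block into a pre-rule reverses the outcome without touching the local rule at all. That is the lever a Panorama administrator uses to decide which decisions are delegated and which are not.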

Panorama uses the same set of powerful monitoring and reporting tools available at the local device management level. As you perform log queries and generate reports, Panorama dynamically pulls the most current data directly from NGFWs under management or from logs forwarded to Panorama. Logging and reporting capabilities in Panorama include:

  • Log viewer. For either an individual device or all devices, you can quickly view log activities using dynamic log filtering by clicking a cell value and/or using the expression builder to define the sort criteria. Results can be saved for future queries or exported for further analysis.
  • Custom reporting. Predefined reports can be used as is, customized, or grouped together as one report to suit specific requirements.
  • User activity reports. A user activity report shows the applications used, URL categories visited, websites visited, and all URLs visited over a specified period of time for individual users. Panorama builds the reports using an aggregate view of users' activity, no matter which firewall they are protected by, or which IP or device they may be using.
  • Log forwarding. Panorama aggregates logs collected from all of your Palo Alto Networks firewalls, both physical and virtual form factor, and forwards them to a remote destination for purposes such as long-term storage, forensics, or compliance reporting. Panorama can forward all or selected logs, Simple Network Management Protocol (SNMP) traps, and email notifications to a remote logging destination, such as a syslog server (over UDP, TCP, or SSL).

Panorama can be deployed in a centralized architecture with all Panorama management and logging functions consolidated into a single device, or in a distributed architecture with separate management units and Log Collectors in a hierarchical deployment architecture:

  • Panorama manager. The Panorama manager is responsible for handling the tasks associated with policy and device configuration across all managed devices. The manager does not store log data locally, but rather uses separate Log Collectors for handling log data. The manager analyzes the data stored in the Log Collectors for centralized reporting.
  • Panorama Log Collector. Organizations with high logging volume and retention requirements can deploy dedicated Panorama Log Collector devices that will aggregate log information from multiple managed firewalls.

Palo Alto Networks and Splunk have partnered to extend the powerful visibility into network traffic from Panorama to other network components. The combined solution delivers highly effective, coordinated detection, incident investigation, and response for cyberthreats. With the Splunk App for Palo Alto Networks (see Figure 3-17), enterprise security teams have a powerful platform for security visualization, monitoring, and analysis that enables them to fully leverage the extensive application, user, content, and threat data generated by Palo Alto Networks devices.

Figure 3-17: Integration with Splunk extends visibility and prevention capabilities to your entire network infrastructure

The integrated solution not only combines several approaches for identifying cyberthreats — including dynamic sandbox analysis, statistical anomaly detection, and infrastructure-wide event correlation — but also enables security administrators to expedite incident response by automating the steps needed to block malicious sources and quarantine compromised devices.

Endpoint Protection

Endpoint protection components in the Security Operating Platform include Traps advanced endpoint protection and GlobalProtect mobile security.

Advanced endpoint protection (Traps)

Advanced endpoint protection is a new security product innovation that requires a different mindset from traditional security methodologies. Rather than a reactive "detect and respond" approach as with traditional anti-malware software, advanced endpoint protection employs a proactive prevention strategy. Advanced endpoint protection must do the following:

  • Prevent all exploits, including those using unknown zero-day vulnerabilities
  • Block all malware, without requiring any prior knowledge of specific malware signatures
  • Provide detailed forensics against prevented attacks to strengthen all areas of the organization by pinpointing the targets and techniques used
  • Be highly scalable and lightweight to seamlessly integrate into existing operations with minimal to no disruption
  • Integrate closely with network and cloud security for quick data exchange and cross-organization protection

Palo Alto Networks Traps provides advanced endpoint protection that prevents sophisticated vulnerability exploits and malware-driven attacks, both known and unknown. The key to Traps is blocking core exploit and malware techniques, not the individual attacks. Traps automatically detects and blocks a core set of techniques that an attacker must link together to execute any type of attack, regardless of its complexity. Prevention of just one technique in the Cyber-Attack Lifecycle (see Section 1.2.2) thwarts the entire attack before it can do any damage.

The Traps agent injects itself into each process as it's started and automatically blocks advanced attacks that would otherwise evade detection. If an exploit attempt is made using one of the attack techniques, Traps immediately blocks that technique, terminates the process, and notifies the user and the security team that an attack was prevented (see Figure 3-18).

Figure 3-18: Traps blocks a core set of techniques to stop advanced attacks

Throughout each event, Traps collects detailed forensics and reports this information to the Endpoint Security Manager (ESM), providing better visibility and a strong understanding of attacks that were prevented. With Traps, endpoints are always protected, regardless of patch, signature, or software-update levels; plus, it requires no prior knowledge of an attack to prevent it.

To prevent the execution of malicious executables on the endpoint, Traps focuses on three key areas to ensure comprehensive protection (see Figure 3-19). The combination of these methods includes the following:

  • Policy-based restrictions: Organizations can easily set up policies restricting specific execution scenarios. For example, you may want to prevent the execution of files from the Outlook TMP directory, prevent execution of unsigned files, or prevent the execution of a particular file type directly from a USB drive.
  • WildFire inspection and analysis: Traps queries the Palo Alto Networks WildFire threat prevention cloud (discussed in Section 3.5.5) with a hash and submits any unknown .EXE files to assess their risk within the global threat community.
  • Malware techniques mitigation: Traps implements technique-based mitigations that prevent attacks by blocking techniques such as thread injection.

Figure 3-19: Prevention of malicious executables, a multi-tier approach

Malware prevention

The Traps malware prevention engine uses advanced execution control, WildFire integration, and malware prevention modules (MPMs) to prevent the execution of malware.

When a user or endpoint attempts to open an executable, Traps first verifies that the executable doesn't violate any policy-based restrictions. Policy-based restrictions drastically reduce the attack surface by preventing file execution in high-risk scenarios. For example, you may want to prevent execution of the following:

  • Particular (or any) file types directly from a USB drive
  • Files from certain paths (such as the Outlook TMP folder) or network locations where applications don't reside
  • Child processes created by specific applications (such as Microsoft PowerPoint)
  • Unsigned executables or executables with an invalid certificate

Alternatively, highly granular restrictions are available to define trusted processes or file types, locations, and registry paths that these processes can read from and write to. If any of the restriction rules apply to the executable, Traps blocks the file from executing and reports the security event to the ESM.

Traps provides static and dynamic execution control. Basic whitelisting and blacklisting of applications can be managed easily from the ESM Console. Every executable that has ever been run in the organization is listed in the ESM Console along with the WildFire verdict (discussed in Section 3.5.5). The administrator can easily override the verdict with the click of a button. For relatively static environments or specialized systems, such as Point of Sale (POS) or supervisory control and data acquisition (SCADA), endpoints can be hardened with a strict execution-control policy. For more dynamic environments such as end-user workstations, dynamic execution analysis and control is accomplished through integration with WildFire.

Traps Advanced Endpoint Protection is natively integrated with WildFire (discussed in Section 3.5.5) to provide zero-day protection against new and unknown exploits and malware threats. WildFire integration provides the capability to have the security of granular execution control and the manageability of a dynamic security policy driven by automated analysis of unknown executables (see Figure 3-20).

Figure 3-20: WildFire integration with Traps enables real-time evaluation of hash verdicts

If an executable file has never been seen before on the endpoint, Traps can submit the file hash for immediate identification by WildFire. If WildFire identifies the file as malicious, Traps will prevent execution before any damage is done. More than 1 million samples are analyzed each day, so there is a good chance that WildFire has seen the file and can alert Traps if it is malicious. If the file hasn't been seen by WildFire, it can be automatically uploaded for rapid analysis to determine whether it's malicious. Traps and Palo Alto Networks NGFWs can submit files to WildFire, so this integration allows for seamless sharing of threat intelligence between NGFWs and the endpoints.
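The order of the checks described from the policy-based restrictions onward matters: a restriction blocks a launch before any verdict is consulted, a cached verdict decides known files, and only unknown files go on to submission and the further prevention layers. The added example below (not Traps code) models that decision sequence for a few constructed launches. The policy, paths, sample bytes, the verdict cache standing in for the WildFire lookup, and the administrator override mechanism are all assumptions for illustration.

```python
"""Added example (not Traps code): the order of checks the text describes for an
executable launch. Restrictions first; then the file's hash against cached
verdicts (a stand-in for the WildFire lookup, with administrator overrides);
unknown files are flagged for submission. Everything here is constructed."""
import hashlib
from dataclasses import dataclass


@dataclass
class Launch:
    path: str
    content: bytes
    signed: bool              # valid code signature present
    parent: str               # process launching this one
    removable: bool = False   # path is on removable (USB) media


# Hypothetical policy, in the spirit of the restrictions listed in the text.
POLICY = {
    "blocked_path_prefixes": [
        "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\",
    ],
    "block_removable": True,
    "require_signature": True,
    "restricted_parents": {"POWERPNT.EXE", "WINWORD.EXE", "OUTLOOK.EXE"},
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample bytes and the verdict cache keyed by their hashes.
KNOWN_MALWARE = b"MZ\x90\x00" + b"bad-sample-1"
KNOWN_GOOD = b"MZ\x90\x00" + b"good-sample-1"
NEVER_SEEN = b"MZ\x90\x00" + b"fresh-sample-1"
VERDICTS = {sha256(KNOWN_MALWARE): "malicious", sha256(KNOWN_GOOD): "benign"}


def check_restrictions(launch: Launch, policy: dict):
    """Return the first restriction that applies, or None."""
    path = launch.path.lower()
    for prefix in policy["blocked_path_prefixes"]:
        if path.startswith(prefix.lower()):
            return "restricted-path"
    if policy["block_removable"] and launch.removable:
        return "removable-media"
    if policy["require_signature"] and not launch.signed:
        return "unsigned"
    if launch.parent.upper() in policy["restricted_parents"]:
        return "restricted-parent:" + launch.parent.upper()
    return None


def decide(launch: Launch, policy=POLICY, verdicts=VERDICTS, overrides=None):
    """Return (action, reason, sha256). `overrides` models an administrator
    overriding a verdict from the ESM console; it takes precedence over the cache."""
    digest = sha256(launch.content)
    reason = check_restrictions(launch, policy)
    if reason:
        return "block", reason, digest          # blocked before any verdict lookup
    verdict = (overrides or {}).get(digest) or verdicts.get(digest, "unknown")
    if verdict == "malicious":
        return "block", "verdict-malicious", digest
    if verdict == "benign":
        return "allow", "verdict-benign", digest
    # Unknown: submit for analysis. Execution is not unconditionally trusted;
    # in the product the local analysis and malware prevention modules still apply.
    return "allow-and-submit", "unknown-submitted", digest


if __name__ == "__main__":
    samples = [
        Launch("C:\\Program Files\\Vendor\\tool.exe", KNOWN_GOOD, True, "explorer.exe"),
        Launch("C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\INetCache\\"
               "Content.Outlook\\ABC123\\invoice.exe", KNOWN_GOOD, True, "OUTLOOK.EXE"),
        Launch("E:\\setup.exe", KNOWN_GOOD, True, "explorer.exe", removable=True),
        Launch("C:\\Windows\\System32\\cmd.exe", KNOWN_GOOD, True, "POWERPNT.EXE"),
        Launch("C:\\Temp\\new.exe", NEVER_SEEN, True, "explorer.exe"),
    ]
    for launch in samples:
        action, reason, digest = decide(launch)
        print(f"{action:16} {reason:32} {launch.path}")
```

The second sample is instructive: the bytes are a known-benign file, yet the launch is blocked because it came from the Outlook temporary folder. Restrictions are evaluated on where and how a file runs, not on what it is, which is why they cut the attack surface even when the verdict pipeline would have said "benign".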

If a malicious file is not blocked by advanced execution control or WildFire evaluation and is allowed to execute, malicious activity can still be blocked by Traps malware prevention modules (MPMs). MPMs focus on core techniques leveraged by many types of malware. For example, they will prevent malicious code from being injected into trusted applications.

A malware protection rule prevents the execution of malware, often disguised as or embedded in non-malicious files, by using malware modules to target common process behavior triggered by malware. You can enable injection of MPMs into all processes or enable protection into one or more protected processes in your organization. To allow legitimate processes to run, you can whitelist parent processes that inject into other processes. MPM rules include:

  • Suspend Guard: Protects against a common malware technique where the attacker creates processes in a suspended state to inject and run code before the process starts. You can enable suspend guard on a source process mode, configure user notification, and optionally whitelist function modules that can call child processes.
  • Thread Injection: Another common entry point for malicious code is through the creation of remote threads and processes. You can enable thread injection to stop remote thread and process creation and specify the limitation on either the source or destination process or thread. You can whitelist specific folders to make exceptions to the general execution restriction rule.

Traps prevents the execution of malicious files with a custom approach to countering traditional and modern attacks (see Figure 3-21). Also, administrators can use periodic scanning to identify dormant threats, comply with regulatory requirements, and accelerate incident response with endpoint context.

  • WildFire threat intelligence: In addition to third-party feeds, Traps leverages the intelligence obtained from tens of thousands of subscribers to the WildFire cloud-based threat analysis service to continuously aggregate threat data and maintain the collective immunity of all users across endpoints, networks, and cloud applications.
    • Traps queries WildFire with the hash of any Windows or macOS executable file, DLL, or Office file before the file runs to assess its standing within the global threat community. WildFire returns a near-instantaneous verdict on whether the file is malicious or benign. If the file is unknown, Traps proceeds with additional prevention techniques to determine whether it is a threat that should be terminated.
    • If the file is deemed malicious, Traps automatically terminates the process and optionally quarantines it.
  • Local Analysis via machine learning: If a file remains unknown after the initial hash lookup and has not been identified by administrators, Traps uses Local Analysis via machine learning on the endpoint – trained by WildFire threat intelligence – to determine whether the file can run, even before receiving a verdict from the deeper WildFire inspection. Local Analysis can examine hundreds of file characteristics in real time to determine whether a file is likely malicious or benign without relying on signatures, scanning, or behavioral analysis.
  • WildFire inspection and analysis: In addition to Local Analysis, Traps sends unknown files to WildFire for discovery and deeper analysis to rapidly detect potentially unknown malware. WildFire brings together the benefits of independent techniques for high-fidelity and evasion-resistant discovery that goes beyond legacy approaches. These techniques include:
    • Static analysis via machine learning: A more powerful version of Local Analysis, based in the cloud, that detects known threats by analyzing the characteristics of samples prior to execution
    • Dynamic analysis: A custom-built, evasion-resistant virtual environment in which previously unknown submissions are detonated to determine real-world effects and behavior
    • Bare metal analysis: A hardware-based analysis environment specifically designed for advanced threats that exhibit highly evasive characteristics and can detect virtual analysis

If WildFire determines a file to be a threat, it automatically creates and shares a new prevention control with Traps and other components of the Palo Alto Networks Security Operating Platform in as few as five minutes. This control ensures that the threat is immediately classified as malicious and is prevented if it is encountered again.

Additional prevention capabilities include:

  • Granular child process protection: Traps prevents script-based and fileless attacks, by default, with out-of-the-box, fine-grained controls over the launching of legitimate applications, such as script engines and command shells. The number of available controls continues to grow with regular content updates from the Palo Alto Networks threat research team, Unit 42. Administrators can whitelist or blacklist child processes, and command-line comparisons help to increase detection without negatively impacting process performance or shutting processes down.
  • Behavior-based ransomware protection: In addition to existing multi-method prevention measures, including exploit prevention, Local Analysis, and WildFire, Traps monitors the system for ransomware behavior. On detection, it immediately blocks attacks and prevents encryption of customer data.
  • Scanning: Administrators can scan endpoints and attached removable drives for dormant malware, with an option to automatically quarantine it for remediation when found. Periodic or on-demand scanning can be configured as part of a security profile on one or more endpoints.
  • Admin override policies: Traps enables organizations to define policies based on the hash of an executable file to control what is or isn't allowed to run in their environments. This capability reduces the attack surface and eliminates the negative impact on homegrown or heavily customized applications.
  • Malware quarantine: The quarantine is particularly useful in preventing the inadvertent dissemination of malware in organizations where network-based or cloud-based data storage and SaaS applications automatically sync files across multiple users and systems. Traps immediately quarantines malicious executable files, DLLs, and Office files to prevent propagation or execution attempts of infected files.
  • Grayware classification: Traps enables organizations to identify non-malicious but otherwise undesirable software, such as adware, and prevent it from running in their environments.
  • Execution restrictions: Traps enables organizations to easily define policies to restrict specific execution scenarios to reduce the attack surface of any environment. For example, Traps can prevent the execution of files from the Outlook temp directory or a particular file type from a USB drive.

Figure 3-21: Traps multi-method malware prevention

Exploit prevention

Traps focuses on the core techniques used by all exploits to render those techniques ineffective, which means the application is no longer vulnerable.

The Traps agent injects itself into each process as it is started. If the process attempts to execute any of the core attack techniques, the corresponding exploit prevention module (EPM) prevents that exploit by terminating the process, and it reports all of the details to the Endpoint Security Manager (ESM) as depicted in Figure 3-22.

Figure 3-22: Traps EPMs protect application processes against vulnerabilities

By default, Traps policy is configured to protect over 100 processes — each one with dozens of proprietary EPMs. Traps isn't limited to protecting only those processes or applications. Organizations use Traps to protect all kinds of processes and applications by adding them to the policy configuration. Processes that have been run on the endpoint automatically show up in the ESM Console, which means that those processes can be easily protected with the click of a button. This capability is especially useful for organizations running industry-specific applications, such as Point of Sale (POS) systems, ATM terminals, and supervisory control and data acquisition (SCADA).

If an application conflicts with one of the EPMs, security administrators can simply disable that EPM for the specific application and endpoint. The application is still protected by dozens of other EPMs (see Figure 3-23). Exploits rely on a series of techniques to successfully run, so the other EPMs continue to protect that application and block at least one of the techniques, which breaks the sequence.

Figure 3-23: Only one technique needs to be blocked for an exploit to fail

Attacks that the EPMs can prevent include:

  • Dynamic-link library (DLL) hijacking — replacing a legitimate DLL with a malicious one of the same name
  • Hijacking program control flow
  • Inserting malicious code as an exception handler

Rather than relying on signatures or behavior-based detection to identify exploit-based attacks, Traps takes the unique approach of targeting the limited number of techniques (that is, the tools) any exploit-based attack must use to manipulate a software vulnerability. Traps prevents the techniques instead of identifying each individual attack and thus protects unpatched systems, unsupported legacy systems, applications IT is unaware of, and never-before-seen exploits – also called zero-day exploits. Traps delivers exploit prevention using multiple methods:

  • Pre-exploit protection: Traps prevents the vulnerability-profiling techniques exploit kits use prior to launching attacks. By blocking these techniques, Traps prevents attackers from targeting vulnerable endpoints and applications, effectively preventing the attacks before they begin.
  • Technique-based exploit prevention: Traps prevents known, zero-day, and unpatched vulnerabilities by blocking the exploitation techniques that attackers use to manipulate applications. Although there are thousands of exploits, they typically rely on a small set of exploitation techniques that change infrequently. Traps blocks these techniques, which prevents exploitation attempts before they can compromise endpoints.
  • Kernel exploit prevention: Traps prevents exploits that leverage vulnerabilities in the operating system kernel to create processes with escalated (that is, system-level) privileges. Traps also protects against new exploit techniques used to execute malicious payloads, such as those seen in 2017's WannaCry and NotPetya attacks. By blocking processes from accessing the injected malicious code from the kernel, Traps can prevent the attack early in the attack lifecycle without affecting legitimate processes. This capability enables Traps to block advanced attacks that target or stem from the operating system itself.

By blocking the techniques common to all exploit-based attacks, Traps provides three important benefits:

  • Protects applications that cannot be patched and shadow IT applications: Risk is introduced when unsupported legacy applications are run or when users are granted the flexibility to download and run programs as they want. Traps enables organizations to run any applications, including those developed in-house, those that are no longer receiving updates or security support, or those that are running in their environment without the IT department's awareness, without opening the network to the threat of exploit-based attacks.
  • Eliminates the urgency to patch applications as soon as possible: Organizations using Traps can apply security patches when appropriate for the business and after sufficient testing. Traps prevents the exploitation of application vulnerabilities regardless of when an organization applies security patches issued by application vendors.
  • Prevents zero-day exploits from succeeding: Traps blocks the limited set of exploitation techniques that zero-day exploits typically use, so Traps protects organizations against attacks that use zero-day exploits.

Traps deployment architecture

Traps is a highly scalable advanced endpoint protection solution that consists of an Endpoint Security Manager (ESM) Console, Endpoint Security Manager Server(s), lightweight Traps agents (installed on individual endpoints), and optional external logging.

The Traps infrastructure supports various architectural options to allow for scalability to a large distributed environment. Installation of the ESM creates a database on Microsoft SQL Server and installs the administrative console within Internet Information Server (IIS).

ESM Servers essentially act as proxies between Traps agents and the ESM Database. Communications from Traps agents to ESM Servers occur over HTTPS. ESM Servers don't store data and therefore can be easily added and removed from the environment as needed to ensure adequate geographic coverage and redundancy.

To ensure global connectivity, organizations that don't use a mobility solution such as Palo Alto Networks GlobalProtect (discussed in Section 3.3.2) may opt to put an ESM Server in the DMZ or in a cloud-based environment with external connectivity.

The Traps agent installer can be deployed using your software deployment tool of choice.

Subsequent updates to the agent can be deployed via the ESM. The agent consumes less than 25MB on disk and less than 40MB while running in memory. Observed CPU use is less than 0.1 percent. The agent also employs various tamper-proofing methods that prevent users and malicious code from disabling protection or tampering with agent configuration.

The lightweight structure allows the Traps environment to scale horizontally and support large deployments of up to 50,000 agents per ESM, while still maintaining a centralized configuration and database for policies. Traps can coexist with most major endpoint security solutions with minimal CPU and I/O overhead. With minimal disruption, Traps is optimal for critical infrastructures, specialized systems, and virtual desktop infrastructure (VDI) environments.

The ESM can write logs to an external logging platform, such as a SIEM solution or any system that supports syslog, in addition to storing its logs internally.

Traps in action

To understand how Traps prevents an attack from succeeding, look at an actual cyber-attack example in which a PDF file with an embedded exploit is sent to an unsuspecting user (see Figure 3-24). The user opens the PDF file, which does the following:

  • Exploits Adobe Reader
  • Causes Adobe Reader to create an Internet Explorer (IE) child process
  • Causes IE to download an executable (EXE) file from a malicious website
  • Executes the new EXE file, which then performs malicious activities on the endpoint, including thread injection into IE

This chain of events is common in many attacks. The specific file type, exploit, and malicious executable payload may vary, but the steps are largely the same from one attack to another.

Figure 3-24: When an exploit is attempted, Traps blocks it before any malicious activity is initiated

The key to stopping an attack is to break this chain of events at the earliest possible stage of the attack.

To prevent an attack from succeeding, Traps provides prevention capabilities and multiple layers of protection to block the attacker's ability to access the network and move laterally within the enterprise. In this particular attack example, Traps can prevent the attack from succeeding by using any of the following techniques (see Figure 3-25):

  1. Exploit Technique 1. The exploit uses a series of techniques to take advantage of the vulnerability in the targeted application, Adobe Reader in this case. Although the exploit could be a new zero-day threat, the techniques it has to use are common and new techniques are very rare (typically two to four per year). In this example, the exploit uses several operating system (OS) functions.
  2. Exploit Technique 2. In this example, just-in-time (JIT) spraying is used to exploit a just-in-time compiler, which sets up the third exploit technique (heap spraying) to be used in the attack. This type of exploit is commonly used against PDF file formats and Adobe Flash Player. Again, Traps prevents the exploit from executing so that even if the first exploit technique for some reason succeeds, the second exploit fails and the attack is thwarted.
  3. Exploit Technique 3. In this example, heap spraying is used next to facilitate arbitrary code execution. This technique allows the attacker to place a byte sequence in the memory of a target process. Heap spraying is another commonly used exploit technique that Traps prevents from executing.
  4. Execution Restriction 1. In this example, Adobe Reader creates a child process (a technique commonly used to avoid anti-malware detection). Traps restricts child processes from executing arbitrarily and thus prevents the attack from succeeding.
  5. Execution Restriction 2. In this example, the attacker attempts to run an unsigned executable. Here again, Traps prevents the executable from running, based on rules that can be customized by an administrator.
  6. Execution Restriction 3. In this example, an executable program attempts to run from a restricted location, the IE TMP folder. These restricted locations can be customized by an administrator if needed.
  7. Local Verdict Check. A local verdict check compares the file against an administrator-configured blacklist to determine whether the file is explicitly blocked, or against a whitelist to determine if the file has been explicitly allowed regardless of its WildFire verdict.
  8. WildFire Known Verdict. Traps EPM checks the file against WildFire by sending the file hash. In this example, WildFire responds that the file is known to be malicious and therefore is not allowed to execute.
  9. WildFire On-Demand Inspection. If WildFire has never seen the file, it can be uploaded for analysis and not allowed to run until WildFire provides a verdict.
  10. Malware Prevention Module. If the malicious executable is allowed to run, it attempts a thread injection into IE. This malware technique is blocked by the Thread Injection malware prevention module in Traps.

Figure 3-25: Traps prevents this attack example at any one of ten critical steps

Key Terms:

  • In multitasking operating systems, a child process is a subprocess created by a parent process that is currently running on the system.

Although this is just one example, most modern attacks use some combination of these steps and various exploit and malware techniques. Whereas most endpoint protection approaches focus on one blocking method (whitelisting, for example), Traps takes advantage of every opportunity to prevent compromise and stop the attack.
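To make the layered decision concrete, the following Python models how steps 4 through 9 above, together with the execution restrictions and admin override policies described earlier, combine into a single pre-execution verdict. This is an added illustration, not Traps or WildFire code: the order of checks, the policy fields, the file paths and the hash cache are all constructed assumptions.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    HOLD = "hold"   # unknown file: held until a deeper-analysis verdict arrives


@dataclass
class FileEvent:
    """A file about to execute on an endpoint (constructed sample input)."""
    path: str
    content: bytes
    signed: bool
    from_removable_drive: bool = False

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()

    @property
    def extension(self) -> str:
        return self.path.lower().rsplit(".", 1)[-1] if "." in self.path else ""


@dataclass
class Policy:
    """Administrator-configured rules (assumed structure, not a product schema)."""
    restricted_folders: tuple[str, ...] = ()   # e.g. a mail client or browser temp folder
    removable_drive_blocked_types: frozenset[str] = frozenset()
    require_signed: bool = True
    hash_blacklist: frozenset[str] = frozenset()   # admin override: always block
    hash_whitelist: frozenset[str] = frozenset()   # admin override: always allow


def local_verdict(event: FileEvent, policy: Policy,
                  known_verdicts: dict[str, str]) -> tuple[Verdict, str]:
    """Return the first decisive verdict and the reason for it.

    Assumed order: execution restrictions, then admin hash overrides, then the
    cached cloud verdict, then HOLD for anything still unknown."""
    path = event.path.lower()
    # 1. Execution restrictions: cheap checks that shrink the attack surface
    #    before any hash is computed.
    for folder in policy.restricted_folders:
        if path.startswith(folder.lower()):
            return Verdict.BLOCK, f"restricted location {folder}"
    if event.from_removable_drive and event.extension in policy.removable_drive_blocked_types:
        return Verdict.BLOCK, f".{event.extension} file from removable drive"
    if policy.require_signed and not event.signed:
        return Verdict.BLOCK, "unsigned executable"
    # 2. Admin overrides keyed by hash: an explicit block wins over an explicit
    #    allow, and an explicit allow wins over any cloud verdict.
    digest = event.sha256
    if digest in policy.hash_blacklist:
        return Verdict.BLOCK, "admin blacklist"
    if digest in policy.hash_whitelist:
        return Verdict.ALLOW, "admin whitelist (overrides cloud verdict)"
    # 3. Known verdict for this hash (a constructed cache stands in for the
    #    cloud lookup performed before the file runs).
    cached = known_verdicts.get(digest)
    if cached == "malicious":
        return Verdict.BLOCK, "known malicious hash"
    if cached == "benign":
        return Verdict.ALLOW, "known benign hash"
    # 4. Never seen: hold execution until deeper analysis returns a verdict.
    return Verdict.HOLD, "unknown hash, submitted for analysis"


def demo() -> dict[str, tuple[Verdict, str]]:
    """Run constructed samples through the chain; returns {name: (verdict, reason)}."""
    malicious = b"constructed malicious sample"
    benign = b"constructed benign sample"
    in_house = b"constructed in-house tool flagged by the cloud"
    # Constructed verdict cache: the in-house tool is a deliberate false positive.
    known = {hashlib.sha256(s).hexdigest(): v for s, v in
             [(malicious, "malicious"), (benign, "benign"), (in_house, "malicious")]}
    policy = Policy(
        restricted_folders=(r"C:\constructed\ie_temp",),   # constructed path
        removable_drive_blocked_types=frozenset({"exe", "scr"}),
        hash_whitelist=frozenset({hashlib.sha256(in_house).hexdigest()}),
    )
    samples = {
        "temp_folder": FileEvent(r"C:\constructed\ie_temp\update.exe", benign, signed=True),
        "usb_screensaver": FileEvent(r"E:\photos.scr", benign, signed=True,
                                     from_removable_drive=True),
        "unsigned": FileEvent(r"C:\constructed\downloads\tool.exe", benign, signed=False),
        "known_malicious": FileEvent(r"C:\constructed\downloads\invoice.exe", malicious, signed=True),
        "whitelisted_tool": FileEvent(r"C:\constructed\apps\inhouse.exe", in_house, signed=True),
        "known_benign": FileEvent(r"C:\constructed\apps\editor.exe", benign, signed=True),
        "never_seen": FileEvent(r"C:\constructed\downloads\new.exe", b"never seen", signed=True),
    }
    return {name: local_verdict(ev, policy, known) for name, ev in samples.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in demo().items():
        print(f"{name:18} {verdict.value:5} {reason}")
```

Note that the whitelisted in-house tool is allowed even though the constructed cache marks it malicious, which is the "regardless of its WildFire verdict" behavior of step 7.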

Mobile security and VPN management (GlobalProtect)

Mobile computing is revolutionizing how and where employees work, and the tools that they use to perform their jobs. As enterprise mobile strategies mature, mobile capabilities become more advanced with new applications and greater access to data, introducing new opportunities — and new risks. If organizations want to adopt more sophisticated uses of mobile devices, enterprise security teams must ensure that they address concerns about the inherent risks to sensitive information and network assets that mobility brings.

Unfortunately, many traditional mobile security tools tend to focus on very basic use cases and may be as limited in their security capabilities as the use cases themselves. The path to unlocking the full value of the mobile device depends on security, which provides the means to extend applications safely. Security should be seen as a way to enable mobile initiatives rather than as a limitation to mobile strategies. To fully realize all of mobility's benefits and safely enable mobile devices, enterprises must:

  • Manage the device. Ensure that mobile devices are safely enabled by configuring the device with proper security settings. Simplify deployment and setup by provisioning common configurations such as account settings for email and credentials such as certificates.
  • Protect the device. Protect the mobile device from exploits and malware. Protection of the device also is important for protecting the data, because data is not safe on a compromised device.
  • Control the data. Control access to data and control the movement of data between applications. Establish policies that define who can access sensitive applications, and the particular devices that can be used.

Palo Alto Networks GlobalProtect safely enables mobile devices for business use by providing a unique solution to manage the device, protect the device, and control the data. It blends together the necessary technology and intelligence to provide a comprehensive solution for mobile security. This solution enables the organization to stop mobile threats, enforce security policies, and protect networks from compromised and non-compliant mobile devices.

GlobalProtect has three primary components:

  • GlobalProtect Gateway: Delivers mobile threat prevention and policy enforcement based on apps, users, content, device, and device state. GlobalProtect gateways provide security enforcement for traffic from GlobalProtect agents and apps. Also, if the host information profile (HIP) feature is enabled, the gateway generates a HIP report from the raw host data the clients submit and can use this information in policy enforcement. GlobalProtect gateways are configured on an interface on any Palo Alto Networks NGFW. You can run a gateway and a portal on the same firewall, or you can have multiple, distributed gateways throughout the enterprise. There are two types of GlobalProtect gateways:
    • External gateways: Provide security enforcement and/or virtual private network (VPN) access for remote users.
    • Internal gateways: An interface on the internal network configured as a GlobalProtect gateway for applying security policy for access to internal resources. When used in conjunction with User-ID (discussed in Section 3.2.1.2) and/or HIP checks, an internal gateway can be used to provide a secure, accurate method of identifying and controlling traffic by user and/or device state. Internal gateways are useful in sensitive environments where authenticated access to critical resources is required. You can configure an internal gateway in either tunnel mode or non-tunnel mode.
  • GlobalProtect Client: Enables device management, provides device state information, and establishes secure connectivity. It extends a VPN tunnel to Apple iOS, Android, and Windows 10 (and Universal Windows Platform) mobile devices with GlobalProtect App, and Windows, Mac, and Google Chrome operating systems with GlobalProtect Agent. It connects to the GlobalProtect Gateway to access applications and data in accordance with policy. GlobalProtect client software runs on endpoints and enables access to network resources via the GlobalProtect portals and gateways that have been deployed. There are two types of GlobalProtect clients:
    • GlobalProtect Agent runs on Windows, Mac, and Chrome operating systems and is deployed from the GlobalProtect portal. You configure the behavior of the agent – for example, which tabs the users can see and whether users can uninstall the agent – in the client configuration(s) you define on the portal.
    • GlobalProtect App runs on Apple iOS, Android, and Windows 10 mobile devices and establishes a device-level VPN connection to the GlobalProtect Gateway to protect traffic and enforce security policies. GlobalProtect App can automatically select the optimal gateway for a given location to provide a transparent user experience for security. On Apple iOS devices, GlobalProtect App can be configured for app-level VPN.
  • GlobalProtect Portal: Directs all client traffic to the appropriate gateway and is accessed first by the client device. The GlobalProtect Portal provides the management functions for the GlobalProtect infrastructure. Every client system that participates in the GlobalProtect network receives configuration information from the portal, including information about available gateways and any client certificates that may be required to connect to the GlobalProtect gateway(s). Also, the portal controls the behavior and distribution of the GlobalProtect client. If you are using the HIP feature, the portal also defines the information to collect from the host, including any custom information you require. The GlobalProtect Portal can be configured on an interface on any Palo Alto Networks NGFW.

Figure 3-26 illustrates how the GlobalProtect portals, gateways, and agents/apps work together to enable secure access for all your users, regardless of which devices they are using or where they are located.

Figure 3-26: GlobalProtect components work together to secure access for all users in the enterprise, regardless of location or device

GlobalProtect also provides a complete infrastructure for managing secure access to enterprise resources from remote sites. The GlobalProtect Large Scale VPN (LSVPN) feature on Palo Alto Networks NGFWs simplifies the deployment of traditional hub-and-spoke VPNs. The LSVPN feature enables security teams to quickly extend enterprise networks to multiple branch offices with a minimum amount of configuration required on the remote satellite devices. LSVPN uses certificates for device authentication and IPsec to secure data. The LSVPN infrastructure consists of the following components (see Figure 3-27):

  • GlobalProtect Portal: Provides the management functions for the GlobalProtect LSVPN infrastructure. Every satellite that participates in the GlobalProtect LSVPN receives configuration information from the portal, including configuration information to enable the satellites (the spokes) to connect to the gateways (the hubs). The portal can be configured on an interface on any Palo Alto Networks NGFW.
  • GlobalProtect gateways: A Palo Alto Networks NGFW that provides the tunnel endpoint for satellite connections. The resources that the satellites access are protected by security policy on the gateway. A separate portal and gateway are not required; a single firewall can function as portal and gateway.
  • GlobalProtect satellite: A Palo Alto Networks NGFW at a remote site that establishes IPsec tunnels with the gateway(s) at the corporate office(s) for secure access to centralized resources. Configuration on the satellite firewall is minimal, enabling security teams to quickly and easily scale the VPN as new sites are added.

Figure 3-27: The GlobalProtect LSVPN components work together to securely extend an enterprise network to remote offices

GlobalProtect cloud service is a cloud-based security infrastructure service that simplifies the process of scaling the Palo Alto Networks Security Operating Platform so that organizations can extend the same best-in-breed security to remote network locations and mobile users without having to build out their own global security infrastructure and expand their operational capacity. With GlobalProtect cloud service, Palo Alto Networks automatically deploys NGFWs and GlobalProtect portals and gateways in the locations where the organization needs them (see Figure 3-28).

Figure 3-28: GlobalProtect cloud service

With GlobalProtect cloud service, Palo Alto Networks deploys and manages the security infrastructure globally to secure your remote networks and mobile users. GlobalProtect cloud service comprises five components:

  • Cloud services plugin: Panorama (discussed in Section 3.2.3) plugin that enables GlobalProtect cloud service and the Logging Service. This plugin provides a simple and familiar interface for viewing the status of the service, and it configures the settings to begin directing traffic from your remote network locations and mobile users to the cloud service. To enable you to quickly enforce consistent security policy across all locations, you can leverage the Panorama templates and device groups you may have already created to push configurations to the firewalls, portals, and gateways in GlobalProtect cloud service.
  • Service infrastructure: Before GlobalProtect cloud service can create an infrastructure in the cloud for your remote network locations and mobile users, you must supply a subnet that does not overlap with other IP addresses you use internally. GlobalProtect cloud service uses the IP addresses within this subnet to establish a network infrastructure between your remote network locations and mobile users and service connections to your headquarters and/or data center (if applicable). Internal communication within the cloud is established using dynamic routing.
  • Service connections: A GlobalProtect cloud service license includes the option to establish IPsec tunnels (discussed in Section 2.6.4) to up to three of your headquarters or data center sites. This service is optional and enables GlobalProtect cloud service to connect to your authentication servers and give your mobile users and remote network users access to corporate resources. Before you can set up a service connection, you must set up an IPsec tunnel from each HQ/data center location to the GlobalProtect cloud service. You then set up routing to enable traffic to and from the tunnel to the subnetworks that contain the resources to which your remote network and mobile users need access. All GlobalProtect gateways can then connect to the service connection firewall in a hub-and-spoke architecture to provide access to the internal networks in your GlobalProtect cloud service infrastructure.
  • Remote networks: GlobalProtect cloud service for remote networks automatically deploys NGFWs in the regions you specify in the cloud services plugin during the onboarding steps. You will need an IPsec-compliant firewall, router, or software-defined WAN (SD-WAN) device that can establish a tunnel to GlobalProtect cloud service for remote networks, and you must route traffic from users at the remote network location through the IPsec tunnel so that the policy you have pushed to the service can be enforced by the cloud service. You can enable access to the subnetworks at each remote network location using either static routes, dynamic routing using the Border Gateway Protocol (BGP, discussed in Section 2.1.3), or a combination of static and dynamic routes. All remote network locations that you onboard are fully meshed.
  • Mobile users: GlobalProtect cloud service for mobile users automatically deploys GlobalProtect portals and gateways in the cloud. Mobile users then connect to GlobalProtect cloud service for mobile users to receive their VPN configuration, which routes them to the closest GlobalProtect cloud service gateway for policy enforcement. Before you can configure this service, you must designate an IP address pool for the service to use to assign IP addresses for the client VPN tunnels. The addresses in this pool must not overlap with other address pools you use internally or pools you assign for the service connections.
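Two of the components above carry an address-plan requirement: the service infrastructure subnet must not overlap your internal addresses, and the mobile user IP pool must not overlap internal pools or the service connection ranges. The following Python is an added example of the pre-onboarding check a practitioner would run, not Palo Alto Networks code; it checks every named range against every other one (stricter than the two stated rules) and all ranges in it are constructed.

```python
from __future__ import annotations

import ipaddress
from itertools import combinations


def validate_plan(plan: dict[str, str]) -> list[str]:
    """Return a list of problems with a named set of CIDR ranges (empty if clean).

    Every range is checked pairwise, which covers both rules stated above: the
    service infrastructure subnet must not overlap internal addresses, and the
    mobile user pool must not overlap internal pools or service connection ranges."""
    problems: list[str] = []
    nets = {}
    for name, cidr in plan.items():
        try:
            # strict=True rejects host bits set inside the prefix (e.g. 10.1.2.3/24),
            # a common typo that would otherwise silently widen the range.
            nets[name] = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{name}: {cidr} is not a valid network ({exc})")
    for (a, net_a), (b, net_b) in combinations(nets.items(), 2):
        if net_a.version == net_b.version and net_a.overlaps(net_b):
            problems.append(f"{a} {net_a} overlaps {b} {net_b}")
    return problems


def demo_plan() -> list[str]:
    """Constructed plan in which the mobile user pool collides with the corporate range."""
    plan = {
        "corporate_internal": "10.0.0.0/8",
        "service_infrastructure": "172.16.0.0/24",
        "service_connection_hq": "192.168.10.0/24",
        "service_connection_dc": "192.168.20.0/24",
        "mobile_user_pool": "10.200.0.0/16",   # overlaps corporate_internal
        "remote_site_branch1": "192.168.30.0/24",
    }
    return validate_plan(plan)


if __name__ == "__main__":
    for problem in demo_plan():
        print(problem)
```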

Also, the cloud firewalls, gateways, and portals that are deployed as part of the GlobalProtect cloud service infrastructure must forward all logs to the Logging Service. You can then view the logs, Application Command Center (ACC), and reports from Panorama for an aggregated view into your remote network and mobile user traffic.

All of the GlobalProtect cloud service firewalls deployed for your organization are fault tolerant. All of the cloud firewalls deployed to secure your remote network locations and enable service connections are in a high availability configuration, with state synchronization across multiple availability zones. Also, if you configure a backup WAN link, tunnel failover time is less than 10 seconds from the time of detection (depending on your internet provider). To ensure availability for mobile users, GlobalProtect cloud service deploys multiple firewalls in all regions to enable reliable, global coverage. Failover between a primary gateway and a backup gateway takes less than 20 seconds. The service is secure, resilient, up to date, and available to you when you need it, so you can focus on defining policies that meet your corporate usage guidelines for consistent policy enforcement.

Cloud Security

Cloud security components in the Security Operating Platform include Evident cloud monitoring and compliance and Aperture SaaS security.

Cloud monitoring and compliance (Evident)

Driven by the flexibility and ease of public clouds, Agile development and the DevOps movement have accelerated the speed of application development cycles. Security teams can no longer depend on pre-deployment scanning, penetration tests, or presence-based discovery methods. To get the visibility they need, they require automated, API-based tools that can handle the volumes of data produced in the cloud. The key for today's enterprise is to remove the human element from repeatable processes and tasks so teams can better protect their cloud environments. Human errors can become amplified quickly and create major risks. Cloud environments are continuously changing and connecting with more services, so errors are bound to occur: private keys inadvertently are made public, ports are left open, and stored data gets exposed.

Key Terms:

  • DevOps is the culture and practice of improved collaboration between application development and IT operations teams.

Evident was developed specifically to help modern IT, DevOps, and security and compliance teams implement and maintain security within the cloud shared responsibility model (discussed in Sections 1.1.3 and 2.8.1). Evident provides public cloud infrastructure services security that enables organizations to automate the management of cloud security and compliance risks so they can minimize the attack surface and protect their public cloud deployments.

Evident provides continuous monitoring of public clouds, which enables organizations to deploy applications confidently, knowing the cloud environment is securely configured. With continuous monitoring enabled, Evident also helps organizations achieve a continuous state of compliance. Evident analyzes the configurations of all the services and account settings against strict security and compliance controls. Data stored within cloud storage services is classified and checked for data exposure and malware.

The Evident automated approach to securing public cloud workloads incorporates three critical security components – continuous monitoring, compliance validation, and secure cloud storage. It is fully customizable and can be adapted to identify and alert enterprises about risks and vulnerabilities that are specific to their data and usage policies. The Evident API-based approach allows all three security components to be embedded directly into the application development process without compromising on agility.

The capabilities and benefits of Evident include:

  • Continuous visibility and monitoring. Evident provides security and compliance teams with a view into the risks across all their cloud accounts, services, and regions by automating monitoring, inspection, and assessment of the organization's cloud infrastructure services. Because security and compliance teams have real-time visibility into the security posture of their environment, they can be alerted about issues that do not comply with the organization's required controls and settings.
  • Compliance validation. Taking a security-first approach to compliance helps organizations go beyond compliance requirements and adopt best practices that keep their environments and data secure. Evident simplifies measurement and reporting of compliance with prebuilt, one-click compliance reports for Center for Internet Security (CIS) Foundations, General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), U.S. National Institute of Standards and Technology (NIST), Payment Card Industry (PCI), and Service Organization Control (SOC) 2, and allows users to create custom reports to measure specific organizational goals.
  • Securing cloud storage services. Evident helps identify and classify data stored in Amazon S3 buckets, Microsoft Azure Blob Storage, and Google Cloud Storage. Evident is powered by machine learning and provides awareness of the type of data in these services so organizations can identify data exposure risks and automatically remediate policy violations as soon as they occur.
  • Automated remediation. Evident enables automated remediation to quickly enforce policies as defined by the organization. Risks can be addressed quickly, and necessary changes can be made to configurations and settings without manual intervention, which returns the environment to a compliant state faster.
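The continuous-monitoring, compliance-validation and automated-remediation loop described above, reduced to its mechanics as an added example (this is not Evident's code and calls no real cloud API): a snapshot of account configuration is evaluated against a small set of controls, each violation becomes a finding, and each finding maps to the fix an automated remediation hook would apply. The snapshot, the control identifiers (`STORAGE-1`, `NET-1`, ...) and the severity thresholds are constructed for illustration, not CIS benchmark numbers.

```python
"""Continuous configuration assessment against a small control set.

Added example, not Evident's code: it models the kind of API-driven
inspection the text describes. ACCOUNT_SNAPSHOT is a constructed stand-in
for what a cloud inventory API would return; control ids are illustrative.
"""
from dataclasses import dataclass

# Constructed snapshot of storage, network and identity settings.
ACCOUNT_SNAPSHOT = {
    "storage_buckets": [
        {"name": "payroll-exports", "public_read": True, "encrypted": False},
        {"name": "app-logs", "public_read": False, "encrypted": True},
    ],
    "security_groups": [
        {"name": "bastion", "rules": [{"port": 22, "cidr": "10.0.0.0/8"}]},
        {"name": "db", "rules": [{"port": 3306, "cidr": "0.0.0.0/0"}]},
    ],
    "iam_users": [
        {"name": "alice", "mfa_enabled": True, "access_key_age_days": 30},
        {"name": "deploy-bot", "mfa_enabled": False, "access_key_age_days": 400},
    ],
}


@dataclass(frozen=True)
class Finding:
    control: str    # illustrative control id, not a CIS number
    resource: str
    severity: str
    detail: str


def check_storage(snapshot):
    """Publicly readable or unencrypted buckets: the 'stored data gets exposed' case."""
    for b in snapshot["storage_buckets"]:
        if b["public_read"]:
            yield Finding("STORAGE-1", b["name"], "high", "bucket is publicly readable")
        if not b["encrypted"]:
            yield Finding("STORAGE-2", b["name"], "medium", "bucket not encrypted at rest")


def check_open_ports(snapshot, sensitive_ports=(22, 3389, 3306, 5432)):
    """Management or database ports reachable from anywhere: the 'ports left open' case."""
    for sg in snapshot["security_groups"]:
        for rule in sg["rules"]:
            if rule["cidr"] == "0.0.0.0/0" and rule["port"] in sensitive_ports:
                yield Finding("NET-1", sg["name"], "high",
                              f"port {rule['port']} open to the internet")


def check_iam(snapshot, max_key_age=90):
    """Users without MFA and long-lived access keys."""
    for u in snapshot["iam_users"]:
        if not u["mfa_enabled"]:
            yield Finding("IAM-1", u["name"], "medium", "MFA not enabled")
        if u["access_key_age_days"] > max_key_age:
            yield Finding("IAM-2", u["name"], "medium",
                          f"access key older than {max_key_age} days")


CHECKS = [check_storage, check_open_ports, check_iam]


def assess(snapshot):
    """Run every control over the snapshot; a scheduler would call this continuously."""
    findings = []
    for check in CHECKS:
        findings.extend(check(snapshot))
    return findings


def is_compliant(findings, fail_on=("high",)):
    """Compliance verdict: no finding at or above the failing severity."""
    return not any(f.severity in fail_on for f in findings)


def remediation_plan(findings):
    """Map each finding to the automated fix a remediation hook would apply."""
    actions = {
        "STORAGE-1": "set bucket ACL to private",
        "STORAGE-2": "enable default encryption",
        "NET-1": "restrict rule CIDR to approved ranges",
        "IAM-1": "require MFA at next login",
        "IAM-2": "rotate access key",
    }
    return [(f.resource, actions[f.control]) for f in findings]


if __name__ == "__main__":
    results = assess(ACCOUNT_SNAPSHOT)
    for f in results:
        print(f"[{f.severity}] {f.control} {f.resource}: {f.detail}")
    print("compliant:", is_compliant(results))
    for resource, action in remediation_plan(results):
        print("remediate", resource, "->", action)
```

Each check is a generator so new controls can be added without touching the scheduler, and the remediation mapping is kept separate from detection so an organization can choose which fixes to automate and which to leave as alerts.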

SaaS security (Aperture)

To safely enable SaaS usage in your organization, start by clearly defining which SaaS applications should be used and which behaviors within those applications are allowed, and then control their usage with granular policies. This step requires a clear definition of which applications are:

  • Sanctioned (allowed and provided by IT)
  • Tolerated (allowed because of a legitimate business need, with restrictions, but not provided by IT)
  • Unsanctioned (not allowed)

Sanctioned SaaS applications provide business benefits and are fast to deploy, require minimal cost, and are infinitely scalable. Tolerated SaaS applications fulfill a legitimate business need, but certain usage restrictions may be necessary to reduce risk. Unsanctioned SaaS applications either clearly provide no business benefits, or the security risks of the application outweigh the business benefits. For example, an unsanctioned SaaS application may violate regulatory compliance mandates, create an unacceptable risk of loss of corporate intellectual property or other sensitive data, or enable malware distribution (see Figure 3-29).

Figure 3-29: Impacts of sanctioned and unsanctioned SaaS applications

To control sanctioned SaaS usage, an enterprise security solution must provide the following:

  • Threat prevention. SaaS applications introduce new threat risks that need to be understood and controlled. Many SaaS applications automatically sync files with users, and users often share data in SaaS applications with third parties that are out of an organization's control. These two aspects of SaaS environments create a new insertion point for malware that not only can get in from external shares, but can also automatically sync those infected files across the organization without any user intervention. To address SaaS-based malware threats, a security solution must be able to prevent known and unknown malware from residing in sanctioned SaaS applications, regardless of the source.
  • Visibility and data exposure control. After sanctioned SaaS usage is defined and controlled with a granular policy, data residing in those SaaS applications is no longer visible to the organization's perimeter firewalls. This loss of visibility creates a blind spot for IT. Additional data exposure controls are needed to specifically address the unique risks associated with SaaS environments, with a focus on data protection. Visibility of data stored and used in SaaS applications is critical to ensuring a deep understanding of users, the data they have shared, and how they have shared it.
  • Prevent risk, don't just respond. An organization's users commonly use certain SaaS applications long before the organization officially sanctions those applications. Even after a SaaS application is sanctioned, data is often shared with third parties that don't necessarily have next-generation security solutions to effectively safeguard SaaS data from malware threats and data exposure risks. Threat prevention and data exposure control in a SaaS-based environment requires visibility and control not just from the time that a SaaS application is sanctioned going forward. You need visibility and control of all your data, including data that was being stored – and shared – before the SaaS application was sanctioned.

Data residing within enterprise-enabled SaaS applications is not visible to an organization's network perimeter. Palo Alto Networks Aperture connects directly to sanctioned SaaS applications to provide data classification, sharing/permission visibility, and threat detection within the application. This capability yields unparalleled visibility, which allows organizations to inspect content for data exposure violations and control access to shared data via a contextual policy.

Aperture builds on the existing SaaS visibility and granular control capabilities of the Palo Alto Networks Security Operating Platform provided through App-ID with detailed SaaS-based reporting and granular control of SaaS usage. Figure 3-30 shows an example of the granular controls for SaaS applications supported with App-ID.

Figure 3-30: Example of granular controls supported with App-ID

Aperture is a completely cloud-based, end-to-end security solution that provides visibility and control within SaaS applications, without the need for any proxies, agents, software, additional hardware, or network changes (see Figure 3-31). Aperture isn't an inline service, so it doesn't impact latency, bandwidth, or end-user experience. Aperture communicates directly with the SaaS applications themselves and looks at data from any source, regardless of the device or location from which the data was sent.

Figure 3-31: Complete SaaS visibility and control with the Palo Alto Networks Security Operating Platform

SaaS threat prevention

WildFire (discussed in Section 3.5.5) threat cloud integration with Aperture provides cyberthreat prevention to block known malware and to identify and block unknown malware. This integration extends existing WildFire protection to prevent threats from spreading through sanctioned SaaS applications, closing off a new insertion point for malware. When new malware is discovered by Aperture, the threat information is shared with the rest of the Security Operating Platform, even though Aperture is not deployed inline with the SaaS applications.

Data exposure visibility

Aperture provides complete visibility across all user, folder, and file activity, which provides detailed analysis that helps you transition from a position of speculation to one of knowing exactly what is occurring in the SaaS environment at any given point in time. Because you can view deep analytics into day-to-day usage, you can quickly determine if there are any data risk or compliance-related policy violations. This detailed analysis of user and data activity allows for granular data governance and forensics.

Aperture connects directly to the applications themselves, so it provides continuous silent monitoring of the risks within the sanctioned SaaS applications, with detailed visibility that is not possible with traditional security solutions.

Contextual data exposure control

Aperture enables you to define granular, context-aware policy control that provides you with the ability to drive enforcement and the quarantine of users and data as soon as a violation occurs. This control enables you to quickly and easily satisfy data risk compliance requirements such as PCI and PII while still maintaining the benefits of cloud-based applications.

Aperture prevents data exposure in unstructured (hosted files) and structured (application entries such as Salesforce.com) data. Both data types are common sources of improper data shares.

Advanced document classification

Aperture inspects documents for common sensitive data strings such as credit card numbers, SSH keys, and Social Security numbers, and flags them as risks if they are improperly shared. Unique to Aperture is the ability to identify documents by type, through advanced document classification regardless of the data that is contained in the document itself. Aperture has been predesigned to automatically identify sensitive documents, such as those related to medical, tax, and legal issues.

Retroactive policy

A traditional network security solution can see only inline data and apply security policies to data that is accessed inline, after the policy is created. This approach doesn't effectively prevent SaaS data exposure, however, because SaaS data may have been shared long before the policy was created. This data may not be accessed inline for many months or years, potentially leaving sensitive data exposed indefinitely to malware infection and unauthorized access.

Aperture retroactively applies security policies to all users and data from the beginning of the SaaS account's creation, rather than the policy creation, to identify any potential vulnerabilities or policy violations. Aperture does not wait for someone to access the data inline to apply policies and resolve any vulnerabilities or violations; SaaS data and shares are proactively discovered, protected, and resolved, no matter when they were created.

Policies are context-driven to allow for granular definitions of data exposure risks. This granularity is necessary to enable SaaS use by users while still preventing accidental data exposure. Policies take several factors in context to create an overall data exposure risk profile. One or two factors may not provide enough insight into the potential risk of the share. The overall risk of exposure is determined only after the full context of the share is understood.

Risks are calculated by user type, document type, sensitive data contained, how they are shared, and whether malware is present. This capability provides the ability to control the exposure at a granular level based on several important factors.

For example, a financial team may be able to share financial data with other people on their team, but not beyond that. Even though the original share is allowed, they cannot share data that is infected with malware. The financial team may, however, be allowed to share nonsensitive data companywide or, in some cases, with external vendors. The key to enabling this level of granularity is the ability to look at the share in the context of all the factors.
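The sensitive-string detection and document typing described under "Advanced document classification", combined with the context-driven share-risk evaluation of the last few paragraphs, as one added example (this is not Aperture's logic). It scans a document for card numbers (validated with the Luhn checksum so random digit runs are not flagged), SSNs and SSH private keys, assigns a document type from keywords, and then decides a share verdict from document type, sensitive content, share scope, user type and whether malware is present, mirroring the finance-team example above. The regexes, keyword lists, scoring weights and sample documents are constructed assumptions.

```python
"""Sensitive-string detection, document typing and contextual share-risk scoring.

Added example, not Aperture's code. Patterns, keyword lists, weights and
the sample documents below are constructed for illustration.
"""
import re

CC_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")          # candidate card numbers
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")           # US Social Security number layout
SSH_KEY_RE = re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC )?PRIVATE KEY-----")


def luhn_ok(digits):
    """Luhn checksum; drops digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive_strings(text):
    """Return the set of sensitive-data categories present in the text."""
    found = set()
    for m in CC_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            found.add("credit_card")
    if SSN_RE.search(text):
        found.add("ssn")
    if SSH_KEY_RE.search(text):
        found.add("ssh_private_key")
    return found


# Assumed keyword lists; a real classifier would be trained, not hand-written.
DOC_TYPE_KEYWORDS = {
    "medical": {"diagnosis", "patient", "prescription"},
    "tax": {"w-2", "1099", "taxable income"},
    "legal": {"hereinafter", "whereas", "indemnify"},
    "financial": {"invoice", "balance sheet", "revenue"},
}


def classify_document(text):
    """Document type by keyword hits, independent of any sensitive strings it holds."""
    lowered = text.lower()
    scores = {t: sum(k in lowered for k in kws) for t, kws in DOC_TYPE_KEYWORDS.items()}
    best = max(scores, key=scores.get)
    return best if scores[best] > 0 else "general"


# Assumed weights: wider sharing and more sensitive content raise the risk score.
SHARE_SCOPE_WEIGHT = {"private": 0, "team": 1, "company": 2, "external": 4, "public": 6}
DOC_TYPE_WEIGHT = {"general": 0, "financial": 2, "legal": 2, "tax": 3, "medical": 3}


def assess_share(doc_text, share_scope, user_type="employee", malware_present=False):
    """Combine every factor into a risk score and a verdict for one share."""
    sensitive = find_sensitive_strings(doc_text)
    doc_type = classify_document(doc_text)
    score = (SHARE_SCOPE_WEIGHT[share_scope] + DOC_TYPE_WEIGHT[doc_type]
             + 3 * len(sensitive) + (10 if malware_present else 0))
    if malware_present:
        verdict = "block"            # infected files are never shared, whatever the scope
    elif doc_type == "general" and not sensitive:
        verdict = "allow"            # nonsensitive data may go company-wide or to vendors
    elif user_type == "contractor" or share_scope not in ("private", "team"):
        verdict = "quarantine"       # sensitive data stays inside the owning team
    else:
        verdict = "allow"
    return {"doc_type": doc_type, "sensitive": sorted(sensitive),
            "score": score, "verdict": verdict}


# Constructed sample documents (the card number is a well-known test value).
SAMPLE_DOCS = {
    "q3_invoice.txt": "Invoice 4471: revenue summary for Q3. Card on file 4111 1111 1111 1111.",
    "patient_note.txt": "Patient Jane Roe, diagnosis pending; SSN 123-45-6789 on file.",
    "lunch_menu.txt": "Taco Tuesday menu: tacos, burritos, and agua fresca.",
    "deploy_key.txt": "-----BEGIN OPENSSH PRIVATE KEY-----\nQUFBQUFBQUFB\n-----END OPENSSH PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    for name, text in SAMPLE_DOCS.items():
        for scope in ("team", "external"):
            print(name, scope, assess_share(text, scope))
```

The verdict deliberately depends on the whole context: the same invoice is allowed at team scope and quarantined when shared externally, and a harmless menu shared publicly is still allowed, which is the granularity the text says one or two factors alone cannot give.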

Application Framework and Logging Service

The Application Framework and Logging Service in the Security Operating Platform provides cloud-delivered security services including behavioral analytics (Magnifier), log management (Logging Service), threat intelligence (AutoFocus), threat indicator sharing (MineMeld), and malware analysis and threat prevention (WildFire).

Behavioral analytics (Magnifier)

Many organizations can't find intrusions quickly because security analysts are inundated with log messages generated by their infrastructure. They try to find high-priority threats by correlating logs, but they rarely have the correct data or tools to accurately detect attacks. So, they're left with endless alerts to review, many false positives, and an unwieldy list of correlation rules to maintain.

As a result, security analysts operate in firefighting mode, attempting to review as many alerts as possible each day. These alerts often lack the context needed to confirm threats, so analysts waste valuable time finding additional information rather than stopping attacks.

Palo Alto Networks Magnifier behavioral analytics helps security analysts quickly find and stop the stealthiest network threats. Magnifier analyzes rich network, endpoint, and cloud data with machine learning, and accurately identifies targeted attacks, malicious insiders, and compromised endpoints. Security analysts can rapidly confirm threats by reviewing actionable alerts which contain investigative detail, and then leverage the NGFW to block threats before the damage is done.

By thwarting every step of an attack, organizations can limit any opportunity for an attack to succeed. Magnifier detects and stops command and control, lateral movement, and data exfiltration by detecting behavioral anomalies indicative of attack. Magnifier delivers powerful behavior-based protection, augmenting the Security Operating Platform to stop attacks across the attack lifecycle (see Figure 3-32).

Figure 3-32: The Security Operating Platform prevents threats across the attack lifecycle

Magnifier automatically pinpoints active attacks, which allows security analysts to focus on the threats that matter. Magnifier starts by analyzing rich data stored in the Logging Service by Palo Alto Networks NGFWs, including information about users, devices, and applications. Magnifier examines multiple logs, including Enhanced Application Logs, which provide data specifically designed for analytics. Analysis of multiple logs allows Magnifier to track attributes that are nearly impossible to ascertain from traditional threat logs or high-level network flow data. Magnifier uses the following machine learning techniques to analyze logs:

  • Unsupervised machine learning: Magnifier uses unsupervised machine learning to model user and device behavior, perform peer group analysis, and cluster devices into relevant groups of behavior. Magnifier uses these profiles to detect anomalies compared to past behavior and peer behavior.
  • Supervised machine learning: Magnifier monitors multiple characteristics of network traffic to classify each device by type, such as a desktop computer, mobile device, or mail server. Magnifier also learns which users are IT administrators or normal users. With supervised machine learning, Magnifier recognizes deviations from expected behavior based on the type of user or device, thus reducing false positives.

Magnifier leverages a pre-compute detection framework to maximize speed, efficiency, and accuracy. This framework processes log data stored in the Logging Service by NGFWs and calculates the values it needs to track user and device behavior. Each Magnifier detection algorithm can analyze large amounts of data over long periods of time because the inputs have been pre-calculated. Magnifier does not rely on correlation rules to parse large volumes of raw data and find one or two signs of malicious behavior. Instead, the Magnifier detection algorithms can evaluate past behavior, peer behavior, the type of entity, and many other attributes simultaneously to avoid false positives and produce higher-fidelity results.
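A stripped-down illustration of the two ideas just described, added here as an example that is not Magnifier's code: per-device and per-peer-group baselines (the unsupervised, "past behavior and peer behavior" view, with device type standing in for what supervised learning would assign) are precomputed once from historical log summaries, and each new observation is then scored against both with a z-score, so a workstation suddenly sending server-sized volumes is flagged while the mail server's identical volume is not. The daily log summaries, feature names and the threshold are constructed assumptions.

```python
"""Peer-group behavioural baselining with pre-computed statistics.

Added example, not Magnifier's algorithms. HISTORY is a constructed set of
daily per-device summaries; the 3-sigma threshold is an assumption.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history: (device, device_type, day, bytes_out_mb, distinct_internal_hosts)
HISTORY = [
    ("ws-alice", "workstation", 1, 120, 4), ("ws-alice", "workstation", 2, 130, 5),
    ("ws-alice", "workstation", 3, 110, 4), ("ws-alice", "workstation", 4, 125, 6),
    ("ws-bob", "workstation", 1, 90, 3), ("ws-bob", "workstation", 2, 100, 4),
    ("ws-bob", "workstation", 3, 95, 3), ("ws-bob", "workstation", 4, 105, 4),
    ("srv-mail", "server", 1, 5000, 40), ("srv-mail", "server", 2, 5200, 42),
    ("srv-mail", "server", 3, 4900, 39), ("srv-mail", "server", 4, 5100, 41),
]
FEATURES = ("bytes_out_mb", "distinct_internal_hosts")


def _summarise(table):
    """(mean, population stdev) per feature for every key in the table."""
    return {key: {f: (mean(v), pstdev(v)) for f, v in feats.items()}
            for key, feats in table.items()}


def precompute_baselines(records):
    """One pass over history: per-device and per-peer-group statistics per feature.

    This is the 'pre-compute' step: detection later reads these numbers instead of
    re-parsing the raw logs.
    """
    per_device = defaultdict(lambda: defaultdict(list))
    per_group = defaultdict(lambda: defaultdict(list))
    group_of = {}
    for device, dtype, _day, bytes_out, hosts in records:
        group_of[device] = dtype
        for name, val in zip(FEATURES, (bytes_out, hosts)):
            per_device[device][name].append(val)
            per_group[dtype][name].append(val)
    return {"device": _summarise(per_device), "group": _summarise(per_group),
            "group_of": group_of}


def zscore(value, stats):
    """Standard score; a zero-variance baseline is treated as stdev 1 to avoid dividing by zero."""
    m, sd = stats
    return (value - m) / (sd or 1.0)


def score_observation(baselines, device, bytes_out, hosts, threshold=3.0):
    """Return (feature, z_vs_self, z_vs_peers) for each feature beyond the threshold on either view."""
    group = baselines["group_of"][device]
    anomalies = []
    for name, val in zip(FEATURES, (bytes_out, hosts)):
        z_self = zscore(val, baselines["device"][device][name])
        z_peer = zscore(val, baselines["group"][group][name])
        if z_self > threshold or z_peer > threshold:
            anomalies.append((name, round(z_self, 1), round(z_peer, 1)))
    return anomalies


if __name__ == "__main__":
    b = precompute_baselines(HISTORY)
    # Constructed new observations: one normal day, one that looks like staging plus exfiltration.
    print("ws-alice normal:", score_observation(b, "ws-alice", 128, 5))
    print("ws-alice suspicious:", score_observation(b, "ws-alice", 900, 40))
    print("srv-mail normal:", score_observation(b, "srv-mail", 5000, 40))
```

Reporting both z-scores matters: a device that has always behaved oddly is invisible against its own history but stands out against its peers, while a device whose peers are all noisy stands out only against itself. The peer group here comes from a static device type; the text describes that type being learned, which is what keeps a busy server from generating the false positives a single global baseline would.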

By integrating attack detection algorithms with data collected from the Security Operating Platform and applying a pre-compute detection framework, Magnifier identifies active attacks with unparalleled precision.

To reduce investigation time, Magnifier produces a small number of accurate, actionable alerts, together with information about the user, application, and device obtained through User-ID and App-ID technology. Magnifier also eliminates lengthy forensics investigations by interrogating endpoints to determine which process or executable initiated an attack. Then, Magnifier ascertains whether the endpoint process is malicious by integrating with the WildFire cloud-based threat analysis service to analyze the process. Magnifier makes verification of attacks easy for security analysts by presenting all the necessary information in an intuitive web interface (see Figure 3-33).

Figure 3-33: Magnifier web interface

Magnifier behavioral analytics identifies behavioral anomalies to expose hard-to-detect threats, such as:

  • Targeted attacks. Attackers attempt to blend in with legitimate users as they explore and exploit targeted networks. Magnifier detects the anomalous behavior that attackers cannot avoid as they traverse the network and look for valuable data.
  • Malicious insiders. With their trusted credentials and access, malicious insiders can cause massive damage. Magnifier identifies changes in user behavior to detect attacks such as internal reconnaissance and lateral movement.
  • Risky behavior. Well-meaning but reckless employees can expose organizations to undue risk. Magnifier allows organizations to follow security best practices by monitoring user activity and identifying risky behavior.
  • Compromised endpoints. Attackers often use malware to infiltrate targeted networks. Magnifier identifies anomalous traffic generated by malware and confirms infections using Pathfinder endpoint analysis and WildFire threat analysis services.

Palo Alto Networks NGFWs monitor network traffic and extract metadata expressly designed for analytics. Magnifier uses this data, along with Pathfinder endpoint analysis, to profile user and device behavior without requiring organizations to provision new network sensors or agents (see Figure 3-34). The Palo Alto Networks Logging Service delivers efficient log storage that scales to handle the large volumes of data needed for behavioral analytics. Organizations can quickly deploy Magnifier and the Logging Service and avoid the time-consuming process of setting up new equipment.

Figure 3-34: Magnifier uncovers attacks by analyzing data from NGFWs and Pathfinder endpoint analysis

As a cloud-based application for the Palo Alto Networks Application Framework, Magnifier overcomes the scaling challenges of on-premises analytics and allows Palo Alto Networks researchers to deploy security innovations more quickly.

The Logging Service elastically scales on demand in the cloud, providing an intelligent, operationally efficient, cost-effective way to store the large volumes of data needed for behavioral analytics.

As a cloud-delivered application, Magnifier increases the speed of technical innovation while streamlining IT operations. Magnifier researchers can rapidly deploy new behavioral analytics detection algorithms to all subscribers, review anonymized metrics to gauge their efficacy, and adjust algorithms and metrics as needed. Organizations no longer need to maintain or upgrade on-premises software because Magnifier is always up-to-date.

Log management (Logging Service)

Network security log analysis is an important cybersecurity practice that organizations perform to correlate potential threats and prevent breaches, but managing logs from various security tools and services takes effort and resources. To convert these logs into actionable information, organizations need an affordable way to store, process, and analyze as much log data as possible. Unfortunately, traditional hardware-based log collection comes with administrative overhead and scale limitations that make otherwise useful data unwieldy or unavailable.

To protect their networks, organizations must be able to perform advanced analytics on all available data. Security applications that perform such analytics need access to scalable storage capacity and processing power. In the case of hardware-based log management products, such infrastructure and processing power may not be readily available, which makes these offerings less responsive to changing business needs.

The Palo Alto Networks Logging Service is a cloud-based offering for context-rich enhanced network logs generated by Palo Alto Networks security products, including NGFWs, GlobalProtect cloud service, and Traps advanced endpoint protection. The cloud-based Logging Service lets organizations collect ever-expanding volumes of data without needing to plan for local compute and storage, and it is always ready to scale. Palo Alto Networks handles all the infrastructure needs, including storage and compute, to provide insights customers can use. If an organization already has on-premises log collectors, the Logging Service complements them by providing a logical extension of log storage to the cloud.

The Logging Service is the cornerstone of the Palo Alto Networks Application Framework (see Figure 3-35): a scalable set of security applications that can apply advanced analytics in concert with Palo Alto Networks enforcement points to prevent the most advanced attacks.

Organizations are no longer limited by how much hardware is available or how quickly sensors can be deployed pervasively throughout the network.

Figure 3-35: The Palo Alto Networks Logging Service

Logging Service capabilities include:

  • Central repository for NGFW and cloud services logs. The Logging Service can collect logs from NGFWs of all form factors and Palo Alto Networks cloud-based services. Logs are available in one location, which facilitates application of analytics and correlation capabilities to identify threats.
  • Logging infrastructure that scales with changing business needs. The Logging Service was designed to scale quickly, and changes can easily be made.
  • Insight into network, application, and user behavior. The Application Command Center – part of Panorama network security management (discussed in Section 3.2.3) – and its reporting capabilities give security analysts critical insights into network, application, and user behavior. With this level of context, analysts can make informed decisions about how to eliminate open attack vectors and improve the organization's security posture.
  • Integration with other security infrastructure. You can make the data and information hosted by the Logging Service available to your choice of third-party or custom security applications. You can also automate security workflows using Palo Alto Networks security infrastructure through the Application Framework.

Threat intelligence (AutoFocus)

Highly automated and increasingly sophisticated cyberattacks are occurring in greater volumes than ever before. Overburdened security teams, futilely attempting to investigate every threat in the enterprise network, have little time to analyze and understand truly advanced attacks.

Palo Alto Networks AutoFocus enables a proactive, prevention-based approach to network security that puts automation to work for security professionals. Threat intelligence from the service is made directly accessible in the Palo Alto Networks platform, including PAN-OS software and Panorama. AutoFocus speeds the security team's existing workflows, which allows for in-depth investigation into suspicious activity, without additional specialized resources.

AutoFocus is built on a large-scale, distributed computing environment hosted in the Palo Alto Networks threat intelligence cloud. Unlike other solutions, the service makes threat data accessible and actionable at the IoC level and goes beyond simply showing summarized logs from multiple sources in a dashboard. AutoFocus has unprecedented visibility into the threat landscape, with the collective insight of thousands of global enterprises, service providers, and governments feeding the service (see Figure 3-36).

Figure 3-36: Palo Alto Networks AutoFocus Threat Intelligence Cloud

The service correlates and gains intelligence from:

  • WildFire (discussed in Section 3.5.5)
  • URL filtering with PAN-DB service
  • Palo Alto Networks global passive DNS network
  • Palo Alto Networks Unit 42 threat intelligence and research team
  • Third-party feeds, including closed and open-source intelligence

AutoFocus makes over a billion samples and sessions, including billions of artifacts, immediately actionable for security analysis and response efforts. AutoFocus extends the Security Operating Platform with the global threat intelligence and attack context needed to accelerate analysis, forensics, and hunting workflows. Together, the platform and AutoFocus move security teams away from legacy manual approaches that rely on aggregating a growing number of detection-based alerts and post-event mitigation, to preventing sophisticated attacks and enabling proactive hunting activities.

Priority alerts and tags

AutoFocus enables you to distinguish the most important threats from everyday commodity attacks, contextualizing events on your network with tags. Unique to AutoFocus, tags enrich your visibility into the most critical threats, with contextual intelligence that lets you know which malware families, campaigns, threat actors, malicious behaviors, and exploits are being used against you.

When a tag matches an event on your network, a priority alert is sent via email, within the AutoFocus dashboard, or via HTTP post, with the full tag context included. Alerts are highly customizable, which enhances your existing security workflow with prioritization and context for the most critical threats.

Tags can be created for any host or network-based indicator in AutoFocus to alert you when a specific threat has been observed in your organization or industry. In addition to priority alerts, all tags are searchable so you can quickly identify associated malicious samples or indicators.

As new threats are identified, Palo Alto Networks Unit 42, your own organization, and the global community of AutoFocus experts add new tags to the service. AutoFocus is the primary analysis tool used by Unit 42 to identify new threats, correlate global data, identify connections between malicious samples, and build adversary or campaign profiles.

With AutoFocus and the Security Operating Platform, security teams can:

  • Determine how targeted or unique a threat seen on their network is
  • Investigate related malicious samples
  • Identify suspicious DNS queries with domain resolution history

Threat correlation

When security teams conduct threat analysis, they must quickly identify which IoCs represent the best path to remediation. For an active or ongoing compromise, the speed of investigation and the ability to meaningfully correlate data is critical. Each file has hundreds, potentially thousands, of artifacts, with only a small number of unique IoCs able to be correlated to the larger profile of an adversary or related attacks.

AutoFocus uses an innovative statistical analysis engine to correlate billions of artifacts across a global data set and bring forward unique IoCs likely associated with targeted attacks. The service automatically applies a unique visual weighting system to identify unique and critical IoCs, which guides analysis and incident response efforts down the most relevant path.

AutoFocus allows you to build sophisticated multi-layer searches at the host and network-based artifact levels, and target your search within industry, time period, and other filters. These searches allow you to make previously unknown connections between attacks and plan your incident response actions accordingly.

When further analysis is required, security teams can switch between AutoFocus and PAN-OS software or Panorama, with pre-populated searches for both systems. AutoFocus provides the entirety of Palo Alto Networks threat intelligence, which dramatically reduces the time it takes to conduct analysis, forensics, and hunting tasks.

Actionable intelligence

Security teams require more than a way to prioritize, analyze, and correlate threat intelligence – they need a way to convert it into actionable controls to prevent future attacks. AutoFocus enables you to create new protections for the Security Operating Platform by exporting high-value IoCs from the service into PAN-OS software External Dynamic Lists to instantly block malicious URLs, domains, or IP addresses. AutoFocus can also export IoCs to third-party security devices via a standard CSV format. Security teams can use AutoFocus to identify unique, targeted attacks against their organization and take direct action to mitigate and prevent them.

Threat analysis, forensics, and incident response teams often rely on a broad range of scripts, open-source tools, security devices, and services to investigate potential security incidents. AutoFocus can dramatically reduce the time required to investigate by enriching third-party services through:

  • Open API support. The AutoFocus API is built on an easy-to-use, representational state transfer (RESTful) framework, and allows for integrations into hundreds of use cases, such as sending threat intelligence data to existing SIEM tools. This framework makes data available for additional threat analysis or custom threat blocking automations.
  • Remote sweeping capability. Security teams can move from indicators in the service to internal and third-party external systems directly from AutoFocus. Teams can define up to 10 external systems, which lets them continue their analysis seamlessly across their entire infrastructure, such as correlating logs from NGFWs or triggering searches in SIEM tools.
  • Support for STIX data format. AutoFocus provides out-of-the-box integration with Structured Threat Information Expression (STIX) infrastructure and makes data available for export in the STIX data format.

Key Terms:

  • Representational state transfer (REST) is an architectural programming style that typically runs over HTTP, and it is commonly used for mobile apps, social networking websites, and mashup tools.
  • Structured Threat Information Expression (STIX) is an Extensible Markup Language (XML) format for conveying data about cybersecurity threats in a standardized format.
  • Extensible Markup Language (XML) is a programming language specification that defines a set of rules for encoding documents in a human-readable and machine-readable format.

Threat indicator sharing (MineMeld)

To prevent successful cyberattacks, many organizations collect indicators of compromise (IoCs) from various threat intelligence providers with the intent of creating new controls for their security devices. Unfortunately, legacy approaches to aggregation and enforcement are highly manual in nature, often creating complex workflows and extending the time needed to identify and validate which IoCs should be blocked.

MineMeld is an open-source application that streamlines the aggregation, enforcement, and sharing of threat intelligence. MineMeld is available directly on GitHub and on pre-built virtual machines (VMs) for easy deployment. With an extensible modular architecture, anyone can add to the MineMeld functionality by contributing code to the open-source repository.

MineMeld (see Figure 3-37) supports a variety of use cases, with more being added each day by the community, including:

  • Aggregating and correlating threat intelligence feeds
  • Enforcing new prevention controls, including IP blacklists
  • Evaluating the value of a specific threat intelligence feed for your environment
  • Extracting indicators from Palo Alto Networks device logs and sharing them with other security tools
  • Sharing indicators with trusted peers
  • Identifying incoming sessions from Tor exit nodes for blocking or strict inspection
  • Tracking Office365 URLs and IPs

Figure 3-37: MineMeld aggregates and correlates threat intelligence feeds

MineMeld allows you to aggregate threat intelligence across public, private, and commercial intelligence sources, including between government and commercial organizations.

MineMeld simplifies the collection and correlation of intelligence across:

  • Commercial threat intelligence feeds
  • Open Source Intelligence (OSINT) providers
  • Threat intelligence platforms
  • Information sharing and analysis centers (ISACs)
  • Computer emergency response teams (CERTs)
  • Other MineMeld users

After indicators are collected, MineMeld can filter, deduplicate, and consolidate metadata across all sources, which allows security teams to analyze a more actionable set of data, enriched from multiple sources, for easier enforcement.

MineMeld natively integrates with Palo Alto Networks security platforms to automatically create new prevention-based controls for URLs, IPs, and domain intelligence derived from all sources feeding into the tool. Organizations can simplify their workflows for blocking IoCs with External Dynamic Lists and Dynamic Address Groups, without spending additional resources to manage block lists, and expired indicators time out automatically. MineMeld also integrates with the Palo Alto Networks AutoFocus contextual threat intelligence service to allow organizations to identify high-value, targeted indicators – in AutoFocus – and block them on their NGFWs with export lists and MineMeld.
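As an added example (not MineMeld's own code), the Python script below performs the same aggregation over three constructed feeds: it canonicalizes each indicator so that duplicates from different sources collapse into one entry, keeps the highest confidence and the most recent sighting, refuses indicators that overlap internal address space, drops anything not seen within the age limit (the automated timeout described above), and renders the survivors as the one-entry-per-line text an External Dynamic List is fetched in. The feed names, indicators, confidence values, clock and thresholds are all assumptions chosen for the illustration.

```python
"""Added example, not MineMeld's own code: aggregate several constructed
indicator feeds, deduplicate them, age out stale entries and render an EDL."""
import ipaddress
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample feeds; feed names, indicators and confidences are made up.
FEEDS = {
    "commercial_feed": [
        {"indicator": "203.0.113.10", "type": "IPv4", "confidence": 90, "last_seen": "2024-05-01T10:00:00Z"},
        {"indicator": "198.51.100.0/24", "type": "IPv4", "confidence": 70, "last_seen": "2024-05-01T09:00:00Z"},
        {"indicator": "bad.example", "type": "domain", "confidence": 80, "last_seen": "2024-04-01T00:00:00Z"},
    ],
    "osint_feed": [
        {"indicator": "203.0.113.10/32", "type": "IPv4", "confidence": 60, "last_seen": "2024-05-02T00:00:00Z"},
        {"indicator": "evil.example", "type": "domain", "confidence": 50, "last_seen": "2024-05-01T00:00:00Z"},
        {"indicator": "not an ip", "type": "IPv4", "confidence": 99, "last_seen": "2024-05-02T00:00:00Z"},
        {"indicator": "10.0.0.5", "type": "IPv4", "confidence": 99, "last_seen": "2024-05-02T00:00:00Z"},
    ],
    "isac_feed": [
        {"indicator": "EVIL.example.", "type": "domain", "confidence": 95, "last_seen": "2024-05-02T12:00:00Z"},
    ],
}
NOW = datetime(2024, 5, 3, tzinfo=timezone.utc)  # fixed clock so the run is reproducible

# Ranges that must never reach a block list, whatever a feed says.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]
DOMAIN_RE = re.compile(r"^[a-z0-9-]{1,63}(\.[a-z0-9-]{1,63})+$")


@dataclass
class Indicator:
    value: str
    type: str
    confidence: int
    last_seen: datetime
    sources: set = field(default_factory=set)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize(kind, raw):
    """Canonical form of an indicator, or None if it is malformed or unsafe to block."""
    if kind == "IPv4":
        try:
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            return None
        if net.version != 4 or any(net.overlaps(nb) for nb in NEVER_BLOCK):
            return None
        return str(net.network_address) if net.prefixlen == 32 else str(net)
    if kind == "domain":
        name = raw.strip().lower().rstrip(".")
        return name if DOMAIN_RE.match(name) else None
    return None


def aggregate(feeds, now, max_age=timedelta(days=7), min_confidence=70):
    """Merge all feeds into one deduplicated set, then apply age and confidence cut-offs."""
    merged = {}
    for feed, entries in feeds.items():
        for e in entries:
            value = normalize(e["type"], e["indicator"])
            if value is None:
                continue
            key = (e["type"], value)
            ind = merged.get(key)
            if ind is None:
                ind = merged[key] = Indicator(value, e["type"], e["confidence"], parse_ts(e["last_seen"]))
            else:  # keep the strongest confidence and most recent sighting across sources
                ind.confidence = max(ind.confidence, e["confidence"])
                ind.last_seen = max(ind.last_seen, parse_ts(e["last_seen"]))
            ind.sources.add(feed)
    # Indicators not seen within max_age drop out automatically: this is the timeout.
    return [i for i in merged.values()
            if now - i.last_seen <= max_age and i.confidence >= min_confidence]


def render_edl(indicators, kind):
    """One indicator per line, the plain-text form an External Dynamic List is fetched in."""
    return "".join(f"{v}\n" for v in sorted(i.value for i in indicators if i.type == kind))


if __name__ == "__main__":
    survivors = aggregate(FEEDS, NOW)
    print(render_edl(survivors, "IPv4"), render_edl(survivors, "domain"), sep="---\n")
```

In this run the two spellings of 203.0.113.10 collapse into one entry attributed to both feeds, the stale bad.example entry and the malformed and internal entries never reach the list, and the file written from render_edl is what the firewall would fetch over HTTPS on its refresh schedule; because the age limit is applied on every run, an indicator that stops being reported simply disappears from the next list without anyone editing it.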

Malware analysis (WildFire)

Advanced cyberattacks employ stealthy and persistent methods to evade traditional security measures. Skilled adversaries require modern security teams to re-evaluate their prevention tactics to better address the volume and sophistication of today's attacks.

The Palo Alto Networks WildFire cloud-based malware analysis environment is a cyberthreat prevention service that identifies unknown malware, zero-day exploits, and advanced persistent threats (APTs) through static and dynamic analysis in a scalable, virtual environment. WildFire automatically disseminates updated protections in near real-time to immediately prevent threats from spreading – without manual intervention.

WildFire significantly improves security posture and protection against unknown malware. WildFire processes about 5 million unique files daily and about 30,000 to 50,000 unique malware files that are sent to WildFire by customer-deployed Palo Alto Networks NGFWs. Typically, 60 percent of these malware files are not detected by any of the major antivirus vendors when first submitted to WildFire, and 30 days later 25 to 50 percent are still not detected by the major antivirus vendors.

To support dynamic malware analysis across the network at scale, WildFire is built on a cloud-based architecture (see Figure 3-38). Where regulatory or privacy requirements prevent the use of public cloud infrastructure, a private cloud solution can be built on-premises.

Figure 3-38: WildFire provides cloud-based malware analysis and threat prevention

In addition to either public or private cloud deployments, organizations can leverage both within the same environment. The hybrid cloud capabilities of WildFire allow security teams more file analysis flexibility because they can define which file types are sent to the WildFire public cloud versus the on-premises appliance, or private cloud. The WildFire hybrid cloud capability enables organizations to alleviate privacy or regulatory concerns by using the WildFire appliance for file types containing sensitive data. Organizations also benefit from the comprehensive analysis and global threat intelligence services of the WildFire public cloud for all others.

The Security Operating Platform proactively blocks known threats, which provides baseline defenses against known exploits, malware, malicious URLs and C&C activity. When new threats emerge, the Security Operating Platform automatically routes suspicious files and URLs to WildFire for deep analysis.

WildFire inspects millions of samples per week from its global network of customers and threat intelligence partners looking for new forms of previously unknown malware, exploits, malicious domains, and outbound C&C activity. The cloud-based service automatically creates new protections that can block targeted and unknown malware, exploits, and outbound C&C activity by observing their actual "behavior," rather than relying on pre-existing signatures. The protections are delivered globally in minutes. The result is a closed-loop, automated approach to preventing cyberthreats that includes:

  • Positive security controls to reduce the attack surface
  • Inspection of all traffic, ports, and protocols to block all known threats
  • Rapid detection of unknown threats by observing the actions of malware in a cloud-based execution environment
  • Automatic deployment of new protections back to the frontline to ensure threats are known to all and blocked across the attack lifecycle

Behavior-based cyberthreat discovery

To find unknown malware and exploits, WildFire executes suspicious content in the Windows, Android, and Mac OS X operating systems, with full visibility into common file types, including:

  • Executables (EXEs), dynamic-link libraries (DLLs), compressed files (ZIP), and portable document format (PDF)
  • Microsoft Office documents, spreadsheets, and presentations
  • Java files
  • Android application packages (APKs)
  • Adobe Flash applets and webpages (including high-risk embedded content, such as Java and Adobe Flash files/images)
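A sandbox pipeline has to classify samples by what the bytes actually are, not by the filename, since attackers rename payloads freely. As an added example (not code from WildFire or PAN-OS), the Python below identifies the file types in the list above from their magic bytes, and looks inside ZIP containers to tell an APK, a JAR and an Office Open XML document apart from a plain archive. The sample files, including a PE file carrying a .txt extension, are constructed in the script itself.

```python
"""Added example, not WildFire or PAN-OS code: identify sample file types by
content (magic bytes and container members), ignoring the file extension."""
import io
import struct
import zipfile

IMAGE_FILE_DLL = 0x2000  # PE Characteristics flag that marks a DLL


def _zip_members(data):
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return set(zf.namelist())
    except zipfile.BadZipFile:
        return set()


def sniff(data: bytes) -> str:
    """Return a short type label for the bytes, or 'unknown'."""
    head = data[:8]
    if head.startswith(b"MZ"):
        # EXE and DLL share the MZ/PE layout; e_lfanew at 0x3C points at the
        # COFF header, whose Characteristics field (offset 22) carries the DLL flag.
        if len(data) >= 0x40:
            pe_off = struct.unpack_from("<I", data, 0x3C)[0]
            if data[pe_off:pe_off + 4] == b"PE\0\0" and len(data) >= pe_off + 24:
                chars = struct.unpack_from("<H", data, pe_off + 22)[0]
                return "dll" if chars & IMAGE_FILE_DLL else "exe"
        return "exe"
    if head.startswith(b"%PDF-"):
        return "pdf"
    if head.startswith(b"PK\x03\x04"):
        # Several of the listed types are ZIP containers; the members tell them apart.
        names = _zip_members(data)
        if {"AndroidManifest.xml", "classes.dex"} <= names:
            return "apk"
        if "META-INF/MANIFEST.MF" in names and any(n.endswith(".class") for n in names):
            return "jar"
        if "[Content_Types].xml" in names:
            for prefix, label in (("word/", "docx"), ("xl/", "xlsx"), ("ppt/", "pptx")):
                if any(n.startswith(prefix) for n in names):
                    return label
        return "zip"
    if head.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):
        return "ole"     # legacy binary Office (.doc/.xls/.ppt)
    if head.startswith(b"\xca\xfe\xba\xbe"):
        return "class"   # compiled Java class
    if head[:3] in (b"FWS", b"CWS", b"ZWS"):
        return "swf"     # Adobe Flash (uncompressed, zlib, LZMA)
    return "unknown"


# --- constructed samples (synthetic headers, not real malware) ---
def _make_pe(is_dll: bool) -> bytes:
    pe_off = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0,
                                   IMAGE_FILE_DLL if is_dll else 0x0102)
    return dos + coff


def _make_zip(members) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in members:
            zf.writestr(name, b"x")
    return buf.getvalue()


SAMPLES = {
    "dropper.exe": _make_pe(False),
    "payload.dll": _make_pe(True),
    "readme.txt": _make_pe(False),            # extension lies: the content is a PE
    "invoice.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "app.apk": _make_zip(["AndroidManifest.xml", "classes.dex", "res/icon.png"]),
    "report.docx": _make_zip(["[Content_Types].xml", "word/document.xml"]),
    "tool.jar": _make_zip(["META-INF/MANIFEST.MF", "com/example/Main.class"]),
    "archive.zip": _make_zip(["notes.txt"]),
    "legacy.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 24,
    "Main.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x34",
    "banner.swf": b"CWS\x0a" + b"\0" * 8,
}


def sniff_all(samples=SAMPLES):
    return {name: sniff(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, label in sniff_all().items():
        print(f"{name:14s} -> {label}")
```

The ZIP branch is the part worth noting: APK, JAR and modern Office files all begin with the same four bytes, so a sniffer that stops at the magic number would route all of them to the same analysis environment; inspecting the member names is what lets an Android sample go to an Android VM and a document to a Windows one.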

WildFire identifies hundreds of potentially malicious behaviors to uncover the true nature of malicious files based on their actions, including:

  • Changes made to host: WildFire observes all processes for modifications to the host, including file and registry activity, code injection, memory heap spray (exploit) detection, addition of auto-run programs, mutexes, Windows services, and other suspicious activities.
  • Suspicious network traffic: WildFire performs analysis of all network activity produced by the suspicious file, including backdoor creation, downloading of next-stage malware, visiting low-reputation domains, and network reconnaissance.
  • Anti-analysis detection: WildFire monitors techniques used by advanced malware that is designed to avoid virtual machine (VM)-based analysis, such as debugger detection, hypervisor detection, code injection into trusted processes, and disabling of host-based security features.

Key Terms:

  • A mutex is a program object that allows multiple program threads to share the same resource, such as file access, but not simultaneously.

WildFire is natively integrated with the Security Operating Platform, which can classify all traffic across hundreds of applications. WildFire uniquely applies this behavioral analysis to web traffic, email protocols (SMTP, IMAP, and POP), and FTP, regardless of ports or encryption.

Threat prevention with global intelligence sharing

When an unknown threat is discovered, WildFire automatically generates protections to block it across the Cyber-Attack Lifecycle, and it shares these updates with all global subscribers within as little as 5 minutes. These quick updates can stop rapidly spreading malware; and these updates are payload-based, so they can block proliferation of future variants without any additional action or analysis.

WildFire protects organizations from malicious and exploitive files and links, and also looks deep into malicious outbound communication and disrupts C&C activity with anti-C&C signatures and DNS-based callback signatures. The information is also used for URL Filtering with PAN-DB, where newly discovered malicious URLs are automatically blocked. This correlation of threat data and automated protections is key to identifying and blocking ongoing intrusion attempts and future attacks against your organization.

Integrated logging, reporting, and forensics

WildFire provides access to integrated logs, analysis, and visibility into WildFire events, through the management interface, the WildFire portal, AutoFocus (discussed in Section 3.5.3), and Panorama (discussed in Section 3.2.3). This access enables security teams to quickly investigate and correlate events observed in their networks to rapidly locate the data needed for timely investigations and incident response.

Host-based and network-based indicators of compromise (IoCs) become actionable through log analysis and custom signatures. To aid security and incident response teams in discovering infected hosts, WildFire also provides:

  • Detailed analysis of every malicious file sent to WildFire across multiple operating system environments, including host-based and network-based activity
  • Session data associated with the delivery of the malicious file, including source, destination, application, User-ID, and URL
  • Access to the original malware sample for reverse-engineering and full packet captures (pcaps) of dynamic analysis sessions
  • An open application programming interface (API) for integration with best-in-class SIEM tools, such as the Palo Alto Networks application for Splunk, and leading endpoint agents. This analysis provides numerous IoCs that can be applied across the attack lifecycle.
  • Native integration with Traps advanced endpoint protection (discussed in Section 3.3.1) and Aperture advanced SaaS protection (discussed in Section 3.4.2)
  • Access to the actionable intelligence and global context provided by AutoFocus threat intelligence (discussed in Section 3.5.3)
  • Native integration with the correlation engine in Palo Alto Networks NGFWs (discussed in Section 3.2.1)
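The three behavior groups described under "Behavior-based cyberthreat discovery" and the host-based and network-based IoCs listed here come from the same source: the record of what the sample did while it ran. As an added example (not WildFire's analysis engine), the Python below walks a constructed sandbox API trace, recognizes a Run-key persistence write, a dropped executable, the OpenProcess/WriteProcessMemory/CreateRemoteThread injection sequence, debugger and hypervisor checks, and regularly spaced connections to one host, then scores a verdict and collects the mutex name, registry key, file path, domain and IP as IoCs. The trace, the API names, the severity weights and the verdict thresholds are all assumptions made for the illustration.

```python
"""Added example, not WildFire's own analysis engine: classify a constructed
sandbox API trace into host, network and anti-analysis behaviors, produce a
verdict, and extract the host- and network-based IoCs for hunting."""
import re
from collections import defaultdict

AUTORUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices)\\", re.I)
VM_VENDORS = re.compile(r"vmware|vbox|virtualbox|qemu|xen|hyper-v", re.I)
DEBUG_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent", "NtQueryInformationProcess"}
INJECTION_APIS = {"OpenProcess", "WriteProcessMemory", "CreateRemoteThread"}
SEVERITY = {"autorun_persistence": 2, "dropped_executable": 1, "code_injection": 3,
            "beaconing": 3, "debugger_check": 1, "vm_check": 1}

# Constructed trace: pid 1000 checks for analysis tooling, drops a file, persists via a
# Run key and injects into pid 1300, which then beacons to one host every ~30 seconds.
TRACE = [
    {"t": 0.10, "pid": 1000, "api": "IsDebuggerPresent"},
    {"t": 0.12, "pid": 1000, "api": "RegQueryValue", "key": r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion", "value": "VMware Virtual Platform"},
    {"t": 0.20, "pid": 1000, "api": "CreateMutex", "name": "Global\\h3ll0_w0rld"},
    {"t": 0.30, "pid": 1000, "api": "WriteFile", "path": r"C:\Users\Public\svchost32.exe"},
    {"t": 0.40, "pid": 1000, "api": "RegSetValue", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater", "data": r"C:\Users\Public\svchost32.exe"},
    {"t": 0.50, "pid": 1000, "api": "OpenProcess", "target_pid": 1300},
    {"t": 0.51, "pid": 1000, "api": "WriteProcessMemory", "target_pid": 1300},
    {"t": 0.52, "pid": 1000, "api": "CreateRemoteThread", "target_pid": 1300},
    {"t": 1.00, "pid": 1300, "api": "DnsQuery", "name": "update.cdn-example.test"},
    {"t": 1.10, "pid": 1300, "api": "Connect", "dst": "203.0.113.77", "port": 443},
    {"t": 31.1, "pid": 1300, "api": "Connect", "dst": "203.0.113.77", "port": 443},
    {"t": 61.1, "pid": 1300, "api": "Connect", "dst": "203.0.113.77", "port": 443},
    {"t": 91.2, "pid": 1300, "api": "Connect", "dst": "203.0.113.77", "port": 443},
]
BENIGN_TRACE = [  # constructed: an ordinary application saving a file and fetching a page
    {"t": 0.1, "pid": 2000, "api": "WriteFile", "path": r"C:\Users\alice\report.txt"},
    {"t": 0.2, "pid": 2000, "api": "RegSetValue", "key": r"HKCU\Software\Example\Settings\Theme", "data": "dark"},
    {"t": 0.5, "pid": 2000, "api": "DnsQuery", "name": "www.example.com"},
    {"t": 0.6, "pid": 2000, "api": "Connect", "dst": "198.51.100.5", "port": 443},
]


def _is_beacon(times, tolerance=0.15):
    """Regularly spaced connections: at least three gaps, all within tolerance of their mean."""
    if len(times) < 4:
        return False
    gaps = [b - a for a, b in zip(times, times[1:])]
    mean = sum(gaps) / len(gaps)
    return mean > 0 and all(abs(g - mean) / mean <= tolerance for g in gaps)


def analyze(trace):
    behaviors, iocs = [], defaultdict(list)
    injection = defaultdict(set)   # (source pid, target pid) -> injection APIs seen so far
    reported = set()               # injection pairs already counted, so each is scored once
    connects = defaultdict(list)   # destination IP -> connection timestamps

    def add(cat, name, evidence):
        behaviors.append({"category": cat, "name": name, "evidence": evidence})

    def ioc(kind, value):
        if value not in iocs[kind]:
            iocs[kind].append(value)

    for ev in sorted(trace, key=lambda e: e["t"]):
        api = ev["api"]
        if api == "RegSetValue" and AUTORUN_KEY.search(ev["key"]):
            add("host", "autorun_persistence", ev["key"])
            ioc("registry", ev["key"])
        elif api == "WriteFile" and ev["path"].lower().endswith((".exe", ".dll", ".scr")):
            add("host", "dropped_executable", ev["path"])
            ioc("files", ev["path"])
        elif api == "CreateMutex":
            ioc("mutexes", ev["name"])  # a mutex name is a cheap host-based IoC
        elif api in INJECTION_APIS and ev.get("target_pid") not in (None, ev["pid"]):
            pair = (ev["pid"], ev["target_pid"])
            injection[pair].add(api)
            if injection[pair] == INJECTION_APIS and pair not in reported:
                reported.add(pair)
                add("host", "code_injection", f"pid {pair[0]} -> pid {pair[1]}")
        elif api == "DnsQuery":
            ioc("domains", ev["name"].lower())
        elif api == "Connect":
            ioc("ips", ev["dst"])
            connects[ev["dst"]].append(ev["t"])
        elif api in DEBUG_APIS:
            add("anti_analysis", "debugger_check", api)
        elif api == "RegQueryValue" and VM_VENDORS.search(ev["key"] + " " + ev.get("value", "")):
            add("anti_analysis", "vm_check", ev["key"])
    for dst, times in connects.items():
        if _is_beacon(times):
            period = (times[-1] - times[0]) / (len(times) - 1)
            add("network", "beaconing", f"{dst} every ~{period:.0f}s")
    score = sum(SEVERITY[b["name"]] for b in behaviors)
    verdict = "malware" if score >= 5 else "suspicious" if score >= 2 else "benign"
    return {"verdict": verdict, "score": score, "behaviors": behaviors, "iocs": dict(iocs)}
```

Two design points carry over to real reports: the injection detection keys on the sequence of calls against one target process rather than on any single API (each of those calls is legitimate on its own), and the beacon check is computed after the whole trace is read because periodicity is only visible across several connections. The IoCs the function returns are the values an analyst would push into a block list or an EDR search; the mutex name in particular survives recompilation of the sample far more often than its hash does.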

Key Terms:

  • An indicator of compromise (IoC) is a network or operating system (OS) artifact that provides a high level of confidence that a computer security incident has occurred.
  • An application programming interface (API) is a set of routines, protocols, and tools for building software applications and integrations.
  • A packet capture (pcap) is a traffic intercept of data packets that can be used for analysis.

Glossary

  • access point (AP): See wireless access point (AP).
  • Address Resolution Protocol (ARP): A protocol that translates a logical address, such as an IP address, to a physical MAC address. The Reverse Address Resolution Protocol (RARP) translates a physical MAC address to a logical address. See also IP address, media access control (MAC) address, and Reverse Address Resolution Protocol (RARP).
  • Advanced Encryption Standard (AES): A symmetric block cipher based on the Rijndael cipher.
  • AES: See Advanced Encryption Standard (AES).
  • AP: See wireless access point (AP).
  • API: See application programming interface (API).
  • application programming interface (API): A set of routines, protocols, and tools for building software applications and integrations.
  • application whitelisting: A technique used to prevent unauthorized applications from running on an endpoint. Authorized applications are manually added to a list that is maintained on the endpoint. If an application is not on the whitelist, it cannot run on the endpoint. However, if it is on the whitelist the application can run, regardless of whether vulnerabilities or exploits are present within the application.
  • ARP: See Address Resolution Protocol (ARP).
  • AS: See autonomous system (AS).
  • attack vector: A path or tool that an attacker uses to target a network.
  • authoritative DNS server: The system of record for a given domain. See also Domain Name System (DNS).
  • autonomous system (AS): A group of IP prefixes under the control of a single internet entity with a common routing policy. Each autonomous system is identified by a 16-bit or 32-bit AS number (ASN). ASNs are allocated by the Internet Assigned Numbers Authority (IANA) to the regional internet registries, which assign them to network operators. See also Internet Protocol (IP) address and Internet Assigned Numbers Authority (IANA).
  • bare metal hypervisor: See native hypervisor.
  • BES: See bulk electric system (BES).
  • boot sector: Contains machine code that is loaded into an endpoint's memory by firmware during the startup process, before the operating system is loaded.
  • boot sector virus: Targets the boot sector or master boot record (MBR) of an endpoint's storage drive or other removable storage media. See also boot sector and master boot record (MBR).
  • bot: An individual endpoint that is infected with advanced malware that enables an attacker to take control of the compromised endpoint. Also known as a zombie. See also botnet and malware.
  • botnet: A network of bots (often tens of thousands or more) working together under the control of attackers using numerous command-and-control (C&C) servers. See also bot.
  • bridge: A wired or wireless network device that extends a network or joins separate network segments.
  • bring your own apps (BYOA): Closely related to BYOD, BYOA is a policy trend in which organizations permit end users to download, install, and use their own personal apps on mobile devices, primarily smartphones and tablets, for work-related purposes. See also bring your own device (BYOD).
  • bring your own device (BYOD): A policy trend in which organizations permit end users to use their own personal devices, primarily smartphones and tablets, for work-related purposes. BYOD relieves organizations from the cost of providing equipment to employees, but creates a management challenge because of the vast number and type of devices that must be supported. See also bring your own apps (BYOA).
  • broadband cable: A type of high-speed internet access that delivers different upload and download data speeds over a shared network medium. The overall speed varies depending on the network traffic load from all the subscribers on the network segment.
  • broadcast domain: The portion of a network that receives broadcast packets sent from a node in the domain.
  • bulk electric system (BES): The large interconnected electrical system, consisting of generation and transmission facilities (among others), that comprises the "power grid."
  • bus (or linear bus) topology: A LAN topology in which all nodes are connected to a single cable (the backbone) that is terminated on both ends. In the past, bus networks were commonly used for very small networks because they were inexpensive and relatively easy to install, but today bus topologies are rarely used. The cable media has physical limitations (the cable length), the backbone is a single point of failure (a break anywhere on the network affects the entire network), and tracing of a fault in a large network can be extremely difficult. See also local-area network (LAN).
  • BYOA: See bring your own apps (BYOA).
  • BYOD: See bring your own device (BYOD).
  • child process: In multitasking operating systems, a subprocess created by a parent process that is currently running on the system.
  • CIDR: See classless inter-domain routing (CIDR).
  • CIP: See Critical Infrastructure Protection (CIP).
  • circuit-switched network: A network in which a dedicated physical circuit path is established, maintained, and terminated between the sender and receiver across a network for each communications session.
  • classless inter-domain routing (CIDR): A method for allocating IP addresses and IP routing that replaces classful IP addressing (for example, Class A, B, and C networks) with classless IP addressing. See also Internet Protocol (IP) address.
  • collision domain: A network segment on which data packets may collide with each other during transmission.
  • consumerization: A computing trend that describes the process that occurs as end users increasingly find personal technology and apps that are more powerful or capable, more convenient, less expensive, quicker to install, and easier to use, than enterprise IT solutions.
  • convergence: The time required for all routers in a network to update their routing tables with the most current routing information about the network.
  • covered entity: Defined by HIPAA as a healthcare provider that electronically transmits PHI (such as doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies), a health plan (such as a health insurance company, health maintenance organization, company health plan, or government program including Medicare, Medicaid, military and veterans' healthcare), or a healthcare clearinghouse. See also Health Insurance Portability and Accountability Act (HIPAA) and protected health information (PHI).
  • CRC: See cyclic redundancy check (CRC).
  • Critical Infrastructure Protection (CIP): Cybersecurity standards defined by NERC to protect the physical and cyber assets necessary to operate the bulk electric system (BES). See also bulk electric system (BES) and North American Electric Reliability Corporation (NERC).
  • Cybersecurity Enhancement Act of 2014: A U.S. regulation that provides an ongoing, voluntary public-private partnership to improve cybersecurity and to strengthen cybersecurity research and development, workforce development and education, and public awareness and preparedness.
  • Cybersecurity Information Sharing Act (CISA): A U.S. regulation that enhances information sharing about cybersecurity threats by allowing internet traffic information to be shared between the U.S. government and technology and manufacturing companies.
  • cyclic redundancy check (CRC): An error-detecting code computed over a frame or packet by the sender and recalculated by the receiving device. If the recalculated CRC does not match the received CRC, the frame is discarded; any retransmission is handled by a higher-layer protocol such as TCP, not by the CRC itself. A CRC is not a cryptographic check and offers no protection against deliberate modification.
  • data encapsulation: A process in which protocol information from the OSI or TCP/IP layer immediately above is wrapped in the data section of the OSI or TCP/IP layer immediately below. Also referred to as data hiding. See also Open Systems Interconnection (OSI) reference model and Transmission Control Protocol/Internet Protocol (TCP/IP) model.
  • data hiding: See data encapsulation.
  • DDOS: See distributed denial-of-service (DDOS).
  • default gateway: A network device, such as a router or switch, to which an endpoint sends network traffic when a specific destination IP address is not specified by an application or service, or when the endpoint does not know how to reach a specified destination. See also router and switch.
  • DevOps: The culture and practice of improved collaboration between application development and IT operations teams.
  • DHCP: See Dynamic Host Configuration Protocol (DHCP).
  • digital subscriber line (DSL): A type of high-speed internet access that delivers different upload and download data speeds. The overall speed depends on the distance from the home or business location to the provider's central office (CO).
  • distributed denial-of-service (DDOS): A type of cyberattack in which extremely high volumes of network traffic such as packets, data, or transactions are sent to the target victim's network to make their network and systems (such as an e-commerce website or other web application) unavailable or unusable.
  • DLL: See dynamic-link library (DLL).
  • DNS: See Domain Name System (DNS).
  • domain name registrar: An organization that is accredited by a top-level domain (TLD) registry to manage domain name registrations. See also top-level domain (TLD).
  • Domain Name System (DNS): A hierarchical distributed database that maps the fully qualified domain name (FQDN) for computers, services, or any resource connected to the internet or a private network to an IP address. See also fully qualified domain name (FQDN).
  • drive-by-download: A software download, typically malware, that happens without a user's knowledge or permission.
  • DSL: See digital subscriber line (DSL).
  • Dynamic Host Configuration Protocol (DHCP): A network management protocol that dynamically assigns (leases) IP addresses and other network configuration parameters (such as default gateway and Domain Name System [DNS] information) to devices on a network. See also default gateway and Domain Name System (DNS).
  • dynamic-link library (DLL): A type of file used in Microsoft operating systems that enables multiple programs to simultaneously share programming instructions contained in a single file to perform specific functions.
  • EAP: See Extensible Authentication Protocol (EAP).
  • EAP-TLS: See Extensible Authentication Protocol Transport Layer Security (EAP-TLS).
  • EHR: See electronic health record (EHR).
  • electronic health record (EHR): As defined by HealthIT.gov, an EHR "goes beyond the data collected in the provider's office and include[s] a more comprehensive patient history. EHR data can be created, managed, and consulted by authorized providers and staff from across more than one healthcare organization."
  • electronic medical record (EMR): As defined by HealthIT.gov, an EMR "contains the standard medical and clinical data gathered in one provider's office."
  • EMR: See electronic medical record (EMR).
  • endpoint: A computing device such as a desktop or laptop computer, handheld scanner, point-of-sale (POS) terminal, printer, satellite radio, security or videoconferencing camera, self-service kiosk, server, smart meter, smart TV, smartphone, tablet, or Voice over Internet Protocol (VoIP) phone. Although endpoints can include servers and network equipment, the term is generally used to describe end user devices.
  • Enterprise 2.0: A term introduced by Andrew McAfee and defined as "the use of emergent social software platforms within companies, or between companies and their partners or customers." See also Web 2.0.
  • exclusive or (XOR): A Boolean operator whose output is true only when the inputs differ (for example, TRUE XOR TRUE = FALSE, but TRUE XOR FALSE = TRUE).
  • exploit: A small piece of software code, part of a malformed data file, or a sequence (string) of commands, that leverages a vulnerability in a system or software, causing unintended or unanticipated behavior in the system or software.
  • Extensible Authentication Protocol (EAP): A widely used authentication framework that includes about 40 different authentication methods.
  • Extensible Authentication Protocol Transport Layer Security (EAP-TLS): An Internet Engineering Task Force (IETF) open standard that uses the Transport Layer Security (TLS) protocol in Wi-Fi networks and PPP connections. See also Internet Engineering Task Force (IETF), point-to-point protocol (PPP), and Transport Layer Security (TLS).
  • Extensible Markup Language (XML): A markup language specification that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable.
  • false negative: In anti-malware, malware that is incorrectly identified as a legitimate file or application. In intrusion detection, a threat that is incorrectly identified as legitimate traffic. See also false positive.
  • false positive: In anti-malware, a legitimate file or application that is incorrectly identified as malware. In intrusion detection, legitimate traffic that is incorrectly identified as a threat. See also false negative.
  • favicon ("favorite icon"): A small file containing one or more small icons associated with a particular website or webpage.
  • Federal Exchange Data Breach Notification Act of 2015: A U.S. regulation that further strengthens HIPAA by requiring health insurance exchanges to notify individuals whose personal information has been compromised as the result of a data breach as soon as possible, but no later than 60 days after breach discovery. See also Health Insurance Portability and Accountability Act (HIPAA).
  • Federal Information Security Management Act (FISMA): See Federal Information Security Modernization Act (FISMA).
  • Federal Information Security Modernization Act (FISMA): A U.S. law that implements a comprehensive framework to protect information systems used in U.S. federal government agencies. Known as the Federal Information Security Management Act prior to 2014.
  • fiber optic: Technology that converts electrical data signals to light and delivers constant data speeds in the upload and download directions over a dedicated fiber optic cable medium. Fiber optic technology is much faster than copper-based alternatives and, because it carries no electrical signal, is harder to tap without physical access to the cable.
  • Financial Services Modernization Act of 1999: See Gramm-Leach-Bliley Act (GLBA).
  • FISMA: See Federal Information Security Modernization Act (FISMA).
  • floppy disk: A removable magnetic storage medium commonly used from the mid-1970s until about 2007, when it was largely replaced by removable USB storage devices.
  • flow control: A technique used to monitor the flow of data between devices to ensure that a receiving device, which may not necessarily be operating at the same speed as the transmitting device, doesn't drop packets.
  • fully qualified domain name (FQDN): The complete domain name for a specific computer, service, or resource connected to the internet or a private network.
  • GDPR: See General Data Protection Regulation (GDPR).
  • General Data Protection Regulation (GDPR): A European Union (EU) regulation that applies to any organization that does business with EU citizens. It strengthens data protection for EU citizens and addresses the export of personal data outside the EU.
  • Generic Routing Encapsulation (GRE): A tunneling protocol developed by Cisco Systems that can encapsulate various network layer protocols inside virtual point-to-point links.
  • GLBA: See Gramm-Leach-Bliley Act (GLBA).
  • Gramm-Leach-Bliley Act (GLBA): A U.S. law that requires financial institutions to implement privacy and information security policies to safeguard the non-public personal information of clients and consumers. Also known as the Financial Services Modernization Act of 1999.
  • GRE: See Generic Routing Encapsulation (GRE).
  • hacker: Term originally used to refer to anyone with highly specialized computing skills, without connoting good or bad purposes. However, common misuse of the term has redefined a hacker as someone that circumvents computer security with malicious intent, such as a cybercriminal, cyberterrorist, or hacktivist.
  • hash signature: A cryptographic hash (for example, SHA-256) computed over an entire file, used to identify exactly that file. Changing a single byte produces a different hash, so a hash signature matches only the original sample and not its variants.
  • Health Insurance Portability and Accountability Act (HIPAA): A U.S. law that defines data privacy and security requirements to protect individuals' medical records and other personal health information. See also covered entity and protected health information (PHI).
  • heap spray: A technique used to facilitate arbitrary code execution by filling large regions of a target process's heap with attacker-controlled bytes (typically a NOP sled followed by shellcode), so that a corrupted pointer or return address is likely to land on the attacker's code.
  • hextet: One of the eight 16-bit groups in a 128-bit IPv6 address, written as four hexadecimal digits and separated from its neighbors by colons. See also Internet Protocol (IP) address.
  • high-order bits: The first four bits in a 32-bit IPv4 address octet. See also Internet Protocol (IP) address, octet, and low-order bits.
  • HIPAA: See Health Insurance Portability and Accountability Act (HIPAA).
  • hop count: The number of router nodes that a packet must pass through to reach its destination.
  • hosted hypervisor: A hypervisor that runs within an operating system environment. Also known as a Type 2 hypervisor. See also hypervisor and native hypervisor.
  • HTTP: See Hypertext Transfer Protocol (HTTP).
  • HTTPS: See Hypertext Transfer Protocol Secure (HTTPS).
  • hub (or concentrator): A device used to connect multiple networked devices together on a local-area network (LAN).
  • Hypertext Transfer Protocol (HTTP): An application protocol used to transfer data between web servers and web browsers.
  • Hypertext Transfer Protocol Secure (HTTPS): A secure version of HTTP that encrypts the connection with Transport Layer Security (TLS) or, in older deployments, its now-deprecated predecessor Secure Sockets Layer (SSL). See also Secure Sockets Layer (SSL) and Transport Layer Security (TLS).
  • hypervisor: Technology that allows multiple, virtual (or guest) operating systems to run concurrently on a single physical host computer.
  • IaaS: See infrastructure as a service (IaaS).
  • IANA: See Internet Assigned Numbers Authority (IANA).
  • IETF: See Internet Engineering Task Force (IETF).
  • indicator of compromise (IoC): A network or operating system (OS) artifact that provides a high level of confidence that a computer security incident has occurred.
  • infrastructure as a service (IaaS): A cloud computing service model in which customers can provision processing, storage, networks, and other computing resources and deploy and run operating systems and applications. However, the customer has no knowledge of, and does not manage or control, the underlying cloud infrastructure. The customer has control over operating systems, storage, and deployed applications, and some networking components (for example, host firewalls). The customer owns the deployed applications and data, and is therefore responsible for the security of those applications and data.
  • initialization vector (IV): A value combined with the encryption key so that repeated encryptions of the same plaintext produce different ciphertext. The requirement depends on the cipher mode: for CBC the IV must be unpredictable, while for counter-based modes such as CTR and GCM it must simply never repeat under the same key, in which case it is usually called a nonce. Reusing an IV or nonce can leak plaintext and, with GCM, breaks the integrity protection as well.
  • inodes: A data structure used to store information about files and directories in a file-based storage system, but not the filenames or data content itself.
  • Internet Assigned Numbers Authority (IANA): A function, performed by Public Technical Identifiers (PTI), an affiliate of ICANN, that oversees global IP address allocation, autonomous system (AS) number allocation, root zone management in the Domain Name System (DNS), media types, and other Internet Protocol-related symbols and internet numbers. See also autonomous system (AS) and Domain Name System (DNS).
  • Internet Engineering Task Force (IETF): An open international community of network designers, operators, vendors, and researchers concerned with the evolution of the internet architecture and the smooth operation of the internet.
  • Internet Protocol (IP) address: A 32-bit or 128-bit identifier assigned to a networked device for communications at the Network layer of the OSI model or the Internet layer of the TCP/IP model. See also Open Systems Interconnection (OSI) reference model and Transmission Control Protocol/Internet Protocol (TCP/IP) model.
  • intranet: A private network that provides information and resources – such as a company directory, human resources policies and forms, department or team files, and other internal information – to an organization's users. Like the internet, an intranet uses the HTTP and/or HTTPS protocols, but access to an intranet is typically restricted to an organization's internal users. Microsoft SharePoint is a popular example of intranet software. See also Hypertext Transfer Protocol (HTTP) and Hypertext Transfer Protocol Secure (HTTPS).
  • IoC: See indicator of compromise (IoC).
  • IP address: See Internet Protocol (IP) address.
  • IP telephony: See Voice over Internet Protocol (VoIP).
  • IV: See initialization vector (IV).
  • jailbreaking: Exploiting vulnerabilities in Apple's iOS to gain root-level access to the device and disable its code-signing and sandbox restrictions. End users sometimes do this so they can install apps from sources other than the App Store that are not sanctioned or controlled by Apple, including pirated apps. Because the device's built-in security controls are bypassed, a jailbroken device is more exposed to malware and exploits. See also rooting.
  • Kerberos: A ticket-based authentication protocol in which a trusted Key Distribution Center (KDC) issues "tickets" that users and services present to prove their identity to one another without sending passwords across the network.
  • LAN: See local-area network (LAN).
  • least privilege: A network security principle in which only the permission or access rights necessary to perform an authorized task are granted.
  • least significant bit: The last bit in a 32-bit IPv4 address octet. See also Internet Protocol (IP) address, octet, and most significant bit.
  • linear bus topology: See bus topology.
  • local-area network (LAN): A computer network that connects laptop and desktop computers, servers, printers, and other devices so that applications, databases, files and file storage, and other networked resources can be shared across a relatively small geographic area such as a floor, a building, or a group of buildings.
  • low-order bits: The rightmost (lowest-valued) bits of a binary number, for example the last four bits of an octet in a 32-bit IPv4 address. See also Internet Protocol (IP) address, octet, and high-order bits.
  • MAC address: See media access control (MAC) address.
  • malware: Malicious software or code that typically damages, takes control of, or collects information from an infected endpoint. Malware broadly includes viruses, worms, Trojan horses (including Remote Access Trojans, or RATs), anti-AV, logic bombs, back doors, rootkits, bootkits, spyware, and (to a lesser extent) adware.
  • master boot record (MBR): The first sector on a computer hard drive, containing information about how the logical partitions (or file systems) are organized on the storage media, and an executable boot loader that starts up the installed operating system.
  • MBR: See master boot record (MBR).
  • media access control (MAC) address: A unique 48-bit or 64-bit identifier assigned to a network interface controller (NIC) for communications at the Data Link layer of the OSI model. See also Open Systems Interconnection (OSI) reference model.
  • metamorphism: A programming technique used to alter malware code with every iteration, to avoid detection by signature-based anti-malware software. Although the malware payload changes with each iteration – for example, by using a different code structure or sequence, or inserting garbage code to change the file size – the fundamental behavior of the malware payload remains unchanged. Metamorphism uses more advanced techniques than polymorphism. See also polymorphism.
  • Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP): A challenge-response protocol used to authenticate Microsoft Windows-based clients over PPP and PPTP connections without sending the password itself. MS-CHAPv2 has known cryptographic weaknesses (its response is derived from DES operations on the NT password hash and can be recovered from a captured exchange), so it should only be used inside a TLS-protected tunnel such as PEAP, if at all. See also point-to-point tunneling protocol (PPTP).
  • most significant bit: The leftmost (highest-valued) bit of a binary number, for example the first bit of an octet in a 32-bit IPv4 address. See also Internet Protocol (IP) address, octet, and least significant bit.
  • MS-CHAP: See Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP).
  • mutex: A mutual exclusion object that lets multiple program threads or processes share the same resource, such as a file, while guaranteeing that only one of them holds it at a time. Malware frequently creates a named mutex so that only one copy runs on an infected host; the mutex name is therefore a common host-based indicator of compromise. See also indicator of compromise (IoC).
  • NAT: See network address translation (NAT).
  • National Cybersecurity Protection Advancement Act of 2015: A U.S. law that amends the Homeland Security Act of 2002 to enhance multi-directional sharing of information related to cybersecurity risks and to strengthen privacy and civil liberties protections.
  • native hypervisor: A hypervisor that runs directly on the host computer hardware. Also known as a Type 1 or bare metal hypervisor. See also hypervisor and hosted hypervisor.
  • NERC: See North American Electric Reliability Corporation (NERC).
  • network address translation (NAT): A technique in which a router or firewall rewrites the IP addresses (and, in the common port address translation variant, the port numbers) in packet headers, typically mapping the private, non-routable addresses (RFC 1918) assigned to internal devices to one or more public IP addresses. NAT hides internal addressing from the outside but is not a substitute for a firewall policy.
  • Network and Information Security (NIS) Directive: A European Union (EU) directive that imposes network and information security requirements on banks, energy companies, healthcare providers, and digital service providers, among others.
  • NIS Directive: See Network and Information Security (NIS) Directive.
  • nonce: A "number used once": a value that must never be repeated for a given key, used to make otherwise identical messages or operations produce different outputs. An initialization vector is one common use of a nonce. See also initialization vector (IV).
  • North American Electric Reliability Corporation (NERC): A not-for-profit international regulatory authority responsible for assuring the reliability of the bulk electric system (BES) in the continental United States, Canada, and the northern portion of Baja California, Mexico. See also bulk electric system (BES) and Critical Infrastructure Protection (CIP).
  • obfuscation: A programming technique used to render code unreadable. It can be implemented using a simple substitution cipher, such as an exclusive or (XOR) operation, or more sophisticated encryption algorithms, such as the Advanced Encryption Standard (AES). See also Advanced Encryption Standard (AES), exclusive or (XOR), and packer.
  • octet: A group of 8 bits in a 32-bit IPv4 address. See Internet Protocol (IP) address.
  • one-way (hash) function: A mathematical function that reduces an arbitrarily large input to a fixed-length value (the hash value or digest) in a way that is easy to compute in one direction (input to output) but computationally infeasible to reverse (output to input). A secure hash function is also collision resistant: two different inputs that produce the same digest should be infeasible to find. Because the original text cannot be recovered from the digest, an attacker instead guesses candidate inputs, hashes each one, and looks for a matching digest; salting and a slow key-derivation function are what make this guessing expensive for stored passwords. See also salt and rainbow table.
  • Open Systems Interconnection (OSI) reference model: A seven-layer networking model consisting of the Application (Layer 7 or L7), Presentation (Layer 6 or L6), Session (Layer 5 or L5), Transport (Layer 4 or L4), Network (Layer 3 or L3), Data Link (Layer 2 or L2), and Physical (Layer 1 or L1) layers. Defines standard protocols for communication and interoperability using a layered approach in which data is passed from the highest layer (application) downward through each layer to the lowest layer (physical), then transmitted across the network to its destination, then passed upward from the lowest layer to the highest layer. See also data encapsulation.
  • optical carrier: A standard specification for the transmission bandwidth of digital signals on Synchronous Optical Networking (SONET) fiber optic networks. Optical carrier transmission rates are designated by the integer value of the multiple of the base rate (51.84Mbps). For example, OC-3 designates a 155.52Mbps (3 x 51.84) network and OC-192 designates a 9953.28Mbps (192 x 51.84) network.
  • OSI model: See Open Systems Interconnection (OSI) reference model.
  • PaaS: See platform as a service (PaaS).
  • packer: A software tool that can be used to obfuscate code by compressing a malware program for delivery, then decompressing it in memory at run time. See also obfuscation.
  • packet capture (pcap): A traffic intercept of data packets that can be used for analysis.
  • packet-switched network: A network in which devices share bandwidth on communications links to transport packets between a sender and receiver across a network.
  • PAP: See Password Authentication Protocol (PAP).
  • Password Authentication Protocol (PAP): An authentication protocol used by PPP to validate users with an unencrypted password. See also point-to-point protocol (PPP).
  • Payment Card Industry Data Security Standards (PCI DSS): A proprietary information security standard mandated and administered by the PCI Security Standards Council (SSC), and applicable to any organization that transmits, processes, or stores payment card (such as debit and credit cards) information. See also PCI Security Standards Council (SSC).
  • pcap: See packet capture (pcap).
  • PCI: See Payment Card Industry Data Security Standards (PCI DSS).
  • PCI DSS: See Payment Card Industry Data Security Standards (PCI DSS).
  • PCI Security Standards Council (SSC): A group comprising Visa, MasterCard, American Express, Discover, and JCB that maintains, evolves, and promotes PCI DSS. See also Payment Card Industry Data Security Standards (PCI DSS).
  • PDU: See protocol data unit (PDU).
  • Personal Information Protection and Electronic Documents Act (PIPEDA): A Canadian privacy law that defines individual rights with respect to the privacy of their personal information, and governs how private sector organizations collect, use, and disclose personal information in the course of business.
  • Personally Identifiable Information (PII): Defined by the U.S. National Institute of Standards and Technology (NIST) as "any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity… and (2) any other information that is linked or linkable to an individual…."
  • pharming: A type of attack that redirects a legitimate website's traffic to a fake site without the victim clicking a malicious link, typically by poisoning DNS responses or modifying the victim's local hosts file so that the legitimate domain name resolves to the attacker's server. See also Domain Name System (DNS).
  • PHI: See protected health information (PHI).
  • PII: See Personally Identifiable Information (PII).
  • PIPEDA: See Personal Information Protection and Electronic Documents Act (PIPEDA).
  • PKI: See public key infrastructure (PKI).
  • platform as a service (PaaS): A cloud computing service model in which customers can deploy supported applications onto the provider's cloud infrastructure, but the customer has no knowledge of, and does not manage or control, the underlying cloud infrastructure. The customer has control over the deployed applications and limited configuration settings for the application-hosting environment. The customer owns the deployed applications and data, and is therefore responsible for the security of those applications and data.
  • PoE: See power over Ethernet (PoE).
  • point-to-point protocol (PPP): A Layer 2 (Data Link) protocol used to establish a direct connection between two nodes.
  • point-to-point tunneling protocol (PPTP): An obsolete method for implementing virtual private networks, with many known security issues, that uses a TCP control channel and a GRE tunnel to encapsulate PPP packets. See also Transmission Control Protocol (TCP), Generic Routing Encapsulation (GRE), and point-to-point protocol (PPP).
  • polymorphism: A programming technique used to alter a part of malware code with every iteration, to avoid detection by signature-based anti-malware software. For example, an encryption key or decryption routine may change with every iteration, but the malware payload remains unchanged. See also metamorphism.
  • power over Ethernet (PoE): A network standard that provides electrical power to certain network devices over Ethernet cables.
  • PPP: See point-to-point protocol (PPP).
  • PPTP: See point-to-point tunneling protocol (PPTP).
  • pre-shared key (PSK): A shared secret used in symmetric key cryptography that has been exchanged in advance, out of band, between the two parties that will communicate over an encrypted channel.
  • promiscuous mode: Refers to Ethernet hardware used in computer networking, typically a network interface card (NIC), that receives all traffic on a network segment, even if the traffic is not addressed to the hardware.
  • protected health information (PHI): Defined by HIPAA as information about an individual's health status, provision of healthcare, or payment for healthcare that includes identifiers such as names, geographic identifiers (smaller than a state), dates, phone and fax numbers, email addresses, Social Security numbers, medical record numbers, or photographs. See also Health Insurance Portability and Accountability Act (HIPAA).
  • protocol data unit (PDU): A self-contained unit of data (consisting of user data or control information and network addressing).
  • PSK: See pre-shared key (PSK).
  • public key infrastructure (PKI): A set of roles, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and manage public key encryption.
  • QoS: See Quality of Service (QoS).
  • Quality of Service (QoS): The overall performance of specific applications or services on a network including error rate, bit rate, throughput, transmission delay, availability, jitter, etc. QoS policies can be configured on certain network and security devices to prioritize certain traffic, such as voice or video, over other, less performance-intensive traffic, such as file transfers.
  • RADIUS: See Remote Authentication Dial-In User Service (RADIUS).
  • rainbow table: A precomputed table of hash chains used to recover the original input (typically a password) of a cryptographic hash function from its hash value far faster than hashing every guess on demand. Rainbow tables work only against unsalted hashes: a per-password random salt changes every digest, so the table would have to be rebuilt for each salt value. See also one-way (hash) function and salt.
  • RARP: See Reverse Address Resolution Protocol (RARP).
  • recursive DNS query: A DNS query that is performed (if the DNS server allows recursive queries) when a DNS server is not authoritative for a destination domain. The non-authoritative DNS server obtains the IP address of the authoritative DNS server for the destination domain and sends the original DNS request to that server to be resolved. See also Domain Name System (DNS) and authoritative DNS server.
  • Remote Authentication Dial-In User Service (RADIUS): A client-server protocol and software that enables remote access servers to communicate with a central server to authenticate users and authorize access to a system or service.
  • remote procedure call (RPC): An inter-process communication (IPC) mechanism that lets a program invoke a procedure in another process or on another computer across a network as if it were a local function call, with the network transport handled transparently.
  • repeater: A network device that boosts or retransmits a signal to physically extend the range of a wired or wireless network.
  • representational state transfer (REST): An architectural programming style that typically runs over HTTP, and is commonly used for mobile apps, social networking websites, and mashup tools. See also Hypertext Transfer Protocol (HTTP).
  • REST: See representational state transfer (REST).
  • Reverse Address Resolution Protocol (RARP): A protocol that translates a physical MAC address to a logical address. See also media access control (MAC) address.
  • ring topology: A LAN topology in which all nodes are connected in a closed loop that forms a continuous ring. In a ring topology, all communication travels in a single direction around the ring. Ring topologies were common in token ring networks. See also local-area network (LAN).
  • rooting: The Google Android equivalent of jailbreaking. See jailbreaking.
  • router: A network device that sends data packets to a destination network along a network path.
  • RPC: See remote procedure call (RPC).
  • SaaS: See software as a service (SaaS).
  • salt: Randomly generated data that is used as an additional input to a one-way hash function that hashes a password or passphrase. The same original text hashed with different salts results in different hash values.
  • Sarbanes-Oxley (SOX) Act: A U.S. law that increases financial governance and accountability in publicly traded companies.
  • script kiddie: Someone with limited hacking and/or programming skills who uses malicious programs (malware) and tools written by others to attack a computer or network.
  • Secure Sockets Layer (SSL): A cryptographic protocol for managing authentication and encrypted communication between a client and server to protect the confidentiality and integrity of data exchanged in the session. All SSL versions (including SSL 3.0, formally deprecated by RFC 7568) are considered insecure and have been superseded by TLS. See also Transport Layer Security (TLS).
  • service set identifier (SSID): A case-sensitive identifier of up to 32 bytes that names a Wi-Fi network. The SSID is broadcast in the clear and is not a security control; hiding it does not prevent an attacker from discovering the network.
  • software as a service (SaaS): A cloud computing service model, defined by the U.S. National Institute of Standards and Technology (NIST), in which "the capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser, or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings."
  • SONET: See Synchronous Optical Networking (SONET).
  • SOX: See Sarbanes-Oxley (SOX) Act.
  • spear phishing: A highly targeted phishing attack that uses specific information about the target to make the phishing attempt appear legitimate.
  • SSID: See service set identifier (SSID).
  • SSL: See Secure Sockets Layer (SSL).
  • STIX: See Structured Threat Information Expression (STIX).
  • Structured Threat Information Expression (STIX): A standardized language for conveying data about cybersecurity threats (indicators, campaigns, threat actors, and the like). STIX 1.x used an XML format; STIX 2.x uses JSON. See also Extensible Markup Language (XML).
  • subnet mask: A 32-bit number that identifies which bits of an IPv4 address make up the network portion (the bits set to 1 in the mask) and which make up the host portion (the bits set to 0). See also Internet Protocol (IP) address.
  • subnetting: A technique used to divide a large network into multiple smaller subnetworks.
  • supernetting: A technique used to aggregate multiple contiguous smaller networks into a larger network to enable more efficient internet routing.
  • switch: An intelligent hub that forwards data packets only to the port associated with the destination device on a network.
  • Synchronous Optical Networking (SONET): A protocol that transfers multiple digital bit streams synchronously over optical fiber.
  • T-carrier: A full-duplex digital transmission system that uses multiple pairs of copper wire to transmit electrical signals over a network. For example, a T-1 circuit consists of two pairs of copper wire – one pair transmits, the other pair receives – that are multiplexed to provide a total of 24 channels, each delivering 64Kbps of data, for a total bandwidth of 1.544Mbps.
  • TCP: See Transmission Control Protocol (TCP).
  • TCP segment: A protocol data unit (PDU) defined at the Transport layer of the OSI model. See also protocol data unit (PDU) and Open Systems Interconnection (OSI) reference model.
  • three-way handshake: The sequence used to establish a TCP connection. For example, a PC initiates a connection with a server by sending a TCP SYN (synchronize) segment carrying its initial sequence number. The server replies with a SYN-ACK segment (synchronize-acknowledge) carrying its own initial sequence number and acknowledging the PC's. Finally, the PC sends an ACK segment acknowledging the server's sequence number, and data transfer can begin. Half-open connections left after the first step are the basis of SYN flood attacks. See also Transmission Control Protocol (TCP).
  • TCP/IP model: See Transmission Control Protocol/Internet Protocol (TCP/IP) model.
  • threat vector: See attack vector.
  • TLD: See top-level domain (TLD).
  • TLS: See Transport Layer Security (TLS).
  • top-level domain (TLD): The highest-level domain in DNS, represented by the last label of a fully qualified domain name (FQDN), for example .com or .edu. The most commonly used TLDs are generic top-level domains (gTLDs) such as .com, .edu, .net, and .org, and country-code top-level domains (ccTLDs) such as .ca and .us.
  • Tor ("The Onion Router"): Software that enables anonymous communication over the internet.
  • Transmission Control Protocol (TCP): A connection-oriented (a direct connection between network devices is established before data segments are transferred) protocol that provides reliable delivery (received segments are acknowledged and retransmission of missing or corrupted segments is requested) of data.
  • Transmission Control Protocol/Internet Protocol (TCP/IP) model: A four-layer networking model consisting of the Application (Layer 4 or L4), Transport (Layer 3 or L3), Internet (Layer 2 or L2), and Network Access (Layer 1 or L1) layers.
  • Transport Layer Security (TLS): The successor to SSL (although it is still commonly referred to as SSL). TLS 1.2 and TLS 1.3 are the current versions; TLS 1.0 and 1.1 have been deprecated (RFC 8996) and should be disabled. See also Secure Sockets Layer (SSL).
  • Type 1 hypervisor: See native hypervisor.
  • Type 2 hypervisor: See hosted hypervisor.
  • UDP: See user datagram protocol (UDP).
  • UDP datagram: A protocol data unit (PDU) defined at the Transport layer of the OSI model. See also user datagram protocol (UDP) and Open Systems Interconnection (OSI) reference model.
  • uniform resource locator (URL): A unique reference (or address) to an internet resource, such as a webpage.
  • URL: See uniform resource locator (URL).
  • user datagram protocol (UDP): A connectionless (a direct connection between network devices is not established before datagrams are transferred) protocol that provides best-effort delivery (received datagrams are not acknowledged and missing or corrupted datagrams are not requested) of data.
  • variable-length subnet masking (VLSM): A technique that enables an IP address space to be divided into subnets of different sizes. See also Internet Protocol (IP) address.
  • virtual LAN (VLAN): A logical network that is created within a physical local-area network.
  • VLAN: See virtual LAN (VLAN).
  • VLSM: See variable-length subnet masking (VLSM).
  • Voice over Internet Protocol (VoIP): Technology that provides voice communication over an Internet Protocol (IP)-based network. Also known as IP telephony.
  • VoIP: See Voice over Internet Protocol (VoIP).
  • vulnerability: A bug or flaw that exists in a system or software and creates a security risk.
  • WAN: See wide-area network (WAN).
  • watering hole: An attack that compromises websites that are likely to be visited by a targeted victim to deliver malware via a drive-by-download. See also drive-by-download.
  • Web 2.0: A term popularized by Tim O'Reilly and Dale Dougherty unofficially referring to a new era of the World Wide Web, which is characterized by dynamic or user-generated content, interaction, and collaboration, and the growth of social media. See also Enterprise 2.0.
  • whaling: A type of spear phishing attack that is specifically directed at senior executives or other high-profile targets within an organization. See also spear phishing.
  • wide-area network (WAN): A computer network that connects multiple LANs or other WANs across a relatively large geographic area, such as a small city, a region or country, a global enterprise network, or the entire planet (for example, the internet). See also local-area network (LAN).
  • wireless access point (AP): A network device that connects to a router or wired network and transmits a Wi-Fi signal so that wireless devices can connect to a wireless (or Wi-Fi) network.
  • wireless repeater: A device that rebroadcasts the wireless signal from a wireless router or AP to extend the range of a Wi-Fi network.
  • XML: See Extensible Markup Language (XML).
  • XOR: See exclusive or (XOR).
  • zero-day threat: The window of vulnerability that exists from the time a new (unknown) threat is released until security vendors release a signature file or security patch for the threat.
  • zombie: See bot.
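The one-way (hash) function, rainbow table, and salt entries above describe a relationship that is easier to see in code. The following Python example is added here and is not part of the original glossary. The wordlist and the passwords it uses are constructed, and the plain dictionary it builds stands in for a rainbow table (a real one stores hash chains rather than every digest, but the lookup it enables is the same). It shows an unsalted digest being reversed instantly by lookup, the same password producing different digests under different salts, verification against a stored salt, and why an attacker's precomputation cost multiplies with the number of distinct salts.

```python
import hashlib
import hmac
import os

# Constructed wordlist: the set of guesses a precomputed table covers.
WORDLIST = ["password", "password123", "letmein", "qwerty", "summer2019"]
ITERATIONS = 100_000  # PBKDF2 work factor for this example; tune upward in production


def unsalted_hash(password):
    """Plain SHA-256 of the password: same input gives the same digest everywhere."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute digest -> plaintext for every word in the list.  Against
    unsalted hashes this is computed once and reused against every stolen
    database, which is the whole point of a rainbow table."""
    return {unsalted_hash(w): w for w in words}


def lookup(table, hexdigest):
    """Reverse a one-way function by lookup, if the digest was precomputed."""
    return table.get(hexdigest)


def salted_hash(password, salt=None, iterations=ITERATIONS):
    """Per-password random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256).
    Returns (salt, digest); both are stored with the account, and the salt is
    not secret: its job is to make every digest unique, not to hide anything."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify(password, salt, stored_digest, iterations=ITERATIONS):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = salted_hash(password, salt, iterations)
    return hmac.compare_digest(digest, stored_digest)


def precomputation_cost(words, salts):
    """Number of hashes an attacker must compute to cover the wordlist for
    every distinct salt observed.  Salts are independent, so the work is
    multiplied instead of being done once."""
    return len(words) * len(set(salts))


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted digest cracked by lookup:", lookup(table, unsalted_hash("password123")))

    salt_a, digest_a = salted_hash("password123")
    salt_b, digest_b = salted_hash("password123")
    print("same password, two salts, digests differ:", digest_a != digest_b)
    print("precomputed table finds the salted digest:", lookup(table, digest_a.hex()))
    print("verify with the stored salt:", verify("password123", salt_a, digest_a))
    print("hashes needed to cover 1000 users' salts:",
          precomputation_cost(WORDLIST, [os.urandom(16) for _ in range(1000)]))
```

The table lookup succeeds only for the unsalted digest; against the salted digests it returns nothing, and the attacker is back to hashing every guess per salt with a KDF that is deliberately slow. When reviewing an application, the things to check are that the salt is random and per-password (not a fixed application-wide value), that the hash is a slow KDF rather than a bare SHA-256, and that comparison uses a constant-time function.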
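The obfuscation, packer, and polymorphism entries above describe the same mechanism from three angles: compress the payload, XOR it with a key that changes on every build, and let a small decoder stub undo both at run time. The following Python example is added here and is not part of the original glossary. The payload is a constructed stand-in (an "MZ" magic, the DOS stub text, and filler bytes) that is never executed, and the key recovery routine is the analyst's side of the problem: with a single-byte key there are only 255 candidates, and zlib's own header check and Adler-32 trailer reject almost every wrong one, so the key falls out without ever touching the stub.

```python
import hashlib
import os
import zlib

# Constructed stand-in for an executable: an "MZ" magic followed by the DOS
# stub text and filler bytes.  It is not real code and is never executed.
PAYLOAD = (b"MZ" + b"This program cannot be run in DOS mode.\r\n"
           + bytes(range(256)) * 2)


def xor_bytes(data, key):
    """Single-byte XOR: the simplest substitution cipher used for obfuscation."""
    return bytes(b ^ key for b in data)


def pack(payload, key=None):
    """Polymorphic packer stage: compress the payload, then XOR it with a key
    that changes on every build.  Key 0 is excluded because it would leave the
    compressed bytes unobfuscated."""
    if key is None:
        key = 1 + os.urandom(1)[0] % 255
    return key, xor_bytes(zlib.compress(payload), key)


def unpack(key, blob):
    """What the decoder stub does in memory at run time: undo the XOR, then
    decompress.  The recovered payload is identical for every key."""
    return zlib.decompress(xor_bytes(blob, key))


def signature(data):
    """A file-hash 'signature' of the kind a simple AV engine would match on."""
    return hashlib.sha256(data).hexdigest()


def variant_signatures(payload, keys):
    """Hashes of the same payload packed under different keys: one per key,
    which is why a hash-based signature for one sample misses the next."""
    return {signature(pack(payload, k)[1]) for k in keys}


def recover_key(blob, magic=b"MZ"):
    """Analyst-side brute force over the 255 possible keys.  A wrong key almost
    always breaks zlib's header check or Adler-32 trailer, and any survivor
    must also decode to a buffer that starts with the expected magic bytes.
    Returns None when no key yields a plausible payload."""
    for key in range(1, 256):
        try:
            candidate = zlib.decompress(xor_bytes(blob, key))
        except zlib.error:
            continue
        if candidate.startswith(magic):
            return key
    return None


if __name__ == "__main__":
    key_a, blob_a = pack(PAYLOAD)
    key_b, blob_b = pack(PAYLOAD)
    print("packed sample A sha256:", signature(blob_a))
    print("packed sample B sha256:", signature(blob_b))
    print("unpacked payloads identical:",
          unpack(key_a, blob_a) == unpack(key_b, blob_b) == PAYLOAD)
    print("key recovered without the stub:", recover_key(blob_a) == key_a)
```

Every run produces a blob with a different SHA-256 while the unpacked payload, and therefore its behaviour, never changes, which is exactly why signature matching on the packed file fails and why detection has to look at the unpacked payload in memory or at behaviour. The same brute-force idea extends to short multi-byte keys by recovering one key byte per known-plaintext position; a real packer with a long or per-block key needs dynamic unpacking instead.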