Governments and the agencies responsible for critical infrastructure are evolving to meet diverse needs for more data for more users – citizens, warfighters, patients, students and contractors – in more places than ever. 'Smart Government' initiatives are driving innovative approaches to how governments can make use of data from more constituents, and smart sensors are changing the way militaries can use real-time data from far afield. These realities are driving a new way of operating that must also include new cyber security considerations.
The Australian Signals Directorate (ASD) has again issued Strategies to Mitigate Cyber Security Incidents guidelines to help Australia's critical infrastructure and other organisations protect the nation's digital assets. These strategies are born from ASD's observation and experience whilst responding to cybersecurity incidents and testing the security posture of Australian government organisations. ASD consider the 'Essential Eight' a cybersecurity baseline for all organisations.
This document maps the capabilities provided by the Palo Alto Networks® Security Operating Platform against these ASD Strategies to mitigate cybersecurity incidents.
Across government and private organisations, operations teams and analysts are overburdened. The widespread cybersecurity skills shortage has created a competitive jobs market, and many government organisations struggle to match rising salaries. Retaining staff can be difficult as well, as many staff members are undertaking manual, repetitive tasks, such as log analysis, or responding to a deluge of alerts and events created by disparate, disconnected security tools. The Palo Alto Networks Security Operating Platform, Figure 1, improves productivity through automation, letting valuable, often limited, staff focus on what matters – the most critical activities. Shared intelligence and consistent enforcement across networks, cloud and endpoints strengthens and speeds prevention of the newest threats, regardless of where they could enter the network.
Rooted in a focus on threat prevention, the Security Operating Platform is natively integrated, using automation to counter cyberattacks before they manifest in an organisation's environment. Accurate analytics let organisations streamline routine tasks and focus on business or agency priorities. Tight integrations across the platform and with ecosystem partners deliver consistent security across their networks, extending to their cloud instances, and to their remote and mobile devices.
The Security Operating Platform automates threat identification and prevention across cloud, network, servers and endpoints with a data-driven approach and advanced analytics, all delivered from the cloud. It blocks exploits, ransomware, malware and fileless attacks to minimise infected endpoints and servers. Organisations can easily operate best security practices using application-, user- and content-based policies, and a zero trust approach, to minimise opportunities for attack.
Using the platform, organisations automate security controls with policies that dynamically change to match their applications, users and content. DevOps and others responsible for cloud initiatives can stand up new cloud instances more quickly, speed up multi-cloud deployments and simplify management through deep integrations with native cloud services and automation tools. Teams can also continuously validate the compliance of their cloud deployments with customisable reports and controls that save time. With the Application Framework, Palo Alto Networks provides an open ecosystem for trusted innovators to bring security innovations to market faster. Whether developed by Palo Alto Networks, a third party within the ecosystem or an organisation's own teams, these applications can detect and report on threats, or automate enforcement workflows, reducing response times. Organisations can continually improve their security effectiveness and efficiency with this platform for tightly integrated innovations, building on the value of what is already in place.
The following table describes the 37 individual ASD strategies, ASD's classification of the importance of each, and how the Palo Alto Networks Security Operating Platform supports the use of that strategy. For more detail on a particular Palo Alto Networks product, please refer to the Appendix.
Mitigation Strategies to Prevent Malware Delivery and Execution

# | ASD Weighting | Mitigation Strategy Description | Security Operating Platform |
--- | --- | --- | --- |
1 | Essential | Application whitelisting of approved/trusted programs to prevent execution of unapproved/malicious programs including .exe, DLL, scripts (e.g. Windows Script Host, PowerShell and HTA) and installers. | Palo Alto Networks Advanced Endpoint Protection provides multiple layers and techniques to prevent the execution of malicious code, including: It also incorporates other capabilities, including local analysis and cloud-based malware analysis. * Products and Subscriptions: Traps Advanced Endpoint Protection |
2 | Essential | Patch applications e.g. Flash, web browsers, Microsoft Office, Java and PDF viewers. Patch/mitigate computers with 'extreme risk' vulnerabilities within 48 hours. Use the latest version of applications. | Palo Alto Networks Advanced Endpoint Protection augments a proactive patching regime through its exploit mitigation capabilities. Rather than relying on signatures to prevent already known threats, its multi-method exploit prevention focuses on the core techniques used in exploit attacks. The result is several layers of protection that block known, unknown and zero-day threats before they can compromise an endpoint. Advanced Endpoint Protection recognises and proactively blocks exploit techniques that: This capability removes the pressure to rush application patching and can remove any window of opportunity for attackers to exploit newfound application vulnerabilities. * Products and Subscriptions: Traps Advanced Endpoint Protection |
3 | Essential | Configure Microsoft Office macro settings to block macros from the Internet, and only allow vetted macros either in 'trusted locations' with limited write access or digitally signed with a trusted certificate. | To augment this recommendation, Palo Alto Networks Advanced Endpoint Protection prevents execution of malicious macros in online and offline mode through local analysis and integration with the malware analysis service. It also prevents macros from opening inappropriate or blocked child processes, such as WScript. * Products and Subscriptions: Traps Advanced Endpoint Protection, WildFire malware analysis service |
4 | Essential | User application hardening. Configure web browsers to block Flash (ideally uninstall it), ads and Java on the Internet. Disable unneeded features in Microsoft Office (e.g. OLE), web browsers and PDF viewers. | For environments where Flash® and Java® are required, the exploit mitigation capabilities of Palo Alto Networks Advanced Endpoint Protection can mitigate the risks of using these commonly exploited applications. By default, these commonly used processes are protected. * Products and Subscriptions: Traps Advanced Endpoint Protection |
5 | Excellent | Automated dynamic analysis of email and web content run in a sandbox, blocked if suspicious behaviour is identified e.g. network traffic, new or modified files, or other system configuration changes. | Palo Alto Networks malware analysis service is an advanced prevention engine for highly evasive zero-day exploits and malware. The cloud-based service employs a unique multi-technique approach that combines dynamic and static analysis, innovative machine learning techniques, and a bare metal analysis environment to detect and prevent even the most evasive threats. The malware analysis service brings together the benefits of four independent techniques for high-fidelity and evasion-resistant discovery, including: To meet the strictest local privacy or regulatory requirements, the malware analysis service is available in multiple deployment modes, including: * Products and Subscriptions: WildFire malware analysis service |
6 | Excellent | Email content filtering. Whitelist allowed attachment types (including in archives and nested archives). Analyse/sanitise hyperlinks, PDF and Microsoft Office attachments. Quarantine Microsoft Office macros. | A Palo Alto Networks next-generation firewall (NGFW) with the malware analysis service can analyse hyperlinks and attachments within emails, including Microsoft® Office and Adobe® PDF files. * Products and Subscriptions: Next-Generation Firewall (NGFW), WildFire malware analysis service |
7 | Excellent | Web content filtering. Whitelist allowed types of web content and websites with good reputation ratings. Block access to malicious domains and IP addresses, ads, anonymity networks and free domains. | Palo Alto Networks next-generation firewalls (NGFWs) with the URL Filtering subscription provide secure web browsing and URL access by allowing administrators to block dangerous sites that deliver malware, attempt to circumvent security controls or phish user credentials. Palo Alto Networks NGFWs also: * Products and Subscriptions: Next-Generation Firewall (NGFW), URL Filtering subscription |
8 | Excellent | Deny corporate computers direct Internet connectivity. Use a gateway firewall to require use of a split DNS server, an email server, and an authenticated web proxy server for outbound web connections. | Palo Alto Networks next-generation firewalls (NGFWs) can act as gateways, authenticating users through user identification and applying user-based policies against configured zones to ensure end-user systems have no direct Internet connectivity. * Products and Subscriptions: Next-Generation Firewall (NGFW) |
9 | Excellent | Operating system generic exploit mitigation e.g. Data Execution Prevention (DEP), Address Space Layout Randomisation (ASLR) and Enhanced Mitigation Experience Toolkit (EMET). | Palo Alto Networks Advanced Endpoint Protection includes multi-method exploit prevention that focuses on the core techniques used in exploit attacks, rather than relying on signatures to prevent already known threats. The result is several layers of protection that block known, unknown and zero-day threats before they can compromise an endpoint. Advanced Endpoint Protection recognises and proactively blocks exploit techniques that: This capability removes the pressure to rush application patching and can remove any window of opportunity for attackers to exploit newfound application vulnerabilities. * Products and Subscriptions: Traps Advanced Endpoint Protection |
10 | Very Good | Server application hardening especially Internet-accessible web applications (sanitise input and use TLS not SSL) and databases, as well as applications that access important (sensitive or high-availability) data. | N/A |
11 | Very Good | Operating system hardening (including for network devices) based on a Standard Operating Environment, disabling unneeded functionality e.g. RDP, AutoRun, LanMan, SMB/NetBIOS, LLMNR and WPAD. | N/A |
12 | Very Good | Antivirus software using heuristics and reputation ratings to check a file's prevalence and digital signature prior to execution. Use antivirus software from different vendors for gateways versus computers. | The Security Operating Platform provides multiple layers and methods of malware prevention. At the network and gateways, Palo Alto Networks next-generation firewalls provide stream-based antivirus with content-based signatures. Payload-based signatures detect patterns in the body of a file that can be used to identify future variations of that file even if its content has been slightly modified. This allows immediate identification and blocking of polymorphic malware that would otherwise be treated as unknown. Network antivirus signatures are updated every five minutes with the malware analysis service subscription. At the endpoint, Advanced Endpoint Protection prevents the execution of malware using multiple methods, including: * Products and Subscriptions: Next-Generation Firewall (NGFW), Threat Prevention, Traps Advanced Endpoint Protection |
13 | Very Good | Control removable storage media and connected devices. Block unapproved CD/DVD/USB storage media. Block connectivity with unapproved smartphones, tablets and Bluetooth/Wi-Fi/ 3G/4G devices. | Advanced Endpoint Protection provides execution control that allows administrators to prevent execution of files from removable media. |
14 | Very Good | Block spoofed emails. Use Sender Policy Framework (SPF) or Sender ID to check incoming emails. Use 'hard fail' SPF TXT and DMARC DNS records to mitigate emails that spoof the organisation's domain. | N/A |
15 | Good | User education. Avoid phishing emails (e.g. with links to login to fake websites), weak passphrases, passphrase reuse, as well as unapproved: removable storage media, connected devices and cloud services. | User education is important, as well-crafted phishing emails can be very effective. To back up user training, the Security Operating Platform provides multiple capabilities to mitigate the risk of a successful phishing attack through network controls that: * Products and Subscriptions: Next-Generation Firewall (NGFW), URL Filtering |
16 | Good | Antivirus software with up-to-date signatures to identify malware, from a vendor that rapidly adds signatures for new malware. Use antivirus software from different vendors for gateways versus computers. | As Palo Alto Networks malware analysis service detects new threats, it automatically pushes updated signatures to the Security Operating Platform every five minutes. The Advanced Endpoint Protection uses local analysis via machine learning to deliver instantaneous verdicts for any unknown executable files, DLLs or Office files before allowing them to run. It examines hundreds of a file's characteristics in a fraction of a second without relying on signatures or prior knowledge of the threat. * Products and Subscriptions: Next-Generation Firewall (NGFW), Threat Prevention, WildFire malware analysis service, Traps Advanced Endpoint Protection |
17 | Limited | TLS encryption between email servers to help prevent legitimate emails being intercepted and subsequently leveraged for social engineering. Perform content scanning after email traffic is decrypted. | N/A |
18 | Essential | Restrict administrative privileges to operating systems and applications based on user duties. Regularly revalidate the need for privileges. Don't use privileged accounts for reading email and web browsing. | To assist agencies and organisations in enforcing these policies, Palo Alto Networks next-generation firewalls make use of user- and application-identification to prevent administrative accounts from accessing particular applications and web browsing. * Products and Subscriptions: Next-Generation Firewall (NGFW) |
19 | Essential | Patch operating systems. Patch/ mitigate computers (including network devices) with 'extreme risk' vulnerabilities within 48 hours. Use the latest operating system version. Don't use unsupported versions. | Vulnerability Protection profiles on Palo Alto Networks next-generation firewalls can be used to 'virtually patch' operating systems to mitigate the risk of new vulnerabilities being exploited before systems can be otherwise patched. * Products and Subscriptions: Next-Generation Firewall (NGFW), Threat Prevention subscription |
20 | Essential | Multi-factor authentication including for VPNs, RDP, SSH and other remote access, and for all users when they perform a privileged action or access an important (sensitive or high-availability) data repository. | Palo Alto Networks next-generation firewalls natively provide a policy-based multi-factor authentication (MFA) framework. This unique capability makes it easy to enforce MFA from the firewall for access to highly sensitive services and applications. This is key to stopping cyber adversaries from moving laterally in a network and accessing sensitive resources with the help of stolen credentials or compromised endpoints. * Products and Subscriptions: Next-Generation Firewall (NGFW) |
21 | Excellent | Disable local administrator accounts or assign passphrases that are random and unique for each computer's local administrator account to prevent propagation using shared local administrator credentials. | N/A |
22 | Excellent | Network segmentation. Deny network traffic between computers unless required. Constrain devices with low assurance e.g. BYOD and IoT. Restrict access to network drives and data repositories based on user duties. | Palo Alto Networks next-generation firewalls help organisations segment networks in an effective and meaningful manner, allowing IT staff to safely enable applications on the network for appropriate groups of users and/or devices. Next-generation firewalls use designated security zones, along with flexible deployment modes at Layer 1, 2 or 3, to segment enterprise networks. Security policies take advantage of features such as application- and user-identification, allowing administrators to identify who is using which applications within a segment, whilst content identification and the malware analysis service continually inspect traffic for threats. * Products and Subscriptions: Next-Generation Firewall (NGFW) |
23 | Excellent | Protect authentication credentials. Remove CPassword values (MS14-025). Configure WDigest (KB2871997). Use Credential Guard. Change default passphrases. Require long complex passphrases. | To augment these measures, Palo Alto Networks next-generation firewalls can prevent users from submitting credentials to phishing sites. With integrated user identification, next-generation firewalls can recognise the movement of enterprise credentials in traffic. If a user unknowingly attempts to transmit a username and password to an unauthorised site, policies within the firewall can issue alerts or drop the traffic to stop the transmission. * Products and Subscriptions: Next-Generation Firewall (NGFW) |
24 | Very Good | Non-persistent virtualised sandboxed environment, denying access to important (sensitive or high-availability) data, for risky activities e.g. web browsing, and viewing untrusted Microsoft Office and PDF files. | N/A |
25 | Very Good | Software-based application firewall, blocking incoming network traffic that is malicious/ unauthorised, and denying network traffic by default e.g. unneeded/unauthorised RDP and SMB/NetBIOS traffic. | Palo Alto Networks VM-Series virtualised next-generation firewalls provide full application visibility and precise control enabled by App-ID, allowing granular control of application functions and blocking all unauthorised traffic. * Products and Subscriptions: Next-Generation Firewall (NGFW) |
26 | Very Good | Software-based application firewall, blocking outgoing network traffic that is not generated by approved/trusted programs, and denying network traffic by default. | Palo Alto Networks VM-Series virtualised next-generation firewalls provide full application visibility and precise control enabled by App-ID, allowing granular control of application functions, and blocking all unauthorised traffic. * Products and Subscriptions: Next-Generation Firewall (NGFW) |
27 | Very Good | Outbound web and email data loss prevention. Block unapproved cloud computing services. Log recipient, size and frequency of outbound emails. Block and log emails with sensitive words or data patterns. | Palo Alto Networks next-generation firewalls use data filtering to prevent sensitive, confidential and proprietary information from leaving the network by inspecting traffic for sensitive words or data patterns. The next-generation firewalls can also integrate with endpoint data loss prevention offerings to enforce DLP policy on the network. Additionally, through App-ID, next-generation firewalls can enforce granular policies at the application level to enable access to only sanctioned SaaS applications and cloud services. * Products and Subscriptions: Next-Generation Firewall (NGFW) |
28 | Excellent | Continuous incident detection and response with automated immediate analysis of centralised, time-synchronised logs of permitted and denied: computer events, authentication, file access and network activity. | The Security Operating Platform provides multiple automated detection and response capabilities: * Products and Subscriptions: Next-Generation Firewall (NGFW), Magnifier behavioural analysis service |
29 | Very Good | Host-based intrusion detection/ prevention system to identify anomalous behaviour during program execution e.g. process injection, keystroke logging, driver loading and persistence. | Through technique-based exploit prevention, Advanced Endpoint Protection can perform superior exploit prevention. It prevents attack techniques rather than relying on signatures, providing enhanced prevention of zero-day exploits. * Products and Subscriptions: Traps Advanced Endpoint Protection |
30 | Very Good | Endpoint detection and response software on all computers to centrally log system behaviour and facilitate incident response. Microsoft's free SysMon tool is an entry-level option. | N/A |
31 | Very Good | Hunt to discover incidents based on knowledge of adversary tradecraft. Leverage threat intelligence consisting of analysed threat data with context enabling mitigating action, not just indicators of compromise. | Palo Alto Networks threat intelligence service accelerates threat hunting, analysis, correlation and prevention workflows. Unique, targeted attacks are prioritised with full context, allowing security teams to respond to critical attacks more quickly without depending on additional IT security resources. * Products and Subscriptions: AutoFocus threat intelligence service |
32 | Limited | Network-based intrusion detection/prevention system using signatures and heuristics to identify anomalous traffic both internally and crossing network perimeter boundaries. | Palo Alto Networks next-generation firewalls intrusion detection and prevention detects and blocks exploit attempts and evasive techniques at the network and application levels, including port scans, buffer overflows, remote code execution, protocol fragmentation and obfuscation. Protections are based on signature matching and anomaly detection, which decodes and analyses protocols, and then uses the information learned to send alerts and block malicious traffic patterns. Stateful pattern-matching detects attacks across multiple packets, accounting for arrival order and sequence as well as making sure all allowed traffic is well-intentioned and devoid of evasion techniques. * Products and Subscriptions: Next-Generation Firewall (NGFW), Threat Prevention intrusion detection and prevention |
33 | Limited | Capture network traffic to and from corporate computers storing important data or considered as critical assets, and network traffic traversing the network perimeter, to perform incident detection and analysis. | Palo Alto Networks next-generation firewalls can externally backup configuration data for individual firewalls, and Palo Alto Networks network security management includes the same global ability to externally back up configuration for all firewalls in the enterprise. * Products and Subscriptions: Next-Generation Firewall (NGFW), Panorama network security management |
34 | Essential | Daily backups of important new/ changed data, software and configuration settings, stored disconnected, retained for at least three months. Test restoration initially, annually and when IT infrastructure changes. | Palo Alto Networks next-generation firewalls can externally backup configuration data for individual firewalls, and Palo Alto Networks network security management includes the same global ability to externally back up configuration for all firewalls in the enterprise. * Products and Subscriptions: Next-Generation Firewall (NGFW), Panorama network security management |
35 | Very Good | Business continuity and disaster recovery plans which are tested, documented and printed in hardcopy with a softcopy stored offline. Focus on the highest priority systems and data to recover. | N/A |
36 | Very Good | System recovery capabilities e.g. virtualisation with snapshot backups, remotely installing operating systems and applications on computers, approved enterprise mobility, and onsite vendor support contracts. | N/A |
37 | Very Good | Personnel management e.g. ongoing vetting, especially for users with privileged access; immediately disable all accounts of departing users; and remind users of their security obligations and penalties. | N/A |
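Strategy 14 in the table above asks for a 'hard fail' SPF TXT record and a DMARC DNS record, and is marked N/A for the platform. The Python below is an added example, not part of the original document or of any Palo Alto Networks product: it parses SPF and DMARC records and reports whether they meet that strategy (SPF ending in `-all`, DMARC policy `reject` or `quarantine` applied to 100% of mail) along with the RFC 7208 DNS-lookup limit that silently breaks over-long SPF records. The domains and records are constructed samples embedded inline; a real check would first fetch the TXT records from DNS.

```python
import re

# Constructed sample TXT records (illustrative domains, not real organisations).
# SPF lives at the domain itself; DMARC lives at _dmarc.<domain>.
SAMPLE_TXT = {
    "strict.example": ["v=spf1 mx ip4:203.0.113.0/24 include:_spf.mailer.example -all"],
    "_dmarc.strict.example": ["v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@strict.example"],
    "soft.example": ["v=spf1 include:_spf.mailer.example ~all"],
    "_dmarc.soft.example": ["v=DMARC1; p=none; rua=mailto:dmarc@soft.example"],
    "partial.example": ["v=spf1 a mx -all"],
    # partial.example publishes no _dmarc record at all.
}

# SPF terms that each cost a DNS lookup; RFC 7208 caps these at 10 per evaluation,
# and a record over the cap yields a permerror, so receivers may ignore it entirely.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def assess_spf(record):
    """Parse one SPF record; 'hard fail' means the record ends in -all."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "hard_fail": False, "all_qualifier": None, "lookups": 0}
    all_qualifier, lookups = None, 0
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()
        if name == "all":
            all_qualifier = qualifier        # '-' fail, '~' softfail, '?' neutral, '+' pass
        elif name in LOOKUP_TERMS:
            lookups += 1
    return {"valid": True, "all_qualifier": all_qualifier,
            "hard_fail": all_qualifier == "-", "lookups": lookups}


def assess_dmarc(record):
    """Parse one DMARC record; only reject/quarantine at pct=100 stops spoofed mail."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return {"valid": False, "policy": None, "enforcing": False}
    policy = tags["p"].lower()
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    return {"valid": True, "policy": policy, "pct": pct,
            "subdomain_policy": tags.get("sp", policy).lower(),
            "enforcing": policy in ("reject", "quarantine") and pct == 100}


def assess_domain(domain, txt=SAMPLE_TXT):
    """Return the findings for a domain; an empty list means both controls are in place."""
    findings = []
    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:                        # more than one SPF record is itself a permerror
        findings.append("spf-missing" if not spf else "spf-multiple-records")
    else:
        result = assess_spf(spf[0])
        if not result["hard_fail"]:
            findings.append("spf-not-hard-fail")
        if result["lookups"] > 10:
            findings.append("spf-too-many-lookups")
    dmarc = [r for r in txt.get("_dmarc." + domain, []) if r.upper().startswith("V=DMARC1")]
    if len(dmarc) != 1:
        findings.append("dmarc-missing" if not dmarc else "dmarc-multiple-records")
    elif not assess_dmarc(dmarc[0])["enforcing"]:
        findings.append("dmarc-not-enforcing")
    return findings


if __name__ == "__main__":
    for d in ("strict.example", "soft.example", "partial.example"):
        print(d, assess_domain(d) or "ok")
```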
Palo Alto Networks is dedicated to the needs of government across the globe. Governments around the world, at all levels and across military, civilian and intelligence organisations, have been using Palo Alto Networks offerings for even their most critical IT and ICS/SCADA networks.
Palo Alto Networks network security products perform consistently against a variety of rigorous evaluations for certification. We are committed to the continued certification and performance evaluation of our products for use in government networks.
ASD mutually recognises evaluations under the Common Criteria Recognition Arrangement, and agencies can select products certified by any CCRA nation where the result is listed on the Common Criteria Portal.
See more information on ASD assessments here: https://www.asd.gov.au/infosec/evaluations.htm.
Palo Alto Networks next-generation firewalls have achieved Common Criteria certification under the rigorous National Information Assurance Partnership, or NIAP, Common Criteria Evaluation and Validation Scheme. The certified products are compliant with:
The certification applies to the Palo Alto Networks PA-200 Series, PA-500, PA-800 Series, PA-3000 Series, PA-5000 Series, PA-5200 Series, PA-7000 Series, and VM-Series next-generation firewalls. For certification details, please visit https://www.niap-ccevs.org/Product/Compliant.cfm?PID=10839.
This certification builds upon the previous Common Criteria certification at Evaluation Assurance Level 4+ that NIAP issued to Palo Alto Networks in 2013. The EAL4+ Assurance Continuity Maintenance Report is available at https://www.commoncriteriaportal.org/files/epfiles/st_vid10392-add2.pdf.
Palo Alto Networks products have been validated against FIPS 140-2, a certification focused on cryptographic functionality. Certificates have been issued by the National Institute of Standards and Technology, or NIST, under the Cryptographic Module Validation Program. The certification applies to the Palo Alto Networks PA-200 Series, PA-500, PA-800 Series, PA-3000 Series, PA-5000 Series, PA-5200 Series, PA-7000 Series, and VM-Series next-generation firewalls.
Next-generation firewalls facilitate safe enablement of all applications within the network perimeter and enforce granular security policies across physical networks as well as public and private clouds. Insights from App-ID, User-ID and Content-ID technology keep teams informed on who is using what on the network, and its effect on the organisation's risk profile.