We've reached a tipping point: threats are evolving far too quickly for point products to keep up. Having multiple products operating and analyzing data in silos has led to a fragmented and incomplete understanding of what's happening in the enterprise security landscape. With more than 9 million new instances of malware each month, deploying disparate point products across endpoint, network and cloud is no longer enough.
This paper examines the changing threat landscape and highlights the growing importance of best-in-class endpoint protection working in lockstep with other security products to create coordinated and comprehensive enterprise security. We will demonstrate how Palo Alto Networks® Traps™ advanced endpoint protection provides superior endpoint threat prevention as well as bridges the gap between endpoint and perimeter security, improving upon the efficiency and effectiveness of next-generation firewalls to provide stronger defense with fewer resources.
We've witnessed a radical change in attacker behavior in recent years as attackers, primarily driven by money, have seen more favorable returns on their investments than in the past. The cost to create attacks is plummeting, partly due to the availability of commoditized, out-of-the-box attacks and attack services, as well as attackers' abilities to recycle or modify previously known threats, leverage known and open source security technology, and incorporate automation.
Attackers can now realize a return far more quickly than before. Early and ongoing success of ransomware attacks has taught them that rewards can come quickly with minimal effort, and cryptocurrency makes collecting payment faster and more lucrative. Credential theft likewise increases the likelihood of gaining access to an organization's critical systems: attackers easily uncover personal information through social media, online databases and other sources, letting them skip the earlier stages of the attack lifecycle, where attacks are most commonly prevented, and making their targeted attacks even more successful.
Attacks have grown in volume and sophistication. Attackers no longer work independently; they take advantage of technology in much the same way modern organizations do, and more than 9 million new malware instances surface each month. As other platforms gain adoption, the constant barrage of zero-day malicious files has moved beyond Windows® systems to also include macOS®, Linux and Android®. Similarly, the explosive growth of cloud-hosted environments introduces yet more targets.
Perhaps most concerning is the huge increase in fileless attacks – estimated to make up 35 percent of attacks in 2018. These attacks include exploits, macros and other methods that don't depend on a user downloading a file to succeed. They succeed more often than file-based attacks because they largely bypass traditional endpoint security measures and leave few traces for forensic investigation.
A successful endpoint attack can cost an organization more than US$5 million on average due to productivity loss, system downtime and theft of information assets. It's a struggle for all groups responsible for preventing attacks – NetOps, Desktop Ops and SecOps – to keep up.
Next-generation firewalls focus on preventing attacks that target the network. Their visibility and prevention capabilities are limited by the location and configuration – the where and how – of these network enforcement points, and unfortunately, many things can circumvent a firewall:
Most attacks start by compromising an endpoint. Threats that evade firewall enforcement can be prevented by endpoint security products, but their effectiveness varies widely, in part because many run in isolation from the rest of the security infrastructure and cannot quickly share valuable intelligence across the ecosystem.
Organizations usually invest heavily in perimeter protection, but despite this, end users can unwittingly undercut these controls. When they operate outside the network, fall for phishing campaigns, or engage in other risky behavior due to normal human trust or curiosity, users open the door for attackers to circumvent hardened security measures, such as firewalls.
Additionally, many organizations deploy a variety of security tools in the hopes of protecting the organization against such attacks. However, this fragmented approach dramatically decreases operational efficiency, requiring manual configuration and integration while inevitably creating blind spots.
As powerful as next-generation firewalls are, there are several things they cannot do to prevent an attack. Understanding the location and configuration of your next-generation firewall allows endpoint security to cover potential gaps, including:
Rather than operate in a silo, endpoint protection must share what it sees and prevents with both the network and the cloud – coordinating analysis, response and prevention to strengthen overall security posture – to free up teams to tackle other priorities. Effective security calls for tight coordination and communication between the endpoint, network and cloud.
A successful attack on an endpoint creates a beachhead into a network that a next-generation firewall, even with correct configuration and policy implementation, cannot block or prevent. This underscores the importance of ensuring endpoint protection is truly effective, able to:
Few organizations can say both their firewalls and endpoint security are strong, let alone natively integrated. Palo Alto Networks Traps advanced endpoint protection extends the protection of the firewall to create a network of sensors and enforcement points, enhancing security across an entire organization.
Adding Traps to the security ecosystem creates a closed-loop system: as threats emerge, suspicious files and URLs are routed to Palo Alto Networks WildFire® malware prevention service for deep analysis, shared intelligence and automated containment, whether they came from the firewall or the endpoint. Panorama™ network security management ingests logs from next-generation firewalls and Traps, enabling security operations teams to view endpoint security logs in the same context as their firewall logs.
As part of the Security Operating Platform, automated integration and intelligence sharing ensure all parts of the security infrastructure learn of newly identified threats and can automatically update preventions, without human intervention, in as few as five minutes. Eliminating the well-known silos and communication barriers between network and endpoint teams, and between disparate products, enables open communication and visibility between the products. With gaps and fragmentation reduced, overall protection and security effectiveness increase.
Figure 1: Palo Alto Networks Security Operating Platform
Traps can improve the prevention capabilities of your next-generation firewall and reduce operational overhead in several ways, allowing you to:
Figure 2: Traps coordinated enforcement
Traps addresses the weakest links in a heavily managed and monitored security ecosystem: the endpoints. Traps protects users from increasingly sophisticated adversaries who have become adept at disguising their intent and taking advantage of human nature. It allows users to enjoy a seamless experience without the friction often caused by traditional security methods, such as signatures, scanning or restarts from patch updates.
With its multi-method approach to prevention, Traps prevents known, unknown and highly evasive threats while minimizing the number of alerts an administrator must address. Traps uses intelligence from WildFire to prevent known malware and provide deep inspection of unknown files, including dynamic analysis, static analysis, machine learning and bare metal analysis. It goes beyond merely blocking exploits and fileless attacks: it terminates the process, informs the user and administrator, and collects detailed forensics other parts of the security ecosystem can use.
Figure 3: Threat intelligence and sharing
Minimizing the potential for exposure from an attack, Traps automatically inserts itself into critical phases of the attack lifecycle to halt the execution of malicious programs and stop the exploitation of legitimate applications. It does this regardless of operating system, an endpoint's online or offline status, and whether it is connected to the organization's network or roaming. Additional scanning capabilities in Traps detect dormant, non-executed malware and can quarantine it to ensure it does not detonate, thus disrupting potential attacks before they can infect the endpoint and other parts of the network.
Figure 4: Multiple methods of prevention for accuracy and coverage
Even the smallest teams can effectively manage high-density endpoint implementations, including virtual desktop infrastructure or cloud-hosted environments across platforms, thanks to the cloud-based infrastructure of Traps, further reducing overhead and maintenance.
Traps combines multiple methods of prevention to meet the toughest of endpoint protection requirements and then some, allowing you to:
Until now, the missing piece of the security puzzle has been the inability to seamlessly integrate endpoints into a security ecosystem. Attempts to use a hodgepodge of third-party applications, hardware and custom integration to address sophisticated, endpoint-targeted attacks have failed in exploit prevention or early detection of malware. Palo Alto Networks addresses this gap by integrating firewalls and endpoint security in a way that provides unmatched, comprehensive protection. Bringing together all pieces of the puzzle – firewalls, clouds and endpoints – and aggregating all knowledge in one place results in contextual awareness previously only attainable through time-consuming, manual effort. Traps provides complete attack prevention for the endpoint as an integral part of the Palo Alto Networks Security Operating Platform, complementing and enhancing your next-generation firewalls and other security tools. With Traps, your security is much greater than the sum of its parts.