After a data breach, can you empower your CEO in thirty minutes?

18 February 2019

Security breaches are a fact of life. Prevention efforts never offer a 100% guarantee, and handling incident response is equally challenging. Who has all the logs, and who can perform a root-cause analysis across multiple outsourcing parties? Perhaps you should stop shopping for an antivirus solution or a next-generation endpoint product and instead shop for the desired outcome. A possible benchmark: can your department tell the CEO, within 30 minutes of detecting a breach, how it happened, which data was impacted, how it was stopped and whether all forensic evidence has been safeguarded?

To enable organizations to roll out new services and apps securely, Palo Alto Networks built the Next-Generation Security Platform to provide prevention through automation, applied consistently across the network, endpoint and cloud. Next-generation firewalls and the GlobalProtect cloud service cover network security, including remote users and locations, while the public cloud is protected by virtualized next-generation firewalls and the Aperture SaaS security service.

A limitless supply of vulnerabilities and malware

With the endpoint security solution Traps, Palo Alto Networks changed the endpoint security industry by replacing legacy antivirus with an approach that prevents malware and exploits. Whilst there is a limitless supply of vulnerabilities and malware, attackers are forced to rely on a far smaller number of techniques to exploit those vulnerabilities. Palo Alto Networks’ approach with Traps was simple: understand these techniques, then employ a series of roadblocks and traps to prevent an attacker from successfully exploiting those vulnerabilities.

Malware and vulnerability exploits

Palo Alto Networks has fully integrated the Traps product into the Next-Generation Security Platform. One of Traps’ distinguishing features is that it addresses multiple cybersecurity risks at once. Threat actors rely primarily on two attack vectors to compromise endpoints: malicious executables (malware) and vulnerability exploits. These attack vectors are used individually or in various combinations, but they are fundamentally different in nature.

Malware is a malicious executable, often self-contained, designed to perform nefarious activities on a system. Exploits are weaponized data files or content (such as a Microsoft Word document) designed to leverage software flaws or bugs in legitimate applications to provide attackers with remote code execution capabilities.

Known and unknown threats

Preventing attackers from compromising endpoints and servers requires an advanced endpoint protection product that prevents both known and unknown variants of malware and exploits, and delivers this prevention whether a machine is online or offline, on-premises or off-premises, connected to the organization’s network or not.

No ironclad guarantee

Traps continuously exchanges threat intelligence with the WildFire® threat analysis service, with more than 23,000 enterprise, government and service-provider customers contributing to the collective immunity of all other users. Traps uses this intelligence to reprogram itself automatically to prevent malware on the endpoint, in the network or in a SaaS application. This eliminates many of the opportunities an attacker has to use unknown and advanced malware to infect a system.

This does not, however, offer an ironclad guarantee that organizations are immune to all attacks. Unknown vulnerabilities, along with weaknesses in an organization’s security policy and device configuration, are a harsh reality IT departments have to live with.

Data collection and visualization

Palo Alto Networks was aware of this challenge, and with its recent acquisition of Israel-based Secdo it can add sophisticated endpoint detection and response (EDR) capabilities – including unique data collection and visualization – to Traps and its Application Framework. This will enhance the platform’s ability to rapidly detect and stop even the stealthiest attacks.

Moving to XDR

The ambition of Palo Alto Networks goes further. The future direction is to take the Secdo EDR capability and apply it across the entire platform – not just endpoints, but network and cloud as well. The concept is called XDR, meaning detection and response across the entire platform, so that clients get the best EDR security capabilities everywhere, rather than only on endpoints.

The result

By combining network, cloud and endpoint data with threat intelligence from WildFire and other sources (via the Logging Service), security teams can use advanced analytical and forensic tools to interpret the data across different data sources, giving them a better understanding of what happened in the event of a data breach. More importantly, it lets them respond faster and more efficiently to successful attacks, and communicate effectively with the board about the impact and countermeasures.
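The cross-source correlation the paragraph describes can be sketched in a few dozen lines. The Python below is an added illustration written for this page; it is not Palo Alto Networks code and says nothing about how Traps, WildFire, the Logging Service or XDR work internally. The three log formats, the host names, the threat-intel indicators and the time window are all constructed placeholders. It normalizes endpoint, network and cloud records into one schema, tags records that match an intel feed, groups events on the same host within a time window of each match, and produces the four answers the 30-minute benchmark asks for: initial vector, data touched, what stopped it, and an evidence timeline.

```python
"""Added example: correlate constructed endpoint, network and cloud logs into
one incident timeline. All field names, hosts and indicators are placeholders."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed threat-intel feed (placeholder indicators, not real IoCs).
THREAT_INTEL = {
    "sha256": {"PLACEHOLDER_HASH_1"},
    "domain": {"malicious.example"},
}

# Constructed sample records, each in its source's own field names.
ENDPOINT_LOGS = [
    {"time": "2019-02-18T09:01:10", "hostname": "ws-042", "event": "blocked",
     "sha256": "PLACEHOLDER_HASH_1", "process": "winword.exe"},
]
NETWORK_LOGS = [
    {"time": "2019-02-18T09:00:30", "src_host": "ws-042", "verdict": "allowed",
     "dst_domain": "malicious.example", "app": "web-browsing"},
    {"time": "2019-02-18T08:00:00", "src_host": "ws-017", "verdict": "allowed",
     "dst_domain": "intranet.example", "app": "web-browsing"},  # unrelated host
]
CLOUD_LOGS = [
    {"time": "2019-02-18T09:00:50", "user_host": "ws-042", "op": "download",
     "object": "customer-list.xlsx", "bucket": "finance-share"},
    {"time": "2019-02-18T12:00:00", "user_host": "ws-042", "op": "upload",
     "object": "report.docx", "bucket": "finance-share"},  # outside the window
]


@dataclass(frozen=True)
class Event:
    """Common schema every source is mapped onto (frozen so events can live in sets)."""
    ts: datetime
    source: str     # "endpoint", "network" or "cloud"
    host: str
    action: str
    indicator: str  # file hash, destination domain or object name
    detail: str     # process, application or bucket


def normalize(endpoint_logs, network_logs, cloud_logs):
    """Map each source's own field names onto the common Event schema, sorted by time."""
    events = []
    for e in endpoint_logs:
        events.append(Event(datetime.fromisoformat(e["time"]), "endpoint",
                            e["hostname"], e["event"], e["sha256"], e["process"]))
    for n in network_logs:
        events.append(Event(datetime.fromisoformat(n["time"]), "network",
                            n["src_host"], n["verdict"], n["dst_domain"], n["app"]))
    for c in cloud_logs:
        events.append(Event(datetime.fromisoformat(c["time"]), "cloud",
                            c["user_host"], c["op"], c["object"], c["bucket"]))
    return sorted(events, key=lambda ev: ev.ts)


def enrich(events):
    """Return the events whose indicator matches the threat-intel feed."""
    known_bad = THREAT_INTEL["sha256"] | THREAT_INTEL["domain"]
    return [ev for ev in events if ev.indicator in known_bad]


def correlate(events, window=timedelta(minutes=15)):
    """Group, per host, every event that falls within `window` of an intel hit on that host."""
    incidents = {}
    for hit in enrich(events):
        related = {ev for ev in events
                   if ev.host == hit.host and abs(ev.ts - hit.ts) <= window}
        incidents.setdefault(hit.host, set()).update(related)
    return incidents


def summarize(incident):
    """Turn one host's correlated events into the answers the board will ask for."""
    timeline = sorted(incident, key=lambda ev: ev.ts)
    entry = next((ev for ev in timeline if ev.source == "network"), None)
    data = [ev.indicator for ev in timeline
            if ev.source == "cloud" and ev.action == "download"]
    stopped = next((ev for ev in timeline if ev.action == "blocked"), None)
    return {
        "initial_vector": f"{entry.source}: {entry.detail} to {entry.indicator}" if entry else "unknown",
        "data_impacted": data,
        "stopped_by": f"{stopped.source}: {stopped.detail}" if stopped else "not contained",
        "timeline": [(ev.ts.isoformat(), ev.source, ev.action) for ev in timeline],
    }


def run_example():
    """Correlate the constructed logs and summarize the single resulting incident."""
    incidents = correlate(normalize(ENDPOINT_LOGS, NETWORK_LOGS, CLOUD_LOGS))
    return {host: summarize(evs) for host, evs in incidents.items()}


if __name__ == "__main__":
    for host, summary in run_example().items():
        print(host, summary)
```

In this constructed run only ws-042 produces an incident: the browsing event to the intel-listed domain and the blocked document both hit the feed, the cloud download twenty seconds later is pulled into the same window, while the other host and the afternoon upload are left out. The time window and the "first network event is the entry point" heuristic are deliberate simplifications; a real investigation would weigh them against the full evidence set rather than trust them blindly.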