I'm Kate Taylor. Today we're going to be talking about WildFire and Palo Alto Networks' approach to advanced detection and prevention. WildFire is just one layer in Palo Alto Networks' multilayered approach to the advanced threat problem. Before content is even scanned by WildFire, it first has to go through our security policy. That means it has to come in on an allowed application by an allowed user. It has to be an allowed file type, for example, and it can't contain any known exploits or malware. I like to break our approach down into three basic steps.

Let's start with attack surface reduction. Let's say you've got our platform here, and you've got all this potentially malicious traffic trying to get into the network. We can enact a positive security model that will deflect a lot of this potentially malicious traffic. Before content is scanned by WildFire, it has to go through a number of the security features on our platform, and those consist of a few main technologies. We've got App-ID, and this goes to allowing visibility into all applications and limiting what applications have access to the network based on their enterprise and business need. We then have User-ID, which lets us map IP address to user and limit each user's access to applications based on what Active Directory group they're part of, or any number of other components based on who that user is and what they should have access to. And then we have Content-ID, which consists of a number of different technologies beneath it. The first of these is a URL policy, which allows us to reduce the attack surface by permitting access to known good URLs and disallowing access to known bad URLs through the use of our malware category. We also have file blocking, and this allows us to limit the file types that are allowed into the network. For example, Java has a reputation for being pretty risky, and it's actually recommended that across the board you just disable Java on all web browsers.

But doing that on the endpoint and the mobile device is pretty difficult to manage. So instead you can disable those things at the network level. With Java, you can disable JAR and class files from even entering the network. There are certain situations where you'll need Java to run with specific applications; maybe that applies to you, but if not, you can block them completely, or just carve out those certain situations where it is actually legitimate and needs to run on the network and block the rest. We also have IPS and anti-command-and-control. This allows us to block known exploits and outbound command-and-control or callback channels, and then we also have a stream-based antivirus engine which allows us to block known malware. All of this is done in a stream-based fashion, which lets us have as little impact on throughput as possible because it's done on a packet-by-packet basis. You're really able to lock down the attack surface and reduce your risk.

Let's say content gets through, an attack gets through and hits an endpoint, this device right here. Let's say it comes in over email, an email that has a PDF attachment, over SSL because it's with an application like Gmail. What happens is this is sent to WildFire. WildFire sees this PDF and analyzes it. Once it's determined whether it's malicious or not, if it's determined malicious, it generates protections and sends those protections back up to the firewall, so that if this PDF or a version of this PDF hits another host within the network, it'll automatically be blocked by these technologies we just talked about. Let's say that this compromised host starts exhibiting some suspicious behavior stemming from the infection. Let's say that it starts making DNS queries to start initiating command-and-control activity. The protections generated by WildFire will block these so that they never actually make it to these servers out here. If your sandbox tells you about a malware event after the fact, it's better than having no visibility at all. But we like to emphasize attack surface reduction and prevention over pure detection, and we know it's not enough to have standalone point solutions, even if they're best in class. The only way to truly be able to detect and prevent advanced attacks is by doing that at multiple stages in the attack lifecycle, from the network level all the way down to the endpoint, and that's where Traps advanced endpoint protection technology comes into play.

Traps prevents known and unknown malware and exploits from executing on the endpoint by focusing on a limited set of core techniques common to all exploits and malware. If this user is the unfortunate victim of a targeted attack, let's say a spear phishing or watering hole campaign, and inadvertently downloads unknown malware that uses a zero-day exploit on an allowed application, Traps injects itself into the application's process, recognizes a specific exploit technique and terminates the process. Despite the many thousands of exploits, all of them use a small set of core techniques that must be used in sequence for the attack to be successful, so every technique must pan out. By blocking just one technique in the sequence, Traps can prevent the entire exploit from taking place. No damage done. The information seen by Traps is integrated with the threat intelligence shared by the rest of the platform through WildFire. Traps sends a hash of the executable malware used in the attack to WildFire. WildFire checks to see if it's seen that hash before. If it has seen that file, it sends the verdict back up to Traps, and if it hasn't, it analyzes it very thoroughly and then generates the protections that are then delivered back to the platform. This completes the cycle of closed-loop detection and prevention that's central to our approach in overcoming advanced threats. For more videos like these, visit www.paloaltonetworks.com or visit our YouTube channel.