Threat Prevention Ds

Download as pdf or txt
Download as pdf or txt
You are on page 1of 5

Business Benefits Threat Prevention

• Eliminate cost and management


for standalone IPS. Leverage Snort Traditional Intrusion Prevention Has
and other powerful IPS capabilities,
integrated with our NGFW for a single
Failed to Evolve
security policy rule base.
Organizations face a barrage of attacks from threat actors
• Gain visibility into attacks, assured
driven by various motives, including profit, ideology/
your organization is protected.
Inspect all traffic for threats, hacktivism, or even organizational discontent. Today’s
regardless of port, protocol, or attackers are well-funded and well-equipped. They use
encryption.
evasive tactics to gain footholds in target networks and
• Reduce resources needed to manage
vulnerabilities and patches. launch advanced attacks at high volume. Their methods
Automatically block known malware, are highly targeted, leveraging sophisticated playbooks
vulnerability exploits, and C2.
to breach an organization, move laterally, and extract
• Take advantage of full threat
detection and enforcement valuable data, all while remaining invisible to traditional
of prevention controls without independent defenses.
sacrificing performance.

Palo Alto Networks | Threat Prevention | Datasheet 1


To make matters worse, traditional intrusion prevention or predefined ports. By leveraging User-ID™ and App-ID™ tech-
­detection systems (IPS/IDS) still use the same defensive strate- nology on our ML-Powered NGFWs to add context to all traf-
gies they did before the threat landscape evolved. Traffic is only fic on all ports, the Threat Prevention engine never loses sight
inspected on certain ports, and while adding single-function of a threat, regardless of evasion techniques.
devices to the defensive stack may alleviate certain problems, More and more enterprise traffic is being obscured by TLS/
it results in poor performance and a lack of overall visibility. SSL encryption, and adversaries are exploiting the resulting
Furthermore, the basics are often left uncovered, putting the lack of visibility to launch attacks and introduce more risk
onus on security teams who are not properly resourced to iden- to your business. Our ML-Powered NGFWs offer native de-
tify or patch vulnerabilities to confidently avoid data breaches. cryption, and Threat Prevention offers the ability, via policy,
According to a 2019 Ponemon survey, 67% of respondents feel to selectively decrypt and inspect TLS/SSL traffic to strike an
they have insufficient time and resources to mitigate all vul- appropriate balance between security and performance.2
nerabilities to avoid breaches.1
Eliminate Threats at Every Phase
Comprehensive Exploit, Malware, and Command
Countless breaches over the years can be attributed to ­attackers
and Control Protection for Your Network
bypassing single-purpose defensive tools. To e ­ nsure holistic
Palo Alto Networks Threat Prevention service protects your net- protection, the Threat Prevention s­ ubscription, with its tight
work by providing multiple layers of prevention, confronting integration with our ML-Powered NGFWs, brings together
threats at each phase of an attack. In addition to traditional IPS multiple defensive mechanisms:
capabilities, Threat Prevention has the unique ability to detect
• Heuristic-based analysis detects anomalous packet and
and block threats on any and all ports instead of invoking signa-
traffic patterns, such as port scans, host sweeps, and
tures based on a limited set of predefined ports.
­denial-of-service (DoS) attacks.
Our worldwide community of customers shares collective
• Easy-to-configure, custom vulnerability signatures allow
global threat intelligence, significantly reducing the success
you to tailor intrusion prevention capabilities to your net-
rate of advanced attacks by stopping them shortly after they
work’s unique needs, even importing rules from popular
are first encountered. Threat Prevention benefits from our
open source formats such as Snort and Suricata®.
other cloud-delivered security subscriptions for daily up-
dates that stop exploits, malware, malicious URLs, command • Other attack protection capabilities, such as blocking
and control (C2), spyware, etc. A necessity for every Palo Alto invalid or malformed packets, IP defragmentation, and
­Networks NGFW, Threat Prevention can speed prevention of TCP reassembly, protect against evasion and obfuscation
new unknown threats to near-real time when paired with oth- techniques.
er Palo Alto Networks subscriptions, including WildFire® mal- Palo Alto Networks employs natively integrated defensive
ware prevention service for unknown file-based threats, URL technologies to ensure that, when a threat evades one tech-
Filtering for web-borne attacks, DNS Security for attacks ­using nology, another catches it. The key to effective protection is
the Domain Name Service, and IoT Security for unmanaged to use security features that are purpose-built to share infor-
­device visibility and context. mation and provide context around both the traffic they’re
inspecting and the threats they’re identifying and blocking.

Key Capabilities Scan for All Threats in a Single Pass


Enable the Application, Prevent the Threat The Threat Prevention engine represents an industry first
by inspecting and classifying traffic as well as detecting and
Applications are integral to how companies do business.
blocking both malware and vulnerability exploits in a single
Because of that, they’ve been made more readily available
pass. Traditional threat prevention technologies require two
to users by entering networks using encrypted channels
or more scanning engines and multiple rule bases that need to
through nonstandard ports (often to bypass stateful inspec-
be managed separately, adding significant latency and man-
tion firewalls) and port-hopping to guarantee users always
agement overhead while dramatically slowing throughput
have access.
­performance. We use a uniform signature format for all threats
Unfortunately, advanced threats take advantage of this to ensure rapid processing by performing all analysis in a sin-
behavior to get free rides into networks, undetected. They
­ gle, integrated scan, eliminating redundant processes com-
­tunnel within applications, hide in encrypted traffic, and prey mon to traditional solutions.
on unsuspecting targets to get a foothold within a network and
Our Threat Prevention technology combs each pack-
execute malicious activity.
et as it passes through the platform, looking closely at byte
We protect your network against these threats by providing ­sequences within both the packet header and payload. From
multiple layers of prevention, confronting threats at each this ­analysis, we’re able to identify important details about a
phase of the attack. In addition to traditional IPS capabilities, packet, including the application used, its source and desti-
Threat Prevention can detect and block threats on any and all nation, whether the protocol is RFC-compliant, and wheth-
ports instead of invoking signatures based on a limited set of er the payload contains an exploit or malicious code. Beyond

1. “Gaps in Resources, Risk and Visibility Weaken Cybersecurity Posture,” Ponemon Institute, February 2019,
https://www.balbix.com/app/uploads/Ponemon-Survey-Vuln-Management-.pdf.
2. To view throughput with Threat Prevention enabled for a specific Palo Alto Networks firewall, see the product summary specsheet.

Threat Prevention | Datasheet 2


techniques, and bare metal analysis to detect and pre- Drive-by-Download Protection
vent even the most evasive threats. Once identified, Threat Unsuspecting users can inadvertently download malware
­Prevention applies verdicts in real time to all ML-Powered merely by visiting a favorite website—even a site’s owners
NGFW form factors, instantly stopping threat proliferation may not know it’s been compromised. Our Threat Prevention
across your enterprise. technology identifies potentially dangerous downloads and
sends a warning to the user to ensure that the download is
Protect Against Command and Control intended and approved. Within Threat Prevention, detection
There’s no silver bullet when it comes to preventing all threats of such “phishing kit” landing pages as well as detection of
from entering the network. After initial infection, attackers web shell files (which aim to enable remote administration
will communicate with the host machine through a C2 chan- of web servers to target other internal systems) are packaged
nel, using it to pull down additional malware, issue further and delivered as spyware signatures. You can extend these ca-
instructions, and steal data. Our C2 protections home in on pabilities and prevent attacks from new and rapidly changing
those unauthorized communication channels and cut them domains by tying this feature to URL Filtering and file block-
off by blocking outbound requests to malicious domains and ing policies.
from known C2 toolkits installed on infected devices.
Mitigate Threats Easily and Accurately
Palo Alto Networks goes beyond standard automation of C2
signatures based on URLs and domains. We automatically DNS Sinkhole
generate and deliver researcher-grade C2 signatures based on In a typical deployment where the firewall is north of the local
malicious traffic seen by WildFire at machine speed and scale. DNS server, the threat log will identify the local DNS resolver
These signatures are payload-based and can detect C2 traf- as the source of the traffic rather than the actual infected host.
fic even when the C2 host is unknown or changes rapidly. You The end result is that the firewall cannot see the infected cli-
can extend overall C2 protection even further with the DNS ent’s DNS query (the originator of the DNS query). The DNS
­Security subscription, which can defeat adversary attempts to sinkholing feature within Threat Prevention solves this visi-
hide C2 channels using DNS tunneling tactics. bility problem, preventing exfiltration and accurately identi-
fying the victim client. You can configure the sinkhole so that
Reduce the Attack Surface any outbound request to a malicious domain or IP address is
Working seamlessly with the built-in, prevention-focused instead redirected to one of your network’s internal IP ad-
features of the ML-Powered NGFW, Threat Prevention and the dresses. This effectively blocks C2 communication, prevent-
added capabilities from Palo Alto Networks cloud-­delivered ing those requests from ever leaving the network.
security subscriptions enable you to significantly reduce your
organization’s attack surface and associated business risk. Automated Correlation Objects
This section provides some examples of the complementary Our Threat Prevention technology and logs feed into the au-
technologies. tomated correlation engine, a powerful addition to the alert-
ing capabilities of Palo Alto Networks firewalls and Panorama.
SSL Decryption The engine correlates a series of related threat events (e.g.,
The vast majority of enterprise network traffic is encrypted, from Threat Prevention logs) that, when combined, indicate
which leaves a gaping hole in network defenses if it’s not de- a likely attack on your network. It pinpoints areas of risk,
crypted and scanned for threats. Our platform’s built-in SSL such as compromised hosts on the network, allowing you to
Decryption service can selectively decrypt inbound and out- focus on a short list of actionable alerts, assess the risk, and
bound SSL traffic. After decryption, all traffic is fully inspect- take action to prevent exploitation of network resources. The
ed and—if confirmed to be safe—re-encrypted before being correlation objects leverage threat research from Unit 42 as
allowed through to its destination. well as unknown threat analysis from WildFire and User-ID
to correlate traffic anomalies and indicators of compromise
File Blocking (IOCs), ensuring you can quickly and accurately identify in-
Executable files constitute a massive share of the malicious fected devices on your network.
files used in spear phishing attacks, and employee negligence
is considered a major security risk, since many may not know The Power of Palo Alto Networks
Security Subscriptions
what’s safe and what isn’t. Reduce the likelihood of a mal-
ware infection by preventing dangerous file types known to
hide malware, such as executable files, from entering your Today, cyberattacks have increased in volume and sophisti-
network. File blocking functionality can be combined with cation, using advanced techniques to bypass network ­security
User-ID to block unnecessary files based on users’ job roles, devices and tools. This challenges organizations to protect
making sure all users have access to the files they need and their networks without increasing workloads for security
providing you with a granular way to reduce your exposure teams or hindering business productivity. Seamlessly inte-
based on your organization’s requirements. You can further grated with the industry’s first ML-Powered NGFW plat-
decrease the number of attack opportunities by sending all form, our cloud-delivered security subscriptions coordinate
allowed files to WildFire for analysis to determine if they con- intelligence and provide protections across all attack vectors,
tain zero-day malware. providing best-in-class functionality while eliminating the
coverage gaps disparate network security tools create. Take
advantage of market-leading capabilities with the c ­ onsistent

Threat Prevention | Datasheet 4


experience of a platform, and secure your organization • DNS Security: Disrupt attacks that use DNS for C2 and data
against even the most advanced and evasive threats. Benefit theft without requiring any changes to your infrastructure.
from Threat Prevention or any of our security subscriptions: • IoT Security: Protect internet-of-things (IoT) and OT
• WildFire®: Ensure files are safe by automatically detecting ­devices across your organization with the industry’s first
and preventing unknown malware, often within seconds, turnkey IoT security solution.
with the industry leading cloud-based analysis. • GlobalProtect™ network security for endpoints: Extend
• URL Filtering: Enable the safe use of the internet by pre- ML-Powered NGFW capabilities to your remote users to pro-
venting access to known and new malicious websites before vide consistent security everywhere in your environment.
users can visit them.
Table 1: Threat Prevention Throughput on the PA-Series
Model Threat Prev. Throughput
Operational Benefits PA-220 320 Mbps
The Threat Prevention subscription enables you to:
PA-820 900 Mbps
• Gain comprehensive security for all data, ­applications,
and users. Scan all traffic, with full context around PA-850 1.2 Gbps
­applications and users. PA-3220 2.8 Gbps
• Automate security with less manual work. Get auto-
PA-3250 3.4 Gbps
matic updates for new threats.
• Deploy Snort signatures. Automatically convert, san- PA-3260 5 Gbps
itize, upload, and manage Snort and Suricata rules PA-5220 10 Gbps
to detect emerging threats and take advantage of
­intelligence. PA-5250 24 Gbps
• Keep your network secure with granular, ­policy-based PA-5260 36 Gbps
controls. Go beyond simply blocking malicious content
to controlling specific file types, reducing the risk to PA-5280 36 Gbps
your entire organization. PA-7050 258 Gbps
• Lock down C2 risk. Automatically generate C2 s
­ ignatures
PA-7080 430 Gbps
at machine scale and speed.
Note: Refer to the respective product summary specsheets for the most up-to-date
information.

Table 2: Privacy and Licensing Summary


Privacy with Threat Prevention Subscription

Palo Alto Networks has strict privacy and security controls in place to prevent unauthorized access to
Trust and Privacy sensitive or personally identifiable information. We apply industry-standard best practices for security and
confidentiality. You can find further information in our privacy datasheets.

Licensing and Requirements

To use the Threat Prevention subscription, you will need Palo Alto Networks Next-Generation Firewalls
Requirements
­running PAN-OS.

Palo Alto Networks Next-Generation Firewalls deployed in any location, as both internal and external
Recommended
sources may introduce network-based threats involving exploits, malware, spyware, C2, URLs, and more
Environment
into your network.

Threat Prevention requires a standalone license, delivered as an integrated, cloud-based subscription


Threat Prevention
for Palo Alto Networks Next-Generation Firewalls. It is also available as part of the Palo Alto Networks
­License
Subscription ELA, VM-Series ELA, or Prisma Access.

3000 Tannery Way © 2020 Palo Alto Networks, Inc. Palo Alto Networks is a registered t­ rademark
Santa Clara, CA 95054 of Palo Alto Networks. A list of our trademarks can be found at https://www.
paloaltonetworks.com/company/trademarks.html. All other marks mentioned
Main: +1.408.753.4000 herein may be trademarks of their respective companies. threat-­prevention-
Sales: +1.866.320.4788 ds-110420
Support: +1.866.898.9087

www.paloaltonetworks.com

You might also like