WildFire automatically protects your networks from new and customized malware across a wide range of applications, including malware hidden within SSL-encrypted traffic. WildFire easily extends the threat prevention capabilities of the next-generation firewall to tackle some of the most challenging threats in the world today, and does so with full visibility and enforcement at up to 10Gbps.
The modern threat landscape has fundamentally evolved, and cyber-security teams face threats on a daily basis that rely on stealth, persistence and the skilled avoidance of traditional security measures. Such a fundamental shift in one’s adversary demands more than an incremental response, and modern security teams are re-evaluating some of their most basic security assumptions concerning how they look at network traffic, how threats are identified, and ultimately how they are blocked. Palo Alto Networks® prepares cyber-security teams for this challenge by offering a new approach based on simple but powerful concepts:
• All network traffic must be fully inspected.
• Any unknowns must be actively and conclusively investigated at scale.
• Threats need to be blocked, not just detected.
These core principles are the foundation of the Palo Alto Networks WildFire solution, in which full visibility, scalable analysis, and automated protection all work together to secure the network and its data. Only the next-generation firewall provides full-stack analysis and enforcement of all network traffic regardless of evasion and encryption, ensuring that hidden or anomalous threats are exposed. WildFire then proactively runs any unknown files in a safe, scalable sandbox environment where malware is conclusively identified and new protections are automatically developed. The result is a closed-loop approach to controlling cyber threats based on next-generation visibility, cloud-based malware sandboxing, and reliable in-line blocking of threats.
WildFire Overview
At its core, WildFire detects and blocks targeted, polymorphic, or otherwise unknown malware. To do so, WildFire marries the visibility and control of the next-generation firewall with a cloud-based environment where malware is safely analyzed at scale. By proactively executing unknown files in a virtual environment, WildFire uncovers malware based on its real behavior, ensuring malware is detected even if it gets past traditional signatures.
This style of sandbox analysis is computationally intense by nature, and as a result, WildFire is designed on a cloud-based architecture that ensures seamless scalability. The WildFire public cloud enables any Palo Alto Networks customer to perform true malware sandboxing of unknown files without the need for any additional hardware. However, a hardware-enabled private cloud option is available to extend the WildFire architecture to customers who cannot use public cloud resources due to regulatory or privacy requirements.
WildFire™
PALO ALTO NETWORKS: WildFire Datasheet
• Proactively executes suspicious files in a safe environment to identify malware based on more than 100 malicious behaviors.
• Combines the visibility of the next-generation firewall with cloud-based analysis to ensure accurate, safe and scalable malware analysis.
• True in-line blocking of malware-infected files and command-and-control traffic at the firewall.
When a threat is detected, WildFire automatically feeds information and protections back to WildFire subscribers. Within minutes, subscribers receive firewall logs with a verdict of the analysis including event context. More importantly, WildFire generates true malware protections for the newly discovered malware, and shares those protections with all WildFire subscribers world-wide within 30 to 60 minutes of the initial detection. These protections not only stop rapidly spreading malware, but also track unique identifiers in the malware body to proactively find and block malware variants. Additionally, WildFire analysis is used to update DNS-based malware signatures, update URL categories on the fly and to generate new command-and-control signatures, all of which can be used to identify and disrupt the all-important malware command-and-control traffic.
How WildFire Works
Visibility Into All Traffic
Advanced persistent threats (APTs) thrive on their ability to hide from security solutions. This is true not just of new malware, but of all traffic used in the attack. As a result, the quality of a cyber-security solution is only as good as its ability to look into all traffic, and this is precisely why the next-generation firewall is a prerequisite for controlling these advanced attacks. As with all Palo Alto Networks analysis, WildFire benefits from the full-stack analysis of all traffic, across all ports, and the ability to tightly control a variety of methods that attackers use to hide.
• Abandoning Port-Based Assumptions: For all of the advancements in IT security, virtually all security products fall back on outdated assumptions based on port. Traffic is allowed or blocked based on port, signatures are applied based on port, and additional decoders and analysis are applied based on the port. Palo Alto Networks forgoes these assumptions and performs a full-stack identification and decode of all traffic across all ports. This context is constantly monitored and updated to reflect any changes in the application or protocol. This process remains fundamentally unique in network security and ensures attackers can't hide by routing traffic in non-standard ways or tunneling within other approved traffic.
• Visibility Into SSL Encrypted Traffic: As more applications move to the web, SSL has become an increasingly common fact of life. And while SSL provides improved session security, it also has the effect of potentially creating an opaque vector where threats can flow without the prying eyes of security. Palo Alto Networks offers on-box SSL decryption that can be selectively applied based on policy. Decrypt only the traffic that interests you, and set policies to ensure traffic is never decrypted to sensitive sites such as healthcare or banking sites.
• Visibility Into Unknown Traffic: By positively classifying all traffic, Palo Alto Networks can further reveal the presence of any unknown or custom traffic. Such custom traffic is strongly correlated with malware and advanced threats, and simple next-generation firewall policies allow you to see this traffic and automatically enforce policy on it.
Figure: WildFire provides a logical combination of next-generation firewall hardware and scalable cloud-based malware analysis. (Diagram labels: data passes through file transfer decoders and a single-pass pattern match against the pattern DB, then report and enforce policy; unknown files go to the WildFire Cloud, which observes and detects 100+ malicious behaviors to identify malware and is available as a public or private cloud; observed malware activity includes command and control, download of additional malware and exfiltration of sensitive data; results add to the threat signature research database.)
Conclusive Behavior-Based Analysis
When an unknown file is seen by the firewall, the file is transferred to the WildFire virtualized environment, where it is executed and all behaviors and communications are observed. WildFire monitors for more than 100 malicious behaviors to identify the true nature of malicious files based on their actions, including:
• Changes Made to the Host: WildFire observes all process and hooking behaviors, changes made to registries, auto-run modifications, changes to security settings and any files that are created or modified. All changes are documented in WildFire reports.
• Malicious Traffic and Hacking: WildFire looks for suspicious or malicious network behaviors such as establishing backdoors, downloading additional executables, visiting dynamic DNS domains, scanning for vulnerabilities and much more.
• Security Avoidance Behaviors: WildFire also constantly looks for malware techniques used to avoid analysis, such as attempting to avoid executing while being monitored, injecting into running or trusted processes and disabling host-based security features.
Using the Power of Cloud-Computing for Malware Analysis
Virtualized malware analysis requires massive amounts of computing resources, because the solution must provide a fully independent virtual environment to analyze every unknown or suspicious file. This means that computing requirements can swing wildly depending on the amount and type of traffic hitting the network. This has the potential to require a great deal of hardware for analysis, and even worse to create bottlenecks that limit the analysis of malware. To solve this problem, WildFire leverages a cloud-based architecture that allows computing resources to scale elastically based on need.
• Shared Protections: In addition to improved scalability, the WildFire cloud ensures that users can benefit from the analysis of all other WildFire users. Malware identified in one location generates protections that apply to all users worldwide. This applies not only to malware samples, but also to dangerous URLs and DNS queries from malware as well.
• Public Cloud: By default, WildFire leverages a public cloud environment managed directly by Palo Alto Networks. All files are securely transferred between the firewall and WildFire over encrypted connections, signed on both sides by Palo Alto Networks. Any files that are found to be benign are destroyed, while malware files are saved for further analysis.
• Private Cloud: For customers who do not use cloud-based solutions due to regulatory or privacy concerns, Palo Alto Networks offers a private cloud option for WildFire. This private cloud is enabled by the WF-500 WildFire Appliance, and allows customers to run a fully functioning version of the WildFire environment that remains within the customer's network.
Automated Prevention
Once a file is determined to be malicious, WildFire automatically develops protections for the new threat and generates integrated and correlated logs for security staff. Within minutes of submitting a file to WildFire, subscribers receive an integrated log with the verdict of the malware analysis, which is correlated with any other relevant logs in the Palo Alto Networks user interface. Additionally, all WildFire users can receive notifications via email based on policy.
The WildFire public cloud also develops a range of protections for all newly discovered malware (customers using a private cloud deployment have the option to submit confirmed malware to the public cloud in order to generate protections). WildFire automatically develops, tests and delivers new malware signatures within 30 to 60 minutes to all WildFire subscribers, worldwide. In addition to malware signatures, WildFire data is used to update DNS-based signatures, URL categories and command-and-control signatures as well.
• Malware Signatures: These signatures are based on unique identifiers in the malware payload that allow a single WildFire signature to block multiple polymorphic variants. These signatures are delivered to WildFire subscribers within 30 to 60 minutes of the initial submission of the file.
• DNS Signatures: WildFire records all DNS queries and maintains a database and signature list of DNS requests that are unique to botnets and malware operations.
• Command-and-Control Signatures: Palo Alto Networks researchers maintain full coverage for all command-and-control traffic observed in WildFire. These signatures provide a key method for identifying and controlling any malware infections already in the network.
• URL Categories: WildFire monitors any URLs and domains that malware communicates with. WildFire then provides updates on any newly discovered malicious domains to PAN-DB, Palo Alto Networks' internally developed URL filtering database.
Malware Forensics and Event Analysis
Integrated Logging and Reporting
WildFire subscribers receive integrated WildFire logs on their firewalls, enabling teams to correlate WildFire events with other important events observed by the firewall. This ensures that staff can quickly and seamlessly tie applications, URLs, files, known threats and unknown threats into a coordinated approach to threat prevention. Additionally, Palo Alto Networks provides pre-built reports for WildFire events to provide ongoing documentation of emerging threats.
WildFire Portal
When dealing with new and emerging threats, it's important that security teams be able to quickly and easily investigate malware in order to correlate an infection with other security events, or simply to aid in the cleanup in the case of an infection.
The WildFire Portal provides detailed analysis and forensics for every file analyzed by WildFire. Staff can track the overall rates of malware detected, and can drill down into detailed analysis on any given file. Staff can easily see the verdict of a file, the application, IP address and/or URL that delivered the file, as well as the user that was targeted.
The analysis then provides granular details of the malware including all observed malicious behaviors, a list of any and all domains the malware visited, registry keys added or modified, as well as any files created or modified. This analysis provides the context to know exactly how the malware attempted to enter the network, how it tries to communicate back out of the network and the actions it performed on the target host. This information can provide teams with details to establish host-based indicators for infected machines, as well as providing the real-world data needed to adapt security policies to changing attack strategies. This data also helps security teams to teach and train network users by showing the names, locations and applications that have been used against them in phishing or social engineering attempts.
Figure: Integrated WildFire Logs
Maintaining the Privacy of Your Files
As with any use of the cloud, an enterprise must ensure that the cloud is used safely and without exposing enterprise data. WildFire is no exception, and provides customers with full control over what data is shared with WildFire and the additional protection of multiple layers of professionally managed security to ensure data is never exposed. Palo Alto Networks also offers the WF-500 appliance for customers who prefer to deploy WildFire as a private cloud.
Whether deployed as a private or public cloud, security teams always retain full control over exactly which files should be sent to the WildFire cloud. Teams may want to analyze all unknown files or simply those files coming from the Internet or other untrusted zones. In addition to control over which files are sent for analysis, policies can be set to control what relevant session information should be included with the sample for analysis. Session information refers to the context of the network session responsible for delivering the unknown file, such as the application, target user, port number, source IP address, user and hostname, as well as the attacking IP or URL. This data is often particularly useful for correlation purposes if a file is found to be malicious, but is not required for WildFire to determine the status of the file.
When a file is sent for analysis, the firewall establishes a secure connection between the local firewall and the Palo Alto Networks WildFire cloud or local WF-500 appliance. This connection is secured on both ends by client certificates signed by Palo Alto Networks, so each endpoint authenticates the other; this protects the sample in transit and prevents man-in-the-middle interception of the submission. Once delivered to the WildFire cloud, the file is protected behind multiple layers of professionally managed security. Files are only allowed inbound to the WildFire cloud to ensure that benign files never leave the WildFire environment. Following analysis, benign files are destroyed and only the hash value is retained in order to prevent future re-analysis.
Figure: Analysis From the WildFire Portal
3300 Olcott Street Santa Clara, CA 95054
Main: +1.408.573.4000 Sales: +1.866.320.4788 Support: +1.866.898.9087
www.paloaltonetworks.com
Copyright ©2013, Palo Alto Networks, Inc. All rights reserved. Palo Alto Networks, the Palo Alto Networks Logo, PAN-OS, App-ID and Panorama are trademarks of Palo Alto Networks, Inc. All specifications are subject to change without notice. Palo Alto Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Palo Alto Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. PAN_DS_WF_051313
WildFire Requirements:
PAN-OS version 5.0 or higher.
Licensing Information:
Basic WildFire functionality is available to all Palo Alto Networks customers at no charge. These users can automatically submit suspicious files to WildFire, and protections are delivered with regular threat prevention content updates (a Threat Prevention license is required). An additional WildFire license provides WildFire signatures every 30 minutes for all new malware detected anywhere in the world, integrated logging/reporting, and access to the WildFire API for programmatic submission of up to 100 samples per day and up to 1,000 report queries by file hash per day.
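Two points above matter to anyone scripting against WildFire rather than letting the firewall forward files: the privacy section states that only a hash is retained for analyzed files so they are never re-analyzed, and the licensing note caps the API at 100 sample submissions and 1,000 hash queries per day. The pipeline below is an added example, not Palo Alto Networks code and not part of this datasheet: it gates every sample hash-first (local verdict cache, then a cloud hash query, and only then an upload), uploads each unknown hash once, and refuses to exceed the daily quotas. The public-cloud host, the `/publicapi/get/verdict` and `/publicapi/submit/file` paths, the `apikey`/`hash` form fields and the numeric verdict codes are assumptions modelled on the documented WildFire API, and the cloud is replaced by a constructed in-memory table so the script runs offline.

```python
import hashlib
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set

# Assumed (not stated on the datasheet): public-cloud host, endpoint paths and
# form-field names, modelled on the documented WildFire REST API.
WILDFIRE_HOST = "https://wildfire.paloaltonetworks.com"
VERDICT_PATH = "/publicapi/get/verdict"
SUBMIT_PATH = "/publicapi/submit/file"

# Assumed verdict codes from that API: 0 benign, 1 malware, 2 grayware;
# negative codes mean pending, unknown or error, i.e. "no verdict yet".
VERDICT_NAMES = {0: "benign", 1: "malware", 2: "grayware"}


class QuotaExceeded(RuntimeError):
    """The day's allowance for this API operation has been used up."""


def sha256_hex(data: bytes) -> str:
    """Hash the sample the same way WildFire keys its retained verdicts."""
    return hashlib.sha256(data).hexdigest()


def parse_verdict(xml_text: str) -> Optional[str]:
    """Return benign/malware/grayware, or None when the cloud has no verdict."""
    node = ET.fromstring(xml_text).find(".//verdict")
    if node is None or node.text is None:
        return None
    return VERDICT_NAMES.get(int(node.text.strip()))


def http_verdict_lookup(api_key: str, digest: str) -> Optional[str]:
    """Live hash query against the assumed endpoint; never called offline."""
    body = urllib.parse.urlencode({"apikey": api_key, "hash": digest}).encode()
    with urllib.request.urlopen(WILDFIRE_HOST + VERDICT_PATH, body, timeout=30) as resp:
        return parse_verdict(resp.read().decode())


@dataclass
class SubmissionPipeline:
    """Hash-first gate: local cache -> cloud hash query -> file upload.

    Only content with no verdict anywhere leaves the network, and each
    unknown hash is uploaded once; later copies wait on the same job.
    """
    lookup: Callable[[str], Optional[str]]   # digest -> verdict or None
    upload: Callable[[str, bytes], str]       # (filename, content) -> job id
    daily_queries: int = 1000                  # licensing note: hash queries/day
    daily_submissions: int = 100               # licensing note: samples/day
    verdicts: Dict[str, str] = field(default_factory=dict)  # retained hashes
    pending: Set[str] = field(default_factory=set)          # uploaded, no verdict
    queries_today: int = 0
    submissions_today: int = 0

    def process(self, filename: str, content: bytes) -> str:
        digest = sha256_hex(content)
        if digest in self.verdicts:                 # known: no re-analysis
            return self.verdicts[digest]
        if digest in self.pending:                  # already in the sandbox queue
            return "pending"
        if self.queries_today >= self.daily_queries:
            raise QuotaExceeded("hash query quota exhausted")
        self.queries_today += 1
        verdict = self.lookup(digest)
        if verdict is not None:                     # another subscriber's analysis
            self.verdicts[digest] = verdict
            return verdict
        if self.submissions_today >= self.daily_submissions:
            raise QuotaExceeded("sample submission quota exhausted")
        self.submissions_today += 1
        self.upload(filename, content)              # the only point content leaves
        self.pending.add(digest)
        return "pending"


# Constructed offline stand-ins for the cloud: one hash already known as
# malware, and an uploader that just hands back a job id.
KNOWN_MALWARE = b"MZ\x90\x00 constructed sample, not real malware"
CLOUD_VERDICTS = {sha256_hex(KNOWN_MALWARE): "malware"}


def offline_pipeline() -> SubmissionPipeline:
    return SubmissionPipeline(lookup=CLOUD_VERDICTS.get,
                              upload=lambda name, data: "job-0001")


if __name__ == "__main__":
    p = offline_pipeline()
    print(p.process("dropper.exe", KNOWN_MALWARE))           # malware, no upload
    print(p.process("new.exe", b"MZ constructed unknown"))   # pending, uploaded
    print(p.process("copy.exe", b"MZ constructed unknown"))  # pending, not re-sent
    print(p.submissions_today, p.queries_today)              # 1 2
```

To go live, pass `functools.partial(http_verdict_lookup, api_key)` as `lookup` and an uploader that multipart-posts the sample to `SUBMIT_PATH`; the quota counters should then be persisted and reset per UTC day rather than kept in memory, and the `pending` set drained by polling the hash until a verdict arrives.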
WF-500
The WF-500 is an optional hardware appliance to support customers who choose to deploy WildFire as a private cloud. The WF-500 is not required, as WildFire deployments will use the Palo Alto Networks secure public cloud by default.
PROCESSOR
• Dual 6-Core Intel Processor with Hyper-Threading
MEMORY
• 128 GB RAM
SYSTEM DISK
• 120 GB SSD
STORAGE
• 2 TB RAID1: 4 x 1 TB RAID-certified HDD for 2 TB of RAID storage
I/O
• 4 x 10/100/1000, DB9 console serial port, USB
RACK MOUNTABLE
• 2U
POWER SUPPLY
• Dual 920 W power supplies in hot-swap, redundant configuration
MAXIMUM POWER CONSUMPTION
• 510 Watts
MAXIMUM BTU/HR
• 1740
INPUT VOLTAGE
• 100-240 VAC
MAXIMUM CURRENT CONSUMPTION
• 11 Amps @ 100 VAC
OPERATING TEMPERATURE
• 32 to 95 F, 0 to 35 C
NON-OPERATING TEMPERATURE
• -4 to 158 F, -20 to 70 C
SAFETY
• UL/CSA, CB
EMI
• FCC Class A, VCCI Class A, CE Class A