Palo Alto Networks | White Paper

TRAPS ADVANCED ENDPOINT PROTECTION

Technology Overview


Most organizations deploy a number of security products to protect their endpoints, including one or more traditional antivirus solutions. Nevertheless, cyber breaches continue to increase in frequency, variety and sophistication. Faced with the rapidly changing threat landscape, current endpoint security solutions and antivirus can no longer prevent security breaches on the endpoint. Palo Alto Networks® Traps™ advanced endpoint protection replaces traditional antivirus with a unique combination of the most effective, purpose-built, malware and exploit prevention methods that pre-emptively block known and unknown threats from compromising a system.

Multi-Method Prevention

Threat actors rely primarily on two attack vectors to compromise endpoints: malicious executables (malware) and vulnerability exploits. These attack vectors are used individually or in various combinations, but they are fundamentally different in nature:

• Malware is an often self-contained malicious executable that is designed to perform nefarious activities on a system.

• Exploits are weaponized data files or content (such as a Microsoft® Word document) that are designed to leverage software flaws or bugs in legitimate applications to provide an attacker with remote code execution capabilities.

Preventing attackers from compromising endpoints and servers requires an advanced endpoint protection product that prevents both known and unknown variants of each malware and exploit, and also delivers this prevention whether a machine is online or offline, on-premise or off, connected to the organization’s network or not (Figure 1). In fact, effective breach prevention cannot be achieved unless all of these requirements are met simultaneously.

Due to the fundamental differences between malware and exploits, meeting these requirements necessitates an approach that combines multiple threat prevention methods that are optimized to either prevent the execution of malicious programs or prevent vulnerability exploits from subverting legitimate applications.

Traps advanced endpoint protection replaces traditional antivirus with a multi-method prevention approach that combines the most effective, purpose-built, malware and exploit prevention methods to protect endpoint systems from known and unknown threats.

Multi-Method Malware Prevention

Traps prevents malicious executables with a unique, multi-method prevention approach that maximizes the coverage against malware while simultaneously reducing the attack surface and increasing the accuracy of malware detection. This approach blends several layers of protection that, when combined, instantaneously prevent known and unknown malware from infecting a system (Figure 2).

• Static Analysis via Machine Learning: This method delivers an instantaneous verdict on any unknown executable file before it is allowed to run. By examining hundreds of the file’s characteristics in a fraction of a second, this method determines if it is likely to be malicious or benign without reliance on signatures, scanning or behavioral analysis. The threat intelligence available through the WildFire™ cloud-based malware analysis environment is used to train the machine learning model of Traps to autonomously recognize malware, especially variants that have never been seen before, with unmatched effectiveness and accuracy.

• WildFire Inspection and Analysis: This method leverages the power of WildFire to rapidly detect unknown malware and automatically reprogram Traps to prevent known malware. Traps queries WildFire with the “hash” of any executable file before it is allowed to run, in order to assess its standing within the global threat community. If it has been deemed malicious, Traps automatically reprograms itself to prevent the execution of that file from that moment on. If the executable file is unknown, Traps submits it to WildFire for complete inspection and analysis. WildFire, in turn, eliminates the threat of the unknown by transforming it into known in about 300 seconds.

Figure 1: Effective Endpoint Security Must Prevent Both Malware and Exploits. (Figure panels: “Execute Malicious Programs”: must prevent known and unknown malware from infecting endpoints; “Exploit Software Vulnerabilities”: must prevent known and unknown exploits, including zero-day exploits; prevention must hold Online, Offline, On-Prem and Off-Prem.)


• Trusted Publisher Execution Restrictions: This method allows organizations to identify executable files that are among the “unknown good” because they are published and digitally signed by trusted publishers, entities that Palo Alto Networks recognizes as reputable software publishers.

• Policy-Based Execution Restrictions: Organizations can easily define policies to restrict specific execution scenarios, thereby reducing the attack surface of any environment. For example, Traps can prevent the execution of files from the Outlook “temp” directory or prevent the execution of a particular file type directly from a USB drive.

• Admin Override Policies: This method allows organizations to define policies, based on the hash of an executable file, to control what is allowed to run in any environment and what is not. This delivers a fine-grained whitelisting and blacklisting capability that enables administrators to override the verdicts issued by WildFire or static analysis to suit an organization’s needs.

In addition to the malware prevention methods above, Traps quarantines malicious executables to prevent the dissemination of infected files to other users. Although essential in most environments, this capability is particularly useful in preventing the inadvertent dissemination of malware in organizations where network- or cloud-based data storage and SaaS applications automatically sync files across multiple users and systems.
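To make the layering described above concrete, here is an added example (not Traps code, and not the product’s real decision order) that models the five malware prevention methods as one verdict pipeline over constructed sample data: hash-keyed admin overrides and WildFire verdicts, trusted-publisher signer names, the Outlook “temp” and USB execution restrictions, and a stand-in static-analysis score. The order in which the layers are consulted and the handling of a still-unknown file (submit, then allow until a verdict arrives) are this example’s assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed sample policy and intelligence stores (not real Traps/WildFire data).
WILDFIRE_VERDICTS: Dict[str, str] = {}   # sha256 -> "malicious" | "benign"
ADMIN_OVERRIDES: Dict[str, str] = {}     # sha256 -> "allow" | "block"
SUBMITTED: Set[str] = set()              # hashes sent to WildFire, verdict pending
TRUSTED_PUBLISHERS = {"Example Software GmbH"}        # constructed signer names
RESTRICTED_PATH_FRAGMENTS = ("\\content.outlook\\",)  # Outlook "temp" directory
RESTRICTED_REMOVABLE_EXTS = (".exe", ".scr")          # file types blocked from USB


@dataclass
class Executable:
    path: str
    content: bytes
    signer: Optional[str] = None   # publisher of a valid signature, if any
    removable_media: bool = False  # launched directly from a USB drive
    ml_score: float = 0.0          # stand-in for the static-analysis model output

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


def evaluate(exe: Executable, ml_threshold: float = 0.8) -> Tuple[str, str]:
    """Return (verdict, deciding method). The layer order is this example's
    assumption; the first layer with a definite answer decides."""
    h, low = exe.sha256, exe.path.lower()
    if h in ADMIN_OVERRIDES:  # hash whitelist/blacklist beats automated verdicts
        return ADMIN_OVERRIDES[h], "admin-override"
    if any(frag in low for frag in RESTRICTED_PATH_FRAGMENTS):
        return "block", "execution-restriction:outlook-temp"
    if exe.removable_media and low.endswith(RESTRICTED_REMOVABLE_EXTS):
        return "block", "execution-restriction:removable-media"
    known = WILDFIRE_VERDICTS.get(h)  # hash lookup against global intelligence
    if known == "malicious":
        return "block", "wildfire-hash"
    if exe.signer in TRUSTED_PUBLISHERS:  # "unknown good": signed by trusted publisher
        return "allow", "trusted-publisher"
    if known == "benign":
        return "allow", "wildfire-hash"
    if exe.ml_score >= ml_threshold:  # static analysis of a never-seen file
        return "block", "static-analysis"
    # Still unknown: submit for full analysis and let it run for now (assumed
    # default); record_wildfire_verdict() later turns the unknown into known.
    SUBMITTED.add(h)
    return "allow", "unknown-submitted"


def record_wildfire_verdict(sha256: str, verdict: str) -> None:
    """Model the 'reprogramming' step: once WildFire returns a verdict, every
    later execution attempt of that hash is decided by the hash lookup."""
    WILDFIRE_VERDICTS[sha256] = verdict
    SUBMITTED.discard(sha256)
```

Running `evaluate()` on the same unknown file before and after `record_wildfire_verdict()` shows the transition from “unknown, submitted” to “known, blocked” that the WildFire method describes.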

Multi-Method Exploit Prevention

Many targeted attacks begin with an exploit delivered as a data file (such as a Microsoft Office or Adobe® Acrobat® file) through a website, via email, or over the network. When the user opens the file, the malicious code embedded inside leverages a software vulnerability in the application that is used to view the file to subvert the application and executes an arbitrary set of instructions. Because this type of attack is difficult to distinguish from normal application behavior, it bypasses traditional antivirus and most endpoint security solutions. In addition, if the application being exploited is whitelisted, the attack will bypass those controls as well.

Traps uses an entirely new and unique approach to preventing exploits. Instead of focusing on the millions of individual attacks or their underlying software vulnerabilities, Traps focuses on the core exploitation techniques used by all exploit-based attacks. Although there are many thousands of exploits, they all rely on a small set of core exploitation techniques that change infrequently. Furthermore, each exploit must use a series of those exploitation techniques to successfully subvert an application. By blocking the core techniques, Traps effectively prevents the exploitation of application vulnerabilities, whether they are known or unknown. Organizations using Traps can run any application, including those developed in-house and those that no longer receive security support, without the imminent threat to their environment.

Traps implements a multi-method approach to exploit prevention, combining several layers of protection to block exploitation techniques (Figure 3):

• Memory Corruption/Manipulation Prevention: Memory corruption is a category of exploitation techniques where the exploit manipulates the operating system’s normal memory management mechanisms for the application opening the weaponized data file that contains the exploit. The Memory Corruption Prevention method recognizes and stops these exploitation techniques before they have a chance to subvert the application.

Figure 2: Traps Multi-Method Malware Prevention (methods shown: Static Analysis via Machine Learning; WildFire Inspection and Analysis; Trusted Publisher; Execution Restrictions; Admin Override Policies)

Figure 3: Traps Multi-Method Exploit Prevention (methods shown: Memory Corruption Prevention; Logic Flaw Prevention; Malicious Code Execution Prevention)


• Logic Flaw Prevention: Logic flaw is a category of exploitation techniques that allow the exploit to manipulate the operating system’s normal processes that are used to support and execute the target application opening the weaponized data file. For example, the exploit may alter the location where dynamic link libraries (DLLs) are loaded from into an application’s execution environment so that the exploit’s malicious DLLs can replace legitimate ones. The Logic Flaw Prevention method recognizes these exploitation techniques and stops them before they succeed.

• Malicious Code Execution Prevention: In most cases, the end goal of every exploit is to execute some arbitrary code, the attacker’s commands that are embedded in the exploit data file. The Malicious Code Execution Prevention method recognizes the exploitation techniques that allow the attacker’s malicious code to execute and blocks them before they succeed.

Next-Generation Security Platform

With the ever-decreasing cost of computing power, threat actors can launch increasingly numerous and sophisticated attacks with far greater ease than before. Disjointed layers of security and point solutions that rely on obsolete technologies or human response to alerts are no longer sufficient or scalable. Only a platform that consolidates, automates and natively integrates multiple preventive technologies can ensure the prevention of advanced, targeted and evasive attacks.

The native integration of Traps with the Palo Alto Networks Next-Generation Security Platform enables organizations to continuously share the growing threat intelligence gained from thousands of enterprise customers across both networks and endpoints to deliver prevention (Figure 4).

The automatic reprogramming and conversion of threat intelligence into prevention all but eliminates the opportunity for an attacker to use unknown and advanced malware to infect a system. An attacker can use each piece of malware once, at most, anywhere in the world, and only has seconds to carry out an attack before WildFire renders it entirely ineffective.

Technical Architecture

The technical architecture of Traps is optimized for maximum availability, flexibility and scalability. At a high level, the architecture consists of any number of Traps endpoint agents that are managed through a central Endpoint Security Manager (ESM) (Figure 5). The ESM in turn implements a three-tiered architecture that consists of an ESM Console, a central Policy Database, and any number of ESM Communication Servers.

Endpoint Security Manager Console

The ESM Console is the administrative interface for Traps. Running on Internet Information Services (IIS) for Windows, the ESM Console provides access to the central Policy Database of Traps. Organizations can deploy multiple ESM Consoles, each of which can reside on physical or virtual systems.

Figure 4: Palo Alto Networks Next-Generation Security Platform (components shown: Next-Generation Firewall, Threat Intelligence Cloud and Advanced Endpoint Protection, spanning Network, Cloud and Endpoint; labelled Automated, Extensible, Natively Integrated)

Figure 5: Technical Architecture of Traps (Traps Endpoint Security Manager (ESM), consisting of Administration Console, Policy Database and Communication Server, managing the Endpoints)


Policy Database

The Traps Policy Database is the central repository of all information that is necessary to configure, maintain and operate the Traps Advanced Endpoint Protection environment. Examples of the information contained in the Policy Database include: prevention policies and settings, activity and forensic logs, ESM and agent configurations, and WildFire interface configurations.

Endpoint Security Manager Communication Servers

ESM Communication Servers act as proxies between Traps agents and the ESM Policy Database. ESM Communication Servers do not store data and, therefore, can be easily added and removed from the environment as needed to ensure adequate geographic coverage and redundancy. ESM servers can be installed on Windows Servers deployed on physical or virtual machines.

Traps Endpoint Agent

The Traps Endpoint Agent is a lightweight agent that consists of various drivers and services. Following its initial deployment onto the endpoints, system administrators have complete control over all Traps agents in the environment through the ESM Console.

System Requirements and Platform Support

Traps protects unpatched systems and is supported across any platform that runs Microsoft Windows: desktops, servers, industrial control systems (ICS/SCADA), virtual desktop infrastructure (VDI) components, virtual machines (VM), and embedded systems (Figure 6).

Benefits of the Multi-Method Approach

The Multi-Method Prevention approach of Traps delivers breach prevention, in contrast to breach detection and incident response after critical assets have already been compromised. With Traps, organizations:

1. Prevent security breaches and cyberattacks that bypass antivirus solutions. Traps protects endpoints from known and unknown cyberthreats that are delivered through malware and exploits, whether a machine is offline or online, on-premise or off, connected to the organization’s network or not. Whereas traditional antivirus solutions focus on scanning, detecting and identifying known malware, Traps excels at preventing both the known and the unknown from compromising endpoints, including unknown malware and zero-day exploits.

2. Protect and enable end users to conduct their daily activities without fearing cyberthreats. Traps empowers an organization’s users to conduct their daily business activities and use mobile- and cloud-based technologies without fearing unknown cyberthreats, knowing that they are protected from inadvertently running malware or exploits that compromise their systems.

Operating Systems:

• Windows XP (32-bit, SP3 or later)

• Windows Vista (32-bit, 64-bit, SP1 or later; FIPS mode)

• Windows 7 (32-bit, 64-bit, RTM and SP1; FIPS mode; all editions except Home)

• Windows Embedded 7 (Standard and POSReady)

• Windows 8 (32-bit, 64-bit)

• Windows 8.1 (32-bit, 64-bit; FIPS mode)

• Windows Embedded 8.1 Pro

• Windows 10 Pro (32-bit and 64-bit)

• Windows 10 Enterprise LTSB

• Windows Server 2003 (32-bit, SP2 or later)

• Windows Server 2003 R2 (32-bit, SP2 or later)

• Windows Server 2008 (32-bit, 64-bit; FIPS mode)

• Windows Server 2008 R2 (32-bit, 64-bit; FIPS mode)

• Windows Server 2012 (all editions; FIPS mode)

• Windows Server 2012 R2 (all editions; FIPS mode)

Virtual Environments:

• VMware ESX

• Citrix XenServer

• Oracle Virtualbox

• Microsoft Hyper-V

Physical Platforms:

• SCADA

• Windows Tablets

• ATM

• POS

Virtual Desktop Infrastructure:

• VMware Horizon View

• Citrix XenDesktop

Run-Time Footprint:

• 0.1% CPU Load

• 50 MB RAM

• 250 MB Disk Space

Figure 6: Traps System Requirements and Platform Support


4401 Great America Parkway
Santa Clara, CA 95054

Main: +1.408.753.4000
Sales: +1.866.320.4788
Support: +1.866.898.9087

www.paloaltonetworks.com

© 2016 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. traps-technology-overview-wp-072816

3. Automatically convert threat intelligence into prevention. Traps is natively integrated with Palo Alto Networks Next-Generation Security Platform, which includes our Next-Generation Firewall and Threat Intelligence Cloud. This integration means that each component of the platform, including Traps, shares the threats it observes with WildFire and receives threat intelligence in return. It also means that each component automatically converts that intelligence into prevention by reprogramming itself to block threats that are identified anywhere by any other component of the platform.

4. Secure unpatched or unpatchable applications and systems that have reached their end-of-support. Traps Multi-Method Exploit Prevention blocks the core techniques used by all exploits, rendering the techniques ineffective. This effectively prevents the exploitation of application vulnerabilities, whether they are known or unknown, whether vendor security patches have been issued or not, and whether those patches have been applied or not. Traps can protect any application, including those developed in-house, as well as applications and systems that have reached their end-of-support (such as Internet Explorer®, Windows XP and Windows Server® 2003).

5. Eliminate manual breach analysis and the need for timely identification of critical alerts to stop an attack. The multi-method prevention of Traps delivers breach prevention, in contrast to breach detection and incident response. The security alerts that Traps generates signify the termination of an attack. IT and security staff no longer need to actively sift through security alerts to determine which may warrant an active investigation. With Traps, alert investigation is only necessary when extra resources are available and your organization wants to study potential security breaches that have been prevented.

Conclusion

To learn more about Traps, attend an Ultimate Test Drive event and experience its prevention capabilities firsthand. Alternatively, contact your sales representative to schedule an in-house evaluation for your organization.