Move from Detection to Prevention with WildFire


Security teams have recently gained powerful new tools in their fight against modern malware and advanced threats: solutions can now expose unknown malware that was previously invisible to traditional security products. This is great progress, but seeing a threat is only half the solution if you aren't able to do something about it.

This is where Palo Alto Networks WildFire solves problems that others, such as FireEye, simply document. The table below compares some of the key differences between Palo Alto Networks WildFire and FireEye MPS and introduces the capabilities that enable WildFire to prevent advanced threats rather than only detect them.



*FireEye offers in-line deployment options, but lacks the performance and reliability that enterprise networks require for in-line deployment.

Additional Information

Requirement: Blocks Malware Variants
WildFire: YES. Enforcement is based on unique identifiers in the malware payload, so variants are blocked even as the filename, URL, and even the hash change. For example, in the month of October, 11,267 WildFire signatures blocked more than 25,304 distinct hash values.
FireEye MPS: NO. Simple changes to the filename and URL allow malware to pass through to the target.

Requirement: Scales to Support Large Volumes of Malware
WildFire: YES. Virtualized malware analysis requires that each suspicious file be analyzed in its own separate virtual environment. As more unknown files hit your network, more virtual machines are required, which consumes a great deal of computing resources. WildFire removes this challenge by performing malware analysis in the cloud, where elastic computing resources scale as needed with no impact on your environment.
FireEye MPS: NO. FireEye requires you to buy and deploy local hardware for on-site analysis. This is not only very expensive, it creates a fixed cap on the amount of analysis. Under real-world network loads FireEye is easily limited to analyzing only a handful of files per hour, and any files beyond that amount pass through without analysis. The result is an approach that requires a massive hardware investment from you, and an architecture that an attacker can easily overwhelm.

Requirement: True In-Line Enforcement
WildFire: YES. Designed for high-speed, in-line threat prevention, Palo Alto Networks sits in the direct path of communication, ensuring that malicious content can be dropped, which is the only truly reliable method for controlling malware and malware traffic.
FireEye MPS: NO*. While FireEye offers in-line options, throughput and high-availability limitations restrict FireEye to tap or SPAN deployments. This limits FireEye enforcement to TCP resets, which are susceptible to race conditions and, in the case of malware command-and-control traffic, can simply be ignored by the malicious endpoints.

Requirement: Stream-Based Malware Engine
WildFire: YES. Palo Alto Networks' stream-based malware engine means that malware is blocked based on its true payload, and at speeds of up to 10 Gbps.
FireEye MPS: NO. FireEye has no stream-based malware engine, so enforcement is limited to file header information (filename, URI), and the hash value of malware can only be recognized once the file has been fully downloaded.

Requirement: Automatically Updated Sandbox Logic
WildFire: YES. WildFire analyzes malware in a virtualized, cloud-based environment that is constantly managed and maintained by Palo Alto Networks researchers and engineers. As new malware behaviors or anti-analysis techniques are observed, our engineers update the WildFire logic accordingly with no impact on you.
FireEye MPS: NO. FireEye also performs virtualized malware analysis, but the entire virtual environment and analysis logic (including gigabytes of content) must be replicated at each of your sites. To obtain new malware analysis functionality, you must upgrade the FireEye product in your network. Malware techniques evolve constantly, and you cannot afford to be constantly upgrading your infrastructure.

Requirement: Reliably Blocks Traffic from Malware Already in the Network
WildFire: YES. Palo Alto Networks includes a variety of mechanisms to find and block command-and-control traffic from malware, including true IPS signatures, DNS-based malware signatures, and URLs.
FireEye MPS: NO*. FireEye attempts to control command-and-control by blocking traffic based on URL. Malware easily evades these controls by using many URLs and rotating between them.

Requirement: SSL Decryption
WildFire: YES. Whenever possible, attackers hide their malware and malware communications within SSL-encrypted sessions. Palo Alto Networks includes on-box SSL decryption that can be applied selectively based on policy. The solution can also identify and block other encrypted tunnels that malware may use to hide.
FireEye MPS: NO. FireEye lacks any on-box SSL decryption and so cannot analyze the content of those sessions unless you buy yet another box dedicated to SSL decryption. Without the ability to look into encrypted traffic, FireEye will miss malware within applications like Dropbox or Gmail, which use SSL by default.

Requirement: Single Solution for All Applications
WildFire: YES. WildFire analyzes web, email, SMB, and FTP traffic for unknown malware with a single integrated solution.
FireEye MPS: NO. FireEye requires separate solutions for email, web, and file servers.

Requirement: Blocks Threats on Non-Standard Ports
WildFire: YES. Unlike traditional exploits, malware often communicates and downloads additional payloads over non-standard ports. As with all Palo Alto Networks analysis, WildFire uses App-ID to perform all analysis and enforcement in full protocol and application context regardless of the port used.
FireEye MPS: NO. FireEye fails to block threats over non-standard ports. Even in cases where the analysis succeeds, the enforcement fails.

Requirement: Fully Integrated IPS and Anti-Malware Functionality
WildFire: YES. Modern malware is part of the modern attack lifecycle, not a replacement for it. Palo Alto Networks performs all of its own research, and all IPS and anti-malware technology is developed in house. This not only provides true enforcement against threats, it also avoids the added time to enforcement that comes from relying on 3rd-party partners.
FireEye MPS: NO. FireEye lacks both a true IPS engine and a true anti-malware engine for enforcement, and therefore must rely heavily on URLs for blocking. These are architectural issues that are not easily overcome, and partnering with 3rd-party vendors could easily introduce significant delays in protection, as FireEye data would need to be converted into 3rd-party signatures.

Requirement: 10 Gbps of Enforcement
WildFire: YES. Palo Alto Networks provides up to 20 Gbps of throughput and up to 10 Gbps of fully loaded threat prevention, including IPS, anti-malware, URL filtering, and file control. This ensures that security teams can both analyze and enforce on all network traffic.
FireEye MPS: NO. FireEye's largest appliance is limited to 1 Gbps, and actual analysis capacity is significantly lower. This means customers are often required to analyze and enforce on only a subset of their network traffic. This is a fundamentally dangerous approach, as it forces security teams to make assumptions about which traffic advanced threats will use to infect and to communicate.