WildFire: Protection from Targeted and Unknown Malware
Problem: Modern malware has evolved from simple self-replicating viruses into highly evasive and adaptable network applications that let attackers launch increasingly sophisticated and targeted attacks. This new breed of malware is at the heart of many of today's most sophisticated intrusions, giving attackers a foothold inside the enterprise from which they can dig deeper into the network, control their attack and steal information. As malware has become more powerful, it has also become more targeted and customized for a particular network, which helps it evade traditional signature-based anti-malware solutions. This shift puts IT security teams at a disadvantage, because the malware that poses the greatest risk to the enterprise is also the hardest to detect.
Solution: To meet this challenge, Palo Alto Networks has developed WildFire, which identifies malicious behavior in executable files by running them in a virtual environment and observing what they do. This lets Palo Alto Networks identify malware quickly and accurately, even when the particular sample has never been seen in the wild before.
Integration of firewall and the cloud.
WildFire combines a customer's on-premises firewalls with Palo Alto Networks' cloud-based analysis engine to deliver an ideal blend of protection and performance. The inline firewall captures unknown files and performs inline enforcement while maintaining high network throughput and low latency. Analysis of the unknown files is offloaded to a secure cloud-based engine, which identifies unknown malware and then delivers protections to all locations.
WildFire virtualized sandbox.
When a Palo Alto Networks firewall encounters an unknown file, the file can be submitted to the hosted WildFire virtualized sandbox, either manually or automatically based on policy. The sandbox provides virtual targets for the suspected malware, in which Palo Alto Networks can directly observe more than 70 malicious behaviors that reveal the presence of malware.
Automated signature generator.
When a sample is identified as malware, the sample is then passed on to the signature generator, which automatically writes a signature for the sample and tests it for accuracy. Signatures are then delivered to all Palo Alto Networks customers as part of the daily malware signature updates.
Deep visibility and analysis.
Beyond protecting against modern malware, WildFire gives users a wealth of information about each detected sample in reports available on the WildFire Portal. These reports show all of the malware's observed behaviors, the user that was targeted, the application that delivered the malware, and every URL involved in delivering the malware or in its phone-home traffic.