Today’s complex threat landscape, combined with the diversity and volume of traffic in the modern customer environment, make accurate and effective threat prevention very challenging. This problem is compounded when considering the challenge of detecting new, never-before-seen (also known as “zero-day”) malware and exploits. A global, cloud-based, community-driven approach to threat analysis is key to achieving the best possible threat intelligence and prevention in order to effectively defend against a community of attackers who, themselves, share information, attack methods and techniques. However, many organizations around the globe are limited in how they can share data with a global threat analysis cloud due to concerns around data privacy.
This is the challenge we’re solving today, and for starters, here are five basic questions that you should ask before sending your data to be analyzed in the cloud.
1. Is this the right threat analysis cloud for you?
A global threat analysis cloud has several advantages over regional clouds and on-premise solutions, not only in terms of cost and deployment, but also in terms of the speed with which the cloud can be adapted to emerging threats and trends. However, not all threat analysis clouds are created equal. The use of a global cloud for threat analysis should provide you with a comprehensive view of your organization’s security posture. You should look for solutions that have the capability of correlating threat information across different attack vectors, analyzing the samples both using machine learning, static and dynamic analysis techniques with a high catch-rate and automatically creating a holistic set of new preventions accounting for the full scope of the attack.
And don't just stop there. In addition to identifying unknown malicious content, you should strive to have a cloud-based threat analysis solution with a bidirectional integration with all of the security technologies present in your environment. This will provide you with a unique capability to proactively populate newly created prevention across all of your enforcement points for a tightly coordinated prevention across the attack lifecycle.
Last but not least, the global threat analysis cloud should also leverage community-driven threat data to properly stop threats from spreading. Threat prevention is a big numbers game—the more you know the more you can prevent and protect. You should always look for solutions that have a rich and diverse threat intelligence ecosystem.
2. How granular is your control over your data?
You want to have control over the conditions under which content is sent to the cloud for analysis, including users, applications, source, destination, and other match conditions that are available to you based on your security posture rule base. Some examples will be your ability to determine which file types should be submitted to the cloud for analysis and the physical, regional location of the cloud to be used. Commonly, samples sent for analysis can be bundled with the network session data for the session carrying the file, including useful context around the incident, such as the hosts involved, the URL, email headers, and the application that enabled the download. This data can provide very useful information when determining the context around an infection and the attack vectors used. Configuration of session data should be done in accordance with local laws and regulations.
3. Where is your data going?
Many organizations around the globe, and specifically in Europe, are not sharing data with a global threat analysis cloud due to concerns around data privacy. You should prefer solutions that provide you with an option to choose the location where your data will be analyzed and stored, as part of the global cloud infrastructure. If you are in a heavily regulated industry, look for solutions that have the option to augment the global cloud with an on-premise appliance for local analysis of sensitive content. This hybrid solution should have the same granular control over the type of data submitted as the one you have in your cloud, as well as the ability to generate and populate protections. In an ideal scenario, you will be able to easily apply it to your security profiles across the organization. One last point, make sure that your data remains encrypted using industry-standard encryption methods while in transit and at rest.
4. How long is your data stored in the cloud?
When asking this question, you should expect to hear that submitted samples found to be either benign or grayware will be retained for a short time for further analysis, after which they are permanently deleted from the cloud. You should verify that your data is stored in an encrypted form and only decrypted as necessary for processing or review. Samples that are identified as malware are usually retained indefinitely for research and quality control purposes.
5. Who has access to your data?
There are two answers to this question. First, the cloud provider research team that is responsible for auditing and reviewing customer support cases involving potentially incorrect results produced by the analysis of a “false positive” or “false negative” will have access to your files. This access is not frequent.
Second, we strongly believe in the value of sharing threat intelligence information with the security industry for the global good of the customer community. However, timely sharing of emergent threat intelligence among industry partners should always be balanced with customer privacy. You will want to verify that the solution does not share data between customers or with other parties in a way that identifies who submitted the sample to the analysis cloud. In order to help protect against possible attribution to specific customers or individuals’ data, look for clouds and organizations who share “analysis data” and not files. Analysis data may be tools that are learned during static and dynamic analysis of a sample, such as command-and-control domains, URLs, or IP addresses, second-stage malware downloaded and installed by a “dropper,” analysis of activities or behaviors performed by the malware sample under analysis, and threat signatures for the malware file or traffic generated by the file.
To address data location preferences and deliver on the benefits of threat data shared globally, we are today introducing the WildFire regional EU cloud. This regional cloud ensures customer data will never leave EU borders while offering access to protections generated by the largest threat analysis tool in the world, used by more than 10,000 organizations, threat researchers and technology partners, as part of Palo Alto Networks Next-Generation Security Platform. This global protection capability is key to preventing cyber breaches at all stages of the attack lifecycle.
Additionally, security teams across Europe and around the globe can accelerate threat hunting, analytics and response efforts, with globally correlated threat intelligence from the entire WildFire community made directly accessible through the AutoFocus service.
Give it a try – run a Security Lifecycle Review risk assessment today and understand what’s really happening on your networks.