Palo Alto Networks and Coordinated Enforcement for Malware

Jun 10, 2022

Information sharing for defense is as old as the carrier pigeon. In cybersecurity, coordinated enforcement between products has increasingly become part of the defensive backbone that blocks attacks. Today’s attacks still rely on repeated methods and tools. Coordinated enforcement means that an attack identified in one place is propagated not just to other products, but to other customers as well.

Let’s use malware as an example. Although the target is often an endpoint, the firewall and other security controls can also act as gatekeepers. Firewalls and cloud protection tools should benefit from the critical knowledge gained from endpoint attacks, and vice versa. Effective security calls for coordinated enforcement – communication between the endpoint, network and cloud. In other words, this is a variation on defense in depth: a firewall can stop malware that is headed for an endpoint before it gets there. Another way to think about it is to turn all endpoints, firewalls and cloud controls into a global network of sensors and enforcement points.

How Does Coordinated Enforcement Work?

Establishing a Single Source of Truth

Today, any time an unknown file is seen by any Palo Alto Networks product, it is sent to WildFire. WildFire checks, analyzes and catalogs the file, creating a signature that is propagated to every other Palo Alto Networks product and customer. In addition, Cortex XDR detects malicious behavior and does not need a signature or hash to reference; its behavioral threat protection identifies bad behavior directly. When it does detect something, however, the file is sent to WildFire, where a signature is created and distributed in real time. WildFire thus becomes the single source of truth for malware attacks.

Real-Time Defensive Propagation

Once a single source of malware truth is established, all products in the Palo Alto Networks family are updated, including the other preventative services:

  • NGFW (VM, CN, PA)
    • Advanced Threat Prevention (IPS) receives content updates daily.
    • Advanced URL Filtering (web and phishing) receives content updates immediately for any malicious URLs found.
    • WildFire receives prevention content updates in real time.
  • Prisma Cloud
    • Prisma Access receives prevention content updates in real time.
    • Cortex XDR is updated with verdicts and WildFire reports for review.
    • The Cortex XSOAR threat intelligence module is updated, and details are mapped to incidents.

Incorporating Attack Surface Intelligence

While gearing up for attacks is essential, knowing the attack surface better and faster than the attacker is critical. To do this, Cortex Xpanse provides a full inventory of an organization’s global internet-facing assets and misconfigurations to continuously identify security issues on an external attack surface, flag risky communications, evaluate supplier risk or assess the security of acquired companies. Most importantly, you can focus on specific assets prioritized by vulnerability.

How to Do It Without Palo Alto Networks?

Intelligence sharing across multiple standalone security products can also be achieved with a non-platform, multi-vendor model, though it does require planning and setup. Typically the easiest approach is to use a security orchestration, automation and response (SOAR) or threat intelligence management (TIM) solution that manages and transfers data between the other security products via APIs or manual integrations. How would you do coordinated enforcement?

  • Create a Threat Map: Identify your threat surface and different parts of the enterprise that are exposed to potential threats. Consider your supply chain, as well.
  • Perform a Security Technology Gap Analysis: Identify which security products cover each aspect of your threat surface and what is included in that coverage (e.g. for a secure web gateway, do they support web and non-web traffic? Which sandbox do they use?).
  • Identify Where “True Up” Is Needed: The analysis should expose the parts of your threat surface that lack key coverage; escalate alert priority for these weak points if needed. Other parts will have different security technologies in use for the same threat type (one sandbox solution for the network, another for hybrid workers). These are the technologies you want to coordinate so that they prevent the same threats.
  • Collect APIs and Program I/O: This step is less analysis and more planning and programming. Use the reference material, admin guides and SDKs from your security vendors to build an integration between the products, collecting intel from one to check against another where an API is available. Sometimes exporting or orchestrating data transfers to a common source (a SIEM, SOAR, TIM or XDR solution) and then automating searches is the easier approach and needs less maintenance.
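As an added illustration of the “common source, then automate” approach in the last step (example code written for this article, not a Palo Alto Networks product API): a minimal verdict store that merges sandbox and endpoint verdicts into one authoritative record per indicator, refuses to let a stale or weaker verdict downgrade a confirmed one, and exports the result in the shape each enforcement point consumes. Every product name, field name and indicator in it is a constructed placeholder.

```python
from dataclasses import dataclass
import re

SEVERITY = {"benign": 0, "grayware": 1, "malicious": 2}
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


@dataclass(frozen=True)
class Verdict:
    kind: str       # "sha256" | "url" | "domain"
    indicator: str  # value of that kind
    verdict: str    # "benign" | "grayware" | "malicious"
    source: str     # product that produced it, e.g. "sandbox", "edr" (hypothetical names)
    seen_at: str    # ISO-8601 UTC timestamp, so string order is time order


class VerdictStore:
    def __init__(self):
        self.records = {}  # (kind, indicator) -> Verdict: one authoritative verdict each

    def ingest(self, v: Verdict) -> bool:
        """Merge a verdict; return True when the stored verdict changed."""
        ind = v.indicator.lower() if v.kind in ("sha256", "domain") else v.indicator
        if v.kind == "sha256" and not SHA256_RE.match(ind):
            raise ValueError(f"not a sha256: {v.indicator!r}")
        old = self.records.get((v.kind, ind))
        # Rank by (severity, recency): a more severe verdict always wins and ties go
        # to the newer sighting, so a stale "benign" can never downgrade "malicious".
        if old and (SEVERITY[v.verdict], v.seen_at) <= (SEVERITY[old.verdict], old.seen_at):
            return False
        self.records[(v.kind, ind)] = Verdict(v.kind, ind, v.verdict, v.source, v.seen_at)
        return True

    def propagate(self) -> dict:
        """Fan the single source of truth out in the shape each enforcement point consumes."""
        bad = [r for r in self.records.values() if r.verdict == "malicious"]
        return {
            "endpoint_hash_blocklist": sorted(r.indicator for r in bad if r.kind == "sha256"),
            "firewall_url_edl": sorted(r.indicator for r in bad if r.kind in ("url", "domain")),
        }


def demo() -> VerdictStore:
    """Constructed sample verdicts (not real indicators): an EDR flags a file, the sandbox confirms it."""
    h = "deadbeef" * 8  # constructed 64-hex placeholder, not a real hash
    store = VerdictStore()
    store.ingest(Verdict("sha256", h, "grayware", "edr", "2022-06-10T09:00:00Z"))
    store.ingest(Verdict("sha256", h, "malicious", "sandbox", "2022-06-10T09:05:00Z"))
    store.ingest(Verdict("sha256", h, "benign", "legacy-av", "2022-06-10T08:00:00Z"))  # stale, ignored
    store.ingest(Verdict("url", "http://example.invalid/payload.exe", "malicious", "url-filter", "2022-06-10T09:06:00Z"))
    return store
```

The two exported lists are what a SOAR playbook would push to the endpoint agent and to the firewall's external block list respectively; the store itself is the "common source" that each product is checked against.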

Lessons for Security

A fragmented approach requires security teams to configure information exchanges by hand, and any gap in those exchanges creates a blind spot. Rather than operate in a silo, endpoint protection must share what it sees to help prevent attacks that can traverse the network and the cloud. And vice versa.

Automating this sharing of intelligence is crucial on two levels. First, manual updates between products do not scale, and your staff can be more productive elsewhere. Second, automation reduces the security gaps that arise when the same type of protection is delivered by different technology vendors.

Diving deeper, firewalls offer in-depth prevention capabilities against threats discoverable within network data. However, that visibility and enforcement is limited by the location and configuration of firewalls within a network. Threats that circumvent firewall enforcement can be prevented by endpoint security products, but their effectiveness varies because many of them run in isolation and cannot quickly share valuable intelligence across the security stack. To win against today’s sophisticated attacks, you need a prevention-first approach with seamless coordination, communication and enforcement that spans the endpoint, network and cloud.

Coordinated analysis and response – spanning the endpoint, cloud and network – strengthens the overall security posture, freeing up teams to tackle other priorities. It can take days or months until an infection is discovered. The longer an attack takes to identify, the more severe its impact, and the worse for organizations with already overburdened IT staff. Endpoint security products need to automatically halt threats, stopping their spread without any additional user or IT action.

Take a threat seen anywhere, consolidate it globally and provide protection within seconds for IoT, critical infrastructure, cloud, endpoint and network.
