Always Innovating: Advanced Threat Prevention and Software Firewalls

Aug 22, 2023

Following our strong Fiscal Year 2023 financial results, we bring you the August 2023 edition of Always Innovating in Network Security. In this edition, we share our latest innovations in Advanced Threat Prevention (ATP) and Software Firewalls. One of the ATP innovations released this month is the ability to prevent unknown Command and Control (C2) propagated by the Empire framework. The ATP reports are getting richer and will have MITRE mappings, and we have added Australia to our growing list of ATP regional clouds, ensuring customers get the fastest security updates no matter where they are in the world.

We also launched Cloud NGFW for Azure, and added new Panorama managed features to Cloud NGFW for AWS. On VM-Series for GCP, we now support Load Balancer enabled High Availability Active/Passive Support.

1. Advanced Threat Prevention Empire C2 Detection

Building upon our PAN-OS 10.2 Nebula innovations preventing Cobalt Strike Command and Control (C2), we are excited to announce the expansion of our prevention capability to Empire C2 (supported in PAN-OS 11.0.2+) — a formidable Command and Control framework that ranks among the most popular on GitHub. It is similar to Cobalt Strike in that it can create malleable profiles which are good at hiding from signature-based defenses. With new inline deep learning models, Advanced Threat Prevention is able to prevent unknown C2 propagated specifically by the Empire tool. Combined with our signature based detections, this capability further strengthens our ability to stop zero-day and highly evasive attacks. Check out our quick demo (6 mins) below to learn more about how Advanced Threat Prevention stops evasive command and control network traffic from Empire.


2. Advanced Threat Prevention Report Enhancements

Attack Evidence

Understanding the reasoning behind an AI-generated malicious verdict is often challenging. Unlike signatures that hinge on exact matches, machine learning evaluates numerous data points, resulting in a more intricate process that doesn't align with the straightforward nature of signature-based defenses. This is why we are introducing human readable detection explanations to add a layer of transparency and insight into attacks, empowering practitioners to grasp the meaning behind verdicts with simplicity. Currently, this feature is available in the Advanced Threat Prevention Report for Empire C2 detections.

Here is an example of an Empire detection happening in the early stage of an attack.

Here is an example of an Empire detection happening during the later stages of an attack, when a compromised system is being controlled.

MITRE Mappings

Embrace the cutting-edge power of threat analysis with the Advanced Threat Prevention Report. When Advanced Threat Prevention analyzes threats, this report provides detailed information about detection, attack transactions, sessions and related processes. Now, the report includes MITRE ATT&CK® classified techniques used.

Within the report, the Detection Service Results section is the star of the show, breaking down threat activities and techniques. With the new addition of MITRE ATT&CK® classified techniques, you'll gain insight into how attackers try to breach your systems. This knowledge enables you to strengthen your defenses and stop potential threats before they get worse. Learn more about the Advanced Threat Prevention report on Palo Alto Networks Tech Docs.

3. Advanced Threat Prevention Australia Regional Cloud

At Palo Alto Networks, we are deeply committed to providing cutting-edge security solutions to customers worldwide. We are thrilled to announce the launch of our Advanced Threat Prevention Regional Cloud in Australia, expanding our local cloud infrastructure to nine regions. This launch reflects our unwavering dedication to helping organizations like yours achieve the highest level of security while adhering to data residency requirements. Palo Alto Networks simplifies compliance and certification with local cloud security infrastructures in more than 76 countries worldwide. Check out our products, regions and their certifications on our website.

4. Cloud NGFW for Azure GA Announcement

On August 1, 2023 we announced that Cloud NGFW for Azure is now generally available (GA), and expanding into seven more Azure regions to safeguard applications and workloads around the globe. As a generally available service, customers can now depend on Cloud NGFW for Azure to provide best-in-class security, backed by an uptime service-level agreement (SLA) of 99.99%.

Cloud NGFW for Azure is now available in a total of 12 regions, with more regions coming soon. Customers securing their applications with Cloud NGFW for Azure will benefit from the ease of use of an Azure-native, ISV-managed service, the ability to extend security from on-prem to Azure with Panorama, and, of course, Palo Alto Networks best-in-class security powered by AI and ML. To get your free, 30-day trial, simply go to the Azure Marketplace listing. To see how pricing works, check out this easy, interactive pricing estimator. For more information visit our TechDocs and watch the demo video.

5. Additional Panorama Managed Features introduced for Cloud NGFW for AWS

Last month, we unveiled the integration of Cloud NGFW for AWS with Panorama. We are now excited to introduce two Panorama Managed features for Cloud NGFW for AWS:

a. Tag Based Policies

With Tag Based Policies you can:
1. Utilize the Cloud NGFW console to seamlessly integrate your AWS accounts and extract tags from the associated AWS resources.
2. Leverage the power of the Panorama plugin to conduct periodic tag queries from your Cloud NGFW tenant.
3. Seamlessly incorporate retrieved tags into Panorama device groups, enabling efficient management of Dynamic Address Group objects and rules.

b. WildFire

Offered as an additional security service, WildFire combines machine learning, dynamic and static analysis and a custom-built analysis environment to discover even the most sophisticated threats across multiple stages and attack vectors.

To see how to add Panorama to Cloud NGFW for AWS, refer to this documentation. For a video demo on setting up the Cloud NGFW for AWS integration with Panorama, click here. You can also estimate costs quickly with our interactive pricing estimator. Or simply get started with your free, 30-day trial at AWS Marketplace and see how you can extend security from on-prem to AWS quickly and easily. To keep up with the latest, check out What’s New in Cloud NGFW for AWS.

6. Google Cloud (GCP) Load Balancer enabled High Availability Active/Passive Support for VM-Series

We have released our High Availability (HA) Active-Passive integration of VM-Series with GCP’s load balancer. Using the load balancer’s built-in failover mechanism, VM-Series can fail over from the active instance to the passive instance within seconds, guaranteeing resilience. To learn more, check out the documentation here.

Following on from June 2023 (Phishing Detection, DNS and Industrial OT) and July 2023 (User Experience, Threat Coverage and Management), this month’s Always Innovating in Network Security covered our latest innovations in Advanced Threat Prevention (ATP) and Software Firewalls (Cloud NGFW for Azure, Cloud NGFW for AWS and VM-Series for GCP). Achieve your best protection and features by staying abreast of all of our latest innovations through this monthly series - and make sure you check out our next edition coming out in September.
