White Paper

Security Platform for Financial Services

Thousands of banks, institutional investors, asset managers, broker-dealers and other financial institutions across the globe prevent successful cyberattacks with our Next-Generation Security Platform.

Palo Alto Networks is uniquely qualified to protect financial transactions and customer data and support regulatory compliance by providing advanced prevention capabilities in one security platform, while complementing other technologies.

Cybercriminals increasingly target financial institutions while, at the same time, their security and network teams are challenged to:

  • Support new technology innovations, such as mobile deposits, multi-channel customer service, social media engagements, and broader IT trends like the virtualization of the data center, cloud computing, and internet as a wide area network (WAN)
  • Enable safe access to customer financial data from a myriad of entry points, including retail bank branches, partner facilities, client desktops, mobile devices and
  • Ensure compliance with FINRA, SEC, OCC, EBA, MAS and other regulations over financial transactions and sensitive customer

With Palo Alto Networks®, you can deploy a comprehensive cybersecurity strategy throughout the organization, regardless of access point location, usage profile, type of traffic, and more. Our Next-Generation Security Platform protects complex IT environments for financial services institutions by providing:

  • Full visibility and granular control over applications, users and content on your network.
  • Ability to apply role-based access to any asset on your
  • Detect and prevent known and unknown threats on the network, endpoint, data center and in the
  • Effectively segment network zones based on asset sensitivity, access profiles and information exchanged to reduce risk and simplify compliance.
  • Eliminate unauthorized traffic and applications that consume valuable bandwidth (e.g., Netflix).
  • Provide safe customer access to the internet with isolated guest Wi-Fi at your front office
  • Complement your installed base of enterprise security products (e.g., secure email gateway, web proxy, SIEM).

A Foundation for Better Security

An effective security architecture requires consistent security rules from the edge of your network to the core of your data center.

Palo Alto Networks Next-Generation Security Platform is a set of natively integrated components that largely automate the prevention of cyberattacks.

Figure 1: Palo Alto Networks Next-Generation Security Platform

There are three types of components in the platform. The network component is the Next-Generation Firewall that inspects all traffic and detects and safely enables applications and users. It blocks known threats and sends any unknown file or URL for inspection by WildFire™ cloud-based threat analysis service, either in the cloud or on-premise.

The endpoint component is Traps™ advanced endpoint protection and is a lightweight agent installed on endpoints. With a light footprint, it inspects files and processes on the endpoint for both known and unknown exploits and malware. It is highly effective at protecting Windows® systems that are difficult to patch, like ATMs.

The Threat Intelligence Cloud gathers potential threats from the Next-Generation Firewall and endpoints, analyzes and correlates threat intelligence, and distributes the threat intel back to the Next-Generation Firewall and endpoints for enforcement.

Together, the security platform components provide financial institutions with layered defenses to prevent cyberattacks throughout the attack lifecycle. The most common use cases for financial institutions include:

Read on for more details about the most common use cases for financial institutions.

Use Case 1: Prevent Cyberattacks at the Network Perimeter

To gain control over what’s on your network at all times, deploy the Palo Alto Networks Next-Generation Firewall at the edge. A core differentiator of our security platform is the ability to automatically detect over 2,200 applications, including FIX and Bloomberg traffic, and integrate with enterprise directories to identify users. User identification at the firewall makes it a lot easier to track down the location of malware-infected PCs. Moreover, our ability to block the exfiltration of corporate login credentials will minimize the effectiveness of phishing attempts and subsequent account takeover attacks.
The native IPS, anti-malware, anti-exploit and URL filtering capabilities in the Next-Generation Firewall prevent sophisticated cyberattacks targeted at financial institutions, such as APTs and advanced malware used in recent attacks like Carbanak, Dridex, Bartallex, Locky, H1N1 and Nymaim.

Figure 2: The Next-Generation Firewall safely enables applications, users and content


Use Case 2: Network Segmentation

Financial institutions may leverage network segmentation as a highly effective strategy to:

  • Limit the exposure from a compromised workstation or server endpoint by restricting lateral movement.
  • Increase the difficulty for attackers to exfiltrate data from financial networks.
  • Reduce the scope of PCI DSS compliance.
  • Help meet FFIEC guidelines related to cybersecurity.
  • Implement true Zero Trust segmentation - a cross-industry best practice.

With Palo Alto Networks, financial institutions can achieve these benefits by isolating common types of devices into zones and allowing traffic between the zones based on approved applications or user directory groups. See Figure 3 for an example of some recommended zones for network segmentation in a financial services institution.

Figure 3: Example zones for segmentation in banking

Use Case 3: Support Regulatory Compliance

Financial institutions manage sensitive data that is protected under regulations that differ by country. In the U.S., the FFIEC outlines the cybersecurity guidelines for institutions subject to governance by the FDIC, NCUA, OCC and CFPB. Our Next-Generation Security Platform supports numerous examination guidelines for financial institutions.

  1. Threat intelligence: A threat analysis system automatically correlates threat data to specific risks and then takes risk-based automation actions while alerting management.
  2. Threat and vulnerability detection: Advanced threat prevention features maintain the integrity of customer and transaction data by preventing malware and
  3. Preventative controls: Network environments and virtual instances are designed and configured to restrict and monitor traffic between trusted and untrusted
  4. Access and data management: Production and non-production environments are Tools are implemented to prevent unauthorized access to and exfiltration of confidential data.

Use Case 4: Zero Trust

Financial institutions may isolate the devices that process or store consumer banking information into a specific zone. The Next-Generation Firewall identifies applications (App-ID™ application identification technology) and users (User-ID™ user identification technology), which makes it easier to create traffic rules between zones that are easy to understand and manage, compared to legacy IP address/port rules.

For example, the rules listed above could be used to control traffic flow between a corporate endpoint zone, retail branch zone and consumer server zone.

Then, when you put these rules into action, the corporate user in a campus location can’t access the consumer banking server zone, but the retail branch user can.

Figure 4: Defining connectivity between a corporate endpoint zone, retail bank branch zone and the consumer banking server zone

This gives you an idea of the granular rules you can define to isolate certain zones within your financial institution network and ensure that only specific users or applications can pass through the zone boundary.


Use Case 5: Protect Cloud Computing Initiatives

Financial institutions are looking to cloud computing (both private and public) in support of competitive advantages and cost optimization. The agility, flexibility, and scalability of cloud computing cannot be ignored, but appropriate cybersecurity measures are required.

Palo Alto Networks virtualized next-generation security appliance, VM-Series, enables financial institutions to protect their private and public cloud infrastructure using application-centric security policies to safeguard applications and data. A rich set of APIs can be used to integrate with external orchestration and management tools, collecting information related to workload changes, which can then be used to dynamically drive policy updates in real time.

Prisma™ SaaS extends the visibility and granular control of our security platform into SaaS (Software as a Service) applications by looking into them directly – providing full visibility into the day-to-day activities of users and data. Granular controls ensure policy is maintained to eliminate data exposure and threat risks.

Figure 5: Palo Alto Networks Next-Generation Security Platform protects private and public cloud computing environments


Use Case 6: Protect Windows PCs that are Difficult to Patch

Due to the highly complex nature of financial services IT environments, many IT departments struggle to patch all Windows devices. In addition, many ATMs are still based on an underlying Windows XP environment, which is no longer officially supported by the vendor. The sheer quantity and distributed geography of these devices makes upgrades and/or replacements a logistical challenge.

Such financial institutions may use Traps to prevent malware and exploits on such devices. The lightweight nature of the signatureless Traps agent decreases the risk to Windows workstations and servers that are difficult to patch. Additionally, the multi-method prevention capabilities of Traps against both known and unknown threats have been recognized as a suitable replacement for antivirus solutions.

Figure 6: Traps protects Windows-based PCs and devices with signature-less anti-malware and anti-exploit capabilities

Use Case 7: Mobile Device Protection

Mobile devices, such as smartphones and iPad®, are extensively used by financial advisors and roaming customer service agents within a branch. You can extend the same protection that Palo Alto Networks Next-Generation Security Platform provides to your deployed mobile devices with GlobalProtect™ network security client for endpoints, which is natively integrated with WildFire for the detection of unknown threats, and with MDM providers like AirWatch for easier deployment.

Deploy GlobalProtect on managed Windows laptops to achieve the same network-level threat protection whether your laptops access the internet from inside or outside the financial institution’s network. Another option would be to use clientless SSL VPN on unmanaged devices to access corporate web applications through the GlobalProtect portal.


Manage the Security Platform Centrally

Finally, financial services IT security and network management teams can collaborate on a single security platform with defined administrative roles to enforce the separation of duties.

Our central management solution, Panorama™ network security management, makes firewall management and intelligence gathering easy. Use the native log viewer or integrate with third-party log management tools like Splunk, LogRhythm and ArcSight® to create traffic reports for network management and regulatory compliance.


Take the Next Step and Regain Control Over Your Network

Discover more about the visibility and control that our prevention-oriented approach provides and how you can use our security platform to automatically stop cyberattacks in your financial services environment.