
A Modern Framework for Network Security in Government

Palo Alto Networks | A Modern Framework for Network Security in Government 1

Government: Securing Your Data, However and Wherever Accessed

Governments around the world are exchanging more data with all of their constituents: citizens, civilians and warriors, patients, students, and partners in more ways than ever. This exchange of information – across both IT and control systems networks – means the security of the networks housing and serving that data requires change in parallel.

The stakes are high – not only the exposure of vulnerable systems. The adversary wants access to that same data – to steal it, or possibly even change it, whether of strategic, political, monetary or intelligence value. This can lead to tremendous loss.

Cyber Attack Chain and Zero Trust

It's no secret that government networks are among the most targeted of virtually any industry, and attackers know they must use more evasive tactics to penetrate these networks. Some of the latest attacks show a concerted effort to study victims and develop spear phishing and waterhole attacks, among other approaches, to gain access through the unwitting victim to the target network. Many attackers are able to penetrate their target network, and often successfully establish a beachhead and remain undetected for a significant period of time while continuing evasive and damaging action.

The Gartner Cyber Attack Chain reveals six stages of an attack, from delivery and exploitation and installation to exfiltration of information from the target network. With the technology available today, governments can defeat attackers before they can exploit a vulnerability. But they can also thwart other steps in the attack chain by controlling applications, users and content everywhere across the network, from the perimeter edge and endpoints to the heart of their data centers, in remote locations and at major Internet gateways.

Fundamentally, governments must create agility to prevent attacks across their networks, further and faster. They must move beyond mere detection and response. The approach to the threat must move beyond mere detection and remediation of latter points in the attack chain to a preventative approach throughout – to prevention that allows the security functions to coordinate signatures around the network, in cooperation with one another, within the context of user, device and/or location. Security operations centers (SOCs) and intelligence analysts must have less noise and more relevant data to act upon.

The Zero Trust approach, first coined by Forrester, enables an organization to establish the verification of all users, devices and applications traversing the network. A Zero Trust model incorporates virtual segmentation with the enforcement controls and threat prevention necessary to defeat the lateral movement of malware throughout the network, prevent the lateral movement of adversaries through the target network and thwart the attack. By establishing Zero Trust boundaries that effectively compartmentalize different segments of the network, governments can protect critical information from unauthorized applications or users. This ensures the confidentiality, integrity and availability of that data whenever it is needed.

THWART THE ATTACK CHAIN
1. Adopt a Zero Trust approach.
2. Protect, control and defend systems at all places in the network and in data centers.
3. Automatically identify their patterns, and block follow-on actions and activity.
4. Protect and defend the endpoints that automatically prevent and block unwanted applications, across all network traffic regardless of device, location or group functions.
5. Prevent new attacks and disrupt them.
6. Ensure the endpoints are protected with appropriate access, even when they are off-network.
7. Create cohesion between IT, cybersecurity and intelligence professionals, with immediate and automatic sharing and distribution of intelligence everywhere on the network, to reduce advanced attacks.

Securing the Host and Network from Low Level to Advanced Threats

To secure their networks and endpoints, here are several key steps governments should consider:

−− Establish visibility into all network traffic and define which applications do and do not belong on the mission network. Understand your users and network devices.
−− Whitelist the applications by user or user group and enforce the controls. With automation, newly discovered legitimate applications are supported with new classifiers. Any deviations from the whitelist are stopped, and any suspicious files are automatically and immediately analyzed.
−− Establish a Zero Trust model to protect the mission and ensure the confidentiality and integrity of government data. Establish zones of users and access to those applications that are critical applications, and strictly control the flow between security zones of trust.
−− Decrypt SSL communications, where attackers often hide their tracks.
−− Incorporate advanced attack detection and prevention across all communications – not just web and email.
−− Incorporate malware analysis, from network to endpoint.
−− Credential theft – stealing credentials as part of a phishing attack – is a frequent tactic for those targeting governments. Thwart attempted outbound leaks of data, and thwart attempted use of stolen credentials for access from outside the network perimeter.
−− For mobile endpoints and their access to your data: Apply mobile threat prevention and policy enforcement at all mobile endpoints, based on applications, users, content, and device and device state. Use device management to configure the mobile devices, provide device state information, and establish secure connectivity to access applications and data in accordance with security policies. Integrate the mobile device security with advanced attack prevention to prevent new malware from affecting the mobile devices. Identify devices with infected applications. Extend a VPN tunnel to the mobile devices. Isolate government data by controlling lateral movement between government and personal applications on the same device. Host a government application store for managing government-vetted or custom government applications.
−− Within the security operations and/or the security operations center (SOC), make the broadest visibility and threat data, de-duplication, correlation of threat intelligence feeds and automated blocklists from the results a priority. With correlation and automatic threat prevention at a platform level to reduce the volume of threats that must be reviewed, this results in drastically reduced events per analyst hour, which leads to much more effective use of security operations or SOC personnel.
−− From individual malware behaviors and attack tactics all the way up to a global campaign, malicious URLs and IP addresses involved in the attack are identified. Using the pre-established whitelist of applications, identified threats are detected, signatures automatically generated, and appliances (virtual and physical) are automatically reprogrammed with the protections – for malware, URLs and IP addresses – in as little as five minutes, all without human intervention.

Securing the Data Center and Cloud

Numerous data uses and many more data users are connecting to government data globally, and the protection of the data must remain the highest priority. Regardless of how you have architected your data center – for consolidation, private, hybrid cloud and/or public cloud – security should be fully integrated and should learn from one another, from network to endpoint. There are several key considerations to make prevention a reality:

−− Understand your data center applications and their current risk profiles. Establish a benchmark of which applications reside within your data center. Though these are critical applications, they are often the very ones with vulnerabilities and active exploits available.
−− Thwart both exploits and malware on all endpoints. Adopt lightweight, scalable advanced endpoint protection that prevents all exploits and prevents all malicious executables, without requiring any prior knowledge.
−− Thwart any attacker who attempts to compromise a host and move laterally by suppressing their movement and access. This can be achieved with an application whitelisting approach coupled with on-board correlation of security information. Establish a dynamic whitelist of all approved applications to ensure normal operations.
−− Ensure your security strategy considers both east-west and north-south traffic by decoding all ingress and egress data. Decrypt SSL communications, where attackers often hide their tracks, and apply granular control for all applications and traffic based on the steps above down to the virtual machine (VM). Choose a cybersecurity solution that makes VM security seamless: as users, applications and content move from VM to VM, the security policies remain intact with them.
−− For Amazon® Web Services and Microsoft® Azure® public cloud environments, integrate the same level of security at the VM level for visibility and threat prevention as on-premise services or data-center operations.
−− As noted previously, across the breadth of the network from the mobile and fixed endpoints into the core of the data center and/or private cloud, the defenses across numerous devices, and the signatures distributed through those devices, represent complexity and risk.

−− With automation, newly discovered legitimate applications are supported with new classifiers.
−− Any deviations from the whitelist are stopped, and any suspicious files are automatically and immediately analyzed.
−− Incorporate advanced attack detection and prevention across all communications in and out of each zone.
−− Identified threats are detected, signatures are automatically generated and attacks are thwarted. Malicious URLs and IP addresses involved in the attack are identified, and the network and sensors are reprogrammed with the protections – for malware, URLs and IP addresses – in as little as five minutes. Don't settle for manual, manpower-intensive efforts to thwart advanced attacks.
−− For SaaS, extend visibility and control down to the individual file, folder and user operating within the SaaS application, and maintain granular visibility and control of use at the application and individual application function level – for example approving the use of a specific videoconferencing service, but not the file transfer capability within it. Apply advanced threat prevention to block known malware and identify and block new malware in these environments. Apply deep analytics into the day-to-day usage to quickly determine if there are any data losses or compliance-related policy violations.

[Figure: VM-Series deployment across the Virtualized Data Center (VM-1000-HV on NSX vSwitch and VMware ESXi, Web/App/DB tiers, Compute Clusters), Private Cloud, Public Cloud and a physical Perimeter Firewall facing the Internet. Use cases shown: Segmentation – separate applications and data for security and compliance; Hybrid – extend your data center into AWS or Microsoft Azure; Gateway – protection from internet-borne threats; GlobalProtect – policy consistency for the cloud and your devices. * All use cases supported in AWS standard regions, AWS GovCloud (US), and Microsoft Azure.]

Control Systems Security

Control systems and machine-to-machine operations manage critical functions for government – from civilian to military operations. These critical operations perform fuel and transport and onboard ship, aircraft and tank operations, operation of rivers and dams, building automation, navigation, and other functions.

To ensure the protection of these critical systems – often running unpatchable systems – governments should:

−− Make visibility of the network traffic into and out of the operational network a priority.
−− Secure the operational network boundary, both to the IT network and within the operational network between functions.
−− Apply the appropriate security and best practices to the operations or automation networks as you would the IT network.
−− Evaluate any third-party people, processes and technologies operating these systems on behalf of government and ensure they have the same level of security controls as those the government itself operates.
−− Recognize that unpatchable systems with antiquated operating systems, or those which simply cannot be patched due to operational downtime, pose a very high risk and must be a priority for advanced endpoint protection.

Prevent Threats at Every Step of the Cyber Attack Chain

The Palo Alto Networks Next-Generation Security Platform is a natively integrated platform that brings network, cloud, and endpoint security into a common architecture, with complete visibility and threat prevention. This platform approach ensures your organization can detect and prevent swiftly evolving attacks, streamlines day-to-day operations and boosts security efficacy. Focused on preventing exploits and both known and unknown malware, the platform's closed-loop approach controls cyberthreats, beginning with positive security controls to reduce the attack surface, and prevents threats at each stage of the attack lifecycle. With full visibility into all network traffic, users' application needs, and potential security impact, organizations can make fully informed decisions for application whitelisting.

Security subscriptions on the platform are seamlessly integrated to add protection from both known and brand new threats:

−− Application visibility and positive enforcement: Visibility of all users, applications, and content enables an organization to understand the most-used applications, and create security policies appropriate for their own environment, by user and application, thereby reducing the overall threat footprint. This includes the ability to build logical policies based on the specific security posture of a user's device.
−− Known malware prevention: Proactive blocking of known threats with Threat Prevention and URL Filtering services, providing baseline defenses against known exploits, malware, malicious URLs, and command-and-control infrastructure, with classification and filtering of URLs proactively blocking access to malicious websites and other attacker resources.
−− Unknown or zero-day malware prevention: Analysis of unknown files in an advanced, virtual malware analysis environment. WildFire™, the Palo Alto Networks cloud-based or on-premises malware analysis environment, provides dynamic and static analysis of suspicious content, coupled with machine learning for swift learning of attack behavior – from malicious content up to a global campaign of activities – in a virtual environment to discover new threats. It then automatically creates and enforces content-based malware protections, delivering threat prevention for unknown threats in as little as 5 minutes. Beyond immediate malware detection, the environment generates protections that are shared globally in about 5 minutes. Unique, purpose-built for high fidelity hardware emulation, and analyzing suspicious samples as they execute, this capability detects and blocks targeted and unknown malware, including stealthy attempts to evade detection such as encrypted communications, and command and control (C2) activity by observing their actual behavior, rather than relying on pre-existing signatures. It also detects malicious links in email and malicious infrastructure such as malicious domains and DNS activity, and command and control activity, as part of the platform's malicious-infrastructure and outbound threat prevention approach.
−− Endpoint exploit, malware, and policy violation prevention: Prevention of advanced endpoint attacks by thwarting exploits, including those utilizing unknown zero-day vulnerabilities, and all malicious executables, without requiring any prior knowledge. In addition to quickly turning unknown threats into known, additional protections are afforded at the endpoint through policy restrictions. Examples of policy restrictions include:
−− Block unsigned executables
−− Block executables launched from specific network locations or devices.

Palo Alto Networks Next-Generation Security for Government

Palo Alto Networks serves governments in over 70 countries today, which are demanding more from their security solutions and platforms/subscriptions. With the most advanced and flexible environment available for your own private network, cloud, SaaS, mobile, and having been named five times in the Gartner Magic Quadrant, we provide an innovative next-generation security platform that provides threat prevention across the Cyber Attack Chain. Armed with this information, governments gain complete visibility and threat prevention.

https://www.paloaltonetworks.html

−− SaaS control and threat prevention: Added security of sanctioned SaaS applications with complete visibility across all user, folder and file activity. Provides deep analytics into day-to-day usage to quickly determine if there are any data loss protection or compliance-related policy violations, and granular, context-aware policy control to drive real-time enforcement and quarantine of users and data as soon as a violation occurs according to security policies.
−− Private, public, and hybrid cloud security: Extension of the aforementioned security capabilities for private, public and hybrid cloud environments, including AWS®, Amazon Web Services GovCloud, Microsoft Azure, KVM/OpenStack® for open source implementations and Citrix® Netscaler SDX™. The VM-Series of virtualized Next-Generation Firewalls supports the same security features available in the physical form factor appliances. The VM-Series supports VMware® ESXi™, NSX™ and vCloud® Air™. Focused on securing every stage of the data center – from consolidation to private cloud, public cloud and hybrid cloud – Palo Alto Networks security platform secures the edge and heart of the data center.

Protect Your Entire Extended Network: Private and Public Cloud to Mobile Devices

Visibility and threat prevention across the breadth of the network – from mobile to the core of the data center and/or cloud. Mobile threat prevention and policy enforcement at all mobile endpoints are based on applications, user, content, device and device state. Device management configures mobile devices, provides device state information – including infected devices – and establishes secure connectivity to access applications and data while connecting mobile users to your infrastructure. Integration of mobile device security with advanced attack prevention prevents new malware from affecting mobile devices, and policy enforcement over mobile devices remains in place.

Provide a Safe Environment for Applications and Data from Any Device and across your private, public, and hybrid cloud computing environments

Palo Alto Networks security platform combines technology, applications and threats to ensure a safe network environment, allowing for the safe enablement of applications flowing into the network.

Improve Efficiency of Security Operations and/or SOCs

Security practitioners receive an overwhelming volume of security data and alerts daily from a variety of tools, feeds and devices deployed across their organization. From internal security data to external threat feeds, the platform drastically reduces events-per-analyst-hour, resulting in much more effective use of security operations or SOC personnel.

Reduce Noise, Increase Focus on Actionable Intelligence

Security practitioners receive an overwhelming volume of security data and alerts daily from a variety of tools, vendor feeds and devices deployed across their organization. With Palo Alto Networks AutoFocus™ service, security practitioners gain instant access to actionable intelligence derived from billions of file analysis artifacts based on the files collected from over 5,000 global enterprises, from individual malware behaviors to a global campaign, with global intelligence. Stand-alone or as part of the AutoFocus™ contextual threat analysis service, MineMeld automates de-duplication and correlation of threat intelligence feeds and automates blocklists for the platform from the results.

[Figure: Palo Alto Networks Next-Generation Security across Software as a Service, Government Public Cloud, Private Cloud (VM-Series), ICS & SCADA, Mission A and Mission B zones (Zone 1, Zone 2), PA-5000 Series with optional WF-500 appliance, GlobalProtect, threat intelligence and files; automated protection delivered in as little as 5 minutes.]

Summary

Governments need a plan that addresses their current needs without compromising access or experience. Providing an innovative next-generation security platform, we protect government networks across the entire attack lifecycle and across government assets: fixed to mobile, IT to automation and operational environments, and edge to heart of the data center, and at all levels and functions. Palo Alto Networks differentiated approach to security offers a model of positive enforcement and prevention – throughout your network and out to mobile.

Multi-Faceted Government Support

Palo Alto Networks serves government customers in every technical and administrative case, and meets the certification requirements and standards required of governments, including Common Criteria, FIPS-140, Suite B, NIST SP 800-63-2 Levels 3 and 4, ANSSI, and DISA UC APL. Our U.S. Support Services provide technical support provided by U.S. citizen engineers located in U.S.-based support centers for all aspects of technical and administrative cases.

Take a Test Drive

Take advantage of the benefits of the Palo Alto Networks platform with an Ultimate Test Drive. These demonstrations arm government network and cybersecurity experts with hands-on experience with the Palo Alto Networks Next-Generation Security Platform. Request a demonstration with our team in your country: https://www.paloaltonetworks.html

See the Palo Alto Networks difference for yourself at support.paloaltonetworks.
Web: https://www.paloaltonetworks.
Government Blog: http://researchcenter.paloaltonetworks.
Twitter: https://twitter.
Youtube: https://www.

Palo Alto Networks, Inc.
4401 Great America Parkway
Santa Clara, California 95054
www.paloaltonetworks.com
+1-408-753-4000 main
+1-866-320-4788 sales
+1-866-898-9087 support

Copyright ©2017, Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at http://www.paloaltonetworks.html. All other marks mentioned herein may be trademarks of their respective companies.