Professional Documents
Culture Documents
Threat Prevention Ds PDF
Threat Prevention Ds PDF
PREVENTION
Comprehensive Exploit, Malware, and
Command-and-Control Protection for Your Network
To make matters worse, network security products are still using the same defensive
Purpose-built within Palo Alto
strategies employed before the threat landscape evolved. Traffic is only inspected
Networks® Next-Generation Security
on certain ports and, while adding single-function devices to the defensive stack
Platform, the Threat Prevention
may help alleviate a particular problem, it results in poor visibility and performance.
service protects networks across
This has left a dangerous situation, where gaping holes are present in network
different attack phases:
defenses because security solutions are fractured and difficult to manage, while
• Scans all traffic in full context of attackers are increasingly adept at penetrating them.
applications and users.
Enable the Application, Prevent the Threat
• Prevents threats at every stage Applications are an integral part of how companies do business and, because of
of the cyberattack lifecycle. that, they’ve made themselves increasingly available to users by entering networks
using encrypted channels through non-standard ports and by hopping from open
• Single-pass scanning architecture port to open port to guarantee users always have access.
allows for high throughput
Unfortunately, advanced threats take advantage of the way in which applications
without sacrificing security.
make themselves available to users, leveraging them for a free ride into the network,
• Daily, automatic updates for undetected. They tunnel within applications, hide within SSL-encrypted traffic, and
newly discovered threats, with take advantage of unsuspecting targets to get a foothold within the network and
preventions available in 300 execute malicious activity.
seconds for zero-day malware We protect your network against these threats by providing multiple layers of
and exploits through WildFire™ prevention, confronting threats at each phase of the attack. In addition to traditional
cloud-based threat analysis intrusion-prevention capabilities, we provide the unique ability to detect and block
service. threats on any and all ports, instead of invoking signatures based on a limited set
of predefined ports. By leveraging User-ID™ user identification technology and
• Revolutionary automated App-ID™ application identification technology within our next-generation firewall,
command-and-control signatures which identify and add context to all traffic on all ports, the Threat Prevention
generated at machine scale and engine never loses sight of the threat, regardless of the evasion technique.
speed.
• Easy-to-configure, custom vulnerability signatures allow • Updates from WildFire, ensuring protection against
you to tailor intrusion prevention capabilities to your zero-day malware.
network’s unique needs. Signatures for all types of malware are generated directly
Palo Alto Networks employs natively integrated defensive from billions of samples collected by Palo Alto Networks,
technologies to ensure that, when a threat evades one including previously unknown malware sent to WildFire, our
technology, another catches it. The key to effective protection Unit 42 threat research team, and other third-party research
is to use security features that are purpose-built to share in- and technology partners around the world.
formation and provide context around both the traffic they’re
inspecting and the threats they’re identifying and blocking. Command-and-Control (Spyware) Protection
We know there’s no silver bullet when it comes to pre-
Intrusion Prevention (IPS)
Threat-based protections detect and block exploit attempts Payload-Based vs. Hash-Based Signatures
and evasive techniques at both the network and applica-
Signatures based on payload detect patterns in the
tion layers, including port scans, buffer overflows, remote
body of the file that can be used to identify future
code execution, protocol fragmentation and obfuscation.
variations of the files, even if the content has been
Protections are based on signature matching and anomaly
slightly modified. This allows us to immediately identify
detection, which decodes and analyzes protocols and uses
and block polymorphic malware that otherwise would
the information learned to send alerts and block malicious
be treated as a new unknown file.
traffic patterns. Stateful pattern matching detects attacks
across multiple packets, taking into account arrival order and Signatures based on hash match on the fixed encoding
sequence, and making sure all allowed traffic is well-inten- unique to each individual file. Because a file hash is
tioned and devoid of evasion techniques. very easily changed, hash-based signatures are not
effective at detecting polymorphic malware or variants
• Protocol decoder-based analysis statefully decodes the
of the same file.
protocol and then intelligently applies signatures to detect
network and application exploits.
• Because there are many ways to exploit a single vul-
nerability, our intrusion prevention signatures are built venting all threats from entering the network. After initial
based on the vulnerability itself, providing more thorough infection, attackers will communicate with the host machine
protection against a wide variety of exploits. A single through a command-and-control (CnC) channel, using it to
signature can stop multiple exploit attempts on a known pull down additional malware, issue further instructions, and
system or application vulnerability. steal data. Our CnC protections hone in on those unautho-
rized communication channels and cut them off by blocking
• Protocol anomaly-based protection detects non-RFC- outbound requests to malicious domains and from known
compliant protocol usage, such as an overlong URI or CnC toolkits installed on infected devices. Palo Alto Net-
FTP login. works goes beyond standard automation of CnC signatures
• Easy-to-configure, custom vulnerability signatures allow us based on URLs and domains. We automatically generate
to tailor intrusion prevention capabilities to your network’s pattern-based CnC signatures – delivering researcher-grade
unique needs. CnC signatures at machine speed and scale.
*DSRI-enabled
4401 Great America Parkway © 2017 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of
Santa Clara, CA 95054 Palo Alto Networks. A list of our trademarks can be found at http://www.paloal-
Main: +1.408.753.4000 tonetworks.com/company/trademarks.html. All other marks mentioned herein
Sales: +1.866.320.4788 may be trademarks of their respective companies. threat-prevention-ds-020617
Support: +1.866.898.9087
www.paloaltonetworks.com