It’s WildFire Season for Corporate IT
Cybercriminals have increased their efforts with smarter, stealthier and more deadly malware than we’ve seen in a long time. It’s like a wildfire raging out of control. We, as security professionals, have to find a way to extinguish the fire.
I don’t think it’s a coincidence that one of Palo Alto Networks’ Security Platform components is called WildFire™. In this case, WildFire is a cloud-based malware analysis environment designed to combat the out-of-control conflagration of malware targeting corporate networks. WildFire analyzes files and network traffic to detect advanced threats and indicators of compromise (IOCs), reports them to a centralized server in real time, and shares that information with subscribers all over the world who have WildFire deployed. In other words, all WildFire customers benefit from each other’s collective security insights. Consider this: once one customer has faced a particularly deadly zero-day threat, WildFire can help protect hundreds of other organizations, or millions of endpoints, from that same threat.
And why do I bring this up? It just so happens that Forescout recently released an enhanced Extended Module for Palo Alto Networks WildFire that draws on WildFire’s threat insight and can have a significant positive impact on the IT security threats organizations face every day.
Calling Home? Not So Fast.
When an advanced threat gets its claws into a particular endpoint, it typically performs what we refer to as a “call home” procedure, also known as contacting the command and control (C&C) server. What is happening is that the code on the infected endpoint is contacting “home” to report that it has infiltrated the security fence and to request instructions. It also uses various reconnaissance and propagation techniques to infect other endpoints within the corporate network.
The way we can prevent this from happening is by employing a multifaceted defense strategy. First, we need to block the outbound call to the C&C server. That stops the malware from telling the attacker that it’s inside the perimeter. Next, we have to isolate that endpoint to make sure it doesn’t spread the malware to other endpoints on the network. Finally, we need to prevent other compromised endpoints, such as those infected on public networks or via USB devices, from connecting to the enterprise network, or isolate them when they do. This mitigates the threat, helps limit data exfiltration and allows the endpoint to be remediated and returned to a healthier security posture.
And it’s no coincidence that the recently released Forescout Extended Module for Palo Alto Networks WildFire helps orchestrate the above workflow in a corporate network. The Palo Alto Networks Next-Generation Firewall, based on malware analysis from WildFire, blocks the outbound call to the C&C server. It also notifies Forescout CounterACT® about the detected IOC and the infected endpoint, which allows CounterACT to retrieve additional IOC details from WildFire and initiate mitigation actions. The result is that the infected endpoint is isolated on a quarantine network until it can be remediated. The rest of the endpoints on the network can be automatically scanned for the presence of the same infection, and likewise isolated and remediated before they can call home and do more damage.
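To make the block / isolate / sweep workflow above concrete, here is a small simulation added to this post. It is illustrative code, not Forescout or Palo Alto Networks code: the alert fields, the endpoint inventory and the quarantine mechanism are assumptions made for the example, and the sample hash and C&C host are constructed placeholders.

```python
# Constructed simulation of the block / isolate / sweep workflow described
# above. Added illustration, not Forescout or Palo Alto Networks code; the
# event fields, inventory layout and quarantine mechanism are assumptions.
from dataclasses import dataclass, field


@dataclass
class Endpoint:
    ip: str
    file_hashes: set          # hashes of files observed on the endpoint
    segment: str = "corp"     # network segment the endpoint currently sits in


@dataclass
class Inventory:
    endpoints: dict                                  # ip -> Endpoint
    blocked_c2: set = field(default_factory=set)     # perimeter block list
    quarantined: set = field(default_factory=set)    # isolated endpoint IPs


def quarantine(inv: Inventory, ep: Endpoint) -> None:
    """Move an endpoint onto the quarantine segment and record it."""
    ep.segment = "quarantine"
    inv.quarantined.add(ep.ip)


def handle_ioc_event(inv: Inventory, event: dict) -> dict:
    """Process one malware verdict: block the call-home destination, isolate
    the reporting endpoint, then sweep the remaining endpoints for the same
    sample and isolate any that carry it before they can call home."""
    inv.blocked_c2.add(event["c2_host"])                 # 1. block outbound C&C
    victim = inv.endpoints[event["endpoint_ip"]]
    quarantine(inv, victim)                              # 2. isolate the victim
    swept = []
    for ep in inv.endpoints.values():                    # 3. sweep the rest
        if ep.ip != victim.ip and event["sha256"] in ep.file_hashes:
            quarantine(inv, ep)
            swept.append(ep.ip)
    return {"blocked": event["c2_host"], "isolated": victim.ip,
            "swept": sorted(swept)}


def demo() -> dict:
    """Constructed sample: three endpoints, two of them carrying the sample."""
    sample = "SAMPLE_SHA256_PLACEHOLDER"                 # placeholder, not a real IoC
    inv = Inventory(endpoints={
        "10.0.0.5": Endpoint("10.0.0.5", {sample, "benign-1"}),
        "10.0.0.9": Endpoint("10.0.0.9", {"benign-2"}),
        "10.0.0.12": Endpoint("10.0.0.12", {sample}),
    })
    event = {"endpoint_ip": "10.0.0.5", "sha256": sample,
             "c2_host": "c2.example.invalid"}            # constructed alert
    return handle_ioc_event(inv, event)


if __name__ == "__main__":
    print(demo())
```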
With the enhanced Forescout Extended Module for Palo Alto Networks WildFire, customers can leverage best-of-breed capabilities to strengthen network security and improve the security posture of their corporate network.
Until next time.
Want to see this solution in action? Check out the demo.