LAS VEGAS – Visibility was a commonly heard word at Palo Alto Networks‘ Ignite conference this week in Las Vegas as customers described the requirements of their network and what they need to enable users to deploy the applications they want without compromising security.
Enter WildFire, Palo Alto Networks’ answer to the challenge of advanced malware targeting enterprises. WildFire leverages the visibility of the vendor’s firewalls to stop suspicious files at the gateway and push them into the cloud for analysis. Once there, the malware would be allowed to execute in a sandbox free from any impact on a customer’s network.
This week, the company decided to move from using the service as a defensive mechanism to a proactive one through a new paid subscription service that pushes out malware signatures to the company’s customers within an hour – something the company says will make a difference in the fight against zero-day malware.
“By definition if you are looking for something that is an unknown, you don’t know if it’s good or bad, you don’t know where to look for it yet,” said Wade Williamson, senior security analyst at Palo Alto Networks. “You’re going to have to look at all traffic so that you see the thing in the first place.”
Executables that are not recognized are – according to the policies set by the user – are sent to the cloud to be analyzed in WildFire’s virtualized sandbox while the firewall continues to enforce security.
“What goes up here (to the cloud) is decided completely by the user, by the customer, by the admin,” explained Chris King, director of product marketing at Palo Alto. “They could have a policy that says, ‘send no files’ – which is the default. Then they could have a policy that says, ‘ok if it’s a collaboration application…if it’s email, if it’s webmail, if it’s a file transfer application…send any content you’ve never seen before to WildFire’.”
By focusing on how malware communicates with its command and control infrastructure (C&C), the company is trying to respond to moves by malware authors to dodge security researchers by using new URLs to disguise the C&C. As part of its strategy, Palo Alto passively analyzes DNS queries to block communication from infected systems. This in turn, helps the vendor develop what officials called “true signatures” for the malware.
“The thing that the malware developers don’t change a lot is how those things communicate,” King said. “Because if you look at it, I can change URLs and files easily – I can actually do some polymorphism here to change the executable on a regular basis…like changing the order in which they call Windows services. It’s the same executables, but they are changing in which they call services so it looks different.”
“When you get down to the way the malware behaves of the network – it does this kind of DNS, they use the such and such peer-to-peer network, it does these kinds of command and control actions, that’s where you start to get to really small numbers (of signatures).”
By observing the DNS behavior of the malware and the URLs it uses, the vendor can leverage that information to augment network defenses beyond creating a signature for the malware itself by for example using the information to bolster URL filtering.
The technology is in no way meant to replace antivirus, Williamson said, noting that there is always going to be value in having antivirus on the device.
“The thing that I think that is important, if you think about kind of where security has been done in the past…IPS has always been doing security in the network and AV guys have been on the endpoint,” Williamson said. “In the past 5 to 10 years…malware has become a very networked application. It uses the network for command and control, it communicates back and forth. If it couldn’t use the network it wouldn’t be as powerful as it is.”
“So what we’re at least coming back and saying is that malware is absolutely a part of this network-based attack. So what we can do, we’d better [do] if we’re going to be in the job of controlling a network-based attack, we at least need to be cognizant of malware at the network level,” he said.
Disclosure: Travel and accommodations for SecurityWeek to attend the Ignite Conference were provided by Palo Alto Networks, under the condition that no coverage was guaranteed, nor would positive coverage be guaranteed.