SECURING YOUR MICROSOFT ENVIRONMENT
From the Network to the Cloud to the Endpoint
Your business relies on a Microsoft® infrastructure that
stretches from your network to the cloud to endpoints located
around the world. In many ways, the success of your business
relies on how secure your Microsoft infrastructure is. Your
users do not care where the applications and data reside; they
only care about getting their job done. SharePoint®, Skype for
Business, or Active Directory® deployed on the network, in
Azure®, or as part of your Office 365® subscription should have
no impact on the success of your business.
Attackers do not care where your applications and data reside,
either. Their attack patterns are the same: Gain access to the
network, oftentimes by compromising an endpoint – mobile
or otherwise. Once on the network, their goal may be to
steal customer data, utilize your network to harvest Bitcoin,
or become part of a botnet. The challenge your organization
faces is how best to protect your highly distributed Microsoft
infrastructure from cyberattacks.
Palo Alto Networks | Securing Your Microsoft Environment White Paper
Contents
Prevention or Acceptance and Remediation? ... 3
Hiding in Plain Sight ... 3
Whac-A-Mole Security ... 3
A Platform Approach to Prevention ... 4
Native Integration ... 4
Platform Components ... 4
A Platform Approach for Microsoft Environments ... 5
Prevention for the Network ... 5
Identification and Control ... 5
Prevent Known and Unknown Threats ... 6
Consistent Security for All Locations and Users ... 6
Prevention in Azure ... 7
Controlling Access to Your Azure Deployment ... 7
Segmentation for Improved Security and Compliance ... 7
Automated Deployments and Streamlined Management ... 8
Prevention for Office 365 ... 9
Visibility Into SaaS Usage on the Network ... 9
Control SaaS Application Usage ... 9
Prevent Malware Insertion and Data Loss ... 10
Prevention for Endpoints and Servers ... 10
Multi-Method Malware Prevention ... 11
Multi-Method Exploit Prevention ... 11
Automating Prevention With the Next-Generation Security Platform ... 12
Extend Network Security Policies to the Endpoint ... 12
Summary ... 13
Prevention or Acceptance and Remediation?
It seems that nary a day goes by that we do not hear about a security breach resulting in the loss of data,
user-information exposure and massive damage to a company’s reputation. According to the Breach Level Index,
dating back to 2013, roughly 4.8 billion records have been lost through a variety of attack techniques. For some, this
staggering statistic has led to a shift away from an attack-prevention mentality to one of acceptance, in which
attackers have won and the focus is on attack remediation and recovery from damages inflicted. The basis for an
acceptance and remediation mentality may be explained not only by the volume of security incidents reported
publicly but also by the interconnected and distributed nature of IT infrastructure.
Image 1: Your threat footprint spans the network, the cloud and the endpoint
The greater the distribution of your applications, the greater the exposure and the greater the challenge to protect
it. Your application workloads may be running in Azure, or perhaps you’re using Office 365. Your data is distributed
between on-premises and cloud resources. Remote users may be accessing applications from a Windows-based
phone, tablet or laptop. Further increasing your exposure is how business applications operate on your network.
Microsoft Skype for Business®, SharePoint and Active Directory can be deployed on premises, in the cloud or as a
service, each using a wide range of ports, including TCP/80, TCP/443 and ranges of high-numbered ports.
The more ports that are opened on your network, even for business purposes, the greater your risk footprint becomes.
Hiding in Plain Sight
Attackers are taking full advantage of your highly distributed Microsoft infrastructure, executing their attacks
in relatively consistent patterns. Initially attackers will compromise a user to gain access to your network. The
compromise may be spear phishing, a drive-by download or other means. The attack may or may not target
specific Microsoft-based applications or resources. The attack mechanism or the endpoint device does not matter.
The goal is to gain access to the network.
Once on the network, attackers will hide in plain sight, using common applications, such as DNS, SSH and HTTP,
to hide their activities. As an example, the Wekby group, well known for launching zero-day attacks and for
rapidly exploiting newly announced application vulnerabilities, recently kicked off the Pisloader attack. After using
a web compromise or spear phishing to infect an endpoint and gain access to the network, Pisloader used DNS on
its standard port (53) for command-and-control traffic. This meant that, no matter how tightly the other ports
were locked down, the Pisloader C&C passed through the port that has to stay open for DNS, looking just like
normal name-resolution traffic. Every network, virtualized or otherwise, uses DNS.
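An added detection heuristic illustrating the point above (example code written for this page, not Palo Alto Networks code and not a signature for the Pisloader sample): it scans DNS query log lines for clients that issue repeated TXT queries whose leading label is long and high-entropy, the shape that data-carrying DNS command-and-control tends to take. The log format, client addresses, domain name, sample lines and thresholds are all constructed assumptions.

```python
"""Heuristic detection of DNS command-and-control hiding on port 53.

Added example for this white paper; not Palo Alto Networks code. The log
format (timestamp, client IP, query type, queried name), the addresses,
the domain and the thresholds are assumptions for the example.
"""
import math
from collections import defaultdict

# Constructed sample log: one client (10.1.2.9) issuing TXT queries with long,
# random-looking labels, mixed with ordinary lookups from other clients.
SAMPLE_DNS_LOG = """\
2016-06-01T10:00:01 10.1.2.3 A www.microsoft.com
2016-06-01T10:00:02 10.1.2.3 A sharepoint.contoso.local
2016-06-01T10:00:03 10.1.2.9 TXT 3f9a8b1c2d4e5f60718293a4b5c6d7e8.update-svc.example
2016-06-01T10:00:04 10.1.2.9 TXT 9d2e4f6a8b0c1d3e5f7a9b1c3d5e7f80.update-svc.example
2016-06-01T10:00:05 10.1.2.9 TXT a1c3e5f7b9d0a2c4e6f8b0d2a4c6e8f0.update-svc.example
2016-06-01T10:00:06 10.1.2.3 AAAA outlook.office365.com
2016-06-01T10:00:07 10.1.2.9 TXT 0b2d4f6a8c0e1a3c5e7a9c1e3a5c7e9b.update-svc.example
2016-06-01T10:00:08 10.1.2.7 TXT _dmarc.contoso.com
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of s: hex noise approaches 4.0, hostnames sit well below."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dns_line(line: str) -> dict:
    """Split one constructed log line into its four fields."""
    ts, client, qtype, qname = line.split()
    return {"ts": ts, "client": client, "qtype": qtype.upper(),
            "qname": qname.lower().rstrip(".")}


def registered_domain(qname: str) -> str:
    """Last two labels. Simplification: a real deployment would consult the
    public suffix list (assumption made for the example)."""
    return ".".join(qname.split(".")[-2:])


def is_suspicious_query(rec: dict, min_label_len: int = 24, min_entropy: float = 3.0) -> bool:
    """TXT query whose leftmost label is long and random-looking, i.e. it is
    carrying encoded data rather than naming a host."""
    label = rec["qname"].split(".")[0]
    return (rec["qtype"] == "TXT"
            and len(label) >= min_label_len
            and shannon_entropy(label) >= min_entropy)


def find_dns_c2(log_text: str, min_queries: int = 3):
    """Return (client, domain, count) for every client/domain pair that sent at
    least min_queries suspicious queries; one-off TXT lookups (SPF, DMARC) pass."""
    buckets = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_dns_line(line)
        if is_suspicious_query(rec):
            buckets[(rec["client"], registered_domain(rec["qname"]))] += 1
    return sorted((client, dom, n) for (client, dom), n in buckets.items() if n >= min_queries)


if __name__ == "__main__":
    for client, dom, n in find_dns_c2(SAMPLE_DNS_LOG):
        print(f"possible DNS C2: {client} -> {dom} ({n} data-carrying TXT queries)")
```

The thresholds are deliberately loose; in production the same logic would run over a window of real resolver logs and be tuned against the legitimately long TXT lookups (SPF, DKIM, some CDN names) seen on the network.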
Whac-A-Mole Security
History has shown that, when a significant security risk arises, a point solution is applied to address it. Playfully
termed a “Whac-A-Mole” approach, this methodology of solving a security problem is limited in many different ways:
• Lacks application awareness: Application developers have long moved past the port-and-protocol development methodology to an approach in which the port or ports used are based upon ease of application
access. In many cases, business-critical applications are flowing across TCP/80 and TCP/443 alongside
common web traffic. Microsoft SharePoint and Skype for Business are two perfect examples of applications
that fit this mold. Both applications use a wide range of ports, increasing the threat footprint.
• No shared context: With point solutions, the ability to gain contextual knowledge needed to perform a risk
assessment, make an informed policy decision, or investigate an incident is non-existent. Information on
the threat, the application vector it may have used, whether it was on its standard port, and the associated
user all become valuable tools in the lifecycle of security management.
• Limited feedback mechanisms: Point products that lack integration and cannot share context are unable to
dynamically ingest feedback and use it to improve the features needed to strengthen the security posture.
Clearly the Whac-A-Mole approach to protecting digital assets is no longer effective. A new approach is needed to
protect an organization’s digital way of life, one that is platform-based yet supports your prevention efforts, from
the network to the cloud to the endpoint.
A Platform Approach to Prevention
The Palo Alto Networks® Next-Generation Security Platform approach to prevention begins with visibility into the
applications in use on your network, in the cloud and SaaS environments, as well as the endpoints. The knowledge
of which applications are in use, and by whom, provides you with the power to make more informed security
decisions and, more importantly, begin reducing your attack surface area by enabling business applications
based on user identity and, where warranted, requiring two-factor authentication before access is granted. By
definition, application enablement is based on a positive-control security model, which means unsanctioned or
unwanted applications are implicitly denied, thereby reducing the attack surface area.
• Complete visibility: network and endpoint (different views); all applications, including cloud and SaaS; all
users and devices, including all locations; encrypted traffic.
• Reduce attack surface area: enable business apps; block “bad” apps; limit app functions; limit high-risk
websites and content; require multi-factor authentication.
• Prevent all known threats: exploits; malware; command and control; malicious and phishing websites; bad domains.
• Detect and prevent new threats: unknown malware; zero-day exploits; custom attack behavior.
Image 2: A prevention approach to protecting your Microsoft applications
Complementing the application control and threat prevention capabilities is a URL filtering solution that
categorizes URLs based on their content at the domain, file and page level and is dynamically updated based on
new contextual information collected by the threat intelligence cloud. To protect enabled applications, threat
prevention policies can be applied to specific flows, inspecting and blocking known attacks (e.g., vulnerability
exploits, command and control, viruses, malware, etc.). A final, yet critical, piece to our platform approach is to
make unknown attacks – those on the network, in the cloud, and on the endpoint – known through a range of
detection and analysis techniques that result in the dynamic creation and delivery of new protection mechanisms.
Native Integration
The immediate impact of our security platform can be seen in our ability to help you reduce your attack surface
area and improve your security posture. Each element of our platform is natively integrated, sharing contextual
information on the attack, the application it may have used, and the victim.
Information learned about the attack is used to continually improve each of the prevention elements in a dynamic
and automated manner, making it increasingly difficult for cyber criminals to execute a successful attack. Native
integration is key to delivering consistent security capabilities applied to all users, applications and locations –
from the network, to the cloud, to the endpoint.
Platform Components
The Palo Alto Networks Next-Generation Security Platform reduces your threat exposure by controlling
sanctioned and unsanctioned application flows, preventing known and unknown threats within allowed traffic and
on the endpoints, and continually strengthening prevention efforts based on ongoing threat analysis. The security
technologies that power our Next-Generation Security Platform include:
• Next-Generation Firewall: Delivered as either a hardware appliance or a virtualized instance for both public and private cloud deployment, the Next-Generation Firewall natively inspects all traffic, inclusive of applications, threats and content, then ties that traffic to the user, regardless of location or device type. The
application, content and user, or the elements that run your business, then become integral components of
your enterprise security policy. The result is the ability to align security with key business initiatives. Mobile
device protection enforces a consistent security posture for all users and all devices, regardless of location.
• Threat Intelligence Cloud: This provides centralized intelligence capabilities and automated delivery of
cyberattack preventative measures that can eliminate new and previously unknown threats within 300
seconds from attacks on the network, cloud and endpoint. The threat intelligence cloud also extends to
securely enable SaaS applications with policies that control access and prevent threats and data loss.
• Advanced Endpoint Protection: This replaces traditional antivirus with true prevention by preemptively
blocking malware and exploits, including zero-day threats, before they compromise endpoints.
The Next-Generation Security Platform empowers organizations to adopt a prevention-first security posture that
protects their network and digital assets from cyberattacks.
Image 3: Palo Alto Networks Next-Generation Security Platform components (Network, Cloud and Endpoint, with
Complete Visibility, Reduce Attack Surface, Prevent Known Threats and Prevent Unknown Threats)
A Platform Approach for Microsoft Environments
With prevention capabilities that span the network, the cloud – including Azure and Office 365 – and the
endpoint, the Palo Alto Networks Next-Generation Security Platform is well-suited to protect Microsoft-centric
environments. On the network, both physical and virtualized form factors can be deployed and extended into the
cloud to protect Azure workloads and Office 365 environments. Advanced endpoint protection can be deployed
on Windows endpoints to prevent attacks from compromising the end user and eventually, your network.
Prevention for the Network
On the network, in either a physical appliance or a virtualized form factor deployed in Hyper-V, our next-generation
firewall allows you to safely enable Microsoft applications while eliminating risky and unsanctioned applications and
preventing both known and unknown attacks.
Identification and Control
Our firewall natively applies multiple classification mechanisms to the traffic stream to identify applications,
threats and malware. The application, the content within, and the user can all be used as the basis for your
security policy. All traffic is classified, regardless of port, encryption (SSL or SSH), or evasive technique employed.
Unidentified applications, typically a small percentage of traffic yet high in potential risk, are automatically
categorized for systematic management.
Identified applications include a wide range of Microsoft applications, like Office 365, including SharePoint and
OneDrive®, Microsoft Lync, Skype for Business, Windows Update, Xbox Live®, Microsoft Exchange and SQL server
traffic. In many cases, individual application functions are identified and can be used for policy control. For example,
SharePoint Docs, Admin and Blog all can be enabled individually for different groups of users within Active Directory.
Image 4: Application control based on users improves your security posture (user groups shown: All users,
Marketing, App developer)
With SharePoint as the basis of your security policy, as opposed to the wide range of ports commonly used by
SharePoint, your attack footprint is reduced dramatically to only the SharePoint applications and the required
supporting elements, such as DNS and NetBIOS. The result is an improved security posture and a reduction in
administrative effort.
To improve your security posture and reduce incident-response times, it’s critical to map application usage to
user and device type – and be able to apply that context to your security policies. Integration with a wide range
of enterprise user repositories provides the identity of the user and device accessing the application, including
Microsoft Windows PCs and handheld devices. The combined visibility and control over both users and devices
means you can safely enable the use of any application traversing your network, no matter where the user is or
the type of device being used.
Prevent Known and Unknown Threats
A key element for enabling your Microsoft applications includes preventing both known and unknown threats
within the individual application flows. Intrusion prevention system (IPS) features block network- and
application-layer vulnerability exploits, buffer overflows, DoS attacks and port scans. Antivirus/anti-spyware
protection blocks millions of malware variants, including those hidden within compressed files or compressed web
traffic (HTTP/HTTPS), as well as known malicious PDFs. For traffic encrypted with SSL, you can selectively apply
policy-based decryption and then inspect the traffic for threats, regardless of port.
Unknown or targeted malware (e.g., advanced persistent threats) hidden within PE, Office, PDF or Android™ APK
files can be identified and executed by WildFire™ cloud-based threat analysis service, which directly observes
and executes unknown files in a virtualized sandbox environment across multiple operating systems and
application versions. WildFire monitors more than 420 malicious behaviors and, if malware is found, a signature
is automatically developed and delivered to all WildFire users globally in as little as five minutes. To help eliminate
spear phishing attacks, WildFire can analyze links in email and block the delivery of malicious files.
Image 5: Prevent unknown threats, improve all protection mechanisms (unknown threats are sent to the WildFire
Threat Intelligence Cloud and protection is delivered back)
As WildFire detects and prevents unknown attacks, the value of a natively integrated platform comes to light.
The information collected based on the behavioral techniques observed by WildFire is fed back into the Threat
Prevention engine in the form of new or updated signatures, which are then delivered to all users via scheduled
content updates. Malicious URLs that were used as part of the attack are fed into the URL filtering database to
improve its threat prevention capabilities for all users.
Consistent Security for All Locations and Users
Our next-generation firewall is available in either a purpose-built hardware platform that scales from an enterprise
branch office to a high-speed data center or in a virtualized form factor to support your cloud-based computing
initiatives. This provides your data and assets with consistent protection, no matter where they are located.
Your security policies can be extended to control which devices can access particular applications and network
resources. For example, ensure that laptops are compliant with the corporate image before allowing access to
the data center. Check if the mobile device is up-to-date, corporate-owned, and fully patched before accessing
sensitive data. The end result is that your security policy extends from your organizational boundary to wherever
your users and devices are located.
Prevention in Azure
Complementing native Azure security services, our next-generation firewall can be deployed from the Azure
Marketplace as a bring-your-own-license or as a pay-as-you-go subscription. In either case, protecting your
workloads and data deployed in Azure with the same next-generation firewall and advanced threat prevention
features that are available in our security appliances is the end goal.
Controlling Access to Your Azure Deployment
Most organizations integrate Azure into their IT infrastructure using a hybrid approach that extends their
corporate network into Azure via a secure connection, such as an IPsec VPN. This allows Azure to become an
active application deployment environment that expands and contracts accordingly. Typical Azure deployments
will have fewer applications when compared to a physical network, but because attackers do not care where the
applications and data reside, equal or greater efforts to protect your Azure deployments should be made. To that
end, visibility into, and control over, the applications and users moving across the secure link is of paramount
importance.
A common use case for Azure is for new application development, which means there are a range of development
tools and users accessing the environment. To simplify the process of which tools are available to whom, policies
can be set that grant access to the different environments based on user credentials and need. If warranted,
two-factor authentication can also be used. As users move from project to project, their user credentials in Active
Directory can be moved from group to group. For example, Dev group has full access to the Dev VNET, while
only IT admins have RDP/SSH access to the production VNET. This limits the attack footprint based not only on
applications but also on users, thereby improving your security posture.
Image 6: Securely expand your data center into Azure (VM-Series firewalls connected to the WildFire Threat
Intelligence Cloud)
As more workloads are deployed in Azure, funneling the commercial application update process through the
corporate connection and then back out to the vendor for the updates may become cumbersome and costly. An
alternative approach is to implement internet gateway security policies that allow the workloads to reach out to
very specific websites and internet resources for their regularly scheduled updates. This maintains strict control
over the applications moving in and out of your Azure environment.
Segmentation for Improved Security and Compliance
Today’s cyberthreats commonly compromise an individual workstation or user and then move laterally to find their
target, regardless of their deployment location. Just as if it were a physical data center, segmentation in Azure
can be used to improve security by establishing application-based policies that force the application to operate
on its default ports, implicitly enforcing the “deny all else” premise that a firewall is based upon, thereby reducing
the attack surface area. When combined with Active Directory integration, your segmentation policies can grant
workload access based on the user identity and business need. From a compliance perspective, segmentation
policies allow you to control which applications are communicating with each other across different subnets and
between VNETs while keeping them separate from your data sources. Some examples of segmentation policies
might include:
• Validate that SharePoint is in use, forcing it over its standard ports and implicitly blocking any other applications
from being used.
• Limit access to the Microsoft SQL database to the SharePoint application itself, implicitly blocking the web
front-end from connecting to the database while blocking attacks specifically targeting SQL databases.
• Grant the finance group access to the SQL database that houses the credit card information.
• Allow marketing users, based on their user-group membership, to access only SharePoint documents and
no other features.
• Enable only the IT group to use SharePoint Admin while inspecting the traffic that uses application-specific
threat prevention policies.
Just as if it were a physical data center, segmentation policies in Azure can be used to improve security by
establishing application-based policies that include threat prevention to not only stop attacks from gaining access
to your workloads but also block them from moving laterally from workload to workload.
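The positive-control model described under “A Platform Approach to Prevention” and the segmentation bullets above come down to one evaluation: first-match rules keyed on the identified application, the user’s group and the zones, with the application forced onto its default ports and everything unmatched falling into an implicit deny. The following added example (written for this page, not PAN-OS code) models that evaluation over a rulebase mirroring the bullets; the zone names, group names, application names and the application-default port map are assumptions, not the App-ID database.

```python
"""Positive-control (first match, implicit deny) policy evaluation, modelled on
App-ID style segmentation. Added example for this white paper, not PAN-OS code:
Rule/Flow structures, zone and group names, application names and the
application-default port map are assumptions chosen to mirror the bullets."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple

# Assumed application-default ports (illustrative subset, not the real database).
APP_DEFAULT_PORTS = {
    "dns": {("udp", 53), ("tcp", 53)},
    "sharepoint-documents": {("tcp", 80), ("tcp", 443)},
    "sharepoint-admin": {("tcp", 443)},
    "mssql-db": {("tcp", 1433)},
    "ssh": {("tcp", 22)},
    "ms-rdp": {("tcp", 3389)},
}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    groups: FrozenSet[str]   # AD groups of the mapped user; empty if none
    app: str                 # application as classified from content, not from the port
    proto: str
    port: int


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    apps: Set[str]
    groups: Optional[Set[str]] = None   # None means any user
    app_default_only: bool = True       # service = application-default
    action: str = "allow"


def rule_matches(rule: Rule, flow: Flow) -> bool:
    if rule.src_zone not in ("any", flow.src_zone):
        return False
    if rule.dst_zone not in ("any", flow.dst_zone):
        return False
    if flow.app not in rule.apps:
        return False
    if rule.groups is not None and not (rule.groups & flow.groups):
        return False
    # Right application on a non-standard port does not match an
    # application-default rule, so it falls through toward the implicit deny.
    if rule.app_default_only and (flow.proto, flow.port) not in APP_DEFAULT_PORTS.get(flow.app, set()):
        return False
    return True


def evaluate(rulebase: List[Rule], flow: Flow) -> Tuple[str, str]:
    """First-match evaluation; anything unmatched hits the implicit deny."""
    for rule in rulebase:
        if rule_matches(rule, flow):
            return rule.action, rule.name
    return "deny", "implicit-deny"


# Rulebase mirroring the segmentation examples (zone and group names assumed).
RULEBASE = [
    Rule("users-to-sharepoint-docs", "users", "web-tier", {"sharepoint-documents"}),
    Rule("it-sharepoint-admin", "users", "web-tier", {"sharepoint-admin"}, groups={"IT"}),
    Rule("sharepoint-tier-to-sql", "web-tier", "db-tier", {"mssql-db"}),
    Rule("finance-to-sql", "users", "db-tier", {"mssql-db"}, groups={"Finance"}),
    Rule("admins-prod-mgmt", "users", "prod-vnet", {"ssh", "ms-rdp"}, groups={"IT-Admins"}),
    Rule("infra-dns", "any", "infra", {"dns"}),
]


def decide(src_zone: str, dst_zone: str, groups, app: str, proto: str, port: int) -> str:
    """Convenience wrapper returning only the action for a flow."""
    return evaluate(RULEBASE, Flow(src_zone, dst_zone, frozenset(groups), app, proto, port))[0]


if __name__ == "__main__":
    print(decide("users", "web-tier", {"Marketing"}, "sharepoint-documents", "tcp", 443))  # allow
    print(decide("users", "web-tier", {"Marketing"}, "sharepoint-admin", "tcp", 443))      # deny
    print(decide("users", "web-tier", {"Marketing"}, "sharepoint-documents", "tcp", 8080)) # deny
    print(decide("users", "prod-vnet", {"Dev"}, "ssh", "tcp", 22))                         # deny
```

Two behaviours are worth noticing: a SharePoint document flow on TCP/8080 is denied even though the application is allowed, because the rule is bound to the application’s default ports; and a marketing user reaching SharePoint Admin, or a developer opening SSH to the production VNET, never matches a rule and lands on the implicit deny rather than on a rule someone had to write.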
Automated Deployments and Streamlined Management
A key benefit to cloud computing is the ability to be more agile, responding quickly with feature updates or
entirely new application deployments. Security, in some cases, can become a bottleneck because, as an industry
best practice, policy updates are typically a controlled process. Automation in the form of bootstrapping and
dynamic policy updates can help alleviate the bottlenecks, ensuring security can keep pace with the business.
Bootstrapping is a standard next-generation firewall feature that enables users to create a bootstrap package that
includes a fully configured firewall, including licenses, policy settings, and connections to Panorama™ network
security management. The bootstrap package is stored in Azure, where it can then be accessed for rapid
deployment by administrators or via scripting. With bootstrapping, security can keep pace with the business.
Bootstrap package contents: firewall configuration, security policies, BYOL licenses, software updates and dynamic
content. The package is stored on an Azure data disk and the VM-Series firewall attaches to Panorama and its device
group on boot.
Image 7: Automating fully configured firewall deployments
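As an added example of what the bootstrap package in the paragraph above looks like on disk (written for this page, not Palo Alto Networks tooling): the four-directory layout and the init-cfg.txt key names follow the documented bootstrap format, while the hostname, Panorama address, template stack and device-group names are made up, and the vm-auth-key and auth code are placeholders (a real vm-auth-key is generated on Panorama with `request bootstrap vm-auth-key generate`).

```python
"""Build a VM-Series bootstrap package directory tree with its init-cfg.txt.

Added example for this white paper, not Palo Alto Networks tooling. The
directory layout (config/, content/, software/, license/) and the
init-cfg.txt key names follow the documented bootstrap format; hostname,
Panorama address, template stack and device-group names are assumptions,
and the vm-auth-key / auth code values are placeholders."""
import tempfile
from pathlib import Path

BOOTSTRAP_DIRS = ("config", "content", "software", "license")
REQUIRED_KEYS = ("type", "hostname", "panorama-server", "tplname", "dgname", "vm-auth-key")
STATIC_KEYS = ("ip-address", "default-gateway", "netmask")

# Constructed settings for a DHCP-addressed firewall that joins Panorama on boot.
EXAMPLE_SETTINGS = {
    "type": "dhcp-client",
    "hostname": "vmseries-azure-01",                  # assumed
    "panorama-server": "panorama.example.internal",   # assumed
    "tplname": "azure-template-stack",                # assumed Panorama template stack
    "dgname": "azure-prod",                           # assumed Panorama device group
    "vm-auth-key": "PLACEHOLDER-GENERATE-ON-PANORAMA",
    "dhcp-send-hostname": "yes",
    "dhcp-accept-server-hostname": "no",
}


def render_init_cfg(settings: dict) -> str:
    """Validate the settings and render init-cfg.txt as key=value lines.
    Failing here is far cheaper than a firewall that boots and never
    reaches Panorama."""
    missing = [k for k in REQUIRED_KEYS if not settings.get(k)]
    if missing:
        raise ValueError(f"init-cfg.txt is missing required keys: {missing}")
    if settings["type"] not in ("dhcp-client", "static"):
        raise ValueError("type must be dhcp-client or static")
    if settings["type"] == "static":
        missing = [k for k in STATIC_KEYS if not settings.get(k)]
        if missing:
            raise ValueError(f"static addressing requires: {missing}")
    return "".join(f"{k}={v}\n" for k, v in settings.items())


def parse_init_cfg(text: str) -> dict:
    """Read an init-cfg.txt back into a dict (inverse of render_init_cfg)."""
    pairs = (line.split("=", 1) for line in text.splitlines() if line.strip())
    return {k.strip(): v.strip() for k, v in pairs}


def build_bootstrap_package(root, settings: dict, auth_codes=()) -> Path:
    """Create the package tree under root and return its path.

    The tree is what gets uploaded to the Azure storage the VM references at
    deploy time; content/ and software/ may stay empty when Panorama pushes
    updates after the firewall connects."""
    root = Path(root)
    for name in BOOTSTRAP_DIRS:
        (root / name).mkdir(parents=True, exist_ok=True)
    (root / "config" / "init-cfg.txt").write_text(render_init_cfg(settings))
    if auth_codes:  # BYOL: one auth code per line in license/authcodes
        (root / "license" / "authcodes").write_text("\n".join(auth_codes) + "\n")
    return root


def package_is_complete(root) -> bool:
    """Sanity check before upload: all four directories plus init-cfg.txt."""
    root = Path(root)
    return (all((root / d).is_dir() for d in BOOTSTRAP_DIRS)
            and (root / "config" / "init-cfg.txt").is_file())


def build_example_package() -> Path:
    """Build the example package in a fresh temporary directory."""
    return build_bootstrap_package(tempfile.mkdtemp(prefix="vmseries-bootstrap-"),
                                   EXAMPLE_SETTINGS, auth_codes=["PLACEHOLDER-AUTHCODE"])


if __name__ == "__main__":
    pkg = build_example_package()
    print(pkg)
    print((pkg / "config" / "init-cfg.txt").read_text())
```

The vm-auth-key is a bearer credential for joining Panorama: treat the package, and the storage it is uploaded to, with the same access controls as the firewall’s management plane.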
In both physical data centers and in Azure, you are challenged with managing the changes that may occur
between compute workload additions, removals or modifications and how quickly a security policy can be
updated. To help minimize these delays, our next-generation firewall provides a rich set of native management
features that streamlines policy deployment so that security can keep pace with the changes in your compute
workloads. An XML API allows our next-generation firewall to consume changes in workloads and dynamically
feed those changes into the security policy, eliminating a potential firewall change control bottleneck.
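One concrete form of the XML API feed described above is tag registration: an inventory script compares successive listings of workloads, registers or unregisters IP-to-tag mappings through the `type=user-id` API, and dynamic address groups whose match criteria reference those tags change membership without a commit. The following added example (written for this page, not Palo Alto Networks code) builds and parses that `uid-message` payload; the uid-message format and the API endpoint are the documented interface, while the firewall host, API key, addresses and tag names are assumptions.

```python
"""Feed workload changes into firewall policy through the PAN-OS XML API.

Added example for this white paper, not Palo Alto Networks code. The
uid-message register/unregister payload and the type=user-id call are the
documented interface; firewall host, API key, IP addresses and tag names
are assumptions. A dynamic address group matching a tag such as 'role-web'
picks up registered IPs without a commit."""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import Dict, Set, Tuple

# Constructed inventories (IP -> tags), e.g. two successive Azure VM listings:
# 10.0.1.5 scaled in, 10.0.1.6 scaled out, 10.0.2.4 gained a 'pci' tag.
PREVIOUS = {"10.0.1.4": {"role-web"}, "10.0.1.5": {"role-web"}, "10.0.2.4": {"role-db"}}
CURRENT = {"10.0.1.4": {"role-web"}, "10.0.1.6": {"role-web"}, "10.0.2.4": {"role-db", "pci"}}


def diff_workloads(previous: Dict[str, Set[str]], current: Dict[str, Set[str]]) -> Tuple[dict, dict]:
    """Return (register, unregister): IP -> sorted tag list for tags gained and lost."""
    register, unregister = {}, {}
    for ip in sorted(set(previous) | set(current)):
        added = current.get(ip, set()) - previous.get(ip, set())
        removed = previous.get(ip, set()) - current.get(ip, set())
        if added:
            register[ip] = sorted(added)
        if removed:
            unregister[ip] = sorted(removed)
    return register, unregister


def build_uid_message(register: dict, unregister: dict) -> str:
    """Serialise the change set as a uid-message update payload."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    for section, mapping in (("register", register), ("unregister", unregister)):
        if not mapping:
            continue
        node = ET.SubElement(payload, section)
        for ip, tags in mapping.items():
            tag_el = ET.SubElement(ET.SubElement(node, "entry", ip=ip), "tag")
            for tag in tags:
                ET.SubElement(tag_el, "member").text = tag
    return ET.tostring(root, encoding="unicode")


def parse_uid_message(xml_text: str) -> dict:
    """Inverse of build_uid_message; used to review what would be sent."""
    root = ET.fromstring(xml_text)
    out = {"register": {}, "unregister": {}}
    for section in out:
        for entry in root.findall(f"./payload/{section}/entry"):
            out[section][entry.get("ip")] = [m.text for m in entry.findall("./tag/member")]
    return out


def send_uid_message(host: str, api_key: str, xml_cmd: str, timeout: float = 10.0) -> str:
    """POST the payload to the firewall's XML API and return the response
    status attribute ('success' or 'error'). Network call; not run offline.
    TLS verification is kept on: the API key is a full-control credential."""
    body = urllib.parse.urlencode({"type": "user-id", "key": api_key, "cmd": xml_cmd}).encode()
    req = urllib.request.Request(f"https://{host}/api/", data=body, method="POST")
    with urllib.request.urlopen(req, context=ssl.create_default_context(), timeout=timeout) as resp:
        return ET.fromstring(resp.read()).get("status")


if __name__ == "__main__":
    reg, unreg = diff_workloads(PREVIOUS, CURRENT)
    print(build_uid_message(reg, unreg))
    # send_uid_message("fw.example.internal", "<api-key>", build_uid_message(reg, unreg))
```

Because the unregister half is computed from the previous inventory, a workload that is torn down also leaves the address group, so a reused private IP does not inherit the previous tenant’s access.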
Panorama allows you to centrally manage all of your Palo Alto Networks Next-Generation Firewall deployments
– in both the physical and virtual form factors – thereby ensuring policy consistency and cohesiveness. Panorama
allows you to manage all aspects of our next-generation firewall including:
• Policy deployment, including security, NAT, QoS, policy-based forwarding, decryption, application override,
captive portal and DoS protection.
• Shared policies that leverage pre- and post-rules deployed by the Panorama administrators to enforce
shared policies while allowing local policy editing. Rules in between the pre- and post-rules can be edited
locally or by a Panorama administrator.
• Software and content updates (applications, threats, antivirus, WildFire™) and licenses can be managed
across all deployed instances from a central location.
• Aggregate logging and reporting across dynamic or locally queried data gathered from all managed firewalls.
Using the same look and feel that the individual device management interface carries, Panorama eliminates any
learning curve associated with switching from one user interface to another.
Prevention for Office 365
The pervasiveness of shadow IT is a result of the tremendous value SaaS applications are providing to end
users. However, the risks of data exposure and threat insertion are far too great to allow SaaS usage to remain
unchecked. This has never been more obvious than with Office 365. While other SaaS applications can be
considered optional and their use more easily prevented, Microsoft Office is often a standard application for most
organizations. Now that it comes with cloud applications automatically enabled, it has the potential to allow every
employee to use SaaS applications, regardless of the organization’s size or policy.
Securely enabling SaaS applications begins with visibility into the applications and users and a firm understanding
of whether the SaaS application is sanctioned, unsanctioned or tolerated. Visibility into SaaS usage is a key piece
to enablement, but so is the prevention of malware insertion and data loss, which is often facilitated by standard
Office 365 file storage and file-sharing features. To protect your Office 365 deployment, threat prevention and
data loss policies should be applied to further reduce the attack surface area and improve the security posture.
Visibility Into SaaS Usage on the Network
Properly controlling SaaS usage is impossible without the knowledge of which applications are being used in the
network and how they are being used. This requires granular, application-level visibility of usage. To help ensure
that our platform was able to accurately identify Office 365, Palo Alto Networks and Microsoft collaborated to
ensure superior identification of Office 365 application usage on the network. This includes the ability to detect
application usage and the direction of transfer (upload versus download) even in encrypted flows. In addition to
accuracy and directional control, the next-generation firewall can decrypt Office 365 flows to inspect the files
within those flows, allowing detailed analysis of threats through WildFire.
To further aid in controlling SaaS usage at the network level, the next-generation firewall includes the ability
to mark individual SaaS applications as either sanctioned or unsanctioned for improved visibility and reporting.
This foundation enables a detailed SaaS report that can be generated as needed and, when paired with Active
Directory integration through User-ID™, can provide details of who is using which application and in what
quantity. This allows continuous reporting of SaaS usage to become a regular part of your security posture analysis.
Even more importantly it provides the key visibility needed to define a SaaS usage policy and a means to begin
migrating users to sanctioned SaaS applications.
Control SaaS Application Usage
Enterprise-sanctioned applications, such as Office 365, are typically allowed without restrictions. Unsanctioned
SaaS applications, such as those that are known threat vectors, hosted in dangerous geographic regions with poor
security and governance controls, or with bad end-user license agreements (EULAs) and service-level agreements
(SLAs) are usually blocked outright. Policies to control these applications are relatively straightforward.
Less straightforward are those SaaS applications that are “tolerated”, falling somewhere between
enterprise-sanctioned and unsanctioned applications. Tolerated applications represent a unique challenge, requiring
a more granular and measured policy to control their usage. Tolerated applications typically fall into two main categories:
• External partners: applications made available to your users by a third party or partner for sharing and
collaboration. The partner controls the application and shares data with your internal users through it.
• Non-enterprise applications: applications that internal users rely on but that are not “enterprise”
applications and cannot, or should not, be sanctioned.
Since there is no way to ensure the safety of data in the third party’s SaaS application or the safety of files entering
your organization, a few steps need to be taken to ensure their use does not compromise your network security.
• Prevent malware insertion: Block encrypted connections that could deliver malware into the network
invisibly, possibly bypassing existing security.
• Prevent data loss: Set the next-generation firewall policy to allow only the downloading of files preventing
data from leaving your network without visibility or control. File uploads should be restricted to enterprise-sanctioned applications that are secured with our Next-Generation Security Platform. Exceptions can
be set based on users or groups via policies based on User-ID™ user identification technology.
Standardizing on an enterprise-sanctioned application, such as Office 365, opens up the opportunity to move users
off of tolerated applications, increasing security while providing more capabilities to end users. Simply cutting off
access to these applications often isn’t a valid option since corporate data likely already resides in them and cutting
them off only traps the data in the tolerated SaaS applications. Instead, a policy should be set to allow only the
downloading of data with no upload rights. Have the users move their data to Office 365 over a period of time. Once
the data has been migrated, the application can be moved from tolerated to unsanctioned and blocked.
Prevent Malware Insertion and Data Loss
SaaS applications are often the first insertion point for malware and the last exfiltration point for data loss.
Because of this critical point in the infrastructure, the cloud applications themselves should be protected in
the same manner as the network applications. Put differently, once the traffic, files and data begin moving off
the network into Office 365, or other SaaS applications, you need the ability to exert a consistent control and
prevention policy.
Image 8: Securely enable Office 365, prevent threats and protect data (SaaS security component connected to the
WildFire Threat Intelligence Cloud)
The SaaS-based component of our security platform adds the ability to connect directly to SaaS applications,
such as Office 365, to provide data classification, sharing/permission visibility, and threat detection within the
application. This yields unparalleled visibility, enabling organizations to inspect content for data risk violations
as it moves to the cloud, controlling access to shared data via a contextual policy.
To prevent threats within controlled SaaS applications, our SaaS security offering is integrated with WildFire,
providing advanced threat prevention to prevent known and unknown malware while simultaneously
eliminating a new malware insertion point. As with threats discovered and prevented on the network, new
malware discovered is used to continually improve the Threat Prevention and URL Filtering elements of our
security platform.
Prevention for Endpoints and Servers
Threat actors rely primarily on two attack vectors to compromise Windows systems: malicious executables
(malware) and vulnerability exploits in system or application software. Regardless of their delivery method
(e.g., via email, over the internet, or through SaaS applications, such as Office 365), preventing attackers from
compromising endpoints and servers requires that you prevent both known and unknown variants of each
malware and exploit. Additionally, this prevention must be present whether a machine is online or offline, on- or
off-premise, connected to the organization’s network or not. In fact, effective breach prevention cannot be
achieved unless all of these requirements are met simultaneously.
Due to the fundamental differences between malware and exploits, meeting these requirements necessitates
an approach that combines multiple threat prevention methods that are optimized to prevent either the
execution of malicious programs or vulnerability exploits from subverting legitimate applications.
Traps™ advanced endpoint protection replaces traditional antivirus with a multi-method prevention approach
that combines the most effective, purpose-built malware and exploit prevention methods to protect Windows
systems from known and unknown threats.
Multi-Method Malware Prevention
To prevent malicious executables, Traps implements a multi-method prevention approach that maximizes the
coverage against malware while simultaneously reducing the attack surface and increasing the accuracy of
malware detection. This approach delivers several layers of protection that, when combined, instantaneously
prevent known and unknown malware from infecting a system.
Traps evaluates executables as they launch to determine if they are benign or malicious. It checks each executable
against hash-based administrative override policies that deliver fine-grained whitelisting and blacklisting capabilities,
as well as against policy-based restrictions that control what types of applications are allowed to run in your
environment and from where within the Windows file system they can execute (e.g., Traps can prevent the execution
of files from the Outlook “temp” directory). Traps automatically and immediately identifies new executable files
published and digitally signed by trusted and reputable software publishers (such as Microsoft). These executable
files are allowed to run without delay or impact to the user, as long as they do not violate any restriction policies.
For files that are not signed by trusted publishers, Traps queries WildFire with the hash of each executable file
before it is allowed to run, in order to assess its standing within the global threat community. If an executable file
has been deemed malicious, Traps prevents it from execution and quarantines it for further administrative actions. If
an executable file is unknown, Traps submits it to WildFire for complete inspection and analysis and evaluates it via
static analysis for an instant verdict. The machine learning algorithm deployed in the static analysis engine of Traps
examines hundreds of characteristics of an executable file to determine if it is likely to be malicious or benign.
Traps quarantines all malicious executables to prevent the dissemination of infected files to other users. Although
essential in most environments, this capability is particularly useful in preventing the inadvertent dissemination of
malware in organizations where network- or cloud-based data storage and SaaS applications (such as Office 365
and SharePoint) automatically sync files across multiple users and systems.
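The launch-time evaluation order this section describes, as an added illustrative model rather than Traps or WildFire code: every policy entry, path, hash and the precedence of the checks (hash overrides first, restriction policies applied even to trusted publishers, cloud verdict, then a local static verdict for unknowns) are constructed assumptions.

```python
# Added model of the launch-time verdict order described in the text. Hypothetical
# code, not Traps or WildFire; policies, paths, hashes and check order are assumptions.
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Callable

ALLOW, BLOCK, QUARANTINE = "allow", "block", "quarantine"

@dataclass
class Executable:
    path: str
    sha256: str
    signer: str = ""  # publisher name if the code signature verified, else empty

@dataclass
class Policy:
    hash_allow: set = field(default_factory=set)         # admin whitelist by hash
    hash_block: set = field(default_factory=set)         # admin blacklist by hash
    blocked_dir_names: set = field(default_factory=set)  # no execution beneath these
    trusted_signers: set = field(default_factory=set)
    cloud_verdicts: dict = field(default_factory=dict)   # constructed cloud hash cache

def evaluate(exe: Executable, pol: Policy, static_analyzer: Callable) -> tuple:
    """Return (verdict, reason). Assumed order: admin hash overrides, restriction
    policies (even for trusted publishers), trusted-signer shortcut, cloud hash
    verdict; an unknown file is submitted and decided now by local static analysis."""
    if exe.sha256 in pol.hash_block:
        return QUARANTINE, "admin hash blacklist"
    if exe.sha256 in pol.hash_allow:
        return ALLOW, "admin hash whitelist"
    for parent in PureWindowsPath(exe.path).parents:
        if parent.name.lower() in pol.blocked_dir_names:
            return BLOCK, f"restriction policy: no execution from {parent.name}"
    if exe.signer in pol.trusted_signers:
        return ALLOW, f"trusted publisher: {exe.signer}"
    cloud = pol.cloud_verdicts.get(exe.sha256)
    if cloud in ("malicious", "benign"):
        return (QUARANTINE if cloud == "malicious" else ALLOW), f"cloud verdict: {cloud}"
    local = static_analyzer(exe)  # the sample would also be submitted for full analysis
    return (QUARANTINE if local == "malicious" else ALLOW), f"unknown hash; local static verdict: {local}"

# Constructed sample policy and static-analysis stand-in for a stand-alone run.
SAMPLE_POLICY = Policy(
    hash_block={"b" * 64}, hash_allow={"a" * 64},
    blocked_dir_names={"content.outlook"},  # Outlook attachment temp directory
    trusted_signers={"Microsoft Corporation"},
    cloud_verdicts={"c" * 64: "malicious", "d" * 64: "benign"})

def sample_static(exe: Executable) -> str:
    return "malicious" if exe.sha256 == "e" * 64 else "benign"
```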
[Diagram: multi-method malware prevention + multi-method exploit prevention]
Image 9: Multi-method malware and exploit prevention
Multi-Method Exploit Prevention
Many targeted attacks begin with an exploit delivered as a data file (such as a Microsoft Office file) through
a website, via email or over the network. When the user opens the file, the malicious code embedded inside
leverages a software vulnerability in the application that is used to view the file to subvert the application and
execute an arbitrary set of instructions.
Because this type of attack is difficult to distinguish from normal application behavior, it bypasses traditional
antivirus and most endpoint security solutions. In addition, if the application being exploited is a whitelisted one,
the attack will bypass those controls as well.
Traps uses an entirely new and unique approach to preventing exploits. Instead of focusing on the millions of
individual attacks or their underlying software vulnerabilities, Traps focuses on the core exploitation techniques
used by all exploit-based attacks. Although there are many thousands of exploits, they all rely on a small set
of core exploitation techniques that change infrequently. Furthermore, each exploit must use a series of those
exploitation techniques to successfully subvert an application. By blocking the core techniques, Traps effectively
prevents the exploitation of application vulnerabilities, whether they are known or unknown. Organizations
using Traps can run any application, including those developed in-house and those that no longer receive security
support (such as Internet Explorer versions older than 11), without the imminent threat to their environment.
Traps implements a multi-method approach to exploit prevention, combining several layers of protection to block
exploitation techniques, including Memory Corruption and Manipulation (e.g., Heap Spray, ROP), Logic Flaw (e.g.,
DLL Hijacking), and Malicious Code Execution.
Automating Prevention With the Next-Generation Security Platform
As a component of the Palo Alto Networks Next-Generation Security Platform, Traps both shares and receives
threat intelligence information with WildFire. Threat intelligence information is passed to WildFire by each
component of the security platform, and Traps uses this information to block threats on the endpoint, no matter
where they originated.
[Diagram: WF Threat Intelligence Cloud linked to Endpoints and Network]
Image 10: Automate prevention based on intelligence gained elsewhere
The automatic reprogramming and conversion of threat intelligence into prevention all but eliminates the
opportunity for an attacker to use unknown and advanced malware to infect a system. An attacker can use
each piece of malware at most once, anywhere in the world, and only has seconds to carry out an attack before
WildFire renders it entirely ineffective.
Extend Network Security Policies to the Endpoint
The network plays several roles in the attack lifecycle on the endpoint. It is used as a vehicle for the delivery of
exploits and malware. It provides the means for ongoing communication with the attacker. It is also the conduit for
exfiltration of credentials and data. In addition, some types of attacks, such as phishing, take place by intercepting
the traffic or impersonating legitimate websites in order to steal credentials.
Network security provides the means to disrupt such attack methods, but it can only protect the traffic that
it sees. As workforces adopt mobile platforms, such as laptops, tablets and smartphones, a growing amount
of network traffic is uninspected and thus creates a dangerous set of conditions that increases the attacker’s
capabilities to communicate directly with a victim’s endpoint.
[Diagram: WF Threat Intelligence Cloud, GP, VM-Series]
Image 11: Enforce policy consistency from the network to the endpoint
Extend the protection of the Next-Generation Security Platform with GlobalProtect™ network security client for
endpoints. GlobalProtect provides organizations with the means to maintain visibility and enforce security policy
for all traffic, even when the user is away from the office. This is done by automatically establishing a connection
to a next-generation firewall operating as an internet gateway (in hardware, Hyper-V® or Azure), enabling the
organization to consistently enforce policy for all traffic in the same manner.
By stopping an attack in network traffic, organizations can reduce the attack surface by preventing malicious
content, such as exploits and malware, from reaching the endpoint. In addition, GlobalProtect applies the platform
to block communication to a hostile domain or phishing site, intercept communication to a command-and-control
server, and block the exfiltration of data.
Summary
Your Microsoft infrastructure encompasses network, cloud and endpoint components that are at the heart
of your business operations. Microsoft Exchange, Active Directory and Skype for Business enable worldwide
communications; Office 365 and SharePoint facilitate team collaboration; and Windows drives your server farms
and your employee endpoints.
Image 12: Threat prevention is continually improved based on intelligence gained from platform components
Palo Alto Networks protects your distributed Microsoft environment with a natively integrated security platform
that spans your network, cloud and endpoints. Each of our platform components provides you with the ability to
reduce your attack surface area, prevent threats and make unknown attacks known. Native integration provides
threat intelligence that continually improves your ability to prevent known and unknown attacks across your entire
Microsoft infrastructure.
4401 Great America Parkway
Santa Clara, CA 95054
Main: +1.408.753.4000
Sales: +1.866.320.4788
Support: +1.866.898.9087
www.paloaltonetworks.com
© 2016 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. securingyour-microsoft-environment-white-paper-wp-091216