Palo Alto Networks acquired advanced persistent threat protection startup Morta Security to catch advanced threats that sandboxing misses, in particular malicious campaigns sponsored by nations, the firewall vendor
Morta was a stealth startup founded by former employees of the U.S. Air Force and National Security Agency, and Palo Alto declined to describe the technology the company was developing prior to the acquisition. Executives from both companies explained, however, that Morta was developing a product that automated the process of detecting advanced persistent threats that evade sandboxing technologies like Palo Alto's own WildFire product.
"Very targeted malware is still getting through because sandboxes are not a silver bullet," said Nir Zuk, founder and chief technology officer of Palo Alto. Zuk said this kind of malware is usually part of a campaign aimed at a specific company or organization. The campaign draws on extensive resources to penetrate the target network. Often, the attack isn't even network-based. Instead, the attackers rely on low-tech social engineering. Zuk offered an example:
"Someone attacking a big organization once dropped a bunch of USB keys in a parking lot. One employee put one of the keys into a computer and tried to figure out who it belonged to, and it was all over after that. You would never see that [USB key] in a sandbox."
In a recent survey sponsored by another sandboxing vendor, ThreatTrack Security Inc., 47% of 200 security analysts said they had detected malware on the PCs of senior executives who had attached infected devices (such as USB keys) to them. And 40% of analysts complained that they don't have enough skilled security professionals on staff to defend against sophisticated attacks.
"When we talk about these advanced threats and targeted threats, we're talking about a campaign in which a nation state or criminal organization is targeting a specific company," said Raj Shah, co-founder and CEO of Morta and now a senior director of marketing at Palo Alto. "They create a series of tools and techniques in order to steal data. It's not an infected website. It could be a USB key mailed to someone or a zero-day vulnerability. It's a multi-pronged effort to penetrate the network."
Traditionally, enterprises have detected and remediated such attacks by bringing in a small army of consulting engineers to trawl the network and find the problem. Shah said Morta has built a product that automates that process.
Palo Alto has been trying to differentiate itself from competitors that have strengthened their next-generation firewalls and added sandboxing technologies, said Dave Shackleford, owner and principal consultant with Voodoo Security and an analyst and instructor at the SANS Institute. The Morta acquisition could be an example of Palo Alto trying to extend its technology from the data center to the desktop. Shackleford said Palo Alto is well-known for its ability to integrate into user directories like Microsoft's Active Directory. "My guess is they'll be coupling that with some sort of endpoint-based DLP [data loss prevention] security."
Palo Alto and Morta executives said the acquisition evolved out of discussions about a technology partnership that was helped along by the fact that both companies have a common investor. That investor is probably Menlo Park, Calif.-based Greylock Partners. Palo Alto did not disclose the terms of the deal, which closed this week. The company said it would release a product based on Morta's technology in 2014.
Palo Alto's acquisition of Morta is the second marriage of security firms in the last week. On Jan. 2, advanced threat prevention vendor FireEye disclosed it had purchased endpoint security vendor Mandiant for more than $1 billion.