Palo Alto Networks expanded the file visibility, zero-day detection and malicious domain detection capabilities of its WildFire advanced threat protection service.
WildFire is a sandboxing service Palo Alto launched a year ago. As network users download unknown files onto their devices, WildFire mirrors those downloads and executes them in a simulated environment to determine if they are malicious.
The enhanced version is enabled through PAN-OS 6.0, the latest iteration of Palo Alto's core operating system for its security products. The new version has the ability to detect, sandbox and filter additional file types, including Java, PDFs and Microsoft Office. It also added mobile file types like Android Application Package Files. WildFire can also provide simultaneous execution of files in Windows XP and Windows 7 to catch malware written for a particular system.
"The biggest [enhancement] I've been waiting for is analysis of Java, because over the last year and a half we've seen use of Java by bad actors increase," said Palo Alto customer Phil Cummings, a network manager for a healthcare provider network with 20,000 users. "Initially [Java] was used to redirect you to a website where some executable malware would come down onto your PC. Then we saw it move up to play a bigger role, in the sense that we've seen Java build the malware on a desktop."
WildFire can detect zero-day exploits through behavior analysis as they hit a network and deliver information on those exploits within 30 minutes. The company also added the ability to identify and block malicious domains used for command and control of malware.
Network security engineers can feed all this analysis directly into their Palo Alto firewalls for automated, closed-loop protection, or they can plug the intelligence provided by WildFire into third-party security products through the company's application programming interfaces.
Palo Alto is developing its WildFire service to give enterprise customers an architectural approach to securing the network, said Jon Oltsik, senior principal analyst with Milford, Mass.-based Enterprise Strategy Group. "There is an automation component that is very straightforward," he said. "If WildFire discovers a new type of malicious code, sharing that with Palo Alto's security devices automates enforcement."
Reports from the WildFire sandbox give engineers a clear picture of what happens when malicious files infect a device, Cummings said.
"Based on the sandbox report you get from WildFire, you can then look at your logs to see if clients [on the network] are exhibiting the same behavior the malware exhibited in the sandbox," he said. "That helps you determine if [the user] actually ran the executable. We know they downloaded it, but did they actually run it?"
With the enhanced WildFire version, engineers have more ways of determining whether a device has been infected on a wider variety of file types. They can look for telltale signs of infection that WildFire reported on.
"Because the sandbox shows you things like registry changes, that gives you something concrete that you can give to a technician so they can go to a machine and look for those particular registry changes. It provides a behavioral report, but it also provides an activity report," Cummings said.
Cummings said he uses the network behavior identified by WildFire to create new rules in his Palo Alto firewalls. If newly detected malware is associated with a particular destination on the Internet, he can block that address, which cuts off future downloads and any potential command-and-control traffic.
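The workflow Cummings describes, as an added example that is not Palo Alto's or WildFire's own code: the sandbox report schema, the firewall log format and the block-rule syntax below are constructed stand-ins, and the sample hash is a placeholder. The script separates hosts that only downloaded a sample from hosts that also contacted the command-and-control domain the sandbox observed, and turns the report's indicators into a block rule and a technician checklist.

```python
"""Correlate a sandbox behavior report with network logs to tell
'downloaded the file' apart from 'probably ran the file'."""

# Constructed, simplified sandbox report (not WildFire's real schema):
# the artifacts a behavioral report lists for one analyzed sample.
SANDBOX_REPORT = {
    "sha256": "PLACEHOLDER_SAMPLE_HASH",
    "c2_domains": {"update-check.example.net"},
    "registry_keys": {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svcupd"},
}

# Constructed log lines: "timestamp src_ip action detail" (not PAN-OS log format).
FIREWALL_LOG = """\
2014-01-10T09:01:02 10.0.1.15 wildfire-upload PLACEHOLDER_SAMPLE_HASH
2014-01-10T09:01:05 10.0.1.22 wildfire-upload PLACEHOLDER_SAMPLE_HASH
2014-01-10T09:03:40 10.0.1.15 dns-query update-check.example.net
2014-01-10T09:03:41 10.0.1.15 url-request update-check.example.net
2014-01-10T09:05:00 10.0.1.30 dns-query update-check.example.net
2014-01-10T09:07:12 10.0.1.22 dns-query www.example.org
"""

def parse_log(text):
    """Split each log line into its four space-separated fields."""
    events = []
    for line in text.splitlines():
        ts, src, action, detail = line.split(" ", 3)
        events.append({"ts": ts, "src": src, "action": action, "detail": detail})
    return events

def classify_hosts(report, events):
    """Map host -> 'downloaded', 'likely_executed' or 'c2_contact_only'.
    A host that downloaded the sample AND later resolved or requested one of
    the report's C2 domains is showing the sandbox's behavior on the wire."""
    downloaded = {e["src"] for e in events
                  if e["action"] == "wildfire-upload" and e["detail"] == report["sha256"]}
    c2_contact = {e["src"] for e in events
                  if e["action"] in ("dns-query", "url-request")
                  and e["detail"] in report["c2_domains"]}
    verdicts = {}
    for host in downloaded | c2_contact:
        if host in downloaded and host in c2_contact:
            verdicts[host] = "likely_executed"
        else:
            verdicts[host] = "downloaded" if host in downloaded else "c2_contact_only"
    return verdicts

def block_rules(report):
    """Constructed rule syntax for denying the observed C2 destinations."""
    return [f"deny any -> {d}" for d in sorted(report["c2_domains"])]

def technician_checklist(report, verdicts):
    """Registry artifacts to verify on each host that likely ran the sample."""
    hosts = sorted(h for h, v in verdicts.items() if v == "likely_executed")
    return {h: sorted(report["registry_keys"]) for h in hosts}
```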