Palo Alto Networks integrated the threat intelligence gathered by its WildFire sandboxing technology into Cyvera Traps, its recently acquired endpoint security technology. It is the first Palo Alto-Cyvera technology unification announced since the firewall vendor purchased the endpoint security specialist in March.
Traps will now receive intelligence on malware that WildFire has detected and identified, combining network security and endpoint protection for faster threat prevention.
"The integration allows Traps to quickly validate with WildFire that it has already detected, analyzed and determined [something] to be malicious," said Scott Gainey, vice president of product marketing at Palo Alto. "That exchange can happen in less than two seconds."
Many security vendors have identified the integration of network and endpoint security as a way to make security operations more efficient and effective.
Network security devices can often overwhelm administrators with alerts, said Rick Holland, principal analyst for security and risk management at Forrester Research. It becomes too easy to miss the one alert that represents a potential breach. When network security is integrated with endpoint security, an administrator can quickly find out whether a particular piece of malware has actually executed on a server or PC and infected it, he said. In other words, it's easier to weed out alerts that don't represent an immediate threat.
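The triage Holland describes, correlating a network-side malware verdict with endpoint evidence that the file actually ran, can be sketched in a few lines. The example below is added here and is not code from Palo Alto Networks, Cyvera, or this article; the record layouts, host names, file hashes, and the function names `correlate` and `verdict_for` are constructed for illustration and do not reflect WildFire's or Traps' real data formats or APIs.

```python
"""Prioritising network malware alerts by endpoint execution evidence.

Illustrative only. NetworkVerdict stands in for a sandbox verdict on a file
seen in transit; EndpointExec stands in for an endpoint telemetry record of a
process image that actually executed. Both formats are invented for this
example and are not WildFire's or Traps' real schemas.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class NetworkVerdict:
    sha256: str     # hash of the file the network sensor observed
    dest_host: str  # endpoint the file was delivered to
    verdict: str    # "malicious" or "benign"


@dataclass(frozen=True)
class EndpointExec:
    host: str       # endpoint that reported the execution
    sha256: str     # hash of the process image that ran


Finding = Tuple[str, str]  # (host, sha256)


def correlate(verdicts: List[NetworkVerdict],
              execs: List[EndpointExec]) -> Dict[str, List[Finding]]:
    """Split malicious network verdicts into two buckets.

    "executed": the same hash was observed running on the destination host,
                so the alert is a confirmed infection and goes to the top.
    "delivered_only": the file was delivered but never ran (blocked, never
                opened, or not yet seen); lower priority, not a false alarm.
    Benign verdicts are dropped; duplicate (host, hash) pairs are collapsed.
    """
    executed = {(e.host, e.sha256) for e in execs}
    seen = set()
    out: Dict[str, List[Finding]] = {"executed": [], "delivered_only": []}
    for v in verdicts:
        if v.verdict != "malicious":
            continue
        key = (v.dest_host, v.sha256)
        if key in seen:
            continue
        seen.add(key)
        bucket = "executed" if key in executed else "delivered_only"
        out[bucket].append(key)
    return out


def verdict_for(verdicts: List[NetworkVerdict], sha256: str) -> str:
    """Endpoint-side lookup: has the network sandbox already classified this
    hash? Returns "unknown" when it has not, so the endpoint can decide to
    submit the sample rather than assume it is safe."""
    cache = {v.sha256: v.verdict for v in verdicts}
    return cache.get(sha256, "unknown")


def _h(name: bytes) -> str:
    # Stand-in file hashes, derived from made-up file names.
    return hashlib.sha256(name).hexdigest()


# Constructed sample data (not real telemetry).
SAMPLE_VERDICTS = [
    NetworkVerdict(_h(b"invoice.exe"), "ws-01", "malicious"),
    NetworkVerdict(_h(b"invoice.exe"), "ws-01", "malicious"),  # duplicate alert
    NetworkVerdict(_h(b"update.scr"), "ws-02", "malicious"),
    NetworkVerdict(_h(b"report.pdf"), "ws-03", "benign"),
]
SAMPLE_EXECS = [
    EndpointExec("ws-01", _h(b"invoice.exe")),  # malicious file actually ran
    EndpointExec("ws-03", _h(b"report.pdf")),   # benign file ran, irrelevant
]

if __name__ == "__main__":
    for bucket, findings in correlate(SAMPLE_VERDICTS, SAMPLE_EXECS).items():
        for host, digest in findings:
            print(f"{bucket:15} {host} {digest[:12]}")
    print("unknown hash ->", verdict_for(SAMPLE_VERDICTS, _h(b"never-seen.bin")))
```

The useful property is the "delivered_only" bucket: those alerts are not discarded, they are simply ranked below alerts with execution evidence, which is what lets an analyst find the one alert that represents a real breach.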
More Palo Alto-Cyvera integration to come
This integration, which is one-way from WildFire to Cyvera Traps, is just the first intersection point between Cyvera and the company's network security technology, Palo Alto's Gainey said. Traps has the potential to help WildFire with malware analysis, for instance.
"If you are in an environment where the endpoint detects some new attack you can grab forensics from that attack and share it with WildFire, which can use that in its analysis," Gainey said. Palo Alto's next-generation firewall is also ripe for integration with the endpoint protection technology, he added.
"Having knowledge of the endpoint state is very powerful for the network," said Greg Young, research vice president at Gartner. "What is the general health of the endpoint? What's it patched to? What unusual activity have we seen there? And the reverse is also true, with the network providing information to the endpoint, being able to tell that an alert is a false positive or something we should follow up on."
Do enterprises want a single security platform?
While network security teams do want more integration between endpoint and network security, they don't necessarily want it all from the same vendor, Young said. Instead, they want their existing vendors to integrate with each other.
Palo Alto will be trying to either displace endpoint vendors with Cyvera or persuade enterprises to add it as a second endpoint product. "The majority of enterprises prefer a single endpoint agent," Young said. "Only a subset of organizations will put this extra agent in there. Others will look toward their incumbent endpoint protection provider to provide additional inspection and communication with network security. Cisco correctly exited that product space [with Cisco Security agent] after recognizing those barriers."
Palo Alto and other network security vendors that have purchased endpoint protection vendors -- such as FireEye and its Mandiant acquisition -- may find more success in integrating with endpoint security leaders like McAfee, Symantec and Kaspersky Labs, he said.
As the industry consolidates, however, many vendors may be less interested in cooperating with rivals for security spending, Forrester's Holland said. They would rather sell enterprises both network and endpoint security.
"I think in the near-term, these integrations [between vendors] will continue because customers demand it. If I am a New York bank and I have a Palo Alto firewall but someone else on my endpoints, because of my clout, I'm going to demand that integration continue," Holland said. "So long as there are lighthouse customers that demand those integrations, they will continue. But when products come up for renewal, vendors will say, we have this capability, too. Why not bring it to us?"