Information sharing for defense is as old as the carrier pigeon. In cybersecurity, coordinated enforcement between products has increasingly become part of the defensive backbone that blocks attacks. Today's attacks still rely on repeated methods and tools. Coordinated enforcement means that an attack identified in one place is propagated not just to other products, but to other customers as well.
Let's use malware as an example. Although the target is often the endpoint, the firewall and other security controls can also act as gatekeepers. Firewalls and cloud protection tools should benefit from the critical knowledge gained from endpoint attacks, and vice versa. Effective security calls for coordinated enforcement: communication between the endpoint, network and cloud. This is a variation on defense in depth, where a firewall can stop malware headed for an endpoint before it ever arrives. Another way to think about it is to turn all endpoints, firewalls and cloud controls into a global network of sensors and enforcement points.
Today, anytime an unknown file is seen by any Palo Alto Networks product, it is sent to WildFire. WildFire checks, analyzes and catalogs the file, creating a signature that is propagated to every other Palo Alto Networks product and customer. In addition, Cortex XDR detects malicious behavior and does not need signatures or hashes to reference. Behavioral threat protection in Cortex XDR simply identifies bad behavior. When it detects something, the file is sent to WildFire, where a signature is created and distributed in real time. WildFire becomes a single source of truth for malware attacks.
Once a single source of malware truth is established, all products in the Palo Alto Networks family are updated, including other preventative services:
While gearing up for attacks is essential, knowing the attack surface better and faster than the attacker is critical. To do this, Cortex Xpanse provides a full inventory of an organization’s global internet-facing assets and misconfigurations to continuously identify security issues on an external attack surface, flag risky communications, evaluate supplier risk or assess the security of acquired companies. Most importantly, you can focus on specific assets prioritized by vulnerability.
Intelligence sharing across multiple standalone security products can also be achieved with a non-platform vendor model, though it does require planning and setup. Typically the easiest approach is to use a security orchestration automation response (SOAR) or threat intelligence management (TIM) solution that allows the management and transfer of data between other security products via APIs or manual integrations. How would you do coordinated enforcement?
A fragmented approach requires security teams to manually configure the information exchanges between products, and gaps in those exchanges create blind spots. Rather than operate in a silo, endpoint protection must share what it sees to help prevent attacks that can traverse the network and the cloud. And vice versa.
Automating this sharing of intelligence is crucial on two levels. First, manual updates between products do not scale, and your human resources can be more productive elsewhere. Second, automation reduces the potential security gaps that arise when the same type of protection is delivered by different technology vendors.
Diving deeper, firewalls offer in-depth prevention capabilities against threats discoverable within network data. However, that visibility and enforcement is limited to the location and configuration of firewalls within a network. Threats that circumvent firewall enforcement can be prevented by endpoint security products, many of which vary in degrees of effectiveness as they run in isolation and cannot quickly share valuable intelligence across the security stack. To win against today’s sophisticated attacks, you need a prevention-first approach with seamless coordination, communication and enforcement that spans the endpoint, network and cloud.
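The single-source-of-truth model described above (an unknown file is submitted once, a verdict is produced, and that verdict reaches every enforcement point, including ones that join later) and the API-driven sharing between standalone products can both be sketched in a few dozen lines. The following is an added illustration, not Palo Alto Networks code and not a model of WildFire's internals: the hub, the registered "products", the analysis rule (a constructed marker string standing in for sandbox analysis) and the sample files are all assumptions made for the example.

```python
"""Toy model of coordinated enforcement.

One sensor (endpoint, firewall or cloud control) reports an unknown file to a
central hub. The hub analyzes it once, records the verdict, and pushes any
malicious hash to every registered enforcement point. Added example; all
names and the analysis rule are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class EnforcementPoint:
    """A product that can block by file hash (endpoint agent, firewall, cloud control)."""
    name: str
    kind: str                                  # "endpoint", "firewall" or "cloud"
    blocklist: set = field(default_factory=set)

    def should_block(self, sha256: str) -> bool:
        return sha256 in self.blocklist


class IntelHub:
    """Single source of truth: sha256 -> "malicious" | "benign" | "pending"."""

    def __init__(self, analyze):
        self.analyze = analyze                 # callable(bytes) -> verdict string
        self.verdicts: dict[str, str] = {}
        self.points: list[EnforcementPoint] = []
        self.analysis_count = 0                # how many files actually went to analysis

    def register(self, point: EnforcementPoint) -> None:
        """Late joiners receive every verdict already known to the hub."""
        self.points.append(point)
        for h, verdict in self.verdicts.items():
            if verdict == "malicious":
                point.blocklist.add(h)

    def submit(self, reporter: EnforcementPoint, content: bytes) -> str:
        """Any product submits an unknown file; a known hash is answered from cache."""
        h = hashlib.sha256(content).hexdigest()
        cached = self.verdicts.get(h)
        if cached is not None and cached != "pending":
            return cached
        self.verdicts[h] = "pending"
        self.analysis_count += 1
        verdict = self.analyze(content)
        self.verdicts[h] = verdict
        if verdict == "malicious":
            self._propagate(h)
        return verdict

    def _propagate(self, h: str) -> None:
        """Fan the verdict out to every enforcement point, whoever reported it."""
        for point in self.points:
            point.blocklist.add(h)


# Constructed stand-in for sandbox analysis: a marker string decides the verdict.
def toy_analyze(content: bytes) -> str:
    return "malicious" if b"EVIL-MARKER" in content else "benign"


# Constructed sample files (not real malware).
MALICIOUS_SAMPLE = b"MZ\x90\x00 constructed dropper EVIL-MARKER"
BENIGN_SAMPLE = b"hello world"


def demo() -> dict:
    """Run the exchange end to end and return the observable results."""
    hub = IntelHub(toy_analyze)
    endpoint = EnforcementPoint("laptop-agent", "endpoint")
    firewall = EnforcementPoint("edge-firewall", "firewall")
    hub.register(endpoint)
    hub.register(firewall)

    h = hashlib.sha256(MALICIOUS_SAMPLE).hexdigest()
    verdict = hub.submit(endpoint, MALICIOUS_SAMPLE)   # endpoint sees it first
    hub.submit(firewall, MALICIOUS_SAMPLE)             # firewall sees it later: cache hit

    cloud = EnforcementPoint("cloud-control", "cloud")
    hub.register(cloud)                                # joins after the verdict exists

    benign_verdict = hub.submit(cloud, BENIGN_SAMPLE)
    return {
        "verdict": verdict,
        "firewall_blocks": firewall.should_block(h),
        "cloud_blocks": cloud.should_block(h),
        "benign_verdict": benign_verdict,
        "benign_blocked": endpoint.should_block(hashlib.sha256(BENIGN_SAMPLE).hexdigest()),
        "analyses": hub.analysis_count,
    }


if __name__ == "__main__":
    print(demo())
```

The two properties worth checking in any real deployment are visible here: the file is analyzed once regardless of how many products encounter it, and a product registered after the verdict still inherits the block. In a multi-vendor setup the `_propagate` step is where a SOAR or TIM platform would push the indicator through each product's API.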
Coordinated analysis and response – spanning the endpoint, cloud and network – strengthens the overall security posture, freeing up teams to tackle other priorities. It can take days or months until an infection is discovered. The longer an attack takes to identify, the more severe its impact, and the worse for organizations with already overburdened IT staff. Endpoint security products need to automatically halt threats, stopping their spread without any additional user or IT action.
The goal: take a threat seen anywhere, consolidate it globally, and provide protection within seconds across IoT, critical infrastructure, cloud, endpoint and network.