ANSecurity has successfully deployed the Palo Alto Networks TRAPS advanced endpoint solution to help a major financial services organisation strengthen its security controls.
The financial organisation regularly processes a lot of active content from third-party organisations and its workforce had struggled to differentiate between legitimate or malicious attachments within emails. The organisations had previously used a “traditional” Anti Malware product, in conjunction with Anti-Virus software but found that attacks were still breaching this line of defence.
TRAPS is a technology from Palo Alto that focuses on intercepting the 30 or so underlying techniques that are commonly used across millions of malware examples instead of trying to detect malware signatures that can only be created after an incident. The technology has proven itself as a way of stopping new threats based on understanding these common steps that malware must perform to achieve a successful attack, and Palo Alto claims that these core techniques grow by only a few each year. As a result, Traps offers a way of blocking both common and previously unseen attacks.
“The initial deployment was very fast and we set up TRAPS in its learning mode allowing it identify a number of false positives,” explains Laurence Wright, Network Security Specialist for ANSecurity, “In this mode it starts to identify third party and bespoke in-house developed apps and the regular update processes. Once these were ‘dialled out’ of the detection process, the solution went into production and regular updates from PAN to the client and server software have added features and functionality to ease management, speed up debug and forensic examination of potentially malicious samples and events.”
ANSecurity then deployed malware behaviour controls using execution restrictions on unknown software and child process restrictions to allow more visibility over activity at the endpoint. “Some user re-education was required, especially for power-user and developer machines,” explains Wright, “For example, allowing for the delay in execution of newly downloaded EXE files whilst Wildfire analysis takes place and not running them from folders that could be identified as malicious activity.”
As a result, the likelihood of a successful core attack technique at the endpoint during the exploitation phase is reduced, even before the malware has a chance to run. As a result of TRAPS, malware related security incidents have reduced to almost zero as well as minimising the time consuming process of dealing with false positives.
“There is no magic bullet that will fix everything but as attacks become more sophisticated, TRAPS is a useful and pretty unique security approach that is able to detect the most dangerous type threats” says Wright, “Although it could be considered as a next generation concept, we have also seen particular interest and success helping customers to protect legacy systems running XP and Windows server 2003 that cannot be patched but are considered critical in areas like SCADA and ICS. We continually recommend migration but this is not always possible straight away and TRAPS has also proven very effective in this role.”