Despite seeming like somewhat of a no-brainer, using the power of the cloud to combat cloud-based security threats has really only come into vogue recently. As organizations continue to move their infrastructures out of physical data centers into the cloud, traditional methods for securing IT resources are becoming increasingly ineffective. Using cloud-based collective intelligence and virtualization to inform threat detection methods is fast becoming a standard practice and, for many security products, a central ingredient in an effective multi-pronged approach to combating cyber attacks.
FireEye and Palo Alto Networks’ (PAN) WildFire are two cloud-based security platforms for rapidly aggregating, analyzing, and sharing threat data across all of their respective customer installations and subscriptions. We’ll take a closer look at both of these solutions and discuss how security products are increasingly tapping into cloud-enabled collective intelligence to counter threats of increasing sophistication.
Crowdsourced Security Intelligence
The notion of effective perimeter security is disappearing as fast as the perimeter itself. In response, leading security platforms are combining a variety of mechanisms to combat multi-vectored attacks and new and/or unknown threats. To address the rise in advanced persistent threats (APT) and commercially motivated cyber attacks, old IT security paradigms must be reworked—and in some cases abandoned and replaced—to protect today’s infrastructures, especially given how integral the cloud has become to organizations. Predicting malicious behavior using common signature-based approaches becomes less efficient and effective as the volume of unique attack signatures grows, while traditional anomaly detection methods generate significant network noise and false positives—often resulting in the “tuning-down” of security mechanisms and a weakened security posture.
To improve the accuracy and efficacy of threat detection and protection in the presence of unknown dangers, security providers are now adopting a hive-minded approach to IT security. Next-generation security solutions can significantly decrease threat detection and resolution time by tapping into various threat intelligence exchanges and data gleaned from customer implementations around the globe. Furthermore, virtualization technologies are being employed to isolate potential threats such as malware in safe environments for analysis and threat assessment. This type of crowdsourced security intelligence and virtual sandboxing are the key ingredients in both FireEye’s Threat Intelligence service and PAN WildFire’s next-generation firewall technologies.
Virtualization and Sandbox Security
According to recent numbers, almost 1 million new malware threats appear every day. This makes them virtually impossible to detect using conventional methods. And since malware is instrumental in most APT attacks, these threats must nonetheless be analyzed and understood somehow—without risking the enterprise’s security posture. In the same sense that scientists create closed, controlled environments to study human viruses and diseases in the hopes of discovering vaccines safely, security platforms such as FireEye and PAN WildFire create VM-based or virtualized sandboxes to analyze, identify, and protect environments from new threats. This also provides the mechanism that allows for fast dissemination of new threat data across each respective security platform’s install base.
FireEye Threat Intelligence
FireEye is a longstanding leader in IT security solutions and pioneered the use of virtualization technologies to remediate threats. By employing a specialized, virtual machine-based technology called Multi-Vector Virtual Execution (MVX), FireEye is able to detonate suspicious files, Web objects, and email attachments inside a safely isolated space. The malware is installed and executed to completion inside these virtualized environments with file locations, new registry keys, corrupted DLLs—as well as any outbound call destinations—tracked, analyzed, and disseminated.
The platform sources and shares threat data through the FireEye Dynamic Threat Intelligence cloud: a global network of interconnected FireEye sensors deployed throughout its customer networks, technology partner networks, and service providers globally. According to FireEye, these sensors perform over 50 billion analyses of 400,000+ unique malware samples daily.
In addition to the Multi-Vector Virtual Execution (MVX) engine and Dynamic Threat Intelligence cloud, a wide range of products—including a range of endpoint, network, and security appliances—round out the solution’s platform architecture. A host of subscription-based, threat intelligence services are also available, as well as professional incident response and security assessment services provided through Mandiant (acquired in late 2013). In fact, FireEye is often called upon to investigate high-profile data breaches such as the recent Sony Pictures, JP Morgan, and Anthem cyber attacks.
Palo Alto Networks WildFire
Traditional firewalls are prevalent fixtures in today’s enterprise infrastructures, but often use antiquated methods for traffic analysis and threat identification. Furthermore, they do not provide protection in the cloud and are marginally useful for thwarting APTs. In response to changing IT environments, infrastructures, and evolving workforce usage patterns, many manufacturers are creating next-generation firewalls to provide more fine-grained control of incoming and outgoing network traffic. PAN is a next-generation firewall and network security vendor: like FireEye, PAN uses a cloud-based malware analysis environment, called WildFire, to provide its solutions with advanced threat analysis and intelligence sharing/dissemination.
By analyzing files for over 250 threat indicators including host changes, outbound traffic, and any attempts to bypass analysis, WildFire is able to protect environments and disseminate its findings globally to other Palo Alto Networks platforms in 15 minutes. WildFire observes the behaviors of suspicious files in a cloud-based virtual execution environment and creates a signature once the threat has been verified. Once the threat is mitigated, the malware/threat signature is shared and disseminated through its Threat Intelligence Cloud.
WildFire natively integrates with any of PAN’s intelligent firewall products based around its Enterprise Security Platform, which brings together its line of network, cloud and endpoint security into a common architecture for comprehensive visibility and control.
UpGuard's VendorRisk platform is used by hundreds of companies to automatically monitor their third-party vendors. We ran a quick surface scan on both FireEye and Palo Alto Networks to generate an instant security rating.
Our assessment showed that both companies carry similar risks which include:
- Increased susceptibility to man-in-the-middle attacks through incomplete support for HTTP Strict Transport Security (HSTS). Palo Alto Networks were in a weaker position here, as they do not enforce HSTS.
- Higher exposure to risk of cross-site attacks, as HttpOnly cookies were not being used.
- DNS being susceptible to man-in-the-middle attacks, as neither company enforces DNS Security Extensions (DNSSEC) on their domain.
- Potential for their web domain to be hijacked, because of insufficient domain protection.
Based on their score, FireEye edged out Palo Alto Networks. Both companies have some improvements to make in their basic security practices.
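The first two findings above can be checked from a site's HTTPS response headers alone. The following is an added example, not UpGuard's scanner or code from the original article; the 180-day `MIN_MAX_AGE` floor, the finding strings and the sample headers are assumptions constructed for illustration.

```python
MIN_MAX_AGE = 15552000  # assumed policy floor: 180 days, in seconds

def parse_hsts(value):
    """Split a Strict-Transport-Security value into a directive dict."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip().strip('"')
    return directives

def audit_headers(headers):
    """headers: list of (name, value) pairs from one HTTPS response."""
    findings = []
    hsts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not hsts:
        findings.append("hsts: not enforced (header absent)")
    else:
        d = parse_hsts(hsts[0])  # RFC 6797: only the first header is processed
        raw = d.get("max-age", "")
        if not raw.isdecimal():
            findings.append("hsts: invalid (max-age missing)")
        elif int(raw) < MIN_MAX_AGE:
            findings.append(f"hsts: incomplete (max-age {raw} below floor)")
        if "includesubdomains" not in d:
            findings.append("hsts: incomplete (no includeSubDomains)")
    for n, v in headers:
        if n.lower() != "set-cookie":
            continue
        cookie_name = v.split("=", 1)[0].strip()
        # Attribute names are case-insensitive; drop any "=value" part.
        attrs = {a.strip().split("=", 1)[0].lower() for a in v.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie_name}: missing HttpOnly")
    return findings

# Constructed sample responses (not scan output from either vendor).
SAMPLE_PARTIAL = [
    ("Strict-Transport-Security", "max-age=3600"),
    ("Set-Cookie", "session=abc123; Path=/; Secure"),
]
SAMPLE_NONE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "prefs=dark; Path=/; HttpOnly"),
]
SAMPLE_GOOD = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for sample in (SAMPLE_PARTIAL, SAMPLE_NONE, SAMPLE_GOOD):
        print(audit_headers(sample))
```

DNSSEC and registrar-level domain protection need DNS and WHOIS lookups, so they are outside what a header audit like this can see.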
Fight fire with fire, as they say. Advanced threats like APTs have evolved to harness the power of the cloud, and security solutions are following suit. Next-generation security platforms are adopting cloud-based coordinated threat management based on crowdsourced security intelligence, with both FireEye and PAN WildFire leading the charge with their respective security platforms. Both use similar architectures for cloud-enabled threat intelligence and sandboxing/isolation—choosing one over the other may ultimately come down to how well the solution dovetails into existing infrastructures, and how one plans to deploy each respective solution.
WildFire works natively with PAN devices, so companies with existing PAN infrastructure components may realize more value from WildFire. Furthermore, PAN’s expertise in next-generation firewall solutions—coupled with its WildFire technology—makes for a formidable platform for comprehensive enterprise security. FireEye also provides a line of email and endpoint security devices (e.g., NX, EX, HX series devices, respectively), but its strengths are its FireEye Dynamic Threat Intelligence cloud and MVX engine. Unlike WildFire, FireEye is available both natively through its own security solution(s) and as-a-service—consequently, it’s a better candidate for those wishing to use it with other technologies and vendor offerings.
Both solutions employ advanced methods for threat detection and protection—but at the end of the day, IT security must be multi-layered and comprehensive—not just bleeding edge. UpGuard provides validation and monitoring to ensure vulnerabilities and exposures—both in the computing resources being protected, as well as the mechanisms providing the security—are identified and addressed.