PAN 11.0 Nova, the latest version of Palo Alto's firewall operating system, enables upgraded malware sandboxing and ties into the vendor’s new CASB.

Palo Alto Networks has released next-generation firewall (NGFW) software that includes some 50 new features aimed at helping enterprise organizations battle zero-day threats and advanced malware attacks.

The new features are built into the latest version of Palo Alto’s firewall operating system – PAN 11.0 Nova – and include upgraded malware sandboxing for the company’s WildFire malware-analysis service, advanced threat prevention (ATP), and a new cloud access security broker (CASB).

WildFire is Palo Alto’s on-prem or cloud-based malware sandbox that is closely integrated with Palo Alto’s firewalls. When a firewall detects anomalies, it sends data to WildFire for analysis. WildFire uses machine learning, static analysis, and other analytics to discover threats, malware and zero-day threats, according to the vendor.

New to the service are Advanced WildFire features designed to better detect highly evasive zero-day malware attacks. With Advanced WildFire, Palo Alto added intelligent run-time memory analysis combined with stealthy observation techniques that will let the system detect and protect resources quickly, said Anand Oswal, senior vice president, network security, at Palo Alto.

“Stopping the zero-day threats – that is the singular focus of this release,” Oswal said. “The new release stops 26% more zero-day malware than traditional sandboxes and detects 60% more injection attacks and keeps enterprises one step ahead of some very sophisticated threats.”

Oswal cited GuLoader, which is an advanced trojan downloader that uses shellcode to evade antivirus-analysis techniques, as an example of today’s sophisticated threats.

PAN-11 Nova also builds on the previous version of the OS – which brought inline deep-learning capabilities – and adds ATP support for inline detection of zero-day injection attacks.
The idea behind applying deep learning inline, in real-time, on network traffic, is to detect and prevent new threats, including malware variants. The service can stop unknown attacks as they happen, not just remediate them after the fact, Oswal said.

“Look at injection attempts, which push malicious code into computer systems by really exploiting unpatched vulnerabilities in software,” Oswal said. “We built in high-fidelity telemetry data from thousands of exploitable vulnerabilities over the last decade. And our internal testing has shown that when we enable this advanced threat prevention, we were able to detect 60% more zero injection attacks than in the past.”

The new PAN-OS also ties into Palo Alto’s recently introduced next-generation CASB to help customers spot cloud security issues such as system misconfigurations, unnecessary user accounts, excessive user permissions, and compliance risks. The idea is to provide a dashboard to fix problems more quickly and lock critical security settings in place.

Palo Alto also bulked up the OS’ AIops support by adding the ability to search for and correct inefficiencies in firewall security policies before committing changes, helping organizations fortify their cyberdefenses.

“We have developed cybersecurity best practices over the years, and the system can tell customers, through ‘what if’ analysis what would bolster their security posture,” Oswal said. “For example, a customer might want to know ‘what will happen if I enable encryption here or what happens if I change these configurations?’ The system can offer the best practice for the configuration of those devices.”

In addition to the software upgrade, Palo Alto added new boxes to its NGFW family. At the high end, it added the fixed-form-factor 2RU PA-5440, which is twice as fast as the high-end PA-5260. The 5440 is aimed at large campus and data center customers.
For large branch-office environments, the company added the PA-1400, which features 5x performance and 7x session capacity compared to its previous-generation box.

Lastly, the company introduced the PA-445 and PA-415 for small branches. These feature Power over Ethernet (PoE) support and are aimed at protecting devices such as access points, IP cameras, and IP phones without the need for additional electrical circuits.

All of the new firewalls will be available in December. PAN-OS 11.0 will be available this month.