Everyone here at Palo Alto Networks is very happy to announce the release of the latest version of Traps, version 5.0. Hopefully this isn’t the first you have heard about Traps from Palo Alto Networks, because if it is, you have been missing out on some of the most advanced endpoint protection available on the market.
Traps can stop threats in their tracks on the endpoint device to prevent successful cyberattacks. Traps thwarts attacks by combining multiple methods of prevention. Traps can even block unknown attacks based solely on their behavior. The software runs on Windows®, macOS® or Linux endpoints, such as laptops, desktops, servers, virtual machines and cloud workloads.
Multi-Method Malware and Ransomware Prevention
Traps uses many methods to prevent known and unknown malware from infecting endpoints. I will cover some of the ways Traps accomplishes this:
Traps also gives organizations the ability to whitelist and blacklist applications, restrict execution of applications, and quarantine malware.
Multi-Method Exploit Prevention
Traps breaks the attack lifecycle by blocking the actual exploit techniques being used instead of focusing on individual attacks. Traps uses the following methods to do this:
Coordinated Enforcement With Network and Cloud
Traps and WildFire continuously share threat intelligence with each other, as does each component of Palo Alto Networks Next-Generation Security Platform, such as next-generation firewalls and cloud security services (see image for details). Traps customers receive access to this threat intelligence and the complete set of WildFire malware analysis capabilities.
With this layered protection, Traps all but eliminates the ways that attackers and malware can enter your network.
Cloud-Based Management and a Lightweight Agent
The Traps management service is cloud-delivered to save you the time and cost of building out your endpoint security infrastructure. The service is simple to deploy and requires no server licenses, databases or other infrastructure to get started. The intuitive, web-based interface makes it easy to manage policies and events and to accelerate incident response.
System Requirements and Operating Systems Support
Traps supports multiple endpoints across Windows, macOS and Linux operating systems. For a complete list of system requirements and supported operating systems, please visit the Traps Compatibility Matrix webpage.
Because I know you all will have a lot of different questions, I have also included a FAQ section below:
Traps 5.0 FAQ
Q. Why is PAN moving Traps to the cloud?
A. Having the Traps management service in the cloud means that customers don’t have to build, manage, and maintain an on-premises management server. The benefits are faster deployments, less day-to-day management of another server, lower total cost of ownership, and the ability for us to innovate and introduce new features faster.
Q. Will Traps be part of the Application Framework?
A. Traps will leverage the Logging Service, which is a key component of the Application Framework. Traps agents and the Traps management service will forward all logs to the Logging Service. Administrators can then view the event information directly from the Traps admin console.
Q. Can I upgrade from Traps on-premises (ESM) to Traps in the cloud (TMS)?
A. The Traps 5.0 administrator’s guide has step-by-step instructions on how to migrate from an on-premises Endpoint Security Manager (ESM) to the Traps management service and agents.
Q. Are there any changes to Traps pricing?
A. There are no changes to Traps pricing. There will be no charge for Traps management service and current agent prices transfer over.
Q. Do customers have to purchase Logging Service storage if they move to the cloud?
A. If a customer has a current Logging Service subscription, they will continue to use the capacity they have purchased. If a customer does not currently have a Logging Service subscription they will be given 100GB of Logging Service capacity as part of their Traps subscription.
Q. Will the Linux agent support workstations and servers?
A. Initially, the Linux agent will protect Linux server workloads with a focus on exploit prevention. Linux workstations may be added in a future release but are not supported in Traps 5.0.
Q. What Linux distributions will the Linux agent support?
A. Initially, Traps will support the following distributions and versions. Additional distributions may be added in future releases.
Q. Will Traps management service have the same features as ESM?
A. There are a number of features being introduced in the Traps management service that will not be supported on ESM. There will also be features on ESM that will not be supported in Traps management service. For a list of features available on ESM and Traps management service consult the Traps 5.0 admin guide.
Q. Will the minimum number of licenses change?
A. The minimum number of Traps licenses will continue to be 200 seats.
Q. Will there be a performance impact when a scan runs?
A. As with anything that touches the file system, there may be an impact to performance. Traps scanning was designed to be as low impact as possible. Scans are executed as a low priority background process and the OS will manage the resources used. CPU usage is normally limited to 25%, but there may be spikes in CPU usage. If any other processes require CPU cycles, the OS will take the resources from the Traps scanning process.
After the initial scan, only changed or new files will be scanned, minimizing the time and resources used. The overall scan time will be dictated by the number of files to be scanned and the amount of data changed since the last scan.
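The incremental behaviour described in this answer (a full first pass, then only new or changed files on later passes, with scan entries dropped for files that disappear) can be illustrated with a small change-tracking scanner. The following is an added example written for this post; it is not Traps code and says nothing about how the Traps agent is implemented. The "known-bad" hash set and the sample files are constructed for the demo, and a real scanner would apply far more than a hash lookup to each file.

```python
import hashlib
import os
import tempfile

# Constructed sample: a byte string we declare "known bad" for the demo,
# and a hash set standing in for threat intelligence (assumption, not real IoCs).
SAMPLE_BAD_CONTENT = b"constructed sample content standing in for a malicious file\n"
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE_BAD_CONTENT).hexdigest()}


def lower_priority():
    """Run as a low-priority background process where the OS supports it.
    os.nice is POSIX only; on Windows this is a no-op in this example."""
    try:
        os.nice(10)
    except (AttributeError, OSError):
        pass


def sha256_file(path):
    """Stream the file through SHA-256 so large files do not need to be read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_known_bad(path, digest):
    """Verdict callback: the demo simply checks the digest against the constructed hash set."""
    return digest in KNOWN_BAD_SHA256


def incremental_scan(root, state, check):
    """Walk root and check only new or changed files.

    state maps path -> (mtime_ns, size, sha256) from the previous scan and is
    updated in place. A file whose mtime and size are unchanged is skipped
    without being read. Entries for files that no longer exist are removed.
    Returns (list of paths read this pass, list of paths the check flagged).
    """
    checked, hits, seen = [], [], set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            seen.add(path)
            try:
                st = os.stat(path)
            except OSError:
                continue  # vanished or unreadable between walk and stat
            fingerprint = (st.st_mtime_ns, st.st_size)
            prev = state.get(path)
            if prev is not None and prev[:2] == fingerprint:
                continue  # unchanged since the last scan: skip it
            digest = sha256_file(path)
            state[path] = (fingerprint[0], fingerprint[1], digest)
            checked.append(path)
            if check(path, digest):
                hits.append(path)
    for path in list(state):
        if path not in seen:
            del state[path]  # file was deleted; forget it
    return checked, hits


def demo():
    """Constructed walkthrough: three passes over a temporary directory."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        clean = os.path.join(root, "report.txt")
        bad = os.path.join(root, "dropper.bin")
        with open(clean, "wb") as f:
            f.write(b"quarterly numbers\n")
        with open(bad, "wb") as f:
            f.write(SAMPLE_BAD_CONTENT)
        state = {}
        # Pass 1: nothing cached, so both files are read; one is flagged.
        checked, hits = incremental_scan(root, state, is_known_bad)
        results["first"] = (len(checked), sorted(os.path.basename(p) for p in hits))
        # Pass 2: nothing changed, so nothing is read.
        checked, hits = incremental_scan(root, state, is_known_bad)
        results["unchanged"] = (len(checked), len(hits))
        # Pass 3: the clean file grew and the bad file was removed.
        with open(clean, "ab") as f:
            f.write(b"revised\n")
        os.remove(bad)
        checked, hits = incremental_scan(root, state, is_known_bad)
        results["after_edit"] = (len(checked), len(hits), len(state))
    return results


if __name__ == "__main__":
    lower_priority()
    print(demo())
```

The skip decision rests on mtime and size only, which is the usual trade-off for a background scanner: it keeps the second and later passes cheap, but anything that rewrites a file while preserving its mtime and size would not be re-read, so a periodic full pass (or a content hash check on a sample of "unchanged" files) is a sensible complement.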
Q. Is scanning available on all Traps agent operating systems?
A. Scanning currently runs on Windows endpoints only. Additional support may be added in a future release.
Q. Will Traps management service be available in all regions?
A. The Traps management service will be available in North America and EMEA. Customers in APJ may choose to use either the North America or EMEA service, or continue using the Traps on-premises deployment option with ESM.
Q. Can you automate containment if an endpoint has a security event with Traps 5.0?
A. Not yet. This automation is done by forwarding Traps logs to Panorama which triggers a policy to isolate the endpoint(s) in question. Logging Service does not yet support log forwarding. If this is a requirement, you will need to start with an on-premises deployment with ESM then you can migrate to Traps management service when log forwarding is supported.
Q. If I am currently using Panorama with Traps, can I continue using it if I upgrade to 5.0?
A. Not yet. This is done by forwarding Traps logs to Panorama, and the Logging Service does not yet support log forwarding. If this is a requirement, you will need to stay with your current on-premises deployment with ESM. Once log forwarding is released, you can migrate to the Traps management service.
More Info
For even more information about Traps, please see the following links:
The General Data Protection Regulation (GDPR) White Paper https://www.paloaltonetworks.com/resources/whitepapers/palo-alto-networks-traps-a-key-tool-for-gdpr-...
Traps Advanced Endpoint Protection Technology Overview
http://www.paloaltonetworks.com/resources/techbriefs/traps-technology-overview.html
Traps 5.0 Datasheet
https://www.paloaltonetworks.com/resources/datasheets/endpoint-protection
Thanks for taking time to read all of this. If you found it useful, please give me a Thumbs Up.
As always, we LOVE to hear from you in the comments section below: comments, questions or suggestions.
Until next time, Stay Secure!
Joe Delio
End of line.