Traps 5.0 Advanced Endpoint Protection

by on ‎03-15-2018 04:43 PM - last edited on ‎07-24-2018 11:01 AM by (77,722 Views)

 

hogwarts-email-header-1200x500.png 

Everyone here at Palo Alto Networks is very happy to announce the release of the latest version of Traps version 5.0. Hopefully this isn’t the first that you have heard about Traps from Palo Alto Networks, because if you haven’t heard, you have been missing out on some of the most advanced endpoint protection available on the market.

Traps can stop threats in their tracks on the endpoint device to prevent successful cyberattacks. Traps thwarts attacks by combining multiple methods of prevention. Traps can even block unknown attacks based solely on its behavior. The software runs on Windows®, macOS® or Linux endpoints, such as laptops, desktops, servers, virtual machines and cloud workloads.

 

MultiMethod Malware and Ransomoware Prevention

There are many methods that Traps is able to prevent known and unknown malware from infecting endpoints. I will cover some of the ways traps accomplishes this task:

  • WildFire threat intelligence
  • Local analysis via machine learning
  • WildFire inspection and analysis
  • Granular child process protection
  • Behavior-based ransomware protection
  • Periodic scanning for dormant malware

Another useful option is the ability for Traps to give organizations the ability to whitelist and blacklist applications, restrict execution of applications, and quarantine malware.

 

Multi-Method Exploit Prevention

Traps breaks the attack lifestyle by blocking the actual exploit techniques being used instead of focusing on individual attacks. Traps uses the following methods to do this:

  • Pre-exploit protection
  • Technique-based exploit prevention
  • Kernel exploit prevention

Coordinated Enforcement With Network and Cloud

Traps and WildFire continuously share threat intelligence with each other, as does each component of Palo Alto Networks Next-Generation Security Platform, such as next-generation firewalls and cloud security services (see image for details). Traps customers receive access to this threat intelligence and the complete set of WildFire malware analysis capabilities.

With this layered protection, Traps all but eliminates the ways that attackers and malware can enter your network.

2018-03-15_traps-1.jpg

 

Cloud-Based Management and a Lightweight Agent

Traps management service is cloud-delivered to save you the time and cost of building out your endpoint security infrastructure. The service is simple to deploy and requires no server licenses, databases or other infrastructure to get started. The intuitive, web-based interface makes it easy to manage policies and events, and accelerate incident response.

2018-03-15_traps-2.jpg

 

System Requirements and Operating Systems Support

Traps supports multiple endpoints across Windows, macOS and Linux operating systems. For a complete list of system requirements and supported operating systems, please visit the Traps Compatibility Matrix webpage.

 

Because I know you all will have a lot of different questions, I have also included a FAQ section below:

Traps 5.0 FAQ

 

Q. Why is PAN moving Traps to the cloud?

A. Having the Traps management service in the cloud means that customers don’t have to build, manage, and maintain an on-premises management server. The benefit is, faster deployments, less day to day management of another server, lower total cost of ownership, and allows us to innovate and introduce new features, faster.  

 

Q. Will Traps be part of the Application Framework?

A. Traps will leverage the Logging Service which is a key component of the Application Framework. Traps agents and Traps management service will forward all logs to the Logging Service. Administrators can then view the event information directly from the Traps admin console. 

 

Q. Can I upgrade from Traps on-premises (ESM) to Traps in the cloud (TMS)?

A. The Traps 5.0 administrators guide has step by step instructions on how to migrate from an on-premises Endpoint Security Manager (ESM) to Traps management service and agents. 

 

Q. Are there any changes to Traps pricing?

A. There are no changes to Traps pricing.  There will be no charge for Traps management service and current agent prices transfer over.

 

Q. Do customers have to purchase Logging Service storage if they move to the cloud?

A. If a customer has a current Logging Service subscription, they will continue to use the capacity they have purchased. If a customer does not currently have a Logging Service subscription they will be given 100GB of Logging Service capacity as part of their Traps subscription.

 

Q. Will the Linux agent support workstations and servers?

A. Initially, the Linux agent will protect Linux server workloads with a focus on exploit prevention. Linux workstations may be added in a future release but are not supported in Traps 5.0. 

 

Q. What Linux distributions will the Linux agent support?

A. Initially, Traps will support the following distributions and versions. Additional distributions may be added in future releases.

  • RedHat (RHEL) – 6.x and 7.x
  • CentOS – 6.x and 7.x
  • Ubuntu Server – 12.x, 14.x, 16.x
  • SUSE – 12.1, 12.2

 

Q. Will Traps management service have the same features as ESM? 

A. There are a number of features being introduced in the Traps management service that will not be supported on ESM.  There will also be features on ESM that will not be supported in Traps management service.  For a list of features available on ESM and Traps management service consult the Traps 5.0 admin guide.

 

Q. Will the minimum number of licenses change?

A. The minimum number of Traps licenses will continue to be 200 seats.

 

Q. Will there be a performance impact when a scan runs?

A. As with anything that touches the file system there may be an impact to performance. Traps scanning was designed to be as low impact as possible.  This includes running scans as a background process with CPU utilization capped at no more than 25% to avoid conflicts and performance degradation.  After the initial scan, only changed or new files will be scanned, minimizing the time and resources used.  The overall scan time will be dictated by the number of files to be scanned and the amount of data change since the last scan. 

 

Q. Is scanning available on all Traps agent operating systems?

A. Scanning currently runs on Windows endpoints only.  Additional support may be added in a future release. 

 

Q. Will Traps management service be available in all regions?

A. The Traps management service will be available in North America and EMEA. Customers in APJ may choose to use either North America or EMEA services or continue using Traps on-premises deployment option with ESM.   

 

Q. Can you automate containment if an endpoint has a security event with Traps 5.0?

A. Not yet. This automation is done by forwarding Traps logs to Panorama which triggers a policy to isolate the endpoint(s) in question.  Logging Service does not yet support log forwarding.  If this is a requirement, you will need to start with an on-premises deployment with ESM then you can migrate to Traps management service when log forwarding is supported.

 

Q. If I am currently using Panorama with Traps, can I continue using it if I upgrade to 5.0?

A. Not yet. This is done by forwarding Traps logs to Panorama.  Logging Service does not yet support log forwarding.  If this is a requirement, you will need to stay with your current on-premises deployment with ESM.  When log forwarding is released, you can migrate to Traps management service when log forwarding is supported.

 

 

More Info

For even more information about traps, please see the following links:

 

The General Data Protection Regulation (GDPR) White Paper https://www.paloaltonetworks.com/resources/whitepapers/palo-alto-networks-traps-a-key-tool-for-gdpr-... 

 

Traps Advanced Endpoint Protection Technology Overview

http://www.paloaltonetworks.com/resources/techbriefs/traps-technology-overview.html

 

Traps 5.0 Datasheet

https://www.paloaltonetworks.com/resources/datasheets/endpoint-protection

 

Thanks for taking time to read all of this. If you found it useful, please give me a Thumbs Up.

As Always, we LOVE to hear from you in the comments section below.. comments, questions or suggestions. 

 

Until next time,Stay Secure!

Joe Delio

End of line.

Comments
by DonohoeRobert
on ‎03-21-2018 09:19 AM

Hi Joe, 

 

I hope you are well. Great post, thank you. Just the the link for the gdpr is giving a 404. 

https://www.paloaltonetworks.com/resources/whitepapers/palo-alto-networks-traps-a-key-tool-for-gdpr-...

 

Best regards, 

 

Rob 

by DonohoeRobert
on ‎03-21-2018 09:24 AM

Capture.GIF

 

Seems fixed now :-) 

by jintan
‎04-09-2018 02:38 AM - edited ‎04-09-2018 11:51 PM

 

As per documented in this article: "After the initial scan, only changed or new files will be scanned, minimizing the time and resources used." - how does the Traps agent know which file is new or changed? 

by emilling
on ‎04-09-2018 05:09 PM

I found this very helpful in one area.

 

I think some features are well needed and needs to be integrated quickly to be fluid.



 

by
on ‎04-10-2018 12:58 PM

@jintan,

As far as the scan is concerned, I can imagine that there is an index that Traps uses to keep track of what has already been scanned, therefore only new or changed files will be scanned.

 

If you need further information on exactly how Traps performs this, then I would recommend that you log into the Endpoint (Traps) Discussion area here:

https://live.paloaltonetworks.com/t5/Endpoint-Traps-Discussions/bd-p/Endpoint_Discussions

And ask your question there.

by uduwawalan
on ‎05-21-2018 01:07 AM

HI Joe,

 

thanks for this technical note. Where can we download this client? I am trying to get a PoC set up and I can only see the traps 4.1  series of clients in the download section. and if I try to install them I have no idea how to point them to the cloud platform.

 

regards

Nalin

by emilling
‎05-21-2018 03:21 AM - edited ‎05-21-2018 03:21 AM

Please contact your Sales Exec or sales to perform a PoC on TRAPS Managed Service.

by BPry
on ‎05-21-2018 03:21 AM

@uduwawalan,

Do you have a Traps TMS (The Cloud Console) already setup and available to you, or not? If you have access to the console you can access all of the agents from the 'agent installation' tab once you login to your TMS console. 

by uduwawalan
on ‎05-21-2018 03:25 AM

Hi Bpry,

 

Thanks for the quick response.

 

The set up on the cloud is all done and I can access that. I was trying to install a client on a  local workstation and at point it asks for a host ( during the insatll process). Now it looks like it's asking for a local host. This is where I am coming unstuck. There is no documentation that I can find that tells you what to do to connect to the traps 5 cloud infrastructure.

 

Regards

Nalin.

by BPry
on ‎05-21-2018 03:29 AM

@uduwawalan,

So when you log into the TSM you should get a webpage that looks like the following; when you click on the 'Agent Installation' and setup an install package the EXE that is provided will have all the host information and will simply install; you don't actually have to setup the hostpath anymore. 

Capture.PNG

by uduwawalan
on ‎05-21-2018 03:44 AM

Thanks. I am going to try this now and I will report back. Again thanks for the quick response.

 

Kind Regards

Nalin.

by emilling
on ‎05-21-2018 03:46 AM

Please remember it is a simplified form to the Locally managed TRAP solution and will take getting use too, but it is the same in functionality.

 

Please make recommendations to your sales exec. for additional function and features.

by uduwawalan
on ‎05-21-2018 04:05 AM

Managed to create the package and it's getting installed now.

 

Two recommendations:  -- Allow Policy names to have at least _ and - as characters.

                                             In the console give brief descriptions of policy settings and their implications ( just like what you see in the group policy console window in Active Directory. That helps you to make up your mind what you want to do with the setting choices for each policy action within a profile.

 

 

Regards

Nalin.

by uduwawalan
on ‎05-21-2018 05:04 AM

 Having had a stab at the Policies and rules, I certainly think a help page is useful for each line within a policy / rule and wouldn't it be nice to have 1. Create a .msi ( as opposed to a .exe) and the correct switches to go with them for silent installs etc and 2. ability to push the exe out to a defined ip address from the console. ( this may be a bit far fetched).

 

Regards

 

by BPry
on ‎05-22-2018 01:04 PM

@uduwawalan,

The MSI package is planned, just talked  to one of the PMs here a last night. The ability to push out the EXE likely isn't going to work, this would more be around a limitation of this not being an on-prem solution. 

by aalonso
on ‎07-09-2018 03:12 AM

multiTenant is a RoadMap for this year, Any update about this? Mid July and running

Ask Questions Get Answers Join the Live Community