PANCast Episode 15: Advanced Threat Prevention in Nova

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
L2 Linker
No ratings

 

Episode Transcript:

 

John:

Hello PANCasters, welcome to another episode and today we are doing something a bit different. We have a special guest that is going to talk about some new features in the latest Palo Alto Networks release, which is PAN OS version 11 or Nova. To start with please welcome Michael Lawson from our product management team

 

Michael:

Hey John, Nice to be here today. 

 

John:

Thanks for joining us today Michael. If you could, let’s start with your take on the current global threat landscape?

 

Michael:

Sure thing. The current global threat landscape is complicated more specifically in addition to your Ransomware as a service operations, and financially motivated groups, there is a full on conflict going on in Ukraine, and along with the armed conflict, that includes, I think we’re witnessing the first full on nation state cyber war as well. All this means that the Malware we’re seeing these days is more sophisticated than in the past, and more difficult to detect and built in programs to avoid and interrupt detection and analysis. Specifically in  extremely well crafted malware that’s been quality tested against multiple security solutions, all with the goal of evading detection. And that’s kind of what’s kept us innovating and building on not only what we've done in the past, but with some new things that we were happy to release around Nova.

 

John:

And Nova has some specific new features to help with this. Can you give us some more details?

 

Michael:

For certain. So wildfire has been in production for 11+ years and over the 11 years it has grown exponentially with the additional file types, new detection technologies, machine learning, and dynamic analysis, and it’s continued to be innovated based on real threats that we see out there we build better analysis and detection techniques for it and once we’re able to analyse and detect a specific threat we build protections for that that’s fed out to our cyber ecosystem if you will. With Nova we have one upped ourselves. We have built from the ground up advanced wildfire and it is a custom built, in-house hypervisor that has several features in it that helps us deal with not only threats that we are dealing with today, but kind of future proofing it so it can be the guiding principle of detection for the next 11 years.  Some of those things that we’ve built into this, which is at cloud scale is very impressive, starting off with its introspective analysis. Typically, when you analyse malware, you analyse on a virtual machine. You have some tools running on that virtual machine to collect and detect all the behaviours that the malware’s performing against the machine. Introspective moves those tools out of the virtual machine and puts them at the hypervisor level so it’s an outside in approach and the reason for doing this is we know malware authors write specific hooks and checks and look for anything that is attempting to collect information about observed behaviours so typically those those tools that run on the VM look like a debugger, like a program debugger and so they’ll look for the presence of those tools and they won’t run. So by moving them outside makes it invisible to them. 

 

Another thing that we built into Advanced Wildfire was memory analysis. More and more today memory uses a few common techniques like process injection or process hijacking and it runs in the memory space of a program that’s already running, like Explorer or Chrome for instance, and once the payload runs in memory, or is executed in memory it deletes the file so from a forensics capability, you know a crime’s been committed but all the evidence is gone. It’s just sitting there in memory and you have to be able to read memory. It’s really the only way to detect these payloads. So we have a real time memory analyser that runs alongside of this analysis so as things are running, we are watching the memory and we use memory based yara rules to detect malicious behaviour and specifically tag things that we know about and we also built the industries first real time memory machine learning analyzer and it’s able to detect malicious behaviour in memory, and flag it as well for us. 

 

In addition to that we built an industry first of a malware dependency library emulator. So one of the things that we know from working in the windows computer type world, if you don’t have a certain program installed you can’t open up a file so if I don’t have Microsoft Word on my computer and I get a word file, I go to open it I get a little window that says “unable to open this file type” . We’ve all seen that at various times and working on computers. Malware authors understand this and use this against us so they specifically pick software libraries that might be obscure or hard to find and after careful reconnaissance on their targets they know that they’ll be able to use that against us. So they’ll build in a check in the program to look for a specific software library like is cute FTP, is this version of Java present, etc. and if it isn’t it won’t run. It will interrupt and blue screen the machine or it will stop. Stop running all together. So what we do is we look at the file before we analyse it we read the file header, the file header contains all the libraries that might be called on by the payload and we pre-stage or pre-load those in the virtual machine before we detonate it, and then we run it and the malware believes that the library is present and it runs successfully. Being able to successfully run malware successfully sounds kind of funny but that’s a big goal of ours but the reason for it is for detection. If you can’t run it, you can analyse it , you can’t determine what behaviours it has. That has led to a huge increase in our detection capabilities and lead to a dramatic reduction in false negatives, or malware that we thought was benign but is actually malicious yielding huge results for us and also kind of double down on this this is built alongside wildfire, but on completely separate and it’s on cloud infrastructure. This type of analysis that we’re doing this stuff that you could never get with an on premise physical sandbox device coming from working at McAfee and Trend Micro with their appliances before, great solutions, but you could never get there with an on premise appliance. This is, techniques and capabilities that you really need the scale that the cloud has to offer with its compute and storage capabilities.

 

John:

Well thank you Michael, that’s really interesting. I’ve learnt a lot today so once again, thank you for being on.

 

Michael:

Cheers John, appreciate being on. Looking forward to the next episode of PANCast.

 

John:

Well thank you again Michael. Some great insights into threat prevention and how Nova can help. For our PANCasters out there if you’d like the transcript to this episode please head to live.paloaltonetworks.com. You can also find some links to additional details on Nova including other great new features. Bye for now.

 

Check out the full PANCast YouTube playlist: PANCast: Insights for Your Cybersecurity Journey.

 

Related Content:

NGFW 

 

Rate this article:
Comments
L2 Linker

Thanks, Michael and John. I like what was shared on the new capabilities.

  • 2905 Views
  • 1 comments
  • 1 Likes
Register or Sign-in
Contributors
Article Dashboard
Version history
Last Updated:
‎04-12-2023 06:46 PM
Updated by: