
Episode Transcript:


John:

Hello, PANCasters. Today we have a special guest who's going to talk to us about Advanced WildFire policies. We have with us Michael Lawson from the Technical Marketing Engineering team. Welcome, Michael. To start with, can you tell us a bit about yourself?

Michael:

Michael Lawson is Senior Principal Technical Marketing Engineer for Advanced WildFire.

Sure. Thanks, John. I'm Michael Lawson. I'm a Senior Principal Technical Marketing Engineer for Advanced WildFire. I'm based in Texas, and I've been in this role for about five years. As a technical marketing engineer, I work closely with product managers, the engineering team and Unit 42 to build the best malware analysis and prevention solution in the industry. Before Palo, I spent the past 15 years or so building sandbox solutions for many companies and logos that I think you would recognize, pioneering many new and innovative features.

John:

Thanks, Michael. So, I hear that Advanced WildFire can't do anything without SSL decryption. Is that true?

Michael:

Well, yes and no. It's kind of a tricky question. For WildFire to do anything, it has to be able to see the file, right? If we can't see the file, it's kind of hard for us to analyze it. When you look at today's networks and the internet, 90+% of your traffic is encrypted. With that in mind, without SSL decryption we can still see files that come down via unencrypted links. But yeah, you need decryption to see the files. When the traffic isn't encrypted, we can see the files and analyze the threats inside them, and once we see a threat, we can analyze and block it. So yeah, it's a huge thing. You're going to need SSL decryption at some point.

John:

Okay. Well, with that in mind, if I'm not decrypting the network traffic, would I even bother turning on WildFire? The remaining 10%, I guess, has to be legacy web stuff that is pretty low risk.

Michael:

Well, after you're done listening to this podcast (get to the end of this one first), I would go back and listen to our previous podcast about SSL decryption. Back to your question: you wouldn't be wrong with that thinking, but threat actors don't really think that way, right? If you're a bank robber, you're going to pick a bank to rob, and you're looking at a couple of different banks. The first bank you look at has state-of-the-art defences, cameras, security guards, brand new locks on the doors, everything else. The second bank doesn't have any of that. Maybe they've got one old security guard, and he doesn't even have a gun, and he's just kind of sleeping in a chair in the corner. So if you have to pick which bank you're going to rob, you're probably going to go for bank number two, the one with no security, where no one's watching and no one's paying attention, right?

John:

Yeah, actually, that makes sense. It's easier, and I've got a better chance of getting away with it.

Michael:

Yeah, exactly. So the threat actors do a fair bit of reconnaissance, and if you're not decrypting and not looking at the traffic, they know that, right? They also know if you have any threat prevention running inline. So if they find a target that isn't decrypting and doesn't have any threat prevention solutions running inline, that makes things easier for them. You're that second bank with the sleepy security guard in the corner. And this is actually a documented attack from last year: the threat actors realized the target wasn't doing any type of inline inspection because they weren't decrypting, so they just sent down an attack via non-SSL channels. That just made it easier for them. They didn't have to encrypt the traffic. They didn't have to burn their latest C2 infrastructure. They didn't have to use any of this malleable C2 trickery. They just hosted the file on a simple directory server and focused on the delivery, on how to trick the user into downloading the payload, and I'm sure they used an LLM to convert and polish the language for them. That's what this group in North Korea did, right? So my advice, whether you're decrypting or not, is to turn the security services on. Period. Turn them on. You wouldn't get in a car without a seat belt. You've got the world's greatest security appliance, Palo Alto's next-gen firewall, sitting in your network.

Turn on the security services first and foremost, and work with your Palo Alto team to walk you through that. We've got best practice guides, videos and things like that out, but also partner up with your team. Your team can help you enable a precision decryption policy down the road, but before you get to decryption, turn the things on. That's the most important thing.

John:

Great, thank you. That makes sense. Advanced WildFire, though, is just a cloud sandbox, and it doesn't stop anything inline, does it?

More than just a sandbox


Michael:

Well, Advanced WildFire is a little bit more than just a sandbox, right? The cloud analysis is a big part of this picture, but I would say that's the legacy way of thinking. WildFire analyzes roughly 80 million files a day. With that volume, we're always looking at the most efficient way to analyze files, at how we can deliver verdicts faster, and at which analysis techniques can be applied for inline analysis.

John:

Okay, so what is it doing to prevent threats inline?

Michael:

Well, this is really great timing to talk about this, because a lot of our customers right now are upgrading to PAN-OS version 11.1 or greater, right? As they get there, we're having more and more conversations with customers about these inline capabilities we've added. So, first off, WildFire has virus signatures. Not a virus database, not a hash database, but virus signatures: the unique features of the files. It's like looking at the DNA, so one signature can capture multiple files. It's not the one-to-one match that we see with some legacy solutions out there. That's the first line of defense we have. The second is inline machine learning engines that run on the firewall. There are eight of these, and they're file-type specific: a couple for PowerShell, ELF, PE, etc. These Precision AI ML engines are designed to detect zero-day threats. We call it Precision AI, and everyone's like, that's a marketing term. It's not. It's really because Palo Alto has been pioneering the use of AI for so long. This isn't something we just bolted on last year as a me-too. These have been running inline for over four years, and the amount of data they are trained on is huge. So they are very mature and extremely accurate in the way they analyze and detect threats. The third solution, the one that requires PAN-OS 11.1, is our Inline Cloud Analysis, or MICA or ICA as you might hear us refer to it. This is a game-changing feature for our customers. We released it in 2023.

John:

Hold on, game changer? So we've been doing this for a while? If you're saying game changer, I'd like our listeners to focus in on this. Can you tell us a bit more?

Michael:

Yes, I know it sounds a little bit like marketing hype, but when it comes to blocking zero-day threats, Inline Cloud Analysis is pretty awesome. So let me explain a little bit how it works. As I mentioned, we have some pretty innovative solutions in our signatures and machine learning working to block a threat. But after that, if we can't determine whether a file is malicious or not, we stream a copy of it up to the cloud, and on the firewall we hold on to the last bit of that file. So parts of it are trickling down to your endpoint, and we're just going to hold on to that last bit and prevent it from being downloaded. Then we're going to use our cloud-scale AI to analyze the file. By cloud-scale, I mean these massive machine learning and LLM engines. These cloud engines are trained on about two billion files a month, including malicious and benign files, and they account for about 90% of all WildFire verdicts that we've seen globally. They're very accurate, very fast, and when they analyze it, they'll return a verdict back to the firewall. If the verdict is malicious, we'll block the file. We prevented a day-zero attack. We'll continue analyzing the file in the cloud and generating signatures. But this gives you cloud-strength analysis inline, with minimal impact to end users and to the business.

John:

Very cool. I see why you like it. What about deploying these policies? Is it hard?

Deploy the policies


Michael:

No, but a thoughtful and paced deployment is always recommended. You can deploy these policies in what we call alert-only mode, which allows you to test the deployment of a single feature or multiple features without impacting anything, and then evaluate the results and adjust the policy from alert to block. I think a lot of teams do this; they call it observe mode. They'll do one feature and then move on to the next feature. What's great about Palo's firewalls is you can deploy these down to a single user, single app or single IP address. So it's not rip it off for everybody or not; you can really fine-tune it. That said, there are some common mistakes you can avoid. If you've never configured any of the security policies before and this is just not your area (like, listen, I'm a network person, I don't know anything about security, but I believe you, I need it turned on), hey, reach out to Palo. They'll get a hold of me, or of one of my partners on the team. We love to work with customers and help coach them through configuring and deploying best practices.

John:

Okay. Like what kind of mistakes do you see?

Michael:

Well, one of them I like to call the Michael Lawson mistake, because I made this one: enabling the default policy and just walking away. Like Ronco, set it and forget it, right? This sounds weird, but the policy is based on best practices and will block all threats. However, we have found that some customers aren't aware of what kind of soup they're cooking in their kitchen. They're not aware of the applications and utilities they use every day, and some of those things don't conform to best practices for software development. So to WildFire these applications can look like malware, and WildFire will block these files. It's really good at blocking things that look like malware, smell like malware, walk like malware. Okay, it's blocked. Done. In one deployment we found that they had an endpoint security policy with an exception to allow a bunch of these applications to run; otherwise it would have blocked them too. So I recommend reviewing your existing security policies for endpoint and legacy network devices, and then we can match those exceptions and accommodate those use cases. I also recommend doing that observe policy time frame, setting these things to alert, and then we can test and validate the exceptions and potentially discover more. We also have a bunch of benign test files that we can use to verify what the policy would do if it did find something.

John:

Okay, great. Are there any other methods to test or evaluate policies to avoid potential impacts?

Michael:

Yeah, I have a couple of things. After we set the policy to alert, we can observe and review any anomalies. The second thing we can do is set up an evaluation NGFW, take a SPAN or TAP port off your network, set up a best-practice configuration on there, and run it. So you don't impact production; just stream the traffic off to an eval appliance and do all of your testing and practice on your production traffic, but not inline. Then use those test policies to evaluate test files, evaluate the policies, and see how that works, right?

John:

Okay, that's great. Are all deployments this slow or phased?

Michael:

No, but my default recommendation is phased. Like I said, I called it the Mike Lawson mistake. I've had some experiences pushing out default policies that didn't work so well. I worked at a bank quite a few years ago. I was deploying a network security policy on an internal firewall, and it's always a good idea to inspect that east-west traffic, right? You don't know if something's going to sneak in sideways on you. This one specific firewall for the subnet was sitting in front of my internal development team, and these developers were building applications and scripts for the business: Excel files that talk to an AS/400 and make updates to SQL tables. This is normal stuff, and it also involves sharing what I'll just say are unsigned raw files around, and those unsigned raw files look very suspicious to security and sandbox tools; they have features in common with a lot of malware. So I deployed my full-block best practice policy without any review, without any observe time, and then my SIEM lit up like a fireworks show on the 4th of July. It was bad. It was not a good day. I had to reach back out to my vendor support team and tell them everything's stopping, and they quickly worked with me, and we were able to tweak that policy and fine-tune it to inspect the risky files and not block the internal development files that were mid development cycle. After that, every policy we deployed from that point, we deployed in this alert/observe mode first. Much more careful that way. Rule number one in network security or network ops: don't break the internet. That's your first thing, right? I broke that rule. Thankfully my boss and employer at the time were very forgiving. But yeah, don't be like Michael; be better than that, right?

John:

Thanks, Michael. That makes a lot of sense. So, what are the key takeaways for today, then?

Episode Key Takeaways


Michael:

Yeah, I'm going to sound like a broken record, but do the alert-only observe mode. This gives you crucial time to evaluate any potential issues and resolve them before they impact your production environment. I would just say it's naive to think you know everything about your network until you act, if you're not running anything like this. Test deployment in a non-inline mode, utilizing our labs or SPAN or TAP mode with an evaluation deployment, is highly beneficial. The cool thing about getting an evaluation appliance is it allows you to evaluate not just Advanced WildFire, which is great, but all the other security solutions that Palo has, based on your production traffic, and then make a highly educated, informed decision like, yeah, we should look at URL and DNS and IoT and these other things. My other thing I'll let you walk away with, and this is my life lesson: leverage your account team. The account teams are great people. They love working with customers. If you ask them what's the best part of their job, it's solving customer problems. Setting these policies is straightforward, not very difficult, and once you've done it once, it's pretty much ingrained in your brain. But our most successful customers partner with and leverage the Palo Alto Networks account team. They really leverage them and get every bit out of them they can. I work frequently with those teams, where we dive deep into customer experiences, answer the tough questions, and make sure they get the maximum value from WildFire.

John:

Thank you so much, Michael, for sharing some really good information on Advanced WildFire and how it's shifting to provide cloud-scale analysis inline for our PANCasters. As always, the transcript of the episode will be on live.paloaltonetworks.com, along with some links related to this episode. Thanks again.

Related Content:

NGFW WildFire Threat Prevention
