Palo Alto Networks Traps™ provides Advanced Endpoint Protection that prevents sophisticated vulnerability exploits and unknown malware-driven attacks. Traps accomplishes this through a highly scalable, lightweight agent that uses an innovative new approach for defeating attacks without requiring any prior knowledge of the threat itself. By doing so, Traps provides organisations with a powerful tool for protecting endpoints from virtually every targeted attack.
Despite a plethora of endpoint security products on the market, endpoints are still being infected at an alarming rate. Traditional endpoint protection solutions use methods that simply cannot keep up with the rapidly evolving threat landscape. Instead of trying to identify the millions of individual attacks themselves, or to detect malicious behaviour that may never surface in an observable way, Traps focuses on the small set of core techniques that every attacker must chain together in order to execute an attack. With this approach, Traps can thwart the attack before any malicious activity can successfully run.
Advanced Endpoint Protection should deliver on the following:
- Prevent all exploits, including those utilising unknown zero-day vulnerabilities.
- Prevent all malicious executables, without requiring any prior knowledge of them.
- Provide detailed forensics for prevented attacks.
- Be highly scalable, lightweight and seamless, with minimal to no disruption.
- Integrate closely with network and cloud security.
Multiple Types of Attack, Complete Protection
Attacks come in different forms and can arrive via multiple vectors, including web, e-mail and external storage. Most traditional endpoint security products protect endpoints from malicious executable files, which are the least sophisticated form of attack. Some of the most advanced and targeted attacks arrive instead as seemingly harmless data files that are opened by legitimate applications. For example, malicious code can be embedded in a Microsoft Word or PDF document; when the document is opened it triggers a flaw in the viewing application, an attack known as an exploit. Traps protects endpoints by preventing both malware in the form of executables and exploits in the form of data files or network-based attacks.
Today's most advanced threats leverage vulnerabilities in software that we use on a regular basis. They often arrive as commonly used data file types (pdf, rtf, doc, ppt, xls, etc.), or can be individually crafted to target proprietary software used in a particular industry.
Once the file is opened, the malicious code takes advantage of a vulnerability in the legitimate application used to view the file, allowing it to execute code and take full control of the endpoint.
How Exploit Prevention Works
Regardless of the attack or its complexity, for an attack to succeed the attacker must execute a series of exploit techniques in sequence. Some attacks involve more steps and some fewer, but in all cases at least two or three techniques must be used in order to exploit the targeted endpoint. Traps employs a series of exploit prevention modules (EPMs), each aimed at mitigating and blocking one of the exploit techniques available to attackers. Because every exploit depends on a chain of those techniques, rendering the techniques ineffective means the underlying vulnerability, patched or not, can no longer be turned into a successful exploit.
The Traps agent injects itself into each process as it is started. If the process attempts to execute any of the core attack techniques, the attempt fails because Traps has made the process impervious to that technique. Traps immediately blocks the technique, terminates the process, notifies both the user and the administrator that an attack was prevented, and reports the full details to the Endpoint Security Manager (ESM). Due to the chain-like nature of an exploit, preventing just one technique in the chain is all that is needed to block the entire attack.
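To make the "hook one technique, break the whole chain" idea concrete, the following is an added illustrative example written for this page; it is not Traps code and does not describe how Traps' own EPMs are implemented. It models a single exploit prevention module as a guard placed in front of mprotect() that refuses to make a page writable and executable at the same time (the RWX staging step used in many DEP-bypass chains), then runs a simulated four-step exploit chain against it. Assumptions: a Linux/glibc host, a hypothetical hook named guarded_mprotect, and a constructed "payload" of placeholder bytes that is never executed.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef int (*step_fn)(void);

/* Constructed placeholder "shellcode": four inert bytes, never executed. */
static const unsigned char kPayload[] = { 0x90, 0x90, 0x90, 0xcc };

/* One hypothetical EPM: the technique it defeats is turning a page W+X at once. */
static int epm_wx_blocks(int prot) {
    return (prot & PROT_WRITE) && (prot & PROT_EXEC);
}

/* Hypothetical hook an injected agent would interpose in front of the real mprotect().
 * On a policy hit it reports and fails with EPERM; a real agent would also terminate
 * the process here. Otherwise the call passes through untouched. */
int guarded_mprotect(void *addr, size_t len, int prot) {
    if (epm_wx_blocks(prot)) {
        fprintf(stderr, "[EPM] W^X violation blocked at %p (%zu bytes, prot=0x%x)\n",
                addr, len, prot);
        errno = EPERM;
        return -1;
    }
    return mprotect(addr, len, prot);
}

/* Shared state for the simulated chains: one page-sized anonymous mapping. */
static unsigned char *g_region;
static size_t g_len;

static int step_alloc(void) {                 /* step 1: get a writable buffer (legitimate) */
    g_len = (size_t)sysconf(_SC_PAGESIZE);
    g_region = mmap(NULL, g_len, PROT_READ | PROT_WRITE,
                    MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return g_region == MAP_FAILED ? -1 : 0;
}
static int step_stage_payload(void) {         /* step 2: write bytes into it (legitimate) */
    memcpy(g_region, kPayload, sizeof kPayload);
    return 0;
}
static int step_make_rwx(void) {              /* step 3 (attacker): make the buffer W+X */
    return guarded_mprotect(g_region, g_len, PROT_READ | PROT_WRITE | PROT_EXEC);
}
static int step_make_rx(void) {               /* step 3 (benign JIT): drop write, add exec */
    return guarded_mprotect(g_region, g_len, PROT_READ | PROT_EXEC);
}
static int step_transfer_control(void) {      /* step 4: would jump into the buffer */
    return 0;  /* the demo only records that the chain reached this point */
}

/* Run the steps in order and stop at the first one the policy refuses.
 * Returns the 1-based index of the blocked step, or 0 if every step ran. */
int run_chain(const step_fn *steps, int n) {
    for (int i = 0; i < n; i++)
        if (steps[i]() != 0) return i + 1;
    return 0;
}

static void cleanup(void) {
    if (g_region && g_region != MAP_FAILED) munmap(g_region, g_len);
    g_region = NULL;
}

/* Exploit chain: blocked at step 3, so step 4 (control transfer) never executes. */
int run_exploit_chain(void) {
    const step_fn steps[] = { step_alloc, step_stage_payload, step_make_rwx, step_transfer_control };
    int blocked = run_chain(steps, 4);
    cleanup();
    return blocked;
}

/* Same shape of activity without the attacker technique: no step is blocked. */
int run_benign_chain(void) {
    const step_fn steps[] = { step_alloc, step_stage_payload, step_make_rx, step_transfer_control };
    int blocked = run_chain(steps, 4);
    cleanup();
    return blocked;
}

int main(void) {
    printf("exploit chain blocked at step %d\n", run_exploit_chain());
    printf("benign chain blocked at step %d\n", run_benign_chain());
    return 0;
}
```

The point of the two chains is that the guard never looks at the payload bytes, the file that delivered them, or the vulnerability that gave the attacker control; it keys only on the technique (W+X staging), so the same hook stops the chain regardless of which application or bug is involved, while the W^X-compliant transition a legitimate JIT performs passes through. A real agent would install such hooks at process start and terminate the process on a hit rather than merely failing the call.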
By default, Traps policy is set to protect over 100 processes — each one with dozens of proprietary EPMs (Exploit Prevention Modules). But unlike other products, Traps is not limited to protecting only those processes or applications.
By focusing on the exploit techniques and not the attack itself, Traps can prevent the attack without prior knowledge of the vulnerability, regardless of patches in place, and without signatures or software updates. It’s important to note that Traps isn’t scanning or monitoring for malicious activity, so there’s a massive scalability benefit to this approach as very little CPU and memory are used.