Findings from WildFire


It has been a busy and exciting week at Palo Alto Networks. We have announced a brand new platform, the PA-200, a branch office appliance for the distributed enterprise; a new software update, PAN-OS 4.1, with more than 50 new features; and WildFire™, a completely new capability of the next-generation firewall that allows security teams to detect and remediate unknown and targeted malware. Click to see Nir talking about the release on Bloomberg TV. I want to share a little more on WildFire because I think this technology has the potential to be one of the most significant recent developments in threat prevention, and I think the data from the beta testing bears this out.

First, a quick bit of background. IT security teams have been on the horns of a dilemma concerning targeted and unknown malware. On one hand, traditional IPS and anti-malware products are ineffective because they only detect things that are already known to be bad, and unknown files are assumed to be benign. On the other hand, sandboxing technology, which can expose unknown malware by observing it in a virtual environment, has remained separate from the front lines of day-to-day security enforcement. Previous attempts at sandboxing solutions required lots of additional single-purpose hardware and lacked the in-line enforcement capabilities needed to protect the network. In short, security teams have had only an expensive option that could provide some visibility into unknown malware but fell short when it came to enforcement.

WildFire bridges this gap by blending in-line capture and enforcement with out-of-band sandbox analysis to identify unknown threats. Additionally, WildFire offloads the sandbox analysis to a highly secure cloud-based environment, meaning that no new hardware is required. As a result, managing unknown malware threats becomes operationally similar to managing known threats. The next-generation firewall provides visibility into all traffic, known threats are blocked, and unknown files are sent up to the WildFire sandbox for analysis. If a file is found to be malware, WildFire generates signatures both for the infecting file and for its outbound malware traffic, which are delivered with normal AV updates to prevent further infections and stop any malicious traffic. IT managers are provided details on who was targeted, which URLs were involved in the attack, and what applications were used in the attempted malware delivery.
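The loop described above, as an added toy model that is not WildFire's code or interface: the first sighting of an unknown file passes in-line and is forwarded for analysis, a malicious verdict turns into a file-hash signature plus outbound-traffic signatures, and later sightings and beacons are blocked. The sandbox, the sample bytes, the host name and the user names are all constructed for the example.

```python
import hashlib

class ToySandbox:
    # Constructed stand-in for the cloud sandbox, not WildFire's real interface:
    # maps malicious content to the outbound hosts it contacted when detonated.
    def __init__(self, detonation_results):
        self._results = detonation_results      # {content bytes: (host, ...)}
    def analyze(self, content):
        hosts = self._results.get(content)
        return (hosts is not None, hosts or ())

class InlineEnforcer:
    # Firewall side: block on known signatures, forward unknown files, and turn
    # sandbox verdicts into file signatures and outbound-traffic signatures.
    def __init__(self, sandbox):
        self.sandbox = sandbox
        self.file_sigs = set()       # SHA-256 of files confirmed malicious
        self.traffic_sigs = set()    # outbound hosts seen from confirmed malware
        self.pending = {}            # sha256 -> content awaiting a verdict
        self.events = []             # (action, user, sha256): who was targeted
    def on_file(self, content, user):
        digest = hashlib.sha256(content).hexdigest()
        if digest in self.file_sigs:
            self.events.append(("block", user, digest))
            return "block"
        self.pending.setdefault(digest, content)   # first sight: send to sandbox
        self.events.append(("allow-unknown", user, digest))
        return "allow-unknown"
    def on_connection(self, host):
        return "block" if host in self.traffic_sigs else "allow"
    def apply_verdicts(self):
        # Consume verdicts for everything forwarded; returns count of new malware.
        new = 0
        for digest, content in list(self.pending.items()):
            malicious, hosts = self.sandbox.analyze(content)
            del self.pending[digest]
            if malicious:
                self.file_sigs.add(digest)
                self.traffic_sigs.update(hosts)
                new += 1
        return new

def demo():
    sample = b"constructed dropper"           # constructed sample content
    fw = InlineEnforcer(ToySandbox({sample: ("c2.example.invalid",)}))
    first = fw.on_file(sample, "alice")       # unknown: allowed through, forwarded
    found = fw.apply_verdicts()               # verdict arrives, signatures generated
    second = fw.on_file(sample, "bob")        # same file now blocked in-line
    beacon = fw.on_connection("c2.example.invalid")   # outbound C2 traffic blocked
    return first, found, second, beacon
```

The window between `first` and `second` is the exposure the page describes: the first recipient is only visible in `events`, not protected, which is why the signature turnaround time matters.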

So it all sounds good in theory, but how has WildFire performed in the real world? Over the past few months WildFire has been deployed at a variety of full production beta test sites worldwide, and we have found the results to be more than a little eye-opening. First and foremost, literally every WildFire beta test site caught incoming malware that was previously unknown and unidentified in the industry. In fact, 57 percent of the malware that WildFire detected had no coverage on, or had not been seen by, VirusTotal at the time of discovery. Again, these are production networks, not honeypots or lab experiments, so they represent the types of activity that likely go unnoticed throughout enterprise networks today. Here are a few other interesting stats and findings from the beta tests:

  • 7% of unknown files encountered in the wild were found to be malware.
  • 21% of newly discovered malware generated unknown traffic.
  • More than 5,000 samples used a non-standard port.
  • Specific phishing campaigns were found to have affinity for particular applications, with one phisher using AOL-Mail and another using the Hotfile file transfer application.

These results are just the tip of the iceberg, and we will continue to keep you updated with interesting findings. However, the most important findings will be the ones on your network, and since all of these WildFire features are available today, free of charge, as part of PAN-OS 4.1, there’s no reason not to start actively finding and stopping malware on your networks. Happy hunting.

1 Reader Comment

  1. Very cool function for IT security. I tested this function for a few days and found an unknown security threat that spread using the update process of apps :).

    Korean IT security was harmed by the above attack, and important and huge information was leaked. So I think that will affect the Korean security market.

    Good work!
