
Palo Alto says its new endpoint protection tool can stop the bad stuff in its tracks

John Dix | Nov. 13, 2014
“Traps” focuses on how exploits work, not their signature.

So let's say there was a weakness in an Adobe PDF file and someone has initiated an exploit to try and take advantage of that weakness. As they go through the steps of that exploit, they would run into one of our exploit prevention modules within Traps and, as soon as they do, our product will shut down that process and alert the user that an attack was prevented and then also alert the admin. Then we collect a package of forensics, including memory state, etc., and provide it to the admin so they know the details of the attack, what user they were going after, what file they were using, etc.

And it is client-based?
Right. Traps is a very thin client that lives on the endpoint itself. One of our criteria was this couldn't be some big, heavy, resource-intensive type of technology. It literally consumes only 5MB of memory and about a tenth of one percent on average of CPU utilization. And it basically sits on that endpoint and anytime a new process is opened we inject what we call prevention modules into that process. So the second an attacker tries to utilize one of these known techniques they will run into one of our prevention modules and the attack is prevented.

How can you possibly account for all the different approaches that a vulnerability exploit would attempt?
Right now there are a total of 24 techniques that attackers have at their disposal to try and exploit a system, so we have that covered. These techniques are pretty hard science. It's rare if you see two or three new techniques emerge within a year's period of time. In fact, in the release that we announced we added three new prevention modules against three new techniques that emerged and those are the first techniques that we've seen in two years.

The vast majority of the techniques come out of academia. Someone in academia will be studying different processes, then publish a paper and attackers get a hold of that and, voila, they've got a new technique at their disposal. So we've been working very closely with academia to make sure that, as these things are being researched, we're also building prevention modules against them so that when they publish their paper we also have modules built against those new techniques.

I suspect it will probably be another eight to twelve months or so before we see another one of these techniques emerge. They don't happen that often.

I presume the tool is operating system dependent.
Correct. We support Windows XP, Windows 7 and Windows 8 on the workstation side, and on the server side it's Windows Server 2003, 2008 and 2012. It sits well below the application stack so it's independent of the applications themselves. So we support any kind of application that works on top of a Microsoft Windows environment.
