Palo Alto
Networks the next-generation security company, today announced advancements to
its Next-Generation Security Platform
that provide customer organizations with the ability to prevent the theft and
abuse of stolen credentials, one of the most common methods cyber adversaries
use to successfully compromise and maneuver within an organization to steal
valuable assets.
The majority
of breaches involve password theft at some stage of the attack lifecycle. According
to the 2016 Verizon Data Breach Incident Report (DBIR), nearly two-thirds of
the breaches analyzed were, in some part, the result of stolen credentials.
Because the vast majority of organizations continue to use simple
password-based credentials as the primary means of enabling user access to
systems, it is often easier for an attacker to steal passwords
than it is to find and hack a vulnerable system or successfully bypass malware detection
and threat prevention technologies.
Traditional approaches to stopping credential phishing are rudimentary, manual,
limited, and rely primarily on educating employees and classifying a phishing
site before someone encounters it. If the organization’s security products miss
a new phishing site, the only recourse is hoping the user doesn’t proceed to
enter his or her credentials.
Further,
password-only-based approaches to authentication remain very common due to the
traditional complexities of implementing multi-factor authentication, leaving
many applications exposed to simple credential abuse-based access by attackers.
Palo Alto
Networks now delivers the industry’s first multi-method, scalable and automated
approach designed to prevent credential-based attacks. These capabilities,
delivered from the next-generation firewall, prevent the theft and abuse of
stolen credentials and complement additional malware and threat prevention and
secure application enablement functionality, to extend customer organizations’
ability to prevent cyber breaches.
“Credential
theft has been a challenge for countless organizations around the world. Palo
Alto Networks is bringing to market a unique approach to intercepting the problem
at the network level. When this feature is tightly integrated with identity access
management solutions, organizations can make significant progress towards
ending credential theft,” said Jeff Wilson, senior research director,
Cybersecurity Technology, IHS Markit.
Among the
more than 70 new features introduced to the Next-Generation Security Platform
as part of PAN-OS security operating system version 8.0, credential theft
prevention feature highlights include:
Automatically identify and block phishing sites by sending suspicious
links from emails to the WildFire™ service for enhanced machine learning-based
analysis. If the site is determined to be phishing, PAN-DB will automatically
update the phishing URL category, block the site, and prevent users from
accessing it.
Prevent
users from submitting credentials to phishing sites; by integrating with User-ID™
technology, the firewall can recognize the movement of enterprise credentials
in the traffic. If a user unknowingly attempts to transmit a username and
password to an unauthorized site, policies within the firewall can alert or
drop the traffic and stop the transmission of corporate credentials.
Prevent
the use of stolen credentials by providing a policy-based multi-factor
authentication framework natively in the next-generation firewall. This unique
capability makes it easy to enforce multi-factor authentication from the
firewall to stop cyber adversaries from moving laterally in a network
and accessing sensitive resources with the help of stolen credentials or
compromised endpoints. This is achieved by working at the network
level in conjunction with authentication and identity management frameworks,
such as single sign-on and multi-factor authentication, and integrating with a
number of next-generation identity access management vendors, including Okta®,
Ping Identity® and Duo
Security, as well as policy enforcement tools. In addition to simplifying the overall
administrative overhead, with this new
centralized policy-based approach in PAN-OS 8.0, administrators will now be
able to protect internal and custom applications with multi-factor
authentication, a step that is often impossible to deploy with today’s existing
tools.
PAN-OS
8.0 is now available globally to customers of Palo Alto Networks with a current
support contract.
To learn more
about the PaloAlto Networks Next-Generation SecurityPlatform, visit: https://www.paloaltonetworks.com/products/platforms.html.