Advanced Threat Prevention Detection Services

Where Can I Use This?
  • Prisma Access
  • NGFW
What Do I Need?
  • Advanced Threat Prevention or Threat Prevention License
Advanced Threat Prevention is an intrusion prevention system (IPS) solution that can detect and block malware, vulnerability exploits, and command-and-control (C2) traffic across all ports and protocols, using a multi-layered prevention system with components operating on the firewall and in the cloud. The Threat Prevention cloud operates a multitude of detection services that use the combined threat data from Palo Alto Networks services to create signatures. Each signature describes a specific identifiable pattern, and the firewall uses these signatures to enforce security policies when matching threats and malicious behaviors are detected. Signatures are categorized by threat type and are assigned unique identifier numbers. To detect threats that correspond with these signatures, the firewall operates analysis engines that inspect and classify network traffic exhibiting anomalous traits.
In addition to the signature-based detection mechanism, Advanced Threat Prevention provides an inline detection system to prevent unknown and evasive C2 threats as well as command injection and SQL injection vulnerabilities. The Advanced Threat Prevention cloud operates extensible deep learning models that enable inline analysis capabilities on the firewall, on a per-request basis, to prevent zero-day threats from entering the network and to distribute protections. This allows you to prevent unknown threats through real-time traffic inspection using inline detectors. These deep learning, ML-based detection engines in the Advanced Threat Prevention cloud analyze traffic for unknown C2, SQL injection, and command injection vulnerabilities to protect users against zero-day threats. Because the detection engines run in the cloud, you get access to a wide array of detection mechanisms that are updated and deployed automatically, without requiring you to download content packages or to operate process-intensive, firewall-based analyzers that consume resources. The cloud-based detection engine logic is continuously monitored and updated using C2 traffic datasets from WildFire, with additional support from Palo Alto Networks threat researchers, who provide human review for highly accurate detection enhancements. Advanced Threat Prevention's deep learning engines support analysis of C2-based threats over HTTP, HTTP2, SSL, unknown-UDP, and unknown-TCP applications. Additional analysis models are delivered through content updates; enhancements to existing models, however, are performed as a cloud-side update and require no firewall update. Advanced Threat Prevention is enabled and configured under the Inline Cloud Analysis tab located in the Anti-Spyware security profile.
Palo Alto Networks also offers the Threat Prevention subscription, which does not include the cloud-based features found in the Advanced Threat Prevention license.
The threat signatures used by the firewall are broadly categorized into three types: antivirus, anti-spyware, and vulnerability. Each type is used by the corresponding security profile to enforce user-defined policies.
Palo Alto Networks cloud-delivered security services also generate WildFire and DNS C2 signatures for their respective services, as well as file-format signatures, which can designate file types in lieu of threat signatures; for example, as signature exceptions.
  • Antivirus signatures detect various types of malware and viruses, including worms, trojans, and spyware downloads.
  • Anti-Spyware signatures detect C2 spyware on compromised hosts attempting to phone home or beacon out to an external C2 server.
  • Vulnerability signatures detect attempts to exploit system vulnerabilities.
Signatures have a default severity level with an associated default action; for example, in the case of a highly malicious threat, the default action is Reset Both. This setting is based on security recommendations from Palo Alto Networks.
In deployments where specialized internal applications are present, or where third-party intelligence feeds provide open-source Snort and Suricata rules, custom signatures can be created for purpose-built protection.
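Converting a third-party Snort or Suricata rule into a custom signature starts with pulling the fields a signature needs (identifier, revision, description, match contents, modifiers, classification and priority) out of the rule text. The following Python parser is an added example, not code from the original page or from Palo Alto Networks; the sample rule is constructed for this example, and the priority-to-severity mapping is an assumption, not a vendor definition. It handles the quoting pitfalls a naive `split(';')` gets wrong, such as semicolons inside quoted `msg` or `content` values.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample rule in Snort/Suricata format (not a real vendor or
# community signature); it exists only to exercise the parser below.
SAMPLE_RULE = (
    'alert http $HOME_NET any -> $EXTERNAL_NET any '
    '(msg:"EXAMPLE Beacon; staging host"; flow:established,to_server; '
    'content:"User-Agent|3a 20|ExampleAgent"; http_header; nocase; '
    'classtype:trojan-activity; sid:9000001; rev:2; priority:1;)'
)

# Rule header: action proto src sport direction dst dport ( options )
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<options>.*)\)\s*$'
)

@dataclass
class ParsedRule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    msg: str = ""
    sid: Optional[int] = None
    rev: Optional[int] = None
    classtype: str = ""
    priority: Optional[int] = None
    contents: List[str] = field(default_factory=list)   # content:"..." patterns
    flags: List[str] = field(default_factory=list)      # bare modifiers (nocase, http_header, ...)
    other: Dict[str, str] = field(default_factory=dict)  # remaining key:value options

def split_options(options: str) -> List[Tuple[str, Optional[str]]]:
    """Split the option body on ';' while respecting quotes and backslash escapes."""
    tokens: List[str] = []
    buf: List[str] = []
    in_quote = False
    escape = False
    for ch in options:
        if escape:
            buf.append(ch)
            escape = False
        elif ch == '\\':
            buf.append(ch)
            escape = True
        elif ch == '"':
            in_quote = not in_quote
            buf.append(ch)
        elif ch == ';' and not in_quote:
            token = ''.join(buf).strip()
            if token:
                tokens.append(token)
            buf = []
        else:
            buf.append(ch)
    tail = ''.join(buf).strip()
    if tail:
        tokens.append(tail)
    # Only the first ':' separates key from value; values may contain ':' themselves.
    result: List[Tuple[str, Optional[str]]] = []
    for token in tokens:
        key, sep, value = token.partition(':')
        result.append((key.strip(), value.strip() if sep else None))
    return result

def parse_rule(rule: str) -> ParsedRule:
    """Parse one Snort/Suricata rule line; raises ValueError on a malformed header."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Snort/Suricata rule header")
    r = ParsedRule(action=m['action'], proto=m['proto'], src=m['src'], sport=m['sport'],
                   direction=m['dir'], dst=m['dst'], dport=m['dport'])
    for key, value in split_options(m['options']):
        if value is None:
            r.flags.append(key)
        elif key == 'msg':
            r.msg = value.strip('"')
        elif key == 'sid':
            r.sid = int(value)
        elif key == 'rev':
            r.rev = int(value)
        elif key == 'classtype':
            r.classtype = value
        elif key == 'priority':
            r.priority = int(value)
        elif key == 'content':
            r.contents.append(value.strip('"'))
        else:
            r.other[key] = value
    return r

# Illustrative mapping (an assumption for this example, not a vendor definition)
# from Snort/Suricata priority to a coarse severity label for a custom signature.
PRIORITY_TO_SEVERITY = {1: "critical", 2: "high", 3: "medium", 4: "low"}

def severity_for(rule: ParsedRule) -> str:
    if rule.priority is None:
        return "informational"
    return PRIORITY_TO_SEVERITY.get(rule.priority, "low")

if __name__ == "__main__":
    parsed = parse_rule(SAMPLE_RULE)
    print(parsed.sid, parsed.rev, parsed.classtype, severity_for(parsed), parsed.contents)
```

The `sid` and `rev` pair is what you would track against the upstream feed so a custom signature can be retired or updated when the source rule changes; the `contents` and `flags` lists are the parts that actually become match conditions.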
Firewalls receive signature updates in the form of two update packages: the daily Antivirus Content and weekly Application and Threats Content updates. The antivirus content updates include antivirus signatures and DNS (C2) signatures used by antivirus and anti-spyware security profiles, respectively. Content updates for applications and threats include vulnerability and anti-spyware signatures, used by the vulnerability and anti-spyware security profiles, respectively. The update packages also include additional content leveraged by other services and sub-functions. For more information, refer to Dynamic Content Updates.
