Runtime defense for hosts

Without secure hosts, you cannot have secure containers. Host machines are a critical component in the container environment, and they must be secured with the same care as containers. Prisma Cloud Defender collects data about your hosts for monitoring and analysis.
Runtime host protection is designed to continuously report an up-to-date context for your hosts. You can set detection for malware, network, log inspection, file integrity, activities and custom events. Some of the detected events can only be alerted on, while others can be prevented.

Host runtime policy

By default, Prisma Cloud ships with an empty host runtime policy. An empty policy disables runtime defense entirely.
Creating a new rule enables runtime defense. When Defender is installed, it automatically starts collecting data about the underlying host. To create a rule, open Console, go to
Defend > Runtime > Host Policy
, and click
Add rule
. Create new rules to enhance host protection.
  • Rules are assigned with names to provide an indication of target of each rules.
  • The scope of each rule is determined by the collection assigned to that rule.
  • Prisma Cloud uses rule order and pattern matching to determine which rule to apply for each workload.
Anti-malware provides a set a capabilities that lets you alert or prevent malware activity and exploit attempts.
The
Prevent
action for detection of file system events requires a Linux kernel version 4.20 or later.

Anti-malware

Global settings

  • Alert/prevent processes by path
     — Provides the ability to alert on or prevent execution of specific processes based on the processes name or the full path of binary from which the process is executed. Some of the common tools are available for easy addition by selecting their category.
  • Allow processes by path
     — Provides the ability to mark processes as safe to use based on the process name or full path. Processes added to this list will not be alerted on or prevented by any of the Malware runtime capabilities.
    The above two fields are evaluated together to create a resultant policy:
    Final allowed paths
    =
    Allow paths
    -
    Alert/prevent paths

Anti-malware and exploit prevention settings

  • Crypto miners
     — Apply specific techniques for detection of crypto miners, alert on file creation, and alert or prevent their execution.
  • Non-packaged binaries created or run by service
     — Detect binaries created by a service without a package manager. Alert on file creation, and alert or prevent their execution.
    Defender must be running when a file is written to detect its source.
    To detect binaries that have been deployed without a package manager, Prisma Cloud depends on the package manager on the host. Currently, apt, yum, and dnf are supported.
  • Non-packaged binaries created or run by user
     — Detect binaries created by a user without a package manager. Alert on file creation, and alert or prevent their execution.
    Defender must be running when a file is written to detect its source.
    To detect binaries that have been deployed without a package manager, Prisma Cloud depends on the package manager on the host. Currently, apt, yum, and dnf are supported.
  • Processes running from temporary storage
     — Detect processes running from temporary storage (unexpected behavior for legitimate processes). Alert/prevent on file creation or execution.
  • Webshell attacks
     — Detect abuse of web servers vulnerabilities to create a webshell. Alert on webshell creation and and alert or prevent execution of linux command line tools from web servers.
  • Reverse shell attacks
     — Detect usage of reverse shell and generate an alert.
  • Execution flow hijack
     — Detect execution flow hijack attempt and generate an alert.
  • Encrypted/packed binaries
     — Detect usage of encrypted/packed binaries and generate an alert. Such files are alerted on as encrypted and packed binaries may be used as a method to deploy malware undetected.
  • Binaries with suspicious ELF headers
     — Detect suspicious binaries for ELF headers and generate an alert.
  • Malware based on custom feeds
     — Generate alerts for files classified as malware by their MD5
  • Malware based on Prisma Cloud advanced threat
     — Generate alerts for files classified as malware by Prisma Cloud advanced intelligence feed

Advanced malware analysis

  • Malware based on WildFire analysis
     — Use WildFire, Palo Alto Networks' malware analysis engine, to detect malware and generate alerts. Currently Wildfire analysis is provided without additional costs, but this may change in future releases. To use Wildfire, it must first be enabled.

Host observations

  • Track SSH events
     — As part of the host observation capability, we are also full tracking all SSH activities, which is enabled by default in new rules. Tracking can be disabled via this toggle.

Networking

Networking provides customers high level of granularity in controlling network traffic based on IP, port and DNS. Customers can use their own custom rules or use Prisma Cloud advanced threat protection to alert on or prevent access to malicious sites.

IP connectivity

  • *Allowed IPs: — create an approved list of IPs which access to will not generate an alert.
  • Denied IPs and ports
     — Create lists of listening ports, outbound internet ports and outbound IPs which access to would generate an alert.
  • Suspicious IPs based on custom feed
     — Generate alerts based on entries added to the list of suspicious or high risk IP endpoints under
    Manage > System > Custom feeds > IP reputation lists
  • Suspicious IPs based on Prisma Cloud advanced threat protection
     — Generate alerts based on the Prisma Cloud advanced threat protection intelligence stream.

DNS

When DNS monitoring is enabled, Prisma Cloud filters DNS lookups. By default, DNS monitoring is disabled in new rules.
  • Allowed domains
     — Create an approved list of domains which access to will not generate an alert or be prevented.
  • Denied domains
     — Create a list of denied domains which access to will be alerted or prevented.
  • Suspicious domains based on Prisma Cloud Advanced threat protection
     — Generate alerts or prevent access to domains based on the Prisma Cloud advanced threat protection intelligence stream.

Log inspection

Prisma Cloud lets you collect and analyze logs from operating systems and applications for security events. For each inspection rule, specify the log file to parse and any number of inspection expressions. Inspection expressions support the RE2 regular expression syntax.
A number of predefined rules are provided for apps such as sshd, mongod, and nginx.
Regardless of the specified inspection expression, log inspection has the following boundaries.
  • The maximum amount of bytes read per second is 100.
  • The maximum amount of bytes in a chunk read per second is 2048.
These boundaries are non-customizable.

File integrity management (FIM)

Changes to critical files can reduce your overall security posture, and they can be the first indicator of an attack in progress. Prisma Cloud FIM continually watches the files and directories in your monitoring profile for changes. You can configure to FIM to detect:
  • Reads or writes to sensitive files, such as certificates, secrets, and configuration files.
  • Binaries written to the file system.
  • Abnormally installed software. For example, files written to a file system by programs other than apt-get.
A monitoring profile consists of rules, where each rule specifies the path to monitor, the file operation, and exceptions.
The file operations supported are:
  • Writes to files or directories. When you specify a directory, recursive monitoring is supported.
  • Reads. When you specify a directory, recursive monitoring isn’t supported.
  • Attribute changes. The attributes watched are permissions, ownership, timestamps, and links. When you specify a directory, recursive monitoring isn’t supported.

Activities

Set up rules to audit host events.

Custom rules

For details on custo