Palo Alto Networks aspires to anti-malware defense role with WildFire

LAS VEGAS -- Palo Alto Networks wants its next-generation firewall to be the center of enterprise security, giving it a malware-detection and analysis capability called WildFire that's intended to inspect all traffic passing through the firewall to detect targeted attacks within 30 minutes.

"The firewall is the most pervasive network security device you have," said Lee Klarich, vice president of product management at Palo Alto Networks, in his presentation on the array of new Palo Alto next-generation products released this week, including the company's first virtualized next-generation firewall. But here at Palo Alto's first customer conference, called Ignite, the company also made it clear it wants to be a significant player in malware detection, with its WildFire cloud-based service intended to identify targeted zero-day malware attacks against Palo Alto customers.

BACKGROUND: Palo Alto Networks targets VMware shops with virtualized next-gen firewall

WildFire was introduced as a free service for customers with Palo Alto NGFWs, monitoring for what could be zero-day malware attacks. It is now ready not only to detect malware but also to block it, and it is being offered as a subscription-based service, Klarich said.

"It has to be preventative. If all we do is tell you something bad happened, you have to close it down, you'll stop using it," he said.

The WildFire detection component resides in the NGFW, looks at all the traffic passing through, and copies the executables it sees to a cloud-based service. Within a few minutes the service analyzes each file and, if it is deemed malicious, saves it and notifies the security manager.

But WildFire isn't necessarily going to catch things on the first try.

"At first the file goes through," said Wade Williamson, senior security analyst at Palo Alto. The idea is to identify a targeted attack as quickly as possible and generate a custom signature that blocks that specific zero-day malware in the future. However, since targeted attacks today often involve attackers rapidly changing their malware, it's an open question whether WildFire can keep up with such a bombardment, or whether security managers will always be looking in the rear-view mirror.
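The first-pass-allow behavior described above, as an added example that is not Palo Alto's code and does not reproduce WildFire's actual mechanics: a constructed model of an inline firewall that forwards a never-before-seen executable while it sends a copy to a cloud sandbox, then blocks later copies once a verdict arrives. The `CloudSandbox`, `InlineFirewall` and `run_scenario` names are hypothetical, and the sandbox's "malicious" check (a marker string in the sample) is a placeholder for real analysis. The scenario also shows the rear-view-mirror caveat: a repacked variant with a single changed byte has a new hash and passes the first time again.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class CloudSandbox:
    """Constructed stand-in for cloud analysis: verdicts are only known after
    analysis completes, i.e. after the file has already reached the endpoint."""
    pending: Dict[str, bytes] = field(default_factory=dict)   # sha256 -> sample awaiting analysis
    verdicts: Dict[str, str] = field(default_factory=dict)    # sha256 -> "malicious" | "benign"

    def submit(self, sha256: str, data: bytes) -> None:
        # Only analyze each distinct hash once.
        if sha256 not in self.verdicts and sha256 not in self.pending:
            self.pending[sha256] = data

    def analyze_pending(self) -> List[str]:
        """Simulate analysis finishing; return hashes newly judged malicious.
        Hypothetical heuristic: a sample containing b"EVIL" is malicious."""
        flagged = []
        for sha256, data in self.pending.items():
            verdict = "malicious" if b"EVIL" in data else "benign"
            self.verdicts[sha256] = verdict
            if verdict == "malicious":
                flagged.append(sha256)
        self.pending.clear()
        return flagged


@dataclass
class InlineFirewall:
    """Inline inspection point: blocks known-bad hashes, forwards everything
    else on first sight while submitting a copy for analysis."""
    sandbox: CloudSandbox
    block_list: Set[str] = field(default_factory=set)          # hashes with a malicious verdict
    log: List[Tuple[str, str, str]] = field(default_factory=list)

    def inspect(self, filename: str, data: bytes) -> str:
        sha256 = hashlib.sha256(data).hexdigest()
        if sha256 in self.block_list:
            action = "blocked"
        else:
            action = "allowed"            # first sighting: the file goes through
            self.sandbox.submit(sha256, data)
        self.log.append((filename, sha256[:12], action))
        return action

    def pull_verdicts(self) -> int:
        """Turn finished sandbox verdicts into a hash-based block signature."""
        newly_flagged = self.sandbox.analyze_pending()
        self.block_list.update(newly_flagged)
        return len(newly_flagged)


def run_scenario() -> Tuple[str, str, str, str]:
    """Constructed sequence: same dropper twice, then a one-byte variant twice."""
    fw = InlineFirewall(CloudSandbox())
    dropper = b"MZ...EVIL payload v1"                 # constructed sample, not real malware

    first = fw.inspect("invoice.exe", dropper)        # unseen hash: forwarded, copy submitted
    fw.pull_verdicts()                                # cloud verdict arrives, hash now blocked
    second = fw.inspect("invoice.exe", dropper)       # same bytes: blocked by hash signature

    variant = dropper + b"\x00"                       # attacker repacks: new hash, same behavior
    third = fw.inspect("invoice2.exe", variant)       # signature misses it; forwarded again
    fw.pull_verdicts()
    fourth = fw.inspect("invoice2.exe", variant)      # only the second copy is stopped
    return first, second, third, fourth


if __name__ == "__main__":
    print(run_scenario())
```

The outcome is `allowed, blocked, allowed, blocked`: each distinct build of the malware gets one free pass, which is exactly the lag the article questions. A hash-exact signature only closes the window for that one sample; keeping up with rapidly changing malware requires verdicts that generalize beyond the hash.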

WildFire technology is being used already by Palo Alto customers, among them Concord Hospital. Conference attendee Mark Starry, director of architecture and security at Concord Hospital, said WildFire has detected a few attacks, although from time to time the technology may simply result in false positives. Nevertheless, the healthcare organization, which has migrated over the past few years from competing firewall products to use of the Palo Alto application-aware firewalls, finds WildFire to be well worthwhile as an additional threat-detection tool.

Klarich said 973 Palo Alto NGFW customers now use WildFire, and over the past year, WildFire has scanned millions of files passing through customer networks, finding nearly 170,000 of them were malware, and 69,111 of these were zero-day malware not detected by the host antivirus companies at the time.

Klarich further piled on the antivirus vendors, saying that days go by and the A/V vendors still don't have coverage for 40% of the malware Palo Alto is finding. But it's the first 24 hours that matter in responding to any attack that penetrates the corporate network, he said.

In spite of its tough words for antivirus vendors, Palo Alto says it regards WildFire as an addition to network defense, not a substitute for antivirus software. Klarich acknowledged WildFire still remains an evolving threat-detection service.

Palo Alto's stance is that its NGFW can and should be the cornerstone of an expanding range of defenses based on application-aware controls and features such as URL and reputation-based filtering, which Palo Alto said this week it is now doing based on its own research and development rather than relying on third-party licensing.

But in an age when companies are coming to grips with an influx of mobile devices, including Google Android and Apple iOS smartphones and tablets, often under "bring your own device" policies, it's an open question how successful a strategy can be that relies on pushing traffic through corporate firewalls to enforce security policies.

Palo Alto does have client software called GlobalProtect for Windows and Mac computers that can direct remote traffic to the firewall for application-aware security, and versions for Apple iOS and Google Android that connect via IPsec.

Mike Dundas, senior manager, security architecture at TD Bank, who yesterday spoke at the Ignite user conference about the bank's global rollout and centralized management of Palo Alto NGFWs, pointed out the application-aware firewalls are playing a key role in understanding if TD Bank is being attacked. But he acknowledged his firm is grappling with the BYOD question.

"We're just exploring BYOD," Dundas noted, adding that the bank does use some tablets. TD Bank is not using Palo Alto's client software, but that is under consideration, as is another vendor's mobile-device management software. Next year is when TD Bank wants to finalize its security approach to BYOD and mobile, said Dundas.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: @MessmerE. Email:
