By Larry Hoehn, Enterprise Solutions Architect
When most people think of endpoint protection, they think of antivirus software. But a targeted attack can use a new threat that has no signature yet, or embed malicious content in an iFrame, and bypass antivirus software entirely.
Palo Alto Networks acquired Cyvera and branded this product as ‘Traps’. You may have seen similar products on the market, like Microsoft EMET. However, Traps integrates into WildFire, Palo Alto Networks’ sandboxing technology. Plus it’s a mature product, as you’ll see below.
Traditional antivirus-based protection is based on signatures – it requires prior knowledge of the threat in order to be effective. According to Palo Alto Networks, over 20,000 new forms of malware are created per day. Antivirus-based solutions have to build signatures against all of those new forms, then distribute those signatures out to all the endpoints. This takes time and has a negative impact on the effectiveness of many antivirus solutions.
Traps is very effective against zero-day attacks. The attacker runs into one of the exploit prevention modules within Traps, the process gets terminated, the user is alerted that an attack was prevented, and the administrator receives an alert. Traps collects forensics and provides them to the administrator.
Traps is a very thin client on the endpoint (Windows only at this time, but including XP, 7, 8, 2003, 2008 and 2012). When a new process is opened, Traps injects prevention modules into that process. This prevents the attacker from using a couple dozen different techniques available in their arsenal.
If you are looking for a way to extend the lifespan of Windows XP or 2003 in your environment, Traps may be for you, since Microsoft isn’t patching those operating systems anymore.
With Traps, malware prevention is accomplished through a series of policies on the endpoint that significantly limit the risk of inadvertently downloading malware. As previously mentioned, Traps integrates with WildFire to determine whether a file is known to be malicious. Traps then uses malware prevention modules to ensure that the malware never executes.
Traps is available in a one, three or five-year subscription. The price is different for workstation protection vs. server protection.
To summarize, Traps blocks known and unknown exploits, known and unknown malware, and provides forensics that can be used to protect the rest of the organization. Let me know your thoughts, especially if you’ve investigated or implemented a solution that provides this type of endpoint protection.