Stop Zero-Day Malware With Zero Stress With PAN-OS 11.0 Nova

Nov 16, 2022

Announcing the 11.0 Release of Our Industry-Leading PAN-OS

Threat actors are constantly evolving their techniques to avoid detection as they target an ever-increasing volume of vulnerabilities. In 2021, more than 11,000 new vulnerabilities were published, and attackers began scanning for some of them within 15 minutes of a CVE being announced. In this constant race between attackers and defenders, network security needs to find new ways to stay ahead. Given the sophistication of today's threat landscape, malware is more evasive than ever. It is critical for network security, and especially for traditional IPS and sandboxing solutions, to keep innovating so it can stop emerging threats for which no prior knowledge, such as a signature or a known sample, exists. Today, we're announcing PAN-OS 11.0 Nova, the next evolution of network security, which allows you to stop zero-day malware with zero stress.

The Evolution of Modern Malware

Barriers to acquiring state-of-the-art malware have lowered considerably, and malware is getting even easier to deploy thanks to "as-a-service" offerings. Attackers now leverage frameworks such as Cobalt Strike, Metasploit and Sliver, whose built-in evasion features let them bypass traditional security controls with ease. The result is a higher volume of attacks that are also significantly more difficult to prevent. In fact, we are seeing attacks that use Cobalt Strike increase by 73% year over year.

Modern malware combines evasive techniques that range from lying dormant when it senses an analysis or sandbox environment to performing its malicious activity entirely in memory, leaving little or nothing on disk for file-based inspection to catch. This puts significant strain on network defenders to prevent attacks and to rapidly close the gap between detection and prevention.

Zero-Day Exploits on the Rise

Beyond the uptick in the volume and sophistication of attacks, there has been a significant increase in the use of zero-day exploits; in fact, we have seen a 100% YoY increase. This is partly due to the rising popularity of injection attacks, one of the most common methods attackers use to gain initial access to a network and a category that ranks in the Open Web Application Security Project (OWASP) "Top 10 Web Application Security Risks" list. Furthermore, threat actors are able to exploit these vulnerabilities faster than software vendors can patch them, creating a window of exposure in which organizations are left vulnerable. Once in, attackers leverage popular red team tools, like Cobalt Strike, for further exploitation (e.g., data theft, command-and-control and other malicious activity, such as hijacking infrastructure for crypto-mining). Network security must evolve to prevent further exploitation of both known and zero-day vulnerabilities.

Raising the Bar in Network Security

Earlier this year, we introduced PAN-OS 10.2 Nebula. Nebula was a monumental leap forward, giving organizations around the world the protection they need and, we believe, they deserve. Nebula enabled organizations to stay ahead of emerging threats by introducing, for the first time, inline deep learning.

By applying deep learning inline, in real time, to network traffic, we can detect and prevent new threats, including previously unseen malware variants. Introducing these inline deep learning capabilities in Nebula marked a shift in network security, allowing us to stop unknown attacks as they happen rather than only remediating them after the fact.

But, the innovation can’t stop there. Threat actors continue to find new ways to fly under the radar of security defenses and penetrate networks. They continue to innovate, change and adapt. Network security must continue to do the same. It’s time for something new.

Say Hello to Nova

Just as early astronomers believed novas were new stars because of how brightly they lit up the night sky, PAN-OS 11.0 Nova brings new security innovations that shine a light on unknown threats. As the newest version of Palo Alto Networks' best-in-class PAN-OS®, Nova extends our industry-leading inline deep learning capabilities to stop even more highly evasive, zero-day threats.

Nova not only lays the foundation for modern-day network security by continuously protecting against zero-day threats, it also raises the bar for how organizations can proactively improve cyber hygiene and simplify their security architectures. Nova includes many innovations:

Security Against Zero-Day Threats
  • Modern malware is increasingly evasive. Our new Advanced WildFire uses multiple patented detection techniques, including intelligent runtime memory analysis, to detect and prevent 26% more evasive malware than traditional sandboxing solutions. Because its analysis techniques are stealthy, Advanced WildFire can inspect memory-resident malicious activity that sandbox-aware samples would otherwise hide, at cloud scale, and analyze files submitted by 85,000+ customers to deliver protections in near-real time across network, cloud and endpoint. We are able to do this with a cutting-edge infrastructure that spans 10+ cloud locations across the globe for low latency and uses cloud-delivered detections to analyze 80M+ unique files per day.
  • Building on the inline deep learning capabilities introduced in PAN-OS 10.2 Nebula, we are introducing new, cloud-delivered detections in Advanced Threat Prevention that stop 60% more zero-day injection attacks than traditional IPS solutions, all in real time. This enhanced service reimagines the Intrusion Prevention System (IPS) with industry-first inline capabilities for stopping zero-day injection attacks.
Simplified and Consistent Security
  • Nova introduces natively integrated web proxy capabilities for NGFW customers migrating from legacy on-prem proxy solutions. With a single vendor supporting both firewall and proxy needs, customers benefit from a single management platform and consistent security across campus locations, branches and mobile users.
  • Next-Generation CASB (Cloud Access Security Broker), natively integrated with ML-Powered NGFWs and Prisma SASE, now includes all-new SaaS Security Posture Management (SSPM) to help find and eliminate dangerous misconfigurations in 60+ enterprise SaaS apps. Customers also get near-real-time data protection in modern collaboration apps and detection of suspicious user behavior, protecting sensitive data in modern SaaS apps from compromised accounts and insider threats.
Stronger Cyber Posture
  • AIOps for NGFW, launched earlier this year to reduce the misconfigurations that can lead to security breaches, now processes 29B metrics across 50,000 firewalls and proactively shares 24,000 misconfigurations and other issues with customers for resolution every month. With Nova, AIOps is even more proactive: it now flags violations of best practices and lets administrators remediate inefficiencies in security policies before changes are committed, helping organizations strengthen their defenses against cyberattacks.

As George Bernard Shaw once said, “Progress is impossible without change.” At Palo Alto Networks, we have always believed in changing our industry for the better. To learn more about our newest innovations and how we’re pushing the boundaries of network security, register for our launch event, Stop Zero-Day Malware with Zero Stress, on January 31, 2023.
