Dec 09, 2015 By Jean-Paul Bergeaux In Blog

Solutions for Endpoint Problems: Digging into MeriTalk’s Federal Survey

Palo Alto Networks has been working hard to solve agencies’ endpoint problems with Traps™, its new next-generation endpoint product.  It’s a good product to look at.

Recently, the Palo Alto Public Sector team hired MeriTalk to survey federal managers and employees and produce a report on endpoint security.  The report offers some recommendations that we at SwishData support:

  • Identify All Connected Assets
  • Patch Vulnerabilities
  • Implement Endpoint Security for Zero Day Threats
  • Require End-User Training
  • Vaccinate Your Endpoints

Most of these are features that Palo Alto’s endpoint system can help with, but there are some additional solutions that can assist federal agencies.  Here are some ideas to make these recommendations even more successful in securing your endpoints.

Identify All Connected Assets. Sounds good, but how?  One way is a solution like ForeScout Technologies’ CounterACT™ system and RedSeal Networks’ network mapping tools.  These two working in concert help significantly.  A ForeScout video provides a good explanation of how CounterACT and McAfee’s DXL combined with ePO can create an underlying architecture to accomplish this.

Patch Vulnerabilities. Sounds simple, but pushing out patches in a large network for every single vulnerability discovered by scanners like Tenable’s Nessus and endpoint management tools like Tanium and CloudHASH is daunting.  How do you prioritize?

If you simply try to digest all of them at once, you may not patch quickly enough.  One way to prioritize is through RedSeal.  It digests vulnerability scan outputs and network configuration data and then displays both a map of the network and a heat map of the most pressing concerns for the most important data.  This makes patching less daunting and more effective.

The second challenge is how to patch.  Push through Microsoft administrative tools?  There are several tools out there that allow you to solve these issues, usually falling under the incident response category.  Currently, my favorite is CloudHASH, with the caveat that it needs McAfee ePO.

Implement Endpoint Security for Zero-Day Threats. Sounds easy, and many claim to do it.  Truth is no one can guarantee finding true zero-day threats.  The reality is that you need a combination of endpoint IOC monitoring, scheduled queries from a product like Tanium, network monitoring for C&C traffic and a quality sandbox that does both dynamic AND static analysis. Preventing the initial infection of a zero day is nearly impossible, despite what many claim, but catching the infection and activity quickly is possible.  Organizations can contain lateral infections by using an integration of the above products that utilize automation and orchestration in response.  One key to this is being able to quarantine or off-line infected systems with EXTERNAL controls over the infected box through something like ForeScout’s CounterACT.

Require End-User Training. This isn’t a technological solution, but it is one of the most critical activities.  I jokingly call users the “layer 8 vulnerability,” but they are indeed the biggest threat to an agency’s network security.  Hackers tend to be really good con men.  Witness the success of the recent phishing attack against many agencies and the Verizon DBIR report that validates phishing attacks as the most common high-profile breach method.

Vaccinate Your Endpoints. This means information sharing inside an organization, or “Local Threat Intelligence,” for quick incident response.  Too many times, a breach is detected and the single endpoint is cleaned up too slowly, while other endpoints are not patched, queried for IOCs, and cleaned up quickly, if at all.  Many organizations pay huge sums to companies such as Mandiant and CrowdStrike because this process is difficult to do manually.  Automation and orchestration are needed to achieve incident response effectively in a large enterprise.  Unfortunately, achieving automation and orchestration is not easy.
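The “vaccination” step above, and the external quarantine described under zero-day threats, as an added example that is not part of the original post or any of the products it names: the IOCs extracted from the first confirmed infection are swept across every other endpoint’s telemetry, and the hits are turned into isolation actions for an external control point. All hosts, hashes, domains and addresses are constructed sample data.

```python
"""Local threat intelligence sweep: check IOCs from patient zero against
the rest of the fleet so infected peers are found and isolated together."""
from dataclasses import dataclass, field


@dataclass
class Indicators:
    """IOCs extracted from the first confirmed infection."""
    hashes: set = field(default_factory=set)
    domains: set = field(default_factory=set)
    ips: set = field(default_factory=set)


@dataclass
class EndpointTelemetry:
    """What a scheduled endpoint query returns for one host."""
    host: str
    file_hashes: set
    dns_queries: set
    outbound_ips: set


def sweep(iocs, endpoints, already_contained=frozenset()):
    """Return {host: sorted matched IOCs} for every endpoint showing any IOC."""
    hits = {}
    for ep in endpoints:
        if ep.host in already_contained:
            continue
        matched = (sorted(ep.file_hashes & iocs.hashes)
                   + sorted(ep.dns_queries & iocs.domains)
                   + sorted(ep.outbound_ips & iocs.ips))
        if matched:
            hits[ep.host] = matched
    return hits


def containment_plan(hits):
    """Isolation actions for an external control (NAC/switch), not the infected host."""
    return [f"isolate {host}: {', '.join(m)}" for host, m in sorted(hits.items())]


# Constructed sample: ws-001 is patient zero; ws-002 carries the same dropper,
# ws-003 resolved the C&C domain, ws-004 is clean. Hash value is a placeholder.
IOCS = Indicators(hashes={"constructed-sha256-dropper"},
                  domains={"c2.example.invalid"}, ips={"203.0.113.45"})
FLEET = [
    EndpointTelemetry("ws-001", {"constructed-sha256-dropper"}, {"c2.example.invalid"}, {"203.0.113.45"}),
    EndpointTelemetry("ws-002", {"constructed-sha256-dropper"}, set(), set()),
    EndpointTelemetry("ws-003", set(), {"c2.example.invalid"}, set()),
    EndpointTelemetry("ws-004", set(), {"intranet.example.invalid"}, {"198.51.100.7"}),
]

if __name__ == "__main__":
    for action in containment_plan(sweep(IOCS, FLEET, already_contained={"ws-001"})):
        print(action)
```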

There are reference architectures that can combine Palo Alto NGFW, sandbox threat data (McAfee ATD, Palo Alto WildFire and FireEye NX), ForeScout Control Fabric, CloudHASH endpoint management, several major SIEMs and a McAfee infrastructure to completely automate this process in a jaw-dropping, efficient manner.  You can even add other technologies such as Brocade, Bromium, Gigamon, MaaS360, MobileIron, RedSeal, Splunk, Tenable, TrapX, and more to the reference architecture through direct and API integrations.

For more information about any of these recommendations and the reference architecture, you can contact me at for a briefing.