BUYERS GUIDE:

CYBERSECURITY

The definitive guide for evaluating

cybersecurity solutions

Palo Alto Networks | Cybersecurity Buyers Guide 1

 Cyber criminals constantly innovate their threat
tactics to more efficiently breach organizations
and make off with valuable data. As cybercrime
evolves, we see increased innovation in the
hacking tools and techniques used to evade
known security mechanisms. In the past few
years, we have seen more advanced, targeted
attacks, where hackers spent ample time
investigating the target and tailoring the threat.

Keeping up with new attack techniques, and

effectively defending against advanced threats,
is perhaps the biggest challenge facing security
teams today. In a world of cyberthreats where
the only constant is change, architecting a
cybersecurity solution that dynamically adapts
to constant change is crucial.

Palo Alto Networks | Cybersecurity Buyers Guide 2

 Introduction
Cybersecurity is one of the hottest topics today. Corporate breaches in the headlines
have turned hackers into the new super villains, as these dedicated, organized, and well-
financed cyber criminals bombard organizations through ever-changing attack
tools and vectors.

The attacks themselves are more complex too, composed of multiple layers and
techniques, each outsourced to specialty groups, ensuring zero-day effects. This they
achieve by making sure nothing stays constant. Each stage in the attack changes by
leveraging morphing techniques, such as dynamic DNS, fresh URLs for command and
control (CnC), self-destruct tools, and more. Yesterdays zero-day code has already been
packaged and sold to other cyber criminals for use in secondary campaigns. In short,
the threat landscapes rate of change is accelerating rapidly, increasing the security gaps
organizations must deal with and leaving them more exposed than ever before.

As surprising as it may sound, the new tactics of cyber criminals are not as new as
you might think. Attackers actually recycle many of the same attack components. In
fact, as many as 90 percent of these so-called new attacks can be prevented simply
by correctly using existing security technologies as part of an end-to-end cybersecurity
plan1. Attackers typically use the most proven forms of attack because they work.
And they work because organizations are often several steps behind in patching their
systems and updating their defenses against the latest attack methods.

Cybercrime has become a booming industry, accelerating in the last 5 years, complete
with automated tools, customer support, and guarantees for product effectiveness.
The commoditization of new attacks and weaponized tools means that even the most
amateur hacker can now effectively deliver professional-level threats into a targeted
organization.

Its no wonder security professionals keep asking: What can we do to protect ourselves
and our customers from these new super villains? hoping to hear about some shiny
new product that will solve all of their security problems and provide protection against
every new threat.

As a security professional, you need to enable a productive work environment

while providing all of the controls needed to protect your organizations data and
customers. How effective you and your team are depends, not only on how advanced
your defenses are, but also how much breadth and depth you have in terms of
visibility. You must:

Gain total visibility. Inspect all data and cut through the overwhelming volume of
alerts and manual processes associated with operating many discrete security prod-
ucts designed for singular functions.
Efficiently correlate information to identify infected systems and weaknesses
throughout the network, cloud, and endpoints and then execute protection across
the network, devices and data.
Reduce the gaps between detection, analysis, and protection while keeping up with
new threats composed of various tools, technologies, and vectors.

And this isnt easy. So, what should your plan be?

Online Trust Alliance, Data Protection Best Practices, 2015

1

Palo Alto Networks | Cybersecurity Buyers Guide 3

THINK LIKE AN ATTACKER.
Attackers and their campaigns follow a sequence of eventsknown as the attack lifecycleto successfully infiltrate a network and
either exfiltrate, destroy, or prevent access to data to disrupt business. While the order may not be constant, since attackers can
create their own sequence from the stages below, the goal is always the same: to reach the last stage and achieve their objective. The
good news is that, because it happens over time, blocking just one of the following stages in the attack lifecycle is all you need to do
to protect your organizations network and data from a breach.

Reconnaissance
Just like burglars and thieves, cyber criminals carefully
plan their attacks. They research, identify, and select
targets, often using phishing tactics or extracting public
information from LinkedIn profiles or corporate websites.
Cyber attackers try to learn as much as possible about
the systems youre running as they scan for services and
applications they can exploit and identify vulnerabilities
to target. Certain tools, like IPS and firewalls, can stop
some of these tactics, specifically port scans and host
sweeps. However, due to the public nature of the Internet,
investigation by cyber criminals into your users and
company affiliations is largely impossible to protect against.
Weaponization
Next, attackers create tailored exploits, and combine
them with malicious payloads, to leverage weaknesses
theyve found during the reconnaissance stage.
Because this stage is all done on the attackers side,
security tools cannot defend against weaponization.
However, tools like sandboxes and intrusion prevention
systems (IPS) can help to defend against targeted
vulnerabilities and custom payloads packaged during
this stage. Exploit kit protection can help make
newly weaponized tools obsolete by decreasing their
effectiveness when theyre reused.

Delivery Exploitation Installation Command and Control

Attackers determine how to
send weaponized threats into
a network, using such methods
as phishing and watering holes.
They may choose to embed
malicious code within a seemingly
innocuous file, like a PDF, Word
document or email message.
Or, in highly targeted attacks,
attackers may craft deliverables
to catch the specific interests
of an individual. Security tools
like anti-malware, sandboxing,
and URL filtering or proxies can
help to prevent delivery, if they
monitor and defend against all
traffic on all ports.
Once attackers gain access inside
an organization, they can activate
attack code on the victims host
and ultimately take control of the
target machine. This opens the
door for them to move laterally
within the network, though
typically command and control
is executed before this happens.
Tools like IPS devices and
endpoint protection agents can
be used to block exploitation,
and highly segmented network
architectures also help to limit
the systems and devices attacks
can exploit.
Attackers will seek to establish
privileged operations,
escalate access, and establish
persistence by installing
their own malicious program
(malware), like a root kit, on
the victim machine. This stage
is only enacted if malware is
used in the attack. Typically,
command and control happens
during installation to download
additional payloads from an
attacker-controlled Web page
or server. Endpoint protection
agents, URL filtering, and
anti-malware technology are
used to protect devices from
installation.
Attackers establish a command
channel back through the
Internet to a specific server, so
they can communicate and pass
data back and forth between
infected devices and attacker-
controlled servers. Command
and control occurs multiple
times during an attack, often
to fetch additional payloads,
receive new instructions from
the attacker by updating its
code, and siphon data out of
an organization. IP reputation
services and DNS protection
can help block command and
control traffic.

Actions on the Objective

Attackers have many different motivations, and its not always for profit. Their reasons can be to exfiltrate data, destroy critical
infrastructure, deface Web property, or create fear (extortion). Because this stage is always the last within the lifecycle and
completes an attack, blocking the connection with the attacker, or stopping previous stages effectively, causes both this stage and
the overall attack to fail.

Considering the attack lifecycle within the context of your organizations network architecture, and understanding how cyber criminals operate,
will help you to design a better cybersecurity strategy and build a holistic defense that dynamically identifies symptoms of infection, zeroes in on
the root cause, and prevents the disease.

Palo Alto Networks | Cybersecurity Buyers Guide 4

DEFINING
CYBERSECURITY
Detect unknown
Reduce the Prevent known Mitigate zero-day
threats and quickly
attack surface threats infection
make them known

To achieve cybersecurity is to successfully protect Multiple detection and prevention capabilities are necessary
your organizations electronic network and data against to enable teams to identify vulnerable interactions and
unauthorized use. You begin this process by determining what network components, effectively manage risk, and quickly
constitutes authorized use. First, you need to define who can mitigate attacks. In order to determine which tools you need to
interact with what, and how, typically using next-generation accomplish this for your organization, lets begin by reviewing the
firewalls with granular access control policies. Second, and the fundamental functions above that are designed to execute.
focus of this guide, is to ensure the integrity of those approved
The remainder of this Buyers Guide is divided into two sections:
interactions and make sure that theyre not corrupted by
the first section, 10 Things Your Next Cybersecurity Solution
hidden threats, which is no simple task. This is why you need
Must Do, outlines the architecture that is necessary for blocking
more than a single technology to achieve cybersecurity.
attacks and preventing breaches. The second section delves
Cybersecurity strategy has historically been limited to into how these 10 things help buyers navigate the request for
detectionmonitoring a few known attack vectors at the proposal (RFP) process and effectively evaluate a cybersecurity
Internet edge and on endpoints, and generating hundreds to solution.
thousands of alerts in an endless and reactive remediation
cycle. This strategy focuses on continuously relieving the
symptoms of high-priority threats, instead of correlating them
and directing attention to repairing the root cause, once and
for all. The unmanageable number of alerts and the constant
cycle of repetitive remediation has significantly contributed to
the fact that it takes organizations an average of 225 days to
detect targeted APTs (advanced persistent threats) launched
against them2.

Ponemon Institute, State of Advanced Persistent Threats, 2013

2

Palo Alto Networks | Cybersecurity Buyers Guide 5

 10 THINGS
YOUR CYBERSECURITY
SOLUTION MUST DO
1
Enforce allowed interactions
between your data and your users.
The network is at the core of your business. Like a virtual
highway, it connects your users and customers to important
data and dramatically increases productivity. And it must be
protected. Data is constantly in transit, and because sources,
destinations, and the paths in between them are becoming more
and more virtualized, network traffic is increasingly complex.
Roads that lead to critical data stores and valuable assets must
be protected because its not always obvious when access is
abused.
Attackers look for the easiest way in, targeting users, devices,
and applications to get to the data theyre after. They know
that organizations diversity of unsecured remote and mobile
devices makes it easier for them to piggyback into the corporate
network. In addition to employees, customers and partners who
use these numerous applications and devices to legitimately
access data increases traffic complexity.
As an organization becomes more connected, and the roads to
and from data stores significantly increase (e.g., multiple branch
offices, private and public cloud environments and greater
numbers of remote users), the risk for successful breaches
skyrockets.
Palo Alto Networks | Cybersecurity Buyers Guide
Requirements
To reduce the sheer number of attacks to which your network
and data are exposed, your cybersecurity solution must allow
you to effectively reduce the attack surface by granularly
identifying approved interactions between users and data based
on the specific data youre trying to protectwhat it contains,
where its located, how it should be used, and by whom.
Choosing a solution that promotes micro-segmentation is also
important. Each network location likely behaves somewhat
differently, and thus each requires a slightly different set of
allowed behaviors. Identify and group users according to their
privilege levels and to which data they should have access.
Whats more, the policies that you construct must be enforced
within the context of applications traversing the network and
their expected interactions. Granular network access policies
are the foundation to reducing the attack surface and to
blocking unauthorized transactions, as they provide the most
fundamental context around incoming and outgoing traffic.
Its not enough just to protect the roads between users and
stores of data: the integrity of both users and the data itself must
be verified and maintained.
6
2
Identify threats on all applications, ports,
users and devices, all the time.
Attackers dont want to be detectedthis is their prime
directive. They purposely craft threats to lurk in the dark corners
of your organization by utilizing deceptive techniques, like
applications that port-hop and use non-standard ports, hiding
within SSL traffic and on seemingly legitimate websites, using
protocols that arent anticipated, and disguising themselves as
benign files. If your protections are only capable of identifying
application threats on certain ports or your sandboxing solution
only supports HTTP and SMTP protocols, youre likely missing
many of these threats.
Data is constantly in transit to and from both physical and
virtual locations via a slew of different ports, protocols, and
applications. Machine-to-machine communication represents
a vector for lateral movement thats rarely monitored, creating
opportunities for attackers. Data moves back and forth
from things like security cameras, VMs in the cloud via SaaS
applications, POS devices, and printers, all of which have been
used by attackers to sail past traditional defenses and gain a
foothold within the target organization.
Complete, end-to-end threat identification for all applications,
users, and devices in all locations, on and off the corporate
network, is imperative for an effective cybersecurity strategy.
Requirements
Know your business, know your network, know your usersyour
team and your tools can only protect your organization from
the things they can see, so choose a cybersecurity solution that
gives you visibility into everything, everywhere. Assume that any
application can carry threats and can run on any port. Monitor
incoming and outgoing traffic on both common and uncommon
protocols, like POP, IMAP, and FTP, as well as files that may be
deceptively dangerous, like Microsoft Office, PDFs, Adobe
Flash files, and Android APKs. Selectively decrypt traffic using
SSL and unpack compressed files regularly for inspection.
Choose a solution that allows you to more effectively segment
your network based on expected interactions and behavior.
Control who and what can communicate, and how. Understand
how each application, user, and device is used, how they may
be leveraged at different stages of an attack, and protect your
network by protecting them.
3
Protect data at multiple stages in the attack lifecycle.
All attacks are comprised of multiple stages strung together
to form the attack lifecycle, which was discussed earlier in this
guide. However, all stages must succeed before the attackers
objective can be met. The four key stages where where the
opportunity to prevent the attack manifests are: delivery,
exploitation, installation, and command and control. Stand-alone
security tools, like traditional IPS or Web proxies that focus
solely on one stage may fail, especially where new or unknown
techniques are used. For instance, any application can be used
for delivery or exploitation, installation can occur on any device,
Palo Alto Networks | Cybersecurity Buyers Guide
and any outbound channel may be used to communicate with
attacker-controlled servers (command and control). An effective
prevention strategy includes coordinated technologies that
detect and prevent across each stage and easily block known
threats to ultimately stop attackers from reaching their objective.
Requirements
Choose a cybersecurity solution that focuses on attack
behaviors at multiple stages: blocking delivery through
compromised Web pages and malicious files, protecting
against exploits kits and application vulnerabilities, stopping
the execution of files (installation) containing known malware
through accurate payload identification, shutting down
outbound command and control communication, and restricting
lateral movement through segmentation.
Attack surface reduction, combined with full visibility and
prevention mechanisms at each stage, guarantees that as an attack
progresses through each attack stageeven those that use new
techniquesthere is a decreasing possibility it will succeed and an
increasing likelihood that your network will remain secure.
4
Outsmart advanced threats specifically designed
to outmaneuver security tools.
Advanced threats are designed to be evasive in order to
bypass security defenses. Sometimes, evasive traffic is not ill-
intentioned, but instead meant to provide constant availability to
users. We can classify evasions into three groups:
Network-level evasions involve packet order and sequence
modification. Tricks like fragmentation and obfuscation, in
which a malicious payload is divided into separate packets or
is separated by benign packets, are used to bypass intrusion
prevention systems. Once inside the network, the packets are
put together correctly and the malicious payload is assembled,
delivering an exploit. Whats more, an individual vulnerability
that exists within either the network or an application can
be exploited in hundreds of different ways. Similarly, known
malware can be altered very easily with a simple hash or file-
name change.
Application-level evasions fall into two classes: those that are
expressly designed to evade security, like external proxies
and encryption tunnels, and those that can be adapted to
easily achieve the same goal, like remote server and desktop
management tools. Not all evasive applications carry the
same risksremote access applications have legitimate
uses, as do many encrypted tunnel applications. However,
attackers are increasingly adopting these same tools as part
of ongoing persistent attacks. Without the ability to identify
these security evasion techniques, control nested applications
and sub-features, analyze file payloads, and enforce security
policies on all of these, you can inadvertently expose your
organization to uncalculated risk.
User-level evasions include tactics like phishing and malvertising,
where victims are tricked into clicking a link containing an
exploit kit or spoofed website, or opening an attachment that
executes malicious code on the victims machine. Attackers
7
 commonly compromise legitimate Web pages, spoof file
extensions, compress executable files several times, and create
spoofed websites that appear to be legitimate but are designed
to trick users into handing over valid credentials.
Cybersecurity tools that offer protection capabilities in the form
of static signatures that are too broad or too unique are limited
in that they can only protect against threats that are known
known malware delivered by a known malicious URL using a
known exploit, communicating to a known command and control
domain. Its incredibly easy for attackers to modify existing
malware and exploits to make them essentially unknown to
bypass traditional defenses. These minor variations in threats
create moving targets for security tools with static protections.
Whats more, malicious URLs and command and control domains
come and go quickly, often only remaining active for a few hours
or days at a time.
Requirements
The sheer number of exploit and malware variations available
necessitates protection capabilities that can handle the load,
either by an enormous and constantly growing library of exploit-
and hash-based signatures, or by a smaller set of payload-
based signatures capable of detecting and preventing multiple
variations individually. Smart signatures capable of uncovering
threats deep within each packet and file and comprehensively
across many protocols, file types, exploits, and hashes offer
increased protection, as well as future protection against
variation and reuse of the same attack components.
Also consider the granular detection capabilities within
sandboxing and URL filtering tools. They should be able to
determine whether email links and individual web pages are
malicious, detect malicious code hidden within commonly used
file types and compressed files, and put prevention mechanisms
in place to identify and protect your users from being deceived.
5
Facilitate the translation of new intelligence
into protections within security policies.
Sophisticated attacks are designed to leverage vulnerable users
or systems to stealthily enter the network, carefully avoiding
techniques that will trigger traditional defenses and remaining
inside the network for prolonged periods of time, slowly
chipping away at their objectives so as not to arouse suspicion.
The challenge with sophisticated attacks for security teams is
that some of the attack components may be completely new
true zero-day threats. Furthermore, those threats, when taken
by themselves, may not indicate anything interesting that you
and your security team should investigate.
In 60 percent of attacks4, it only takes minutes for compromise
to occur. This infection speed necessitates the quick translation
of data into intelligence, and then into protections that are
enforced, allowing you to prevent network and device infection
in near real-time and rely less on manual research-and-remediate
processes after compromise has already occurred.
Verizon Data Breach Investigations Report, 2015
4
Palo Alto Networks | Cybersecurity Buyers Guide
Requirements
Prevent gaps in prevention capabilities by quickly translating
intelligence, such as new malware payloads, URLs hosting
exploits, and command and control server locations, into
protections that can be enforced by existing security
technologies across your network.
Consider a solution that is self-learning to automate this process
and reduce it to minutes. A constant feed of newly created
protections against newly discovered attacks, broken down into
its components, translated into protections, and distributed
to points of enforcement within your segmented network,
increases the effectiveness of your cybersecurity solution. Not
only should it prevent future occurrences of the threat, it should
identify devices exhibiting behaviors indicative of compromise,
and immediately alert you to them.
The more relevant your intelligence is, the more up-to-date
your security protections are, and the better able youll be to
successfully defend your data and make prevention part of your
cybersecurity strategy.
6
Be up to date with intelligence and
protections against the latest attacks.
Threats are constantly changing as attackers evolve their methods
in a continuous effort to be more deceptive and evasive. We can
group attacks into two types:
Targeted attacksare aimed at specific groups or organizations
within any given industry. Making matters worse, they target
particular individuals or systems with known vulnerabilities, and
deploy exploits or malware that leave those systems defense-
less. It is vital that the infection be identified quickly after a
targeted attack. Components must be detected and defenses
must be customized and distributed across the infrastructure
(i.e., other devices and network segments), to contain the
spread of infection.
Opportunistic attacksin which an attacker casts a wide net in
hopes of infecting as many victims as possible. Opportunistic
attacks are less customized to specific organizations, but can be
just as dangerous as targeted attacks. In opportunistic attacks,
viruses and bots are typically used to propagate the infection
widely and rapidly, compromising thousands and sometimes
hundreds of thousands of devices across many organizations.
Knowing when and how other organizations were attacked can
provide valuable intelligence that may help you to determine if
your organization has been infected with the same threat and
prevent you from being victimized in the future.
The rate at which attacks are changing dictates that what
protected your network against attacks this morning may not
be effective against attacks being launched in the next few
minutes. Keeping prevention capabilities within your security
technologies as current as possible helps to minimize risk of
infection and restricts attackers to threats containing pristine,
8
zero-day exploits and malware, and brand new command and
control domains. This seriously increases their cost to attack and
severely limits their opportunities for success, resulting in fewer
attacks for you to deal with.
Requirements
While a dedicated threat research team is important, it is rarely
enough. Attackers are automating new threats, and therefore,
your data-to-protection process must also be automated if it is
to stay ahead of the evolution. To do this, your cybersecurity
solution must be able to:
Compile threat data quickly from new attacks into intelligence.
Produce protections against those threats as soon as attackers
operationalize them. This includes attacks on your network and
other organizations around the world.
Consider investing in tools that:
Analyze threats seen around the globe.
Generate new signatures for future protection that prevent at
each attack stage automatically.
Deliver those protections to all policy enforcement within
your network, proactively preventing threats seen by other
organizations from infecting your network.
Generated protections should be smartan individual signature
should protect against multiple variations of the originally
analyzed threat to ensure maximum coverage. Additionally,
technologies that provide automated detection and prevention
capabilities should also provide you with tools to help mitigate
any current network infection.
7
Enable quick and accurate mitigation.
Youve likely heard the phrase, Theres no silver bullet. Vendors
use this phrase to express that even the most advanced defense
capabilities cannot guarantee 100 percent protection from zero-
day attacks.
After being hit by a sophisticated attack, its critical to identify
the infection quickly and protect other devices and network
segments against its spread. Because most network defenses
comprise best-of-breed tools from multiple vendors, prevention
becomes difficult. The process is arduous, highly manual and
time consumingespecially if threat data is isolated in different
systems and stored in different locations.
Thus, mitigation and remediation planning continue to be an
important part of an organizations cybersecurity strategy.
However, relying too heavily on continuous remediation to solve
security problems is costly and does nothing to prevent breaches
from happening.
As weve seen in the attack lifecycle, infection doesnt necessarily
mean youve been breached. If youre able to prevent outbound
communication with attackers (command and control), youve
effectively caused the attack to fail, even though you may still
Palo Alto Networks | Cybersecurity Buyers Guide
need to identify and scrub the infected device. In addition to
bolstering prevention capabilities, technologies that ingest a
constant feed of threat information can help. Where remediation
is concerned, every minute counts.
Requirements
There are different ways cybersecurity solutions handle detection
logs and incident reports. Look for those that offer:
Correlated threat logs across each detected stage in an attack.
Alerts to high fidelity indicators of compromise through active
searches, including identifying the infected device beyond simple
IP addresses.
Consider a solution that correlates suspicious behaviors to highly
accurate infection alerts, so you know with complete confidence
that infection has taken place and can prioritize accordingly to
swiftly limit the networks exposure. Remember that, because
many attackers will try to leverage uncommon, and therefore
likely undefended attack vectors, any threat analysis tool must
also cover all locations and devices within your infrastructure.
Threat logs correlated with in-network heuristics, such as a
specific vulnerability exploit combined with a specific malware
download and subsequent attempts to reach specific domains at
abnormal times, can inform you of both the original victim device
and the direction of the threats lateral movement with a great
deal of accuracy.
Consider a solution that does more than merely alert you to
infections; for instance, one that isolates compromised devices
from the rest of the network or blocks them from outbound
communication. Keep in mind that mitigation planning should
be done as part of disaster recovery tacticswhat to do in an
emergency situationbut it shouldnt be the norm. Secure your
infrastructure to prevent most attacks, so that infection alerts
that necessitate emergency remediation actions arent an
everyday occurrence.
8
Coordinate actions comprehensively across
individual security technologies.
Throughout our lives, stress is put on the importance of working
as a team because we know we can achieve optimum efficiency
through coordinated, yet specialized action. The same is true when
it comes to cybersecurity. Security technologies and individual
sensors throughout your network contain information-gathering
and enforcement capabilities that, if built to work together, have
the power to make your teams efforts to secure the organization
more effective. Being able to identify individual pieces of an
attackwhats going on in a given attack stageand correlate
those pieces to create a larger picture of the attack as a whole is
essential to effectively stopping it. The big picture sets the context
of the attack for understanding where gaps in security may exist,
where protections must be created, and distributing enforcement
to block the attack and close those gaps.
9
Requirements
Coordinated cybersecurity technologies are of utmost
importance when it comes to usability and closing security
gaps in your infrastructure. Technologies that are natively
integrated, or have open APIs that can be easily integrated in
a customized way, are best suited to comprehensively share
intelligence and update policies across your entire network, and
immediately alert you to infection, regardless of location.
For example, if a device in one network segment indicates
compromise, your cybersecurity solution must:
Identify the attack.
Break it down into its components (i.e. the delivery method or
URL, the malware payload used and its subsequent effect on
the contaminated device, the specific application or system
vulnerability exploited, the command and control domains).
Distribute that information to all other security technologies
protecting other parts of your network and data infrastruc-
ture, so theyre able to identify similar indicators and prevent
the infection from spreading.
Automatic, coordinated enforcement like this relieves you of
the intensive manual labor often involved in translating network
information to policy, and ensures that prevention happens at a
stage in the attack lifecycle before a breach can occur.
9
Keep your business running.
Many organizations struggle when it comes to choosing
between securing the organization and enabling the thousands
of applications that accelerate business efficiency and
profitabilityone of these is usually sacrificed. More often than
not, turning on security features means that users must accept
high latency or worse, restriction from using the applications or
accessing the data they need. If your cybersecurity solution is
architected correctly, this compromise is unnecessary.
Requirements
Reducing the attack surface is a key component to maintaining
usability. Eliminating unknown or unnecessary traffic and data
interactions reduces the amount of allowed traffic that must be
scanned for threats, which lightens the processing load that your
cybersecurity tools must take on.
Cobbling together stand-alone security functions from different
technological origins or several blades usually means there are
redundant networking layers, scanning engines, and policies,
which translates into more complexity for you and a higher
probability that desired applications arent safely enabled or
enabled at all. The latter outcome can also mean an increased
number of IT support cases submitted by frustrated users.
Palo Alto Networks | Cybersecurity Buyers Guide
Given the requirement for computationally intensive tasks (e.g.,
application identification and threat prevention performed on
high-traffic volumes with low tolerance for latency associated
with critical infrastructure), your cybersecurity solution must be
designed for the task. This means dedicated, specific processing
for management, security, and content scanning, so traffic isnt
processed more than once.
10
Be easy to use.
A few notable breaches in recent years have highlighted
the importance of prioritization and actionable data where
threats and potential incidents are concerned. Even with a
centralized management system in place, sifting through logs
from multiple products for important data and correlating it is
an enormous task.
Manually integrating data from different products can be
an arduous process as well, often introducing mistakes and
imperfect end results. As each additional hour passes after
compromise occurs, infection spreads, and the likelihood that
youll need to disclose a breach to your executives and board
members increases. You cannot afford the extra time associated
with arduous monitoring, investigation, and reporting. Having
simple policies set up, and correlated threat data ready and
available on one device within one interface, gives security
teams a complete view of whats going on within their
network infrastructure and data, without hassle.
Requirements
Although we can automate many processes needed for
mitigation and risk assessment, human interaction is still required
at some point. Natively integrated security technologies that run
on a single device allow you to easily glimpse whats going on
with each data flow; search for, correlate, and prioritize critical
security events; and make it simple to granularly adjust policy
based on present events. Its especially helpful if policies can
be updated once and that update applied to multiple functions,
instead of having to make the same update several times in
multiple places to achieve your desired security coverage.
Look for a cybersecurity vendor who correlates security data
both at a local level, so you know exactly whats going on in
your network and can respond accordingly, and on a global level,
providing you with actionable intelligence on threat campaign
details. That way, you can make informed decisions on how to
keep your organization safe from future attacks simply
and efficiently.
10
 USING THE RFP
PROCESS TO SELECT
A SOLUTION
Typically, when selecting critical security infrastructure components, organizations will use a request for proposal (RFP) as
a means to ensure that their specific needs are addressed. According to Gartner research around information security and
advanced targeted attacks, The future of information security infrastructure is contextual and adaptive, capable of changing to
support rapidly changing threat and business environments in near real time,5 and advises organizations to shift their focus to
increasing the amount of context provided by their security tools.6 As new deployment opportunities occur, organizations should
expand their RFP selection criteria to include end-to-end application, user, device, and data visibility, and protection (offered by
holistic cybersecurity providers).

The previous section established the 10 key requirements your next cybersecurity solution must have; this section will translate those
requirements into tools you can use to identify and select a cybersecurity vendor. There are many elements to consider when evaluating
how effectively a vendor can deliver application, user, device, and data security. Cybersecurity technologies sitting out of band in alert-only
mode are better than not having any security at all. However, in this context, theyre not actually securing anything. Your ultimate goal in
evaluating and implementing any cybersecurity solution should be to secure your organization by preventing threats in real time.

Protecting Network Infrastructure and Data

Modern network users assume the ability to connect and
work from many locations beyond the traditional corporate
network perimeter. These users and all data stores must remain
protected, even in instances where users are working outside
of the corporate network or data is stored in public or private
cloud environments.
Describe how the solution protects data stored in public and
private clouds.
How does the solution protect mobile devices? Will you be
able to provide consistent policy enforcement when users are
on external networks, as well as internal wireless networks?

Consider the following questions and statements when
issuing an RFP:
Describe segmentation requirements. How many
users, servers, or virtual machines can be supported
simultaneously?
How does the solution address the allowance for, or denial
of applications?
How does the solution address BYOD issues?
If a client component is included as part of the solution, how
is it distributed to each client and maintained?
Provide a detailed description, including all necessary
components, of the available options for securing remote
users.
Is the solution capable of performing multiple file format
analysis, including but not limited to LNK, Microsoft objects,
PDF, EXE, SWF, DLL, JAR, CLASS, SCR, and APK?

5
Gartner, Prevention Is Futile in 2020, 2013
6
Gartner, The Future of Information Security Is Context Aware and Adaptive, 2010

Palo Alto Networks | Cybersecurity Buyers Guide 11

Identifying Threats in Context
The RFP must determine the details around how the cybersecurity
architecture accurately identifies threats hiding inside traffic
within the context of applications, users, devices, and data, over
any port, SSL encryption, or other evasive techniques in use.
To ensure your RFP covers contextual threat identification,
consider the following:
When traffic is first received, does it collect application, user,
device, or behavioral context from another security tool?
How is application state tracked and utilized to ensure
consistent contextual awareness to secondary functions?
Describe in detail how traffic is accurately contextualized.
Which mechanisms besides signatures are used to
contextualize traffic?
Describe the breadth of application and file protocol decoder use.
How are SSL and SSH decryption implemented?
Does the solution implement SSL decryption for both inbound
and outbound traffic?
Is traffic re-encrypted after being scanned?
How does the solution determine user-based context?
How does the solution determine device-based context?
In virtualized environments, describe how the traffic is
contextualized throughout the virtual machine (e.g., north-
south, east-west).
Describe the points of integration within the virtualized
environment.
Describe the process of building security policies for newly
created virtual machines.
Prevention at Multiple Attack Stages
Because advanced threats are more accurately identified when
broken down into multiple events, analysts are consistently
recommending that organizations consolidate traditional threat
prevention technologies into a single cybersecurity platform.
To ensure your RFP covers multi-stage attack prevention, consider
the following:
Describe all threat prevention technologies included (IPS,
anti-malware, anti-command and control, sandboxing, data
filtering, etc.)
Describe the coordination between prevention technologies.
Are these prevention technologies hardware or software
add-ons?
How are these prevention technologies licensed?
Palo Alto Networks | Cybersecurity Buyers Guide
How is application identification and control performed by
the solution?
Many applications can evade detection using non-standard
ports, port hopping, or by being configured to run on a
different port.
Describe how the application identification mechanisms are
part of the core cybersecurity solution.
Are the application identification mechanisms dependent on
the applications standard port?
Can threat policies be applied to an application on all ports, and
is the process automatic or manually configured?
Does the solution have the ability to deny unknown traffic?
Is the solution able to identify users, and what is that
identification based on?
What
with?
third-party directory services does the solution integrate
How does the solution identify users operating remotely and/
or on personal devices?
What kinds of threat signatures are included with
the solution (e.g., URL, malware, vulnerability, DNS
signatures, etc.)?
How often is the threat signature database updated, and is it
a dynamic update or a system reboot upgrade?
Describe how the solution addresses these stages in the
attack lifecycle:
Delivery
Exploitation
Installation
Command and control
Describe which prevention mechanisms are developed in
house or obtained via a third-party service?
How do the prevention mechanisms scan content within
compressed files like ZIP?
Describe threat research and development processes.
How effective are malware signatures?
How many malware variants can a single signature prevent?
How does the solution defend against lateral movement?
12

Detecting Evasive Threats
Threats are becoming increasingly more evasive as attackers
adjust their methods to bypass new defensive technologies.
The ability to, not only detect evasion tactics, but also
accurately identify the threat that underlies it is critical for
effective security.
To ensure your RFP covers evasive-threat detection, consider the
following:
How does the solution handle packet-level evasions?
Does the solution support TCP and UDP reassembly for
fragmented packet protection?
How is SSL decryption performed?
Can the solution support at least 4 levels of compression
(i.e. encryption, encoding, and at least 2 levels of file
compression)?
Describe how the solution detects custom or polymorphic
malware.
What mechanisms are used to block these types of malware?
How does your sandboxing feature address the use of
multiple application versions?
Does the device include built-in virtual execution environments
within a single appliance to simulate the file activities and find
malicious behaviors for advanced threat detection?
Can the solution identify the use of dynamic DNS?
Can the solution identify malicious URLs?
Iffileyes, how granular is the URL identification (i.e. by domain, by
path, by page)?
Palo Alto Networks | Cybersecurity Buyers Guide
Implementing Up-to-Date Protection
from Contextualized Intelligence
Because attackers are constantly modifying existing threats and
creating new threats, having up-to-date protection is the only
way to successfully keep up with the changing threat landscape.
The solution must be able to adapt its detection capabilities
accordingly and constantly refresh existing protections based on
current threat tactics.
To ensure your RFP covers up-to-date protection, consider the
following:
How does the solution update its library of known threats
(exploits, malware, delivery sources, command and control
domains, etc.)?
What is the cadence for new signature updates?
How quickly after zero-day threats are discovered is coverage
added to the devices threat signature library?
How many external threat intelligence sources are fed into the
solution?
Describe how the solution handles rapidly changing command
and control domains.
Describe how the solution handles legitimate websites or
domains that have been compromised.
13
Effective Mitigation
Although prevention is preferable, there will still be campaigns
that infect devices on your network, which is why rapid
mitigation and remediation are necessary. Analysts recommend
that security teams invest in solutions that help them quickly
understand the scope and impact of a detected infection.
To ensure your RFP covers effective mitigation, consider the following:
Is the solution able to analyze files for zero-day threats and
mitigate them within minutes?
How does the solution accurately identify infections?
How does the solution rate infection severity and fidelity?
How does the solution correlate suspicious behaviors for
devices across multiple segments within the organization?
Are infection reports logged in real time?
How quickly are protections or blocking actions enabled after
identifying an infection?
Impact to the Business
Real-world performance is a critical component of a cybersecurity
deployment. Application control and threat scanning requires a
far deeper investigation of traffic and is more computationally
intensive than simple port-based firewalling. It is critical to
determine the performance on the network when all security
features are enabled and analyzing a real-world mix of traffic.
To ensure your RFP covers business impact, consider the following:
How does the solution address signature fidelity?
Investigate the hardware architecture to confirm appropriate
processing power for continuous application-level traffic and
threat classification.
Describe the traffic mix used to produce the published
performance metrics for:
Application control
Application control + logging
Application control + IPS
Application control + IPS + AV
Application control + IPS + AV + anti-spyware
What is the rated throughput for:
Application control
Application control + logging
Application control + IPS
Application control + IPS + AV
Application control + IPS + AV + anti-spyware
Does the sandboxing feature add latency for the end user,
and if so, by how much?
Palo Alto Networks | Cybersecurity Buyers Guide
Management
Management is a critical element for implementing effective
cybersecurity. In moving to your next cybersecurity solution,
a key goal must be to simplify security management wherever
possible.
To ensure your RFP covers security management, consider the
following:
Does solution management require a separate server or
device?
Does the solution have a separate management system with
dedicated CPU, memory and disk?
Describe all of the management options that are supported:
Command line interface (CLI)? Browser? Software client?
Centralized server?
For each of the management alternatives supported, describe
how much effort is required to move from one management
technique to another.
Describe the centralized management architecture and
deployment options.
What visibility tools, outside of the log viewer and reports,
are available to enable a complete picture of attack
campaigns within the context of applications, users, devices,
and data traversing the network?
Are the visibility tools included as part of the base functionality,
or are they extra cost/added licenses?
Are the visibility tools deployed on-box, or are they a separate
device/appliances?
Provide a detailed description of the effort and steps
required to gain a comprehensive view of all application
and data traffic, user and device information, and threats
detected or blocked.
Can application, user, device, data, and threat policy controls
all be enabled on a single rule?
Describe how management access is ensured when the
device is under heavy traffic load.
Describe the relationship between individual devices and the
centralized management of multiple devices.
Describe the difference in management between hardware
and virtualized instances.
Are different or separate devices required to secure public and
private cloud environments?
14
 Cybersecurity with
Next-Generation Security Platforms

At one time, the concept of cyberattacks as

constantly moving targets was impossible, an
irrational theory only possible at some point far
into the future. But now, the future is here and
this is our reality.
10 Things Your Next Cybersecurity Must Do
validates the fact that the best location to execute
secure application enablement is at every location
within the network and cloud, and on endpoints.
It should be clear after using the tools within
this document that attempts to claim effective
security using single-function devices in a bolt-on
approach are unrealistic. In order to truly prevent
a breach, a holistic cybersecurity solution that
can dynamically adapt to the changing threat
landscape is crucial.

Palo Alto Networks | Cybersecurity Buyers Guide 15

 Palo Alto Networks

Palo Alto Networks natively integrated next-generation

security platform brings network, cloud and endpoint security
into a common architecture, with complete visibility and control,
ensuring your organization can detect and prevent attacks.
The next-generation security platform streamlines day-to-day
operations and boosts security efficacy, and the one-of-a-kind,
multi-layered defense model prevents threats at each stage of the
attack lifecycle. Palo Alto Networks products are used by more
than 23,000 customers in over 100 countries.

For more information, visit

paloaltonetworks.com/cybersecurity

Palo Alto Networks Copyright 2015.

4401 Great America Parkway
Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo
Santa Clara, California, 95054
Alto Networks. A list of our trademarks can be found at http://www.paloalto-
networks.com/company/trademarks.html. All other marks
+1-408-753-4000 main mentioned herein may be trademarks of their respective companies.
+1-866-320-4788 sales
+1-866-898-9087 support
www.paloaltonetworks.com

Palo Alto Networks | Cybersecurity Buyers Guide 16