Insight by Palo Alto Networks

No more patient zero: A new paradigm for agency network protection

This content is provided by Palo Alto Networks.

Imagine receiving an email from a trusted colleague asking you to review the attached PDF before it goes to leadership. You open the PDF, several pop-ups flash across the screen, and then a banner appears: “Oops, your files have been encrypted!” You have been the target of a phishing email carrying ransomware. More than likely your agency has spent significant money on cybersecurity tools, so what happened?

The cybersecurity industry has long accepted the idea that “patient zero” (the first person or system to fall victim to a previously unknown attack) is inevitable. Patient one or two might be spared once most defensive solutions have spent the ten to fifteen minutes they need to recognize and block a new attack, but someone, unfortunately, has to be first.

With sophisticated automation now widely available to attackers as well as defenders, that is simply no longer acceptable. Response time matters more than ever; even five minutes for detection is too slow. The speed of detection needs to match the speed of today’s attacker, which means finding threats inline, within the massive volumes of network traffic that agencies handle every day.

The Limits of Reactive Approaches

Prevalent models of cyber protection accept the patient zero casualty for a mission performance reason: no user will wait ten minutes for a file to be sandboxed and analyzed before they can download it.

Rather than stall operations and workflow, the industry norm settled on allowing files through and analyzing the risk in the background. If a file is found to be malicious, security can quickly write a signature for it (typically a hash or byte pattern of that specific sample) and distribute it to halt further spread within the network. In the best case that happens within five to ten minutes. While it certainly helps other users, for patient zero it is too late.

What’s more, patient zero is often a high-value asset. From a practical perspective, attackers pursue their most critical target on the first attempt (for example through a whaling attack, phishing aimed at a senior executive) rather than crawl across an organization and risk detection before reaching the goal. Beyond dangerous email attachments, sophisticated attackers may also “cloak” phishing webpages, sending a specific malicious URL only to the high-value target; anyone else who requests the page, including security crawlers, is directed elsewhere.
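The cloaking behavior described above, simulated as an added example (this is not code from Palo Alto Networks or from this article): a local stand-in for the attacker’s server decides per request whether to show the phishing form or to redirect, and a checker fetches the same link under several personas and compares what each one sees. The URL, the per-victim token, the address ranges and the persona strings are all constructed for the illustration; nothing touches the network.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlparse


@dataclass(frozen=True)
class Request:
    url: str
    user_agent: str
    client_ip: str


@dataclass(frozen=True)
class Response:
    status: int
    location: Optional[str]   # redirect target for a 3xx response
    body: str


# Constructed values: the per-victim token carried in the emailed link, and the
# address range the attacker expects the victim to come from (documentation ranges).
VICTIM_TOKEN = "7f3a9c"
VICTIM_EGRESS_PREFIX = "198.51.100."
SCANNER_UA_MARKERS = ("Googlebot", "bingbot", "curl/", "python-requests")
EMAILED_URL = f"https://login-review.example/doc?t={VICTIM_TOKEN}"


def cloaked_server(req: Request) -> Response:
    """Simulated attacker-side logic as the text describes it: the phishing form
    is served only when the request looks exactly like the intended victim; every
    other visitor is bounced to an innocuous page."""
    token = parse_qs(urlparse(req.url).query).get("t", [""])[0]
    is_victim = (token == VICTIM_TOKEN
                 and req.client_ip.startswith(VICTIM_EGRESS_PREFIX)
                 and not any(m in req.user_agent for m in SCANNER_UA_MARKERS))
    if is_victim:
        return Response(200, None,
                        '<form action="/login" method="post">Agency SSO session expired. '
                        'Username: <input name="u"> Password: <input name="p" type="password"></form>')
    return Response(302, "https://example.org/", "")


def honest_server(req: Request) -> Response:
    """Control case: a page that shows everyone the same content."""
    return Response(200, None, "<h1>Quarterly report</h1><p>Nothing to see here.</p>")


def looks_like_credential_harvest(body: str) -> bool:
    b = body.lower()
    return "<form" in b and 'type="password"' in b


# Personas the checker can use. Only the last one reproduces the victim's view:
# the unmodified emailed link, a browser user agent, and the victim's own egress
# range, which is the vantage point an inline control in the user's path has anyway.
PERSONAS: Dict[str, Dict[str, str]] = {
    "reputation-crawler":   {"ua": "Mozilla/5.0 (compatible; Googlebot/2.1)", "ip": "203.0.113.10"},
    "analyst-from-outside": {"ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0", "ip": "192.0.2.77"},
    "inline-as-victim":     {"ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0", "ip": "198.51.100.23"},
}

Server = Callable[[Request], Response]


def single_crawl_verdict(url: str, server: Server) -> str:
    """What a one-shot reputation crawl concludes: it sees the redirect and moves on."""
    p = PERSONAS["reputation-crawler"]
    resp = server(Request(url, p["ua"], p["ip"]))
    return "phishing" if looks_like_credential_harvest(resp.body) else "clean"


def multi_persona_verdict(url: str, server: Server) -> dict:
    """Fetch the same URL under every persona and compare the outcomes. Divergent
    responses are themselves a cloaking signal; if any persona sees a credential
    form, the URL is phishing regardless of what the crawler persona saw."""
    views = {}
    for name, p in PERSONAS.items():
        r = server(Request(url, p["ua"], p["ip"]))
        views[name] = (r.status, r.location, looks_like_credential_harvest(r.body))
    return {
        "cloaked": len(set(views.values())) > 1,
        "phishing": any(v[2] for v in views.values()),
        "views": views,
    }


if __name__ == "__main__":
    print("single crawl :", single_crawl_verdict(EMAILED_URL, cloaked_server))
    print("multi persona:", multi_persona_verdict(EMAILED_URL, cloaked_server))
```

A one-shot crawl with a bot user agent from a datacenter address sees only the redirect and calls the link clean; fetching under several personas exposes the divergence and the credential form. The persona that matters is the one reproducing the victim’s own request, and that is exactly the view a control sitting inline in the user’s traffic gets without trying, whereas a crawler has to approximate it deliberately.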

Once patient zero is compromised, for instance with a ransomware payload, nothing stops the ransomware from executing. It can take less than a minute to encrypt that user’s system. If patient zero holds the most critical information, it hardly matters whether patient one or two is affected; the damage is already done.

Established workarounds for these attacks have limits. Routing users through a proxy that fetches and inspects webpages on their behalf helps defeat cloaking, but it slows performance and can even interfere with the correct loading of unrelated pages. Signature creation cannot keep pace with the hundreds of thousands of new malware samples appearing daily. Polymorphism lets thousands of those samples be derived from a single original code base, each with a different hash, and most signatures, written against one specific sample, cannot block the derivations.

Of course, once malware penetrates the organization, security teams must remediate after the fact. Continual cleanup imposes expense beyond the direct damage an attack inflicts: human labor, capital outlay, and potentially days or weeks of lost productivity for the users involved.

These reactive approaches do not adequately address present threat realities. True protection requires that anything malicious be detected before it ever gets into the network.

Reinventing Threat Detection for Federal Agencies

Despite considerable industry effort, no solution has tackled this problem in an efficient time frame—until now. Palo Alto Networks has just unveiled Intelligent Network Security, a radical new way to detect threats—inline, at speed.

Running on any form factor of our Next-Generation Firewall (physical appliance or virtualized), the intelligent features are offered as add-on subscription services. For existing federal customers, these capabilities arrive through the regular software update process, simplifying adoption and use.

Our Intelligent Network Security leverages the enormous volumes of rich data we’ve collected (using privacy-centric methods) through our FedRAMP-authorized WildFire® sandboxing service, which sees up to a million unique Portable Executable (PE) files every day. Extracting features from this data lets us accurately and instantly predict whether an unknown file is likely malicious, and block it before it gets through. This removes the need to maintain malware lists or perform local tuning.
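As an added example that is not Palo Alto Networks’ code or model, the following script makes concrete both the polymorphism problem described under “The Limits of Reactive Approaches” and the feature-extraction idea above. It builds a toy sample in a made-up container format (an import list plus named sections), derives packed variants the way a polymorphic engine would, and compares an exact-hash signature written from the original against a detector that scores features the packing does not change. The samples, the container format, the API names grouped as RANSOM_APIS and the hand-set weights are all constructed assumptions for the illustration, not real malware and not any vendor’s classifier.

```python
import hashlib
import math
import random

# Constructed samples. The ransomware-like one needs crypto, file-enumeration and
# process-launch APIs to do its job; the two benign ones look like ordinary tools.
RANSOM = {
    "imports": ["CryptGenKey", "CryptEncrypt", "FindFirstFileW", "FindNextFileW",
                "DeleteFileW", "ShellExecuteW", "CreateProcessW"],
    "sections": [(".text", b"\x55\x8b\xec\x83\xec\x10" * 150),
                 (".data", b"Your files have been encrypted. " * 20)],
}
BENIGN = [
    {"imports": ["CreateFileW", "ReadFile", "WriteFile", "GetMessageW"],
     "sections": [(".text", b"\x55\x8b\xec\x83\xec\x10" * 150), (".rdata", b"Untitled - Editor " * 40)]},
    {"imports": ["socket", "connect", "send", "recv"],
     "sections": [(".text", b"\x48\x89\xe5\x48\x83\xec" * 150), (".data", b"GET / HTTP/1.1\r\n" * 40)]},
]
# Assumed API grouping for the illustration, not a vendor list.
RANSOM_APIS = {"CryptGenKey", "CryptEncrypt", "CryptAcquireContextW", "FindFirstFileW",
               "FindNextFileW", "DeleteFileW", "ShellExecuteW", "CreateProcessW"}


def serialize(sample: dict) -> bytes:
    """Flatten a sample to bytes: what a hash signature is computed over."""
    out = b"|".join(i.encode() for i in sample["imports"])
    for name, body in sample["sections"]:
        out += b"\n" + name.encode() + b"\n" + body
    return out


def sha256_signature(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def polymorph(sample: dict, rng: random.Random) -> dict:
    """Build a functionally equivalent variant: every section is re-encoded with a
    fresh keystream, renamed and reordered, junk is appended, and a small decoder
    stub carrying the new seed is added. The import profile survives because the
    code still has to call those APIs once unpacked."""
    seed = rng.getrandbits(32)
    keystream = random.Random(seed)
    packed = []
    for _, body in sample["sections"]:
        name = "." + "".join(rng.choice("abcdefghijklmnop") for _ in range(5))
        packed.append((name, bytes(b ^ keystream.randrange(256) for b in body)))
    packed.append((".junk", bytes(rng.randrange(256) for _ in range(rng.randrange(50, 500)))))
    rng.shuffle(packed)
    packed.append((".stub", b"\xeb\x10" + seed.to_bytes(4, "little")))
    imports = list(sample["imports"])
    rng.shuffle(imports)
    return {"imports": imports, "sections": packed}


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; packed or encrypted data sits near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def extract_features(sample: dict) -> dict:
    imps = set(sample["imports"])
    ents = [entropy(body) for _, body in sample["sections"]]
    return {
        "ransom_api_hits": len(imps & RANSOM_APIS),
        "crypto_with_file_enum": int(bool(imps & {"CryptEncrypt", "CryptGenKey"})
                                     and bool(imps & {"FindFirstFileW", "FindNextFileW"})),
        "packed_fraction": sum(e > 7.0 for e in ents) / len(ents),
    }


def feature_score(f: dict) -> float:
    # Hand-set weights for the illustration; a real classifier learns these from data.
    return 0.5 * f["crypto_with_file_enum"] + 0.1 * f["ransom_api_hits"] + 0.3 * f["packed_fraction"]


def is_malicious(sample: dict, threshold: float = 0.6) -> bool:
    return feature_score(extract_features(sample)) >= threshold


def evaluate(n_variants: int = 20, seed: int = 1) -> dict:
    """Write one signature from the original (patient zero's file), then test it and
    the feature detector against fresh variants and against benign samples."""
    rng = random.Random(seed)
    signatures = {sha256_signature(serialize(RANSOM))}
    variants = [polymorph(RANSOM, rng) for _ in range(n_variants)]
    return {
        "variants": n_variants,
        "signature_hits": sum(sha256_signature(serialize(v)) in signatures for v in variants),
        "feature_hits": sum(is_malicious(v) for v in variants),
        "benign_false_positives": sum(is_malicious(b) or is_malicious(polymorph(b, rng)) for b in BENIGN),
    }


if __name__ == "__main__":
    print(evaluate())
```

Running it gives zero signature hits on twenty fresh variants, twenty feature-detector hits, and no false positives on the benign samples or on their packed versions (packing alone is not treated as malicious). The point to take from the toy is the one the text makes: a hash is a fact about one file, while features such as the import profile are facts about what the code must do to achieve its purpose. Real packers also hide imports by resolving them at runtime, which is one reason production models draw on far more features than the three used here.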

WildFire’s URL filtering and sandboxing capabilities also counter cloaking, automatically crawling up to 50 million webpages per day and assessing which may be phishing pages. By continually learning from this vast and growing data set, the intelligence within WildFire can recognize what is and is not malicious and identify attacks at line speed, including previously unseen zero-day attacks. The platform blocks user access to these cloaked URLs, something platforms that accept patient zero as inevitable cannot do.

The breakthrough advance of Intelligent Network Security will empower federal agencies to reinvent their security posture. With rampant threats, tight budgets, and skilled talent in short supply, Intelligent Network Security is what’s needed to match the urgency of the current environment. Time matters, and your agency’s mission deserves nothing less.

If you’d like to learn more about Intelligent Network Security, please contact us at fedteam@paloaltonetworks.com.