Traps

Palo Alto Networks Traps provides advanced endpoint protection that prevents sophisticated vulnerability exploits and unknown malware-driven attacks. Traps accomplishes this through a highly scalable, lightweight agent that uses an innovative approach to defeating attacks without requiring any prior knowledge of the threat itself. By doing so, Traps provides organizations with a powerful tool for protecting endpoints from virtually every targeted attack.

Instead of trying to identify the millions of individual attacks themselves, or to detect malicious behavior that may evade detection, Traps focuses on the core techniques that every attacker must chain together in order to execute an attack. With this approach, Traps can thwart the attack before any malicious activity can successfully run.

Advanced or Zero-Day Attack Prevention
Advanced attacks and zero-day malware must be handled swiftly, and automation must be used to ensure threat prevention immediately upon attack or zero-day discovery. This is critical to prevent subsequent evasion and attack attempts.

Exploit Mitigation
Traps focuses on the core techniques leveraged by exploits in advanced cyberattacks. Traps renders these techniques ineffective by breaking the exploit sequence and blocking the technique the moment it is attempted.

Malicious Executable Prevention
Traps prevents executable malware by preventing core malware techniques. Additionally, policy-based restrictions can be used to reduce the endpoint attack surface, and integration with the WildFire threat intelligence cloud offers rapid analysis of executables before they can run.

Lightweight yet Comprehensive
Traps does not perform system scanning or rely on signature updates the way many endpoint solutions do. This approach results in minimal impact on the user experience and system-level resources while protecting all applications, including proprietary and third-party ones.

Traps Deployment Architecture

Endpoint Security Manager – Console
The Traps infrastructure supports various architectural options to allow for scalability to large, distributed environments. Installation of the ESM creates a database on a Microsoft SQL Server and installs the administrative console within IIS. Microsoft SQL 2008 and 2012 are supported; the SQL Server may be dedicated to the ESM, or a database can be created on an existing SQL Server.

Endpoint Security Manager – Servers
ESM servers essentially act as proxies between Traps agents and the ESM database. Communications from Traps agents to ESM servers occur over HTTPS. ESM servers do not store data and therefore can be easily added and removed from the environment as needed to ensure adequate geographic coverage and redundancy.

Traps Agent
The Traps agent installer is a ~9 MB MSI package that can be deployed using your software deployment tool of choice. Subsequent updates to the agent can be deployed via the ESM. The agent consumes less than 25 MB on disk and less than 40 MB while running in memory. Observed CPU utilization is less than 0.1 percent. The agent employs various tamper-proofing methods that prevent users and malicious code from disabling protection or tampering with the agent configuration. The lightweight structure allows the Traps environment to scale horizontally and support large deployments of up to 50,000 agents per ESM while still maintaining a centralized configuration and database for policies. Traps can co-exist with most major endpoint security solutions, and CPU utilization and I/O remain incredibly low. Such minimal disruption makes Traps well suited to critical infrastructure, specialized systems, and VDI environments.

External Logging
The ESM can write logs to an external logging platform, such as a SIEM, a SOC platform or a syslog server, in addition to storing its logs internally. For an organization that deploys multiple ESMs, an external logging platform provides an aggregated view of those log databases.
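The aggregated view described above is something a collector has to build from the lines each ESM forwards. The following Python script is an added example, not code from Palo Alto Networks or from this page: it parses a small set of constructed BSD-style syslog lines, folds them into per-ESM event counts, and separates out lines from hosts that are not on the collector's list of known ESM servers and lines that do not parse at all. The log format, host names (esm-east, esm-west, esm-unknown), agent names and key=value fields are all assumptions made for illustration and do not represent the real Traps or ESM log format.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in a generic BSD-syslog style. This is NOT the
# real Traps/ESM log format; the hosts, agents and fields are assumptions
# made for this example. Each line names the ESM server that emitted it.
SAMPLE_LOGS = """\
<14>Jan 12 10:01:02 esm-east esm[2211]: agent=WS-001 event=prevention module=ROP process=winword.exe
<14>Jan 12 10:01:05 esm-west esm[1804]: agent=WS-117 event=prevention module=DLL_Hijack process=excel.exe
<13>Jan 12 10:01:09 esm-east esm[2211]: agent=WS-002 event=agent_status status=online
<14>Jan 12 10:02:31 esm-west esm[1804]: agent=WS-118 event=prevention module=ROP process=acrord32.exe
<12>Jan 12 10:02:40 esm-unknown esm[9]: agent=WS-999 event=prevention module=ROP process=cmd.exe
this line is not syslog at all
"""

# <PRI>Mmm dd hh:mm:ss host tag: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:]+): "
    r"(?P<msg>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one BSD-style syslog line into a dict, or return None if malformed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    rec = {
        "facility": pri >> 3,   # PRI = facility * 8 + severity
        "severity": pri & 7,
        "timestamp": m.group("ts"),
        "esm_host": m.group("host"),
        "tag": m.group("tag"),
    }
    rec.update(KV_RE.findall(m.group("msg")))  # key=value fields in the message
    return rec


def aggregate(log_text, known_esms):
    """Fold lines from several ESM servers into one view.

    Returns per-ESM counts of each event type, the records that came from a
    host not on the known-ESM allowlist (a collector should know which
    servers are allowed to feed it), and the number of unparseable lines.
    """
    per_esm = defaultdict(Counter)
    unknown_sources = []
    malformed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            malformed += 1
            continue
        if rec["esm_host"] not in known_esms:
            unknown_sources.append(rec)
            continue
        per_esm[rec["esm_host"]][rec.get("event", "unknown")] += 1
    return {
        "per_esm": {host: dict(counts) for host, counts in per_esm.items()},
        "unknown_sources": unknown_sources,
        "malformed": malformed,
    }


if __name__ == "__main__":
    summary = aggregate(SAMPLE_LOGS, known_esms={"esm-east", "esm-west"})
    for host, counts in sorted(summary["per_esm"].items()):
        print(f"{host}: {counts}")
    for rec in summary["unknown_sources"]:
        print(f"unexpected source {rec['esm_host']}: {rec}")
    print(f"malformed lines: {summary['malformed']}")
```

The allowlist check matters in a multi-ESM deployment: because ESM servers are stateless and added or removed as needed, the collector's list of expected sources has to be kept in step with the deployment, and anything arriving from an unlisted host deserves a look rather than being silently merged into the totals.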