Palo Alto Networks and Splunk: Combining Next-generation Solutions to Defeat Advanced Threats

Transcription

1 Palo Alto Networks and Splunk: Combining Next-generation Solutions to Defeat Advanced Threats

2 Executive Summary Palo Alto Networks strategic partnership with Splunk brings the power of our next generation enterprise security platform together with the Splunk next generation, big data security information and event management (SIEM) system. Featuring the tightly integrated Splunk App for Palo Alto Networks, the combined solution delivers unprecedented protection against advanced threats, including targeted attacks, sophisticated malware, and advanced persistent threats (APTs). Joint customers benefit from more thorough threat detection, faster response capabilities, and enhanced situational awareness for better, risk-informed decision-making. Advanced Threats A Compound Challenge Advanced threats are an even greater challenge than most people might initially think. The most obvious problem is the inability of traditional security approaches to detect Advanced Persistent Threats (APTs) and targeted attacks in the first place. Many common components of the enterprise security portfolio such as legacy stateful inspection firewalls and intrusion detection systems simply lack the necessary visibility and detection mechanisms required to identify anything other than known threats. In addition, traditional approaches are often disjointed, failing to correlate events between isolated technologies, limiting their ability to detect advanced threats. Many organizations also lack Security and Information Event Management (SIEM) systems which index and consolidate event data from all point security products in the organization. This lets security teams use a single product and console to do more efficient incident investigations, cross product threat correlation, and security/compliance reporting, Another challenge of APTs is that when a threat is detected, traditional security approaches are unable to facilitate a sufficiently quick response. For example, traditional SIEMs often require 15 minutes or longer to collect, process, and correlate relevant event data before issuing an alert. Then, security teams must confirm the alert, followed by the mostly manual task of re-configuring the organization s security infrastructure to prevent the threat from gaining access, or moving laterally within the organization. This post-alert exercise can easily stretch from an additional 15 minutes to hours, or even days. As the volume of advanced threats continues to increase, limited security resources are straining to respond. Often, this will create an ever growing backlog of alerts, allowing threats to stay inside organizations for extended periods of time before remediation can take place, and during this time the threats siphon off valuable intellectual property. Solving these challenges requires an integrated approach that can quickly detect advanced threats by correlating data from multiple security technologies, and accelerate both manual and automated response. Why a Combined Palo Alto Networks and Splunk Solution Makes Sense Individually, the solutions from Palo Alto Networks and Splunk provide tremendous value. Working together, however, the result is a combined solution that takes detection, response, and prevention of advanced threats to the next level. Palo Alto Networks The Next-generation Enterprise Security Platform Our enterprise security platform consists of three major elements: our Next-generation Firewall, our Next-generation Endpoint Protection, and our Next-generation Threat Intelligence Cloud. Our Nextgeneration Firewall delivers application, user, and content visibility and control as well as protection against network based cyber threats integrated within the firewall through our proprietary hardware and software architecture. Our Next-generation Endpoint Protection delivers protection against cyber attacks that aim to exploit software vulnerabilities on a broad variety of fixed and virtual endpoints. Our Next-generation Threat Intelligence Cloud provides central intelligence capabilities as well as automation of delivery of preventative measures against cyber attacks. PAGE 2

3 Splunk The Next-generation SIEM Platform By taking a big data approach to security intelligence, Splunk delivers a next-generation, big data SIEM platform that enables enterprises to make the most effective data-driven security decisions possible. Architected to collect tens of terabytes of data per day, to index all types of security and non-security data from anywhere in the computing environment with no data normalization/ reduction, and to deliver fast time-to-answer for queries made against both current and historical data sets, the Splunk solution supports a wide range of security use cases, including: Real-time, cross-product event correlation and alerting; Flexible, fast investigations of both ongoing and historical incidents; Detection of both known and unknown threats; Rapid operationalization of forensic findings (e.g., by using saved searches to automatically watch for hard-to-detect patterns of malicious activity); Long-term retention of all collected security logs/data; and Flexible reporting capabilities to measure and visualize security, compliance, and risk posture The wide range of data sources that Splunk can index includes firewalls, anti-virus, IDS, DLP, authentication systems/active Directory, DNS, DHCP, vulnerability scanners, databases, web proxies, servers, custom applications, operating systems, storage devices, hypervisors, cloud infrastructure/aws, NetFlow, physical badge records, and much more. Splunk can also enrich this indexed data with external data sources such as AD, a CMDB, or 3rd-party threat intelligence feeds. The Splunk App for Palo Alto Networks Splunk s next generation SIEM is an ideal complement to Palo Alto Networks next-generation enterprise security platform. By using the combined solution, Palo Alto Networks customers gain further defenses against advanced threats, along with core SIEM functionality that is an essential part of an enterprise security program. PAGE 3

4 A significant outcome of the partnership is the Splunk App for Palo Alto Networks. Free to Splunk customers, this integrated offering enables enterprise security teams to further capitalize on the rich network, application, user, content, and threat data made available by the Palo Alto Networks platform. Among numerous other features, the Splunk App automatically populates an extensive collection of pre-defined reports and dashboards for comprehensive, real-time visualization of an organization s network and threat-related activity. Beyond the Splunk App, Palo Alto Networks customers can also leverage the broader functionality of the Splunk platform such as real-time cross-product event correlation and alerting to further improve their ability to detect advanced threats. How the Combined Solution Works The individual components have been integrated to interoperate as follows: Palo Alto Networks syslog records are forwarded to the core Splunk product, called Splunk Enterprise, either directly from PAN-OS devices, or in aggregate from the Panorama centralized management console Splunk Enterprise dynamically pulls WildFire events, providing intelligence on zero-day exploits and unknown malware Splunk Enterprise indexes all received data and makes it available to any Splunk Apps which sit on Splunk Enterprise The Splunk App for Palo Alto Networks reports on the underlying Palo Alto Networks data in Splunk in an extensive array of dashboards and reports. The Splunk App for Palo Alto Networks also contains form boxes and time range pickers to facilitate incident investigations involving Palo Alto Networks data. The Splunk App for Palo Networks can, in real-time, send known bad external or internal IPs to Panorama and PAN-OS devices to have Palo Alto Networks blacklist bad IPs or quarantine internal machines. This is enabled by real-time Splunk searches that use custom commands which come with the Splunk App for Palo Alto Networks. Described in detail in the sections that follow, specific capabilities and strengths of the combined solution include enhanced visibility, expanded detection of advanced threats, accelerated threat response, and substantially improved situational awareness. Complementary Data Sources Enhanced Visibility At a foundational level, the Palo Alto Networks next-generation enterprise security platform fuels the Splunk data engine with invaluable data about the applications, users, content, and threats responsible for and contained within each network session. This enhances the visibility and analysis results provided by Splunk. At the same time, Splunk delivers the bigger picture by collecting machine data from countless other sources including application servers, cloud services, storage infrastructure, HR databases, personnel time management systems, and more. This represents invaluable information that security teams can use to uncover hidden threats, reduce false positives, and better gauge the business-level significance of a given threat. Data gathered by Splunk can also be fed back to Panorama. For example, custom commands within the Splunk App for Palo Alto Networks can automatically trigger the transfer of user/ip address pairs not already available to PAN-OS devices based on integration with enterprise directories. This data can then be used to more granularly define and enforce policies for secure application enablement. By bringing complementary data to the table, the individual components of a combined solution significantly enhance each other s visibility and overall effectiveness. Expanded Detection of Advanced Threats In addition to the core detection and prevention capabilities within the Palo Alto Networks security platform, this integration extends organizations ability to detect advanced threats by adding: Statistical anomaly detection. Generated over time, statistical baselines of normal activities provide a revealing backdrop for identifying outliers indicative of potential threat activity. PAGE 4

5 Splunk Enterprise dynamically pulls WildFire events, providing intelligence on zero-day exploits and unknown malware. Infrastructure-wide event correlation. Splunk enables correlation across far more data sources than just the Palo Alto Networks platform. This ability to account for an extended breadth of events is steadily growing in importance as advanced threats become increasingly proficient at hiding within allowed/normal network communications. Ad-hoc and continuous monitoring for indicators of compromise. Telltale signs of advanced attacks also known as indicators of compromise (IOCs) include unexpected changes to certain network services, uncommon port/protocol combinations, and IP addresses for the sources of files WildFire determines to be malware. Security teams can use Splunk to search for these IOCs across the organizational-wide data in Splunk as part of incident and forensic investigations to see if the threat at some point in time was in the organization or may still be present. Optionally, Splunk users can also configure the system to perform recurring searches of the IOC pattern and alert if the pattern is seen again, thereby establishing a form of continuous monitoring. In fact, the Splunk App for Palo Alto Networks leverages this exact approach to create a dashboard identifying probable malware-related traffic based on IP addresses it automatically extracts from WildFire intelligence reports. Accelerated Threat Response Being able to quickly respond to advanced threats in a way that thoroughly mitigates their impact is also essential to claiming success. The combined offering helps meet this objective in several ways: Instantly makes data available. Because it is a high-performance, real-time system, Splunk eliminates the processing delay typical of traditional SIEMs and reduces the time to alert from minutes to seconds. Also, since Splunk s big data architecture is schema-less and uses no database, that means all the original data is indexed and can be searched or reported on. Unlike with traditional SIEMs, Splunk does not throw away any data that might contain the minute fingerprints of a threat. Automated quarantine and blocking. The Splunk App for Palo Alto Networks allows security teams to setup sophisticated automated security response in Palo Alto Networks firewalls, such as quarantining an infected user, restricting access, or sending suspicious traffic to an advanced security stack for further analysis. All actions can be triggered from Splunk without any user intervention, updating the Palo Alto Networks security platform directly from the App. PAGE 5

6 Security teams are able to reduce their exposure to the ever-increasing number of known and unknown threats, as well as operationalize their response with this real-time intelligence, and automated remediation actions. Faster Incident and Forensic Investigations The combined offering also simplifies the process of performing routine troubleshooting tasks and conducting details forensics investigations for Palo Alto Networks devices. With the Splunk App for Palo Alto Networks, security and networks teams can: View threat activity by geographic region Quickly review summarized traffic, app, web, and threat activity data Easily drill down and navigate deeper levels of detail, including raw PAN-OS logs and full WildFire reports Leverage the highly flexible yet intuitive Splunk search language to create powerful searches of all security-relevant data and conduct in-depth analysis of incidents Quickly analyze and visualize data to build dashboards and reports using Splunk data pivot capabilities Capture any search/analysis results in a custom, re-usable report Investigating incidents and determining the root cause and extent of security breaches only takes minutes, instead of hours or days. Real-time Situational Awareness Today s IT and business-line managers also require an accurate picture of their organization s current security posture in order to make better, risk-informed decisions. To support this requirement, the combined solution from Palo Alto Networks and Splunk delivers: Numerous, high-level dashboards that summarize all network, web, application, content, and threat activity Operational status of all Palo Alto Networks devices. Splunk users can quickly and easily customize any of the out-of-the-box views/panels, plus create entirely new ones on demand. They can also define, monitor, and trend the key performance indicators (KPIs) that matter most to their organization while taking advantage of a single, unified solution for all security and compliance reporting. Conclusion Palo Alto Networks and Splunk have brought the power of the leading next-generation enterprise security platform and the leading next generation SIEM together to provide today s enterprises with an unparalleled solution for addressing advanced threats. Featuring the free Splunk App for Palo Alto Networks, the combined solution delivers more thorough detection of advanced threats, faster response capabilities, and comprehensive, real-time situational awareness for better, risk-informed decision making. For more information about the Palo Alto Networks, please visit For more information about Splunk, please visit To download the free Splunk App for Palo Alto Networks visit: Great America Parkway Santa Clara, CA Main: Sales: Support: Copyright 2015, Palo Alto Networks, Inc. All rights reserved. Palo Alto Networks, the Palo Alto Networks Logo, PAN-OS, App-ID and Panorama are trademarks of Palo Alto Networks, Inc. All specifications are subject to change without notice. Palo Alto Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Palo Alto Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. PAN_WP_CNGSDAT_033115