Palo Alto Networks and Splunk: Combining Next-generation Solutions to Defeat Advanced Threats




Executive Summary

Palo Alto Networks' strategic partnership with Splunk brings the power of our next-generation enterprise security platform together with the Splunk next-generation, big data security information and event management (SIEM) system. Featuring the tightly integrated Splunk App for Palo Alto Networks, the combined solution delivers unprecedented protection against advanced threats, including targeted attacks, sophisticated malware, and advanced persistent threats (APTs). Joint customers benefit from more thorough threat detection, faster response capabilities, and enhanced situational awareness for better, risk-informed decision-making.

Advanced Threats: A Compound Challenge

Advanced threats are an even greater challenge than most people might initially think. The most obvious problem is the inability of traditional security approaches to detect Advanced Persistent Threats (APTs) and targeted attacks in the first place. Many common components of the enterprise security portfolio, such as legacy stateful inspection firewalls and intrusion detection systems, simply lack the visibility and detection mechanisms required to identify anything other than known threats. In addition, traditional approaches are often disjointed, failing to correlate events between isolated technologies, which limits their ability to detect advanced threats. Many organizations also lack a Security Information and Event Management (SIEM) system that indexes and consolidates event data from all point security products in the organization; a SIEM lets security teams use a single product and console for more efficient incident investigations, cross-product threat correlation, and security/compliance reporting.

Another challenge of APTs is that when a threat is detected, traditional security approaches are unable to facilitate a sufficiently quick response. For example, traditional SIEMs often require 15 minutes or longer to collect, process, and correlate relevant event data before issuing an alert. Then, security teams must confirm the alert, followed by the mostly manual task of re-configuring the organization's security infrastructure to prevent the threat from gaining access or moving laterally within the organization. This post-alert exercise can easily stretch from an additional 15 minutes to hours, or even days. As the volume of advanced threats continues to increase, limited security resources are straining to respond. Often this creates an ever-growing backlog of alerts, allowing threats to stay inside organizations for extended periods before remediation can take place; during this time the threats siphon off valuable intellectual property. Solving these challenges requires an integrated approach that can quickly detect advanced threats by correlating data from multiple security technologies, and accelerate both manual and automated response.

Why a Combined Palo Alto Networks and Splunk Solution Makes Sense

Individually, the solutions from Palo Alto Networks and Splunk provide tremendous value. Working together, however, the result is a combined solution that takes detection, response, and prevention of advanced threats to the next level.

Palo Alto Networks: The Next-generation Enterprise Security Platform

Our enterprise security platform consists of three major elements: our Next-generation Firewall, our Next-generation Endpoint Protection, and our Next-generation Threat Intelligence Cloud. Our Next-generation Firewall delivers application, user, and content visibility and control, as well as protection against network-based cyber threats, integrated within the firewall through our proprietary hardware and software architecture. Our Next-generation Endpoint Protection delivers protection against cyber attacks that aim to exploit software vulnerabilities on a broad variety of fixed and virtual endpoints. Our Next-generation Threat Intelligence Cloud provides central intelligence capabilities as well as automated delivery of preventative measures against cyber attacks.

Splunk: The Next-generation SIEM Platform

By taking a big data approach to security intelligence, Splunk delivers a next-generation, big data SIEM platform that enables enterprises to make the most effective data-driven security decisions possible. Architected to collect tens of terabytes of data per day, to index all types of security and non-security data from anywhere in the computing environment with no data normalization/reduction, and to deliver fast time-to-answer for queries made against both current and historical data sets, the Splunk solution supports a wide range of security use cases, including:

- Real-time, cross-product event correlation and alerting
- Flexible, fast investigations of both ongoing and historical incidents
- Detection of both known and unknown threats
- Rapid operationalization of forensic findings (e.g., by using saved searches to automatically watch for hard-to-detect patterns of malicious activity)
- Long-term retention of all collected security logs/data
- Flexible reporting capabilities to measure and visualize security, compliance, and risk posture

The wide range of data sources that Splunk can index includes firewalls, anti-virus, IDS, DLP, authentication systems/Active Directory, DNS, DHCP, vulnerability scanners, databases, web proxies, email servers, custom applications, operating systems, storage devices, hypervisors, cloud infrastructure/AWS, NetFlow, physical badge records, and much more. Splunk can also enrich this indexed data with external data sources such as AD, a CMDB, or third-party threat intelligence feeds.

The Splunk App for Palo Alto Networks

Splunk's next-generation SIEM is an ideal complement to Palo Alto Networks' next-generation enterprise security platform. By using the combined solution, Palo Alto Networks customers gain further defenses against advanced threats, along with core SIEM functionality that is an essential part of an enterprise security program.

A significant outcome of the partnership is the Splunk App for Palo Alto Networks. Free to Splunk customers, this integrated offering enables enterprise security teams to further capitalize on the rich network, application, user, content, and threat data made available by the Palo Alto Networks platform. Among numerous other features, the Splunk App automatically populates an extensive collection of pre-defined reports and dashboards for comprehensive, real-time visualization of an organization's network and threat-related activity. Beyond the Splunk App, Palo Alto Networks customers can also leverage the broader functionality of the Splunk platform, such as real-time cross-product event correlation and alerting, to further improve their ability to detect advanced threats.

How the Combined Solution Works

The individual components have been integrated to interoperate as follows:

- Palo Alto Networks syslog records are forwarded to the core Splunk product, Splunk Enterprise, either directly from PAN-OS devices or in aggregate from the Panorama centralized management console.
- Splunk Enterprise dynamically pulls WildFire events, providing intelligence on zero-day exploits and unknown malware.
- Splunk Enterprise indexes all received data and makes it available to any Splunk Apps that sit on Splunk Enterprise.
- The Splunk App for Palo Alto Networks reports on the underlying Palo Alto Networks data in Splunk through an extensive array of dashboards and reports. It also contains form boxes and time range pickers to facilitate incident investigations involving Palo Alto Networks data.
- The Splunk App for Palo Alto Networks can, in real time, send known bad external or internal IPs to Panorama and PAN-OS devices so that Palo Alto Networks blacklists the bad IPs or quarantines the internal machines. This is enabled by real-time Splunk searches that use custom commands shipped with the Splunk App for Palo Alto Networks.

Described in detail in the sections that follow, specific capabilities and strengths of the combined solution include enhanced visibility, expanded detection of advanced threats, accelerated threat response, and substantially improved situational awareness.

Complementary Data Sources: Enhanced Visibility

At a foundational level, the Palo Alto Networks next-generation enterprise security platform fuels the Splunk data engine with invaluable data about the applications, users, content, and threats responsible for and contained within each network session. This enhances the visibility and analysis results provided by Splunk. At the same time, Splunk delivers the bigger picture by collecting machine data from countless other sources, including application servers, cloud services, storage infrastructure, HR databases, personnel time management systems, and more. This represents invaluable information that security teams can use to uncover hidden threats, reduce false positives, and better gauge the business-level significance of a given threat.

Data gathered by Splunk can also be fed back to Panorama. For example, custom commands within the Splunk App for Palo Alto Networks can automatically trigger the transfer of user/IP address pairs not already available to PAN-OS devices, based on integration with enterprise directories. This data can then be used to more granularly define and enforce policies for secure application enablement. By bringing complementary data to the table, the individual components of the combined solution significantly enhance each other's visibility and overall effectiveness.

Expanded Detection of Advanced Threats

In addition to the core detection and prevention capabilities within the Palo Alto Networks security platform, this integration extends organizations' ability to detect advanced threats by adding:

- Statistical anomaly detection. Generated over time, statistical baselines of normal activities provide a revealing backdrop for identifying outliers indicative of potential threat activity.

- Infrastructure-wide event correlation. Splunk enables correlation across far more data sources than just the Palo Alto Networks platform. This ability to account for an extended breadth of events is steadily growing in importance as advanced threats become increasingly proficient at hiding within allowed/normal network communications.
- Ad-hoc and continuous monitoring for indicators of compromise. Telltale signs of advanced attacks, also known as indicators of compromise (IOCs), include unexpected changes to certain network services, uncommon port/protocol combinations, and the IP addresses of the sources of files that WildFire determines to be malware. Security teams can use Splunk to search for these IOCs across the organization-wide data in Splunk as part of incident and forensic investigations, to see whether the threat was in the organization at some point in time or may still be present. Optionally, Splunk users can also configure the system to perform recurring searches for the IOC pattern and alert if the pattern is seen again, thereby establishing a form of continuous monitoring. In fact, the Splunk App for Palo Alto Networks leverages this exact approach to create a dashboard identifying probable malware-related traffic, based on IP addresses it automatically extracts from WildFire intelligence reports.

Accelerated Threat Response

Being able to quickly respond to advanced threats in a way that thoroughly mitigates their impact is also essential to claiming success. The combined offering helps meet this objective in several ways:

- Instantly makes data available. Because it is a high-performance, real-time system, Splunk eliminates the processing delay typical of traditional SIEMs and reduces the time to alert from minutes to seconds. Also, since Splunk's big data architecture is schema-less and uses no database, all the original data is indexed and can be searched or reported on. Unlike traditional SIEMs, Splunk does not throw away any data that might contain the minute fingerprints of a threat.
- Automated quarantine and blocking. The Splunk App for Palo Alto Networks allows security teams to set up sophisticated automated security responses in Palo Alto Networks firewalls, such as quarantining an infected user, restricting access, or sending suspicious traffic to an advanced security stack for further analysis. All actions can be triggered from Splunk without any user intervention, updating the Palo Alto Networks security platform directly from the App.

Security teams are able to reduce their exposure to the ever-increasing number of known and unknown threats, as well as operationalize their response, with this real-time intelligence and automated remediation actions.

Faster Incident and Forensic Investigations

The combined offering also simplifies the process of performing routine troubleshooting tasks and conducting detailed forensic investigations for Palo Alto Networks devices. With the Splunk App for Palo Alto Networks, security and network teams can:

- View threat activity by geographic region
- Quickly review summarized traffic, app, web, and threat activity data
- Easily drill down and navigate deeper levels of detail, including raw PAN-OS logs and full WildFire reports
- Leverage the highly flexible yet intuitive Splunk search language to create powerful searches of all security-relevant data and conduct in-depth analysis of incidents
- Quickly analyze and visualize data to build dashboards and reports using Splunk data pivot capabilities
- Capture any search/analysis results in a custom, re-usable report

Investigating incidents and determining the root cause and extent of security breaches takes only minutes, instead of hours or days.

Real-time Situational Awareness

Today's IT and business-line managers also require an accurate picture of their organization's current security posture in order to make better, risk-informed decisions. To support this requirement, the combined solution from Palo Alto Networks and Splunk delivers:

- Numerous high-level dashboards that summarize all network, web, application, content, and threat activity
- Operational status of all Palo Alto Networks devices

Splunk users can quickly and easily customize any of the out-of-the-box views/panels, plus create entirely new ones on demand. They can also define, monitor, and trend the key performance indicators (KPIs) that matter most to their organization while taking advantage of a single, unified solution for all security and compliance reporting.

Conclusion

Palo Alto Networks and Splunk have brought the power of the leading next-generation enterprise security platform and the leading next-generation SIEM together to provide today's enterprises with an unparalleled solution for addressing advanced threats. Featuring the free Splunk App for Palo Alto Networks, the combined solution delivers more thorough detection of advanced threats, faster response capabilities, and comprehensive, real-time situational awareness for better, risk-informed decision making.

For more information about Palo Alto Networks, please visit www.paloaltonetworks.com. For more information about Splunk, please visit www.splunk.com. To download the free Splunk App for Palo Alto Networks, visit: http://apps.splunk.com/app/491/

4401 Great America Parkway, Santa Clara, CA 95054. Main: +1.408.753.4000. Sales: +1.866.320.4788. Support: +1.866.898.9087. www.paloaltonetworks.com

Copyright 2015, Palo Alto Networks, Inc. All rights reserved. Palo Alto Networks, the Palo Alto Networks Logo, PAN-OS, App-ID and Panorama are trademarks of Palo Alto Networks, Inc. All specifications are subject to change without notice. Palo Alto Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Palo Alto Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. PAN_WP_CNGSDAT_033115