End-of-Life (EoL)
Security Assurance
Security Assurance provides extra help from Palo Alto
Networks experts for initial investigation of incidents.
If you detect suspicious activity in
your network, Security Assurance provides extra help from Palo Alto
Networks when you need it the most. Security Assurance provides:
- Access to Palo Alto Networks security experts and their specialized threat intelligence tools and threat hunting practices.
- Advanced log and indicators of compromise (IOC) analysis.
- Configuration assessment that includes customized product security recommendations.
- Next step recommendations to expedite the transition to your incident response (IR) vendor to help manage and resolve the incident.
To take advantage of Security Assurance, you must subscribe to
the Premium Support Contract (on or after November 1, 2019) or to
the Platinum Support Contract.
The first step toward Security Assurance is to run the Best Practice Assessment (BPA)
to measure your adoption of seven key security capabilities: WildFire,
Antivirus, Anti-Spyware, DNS Sinkhole, URL Filtering, Vulnerability
Protection, and Logging. We recommend that you ensure your adoption
rate for those security capabilities is at least equal to your industry’s
average adoption rate.
Running the BPA and adopting higher levels of key security capabilities
provides better protection for your network and helps avoid incidents.
The BPA also measures the adoption level of many other security
capabilities such as App-ID and User-ID, zone configuration, other
security profiles such as File Blocking and DoS Protection profiles,
and the BPA makes recommendations on how to improve your security
posture.
Run the BPA at regular intervals (for
example, monthly or quarterly) to measure the adoption of key security capabilities,
understand the state of your network security, and prioritize security
improvements.
When you subscribe to the Premium Support Contract (on or after
November 1, 2019) or to the Platinum Support Contract and run the
BPA, if it shows that you have adopted the seven key security capabilities
at a rate that meets your industry’s average, Security Assurance
is enabled automatically. If you need assistance to adopt these
key capabilities at a rate that meets your industry average, contact your
Palo Alto Networks sales representative for help in defining requirements,
providing justification criteria, etc. If business reasons prevent
you from adopting the key security capabilities at this level, please
work with your Palo Alto Networks sales representative on how to
gain access to the benefits of Security Assurance.
The Seven Key Security Capabilities to Adopt
Adopt seven key security capabilities for Security Assurance:
WildFire, Antivirus, Anti-Spyware, DNS Sinkhole, URL Filtering, Vulnerability
Protection, and Logging.
We strongly recommend adopting the following seven key
security capabilities for the following reasons:
- WildFire—Attach a WildFire security profile to security policy rules that allow traffic to protect your network from new, unknown threats. WildFire is a strong defense against advanced persistent threats (APTs).
- Antivirus—Attach an Antivirus security profile to security policy rules that allow traffic to block known malicious files such as malware, ransomware, bots, and viruses.
- Anti-Spyware—Attach an Anti-Spyware security profile to security policy rules that allow traffic to detect command-and-control (C2) traffic initiated by malicious code running on a server or endpoint and to prevent compromised systems from establishing an outbound connection from your network.
- DNS Sinkhole—Configure the DNS Sinkhole portion of an Anti-Spyware security profile that is attached to security policy rules that allow traffic. DNS Sinkhole identifies potentially compromised hosts that attempt to access suspicious domains by tracking the hosts and preventing them from accessing those domains.
- URL Filtering—Attach a URL Filtering profile to security policy rules that allow traffic to prevent access to risky web content (sites that may contain malicious content). URL Filtering profiles and URL categories give you granular control over the types of websites to which you allow access.
- Vulnerability Protection—Attach a Vulnerability Protection security profile to security policy rules that allow traffic to prevent attackers from exploiting client-side and server-side vulnerabilities and delivering malicious payloads to your network and users, and to prevent attackers from using vulnerabilities to move laterally within your network.
- Logging—Enable logging on all traffic (allowed and denied) to provide a time-stamped audit trail for system events and network traffic events. Logs provide critical information for investigating incidents. Log Forwarding enables you to send logs from all your firewalls to Panorama or to external logging servers to aggregate the logs for analysis.
Adopting these key capabilities greatly improves your security
posture, reduces your attack surface, increases your visibility
into network traffic, prevents known and new attacks, and protects
the data, assets, applications, and services that are most
valuable to your network.
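The checks behind the seven capabilities can be run locally against an exported firewall configuration. The following is an added example, not Palo Alto Networks code: it walks the security rulebase of a constructed PAN-OS-style XML config and reports, for every rule that allows traffic, whether each of the seven capabilities is in place. The element names (profile-setting, virus, spyware, vulnerability, url-filtering, wildfire-analysis, botnet-domains, log-end) follow the PAN-OS config schema as the author understands it and are an assumption; the sample rulebase is constructed.

```python
# Added example (not Palo Alto Networks code). Element names follow the PAN-OS
# XML config schema as the author understands it (assumption); sample is constructed.
import xml.etree.ElementTree as ET

# Constructed sample: one hardened allow rule, one bare allow rule, one deny rule.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys>
<entry name="vsys1">
<profiles><spyware><entry name="strict-spy">
  <botnet-domains><lists><entry name="default-paloalto-dns">
    <action><sinkhole/></action></entry></lists></botnet-domains>
</entry></spyware></profiles>
<rulebase><security><rules>
  <entry name="allow-web"><action>allow</action><log-end>yes</log-end>
    <profile-setting><profiles>
      <virus><member>default</member></virus>
      <spyware><member>strict-spy</member></spyware>
      <vulnerability><member>strict</member></vulnerability>
      <url-filtering><member>default</member></url-filtering>
      <wildfire-analysis><member>default</member></wildfire-analysis>
    </profiles></profile-setting></entry>
  <entry name="allow-legacy"><action>allow</action><log-end>no</log-end></entry>
  <entry name="deny-all"><action>deny</action><log-end>yes</log-end></entry>
</rules></security></rulebase>
</entry></vsys></entry></devices></config>"""

PROFILE_TAGS = {"WildFire": "wildfire-analysis", "Antivirus": "virus",
                "Anti-Spyware": "spyware", "URL Filtering": "url-filtering",
                "Vulnerability Protection": "vulnerability"}

def sinkhole_profiles(root):
    """Names of Anti-Spyware profiles whose DNS Signatures action is sinkhole."""
    found = set()
    for prof in root.iterfind(".//profiles/spyware/entry"):
        if prof.find("botnet-domains/lists/entry/action/sinkhole") is not None:
            found.add(prof.get("name"))
    return found

def check_adoption(config_xml):
    """Return {rule name: {capability: bool}} for every rule that allows traffic."""
    root = ET.fromstring(config_xml)
    sinkholing = sinkhole_profiles(root)
    report = {}
    for rule in root.iterfind(".//rulebase/security/rules/entry"):
        if rule.findtext("action") != "allow":
            continue  # the seven checks apply to rules that allow traffic
        profs = rule.find("profile-setting/profiles")
        attached = {cap: profs is not None and profs.findtext(f"{tag}/member") is not None
                    for cap, tag in PROFILE_TAGS.items()}
        attached["DNS Sinkhole"] = profs is not None and profs.findtext("spyware/member") in sinkholing
        attached["Logging"] = rule.findtext("log-end") == "yes"  # log at session end
        report[rule.get("name")] = attached
    return report
```

Rules that reference a security profile group rather than individual profiles are reported as lacking profiles by this example; resolving group membership is not implemented.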
Check Adoption of the Seven Key Security Capabilities
Check your adoption of key security capabilities to prepare
for Security Assurance.
In the detailed BPA report (HTML format) that
you receive when you generate and download BPA results, go to the Adoption Summary page to
check your overall adoption of DNS Sinkhole and the six security
profile capabilities (WildFire, Antivirus, Anti-Spyware, DNS Sinkhole, Vulnerability
Protection, and URL Filtering), and your industry’s
average adoption of those capabilities (logging is a separate check).
The Adoption Summary page shows your security capability adoption
compared to your industry and helps you identify gaps in adoption.
For example, if your industry is High Technology, the
results show that the configuration meets or exceeds the industry
average adoption for WildFire, Antivirus, Anti-Spyware, Vulnerability
Protection, and URL Filtering profiles, and for DNS Sinkhole adoption.
The results also show that the configuration does not come up to
the industry average adoption of File Blocking profiles. In addition,
the results indicate that although Security profiles and DNS Sinkhole
are enabled on policies, in most cases, they aren’t best practice
implementations. This indicates the next courses of action: evaluate whether
you need to add File Blocking profiles to more policies and see
if you can elevate the existing profiles to best practice profiles
to tighten security.
In the detailed HTML BPA report, go to the Trending
page to check your overall adoption
of logging capabilities and your industry’s average adoption of
logging. This page shows not only your level of adoption compared
to your industry but also, if you have run more than one BPA report,
your level of adoption compared to the last time you ran the BPA.
This is a measure of security improvement over time as well as a call
to action if your results indicate that your security is not as
tight as you want it to be. This example shows how improvements
may take place over time.
If the profile and logging results
show that your adoption of all seven capabilities meets your industry’s
average, Security Assurance is automatically enabled. If you need
assistance to adopt these key capabilities at a rate that meets
your industry average, contact your Palo Alto Networks sales representative
for help in defining requirements, providing justification criteria,
etc. If business reasons prevent you from adopting the key security
capabilities at this level, please work with your Palo Alto Networks
sales representative on how to gain access to the benefits of Security
Assurance.
Improve Adoption of the Seven Key Security Capabilities
Improve adoption of key security capabilities to improve
your security posture and prepare for Security Assurance.
Use the BPA in conjunction with Palo Alto Networks technical
documentation to identify the security capabilities that need improvement
and to make the needed improvements, especially in the seven key
security capabilities. Improving your security posture helps to
safeguard your users and your valuable devices, assets, applications,
and services.
- WildFire—Transition WildFire Profiles Safely to Best Practices and then implement WildFire Best Practices. The best practice WildFire profile is the default profile.
- Antivirus—Transition Antivirus Profiles Safely to Best Practices and then implement Antivirus Best Practices (or slightly stricter Antivirus Best Practices for the data center).
- Anti-Spyware and DNS Sinkhole—DNS Sinkhole configuration is on the DNS Signatures tab in the Anti-Spyware security profile. Transition Anti-Spyware Profiles Safely to Best Practices and then implement Anti-Spyware Best Practices (or slightly stricter Anti-Spyware Best Practices for the data center).
- URL Filtering—Transition URL Filtering Profiles Safely to Best Practices and then implement URL Filtering Best Practices.
- Vulnerability Protection—Transition Vulnerability Protection Profiles Safely to Best Practices and then implement Vulnerability Protection Best Practices (or slightly stricter Vulnerability Protection Best Practices for the data center).
- Logging—Security policy rules log at session end by default.
In addition, the BPA and the technical documentation show you
how to improve many other security capabilities such as App-ID, User-ID,
File Blocking profiles, DoS and Zone Protection, and credential
theft protection. Some key resources are:
- Getting Started with the BPA—Shows you how to use the BPA to review the adoption of security capabilities and identify gaps in adoption, evaluate your configuration including policies, objects, network, and device and Panorama configuration, and prioritize changes including strengthening your device management posture, improving visibility into traffic, and implementing initial best practice controls.
- Decryption Best Practices—Shows you how to increase your visibility by decrypting all of the traffic that your business model, privacy considerations, and regulations allow so that you can inspect the maximum amount of traffic and protect your network from encrypted threats.
- DoS and Zone Protection Best Practices—Shows you how to take a layered approach to protecting against denial-of-service (DoS) attacks that try to take down your network and to defending your network perimeter, zones, and individual devices.
- Best Practices for Applications and Threats Content Updates—Deploying content and application updates in the best manner for your business requirements ensures that your network is protected against the latest threats and identifies the latest applications.
You can find all of these documents and much more from the Best Practices portal and
the Transition to Best Practices page.
How to Engage Security Assurance
Capture relevant log data and then use Security Assurance
to help with suspicious activity.
If you experience suspicious activity, when you engage
Security Assurance, you must provide a specific set of data about the
suspected incident so Palo Alto Networks’ experts can investigate
the activity.
Data to Collect Before Engaging Security Assurance
Gather relevant log data before you engage Security Assurance
to help with suspicious activity.
Palo Alto Networks’ experts need at a minimum the following
information about the suspicious activity to begin diagnosing the
potential issue. Please collect this data before you engage Security
Assurance.
Basic details regarding the suspicious activity:
- The suspected attack vector and type: What evidence of suspicious activity alerted your administrative or response team?
- Timeline:
- Date and time of the suspected initial attack, if known.
- The time at which you identified the potential issue.
- Incident details:
- Known IP addresses of impacted systems.
- The IP addresses of impacted hosts that are publicly available through NAT.
- Critical services that could make the system or systems a target, for example, databases, web services, remote access (RDP, Citrix, etc.) servers.
- Known or suspicious IP addresses that may be related to the attack.
- The User-IDs of compromised user accounts (if any).
- Topology diagram or overview: The location of the firewall in relation to the impacted hosts. (A complete network topology diagram is not required.)
- Malware and indicators-of-compromise:
- Samples.
- Hashes.
Firewall data:
- Tech Support Files:
- Generate and upload Tech Support files from the firewalls in the path to potentially impacted devices at the time of the suspicious activity.
- If you use Panorama to manage the firewalls, generate and upload the Panorama Tech Support file.
- Firewall logs: Export logs from the firewall and Panorama appliances from two hours before the suspicious activity. Before you export logs, verify that the CSV row setting (Device > Setup > Management > Logging and Reporting Settings) is at its maximum value of 65535 rows. If the value is lower, increase it to the maximum of 65535 rows. Export logs for each of the following basic log categories (if logs are enabled) based on IP address information and Timestamp details (you can filter logs to display log entries based on IP address and time).
It’s important to understand your deployment’s log retention
policy and log retention capacity to ensure that no relevant data
is unexamined. Administrators may need to take additional actions
such as exporting data from firewalls or other logging servers to
assure continuity and completeness of data for the duration of the
investigation.
More ways to identify meaningful data about suspicious activity:
- Use the ACC. The ACC can show you traffic spikes, anomalies, and changes in the time before, during, and after the suspicious activity.
- Use the Threat Monitor Report to view the top threats over the time period preceding, during, and after the suspicious activity.
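Once the logs are exported, the incident window and IP list gathered above can be applied to them offline. The following is an added example, not Palo Alto Networks code: it narrows a constructed PAN-OS-style traffic-log CSV export to the window that starts two hours before the suspected initial attack, keeps only entries involving the impacted or suspect IP addresses, and flags whether the export's retention actually covers the whole window. The column names (Receive Time, Source address, Destination address) and the timestamp format are the author's assumption about the CSV export; the sample rows are constructed.

```python
# Added example (not Palo Alto Networks code). CSV column names and timestamp
# format are an assumption about the PAN-OS export; the sample rows are constructed.
import csv
import io
from datetime import datetime, timedelta

TIME_FMT = "%Y/%m/%d %H:%M:%S"  # assumed PAN-OS log timestamp format

# Constructed sample export (five traffic-log rows).
SAMPLE_CSV = """Receive Time,Source address,Destination address,Application,Action
2019/11/01 09:30:12,10.1.1.20,203.0.113.9,web-browsing,allow
2019/11/01 11:45:03,10.1.1.20,198.51.100.7,ssl,allow
2019/11/01 12:10:44,10.1.1.21,203.0.113.9,dns,allow
2019/11/01 12:15:01,10.1.1.20,198.51.100.7,unknown-tcp,allow
2019/11/01 13:02:59,10.1.1.50,203.0.113.9,web-browsing,allow
"""

def parse_time(text):
    return datetime.strptime(text, TIME_FMT)

def incident_window(first_seen, identified, lead=timedelta(hours=2)):
    """Window to examine: two hours before the suspected start, up to detection."""
    return parse_time(first_seen) - lead, parse_time(identified)

def filter_logs(csv_text, ips, first_seen, identified):
    """Rows inside the window that involve a listed IP, plus a retention check."""
    start, end = incident_window(first_seen, identified)
    hits, earliest = [], None
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = parse_time(row["Receive Time"])
        earliest = ts if earliest is None or ts < earliest else earliest
        if start <= ts <= end and (row["Source address"] in ips
                                   or row["Destination address"] in ips):
            hits.append(row)
    # If the oldest exported entry is newer than the window start, retention does
    # not cover the whole window and other log sources must be examined.
    return {"rows": hits, "covers_window": earliest is not None and earliest <= start}

def ip_activity(rows):
    """Per-IP count of matching sessions: a quick view of who talked to whom."""
    counts = {}
    for row in rows:
        for key in ("Source address", "Destination address"):
            counts[row[key]] = counts.get(row[key], 0) + 1
    return counts
```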
Engaging Security Assurance
There are two ways to engage Security Assurance to help
with suspicious activity.
After you collect data about
the suspicious activity to ensure the timely analysis of the relevant
information, you’re ready to engage Security Assurance. You can
engage Security Assurance in two ways:
- Log in to the Customer Support Portal. Click Create a Case to open a support case. When you fill out the form, select Threat.
- Your sales engineer (SE) can open a support case on your behalf.