Security Assurance provides extra help from Palo Alto Networks experts for initial investigation of incidents.
If you detect suspicious activity in your network, Security Assurance provides extra help from Palo Alto Networks when you need it the most. Security Assurance provides:
- Access to Palo Alto Networks security experts and their specialized threat intelligence tools and threat hunting practices.
- Advanced log and indicators of compromise (IOC) analysis.
- Configuration assessment that includes customized product security recommendations.
- Next step recommendations to expedite the transition to your incident response (IR) vendor to help manage and resolve the incident.
To take advantage of Security Assurance, you must subscribe to the Premium Support Contract (on or after November 1, 2019) or to the Platinum Support Contract.
The first step toward Security Assurance is to run the Best Practice Assessment (BPA) to measure your adoption of seven key security capabilities: WildFire, Antivirus, Anti-Spyware, DNS Sinkhole, URL Filtering, Vulnerability Protection, and Logging. We recommend that you ensure your adoption rate for those security capabilities is at least equal to your industry’s average adoption rate.
Running the BPA and adopting higher levels of key security capabilities provides better protection for your network and helps avoid incidents. The BPA also measures the adoption level of many other security capabilities such as App-ID and User-ID, zone configuration, other security profiles such as File Blocking and DoS Protection profiles, and the BPA makes recommendations on how to improve your security posture.
Run the BPA at regular intervals (for example, monthly or quarterly) to measure the adoption of key security capabilities, understand the state of your network security, and prioritize security improvements.
When you subscribe to the Premium Support Contract (on or after November 1, 2019) or to the Platinum Support Contract and run the BPA, if it shows that you have adopted the seven key security capabilities at a rate that meets your industry’s average, Security Assurance is enabled automatically. If you need assistance to adopt these key capabilities at a rate that meets your industry average, contact your Palo Alto Networks sales representative for help in defining requirements, providing justification criteria, etc. If business reasons prevent you from adopting the key security capabilities at this level, please work with your Palo Alto Network sales representative on how to gain access to the benefits of Security Assurance.
The Seven Key Security Capabilities to Adopt
Adopt seven key security capabilities for Security Assurance: WildFire, Antivirus, Anti-Spyware, DNS Sinkhole, URL Filtering, Vulnerability Protection, and Logging.
We strongly recommend adopting the following seven key security capabilities for the following reasons:
- WildFire—Attach a WildFire security profile to security policy rules that allow traffic to protect your network from new, unknown threats. WildFire is a strong defense against advanced persistent threats (ATPs).
- Antivirus—Attach an Antivirus security profile to security policy rules that allow traffic to block known malicious files such as malware, ransomware, bots, and viruses.
- Anti-Spyware—Attach an Anti-Spyware security profile to security policy rules that allow traffic to detect command-and-control (C2) traffic initiated by malicious code running on a server or endpoint and to prevent compromised systems from establishing an outbound connection from your network.
- DNS Sinkhole—Configure the DNS Sinkhole portion of an Anti-Spyware security profile that is attached to security policy rules that allow traffic. DNS Sinkhole identifies potentially compromised hosts that attempt to access suspicious domains by tracking the hosts and preventing them from accessing those domains.
- URL Filtering—Attach a URL Filtering profile to security policy rules that allow traffic to prevent access to risky web content (sites that may contain malicious content). URL Filtering profiles and URL categories give you granular control over the types of websites to which you allow access.
- Vulnerability Protection—Attach a Vulnerability Protection security profile to security policy rules that allow traffic to prevent attackers from exploiting client-side and server-side vulnerabilities and delivering malicious payloads to your network and users, and to prevent attackers from using vulnerabilities to move laterally within your network.
- Logging—Enable logging on all traffic (allowed and denied) to provide a time-stamped audit trail for system events and network traffic events. Logs provide critical information for investigating incidents. Log Forwarding enables you to send logs from all your firewalls to Panorama or to external to aggregate the logs for analysis.
Adopting these key capabilities greatly improves your security posture, reduces your attack surface, increases your visibility into network traffic, prevents known and new attacks, and protects your the data, assets, applications, and services that are most valuable to your network.
Check Adoption of the Seven Key Security Capabilities
Check your adoption of key security capabilities to prepare for Security Assurance.
In the detailed BPA report (HTML format) you receive when you generate and download your BPA results, go to the Adoption Summary page to check your overall adoption of the six security profile (WildFire, Antivirus, Anti-Spyware, DNS Sinkhole, Vulnerability Protection, and URL Filtering) capabilities and your industry’s average adoption of those capabilities (logging is a separate check). The Adoption Summary page shows your security capability adoption compared to your industry and helps you identify gaps in adoption. For example, if your industry is High Technology:
The results show that the configuration meets the industry average adoption for four capabilities: WildFire, Antivirus, Anti-Spyware, and Vulnerability Protection profiles. The results also show that the configuration does not come up to the industry average adoption of two capabilities: DNS sinkhole and URL Filtering. This indicates the next course of action: configure DNS sinkhole in the Anti-Spyware profile and apply URL Filtering to internet traffic.
In the detailed HTML BPA report, go to the
Trendingpage to check your overall adoption of logging capabilities and your industry’s average adoption of logging.
This page shows not only your level of adoption compared to your industry, it also shows your level of adoption compared to the last time you ran the BPA. This is a measure of security improvement over time as well as a call to action if your results indicate that your security is not as tight as you want it to be.
If the profile and logging results show that your adoption of all seven capabilities meet your industry’s average, Security Assurance is automatically enabled. If you need assistance to adopt these key capabilities at a rate that meets your industry average, contact your Palo Alto Networks sales representative for help in defining requirements, providing justification criteria, etc. If business reasons prevent you from adopting the key security capabilities at this level, please work with your Palo Alto Network sales representative on how to gain access to the benefits of Security Assurance.
Improve Adoption of the Seven Key Security Capabilities
Improve adoption of key security capabilities to improve your security posture and prepare for Security Assurance.
Use the BPA in conjunction with Palo Alto Networks technical documentation to identify the security capabilities that need improvement and to make the needed improvements, especially in the seven key security capabilities. Improving your security posture helps to safeguard your users and your valuable devices, assets, applications, and services.
- Anti-Spyware and DNS Sinkhole—DNS Sinkhole configuration is on theDNS Signaturestab in the Anti-Spyware security profile. Transition Anti-Spyware Profiles Safely to Best Practices and then implement Anti-Spyware Best Practices (or slightly stricter Anti-Spyware Best Practices for the data center).
- Vulnerability Protection—Transition Vulnerability Protection Profiles Safely to Best Practices and then implement Vulnerability Protection Best Practices (or slightly stricter Vulnerability Protection Best Practices for the data center)).
- Logging—Security policy rules log at session end by default.
In addition, the BPA and the technical documentation show you how to improve many other security capabilities such App-ID, User-ID, File Blocking profiles, DoS and Zone Protection, and credential theft protection. Some key resources are:
- Getting Started with the BPA—Shows you how to use the BPA to review the adoption of security capabilities and identify gaps in adoption, evaluate your configuration including policies, objects, network, and device and Panorama configuration, and prioritize changes including strengthening your device management posture, improving visibility into traffic, and implementing initial best practice controls.
- Decryption Best Practices—Shows you how to increase you visibility by decrypting all of the traffic that your business model, privacy considerations, and regulations allow so that you can inspect the maximum amount of traffic and protect your network from encrypted threats.
- DoS and Zone Protection Best Practices—Shows you how to take a layered approach to protecting against denial-of-service (DoS) attacks that try to take down your network and to defending your network perimeter, zones, and individual devices.
- Best Practices for Applications and Threats Content Updates—Deploying content and applications updates in the best manner for your business requirements ensures that your network is protected against the latest threats and identifies the latest applications.
How to Engage Security Assurance
Capture relevant log data and then use Security Assurance to help with suspicious activity.
If you experience suspicious activity, when you engage Security Assurance, you must provide a specific set of data about the suspected incident so Palo Alto Networks’ experts can investigate the activity.
Data to Collect Before Engaging Security Assurance
Gather relevant log data before you engage Security Assurance to help with suspicious activity.
Palo Alto Networks’ experts need at a minimum the following information about the suspicious activity to begin diagnosing the potential issue. Please collect this data before you engage Security Assurance.
Basic details regarding the suspicious activity:
- The suspected attack vector and type: What evidence of suspicious activity alerted your administrative or response team?
- Date and time of the suspected initial attack, if known.
- The time at which you identified the potential issue.
- Incident details:
- Known IP addresses of impacted systems.
- The IP addresses of impacted hosts that are publicly available through NAT.
- Critical services that could make the system or systems a target, for example, databases, web services, remote access (RDP, Citrix, etc.) servers.
- Known or suspicious IP addresses that may be related to the attack.
- The User-IDs of compromised user accounts (if any).
- Topology diagram or overview: The location of the firewall in relation to the impacted hosts. (A complete network topology diagram is not required.)
- Malware and indicators-of-compromise:
- Tech Support Files:
- If you use Panorama to manage the firewalls, generate and upload the Panorama Tech Support file.
- Firewall logs: Export logs from the firewall and Panorama appliances from two hours before the suspicious activity. Before you export logs, verify that the CSV row setting is at is maximum value of 65535 rows (). If the value is lower, increase it to the maximum of 65535 rows. Export logs for each of the following basic log categories (if logs are enabled) based on IP address information and Timestamp details (you can filter logs to display log entries based on IP address and time):DeviceSetupManagementLogging and Reporting Settings
It’s important to understand your deployment’s log retention policy and log retention capacity to ensure that no relevant data is unexamined. Administrators may need to take additional actions such as exporting data from firewalls or other logging servers to assure continuity and completeness of data for the duration of the investigation.
More ways to identify meaningful data about suspicious activity:
Engaging Security Assurance
There are two ways to engage Security Assurance to help with suspicious activity.
After you collect data about the suspicious activity to ensure the timely analysis of the relevant information, you’re ready to engage Security Assistance. You can engage Security Assistance in two ways:
- Your sales engineer (SE) can open a support case on your behalf.
Recommended For You
Recommended videos not found.