
Step 2: Map and Verify Transactions

Understand the transactions between users, applications, and infrastructure so that you know who should access which assets and how.
Map the transactions between users, applications, and data, so that you can verify and inspect those transactions. Map:
  • Which applications have access to which critical data.
  • Which users have access to those applications.
  • Which users and applications have access to which infrastructure.
Ensure that only the right applications have access to the right data and that only the right users have access to the right applications and assets. Understand who has business reasons to access each asset, in what manner, and at what time, so that you can create security policy that allows only authorized users to access specific assets using specific applications (principle of least privilege access). Inspect every transaction continuously—on initial access, on changes in device posture, on changes in user behavior, and on changes in application behavior.
There are many ways to map transactions. Some techniques for defining your attack surface also apply to mapping transactions.
  • Leverage existing flow diagrams (compliance and auditing often requires businesses to create flow diagrams) and enhance them as you learn about your network. Flow maps help you understand where to place segmentation gateways to control access and security.
  • Work with application, network, and enterprise architects, and with business representatives to understand the purpose of applications and the transaction flow the architects and business representatives envision.
  • Insert one or more next-generation firewalls transparently into your network in virtual wire (vwire) mode to gain visibility into traffic. Check Traffic logs to view and analyze traffic.
  • Use third-party tools from Palo Alto Networks’ integrated partners.
  • Use log information from Cortex Data Lake to gain visibility into and map transactions. Cortex Data Lake aggregates logs from the next-generation firewall, VM-Series firewalls, Prisma Access, and Cortex XDR.
  • For users, map user groups and individual users to the assets they need to access and understand what type of access they need. For example, some administrators may only need read-only access. Other administrators may need read-write access only to certain areas, for example, only to Decryption policy, profiles, and certificates on firewalls. As you map users and user groups to assets and levels of access, apply the principle of least privilege access so that no users can access resources that they don’t need for business purposes.
  • For applications, map the workflows, including the flow of application data, the computing objects required for each application, and who uses each application.
  • For data, find out who uses the data, where you collect, store, use and transfer the data, and how the data is stored, encrypted, archived, or destroyed after use.
  • For services, map the service workflows across the environment.
  • For infrastructure, find the location, who uses the infrastructure, how they use it, when they use it, and where it fits into workflows.
In addition to revealing who uses what applications where and when, mapping transactions provides granular visibility that aids with disaster recovery planning and compliance. It also gives you an opportunity to optimize workflows and examine who has legitimate business reasons to access each attack surface.
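The following added example (not code from Palo Alto Networks or this guide) shows the mapping step above carried out over firewall Traffic log exports: it builds the user-to-application and application-to-user views from allowed sessions and then checks them against the business-approved access map, surfacing allowed transactions that nobody has a business reason for. The log column layout, user-to-group assignments, and approved map are all constructed assumptions, not a real PAN-OS export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample Traffic log export (not real PAN-OS output). The column set is a
# simplified assumption: source user, application, destination zone, destination IP, action.
SAMPLE_TRAFFIC_LOG = """src_user,app,dst_zone,dst_ip,action
corp\\alice,ssl,dmz,10.1.1.10,allow
corp\\alice,web-browsing,dmz,10.1.1.10,allow
corp\\bob,ms-sql-db,db,10.2.2.20,allow
corp\\alice,ms-sql-db,db,10.2.2.20,allow
corp\\carol,ssh,mgmt,10.3.3.30,allow
corp\\bob,ssh,mgmt,10.3.3.30,deny
"""

# Constructed business-approved map (hypothetical): group -> {(application, destination zone)}.
GROUPS = {"corp\\alice": "web-team", "corp\\bob": "dba", "corp\\carol": "netops"}
APPROVED = {
    "web-team": {("ssl", "dmz"), ("web-browsing", "dmz")},
    "dba": {("ms-sql-db", "db")},
    "netops": {("ssh", "mgmt")},
}

def map_transactions(log_text):
    """Build user -> {(app, dst_zone)} from sessions the firewall actually allowed."""
    observed = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["action"] != "allow":
            continue  # a denied session never became a transaction
        observed[row["src_user"]].add((row["app"], row["dst_zone"]))
    return dict(observed)

def apps_to_users(observed):
    """Invert the map: (app, dst_zone) -> {users}, the 'which users reach which application' view."""
    inverted = defaultdict(set)
    for user, pairs in observed.items():
        for pair in pairs:
            inverted[pair].add(user)
    return dict(inverted)

def find_unapproved(observed, groups, approved):
    """Return (user, app, zone) triples for allowed transactions with no business justification."""
    findings = []
    for user, pairs in observed.items():
        allowed = approved.get(groups.get(user, ""), set())  # unknown group -> nothing approved
        for app, zone in sorted(pairs):
            if (app, zone) not in allowed:
                findings.append((user, app, zone))
    return findings

if __name__ == "__main__":
    seen = map_transactions(SAMPLE_TRAFFIC_LOG)
    for finding in find_unapproved(seen, GROUPS, APPROVED):
        print("review least-privilege policy for:", finding)
```

Each finding is a candidate for tightening the Security policy rule that allowed it, or for updating the approved map if the business confirms the access is legitimate.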
Verify transactions by inspecting them using security policy. To ensure that you have the latest protections, use Palo Alto Networks Cloud-Delivered Security Services (CDSS), which are updated in real time to stay ahead of attackers. In security policy, apply:
  • Enterprise DLP to inspect traffic for data theft and exfiltration.
  • DNS Security to block threats in DNS traffic and prevent connection to malicious DNS sites.
  • Advanced Threat Prevention (PAN-OS 10.2 and later) for antivirus, anti-spyware (command-and-control), and vulnerability protection and prevention (use standard threat prevention if you run PAN-OS 10.1 and earlier).
  • WildFire to identify and block both known and unknown malware.
  • SaaS Security to secure and inspect SaaS applications.
  • Advanced URL Filtering to enable safe web access and prevent credential phishing attacks.
  • IoT Security to secure unmanaged IoT endpoints.
In addition, configure File Blocking to block potentially dangerous file types.
To inspect transaction payloads, you must decrypt the traffic. Decrypt all the traffic that your business requirements, local regulations, compliance, and your firewall capacity allow. If lack of firewall capacity prevents you from decrypting all the traffic you want to decrypt, consider upgrading to a firewall with higher capacity.
When you understand your transactions, you’ll know how to segment the network and where to insert controls because you’ll understand who uses applications and infrastructure, how they use them, where they are located, and the interactions that enable each application.
