Device Security Solution Structure

The Device Security solution involves multiple components working together to discover, classify, and secure IoT devices on your network.
Where Can I Use This?
  • NGFW (Managed by PAN-OS or Panorama)
  • Prisma Access (Managed by Panorama)
  • (Legacy) IoT Security (Standalone portal)
What Do I Need?
  • Device Security subscription for an advanced Device Security product (Enterprise, OT, or Medical)
Using AI and machine learning, Device Security automatically discovers and identifies all network-connected devices and constructs a data-rich, dynamically updating inventory. In addition to identifying IoT devices and IT devices (laptops and servers for example), Device Security provides deep visibility into network behaviors, establishing what’s normal and discerning what’s suspicious. When it detects a device vulnerability or anomalous behavior posing a threat, Device Security notifies administrators, who can then take action to investigate and remediate the issue.
To accomplish all this, the cloud-based Device Security app works with Palo Alto Networks next-generation firewalls, logging service, and update server, and optionally with Panorama and integrated third-party products. These elements of the Device Security solution collaborate to carry out the following tasks:
  • Firewalls with Device Security subscriptions collect information about network traffic and forward their logs to the logging service, which streams metadata to Device Security for analysis.
  • The update server provides firewalls and Panorama with a regularly updated device dictionary file of device attributes (profile, vendor, category, and so on) that Security policy rules use for device identification, or Device-ID.
  • Device Security recommends Security policy rules based on Device-ID to firewalls. When Panorama provides centralized firewall management, Device Security works through it to recommend Security policy rules to managed firewalls. When Panorama is not in use, Device Security interacts directly with firewalls.
  • Device Security maps IP addresses to devices and notifies firewalls of their corresponding device attributes so they can enforce Device-ID-based Security policy rules that reference attributes in IP address-to-device mappings.
With a third-party integrations add-on license for your Device Security account, you can expand Device Security with product-specific features and extend the integrated products' own features to cover IoT devices.
Learn about the major components that constitute the Device Security solution:

1 - Device Data Collection

For Device Security to identify IoT devices and establish a baseline of their acceptable network behaviors, it needs to analyze their network activity. That’s where next-generation firewalls come in. They log network traffic to which they apply Security policy rules and then forward logs to the logging service where Device Security accesses them. Depending on whether your Device Security subscription includes data storage, the logging service either streams metadata to your Device Security account and Strata Logging Service instance or just to your Device Security account.

2 - Data Analysis

Device Security uses AI and machine-learning algorithms to analyze numerous aspects of the network behavior of a device and classify it within three levels or tiers. At the broadest tier, Device Security identifies behavioral similarities that enable its algorithms to assign a device to a device category, such as security camera, even if it doesn’t yet know the exact vendor and model. At the next tier, Device Security gathers more granular behavioral attributes shared by certain vendors and models of security cameras to assign it a device profile. At the third tier, the algorithms create a model of unique behaviors for this individual security camera, such as its usage pattern.
In addition to device identification, Device Security applies proprietary and supplemental machine-learning technologies to threat detection. It automatically detects device vulnerabilities and notifies Device Security administrators. It also detects anomalous network behavior indicative of attack or reconnaissance and generates security alerts.

3 - IoT Device Protection

Device Security coordinates with next-generation firewalls to recommend Security policy rules for IoT device traffic. After identifying devices and establishing a baseline of acceptable network behavior, Device Security automatically generates recommended Security policy rules for device profiles based on the network behavior it observes. Panorama or firewall administrators then import the recommendations to Panorama or directly to firewalls where they decide which ones to add to their policy set.
Firewalls and Panorama must have a list of device profiles or other device attributes for Device-ID-based Security policy rules. This list is provided as a device dictionary file from the update server, which firewalls and Panorama check regularly for updates to download.
So that firewalls apply imported Device-ID-based rules appropriately, Device Security continually sends the firewall IP address-to-device mappings, which include the profile and other attributes of all devices monitored and protected by Device Security.
Device Security also integrates with Prisma Access to identify and secure devices.
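A constructed model of the Device-ID enforcement path described in the data-collection bullets above and in this section (an added example, not Palo Alto Networks code): the firewall resolves a flow's source IP through the IP address-to-device mappings it receives from Device Security, looks up that profile's attributes in the device dictionary, and applies the first Security policy rule whose device criteria fit. The dictionary entries, mappings, rule names, the one-hour mapping staleness limit and the final implicit deny are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
# Constructed model (not PAN-OS code) of what a firewall combines for Device-ID
# enforcement: the device dictionary from the update server, IP address-to-device
# mappings pushed by Device Security, and rules that reference device attributes.
DEVICE_DICTIONARY = {  # profile -> static attributes (constructed sample)
    "Axis Camera": {"category": "Security Camera", "vendor": "Axis"},
}
MAPPING_TTL = timedelta(hours=1)  # assumption: older mappings are treated as unknown

@dataclass
class Mapping:  # one IP address-to-device mapping entry
    profile: str
    learned_at: datetime

@dataclass
class Rule:  # a Device-ID-based Security policy rule
    name: str
    action: str                                      # "allow" or "deny"
    match: dict = field(default_factory=dict)        # attribute -> required value
    dest_app: str = None                             # None matches any application

def device_attributes(src_ip, mappings, now):
    """Resolve an IP to dictionary attributes; None if unmapped or stale."""
    m = mappings.get(src_ip)
    if m is None or now - m.learned_at > MAPPING_TTL:
        return None
    return {**DEVICE_DICTIONARY.get(m.profile, {}), "profile": m.profile}

def evaluate(src_ip, app, rules, mappings, now):
    """First-match evaluation; a rule with device criteria needs a live mapping."""
    attrs = device_attributes(src_ip, mappings, now)
    for rule in rules:
        if rule.dest_app not in (None, app):
            continue
        if rule.match and (attrs is None or
                           any(attrs.get(k) != v for k, v in rule.match.items())):
            continue
        return rule.name, rule.action
    return "default", "deny"  # assumption: implicit final deny

NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_MAPPINGS = {  # constructed: one fresh mapping and one that has gone stale
    "10.0.1.20": Mapping("Axis Camera", NOW - timedelta(minutes=5)),
    "10.0.1.30": Mapping("Axis Camera", NOW - timedelta(hours=3)),
}
SAMPLE_RULES = [  # constructed: the shape of rules Device Security recommends
    Rule("cameras-to-nvr", "allow", {"category": "Security Camera"}, "rtsp"),
    Rule("cameras-deny-rest", "deny", {"category": "Security Camera"}),
    Rule("general-web", "allow", {}, "web-browsing"),
]
```

The stale mapping for 10.0.1.30 shows why Device Security must keep sending mappings: once a mapping ages out, the camera no longer matches any rule with device criteria and falls through to rules written for unidentified hosts.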

4 - Third-party Integrations

In addition to protecting IoT devices by coordinating with next-generation firewalls, Device Security also integrates with third-party products to do the following:
  • Increase device inventory and enrich device context—sometimes for Device Security and sometimes for the integrated third-party product
  • Broaden the coverage of specific features in integrated products to include IoT
  • Expand the capabilities of Device Security; for example, through integrations that allow you to do vulnerability scanning, quarantine devices with critical vulnerabilities or security alerts, and apply access control lists (ACLs) to IoT devices
Device Security integrates with other products through a third-party integrations add-on, which is based on a Cortex XSOAR module.

5 - Using Prisma Access instead of Next-generation Firewalls

When using Device Security with Prisma Access, the process for collecting device data is similar to the previous description of data collection except that you substitute Prisma Access for firewalls. In addition, Device Security can coordinate with Prisma SD-WAN ION devices to collect data at branch sites. When Prisma Access and SD-WAN forward data logs to the logging service, Strata Logging Service must be used.
Device Security sends Security policy rule recommendations through Panorama to Prisma Access. It sends IP address-to-device mappings to Prisma Access directly. Likewise, the update server sends device dictionary updates directly to Prisma Access as well as to Panorama.