MAGNIFIER
BEHAVIORAL ANALYTICS
Palo Alto Networks at a glance
Founded in 2005; first customer shipment in 2007
Around 50 customers in UK Higher Education
More than 42,500 customers in 150+ countries
FY17 $1.8B revenue,
28% YoY growth that significantly outpaced the industry
Over 85 of the Fortune 100 and 60% of the Global 2000 rely on us
Excellent global support, awarded by J.D. Power and TSIA
Experienced team of nearly 5,000 employees
PALO ALTO NETWORKS PLATFORM
NETWORK SECURITY ADVANCED ENDPOINT PROTECTION CLOUD SECURITY
WildFire, Threat Prevention, URL Filtering, AutoFocus, Logging Service, Magnifier, MineMeld
CLOUD-DELIVERED SECURITY SERVICES
SECURITY REFERENCE BLUEPRINT FOR HIGHER EDUCATION
Logging Service
NETWORK SECURITY LOGGING NEEDS
6 | © 2016, Palo Alto Networks. Confidential and Proprietary.
Insights into network,
apps, and user behavior
Scale logging
infrastructure with
changing business needs
E.g. Increasing retention
User
Behavior
Cloud
Apps
Network
Activity
Central repository for
NGFW & Cloud
Services logs
One-Place
INTRODUCING LOGGING SERVICE
• Designed to collect and store
large amounts of our high-value
log data
• Leverages powerful, elastic
cloud-based computing to provide
visibility and insights on large
amounts of data
• A centralized access point for the
data of innovative apps in the
Palo Alto Networks Application
Framework
1TB xTB
Logging Service
Branch
Mobile
GlobalProtect
Cloud Service
LOGGING SERVICE – CURRENT SOURCES
Headquarter Data Center
Log Collector
Branch
Cloud
Endpoint
LOGGING SERVICE BENEFITS
• Provides operational simplicity
• Reduces both work and guesswork from log management
• Improves business agility (new firewalls, acquisitions, new offices, etc.)
• Allows leveraging of the log data to enable innovative security capabilities
• Offers economic model of choice: pay for what you need, when you need it
A KEY COMPONENT OF THE APPLICATION FRAMEWORK
MAGNIFIER
Magnifier
SUCCESSFUL ATTACKS REQUIRE MULTIPLE STEPS
Disrupt every step to prevent successful cyberattacks
• Occurs in seconds to minutes
• Involves a small number of network actions
• Can often be identified by IoCs
• Occurs over days, weeks, or months
• Involves a large number of network actions
• Can rarely be identified by IoCs
Attack Lifecycle
Data
Exfiltration
Lateral
Movement
Malware
Installation
Vulnerability
Exploit
Command
and Control
DETECTION AND RESPONSE MUST BE DIFFERENT
• Attackers must perform thousands of actions to achieve their objective
• Each individual action may look innocent
By profiling behavior, organizations can detect the
behavioral changes that attackers cannot conceal
Connectivity
rate change
Vulnerability
Exploit
Malware
Installation
Command
and Control
Lateral
Movement
Data
Exfiltration
Repeated access
to an unusual site
Unusually
large upload
STEALTHY THREATS THAT LEAD TO DATA BREACHES
Targeted Attacks
[Chart: share of breaches by time to attack discovery; vertical axis 0% to 60%, horizontal axis Seconds, Minutes, Hours, Days, Weeks, Months, Years]
2017 Verizon Data Breach Investigations Report, 2017 Cost of Cybercrime Study, Ponemon Institute
• Multi-stage,
manual attacks
are the most
financially
devastating
Time to Attack Discovery
$3.62 million
average cost
of a breach
Risky Behavior
14%
data breaches
caused by human
error
• Risky behavior
increases risk
of malicious
attacks
Malicious Insiders
25%
of breaches
involve insiders
And it takes months
to discover attacks
Compromised Endpoints
51%
data breaches leverage
already compromised
machines
$2.4 million
Average cost
of malware
per company
TODAY’S DETECTION AND RESPONSE DOESN’T WORK
Static Rules
Manually-defined
correlation rules
• Hard to develop
and maintain
• False positives
Slow Investigations
Repetitive processes
Manual endpoint
forensics
• Days or weeks
to block threats
Wrong Data
Inconsistent logs;
mostly violations
Collecting right data
requires deploying
sensors and agents
Lack of Scale
Not built for big data
Cost-prohibitive to
log necessary data
Slow software
release cycles
Static Rules
Manually-defined
correlation rules
• Hard to develop
and maintain
• False positives
Slow Investigations
Repetitive processes
Manual endpoint
forensics
• Days or weeks
to block threats
Lack of Scale
Not built for big data
Cost-prohibitive to
log necessary data
Slow software
release cycles
Wrong Data
Inconsistent logs;
mostly violations
Collecting right data
requires deploying
sensors and agents
Rich Data
Comprehensive
network, endpoint
and cloud data
collected by existing
infrastructure
Cloud Scale
& Agility
Cloud elasticity
for data storage
Rapid innovation
Machine
Learning
Machine learning
to profile behavior
and automatically
detect attacks
Rapid Response
Small number of
actionable alerts
Threat intelligence
and endpoint analysis
Firewall remediation
WHAT IS NEEDED
MAGNIFIER BEHAVIORAL ANALYTICS
CLOUD-DELIVERED
SECURITY SERVICES
DATA FROM LOGS & TELEMETRY
NETWORK
MAGNIFIER
MACHINE LEARNING
ENDPOINT CLOUD
• Analyze rich network,
endpoint and cloud data
with machine learning
• Accelerate investigations
with endpoint analysis
• Gain scalability, agility and
ease of deployment as a
cloud-delivered app
Endpoint
Data Center
Campus Network Data Center
2 31
DETECT attacks based on
network, endpoint, and cloud data
HOW MAGNIFIER WORKS
Magnifier
Cloud Data
Center
Logging
Service
Pathfinder VM
Next-Generation
Firewall
Next-Generation
Firewall
Campus
Data Collection
Endpoint
Data Center
Magnifier
Cloud Data
Center
Logging
Service
Pathfinder VM
Next-Generation
Firewall
Campus
Endpoint Interrogation
Campus Network Data Center
2 3
INVESTIGATE attacks fast with
automated endpoint interrogation
1
DETECT attacks based on rich
network, endpoint, and cloud data
HOW MAGNIFIER WORKS
Next-Generation
Firewall
Endpoint
Data Center
Magnifier
Cloud Data
Center
Logging
Service
Pathfinder VM
Next-Generation
Firewall
Campus
Access Blocked
by Firewall
Campus Network Data Center
2 3
INVESTIGATE attacks fast with
automated endpoint interrogation
RESPOND by blocking devices
1
DETECT attacks based on rich
network, endpoint, and cloud data
HOW MAGNIFIER WORKS
Next-Generation
Firewall
HOW MAGNIFIER DETECTS INTERNAL RECONNAISSANCE
§ Profiles devices, their
types and their availability
§ Detects an unusual number
of failed connections to
nonexistent devices
• Compared to past behavior
• Compared to peer behavior
§ Shows other alerts for the
device, helping conclude
it’s a network scanner
By detecting behavioral anomalies rather than simply lots
of connections, Magnifier generates fewer false positives
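The slide names two baselines for a host's failed connections to nonexistent devices: the host's own past behavior and the behavior of its peers. The following Python is an added illustration of that idea, not Palo Alto Networks code and not a description of Magnifier's internals; every host name, address, device type and connection record in it is constructed sample data, and the thresholds (`min_failures`, `k`, `peer_ratio`) are assumptions chosen for the example.

```python
"""Toy behavioral detector for internal reconnaissance (added example).

A host is flagged only when its count of failed connections to nonexistent
devices in the current window is anomalous against BOTH its own history and
its peers of the same device type. A host that always probes dead addresses
(for instance a monitoring server) therefore does not alert on volume alone.
"""
from collections import defaultdict
from statistics import mean, median, pstdev


def build_sample_logs():
    """Constructed connection records: (window, host, device_type, dst, outcome).

    'no_host' marks a connection attempt to an address with no device behind
    it; 'ok' is a normal completed session. Hypothetical hosts and addresses.
    """
    logs = []
    for w in range(5):
        for host in ("ws-01", "ws-02", "ws-03", "ws-04"):
            # normal desktop traffic: a few sessions and one stale address
            for i in range(6):
                logs.append((w, host, "workstation", f"10.0.0.{20 + i}", "ok"))
            logs.append((w, host, "workstation", "10.0.0.99", "no_host"))
        for host in ("srv-01", "srv-02"):
            # monitoring servers routinely poll retired addresses
            for i in range(12):
                logs.append((w, host, "server", f"10.0.1.{100 + i}", "no_host"))
            for i in range(20):
                logs.append((w, host, "server", f"10.0.0.{20 + i}", "ok"))
    # window 4: ws-03 sweeps a subnet and hits 40 addresses with no device behind them
    for i in range(40):
        logs.append((4, "ws-03", "workstation", f"10.0.2.{i + 1}", "no_host"))
    return logs


def failed_counts(logs):
    """Return ({window: {host: failed_count}}, {host: device_type})."""
    counts = defaultdict(lambda: defaultdict(int))
    device_type = {}
    for window, host, kind, _dst, outcome in logs:
        device_type[host] = kind
        counts[window][host] += 0  # make sure quiet hosts appear with a zero
        if outcome == "no_host":
            counts[window][host] += 1
    return counts, device_type


def detect(logs, window, history_windows, min_failures=10, k=3.0, peer_ratio=5.0):
    """Flag hosts whose failed-connection count is anomalous vs. past and peers."""
    counts, device_type = failed_counts(logs)
    current = counts[window]
    alerts = []
    for host, n in current.items():
        if n < min_failures:  # ignore ordinary noise
            continue
        # (1) compare to the host's own past behavior
        past = [counts[w].get(host, 0) for w in history_windows]
        past_baseline = mean(past) if past else 0.0
        past_threshold = past_baseline + k * (pstdev(past) if past else 0.0)
        vs_past = n > past_threshold if past else True  # no history: lean on peers
        # (2) compare to peers of the same device type in the same window
        peers = [c for h, c in current.items() if h != host and device_type[h] == device_type[host]]
        peer_baseline = median(peers) if peers else 0
        vs_peers = n > peer_ratio * max(peer_baseline, 1)
        if vs_past and vs_peers:
            alerts.append({
                "host": host,
                "device_type": device_type[host],
                "window": window,
                "failed_connections": n,
                "past_baseline": past_baseline,
                "peer_baseline": peer_baseline,
                "reason": "failed connections to nonexistent devices exceed own history and peers",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(build_sample_logs(), window=4, history_windows=range(4)):
        print(alert)
```

In this data only `ws-03` is flagged in window 4 (41 failures against a baseline of 1 for itself and its workstation peers); the two servers, which fail 12 connections every window, stay quiet because their history explains the volume. A real analyst view would then attach the other alerts already raised for that host, as the slide describes, before concluding it is a scanner.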
MAGNIFIER WEB BASED ANALYST INTERFACE
MAGNIFIER WEB BASED ANALYST INTERFACE
HOW MAGNIFIER STOPS STEALTHY THREATS
Spambot Behavior,
Command and Control,
Malware Behavior
Large File Uploads,
Remote Desktop
Services
New Administrative
Behavior,
Exfiltration
Command and Control,
Internal Reconnaissance,
Remote Command
Execution
Automatic Detection Streamlined Investigation Rapid Response
Actionable alerts
with context of:
• User
• Endpoint
• Process
Firewall
remediation:
• Block attack
sources
• Block malicious
destinations
Targeted
Attacks
Malicious
Insiders
Risky
Behavior
Compromised
Endpoints
Application
HTTP
protocol
http://abc.com/p?i=2
Response code: 301
Response size: 20
application context
abc.com
domain
Network Host User Process
co_afd.exe
executable
gengel
user
DEV1
hostname
10.8.1.10
source IP
64.81.2.23
destination IP
TCP/80
destination port
Malware
WildFire analysis
00:1b:17:05:2c:10
MAC address
DETAILED CONTEXT TO SPEED UP INVESTIGATIONS
MAGNIFIER PREREQUISITES
• 1000+ users in the main corporate network
• NGFW in the datacenter, inline or in tap mode,
running PAN-OS 8.0.6+
• Panorama (required for Logging Service)
• Logging Service
Prevent costly breaches with:
• Behavioral analytics built expressly for our
rich network, cloud and endpoint data
• Machine learning at cloud scale
• Integrated threat analysis and rapid
network-level response
Reduce
Risk
IN SUMMARY
MAGNIFIER
MACHINE LEARNING
• Automate detection and accelerate
response to free up analysts to
focus on threats that matter
• Simplify deployment
• Avoid costly on-premise log storage
Streamline
Operations
https://www.paloaltonetworks.com/resources/videos/magnifier
Palo Alto Networks - Magnifier
