This document discusses disrupting the attack chain through a modern architecture approach. It outlines how legacy security practices are problematic and how a purpose-built platform from Palo Alto Networks integrates network, endpoint, and intelligence solutions to provide prevention at every stage of the attack chain. The document also provides examples of automation using Splunk, including suspicious URL submission to the WildFire cloud service and automated compromised host isolation through integration with Palo Alto Networks firewalls.
1. Disrupting the Attack Chain
Splunk and Palo Alto Networks
Tim Treat
ttreat@paloaltonetworks.com
2. Agenda
Disrupting the Attack Chain
▪ Modern Architecture to Solve Systemic Legacy Problems
▪ Prevention at Every Stage of the Attack Chain
▪ Three Phased Transformation
▪ Attack Chain Gap Analysis
▪ Automation Examples
  ▪ Suspicious URL Submission
  ▪ Compromised Host Isolation
3. Modern Architecture to Solve Systemic Legacy Problems
Legacy Problems
1. Legacy port-based security practices
2. Proliferation of known “advanced” tactics to average attackers
3. Limited visibility and control of all applications, users, network traffic
4. Limited threat vector coverage
5. Complex non-integrated systems and manual burden for professionals
Modern Architecture from Palo Alto Networks
1. Decode/fully inspect all traffic regardless of port, including SSL
2. Eliminate average attackers’ success with known “advanced” tactics
3. Full visibility and control of all applications, users and network traffic
4. Full threat vector coverage everywhere
5. Fully automated and integrated network, intelligence and endpoint protection
Know, control and defend the enterprise at all times
4. Modern Enterprise Protection (Zero-Day, Unknown Threat and Known Threat Prevention)
[Figure: attack chain stages (Delivery; Exploitation and/or Install; Command and Control; Privileged Operations and Resource Access; Exfiltration) mapped to the controls applied at each stage: IPS, URL Filtering, Anti-Malware, Sandboxing, SSL Decryption, Unknown App Blocking, Geo-Blocking, Sinkhole, Segmentation, Zero Trust, App/User Control, Content Control, Exploit Prevention, Anti-Virus. Products shown: Traps, PA-5060, PA-7050. Outcomes: Full Threat Vector Coverage, Higher % Success Rate, Reduced Risk, Reduced Attack Surface]
5. Purpose-Built Platform (Fully Integrated System of Systems)
[Figure: the same attack chain stages and per-stage controls as slide 4, presented as one integrated platform of Traps, PA-5060 and PA-7050]
9. Palo Alto Networks and Splunk “Google” Fast Correlation
[Figure: Splunk architecture. Inputs: real-time machine data from sensors, telematics, storage, servers, security devices, desktops, CDRs, GPS, RFID, hypervisors, web servers, email, messaging, clickstreams, mobile, telephony, IVR, databases; Splunk storage plus other big data stores. Outputs: report and analyze, custom dashboards, monitor and alert, ad hoc search, developer platform. Distributed correlation throughout the architecture]
10. Splunk App for Palo Alto Networks
• Includes: Technology add-on, dashboards, form boxes, custom commands
• Use cases: Reporting, trending, incident investigations, interaction
11. Getting the App
• Free download from Splunk.com > Community > Apps
http://apps.splunk.com/app/491
• Available on GitHub for cloning and forking
https://github.com/PaloAltoNetworks-BD/SplunkforPaloAltoNetworks
12. Getting Data into the App
• Add Splunk server IP as syslog receiver in PAN
• Add an inputs.conf stanza in Splunk
• E.g. if you configured the PAN to send to UDP 514, edit $SPLUNK_HOME/etc/apps/SplunkforPaloAltoNetworks/local/inputs.conf:
[udp://514]
index = pan_logs
connection_host = ip
sourcetype = pan_log
no_appending_timestamp = true
17. Automated Suspicious URL Submission to Protect Everyone!
• `pan_url` category=malware-sites
• This search will submit all URLs accessed by the internal host at 10.5.4.2:
  – `pan_url` src_ip=10.5.4.2 | wildfire_submit_url
• This search will submit all URLs at the FQDN www.suspicious-website.com that were accessed by anyone:
  – `pan_url` dst_hostname=www.suspicious-website.com | wildfire_submit_url
• Once the verdict is returned, additional automated remediation can occur
  – Host Quarantine, URL or Host Blocked
19. Drill Down Shows Potential Malware
Suspicious URL identified; Splunk submits it to WildFire for further analysis
20. Automated response based on real time analytics
• `pan_wildfire` category=malicious
• src_loc=external
• stats dc(dst_ip) by dst_ip
• panblock action="add" group="enterprise_remediation" device="PAN"
  – RUN ON LIVE TRAFFIC
22. Pull out offending IP address from log.
panblock sends the offending IP address to the firewall(s) for policy handling.
The external IP address will be blocked across the entire organization internationally.
The internal IP address of the compromised host will be placed into “remediation”.
Successful submission to firewall
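The two pipelines above (slide 17's URL selection for wildfire_submit_url, and slides 20-22's selection of external malicious IPs and the internal hosts they touched for panblock) reduced to plain Python, as an added example that is not part of the deck or the Splunk app. The key=value log shape, the field names and the group names "malicious_ip" and "enterprise_remediation" are constructed assumptions, not the real PAN-OS syslog format; the block produces what would be handed to WildFire or the firewall and does not talk to either.

```python
import re
from collections import defaultdict

# Constructed sample events in a simple key=value shape (not the real
# PAN-OS syslog format); field names follow the searches on the slides.
SAMPLE_LOGS = """\
type=url src_ip=10.5.4.2 src_loc=internal dst_ip=203.0.113.9 dst_hostname=www.suspicious-website.com url=http://www.suspicious-website.com/dl category=malware-sites
type=url src_ip=10.5.4.7 src_loc=internal dst_ip=198.51.100.4 dst_hostname=www.example.org url=http://www.example.org/ category=business
type=url src_ip=10.5.4.2 src_loc=internal dst_ip=198.51.100.4 dst_hostname=www.example.org url=http://www.example.org/news category=business
type=wildfire src_ip=10.5.4.2 src_loc=internal dst_ip=203.0.113.9 category=malicious
type=wildfire src_ip=203.0.113.9 src_loc=external dst_ip=10.5.4.2 category=malicious
type=wildfire src_ip=198.51.100.4 src_loc=external dst_ip=10.5.4.7 category=benign
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse(text):
    """Turn each 'k=v k=v ...' line into a dict, like Splunk field extraction."""
    return [dict(FIELD_RE.findall(ln)) for ln in text.splitlines() if ln.strip()]

def urls_to_submit(events, src_ip=None, dst_hostname=None):
    """Slide 17: `pan_url` src_ip=... (or dst_hostname=...) | wildfire_submit_url.
    Returns the distinct URLs, in first-seen order, that would go to WildFire."""
    urls = []
    for e in events:
        if e.get("type") != "url":
            continue
        if src_ip and e.get("src_ip") != src_ip:
            continue
        if dst_hostname and e.get("dst_hostname") != dst_hostname:
            continue
        if e["url"] not in urls:
            urls.append(e["url"])
    return urls

def hosts_for_panblock(events):
    """Slides 20-22: `pan_wildfire` category=malicious src_loc=external | ... | panblock.
    The external source IP goes to the deny group; the internal host it
    reached goes to the remediation group (group names are assumptions)."""
    groups = defaultdict(set)
    for e in events:
        if e.get("type") != "wildfire" or e.get("category") != "malicious":
            continue
        if e.get("src_loc") != "external":
            continue
        groups["malicious_ip"].add(e["src_ip"])
        groups["enterprise_remediation"].add(e["dst_ip"])
    return {name: sorted(ips) for name, ips in groups.items()}
```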
23. Rule to DENY malicious IPs
This rule DENIES traffic to and from any “malicious IP”
24. Palo Alto Networks Remediation Rules
• This rule ALLOWS hosts requiring remediation to the “remediation network”
• This rule DENIES hosts anywhere else.
This prevents lateral infection, and allows engineering to collect forensic details from the host remotely.