Palo Alto Networks (PAN) recently released PAN-OS 9.0, the software behind their next-generation firewalls. PAN-OS 9.0 helps simplify operations with analytics and automation, giving you visibility and control across the data center, perimeter, branch, mobile and cloud networks.
They tout over 60 new capabilities to help prevent cyberattacks, from firewall performance upgrades for enhanced computing power and dedicated memory to DNS Security services that use predictive analytics to disrupt DNS traffic threats.
To support and secure remote workers today, PAN-OS 9.0 also now allows for user location visibility on GlobalProtect gateways and portals. That means you can identify the source regions where end users are connected to GlobalProtect, Palo Alto’s virtual private network (VPN) that allows for secure connections to the network.
It also includes features to help you distribute reports received from GlobalProtect sent to other gateways, firewalls, dedicated log collectors and Panorama appliances to simplify policy enforcement and management. See a full list of GlobalProtect features.
Sending Firewall Logs to Blumira for Threat Analysis
Blumira’s vendor-agnostic security platform integrates with a wide variety of firewall, endpoint protection, identity, cloud infrastructure and many other solutions to collect and centralize logs.
That includes integrating with Palo Alto Next-Generation Firewalls to help you glean insights from their firewall logs – by ingesting them into Blumira’s platform, you can start detecting and responding to threats earlier in the attack chain. We parse your firewall logs for you into useful information, reducing the amount of alert noise and false-positives to only the most important detections.
Here’s a few examples of detections that Blumira can alert you to, once integrated with your firewall:
Reconnaissance (or discovery) is a term to describe when an attacker is attempting to figure out your environment, gaining knowledge about your system and internal network before they take action (MITRE).
In this example, Blumira detected external attackers scanning to determine which hosts within the DMZ are vulnerable to server-side exploitation methods. An external scan is performed from outside of your network and aimed at identifying known weaknesses in your network’s public-facing infrastructure. An internal scan is performed from a system behind your perimeter firewall searching for vulnerabilities on internal hosts that could be exploited (SecurityMetrics).
We correlated a sequence/series of IPS events (a set of signatures an intrusion prevention system uses to detect malicious network behavior) aided by the many threat intelligence feeds we use to determine that they are, in fact, listed as bad actors.
This activity is notable because it’s based on the combination of both targeted enumeration (when an attacker establishes an active connection to a target host to discover attack vectors in the system) and the source originating from a known attacker infrastructure.
Blumira’s platform gives admins an easy way to see all of the associated information, one-click remediation, plus easy configuration options for automated mitigation of future attacks – all integrated with your firewall.
Stacked Matched Evidence
Under the detection analysis, we provide matched evidence stacked below for ease of investigation and analysis – this lists out a brief summary of the finding, the source countries the scanning is originating from, the destination IP/ports, source IPs and the specific threat feeds that correlate with our findings.
Within the same Findings dashboard, you can respond to this threat with one click. Our pre-built playbooks come with security recommendations from our team of security experts to help your team understand how to take action, once alerted to a priority finding. Below, you can choose to immediately block the “bad guy” IPs for the next seven days.
Automated Response via Firewall Block Lists
Or, instead of manually blocking these IPs every time they’re detected, you can choose to block the IPs at the firewall permanently. Blumira integrates with Palo Alto’s External Dynamic Lists (formerly called Dynamic Blocklists), giving admins an automated way to reduce your attack surface.
Below is an example of where you can configure your blocklist options, add a block rule via IP address, and then check “Automated” in order to automatically block these IPs or domains.
You can also choose to opt into the Blumira blocking community, which means your organization accepts blocked IPs and domains from other organizations that have opted in. This type of shared community-based detection helps you respond early and further reduce your overall attack surface without much manual intervention on the part of your administrators or responders.
In addition to this reconnaissance (or discovery) example, Blumira can help you detect other indicators of a compromise, such as data exfiltration. The platform can also alert you to common misconfigurations, like allowing connections from public IP addresses, so you can reconfigure to reduce your overall attack surface.
See our video walkthrough of Blumira’s integration with Palo Alto Next-Gen Firewall to learn more: