The Pandion Plug-in for Palo Alto Firewalls
The challenge: create a solution that allows Palo Alto firewall users to drill down into the details of a specific security event in a way that is fast, intuitive and easy to use. One example is the need to view the files a user has downloaded from a specific website.
Credocom is a Palo Alto Networks Diamond partner and a trusted provider of security solutions to IT organizations. Credocom has created a solution using the Pandion Network Recorder that allows its customers to drill down into the details of each security incident.
By leveraging the Palo Alto “log-link” integration concept, it was possible to create a one-click solution that would extract the relevant file from the detailed packet data captured and stored by the Pandion Network Recorder solution.
This saves valuable time and scarce security-professional resources, so more security events can be examined and analyzed, ultimately leading to more threats and breaches being detected. The solution also provides greater context and depth, leading to more accurate forensic analysis and faster detection and containment of breaches.
INDUSTRY PAIN POINTS
In cybersecurity, time is of the essence: the faster you can detect and contain a breach, the less damage and cost are incurred. But how do you determine whether a security incident is serious or harmless? You need evidence.
One of the key issues for security teams today is that the number of security incidents each day is far more than the analysts can handle. According to Ponemon Institute research, the average large enterprise security team sees about 2,500 security incidents per day but gets to investigate only about 4% of them. Being able to determine the severity of a case quickly is therefore paramount to prioritizing the right incidents for investigation, and for that you need to get to the hard facts quickly.
In a separate report, Ponemon Institute indicated that the average time to identify a malicious attack is 229 days and the corresponding time to contain an attack is 82 days. But, the average cost of identifying and containing an attack can be lowered by 29% if the attack can be identified within 100 days and contained within 30 days. This can be significant as the average cost of a data breach is now $4m.
Cybersecurity solutions such as Palo Alto Networks firewalls are on the front line of preventing malicious attacks. They are very sophisticated and produce detailed logs for many types of security incident. However, a log entry is a snapshot: it indicates that something happened, but may not contain all the detail needed to resolve the issue. On its own it is circumstantial evidence at best.
For example, a web security log can tell you that a user downloaded a named file from a specific website. The log alone, however, does not let you open the file and see its content, so it cannot quickly tell you whether the download is suspicious. For that you need to go one level deeper and look at the actual packet data of the session.
This is just one example of several similar use cases where there is a need to see the details of what happened before a determination can be made as to the seriousness of the event. And the clock is ticking.
Source: “The Cost of Malware Containment”, Ponemon Institute, January 2015
THE CHALLENGE OF QUICKLY COLLECTING THE DETAILED FACTS
Getting to the level of detail needed for a reliable judgement of how serious a security incident is can be a challenge. Packet traces are often started on demand, after an incident has already been noticed. Such a trace shows what is happening right now, not what happened at the time of the event. That may be sufficient for network troubleshooting, where a configuration issue leads to a persistent error, but in security forensics the evidence of the breach is no longer on the wire. What is required is a record of the packets that were exchanged at the time of the event.
Today, this means manually matching information from the various security systems against packet data held by a separate network monitoring system. That is harder than it sounds: the clocks of the two systems may not be synchronized, so a firewall log timestamp may not line up with the packet timestamps and the search window has to be widened to compensate; a first check in any such deployment is that the firewall and the recorder keep time from the same NTP source. Once the right packets are found, the TCP session still has to be reassembled before any file or other object can be extracted for further examination.
All of this is time-consuming and resource intensive, especially when we consider the number of security events that need to be examined, which can be overwhelming. Reducing the time it takes to extract the next level of detail related to a specific log event would improve the efficiency and effectiveness of security analysis leading to more threats detected and stopped in time.
CLIENT CHALLENGE AND THE VALUE
The challenge today for users is that it is difficult to access the level of detail required for full security analysis in a way that is simple, intuitive and easy-to-use. The needs of users are also very specific as no two organizations or networks are the same.
As a solution integrator and Palo Alto Networks Diamond partner, Credocom often bridges the gap between the specific security challenge a client wants to address and the capabilities of the installed security solutions. Upgrading to a higher-specification product or introducing a new security solution are valid options, but they often cost more than the client is willing to bear, and much of the functionality delivered is irrelevant to the challenge at hand and goes to waste.
Providing a value-added solution that addresses exactly the challenge at hand is what clients expect from solution integrators like Credocom. Ideally, this solution should be provided in a way that leverages installed systems and enables further additions to be made in the future as the client’s needs become more sophisticated.
For customers using Palo Alto firewalls, the Napatech Pandion is the perfect complementary solution. With the Napatech Pandion, you are no longer working with circumstantial evidence, but with hard facts.
The Palo Alto Networks firewall provides a range of log views of security incidents. These views can be extended with “log-links”: configurable links that open an external solution with values taken from the selected log entry, so that it can provide more detail on the event in question. Using this integration capability, a more integrated workflow for the security analyst could be delivered, enabling them to work faster and more efficiently.
As a Palo Alto Networks Diamond partner, Credocom had the expertise and knowledge to create such a log-link integration for the Napatech Pandion Network Recorder solution. This allows the user, with a single mouse click, to drill down for more detailed information based on the network packets captured to disk in real time by the Napatech Pandion.
The Napatech Pandion Network Recorder captures and writes all network data to disk at speeds from 10 Gbps to 40 Gbps without losing a single bit. The amount of storage can be extended to match retention time requirements in a scalable and flexible way. Multiple applications can access the Napatech Pandion through a REST API to retrieve data in PCAP file format from multiple Pandion instances at once. Common open-source tools, such as Wireshark, can then be used to analyze the data. An intuitive GUI interface is also available to allow direct user access to the Pandion.
As part of the solution, Credocom created multiple ways to retrieve the data from the Napatech Pandion. One log-link opened the Napatech Pandion GUI interface with prefilled search fields relevant to the log in question. Another log-link used the REST API interface to retrieve the PCAP file with the relevant parameters and make that available in the Palo Alto GUI.
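The log-link expansion described above, as an added example that is not Credocom's or Napatech's code: a hypothetical URL template is filled from the fields of a constructed URL-filtering log entry, and the search window is padded to absorb clock drift between firewall and recorder. The template, the field names, the UTC firewall clock and the 30-second skew allowance are assumptions; the Pandion REST API's real query parameters are not shown on this page.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

# Assumed: the firewall clock is set to UTC; PAN-OS log timestamps carry no zone suffix.
FW_TZ = timezone.utc
# Assumed allowance for residual clock drift between firewall and recorder (both should run NTP).
CLOCK_SKEW = timedelta(seconds=30)

# Constructed sample: the fields of a URL-filtering log entry (field names assumed).
SAMPLE_LOG = {
    "receive_time": "2017/03/15 10:22:31",
    "src": "10.1.20.15", "sport": "51234",
    "dst": "203.0.113.7", "dport": "80",
    "proto": "tcp",
    "url": "http://downloads.example/invoice.exe",   # hypothetical download
}

# Hypothetical log-link template; the recorder's real query parameters are not on the page.
TEMPLATE = "https://recorder.example/api/pcap?from={start}&to={end}&filter={filter}"

def capture_window(log, before=timedelta(seconds=120), skew=CLOCK_SKEW):
    """Epoch-second (start, end) bracketing the event.

    The log time is when the firewall wrote the entry, so the transfer itself
    happened shortly before; the window reaches back 'before' and is widened by
    'skew' on both ends so clock drift never pushes the packets outside the search."""
    t = datetime.strptime(log["receive_time"], "%Y/%m/%d %H:%M:%S").replace(tzinfo=FW_TZ)
    return int((t - before - skew).timestamp()), int((t + skew).timestamp())

def session_filter(log):
    """BPF expression matching both directions of the logged session."""
    return (f"{log['proto']} and host {log['src']} and host {log['dst']} "
            f"and port {log['sport']} and port {log['dport']}")

def expand_log_link(template, log):
    """Fill the template with log fields. Every value is URL-encoded: fields such
    as the URL are attacker-influenced and must never be spliced into a link raw."""
    start, end = capture_window(log)
    values = {**log, "start": start, "end": end, "filter": session_filter(log)}
    return template.format(**{k: quote(str(v), safe="") for k, v in values.items()})

if __name__ == "__main__":
    print(expand_log_link(TEMPLATE, SAMPLE_LOG))
```

The same expansion serves both log-link variants the page mentions: pointed at the recorder GUI it prefills the search form, pointed at the REST API it fetches the PCAP directly.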
In addition, Credocom went a step further and built a middleware solution that offers a quick and easy way to drill down and extract the files related to specific logs. There are many cases where a file needs to be examined but the log only provides its name. Rebuilding the file from the PCAP by hand is possible, but the middleware automates the process so the analyst can extract and inspect the file in question in moments. As with any object carved from traffic, the extracted file is potentially malicious: record its hash and examine it in a sandbox or analysis VM rather than opening it on the analyst's workstation.
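What such file-extraction middleware has to do, as an added example that is not the page's or Credocom's code: given the session fields of a log entry and the PCAP returned for it, reassemble the server-to-client TCP stream, carve the HTTP response body and hash it. The capture is constructed inline (with the two response segments deliberately recorded out of order and an unrelated session mixed in); the log field names and the download URL are assumptions.

```python
import hashlib
import socket
import struct

# Constructed sample: session fields as a URL-filtering log entry would carry them (names assumed).
SAMPLE_LOG = {"src": "10.1.20.15", "sport": 51234, "dst": "203.0.113.7", "dport": 80}
# Constructed sample payload standing in for the downloaded file (not a real executable).
SAMPLE_FILE = b"MZ" + bytes(range(64))

def tcp_frame(src, sport, dst, dport, seq, payload):
    """Ethernet/IPv4/TCP frame carrying payload (PSH+ACK); checksums left zero, not verified here."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip

def build_sample_pcap(drop_segment=False):
    """Constructed capture: the GET, the response in two segments recorded out of order, and noise."""
    hdr = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
           b"Content-Length: %d\r\n\r\n" % len(SAMPLE_FILE))
    first, second = hdr + SAMPLE_FILE[:20], SAMPLE_FILE[20:]
    frames = [
        tcp_frame("10.1.20.15", 51234, "203.0.113.7", 80, 1000,
                  b"GET /invoice.exe HTTP/1.1\r\nHost: downloads.example\r\n\r\n"),
        tcp_frame("203.0.113.7", 80, "10.1.20.15", 51234, 5000 + len(first), second),
        tcp_frame("10.1.20.99", 40000, "203.0.113.7", 80, 7, b"GET / HTTP/1.1\r\n\r\n"),  # other session
        tcp_frame("203.0.113.7", 80, "10.1.20.15", 51234, 5000, first),
    ]
    if drop_segment:  # simulate a lossy capture: the tail of the file is missing
        frames.pop(1)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # pcap header, LINKTYPE_ETHERNET
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1489573300 + i, 0, len(f), len(f)) + f
    return out

def iter_frames(pcap):
    """Yield link-layer frames from a classic little-endian pcap (not pcapng)."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", pcap[:24])
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian pcap with Ethernet frames")
    off = 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack("<IIII", pcap[off:off + 16])[2]
        yield pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen

def tcp_segment(frame):
    """(src, sport, dst, dport, seq, payload) for an IPv4/TCP frame, or None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl, total = (frame[14] & 0x0F) * 4, struct.unpack("!H", frame[16:18])[0]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    t = 14 + ihl
    sport, dport, seq = struct.unpack("!HHI", frame[t:t + 8])
    doff = (frame[t + 12] >> 4) * 4
    return src, sport, dst, dport, seq, frame[t + doff:14 + total]

def reassemble(pcap, src, sport, dst, dport):
    """Rebuild the src->dst byte stream; reordering and retransmits are tolerated, gaps are an error."""
    segs = {}
    for frame in iter_frames(pcap):
        s = tcp_segment(frame)
        if s and s[:4] == (src, sport, dst, dport) and s[5]:
            segs.setdefault(s[4], s[5])  # first copy of a retransmitted sequence number wins
    stream, expected = b"", None
    for seq in sorted(segs):
        expected = seq if expected is None else expected
        if seq > expected:
            raise ValueError("capture has a gap at seq %d; the file would be truncated" % expected)
        data = segs[seq][expected - seq:]  # drop bytes already reassembled (overlap)
        stream, expected = stream + data, expected + len(data)
    return stream

def carve_http_body(stream):
    """Split one HTTP response into (headers, body) and verify the body against Content-Length."""
    end = stream.find(b"\r\n\r\n")
    if end < 0:
        raise ValueError("no complete HTTP header in stream")
    lines = stream[:end].decode("latin-1").split("\r\n")[1:]  # skip the status line
    headers = {k.strip().lower(): v.strip() for k, v in (l.split(":", 1) for l in lines if ":" in l)}
    length = int(headers.get("content-length", "0"))
    body = stream[end + 4:end + 4 + length]
    if len(body) != length:
        raise ValueError("body truncated: have %d of %d bytes" % (len(body), length))
    return headers, body

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def extract_download(pcap, log):
    """Middleware entry point: log session -> server-to-client stream -> carved file and its hash."""
    stream = reassemble(pcap, log["dst"], log["dport"], log["src"], log["sport"])
    headers, body = carve_http_body(stream)
    return {"content_type": headers.get("content-type", ""), "size": len(body),
            "sha256": sha256_hex(body), "data": body}

if __name__ == "__main__":
    print(extract_download(build_sample_pcap(), SAMPLE_LOG)["sha256"])
```

Two design points matter in practice: the reassembler refuses to return a silently truncated file when the capture has a gap (a partial file would give a misleading hash and verdict), and the caller gets a hash alongside the bytes so the object can be checked against threat intelligence without being opened. Chunked transfer encoding, compression and TLS are out of scope for this sketch.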
With the Pandion integration via log-links in Palo Alto firewalls, the user can now quickly drill down and see the details of a specific event with just the touch of a button. In addition, extra functionality can be added, such as middleware that can extract PCAP files from the Pandion and extract the details relevant to the case at hand in a fast and easy way.
In this specific solution, the end-user applied this functionality to examine files downloaded by users and logged as web security events. By being able to quickly extract and view the files, the security administrator can quickly determine if this is suspicious or not. This saves time and scarce professional resources allowing more events to be inspected, vetted and, ultimately, more security threats and breaches to be detected.
When the average cost of one data breach is $4m and the current average number of incidents examined is only 4%, any improvement in the number of incidents examined is significant.
OTHER POSSIBLE CHALLENGES THAT CAN BE ADDRESSED
In this particular use case, a specific challenge of viewing downloaded files was targeted resulting in a highly valuable solution for the end-user. But, this is not the only challenge that can be addressed in this manner as there are a number of use cases where access to detailed data quickly provides major benefits.
For network security, in general, it is important to complement the information available from installed security appliances like the Palo Alto firewall with detailed historical network data. This allows threats that try to circumvent these solutions or which have never been seen before to be detected as network behavior will often change once these breaches take effect.
One concrete example of this is data exfiltration where sensitive data that is normally not shared with the outside world is now being sent out of the building. With the historical data available in the Pandion Network Recorder, it is possible to see exactly what was being sent, who sent it and when it was sent.
This kind of detail allows audit trails to be established, not just for security but also for a range of other needs, such as regulatory compliance. A range of new regulations is emerging that require IT organizations to have the capability in place to react quickly in the event of a breach. For example, the upcoming GDPR data privacy regulation stipulates that a personal data breach must be reported to the supervisory authority within 72 hours of the organization becoming aware of it, and that affected individuals must be informed without undue delay when the breach puts them at high risk. With the historical data available in the Pandion Network Recorder, it is possible to see exactly who was affected and exactly which data was exposed.
Knowing exactly what happened and having the hard evidence and facts that can be presented on demand is useful in a number of normal business practices. Conflicts over invoicing or meeting Service Level Agreements (SLAs), which can be detrimental to business relationships, can be quickly resolved. Ensuring that employees are adhering to company policies on Internet behavior and data usage is another challenge for which the Pandion Network Recorder provides indisputable evidence.
The availability of historical network data thus provides the fundamental hard facts that enable IT organizations to continue their daily business with as little disruption, conflict or uncertainty as possible.
SOLUTIONS/COMPANIES IN BRIEF
CREDOCOM SECURITY SOLUTIONS
Network, datacenter and security are the key focus of Credocom, and as a Palo Alto Networks Diamond Partner many different security challenges are addressed every day. One key component for threat analysis and forensic activities is the availability of rich and relevant data.
High-performance Next-Generation Firewalls handle large amounts of traffic and generate metadata in the form of logs. Logs, however, are a heavy summary of what actually happened on the wire, and reaching a precise verdict requires the ability to look back at the traffic itself. Traditional SIEMs and similar external systems cannot provide this packet-level look-back, since they ingest the same logs rather than the packets.
The combination of Palo Alto Networks firewalls and the Pandion Network Recorder creates an optimal solution when next generation security, high performance and 100% data integrity and availability are needed. With that combination, Credocom can deliver what demanding security focused customers need.
NAPATECH PANDION NETWORK RECORDER
In a time of data overload, relevance is everything. The Pandion network recorder enables you to seize all traffic in real time and retrieve only the relevant data on demand. Pandion is based on Napatech FPGA SmartNICs available in a range of Ethernet interface options, with configurable storage and Pandion software. Pandion builds on more than a decade of industry-proven Napatech FPGA technology and delivers 100% capture and write to disk for leading security analytics and compliance applications.