Security Assurance

Security Assurance provides help from Palo Alto Networks experts for initial investigation of incidents.
If you detect suspicious activity in your network, Security Assurance provides extra help from Palo Alto Networks when you need it the most. Security Assurance provides:
  • Access to Palo Alto Networks security experts and their specialized threat intelligence tools and threat hunting practices.
  • Advanced log and indicators of compromise (IOC) analysis.
  • Configuration assessment that includes customized product security recommendations.
  • Next step recommendations to expedite the transition to your incident response (IR) vendor to help manage and resolve the incident.
To take advantage of Security Assurance, you must subscribe to the Platinum Support Contract.
The first step toward Security Assurance is to run the on-demand BPA or check the Best Practices Dashboards in Strata Cloud Manager to measure your adoption of seven key security capabilities: WildFire, Antivirus, Anti-Spyware, DNS Sinkhole, URL Filtering, Vulnerability Protection, and Logging. We recommend that you ensure your adoption rate for those security capabilities is at least equal to your industry’s average adoption rate.
Adopting higher levels of key security capabilities provides better protection for your network and helps avoid incidents. The Best Practices Dashboards and BPA also measure the adoption level of many other security capabilities, such as App-ID and User-ID, zone configuration, and other security profiles such as File Blocking and DoS Protection profiles.
Check the Best Practices Dashboards regularly and run the BPA at regular intervals (for example, monthly or quarterly) to measure the adoption of key security capabilities, understand the state of your network security, and prioritize security improvements.
When you subscribe to the Platinum Support Contract and the BPA shows your adoption level for the seven key security capabilities at a rate that meets your industry’s average, Security Assurance is enabled automatically. If you need assistance to adopt these key capabilities at a rate that meets your industry average, contact your Palo Alto Networks sales representative for help in defining requirements, providing justification criteria, etc. If business reasons prevent you from adopting the key security capabilities at this level, please work with your Palo Alto Networks sales representative on how to gain access to the benefits of Security Assurance.

The Seven Key Security Capabilities to Adopt

Adopt seven key security capabilities for Security Assurance: WildFire, Antivirus, Anti-Spyware, DNS Sinkhole, URL Filtering, Vulnerability Protection, and Logging.
We strongly recommend adopting the following seven key security capabilities for the following reasons:
  • WildFire—Attach a WildFire security profile to security policy rules that allow traffic, to protect your network from new, unknown threats. WildFire is a strong defense against advanced persistent threats (APTs).
  • Antivirus—Attach an Antivirus security profile to security policy rules that allow traffic, to block known malicious files such as malware, ransomware, bots, and viruses.
  • Anti-Spyware—Attach an Anti-Spyware security profile to security policy rules that allow traffic, to detect command-and-control (C2) traffic initiated by malicious code running on a server or endpoint and to prevent compromised systems from establishing an outbound connection from your network.
  • DNS Sinkhole—Configure the DNS Sinkhole portion of an Anti-Spyware security profile that is attached to security policy rules that allow traffic. DNS Sinkhole identifies potentially compromised hosts that attempt to access suspicious domains by tracking the hosts and preventing them from accessing those domains.
  • URL Filtering—Attach a URL Filtering profile to security policy rules that allow traffic, to prevent access to risky web content (sites that may contain malicious content). URL Filtering profiles and URL categories give you granular control over the types of websites to which you allow access.
  • Vulnerability Protection—Attach a Vulnerability Protection security profile to security policy rules that allow traffic, to prevent attackers from exploiting client-side and server-side vulnerabilities and delivering malicious payloads to your network and users, and to prevent attackers from using vulnerabilities to move laterally within your network.
  • Logging—Enable logging on all traffic (allowed and denied) to provide a time-stamped audit trail for system events and network traffic events. Logs provide critical information for investigating incidents. Log Forwarding enables you to send logs from all your firewalls to Panorama or to external logging servers to aggregate the logs for analysis.
Adopting these key capabilities greatly improves your security posture, reduces your attack surface, increases your visibility into network traffic, prevents known and new attacks, and protects the data, assets, applications, and services that are most valuable to your network.
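As an added example (not Palo Alto Networks code or the BPA itself), the script below checks a security rulebase for the seven key capabilities the list above describes: each allow rule is checked for attached Antivirus, Anti-Spyware, Vulnerability Protection, URL Filtering and WildFire profiles, for an Anti-Spyware profile whose DNS signature action is sinkhole, and for end-of-session logging; deny rules are checked for logging only. The XML is a constructed sample in the shape of a PAN-OS configuration export, and the element names (`profile-setting/profiles/virus`, `wildfire-analysis`, `botnet-domains`, `log-end`) are assumptions about that format; profile groups are not resolved.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a PAN-OS config export (assumption, not a real export).
SAMPLE_CONFIG = """<config><devices><entry name="fw"><vsys><entry name="vsys1"><profiles><spyware>
 <entry name="strict-as"><botnet-domains><lists><entry name="pan-dns"><action><sinkhole/></action></entry></lists></botnet-domains></entry>
 <entry name="basic-as"/></spyware></profiles><rulebase><security><rules>
 <entry name="web-out"><action>allow</action><log-end>yes</log-end><profile-setting><profiles>
  <virus><member>default</member></virus><spyware><member>strict-as</member></spyware>
  <vulnerability><member>strict</member></vulnerability><url-filtering><member>default</member></url-filtering>
  <wildfire-analysis><member>default</member></wildfire-analysis></profiles></profile-setting></entry>
 <entry name="legacy-app"><action>allow</action><log-end>no</log-end><profile-setting><profiles>
  <virus><member>default</member></virus><spyware><member>basic-as</member></spyware></profiles></profile-setting></entry>
 <entry name="deny-all"><action>deny</action><log-end>yes</log-end></entry>
</rules></security></rulebase></entry></vsys></entry></devices></config>"""

# Capability -> profile element under profile-setting/profiles (profile groups are not resolved here).
PROFILE_FOR = {"WildFire": "wildfire-analysis", "Antivirus": "virus", "Anti-Spyware": "spyware",
               "URL Filtering": "url-filtering", "Vulnerability Protection": "vulnerability"}

def sinkhole_profiles(vsys):
    """Names of Anti-Spyware profiles whose DNS signature action is sinkhole."""
    return {p.get("name") for p in vsys.findall("profiles/spyware/entry")
            if p.find(".//sinkhole") is not None}

def rule_gaps(rule, sinkholing):
    """Key capabilities a rule is missing; deny rules only need logging. Empty set = adopted."""
    missing = set()
    if rule.findtext("log-end") != "yes":  # the text asks for logging on allowed and denied traffic
        missing.add("Logging")
    if rule.findtext("action") != "allow":
        return missing
    profs = rule.find("profile-setting/profiles")
    for cap, node in PROFILE_FOR.items():
        if profs is None or profs.find(node + "/member") is None:
            missing.add(cap)
    as_name = profs.findtext("spyware/member") if profs is not None else None
    if as_name not in sinkholing:  # DNS Sinkhole is configured inside the Anti-Spyware profile
        missing.add("DNS Sinkhole")
    return missing

def assess(config_xml):
    """Map each security rule name to the set of key capabilities it is missing."""
    vsys = ET.fromstring(config_xml).find("devices/entry/vsys/entry")
    sinkholing = sinkhole_profiles(vsys)
    return {r.get("name"): rule_gaps(r, sinkholing)
            for r in vsys.findall("rulebase/security/rules/entry")}
```

Running `assess(SAMPLE_CONFIG)` reports `legacy-app` as missing WildFire, URL Filtering, Vulnerability Protection, DNS Sinkhole and Logging, while `web-out` and `deny-all` have no gaps.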

Improve Adoption of the Seven Key Security Capabilities

Improve adoption of key security capabilities to improve your security posture and prepare for Security Assurance.
Use the BPA in conjunction with Palo Alto Networks technical documentation to identify the security capabilities that need improvement and to make the needed improvements, especially in the seven key security capabilities. Improving your security posture helps to safeguard your users and your valuable devices, assets, applications, and services.
In addition, the BPA and the technical documentation show you how to improve many other security capabilities such as application-based Security Policy, administrative access to firewalls, User-ID, File Blocking profiles, DoS and Zone Protection, and credential theft protection. Some key resources are:
  • Decryption Best Practices—Shows you how to increase your visibility by decrypting all of the traffic that your business model, privacy considerations, and regulations allow so that you can inspect the maximum amount of traffic and protect your network from encrypted threats.
  • DoS and Zone Protection Best Practices—Shows you how to take a layered approach to protecting against denial-of-service (DoS) attacks that try to take down your network and to defending your network perimeter, zones, and individual devices.
  • Best Practices for Applications and Threats Content Updates—Deploying content and application updates in the best manner for your business requirements ensures that your network is protected against the latest threats and identifies the latest applications.
You can find all of these documents and much more from the Best Practices portal and the Transition to Best Practices page.

How to Engage Security Assurance

Capture relevant log data and then use Security Assurance to help with suspicious activity.
When you engage Security Assurance about suspicious activity, you must provide a specific set of data about the suspected incident so Palo Alto Networks’ experts can investigate the activity.

Data to Collect Before Engaging Security Assurance

Gather relevant log data before you engage Security Assurance to help with suspicious activity.
Palo Alto Networks’ experts need at a minimum the following information about the suspicious activity to begin diagnosing the potential issue. Please collect this data before you engage Security Assurance.
Basic details regarding the suspicious activity:
  • The suspected attack vector and type: What evidence of suspicious activity alerted your administrative or response team?
  • Timeline:
    • Date and time of the suspected initial attack, if known.
    • The time at which you identified the potential issue.
  • Incident details:
    • Known IP addresses of impacted systems.
      • The IP addresses of impacted hosts that are publicly available through NAT.
      • Critical services that could make the system or systems a target, for example, databases, web services, remote access (RDP, Citrix, etc.) servers.
    • Known or suspicious IP addresses that may be related to the attack.
    • The User-IDs of compromised user accounts (if any).
  • Topology diagram or overview: The location of the firewall in relation to the impacted hosts. (A complete network topology diagram is not required.)
  • Malware and indicators of compromise:
    • Samples.
    • Hashes.
Firewall data:
  • Tech Support Files:
    • Generate and upload Tech Support files from the firewalls in the path to potentially impacted devices at the time of the suspicious activity.
    • If you use Panorama to manage the firewalls, generate and upload the Panorama Tech Support file.
  • Firewall logs: Export logs from the firewall and Panorama appliances starting from two hours before the suspicious activity. Before you export logs, verify that the CSV row setting is at its maximum value of 65535 rows (Device > Setup > Management > Logging and Reporting Settings). If the value is lower, increase it to the maximum of 65535 rows. Export logs for each of the following basic log categories (if logs are enabled) based on IP address information and timestamp details (you can filter logs to display log entries based on IP address and time):
It’s important to understand your deployment’s log retention policy and log retention capacity to ensure that no relevant data goes unexamined. Administrators may need to take additional actions, such as exporting data from firewalls or other logging servers, to assure continuity and completeness of data for the duration of the investigation.
More ways to identify meaningful data about suspicious activity:

Engaging Security Assurance

There are two ways to engage Security Assurance to help with suspicious activity.
After you collect the data about the suspicious activity, which ensures timely analysis of the relevant information, you’re ready to engage Security Assurance. You can engage Security Assurance in two ways:
  • Log in to the Customer Support Portal. Click Create a Case to open a support case. When you fill out the form, select Threat.
  • Your sales engineer (SE) can open a support case on your behalf.