Automate Global Secure Access With Prisma Access and Cortex XSOAR
Palo Alto Networks | Automate Global Secure Access with Prisma Access and Cortex XSOAR | Brief 1
Integration Features

As organizations newly depend on largely remote workforces, Prisma™ Access provides cloud-delivered security and access for employees anywhere in the world. It rapidly enables remote workers without the need for additional hardware or infrastructure deployment, and it automatically scales as the workforce grows. At Palo Alto Networks, our own global workforce of more than 7,000 employees across 39 office locations is now entirely remote, leveraging our own solutions. Moreover, we've successfully transitioned our internal SOC to a fully operational remote model, which continues to monitor for threats, protecting our user population with Prisma Access and Cortex™ XSOAR.

Cortex XSOAR consumes feeds from Prisma Access and Cortex Data Lake. These feeds can include alerts (e.g., egress IP notifications) or indicators of compromise (e.g., malicious or anomalous user behavior) that are relevant to a SOC analyst or network administrator. Upon receiving these triggers, Cortex XSOAR can automatically correlate data from other sources, enrich the data, and take the right actions, such as whitelisting egress IPs, logging out a user, or disabling a user account. All these actions are performed by way of automated playbooks for quick and consistent incident response.

Cortex XSOAR enables organizations to:
• Automate triage of remote connectivity and user activity alerts.
• Manage indicator blocklists (add, access, delete) automatically in real time.
• Leverage hundreds of third-party product integrations to coordinate response across security functions based on insights from Prisma Access and Cortex Data Lake.
• Run hundreds of commands (including for Prisma Access) interactively via a ChatOps interface while collaborating with other analysts and the Cortex XSOAR chatbot.

Automate Source IP-Based Whitelisting

Challenge
When you deploy workloads in a public cloud, it is a security best practice to enforce source IP-based restrictions by setting up appropriate security groups or firewall rules—for instance, a rule to only allow SSH access to a cloud instance from a specific set of IP addresses. To allow your users to access this instance via Prisma Access, you need to whitelist Prisma Access egress IPs.

Prisma Access can auto-scale in response to a surge in remote workers. Whenever there is an auto-scale event, or when new Prisma Access locations are provisioned, these new egress IPs need to be whitelisted to ensure continuous user connectivity to those workloads. Using legacy security, administrators have to manually update all their security groups and firewall rules when such events happen, making it hard to scale quickly or respond in real time to any changes.

Solution
With Prisma Access and Cortex XSOAR, when an auto-scaling or new provisioning event comes in, the related Cortex XSOAR playbook immediately picks up the new list of Prisma Access egress IPs and automatically updates the relevant security groups or firewall rules on the cloud platform. This ensures business continuity with no loss or interruption for your users who need access to these workloads or software-as-a-service (SaaS) applications.
[Figure: Cortex XSOAR takes in logs, alerts, and indicators of compromise from Prisma Access and produces automated response and enriched data]
Automate Multi-Factor Authentication Enforcement

Challenge
Your remote access policy probably includes multi-factor authentication (MFA) for users connecting from untrusted or unknown IPs. This is configured in your identity and access management (IAM) solution, such as Okta, where you define trusted IPs. For example, when a user connects from headquarters, from a branch office, or through Prisma Access—all considered trusted networks—MFA is not required. However, when that same user connects from a public Wi-Fi hotspot, MFA is required.

With auto-scaling or provisioning of new locations, the list of Prisma Access IPs assigned for your organization will change. Whitelisting these new egress IPs is done manually (and thus often slowly), so a user connected to these new Prisma Access instances may still be required to do MFA even if accessing their SaaS applications via a trusted network. This results in poor user experience and less-than-seamless connectivity.

Solution
A Cortex XSOAR playbook triggered by an incoming auto-scaling or new provisioning event immediately picks up the new list of Prisma Access egress IPs and automatically updates your IAM. So, when users connected to these new

Automate Malicious User Activity Response

Challenge
Many modern organizations allow users to connect from corporate-managed devices as well as their personal devices. When the security posture of an endpoint cannot be trusted, or when your users visit phishing sites or malicious domains, you want to track those endpoints and users so that you can take corrective actions. Manually tracking user logins and triaging malicious logins is repetitive and time-consuming, and high volumes of threat logs and alerts are difficult to parse and address in a timely manner, presenting attackers with a window of opportunity.

Solution
Alerts such as threat logs or compromised endpoints talking to command-and-control servers can trigger Cortex XSOAR playbooks to automatically pull user details from a directory such as Active Directory, log the user out, and enforce MFA and/or disable the user's account. This playbook can monitor active users and take actions—such as logging users out if there is unauthorized activity, or updating user tags on the firewall—all from the Cortex XSOAR interface.

[Figure: Panorama, Prisma Access and Cortex Data Lake feed Cortex XSOAR, which pushes updated egress IPs (IP1, IP2, IP3) to SaaS and IAM allowlists and can disable a user account]
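The egress-IP update described in the Source IP-Based Whitelisting and MFA Enforcement sections comes down to one reconciliation step: diff the allowlist a security group or IAM trusted-IP list holds now against the egress IPs carried by the event, add what is missing, and retire only what the playbook itself added earlier. The block below is an added example, not Palo Alto Networks or Cortex XSOAR code; the sample lists are constructed, and the safety policy (refuse 0.0.0.0/0, RFC 1918 space and anything broader than a /24) is an assumption a practitioner would want before letting a feed drive a firewall rule.

```python
"""Reconcile an IP allowlist against the egress IPs carried by a Prisma Access event.
Added example, not Palo Alto Networks code; sample data is constructed. The same diff
serves a cloud security-group rule (e.g. SSH only from egress IPs) and an IAM
trusted-IP list: entries the playbook applied earlier are replaced, entries an
administrator added by hand are never removed."""
import ipaddress

# Assumed policy: an automated feed must never open the rule to 0.0.0.0/0,
# to RFC 1918 space, or to anything broader than a /24.
MIN_PREFIX = 24
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def safe_to_allowlist(addr):
    """True for an IPv4 host or CIDR no broader than /24 that is publicly routable."""
    try:
        net = ipaddress.ip_network(addr.strip(), strict=False)
    except ValueError:
        return False
    if net.version != 4 or net.prefixlen < MIN_PREFIX:
        return False
    if net.is_loopback or net.is_multicast or net.is_unspecified:
        return False
    return not any(net.overlaps(p) for p in RFC1918)


def normalize(addrs):
    """Canonical CIDR strings ('203.0.113.10' -> '203.0.113.10/32'); unsafe input raises."""
    bad = [a for a in addrs if not safe_to_allowlist(a)]
    if bad:
        raise ValueError(f"refusing unsafe allowlist entries: {bad}")
    return {str(ipaddress.ip_network(a.strip(), strict=False)) for a in addrs}


def reconcile(current_allowlist, previous_egress, new_egress):
    """Return (add, remove): current_allowlist is what the security group or IAM list
    holds now, previous_egress what this playbook applied last run, new_egress the
    list from the auto-scale or provisioning event."""
    current, managed, desired = map(normalize, (current_allowlist, previous_egress, new_egress))
    add = desired - current
    remove = (managed & current) - desired  # retire only entries the automation owns
    return sorted(add), sorted(remove)


# Constructed sample: HQ (192.0.2.1, admin-added) plus last run's egress IPs, then an
# event that keeps .11, adds .12 and retires .10.
CURRENT_RULE = ["192.0.2.1/32", "203.0.113.10", "203.0.113.11"]
LAST_RUN_EGRESS = ["203.0.113.10", "203.0.113.11"]
EVENT_EGRESS = ["203.0.113.11", "203.0.113.12"]

if __name__ == "__main__":
    print(reconcile(CURRENT_RULE, LAST_RUN_EGRESS, EVENT_EGRESS))
```

Persisting `previous_egress` between runs (for example in the playbook's own context) is what keeps the admin-added HQ entry from ever being swept away.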
Monitor and Alert on Broken Tunnels Between Branches

Challenge
In a security team's busy day, there is no time to proactively monitor for potential connectivity downtime, as staff are usually busy firefighting and triaging critical incidents. Among other things, this makes it difficult to keep track of the health status of all VPN tunnels to ensure 100% uptime for users.

Solution
Enter Jobs, a Cortex XSOAR feature that runs playbooks and helps SOCs automate proactive security operations. An automated VPN tunnel monitoring playbook can be scheduled to poll Prisma Access connection statuses on a regular basis and send a Slack® alert for remediation actions if a tunnel is down.
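The decision logic such a scheduled job needs, as an added example that is not Palo Alto Networks or Cortex XSOAR code: it carries a per-tunnel down counter between runs, alerts once when a tunnel has been down for two consecutive polls (an assumed threshold, so one flapping poll does not page anyone), and announces recovery. The poll records are constructed; a real job would take them from the Prisma Access integration and hand the text to a Slack integration.

```python
"""Decide which Prisma Access tunnels need a Slack alert after a scheduled status poll.
Added example, not Palo Alto Networks code; the poll records are constructed. Assumed
policy: alert once when a tunnel has been down for two consecutive polls (so a single
flapping poll does not page anyone), and announce when it recovers."""

DOWN_POLLS_BEFORE_ALERT = 2


def evaluate_polls(polls, history=None):
    """polls: records {"site", "tunnel", "status"} from one job run.
    history: {tunnel_key: consecutive down polls} carried over from the previous run.
    Returns (down_alerts, recovered, new_history)."""
    history = dict(history or {})
    down_alerts, recovered = [], []
    for rec in polls:
        key = f"{rec['site']}/{rec['tunnel']}"
        if rec["status"].lower() == "up":
            if history.pop(key, 0) >= DOWN_POLLS_BEFORE_ALERT:
                recovered.append(key)  # was alerted on, now back: announce recovery
            continue
        history[key] = history.get(key, 0) + 1
        if history[key] == DOWN_POLLS_BEFORE_ALERT:  # fire exactly once per outage
            down_alerts.append(key)
    return down_alerts, recovered, history


def slack_text(down_alerts, recovered):
    """Plain-text body for the Slack alert, or None when there is nothing to report."""
    lines = []
    if down_alerts:
        lines.append(f"Prisma Access tunnels down for {DOWN_POLLS_BEFORE_ALERT} consecutive polls:")
        lines += [f"  - {k}" for k in down_alerts]
    if recovered:
        lines.append("Tunnels recovered: " + ", ".join(recovered))
    return "\n".join(lines) if lines else None


# Constructed poll results for three consecutive job runs.
RUN_1 = [{"site": "branch-a", "tunnel": "ipsec-1", "status": "down"},
         {"site": "branch-b", "tunnel": "ipsec-1", "status": "up"}]
RUN_2 = [{"site": "branch-a", "tunnel": "ipsec-1", "status": "down"},
         {"site": "branch-b", "tunnel": "ipsec-1", "status": "up"}]
RUN_3 = [{"site": "branch-a", "tunnel": "ipsec-1", "status": "up"},
         {"site": "branch-b", "tunnel": "ipsec-1", "status": "up"}]

if __name__ == "__main__":
    state = {}
    for run in (RUN_1, RUN_2, RUN_3):
        down, back, state = evaluate_polls(run, state)
        print(slack_text(down, back))
```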
3000 Tannery Way, Santa Clara, CA 95054
Main: +1.408.753.4000 | Sales: +1.866.320.4788 | Support: +1.866.898.9087
www.paloaltonetworks.com

© 2020 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
automate-global-secure-access-with-prisma-access-and-cortex-xsoar-b-060820