CYBERSECURITY

INTRODUCTION TO CYBERSECURITY

This course introduces the fundamentals of cybersecurity, including the concepts needed to
recognize and potentially mitigate attacks against home networks and mission-critical
infrastructure.

Topics

1. Cybersecurity Landscape
2. Cyberattack Types
3. Cyberattack Techniques
4. APT’s and WI-FI Vulnerabilities
5. Security Models

1. Cybersecurity Landscape

The modern cybersecurity landscape is a rapidly evolving hostile environment with advanced
threats and increasingly sophisticated threat actors. This lesson describes the current
cybersecurity landscape, explains SaaS application challenges, describes various security and
data protection regulations and standards, identify cybersecurity threats and attacker profiles, and
explains the steps in the cyberattack lifecycle.

Web 3.0
The vision of Web 3.0 is to return the power of the internet to individual users, in much the same
way that the original Web 1.0 was envisioned. To some extent, Web 2.0 has become shaped and
characterized, if not controlled, by governments and large corporations dictating the content that
is made available to individuals and raising many concerns about individual security, privacy,
and liberty.

New Application Threat Vectors

Exploiting vulnerabilities in core business applications has long been a predominant attack
vector, but threat actors are constantly developing new tactics, techniques, and procedures
(TTPs).

2. Cyberattack Types

Attackers use a variety of techniques and attack types to achieve their objectives. Malware
and exploits are integral to the modern cyberattack strategy. This lesson describes the
different malware types and properties, the relationship between vulnerabilities and exploits,
and how modern malware plays a central role in a coordinated attack against a target. This
lesson also explains the timeline of eliminating a vulnerability.

Department Of Information Technology, Pragati Engineering College Page no.1

 CYBERSECURITY

Cyber Security is a procedure and strategy associated with ensuring the safety of sensitive
information, PC frameworks, systems, and programming applications from digital assaults.
Cyber assaults is general phrasing which covers enormous number of themes, however, some
of the common type of assaults are:
• Altering frameworks and information existing in it
• Abuse of assets
• Unapproved access to framework and getting to delicate data
• Jeopardizing typical working of the business and its procedures
• Utilizing ransomware assaults to scramble information and coerce cash
from casualties

3. Cyberattack Techniques

Attackers use a variety of techniques and attack types to achieve their objectives. Spamming and
phishing are commonly employed techniques to deliver malware and exploits to an endpoint via
an email executable or a web link to a malicious website. Once an endpoint is compromised, an
attacker typically installs back doors, remote access Trojans (RATs), and other malware to
ensure
persistence. This lesson describes spamming and phishing techniques, how bots and botnets
function, and the different types of botnets.

Business Email Compromise (BEC)

Business email compromise (BEC) is one of the most prevalent types of cyberattacks that
organizations face today. The FBI Internet Crime Complaint Center (IC3) estimates that "in
aggregate" BEC attacks cost organizations three times more than any other cybercrime and BEC
incidents represented nearly a third of the incidents investigated by Palo Alto Networks Unit 42
Incident Response Team in 2021. According to the Verizon 2021 Data Breach Investigations
Report (DBIR), BEC is the second most common form of social engineering today.

4. APT’s and WI-FI Vulnerabilities

With the explosive growth in fixed and mobile devices over the past decade, wireless (Wi-Fi)
networks are growing exponentially—and so is the attack surface for advanced persistent threats
(ATP). This lesson describes Wi-Fi vulnerabilities and attacks and APTs.

Wi-Fi Challenges
A security professional's first concern may be whether a Wi-Fi network is secure. However,
for the average user, the unfortunate reality is that Wi-Fi connectivity is more about
convenience than security.
Security professionals must secure Wi-Fi networks—but they must also protect the mobile
devices their organization’s employees use to perform work and access potentially sensitive
data, no matter where they are or whose network they are on.

Department Of Information Technology, Pragati Engineering College Page no.2

 CYBERSECURITY

5. Security Models

The goal of a security model is to provide measurable threat prevention through trusted and
untrusted entities. This can be a complicated process, as every security model will have its own
customizations and many variables need to be identified. This lesson describes the core concepts
of a security model and why the model is important, the functions of a perimeter-based security
model, the Zero Trust security model design principles, and how the principle of least privilege
applies to the Zero Trust security model.

Perimeter-Based Security Model

Perimeter-based network security models date back to the early mainframe era (circa late
1950s), when large mainframe computers were located in physically secure “machine rooms.”
These rooms could be accessed by a limited number of remote job entry (RJE) terminals
directly connected to the mainframe in physically secure areas.

Assumes Trust on Internal Network

The primary issue with a perimeter-based network security strategy, which deploys
countermeasures at a handful of well-defined entrance and exit points to the network, is that the
strategy relies on the assumption that everything on the internal network can be trusted. Click
the tabs for more information about modern business conditions and computing environments
that perimeter-based strategies fail to address.

Allows Unwanted Traffic

A broken trust model is not the only issue with perimeter-centric approaches to network
security. Another contributing factor is that traditional security devices and technologies (such
as port-based firewalls) commonly used to build network perimeters let too much unwanted
traffic through.

Click the tabs for more information about the typical shortcomings and inabilities of perimeter-
centric approaches.

Zero Trust Security Model

The Zero Trust security model addresses some of the limitations of perimeter-based network
security strategies by removing the assumption of trust from the equation.

With a Zero Trust model, essential security capabilities are deployed in a way that provides
policy enforcement and protection for all users, devices, applications, and data resources, as
well as the communications traffic between them, regardless of location.

No Default Trust
With Zero Trust there is no default trust for any entity – including users, devices, applications,
and packets – regardless of what it is and its location on or relative to the enterprise network

Department Of Information Technology, Pragati Engineering College Page no.3

 CYBERSECURITY

Fundamentals of Network Security

The fundamentals of network security including concepts they must understand to recognize
and potentially defend home networks and mission-critical infrastructure.

Topics

1. The Connected Globe

2. Addressing and Encapsulation
3. Network Security Technologies
4. Endpoint Security and Protection
5. Secure the Enterprise

1. The Connected Globe

In this we will discuss how hundreds of millions of routers deliver Transmission Control
Protocol/Internet Protocol (TCP/IP) packets using various routing protocols across local-area
networks and wide-area networks. Also will discuss about how the Domain Name System
(DNS) enables internet addresses, such as www.paloaltonetworks.com, to be translated into
routable IP addresses.
The Net
In the 1960s, the U.S. Defence Advanced Research Projects Agency (DARPA) created
ARPANET, the precursor to the modern internet. ARPANET was the first packet-switched
network. A packet-switched network breaks data into small blocks (packets), transmits each
individual packet from node to node toward its destination, and then reassembles the individual
packets in the correct order at the destination.

2. Addressing and Encapsulation

This lesson describes the functions of physical, logical, and virtual addressing in networking,
IP addressing basics, subnetting fundamentals, OSI and the TCP/IP models, and the packet
lifecycle.
TCP/IP Overview
In cybersecurity, you must understand that applications sending data from one host computer to
another host computer will first segment the data into blocks and will then forward these data
blocks to the TCP/IP stack for transmission.

Numbering Systems
You must understand how network systems are addressed before following the path data takes
across internetworks. Physical, logical, and virtual addressing in computer networks require a
basic understanding of decimal (base 10), hexadecimal (base 16), and binary (base 2) numbering.

Department Of Information Technology, Pragati Engineering College Page no.4

 CYBERSECURITY

3. Network Security Technologies

In this lesson, we will discuss

the basics of network security technologies such as firewalls,
intrusion detection systems (IDSs) and intrusion prevention systems (IPSs), web content filters,
virtual private networks (VPNs), data loss prevention (DLP), and unified t reat management
(UTM), which are deployed across the industry.
Legacy Firewalls
Firewalls have been central to network security since the early days of the internet. A firewall is a
hardware platform or software platform or both that controls the flow of traffic between a trusted
network (such as a corporate LAN) and an untrusted network (such as the internet).

4. Endpoint Security and Protection

In this we will explore endpoint security challenges and solutions, including malware protection,
anti-malware software, personal firewalls, host-based intrusion prevention systems (HIPSs), and
mobile device management (MDM) software. We will also introduce network operations
concepts, including server and systems administration, directory services, and structured host and
network troubleshooting.
Endpoint Security
In 2022, there were more than 11.5 billion internet of things (IoT) devices worldwide, including
machine-to-machine (M2M), wide-area IoT, short-range IoT, massive-and-critical IoT, and
multi-access edge computing (MEC) devices. Traditional endpoint security encompasses
numerous security tools, such as anti-malware software, personal firewalls, HIPSs, and MDM
software.

5. Secure the Enterprise

The networking infrastructure of an enterprise can be extraordinarily complex. The Palo Alto
Networks prevention-first security architecture secures enterprises' perimeter networks, data
centers, cloud-native applications, SaaS applications, branch offices, and remote users with a
fully integrated and automated platform that simplifies security.
Prevention-First Architecture
Simplifying your security posture allows you to reduce operational costs and infrastructure
while increasing your ability to prevent threats to your organization.

Fundamentals of Cloud Security

This training introduces someone with no prior knowledge to the fundamentals of cloud
security including concepts they must understand to recognize threats and potentially defend
data centers, enterprise networks, and small office/home office (SOHO) networks from
cloud-based attacks.

Department Of Information Technology, Pragati Engineering College Page no.5

 CYBERSECURITY

TOPICS

1. Cloud Computing
2. Cloud Native Technologies
3. Cloud Native Security
4. Hybrid Data Center Security
5. Prisma Access SASE Security
6. Prisma SaaS
7. Prisma Cloud Security

1. Cloud Computing

The move toward cloud computing not only brings cost and operational benefits but also
technology benefits. Data and applications are easily accessed by users no matter where they
reside, projects can scale easily, and consumption can be tracked effectively.

Cloud computing is not a location but rather a pool of resources that can be rapidly provisioned
in an automated, on-demand manner. Read the quote below for the defi ition of cloud
computing according to the U.S. National Institute of Standards and Technology.

Value
Click the tabs for more information regarding the value of cloud computing.

Economies of scale Agility

One value of cloud computing iss the ability to pool resources to achieve economies of scale.
This ability to pool resources is true for private or public clouds.

Cloud Computing Ecosystem

The cloud computing ecosystem consists of service models, deployment models,
responsibilities, and security challenges.

Service Models, Deployment Models, and Responsibilities

Virtualization is a critical component of a cloud computing architecture that, when combined
with software orchestration and management tools that are covered in this course, allows you to
integrate disparate processes so that they can be automated, easily replicated, and offered on an
as-needed basis.

Cloud Computing Service Models

As data centre managers face
a burgeoning population of mobile users, the distributed
workforce – with multiple endpoints and cloud applications – is forcing organizations to evolve
both their in-house and cloud cybersecurity infrastructures.

Department Of Information Technology, Pragati Engineering College Page no.6

 CYBERSECURITY

Three Computing Service Models

NIST defines three distinct cloud computing service models.
Click each card for more information about each cloud computing service model.
Cloud Computing Deployment Models
Data and applications now reside in a multitude of cloud environments – including private and
public clouds – spanning infrastructure, platform, and security.

Four Cloud Deployment Models

NIST defines four cloud computing deployment models.

Click the arrows for more information about each cloud computing model.

Shared Responsibility Model

The security risks that threaten your network today do not change when you move from on-
premises to the cloud. The shared responsibility model defines who (customer and/or provider)
is responsible for what (related to security) in the public cloud.

2. Cloud Native Technologies

Like a new universe, the cloud native ecosystem has many technologies and projects quickly
spinning off and expanding from the initial core of containers.

Cloud Native Technology Properties

A useful way to think of cloud native technologies is as a continuum spanning from virtual
machines (VMs) to containers to serverless. On one end are traditional VMs operated as
stateful
entities, as we have done for over a decade now. On the other are completely stateless,
serverless apps that are effectively just bundles of app code without any packaged
accompanying operating system (OS) dependencies.

Virtualization
Virtualization is the foundation of cloud computing. You can use virtualization to create
multiple virtual machines to run on one physical host computer.

Hypervisor
Hypervisor software allows multiple, virtual guest operating systems to run concurrently on a
single physical host computer. The hypervisor functions between the computer operating
system and the hardware kernel.

Security Considerations
Virtualization is an important technology used in data centers and cloud computing to optimize
resources.

Department Of Information Technology, Pragati Engineering College Page no.7

 CYBERSECURITY

Click each tab for more information about important security

considerations associated with virtualization.

Serverless Computing and Function as a Service

Serverless architectures, also referred to as function as a service (FaaS), enable organizations
to build and deploy software and services without maintaining or provisioning any physical or
virtual servers. Applications made using serverless architectures are suitable for a wide range
of services and can scale elastically as cloud workloads grow.

Benefits of Using Serverless Computing and FaaS

Here are some of the major benefits of using serverless computing and FaaS. Focus on
Core Product Functionality
From a software development perspective, organizations adopting serverless architectures can
focus on core product functionality and completely disregard the underlying operating system,
application server, or software runtime environment.

Serverless App Package and Environment

While on-demand containers greatly reduce the “surface area” exposed to end users and, thus, the
complexity associated with managing them, some users prefer an even simpler way to deploy
their apps. Serverless is a class of technologies designed to allow developers to provide only their
app code to a service, which then instantiates the rest of the stack below it automatically.

App Package
In serverless apps, the developer only uploads the app package itself, without a full container
image or any OS components. The platform dynamically packages it into an image, runs the
image in a container, and (if needed) instantiates the underlying host OS and VM as well as the
hardware required to run them. In a serverless model, users make the most dramatic trade-offs
of compatibility and control for the simplest, most efficient deployment and management
experience.

Serverless Environment
Examples of serverless environments include Amazon Lambda and Azure Functions. Arguably,
many platform-as-a-service (PaaS) offerings, such as Pivotal Cloud Foundry, are also effectively
serverless even if they have not historically been marketed as such. While on the surface,
serverless may appear to lack the container-specific, cloud-native attribute, containers are
extensively used in the underlying implementations, even if those implementations are not
exposed to end users directly.

Adopting a Serverless Model

Click the cards for more information about how adopting a serverless model can impact
application development.

Department Of Information Technology, Pragati Engineering College Page no.8

 CYBERSECURITY

3. Cloud Native Security

The speed and flexibility that are so desirable in today’s business world have led companies to
adopt cloud technologies that require not just more security but new security approaches. In the
cloud, you can have hundreds or even thousands of instances of an applic tion, presenting
exponentially greater opportunities for attack and data theft.

The Four Cs of Cloud Native Security

The CNCF defines a container security model for Kubernetes in the context of cloud native
security. Each layer provides a security foundation for the next layer.
Prioritizing Software Security in the Cloud
The customer is ultimately responsible for providing security for the data, hosts, containers,
and serverless instances in the cloud.
Public cloud service providers have done a great job with the build, maintenance, and updating of
computing hardware, virtual machines, data storage, and databases along with the minimum
baseline security protection mechanisms. However, the customer is ultimately responsible for
providing security for the data, hosts, containers, and serverless instances in the cloud.

Customers should follow three DevOps models and processes to better secure their data in the
cloud.

DevOps Software Development Model

The DevOps software development model is enhancing or replacing the traditional software
development life cycle (SDLC) model.

Introduction
In the traditional software development model, developers write large amounts of code for new
features, products, bug fixes, and such, and then pass their work to the operations team for
deployment, usually via an automated ticketing system. The operations team receives this request
in its queue, tests the code, and gets it ready for production – a process that can take days, weeks,
or even months.

Important Characteristics
DevOps unites the development and operations teams throughout the entire
software delivery process, enabling them to discover and remediate issues earlier, automate
testing and deployment, and reduce time to market.

DevOps CI/CD Pipeline

DevOps is a cycle of continuous integration and continuous delivery (or continuous
deployment), otherwise known as the CI/CD pipeline.
However, the customer is ultimately responsible for providing security for the data, hosts,
containers, and serverless instances in the cloud. In the traditional software development
model,

Department Of Information Technology, Pragati Engineering College Page no.9

 CYBERSECURITY

and then pass their work to the operations team for deployment, usually via an automated
ticketing system.

4. Hybrid Data Center Security

Data centers are rapidly evolving from a traditional, closed environment with static, hardware-
based computing resources to an environment in which traditional and cloud computing
technologies are mixed.

The Hybrid Cloud

Many organizations are using public cloud compute resources to expand private cloud capacity
rather than expand compute capacity in an on-premises private cloud data center.

Virtualization of Guest Operating Systems

The use of private cloud and public cloud compute resources to expand services is called the
hybrid cloud. The virtualization of guest operating systems has forced organizations to adopt a
hybrid cloud model over a traditional data center.

Click each image for more information about the traditional data center and the hybrid
cloud.

Traditional Data Center vs. Hybrid Cloud

The ”ports first” traditional data center security solution limits the ability to see all traffic on
all ports.
The move toward towards a cloud computing model – private, public, or hybrid improves
operational efficiencies.

Private Cloud Traffic Types and Compute Clusters

Organizations usually implement security to protect traffic flowing north-south, but this approach
is insufficient for protecting east-west traffic within a private cloud. To improve their security
posture, enterprises must protect against threats across the entire network, both north-south and
east-west.

Private Cloud Security

The use of virtual firewalls for east-west protection provides unprecedented traffic and threat
visibility.

East-West Protection Benefits

Virtual data center security best practices dictate a combination of north-south and east-west
protection.
Click the tabs for more information about the benefits that east-west protection
provides.
Authorizes only allowed applications to flow inside the data center, between VMs

Department Of Information Technology, Pragati Engineering College Page no.10

 CYBERSECURITY

Traffic and Threat Visibility

An added benefit of using virtual firewalls for east-west protection is the unprecedented traffic
and threat visibility that the virtualized security device can now provide. After Traffic logs and
Threat logs are turned on, VM-to-VM communications and malicious attacks become visible.
This virtual data-center awareness allows security teams to optimize policies and enforce
cyberthreat protection (for example, IPS, anti-malware, file blocking, data filtering, and DoS
protection) where needed

5. Prisma Access SASE Security

Secure Access Service Edge (SASE) is designed to help organizations embrace cloud and
mobility by providing network and network security services from a common cloud-
delivered architecture.

Cloud Native Security Platform (CNSP)

The cloud native approach takes the best of what cloud has to offer – scalability, deployability,
manageability, and limitless on-demand compute power – and applies these principles to
software development, combined with CI/CD automation, to radically increase productivity,
business agility, and cost savings.
Continuous Integration/Continuous Delivery (CI/CD)
Application development methodologies are moving away from the traditional “waterfall”
model toward more agile continuous integration/continuous delivery (CI/CD) processes
with end-to-end automation.

Cloud Native Architectures

Cloud native architectures consist of cloud services such as containers, serverless security,
platform as a service (PaaS), and microservices.

These services are loosely coupled, which means they are not hardwired to any infrastructure
components, thus allowing developers to make changes frequently without affecting other
pieces of the application or other team members’ projects across technology boundaries such as
public, private, and multicloud deployments.

"Cloud native” refers to a methodology of software development that is essentially

designed for cloud delivery and exemplifies all the benefits of the cloud by nature.

SecOps and DevOps

Cloud native security point products that began to appear in the market were engineered to
address one part of the problem or one segment of the software stack, but on their own they could
not collect enough information to accurately understand or report on the risks across cloud native
environments. This situation forced security teams to use multiple tools and vendors, which
increased cost, complexity, and risk and also created blind spots where the tools overlapped but
didn’t integrate.

Department Of Information Technology, Pragati Engineering College Page no.11

 CYBERSECURITY

The solution to this problem requires a unified platform approach that can envelop the entire
CI/CD lifecycle and integrate with the DevOps workflow.

Prisma Cloud
Prisma Cloud is the most comprehensive cloud-native security platform. It was designed to
protect all aspects of cloud use with the industry’s leading technology.

Introduction
Prisma Cloud provides broad security and compliance coverage for the entire cloud native
technology stack and for applications and data throughout the entire application lifecycle, across
multicloud and hybrid cloud environments. Prisma Cloud takes an integrated approach that
enables SecOps and DevOps teams to accelerate cloud native application deployment by
implementing security early in the development cycle.

Four Pillars

Prisma Cloud rests on four pillars.

Click each tab for more information about each pillar.

Visibility, Governance, and Compliance

Compute Security
Network Protection
Identity Security
Gain deep visibility into the security posture of multicloud environments. Track everything that
gets deployed with automated asset inventory, and maintain compliance with out-of-the-box
governance policies that enforce good behavior across your environments.

Prisma Access
Prisma Access delivers globally distributed networking and security to all your users and
applications.

Introduction
Whether at branch offices or on the go, your users connect to Prisma Access to safely access
cloud and data center applications, and the internet. Prisma Access provides consistent security
services and access to cloud applications (including public cloud, private cloud, and software as
a service), delivered through a common framework for a seamless user experience.

Enablement
Prisma Access consistently protects all traffic, on all ports and from all applications, enabling
your organization in three important areas.

Department Of Information Technology, Pragati Engineering College Page no.12

 CYBERSECURITY

6. Prisma SaaS

Prisma SaaS builds on the existing SaaS visibility and granular control capabilities of Palo Alto
Networks prevention-based architecture provided through App-ID, with detailed SaaS-based
reporting and granular control of SaaS usage.

SaaS Application Challenges

SaaS applications have become incredibly popular in recent years due to their widespread
availability, ease of use, and low costs. Gartner estimates that, by 2021, more than 70% of
businesses will be substantially provisioned with cloud office capabilities.

Introduction
SaaS applications are easy but that does not necessarily mean they are secure. In fact, most
companies struggle to adopt and use SaaS applications with confidence.

Defining SaaS Applications

To safely enable SaaS usage in your organization, start by clearly defining the SaaS applications
that should be used and which behaviors within those applications are allowed.

There are three types of SaaS applications: sanctioned, tolerated, and unsanctioned.

SaaS Data Exposure

Unsanctioned SaaS apps can expose sensitive data and propagate malware, and even
sanctioned SaaS adoption can increase the risk of data exposure, breaches, and
noncompliance.

Sanctioned SaaS Control

To control sanctioned SaaS usage, an enterprise security solution must provide threat
prevention, visibility and data exposure control, and risk prevention.
SaaS Document Classification and Policy
Prisma SaaS uses supervised machine learning algorithms to sort sensitive documents into top-
level categories for document classification and categorization.
Prisma SaaS enables you to discover and classify data stored across the supported SaaS
applications.
Click the tabs for more information about the different document classifications and policies
within Prisma SaaS.

7. Prisma Cloud Security

Effective cloud security requires complete visibility into every deployed resource as well as
absolute confidence in their configuration and compliance status. As enterprises further adopt
cloud native methodologies and gain the flexibility of multicloud architectures, stitching

Department Of Information Technology, Pragati Engineering College Page no.13

 CYBERSECURITY

together security data from disparate legacy tools becomes a considerable obstacle. DevOps and
security teams need a single, integrated solution like Prisma Cloud. This lesson provides an
overview of how Prisma Cloud prevents and detects security risks.
Cloud Security Posture Management (CSPM)
Prisma Cloud takes a unique approach to CSPM, going beyond mere compliance or configuration
management. Vulnerability intelligence from more than 30 data sources provides immediate
clarity on critical security issues, while controls across the development pipeline prevent insecure
configurations from ever reaching production.

Threat Detection
Prisma Cloud provides policies for a myriad of use cases such as detecting account hijacking
attempts, backdoor activity, network data exfiltration, unusual protocol, and DDoS activity. After
a threat is detected, an alert will be generated notifying administrators of the issue on hand so
that they can quickly remediate it.

Some of the anomaly policies provided by Prisma Cloud threat detection

in CSPM are:

User and Entity Behavior Analytics (UEBA)

Prisma Cloud analyses millions of audit events and then uses machine learning to detect
anomalous activities that could signal account compromises, insider threats, stolen access keys,
and other potentially malicious user activities.

Navigate to the Investigate page. For UEBA anomaly policies, you can also see a Trending
View of all anomalous activities performed by the entity or user.
Network Anomaly Detection
Prisma Cloud monitors cloud environments for unusual network behavior and can detect
unusual server port or protocol activity, including port-scan and port-sweep activities that
probe a server or host for open ports.

Automated Investigation and Response

Prisma Cloud provides automated remediation, detailed forensics, and correlation capabilities.
Insights combined from workloads, networks, and user activity, data, and configurations
accelerate incident investigation and response.

After a threat is detected, an alert will be generated notifying administrators of the issue on
hand so that they can quickly remediate it.
Data Security
The Data Security capabilities on Prisma Cloud enable you to discover and classify data stored
in AWS S3 buckets and protect against accidental exposure, misuse, or sharing of sensitive data.

Department Of Information Technology, Pragati Engineering College Page no.14

 CYBERSECURITY

Click the arrows for more information about different features that are included with Prisma
Cloud Data Security.
The new Data Dashboard tab provides complete visibility into your S3 storage. The dashboard
widgets below give you insight into how many storage buckets and objects you have, what kind
of data is stored in those objects, across which regions, who owns what, and what is the
exposure of the objects. This tab is available under the Dashboard menu.

The Compliance Overview is a dashboard that provides a snapshot of your overall compliance
posture across various compliance standards.
The new Data Dashboard tab provides complete visibility into your S3 storage. The dashboard
widgets below give you insight into how many storage buckets and objects you have, what kind
of data is stored in those objects, across which regions, who owns what, and what is the exposure
of the objects. This tab is available under the Dashboard menu.

User and Entity Behavior Analytics (UEBA)

Prisma Cloud analyses millions of audit events and then uses machine learning to detect
anomalous activities that could signal account compromises, insider threats, stolen access keys,
and other potentially malicious user activities.

Navigate to the Investigate page. For UEBA anomaly policies, you can also see a Trending
View of all anomalous activities performed by the entity or user.
Network Anomaly Detection
Prisma Cloud monitors cloud environments for unusual network behavior and can detect
unusual server port or protocol activity, including port-scan and port-sweep activities that
probe a server or host for open ports.

Automated Investigation and Response

Prisma Cloud provides automated remediation, detailed forensics, and correlation capabilities.
Insights combined from workloads, networks, and user activity, data, and configurations
accelerate incident investigation and response.

After a threat is detected, an alert will be generated notifying administrators of the issue on
hand so that they can quickly remediate it.
Data Security
The Data Security capabilities on Prisma Cloud enable you to discover and classify data stored
in AWS S3 buckets and protect against accidental exposure, misuse, or sharing of sensitive data.

Click the arrows for more information about different features that are included with Prisma
Cloud Data Security.

Department Of Information Technology, Pragati Engineering College Page no.15

 CYBERSECURITY

The new Data Dashboard tab provides complete visibility into your S3 storage. The dashboard
widgets below give you insight into how many storage buckets and objects you have, what kind
of data is stored in those objects, across which regions, who owns what, and what is the
exposure of the objects. This tab is available under the Dashboard menu.
The Compliance Overview is a dashboard that provides a snapshot of your overall compliance
posture across various compliance standards.
The new Data Dashboard tab provides complete visibility into your S3 storage. The dashboard
widgets below give you insight into how many storage buckets and objects you have, what kind
of data is stored in those objects, across which regions, who owns what, and what is the exposure
of the objects. This tab is available under the Dashboard menu.

Security Orchestration:
Security Orchestration - Automates the Process
Security orchestration is a method of connecting disparate security technologies through
standardized and automatable workflows that enable security teams to effectively carry out
incident response and operations. "Security orchestration" as a concept is defined as automation
of as many processes within security operations as possible. Automating proc sses help remove
the manual processes that were performed by a member of the SOC team which slows down the
flow and reduces the ability to review and analyze security issues. Automation can analyze data at
a much faster rate to accurately assess, respond to, and then mitigate the security incident
appropriately.

BUSINESS
Both Erik and the SOC team are responsible for protecting the business. The reason for Security
Operations, for all of the equipment, for everything SOC does is ultimately to service one main
goal, protect the business. Without the Business pillar, there would be no need for Erik or the
SOC team.

The Business pillar defines the purpose of the Security Operations team to the business and
how it will be managed. The Business pillar helps to provide Erik and the rest of the SOC team
with answers to questions such as "Who do we need to help protect the business?"; "How will
we protect the business?"; "Where are we going to do this from?"; and "How do we know if
what we have in place is working effectively?"

Facility
The facilities needed for your Security Operations team will depend on how you will be
delivering the service. A physical SOC may need separation from other parts of the business,
including the Network Operations Center (NOC). Although these two groups need to tightly
interface with each other, they may need separate spaces to adhere to need-to-know principles

Department Of Information Technology, Pragati Engineering College Page no.16

 CYBERSECURITY

and avoid specific legal issues. Where fusion centers are established, additional training for the
Network Operations staff is required to ensure adherence to privacy principles.

A facility should include basic locking capabilities, and preferably, an advanced access schema
that includes a two-factor authentication. Virtual SOCs (VSOC) are composed of team
members that do not hold a physical space. They utilize online, secure portals to monitor traffic.
The use of a VSOC requires extra care to secure the VPN and endpoint devices that access the
security portal, and a private space must be available for phone calls and discussions within the
Security Operations team.

Collaboration

A set of tools is required to facilitate communication and collaboration within and around the
Security Operations organization. These tools can include features around ticketing, war room
collaboration, shift turnover, process documentation, and may contain the entirety of the IR
documentation for every event. They can also include communication features such as email
distribution lists, shared inboxes, instant messaging, and video conferencing tools.

Collaboration tools are often incorporated into other tools and are at high risk of feature
duplication. The Security Operations team should define what the main tool(s) used will be,
which will be the single source of truth, and what information will be captured. Access to these
tools typically extends beyond the Security Operations organization, especially in the case of war
rooms, so access control must be addressed by the chosen tools.

PEOPLE
The People pillar defines who will be accomplishing the goals of the Security Operations team
and how they will be managed. As a part of the People pillar, Erik received training necessary
for him to be able to triage the alerts in addition to the other processes and functions within the
SOC. This training provides Erik with the skills necessary to become efficient at detecting and
prioritizing alerts. As Erik’s knowledge increases, he will have opportunities to grow on the
SOC team. He will also have the skills to advance in his career to other areas.

Employee Utilization
Methods should be developed to maximize the efficiency of a Security Operations team specific
to the existing staff. Security Operations staff are prone to burnout due to console burn out and
extreme workloads. To avoid this, team members should be assigned different tasks throughout
the day. These tasks should be structured and may include:

• Event triage
• Incident response
• Project work
• Training
• Reporting

Department Of Information Technology, Pragati Engineering College Page no.17

 CYBERSECURITY

• Shift turnover stand-up meeting (end of shift)

Another tactic to avoid burnout is to schedule shifts to avoid high-traffic commute times.
Depending on the area, 8am-5pm may line up with peak (vehicle) traffic patterns. Shifting
the schedule by two hours could reduce stress on the staff.

Training:

Types of Training Content

Proper training of staff will create consistency within an organization. Consistency drives
effectiveness and reduces risk. Use of a formal training program will also enable the organization
to bring on new staff quickly. Some organizations resort to on-the-job or shadow training for
new hires, which is not recommended on its own. While shadowing other analysts during initial
employment in the SOC is important, it should not be the only means of training.

Formal documentation should exist around capabilities, tools, processes, and communication
plans (both internal and external) that new and existing staff can reference. Enablement plans for
new tools should also be contained in the formal training program. This continuous education
requires time and investment and should be supported by the business.

Tabletop Exercises
Tabletop exercises are planned events where the stakeholders for the SOC or the entire security
organization walk through a security event to test the processes and reactions to the type of
incident. They can include simulated network activity or social engineering.

PROCESSES

While monitoring the ticketing queue, Erik notices a new set of alerts that has been sent to the
SOC team by one of the network devices. Based on the alert messages, Erik needs to determine
whether the alert message is a security incident, so he opens an incident ticket. Erik starts by
doing his initial research in the log files on the network device to determine if the threat is real.
After reviewing the log files, Erik determines that the alert is a real threat. Based on the Severity
Triangle, Erik has determined that the severity level for this alert is currently High.

INTERRFACES
As Erik is investigating the alert generated by the network device, he partners with the Threat
Intelligence Team to identify the potential risks this threat may pose to the organization. Erik also
interfaces with the Help Desk, Network Security Team, and Endpoint Security Teams to
determine the extent the threat has infiltrated the network.

Security operations is not a silo and needs to work with many other functions or teams. Each
interaction with another team is described as an interface. The Interfaces pillar defines which

Department Of Information Technology, Pragati Engineering College Page no.18

 CYBERSECURITY

functions need to take place to help achieve the stated goals, and how the SOC will interface with
other teams within the organization by identifying the scope of each team’s responsibilities and
the separation of each team’s duties.

Threat Hunting; Content Engineering

Threat Hunting

Threat hunting is often thought of as a function of the Security Operations team. However,
because it is separate from identify, investigate, and mitigate, it is distinct from the analyst
activities and is included as an interface. Hunting allows you to dig into the data to find
situations that the machines and automation may have missed. Threat hunting can be structured
or unstructured. Structured hunts begin with a single piece of intelligence. Then a hypothesis is
formed, and then the hunt to find the threat in the network begins. Formalized structured hunts
tend to be more useful to an organization than unstructured efforts.

Content Engineering

Content engineering is the function that builds alerting profiles that identify the alerts that will be
forwarded for investigation. The content engineer and the Security Operations team need to be
tightly interfaced and feedback needs to continuously flow. An interface agreement between the
teams needs to be created to identify how often content updates will be made, how they will be
vetted, and the feedback process. It should identify how the Security Operations team and threat
hunting team make requests for new alerts or modifications to existing alerts. Properly configured

alerts will allow the Security Operations team to focus on important alerts that require
further investigation.

Types of Collected Data

Every security team must use both telemetry and forensics. Telemetry from network and
endpoint activity and from cloud configurations will provide readily available information
necessary to triage and investigate the majority of alerts and incidents. Forensic data
supplements telemetry and provides the information needed to conclude the small number of
high-priority or difficult incident investigations that often lead to breach identification. Should a
breach be validated, all data and results will be required by government and regulatory bodies.

Threat Intelligence Team; Red & Purple Teams

Threat Intelligence Team

Threat intelligence function identifies potential risks to the organization that was not observed in
the network. It uses real-time information feeds from human and automated sources about the
background, details, specifics, and consequences of present and future cyber risks, threats,
vulnerabilities, and attacks. They are responsible for validating threats and then working with the

Department Of Information Technology, Pragati Engineering College Page no.19

 CYBERSECURITY

Intelligence Team delivers threat landscape reports at agreed-upon intervals to security teams that
are responsible for updating the security stack based on their findings.

Red and Purple Teams

Red and purple teams provide penetration testing to simulate threats to the organization and
provide feedback for improvements to the Security Operations organization. The red team
simulates advanced persistent threats (APTs) and will attempt to hide and slow-play their attacks
to avoid detection by SOC analysts. Purple teams work with both the red and SecOps teams to
help improve operations. They provide information to the red team about gaps in an analyst’s
focus areas and guide the SecOps team toward approaches to identify red team efforts. Red and
purple team exercises should have an allotted time limit, and the results should be given as
feedback to the SOC to improve capabilities, add processes and procedures, and add controls
before an actual APT gains hold

Department Of Information Technology, Pragati Engineering College Page no.20

 CYBERSECURITY

CONCLUSION: -

This internship has been a unique opportunity to improve the skills I already had and to learn several
new ones. Cyber security by palo alto networks is a complex subject whose understanding requires knowledge
and expertise from multiple disciplines, including but not limited to computer science and information
technology, psychology, economic, organizational behavior, political science, engineering, sociology,
decision sciences, international relations, and law. In practice, although technical measures are an important
element, cyber security is not primarily a technical matter, although it is easy for policy analysts and others to
get lost in the technical details. Furthermore, what is known about cyber security is often compartmented
along disciplinary lines, reducing the insights available from cross-fertilization. This primer seeks to
illuminate some of these connections. Most of all, it attempts to leave the reader with two central ideas. The
cyber security problem will never be solved once and for all. Solutions to the problem, limited in scope and
longevity though they may be, are at least as much nontechnical as technical in nature

Department Of Information Technology, Pragati Engineering College Page no.21