Security Operations

Plays Well With Others: The Respond Analyst Integrates with Palo Alto Networks for 24×7 Continuous Monitoring and Analysis

by Mitch Webb

We talk a lot about coverage here at Respond Software. It’s a fact: the more visibility you have into your environment, the better you’re able to contain and manage the cybersecurity risks you face. The relationship between security sensor data and risk is simple and linear. The more useful sensor data you can collect and effectively monitor in real time, the lower your risk.

This is why we partner with industry leaders like Palo Alto Networks. Palo Alto Networks Next-Generation Firewall solutions enhance visibility across today’s complex networks. You can build truly comprehensive coverage into your network security monitoring program with Palo Alto Networks integrated solutions, including Threat Prevention Services with Network Intrusion Detection and Prevention System (NIDPS) tools, advanced URL filtering, and the Traps endpoint protection and response platform.

Boost Your Ability to Analyze Data from Your Palo Alto Security Sensors

With more than 60,000 customers worldwide, Palo Alto Networks offers tightly integrated network security monitoring solutions that simplify the process of gathering data from billions of these customers’ devices and platforms. By implementing multiple modules from the Palo Alto Networks security stack, you can collect detailed information from a wide range of sources, including network traffic logs and URL and endpoint event records.

Palo Alto Networks tools and solutions provide your security team with a wealth of data. Pair them with the Respond Analyst to be sure that you’re able to extract maximum value from that data, even with limited time and employee resources.

Better Together: With The Respond Analyst, More Data = Better Decisions = Effective Security Operations

By nature, Palo Alto Networks IDPS and endpoint protection tools generate a high volume of events. It can be challenging for security teams to sort through all – or even just a few – of them.

For each security event that your PAN solution generates, you must ask yourself the following questions:

  • Why was this event generated?
  • Which assets are involved, and how critical are they?
  • What stage has this attack reached? Are the attackers just gaining a foothold, or has it progressed further?
  • Were any vulnerabilities targeted?
  • Where are the external systems or sites involved located? Do we have intelligence to suggest they are suspicious?

Building context like this for every alert you receive is neither simple nor effortless. But without it, you’re not going to be able to make the best decision every time. The standard way of dealing with this problem is to turn off or ignore security controls that are too noisy. Until recently, this was the only workable solution. Its unfortunate result was that significant amounts of relevant security data were disregarded, limiting security teams’ ability to see potentially important events and increasing time to detection.

With autonomous security monitoring software like the Respond Analyst on board, you can rest assured that you’re not overlooking threats by filtering out valuable information. The Respond Analyst is security analysis software that can take over the task of monitoring the feeds from your Palo Alto Networks solutions, enriching every alert with deep contextual information that’s easy to interpret. The Respond Analyst performs consistent and logical analysis, and it has all the skill of an experienced human security analyst built into it. But it operates at the speed and scale of a machine.

From a technical perspective, the Respond Analyst and Palo Alto Networks tools simply work well together. The Respond Analyst can consume the logs that these tools generate without significant onboarding time or “training.” It’s ready to begin adding value to your implementation right out of the box. All you need to do is forward the feed, and the Respond Analyst takes over from there.

The Respond Analyst Helps Security Teams Defend Against Attacks They’d Otherwise Miss

Let’s take a look at a real incident that the Respond Analyst handled in a real customer environment last year. All identifying information, including names and IP addresses, has been anonymized to protect confidentiality.

In this incident, the Respond Analyst alerted our customer’s security team to a man-in-the-middle (MITM) attack that affected an employee’s iPhone. The employee, “Jim,” had downloaded a third-party app to his iOS device, and the app exploited a known vulnerability in Apple’s FairPlay digital rights management technology to install additional malware on the iPhone.

With access to event data generated by the NIDPS tools included in the Threat Prevention service component of the Palo Alto Networks Next-Generation Firewall, the Respond Analyst was able to detect the anomalous network traffic patterns the attack was generating right away. The NIDPS detected 19 different events, and because our customer also had the Palo Alto Networks URL filtering module deployed, their security team was able to see that an additional 14 web filter events were correlated to the attack.
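The context questions listed above and the NIDPS/URL-filter correlation described in this incident can be illustrated with a small enrichment routine. This is an added example written for this post, not Respond Software or Palo Alto Networks code; the event records, asset inventory, threat-intel list, 30-minute correlation window and scoring weights are all constructed assumptions, and the records use simplified fields rather than the real PAN-OS log format.

```python
from datetime import datetime, timedelta

# Constructed sample events (simplified fields, not the real PAN-OS log format).
THREAT_EVENTS = [  # NIDPS (Threat Prevention) events: time, internal host, external IP, signature
    ("2019-03-04 09:02:11", "10.1.5.23", "203.0.113.77", "Suspicious TLS Certificate"),
    ("2019-03-04 09:03:40", "10.1.5.23", "203.0.113.77", "Malware Download Attempt"),
    ("2019-03-04 09:41:02", "10.1.7.9", "198.51.100.5", "Port Scan"),
]
URL_EVENTS = [  # URL-filtering events: time, internal host, external IP, category
    ("2019-03-04 09:02:30", "10.1.5.23", "203.0.113.77", "malware"),
    ("2019-03-04 09:03:55", "10.1.5.23", "203.0.113.77", "malware"),
    ("2019-03-04 15:10:00", "10.1.5.23", "192.0.2.10", "business"),  # outside window, ignored
]
ASSET_CRITICALITY = {"10.1.5.23": "high", "10.1.7.9": "low"}  # constructed asset inventory
INTEL_SUSPICIOUS = {"203.0.113.77"}  # constructed threat-intel list of flagged external IPs
WINDOW = timedelta(minutes=30)  # assumed correlation window

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def correlate(threat_events, url_events, window=WINDOW):
    """Group NIDPS events per internal host and attach URL-filter events seen within `window`."""
    incidents = {}
    for t, host, ext, sig in threat_events:
        inc = incidents.setdefault(host, {"host": host, "signatures": set(),
                                          "external": set(), "url_events": 0, "times": []})
        inc["signatures"].add(sig); inc["external"].add(ext); inc["times"].append(_ts(t))
    for t, host, ext, cat in url_events:
        inc = incidents.get(host)
        if inc and any(abs(_ts(t) - tt) <= window for tt in inc["times"]):
            inc["url_events"] += 1
            inc["external"].add(ext)
    return incidents

def assess(inc):
    """Answer the triage questions (asset criticality, external reputation, corroboration,
    progression) and return a severity with the reasons behind it. Weights are assumed."""
    reasons, score = [], 0
    if ASSET_CRITICALITY.get(inc["host"], "unknown") == "high":
        score += 2; reasons.append("asset criticality is high")
    flagged = inc["external"] & INTEL_SUSPICIOUS
    if flagged:
        score += 2; reasons.append(f"external host(s) flagged by intel: {sorted(flagged)}")
    if inc["url_events"]:
        score += 1; reasons.append(f"{inc['url_events']} URL-filter events corroborate the NIDPS alerts")
    if len(inc["signatures"]) > 1:  # simplified heuristic for "has the attack progressed?"
        score += 1; reasons.append("multiple distinct signatures suggest progression beyond a foothold")
    severity = "critical" if score >= 5 else "high" if score >= 3 else "low"
    return {"host": inc["host"], "severity": severity, "reasons": reasons}
```

Running `assess` over `correlate(THREAT_EVENTS, URL_EVENTS)` rates the constructed 10.1.5.23 case as critical with four reasons, while the isolated port scan on the low-value host stays low.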

The Respond Analyst gave the incident response team a wealth of detail about the attack—including an assessment of its severity, the reasons that assessment was made, the assets involved, the times that the suspicious communications occurred, and details for the external IP addresses involved. With so much detail provided on a dashboard display that’s easy to understand and interpret, security team members are much better positioned to remediate the incident with speed and confidence.

Working together with Palo Alto Networks IDPS and advanced endpoint protection modules, the Respond Analyst helps security teams monitor their environments with greater effectiveness and efficiency. With the Respond Analyst’s help, they’re able to detect and contain threats quickly—successfully preventing attackers from reaching their targets.

To learn more about integrating the Respond Analyst with the existing security solutions within your organization’s infrastructure to build a stronger security monitoring program, contact us to schedule a consultation with a member of our team of experts.