
Palo Alto Networks Demisto Demonstration

Jun 07, 2021
So I think a quick summary of what different people covered in the last two hours, and I'm going to tie this back to automation. We looked at the firewall demo and Neves' position on how different security solutions are delivered as a service, and also what the important piece is: if you look at the application ID (App-ID) concept of the firewall, how easy it is to add rules, how easy it is to configure policies; the cloud pieces, where you can evaluate policies and you can use machine learning for detection; and then the Cortex piece, where all this network, endpoint and cloud data is linked to anomaly detection.
I think where Demisto comes into play is linking these alerts that come from different sources and helping the analyst automate them. As I say, if you look at a typical analyst, this is what they are doing: they are looking at the security data that is coming in from different places and following processes. I think it is the human angle that for the last 10-12 years we have completely ignored in security; it is built [laughter] assuming and hoping that someone will be able to manage them correctly, which I think is what has happened in the last 15 years in the security space. But I think this whole security automation space is trying to help analysts normally investigate and collaborate with their peers. It is as if we were completely unaware of how people work together to solve problems. When we started Demisto 4 years ago, one of the biggest things was how one analyst talks to another, and they say: oh, we picked up the phone, called and asked, have you seen this IP? Oh, I saw this IP. It's funny: the most common question in any investigation is "have you seen this before?", right, and it's strange what happens with that data. Somebody says yes, let me go look at my notebook.
I wrote it down here, or in an online digital notebook; it was everywhere, and then actions are taken. So what is Demisto and how do we help them? Demisto is mainly a workflow engine; it is a ticketing system (no matter how boring a ticketing system is, a security ticketing system has different needs); and it is a collaboration platform. We believe this is where analysts do their work once an alert comes in, and the alert could come from all the different tools. Today, out of the box, we integrate with about 300 different products, not just Palo Alto products, and this is a very important thing: the power of this platform is vendor independent. Out of the box we integrate with about 300 different products through APIs. It's no different, as the products are already API enabled; I mean, any security product created in the last seven to ten years has an API. We build an integration with those: thousands of actions right now across 300 integrations. They not only collect data; data collectors have been available for a long time. This integration is two-way.
I can check and get more details. I can perform an action. I can create a firewall policy. I can delete it. I can add a blocking rule on an endpoint. I can upload a file to a third-party threat intel service. The APIs power all of these pieces. And the last piece that I'm going to show you live is this visual editor. What you're seeing here is nothing more than a workflow diagram, and you can build that diagram just like you would in Visio, but it's not just a visual diagram: you actually run these commands, so the individual actions in the playbooks are the tasks that you automate. Customers have created dozens and dozens of playbooks for all kinds of things, whether it's a malware response or a deep investigation of a phishing email, right down to getting the AV feed or a video feed from your cameras on a notification that a user entered a different part of a building. So these playbooks are completely customizable and built by people. We talked about the ticketing system, one of the core pieces; security ticketing systems are very different from IT ticketing systems, right? You need segregation of duties, you need controls. That's why we built a tightly integrated ticketing system, because every alert must be investigated and tracked, with all the full metrics pieces. The last piece, as I mentioned, is collaboration. Now, when I ask this question, have you seen this before?
The point I made: of course, you can collaborate with your teammates on each incident, so we created a Slack-type war room. It's called a war room; it's a chat room where you can invite colleagues to talk about that incident, but you can also actually talk to our bot and ask these questions: have you seen this before? The question can be asked of a bot, not in natural language but in structured commands, and say: find me this IP on all my network connections and the endpoint where this file landed. That's what we call DBot, and I'll show you that live. This is kind of a quick overview of the product.

These are used in many cases, and these capabilities are not just for security operations and incident response; we are seeing customers use them from cloud security to threat intelligence management, because it is effectively an automation platform in which these integrations and a workflow engine are combined. A quick snapshot of our integrations: like I said, we couldn't fit all 300 on one slide, they're all available on our website, but I think these integration partners are building. We have a very large community, over 6,000 security analysts in a public community; it is a Slack community. I'll have a URL to share with you at the end. Let's look at the demo now. A quick summary of the demo, the way I designed it: it's a phishing attack that happens on a healthcare organization, and someone forwards that phishing email.
Someone thinks something suspicious is happening here and forwards it to a mailbox, let's say phishing@ at your healthcare organization; then let's see how Demisto runs the entire investigation process from there. The core of Demisto, as I call it, is all these integrations. The integrations here that you see are in different categories: SIEMs, case management, databases, email gateways; as you see, different integrations. The integrations are extremely easy to configure, and the time to value is short; like everything I'm talking about, this is about human efficiency. Setting up an integration is as easy as adding an instance and entering the API key, the API URL and the API secret; that's all you need. In the old days, integration meant writing code. Now, what if we don't have an integration with one of the products? People have internal products, people have custom data lakes. We actually allow you to create your own integrations; we call it BYOI.

This is the integration screen I was talking about: hundreds of integrations that exist and are very easy to configure by just providing the API key and so on. Now, there is always a chance that we don't have an integration for a product you have, or for an internal product; then you can go directly to the full Python code SDK to create your own integration, because effectively it is a set of APIs and you are calling the selected APIs. Once you have these integrations, the most important piece is what we call a playbook, and in fact I think this is a tool designed for the lazy person in each of you.

I say if you do the same task twice, you write the script; you write it, right? I think I've seen that the best developers, the best security analysts, are the ones who are lazy. There's something like, hey, I need to automate this, and you automate and you become more efficient. They are efficient; lazy is efficient, I always say, lazy is efficient. So these playbooks, for example, are super easy to edit. Look at this workflow; I'm trying to edit this, or you can start from scratch. Choose your tool, then you say, you know what, I'm going to go to AlienVault and I want to check the reputation of an IP address in AlienVault. So you press add and you provide the IP address. Where do you pick up the IP address? You say, hey, I'm going to take it from a previous step or from a detail of the incident, and I pick it up from the incident or a previous step, and then you say OK, and that's how easy it is to put a task here and then attach it in the workflow where you wanted it. So basically every task has inputs and outputs; the inputs are passed to that API, the output is the result, which can now be passed to something else. With this basic premise you can start creating incredibly powerful workflows to automate your security response actions. That's the core, one of the most important pieces, which we call the playbook.
Let's look at a live incident here. In this incident, where the phishing alert appeared, what we have done is automatically notify the SOC manager first. So we go ahead and notify the SOC manager, start with that, then we accept, and then we extract the indicators. This step is to extract all the indicators. What does the email have? Normally it would take an analyst 45 minutes to an hour to analyze that email: look up hashes, find URLs, find the sender, look at the sender reputation. All of that is done automatically, because you get the URLs and indicators. Let's check IP reputation with multiple threat sources and find out what is actually bad and why it is bad, because IBM X-Force Exchange or some other source would say it's bad, and where else it exists. All that data comes here, so this information shows up, and then you can see the same information about URLs and hashes.

Malicious URLs were found, so what were the URLs and what did we find about them? All this data. Wow, what did I click on? My mouse is a little bit off here. So all this data comes in and an analyst can review it with ease. Now we notify the analyst to review it: what do you want to do next? The next step is usually an analyst saying, you know what, I need to take some notes, and I change from the work plan view to what I call the war room view. In the war room view, I can actually say: hi Nilima, I need help. So I can call a colleague for help and they will be added to this investigation, and we can chat live, or, like I said:
Now I need details. I want to turn around and ask DBot a question. I want to ask DBot to get details of the user; I want to get the user's SAM account, so with this I give it a SAM account name and get more details about this user. This is just an example: I can get user details from AD, but let's actually do something more interesting. I want to get IP details for 8.8.8.8. We all know it's Google's DNS server, but if it was something else, you would go to five different sources; they are all connected here.

Getting that data would take a long time. DBot came in and queried multiple different things, so it went to PhishMe: what do you think about it? It has no idea about it. Cofense has no idea about it. VirusTotal: these are the details. All the data is given to you, and I update this information; I would say it's internal. So if this is an internal piece of information, you can really continue with this particular thing: you can actually mark it as bad, you can whitelist it, remove it, a bunch of actions around these. OK, so an analyst can start doing their regular research now. Let's say you've taken all this in, you've got all this information back here, but I want to add more while keeping what exists there; absolutely, so I can start adding my findings.

I start with the following, OK: mark as evidence, mark as a note. I can highlight it as a note so that it is highlighted, but I want to mark it as evidence; it says interesting information, but I want to do the following, right: as you begin to build your chain of evidence, you can also take notes and comments here. My point is, and again I know we're very short on time, this tool that we designed is focused on the analyst doing the work, the human angle of security, the person who is sitting in the SOC, and on automating that workflow and then bringing that collaboration piece back so they can talk, when you mark it as evidence.
Audience question: Do you do anything else with it, like maybe check the chain of custody?

All these things, yes. I know I was very fast.

Audience question: What about the reports? Let's say I need to make this in a more readable format for a higher-level person.

Absolutely. At some point you're going to say, hey, I'm closing this incident, and you want to turn it into a report. You can actually say: I have the timeline information, basic incident information, all of this linked; I really don't care about the work plan of the playbook because it is too detailed for me; I want the timeline of the incident, certain fields, who worked on the team, the suspicious attachments, the indicators. You choose and say generate report, and boom, the complete PDF appears with all the pieces of the investigation, whatever work was done, whatever was automated. Everything is already recorded in a file; everything is recorded, every human touch, right? Writing notes, everything, because, by the way, a lot of this work today happens in Evernote or another notebook that is never recorded, ever. When we did interviews it was like, oh yeah, I have this notebook of mine that I write the incident in.

Audience question: Can you do the reports halfway through, so someone can say yes, I did not close the incident at this time?

OK, so you don't have to close the ticket, and clients actually do all the reporting from each of our reports and such.

Audience question: Can you automate the reporting process?

You can actually automate reporting; it is one of the tasks that we run recurrently, so you can send a report every hour for a long-running incident, you can send a report every hour to your executive management, bring it back, and then it will be recorded as a generated report, and the periodic reports and so on in PDF are now part of the incident. If it is not part of the incident, it goes to the war room and is attached. OK, thanks. To summarize, I think this was the piece: when we look at Demisto, and this is my kind of seat, we integrate with all of those tools, standardizing processes, unifying security infrastructure and automating incident response. The message I would like to convey is that we see this as bringing back the human angle to security, linking all products together and doing it efficiently.
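Added example (not Demisto's code or anything shown in the demo): the playbook model described in the talk, tasks whose outputs become the next task's inputs, run over the demo's phishing scenario. The email, the reputation tables standing in for integrations such as VirusTotal or IBM X-Force Exchange, and every name below are constructed for illustration; a real integration would call the vendor API with the key, URL and secret configured on its instance.

```python
"""Minimal SOAR-style playbook runner: extract indicators from a forwarded
phishing email, enrich them against several reputation sources, mark what is
malicious as evidence, and render a report. Added example, not Demisto code."""
import re
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List
from urllib.parse import urlparse

# Constructed sample: a user-forwarded phishing email. Not real data; the .test
# TLD and the 203.0.113.0/24 block are reserved for documentation.
SHA = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
SAMPLE_EMAIL = f"""\
From: billing@example-invoices.test
Subject: Overdue invoice
Your invoice is ready: http://pay.example-invoices.test/inv/4411
Backup link: https://203.0.113.45/login
Attachment SHA256: {SHA}
"""

# Constructed stand-ins for reputation integrations (hypothetical names).
REPUTATION_SOURCES: Dict[str, Dict[str, str]] = {
    "source_a": {"203.0.113.45": "malicious", "pay.example-invoices.test": "malicious"},
    "source_b": {"203.0.113.45": "malicious", SHA: "suspicious"},
}


@dataclass
class Context:
    """Incident context. Each task reads its inputs here and writes outputs
    back, which is what lets one step's result feed the next step."""
    data: Dict[str, Any] = field(default_factory=dict)
    evidence: List[str] = field(default_factory=list)   # "mark as evidence"
    work_plan: List[str] = field(default_factory=list)  # audit trail of tasks run


Task = Callable[[Context], None]


def extract_indicators(ctx: Context) -> None:
    """Pull URLs, hostnames, IPs, SHA-256 hashes and the sender out of the email."""
    email: str = ctx.data["email"]
    urls = re.findall(r"https?://\S+", email)
    ips = set(re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", email))
    hashes = set(re.findall(r"\b[0-9a-f]{64}\b", email))
    hosts = {urlparse(u).hostname for u in urls} - ips  # IP-literal hosts already in ips
    sender = re.search(r"^From:\s*(\S+)", email, re.M)
    ctx.data["urls"] = sorted(urls)
    ctx.data["sender"] = sender.group(1) if sender else None
    ctx.data["indicators"] = sorted(hosts | ips | hashes)


def enrich_indicators(ctx: Context) -> None:
    """Query every configured source for every indicator in one pass."""
    ctx.data["verdicts"] = {
        ind: {src: table[ind] for src, table in REPUTATION_SOURCES.items() if ind in table}
        for ind in ctx.data["indicators"]
    }


def classify_and_mark_evidence(ctx: Context) -> None:
    """Decide what is actually bad and record which source said so as evidence."""
    malicious: List[str] = []
    for ind, hits in ctx.data["verdicts"].items():
        sources = sorted(src for src, verdict in hits.items() if verdict == "malicious")
        if sources:
            malicious.append(ind)
            ctx.evidence.append(f"{ind}: malicious per {', '.join(sources)}")
    ctx.data["malicious"] = malicious
    ctx.data["severity"] = "high" if malicious else "low"


def run_playbook(tasks: List[Task], ctx: Context) -> Context:
    """Execute tasks in order; each task's outputs are the next task's inputs."""
    for task in tasks:
        task(ctx)
        ctx.work_plan.append(task.__name__)
    return ctx


PHISHING_PLAYBOOK: List[Task] = [extract_indicators, enrich_indicators, classify_and_mark_evidence]


def investigate_phishing(email: str) -> Context:
    return run_playbook(PHISHING_PLAYBOOK, Context(data={"email": email}))


def generate_report(ctx: Context) -> str:
    """Plain-text stand-in for the PDF report: summary, indicators, evidence, work plan."""
    lines = [
        f"Severity: {ctx.data['severity']}",
        f"Sender: {ctx.data['sender']}",
        "Indicators: " + (", ".join(ctx.data["indicators"]) or "none"),
        "Malicious: " + (", ".join(ctx.data["malicious"]) or "none"),
        "Evidence:",
    ] + [f"  - {e}" for e in ctx.evidence] + ["Work plan: " + " -> ".join(ctx.work_plan)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(generate_report(investigate_phishing(SAMPLE_EMAIL)))
```

The point of the shared `Context` is the one the talk makes about tasks: nothing is hard-wired between steps, so the reputation step works unchanged whether the indicators came from an email, a SIEM alert or an analyst typing them into the war room, and the evidence list and work plan give the report its chain of who found what and in which step.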
