IT & TECHNOLOGY, Palo Alto Networks

If You’re Trying To Find a Needle In A Haystack, Use A Metal Detector!


I don’t usually blog about specific product features, but I’m so excited about our new correlation objects, released in our 7.0 update to PAN-OS, that I really can’t help myself. It’s been a month now since we released 7.0, and I’m still particularly jazzed about this new feature!

Correlation objects, available in our PA-5000 Series, PA-3000 Series, the PA-7050, and Panorama, accurately identify infected devices based on patterns of network behavior that are correlated to characteristics of specific threats. So, for example, if a device is infected, the correlation engine can identify a pattern of behavior: a host having visited a malware URL, then a vulnerability being exploited, and then abnormal DNS requests generated from said host.

Maybe a user took a corporate laptop home and inadvertently picked up some known malware (looks like GlobalProtect wasn’t activated!). When this user reconnects to the network, the correlation object correlates suspicious activities stemming from that device, which may not be of any concern individually, but taken together, alert the security team that this laptop needs to be remediated.

Meanwhile, the infection is stopped from spreading because Threat Prevention IPS, AV, and anti-spyware protections have blocked the malware from moving laterally inside the network and ended its outbound command and control beacons.

What’s really cool about this, though, is how it works with WildFire to dynamically correlate network activities based on zero-day malware.

Take the same concept of looking for patterns of abnormal behavior that point to infection, and from there, factor in zero-day malware that WildFire discovers. As soon as WildFire analyzes new file behavior, which only takes a few minutes for completely unknown files, a report on the file’s malicious behavior is sent back to the security platform. Our correlation engine consumes that report and looks for patterns of behavior specific to the newly discovered malicious file across the device from which it originated and other devices in the network, both going forward (analyzing in real time) and looking back through logs from 96 hours before the file was forwarded to WildFire.
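As an added illustration of the two object types described above (this is not PAN-OS or Palo Alto Networks code), the following Python models a per-host correlation engine over a handful of constructed log lines. A static object fires only when the three-step pattern quoted earlier (malware URL, then exploit, then abnormal DNS) occurs in that order on one host inside a time window; a dynamic object takes a stand-in for a WildFire verdict and re-scans the logs from 96 hours before the sample was forwarded. The log format, event names, hosts, the 24-hour pattern window and the contents of the verdict are all assumptions; only the three-step pattern and the 96-hour look-back come from the post.

```python
"""Toy model of the two correlation-object types described in the post.
Added illustration, not PAN-OS or Palo Alto Networks code. Log format,
event names, hosts, the 24 h pattern window and the WildFire report are
constructed; the three-step pattern and the 96 h look-back follow the text."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class Event(NamedTuple):
    ts: datetime
    host: str
    kind: str    # event category a firewall log line would carry
    detail: str  # URL, signature name, queried domain or file hash


# Constructed sample log lines: "<ISO time> <host> <kind> <detail>".
SAMPLE_LOGS = """\
2015-06-28T09:00:00 10.1.1.30 dns_abnormal qy7x.example
2015-07-01T08:00:00 10.1.1.7 url_malware bad.example/dl.exe
2015-07-01T08:03:10 10.1.1.7 vuln_exploit browser-exploit-sig
2015-07-01T08:05:45 10.1.1.7 dns_abnormal qy7x.example
2015-07-01T09:00:00 10.1.1.9 dns_abnormal a1b2.example
2015-07-01T09:30:00 10.1.1.9 url_malware bad.example/dl.exe
2015-07-03T11:20:00 10.1.1.21 dns_abnormal qy7x.example
2015-07-04T12:00:00 10.1.1.21 file_forwarded sha256:CONSTRUCTED
"""

# Static object (hypothetical): the ordered pattern quoted in the post.
STATIC_PATTERN = ["url_malware", "vuln_exploit", "dns_abnormal"]

# Constructed stand-in for a WildFire verdict: the sandboxed file and the
# behavioural indicator (a DNS name) it was observed to contact.
WILDFIRE_REPORT = {"file": "sha256:CONSTRUCTED", "indicators": {"qy7x.example"}}


def parse_logs(text: str) -> List[Event]:
    """Parse the constructed log format into time-ordered Events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, detail = line.split(maxsplit=3)
        events.append(Event(datetime.fromisoformat(ts), host, kind, detail))
    return sorted(events, key=lambda e: e.ts)


def by_host(events: List[Event]) -> Dict[str, List[Event]]:
    groups: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        groups[e.host].append(e)
    return groups


def match_static(events, pattern=STATIC_PATTERN, window=timedelta(hours=24)):
    """Hosts whose events contain `pattern` as an ordered subsequence that
    starts and ends within `window`. Returns {host: [matching events]}.
    Order matters: the same events in a different order do not fire."""
    hits: Dict[str, List[Event]] = {}
    for host, evs in by_host(events).items():
        for i, first in enumerate(evs):
            if first.kind != pattern[0]:
                continue
            chain, step = [first], 1
            for e in evs[i + 1:]:
                if e.ts - first.ts > window:
                    break  # chain timed out; try a later starting event
                if e.kind == pattern[step]:
                    chain.append(e)
                    step += 1
                    if step == len(pattern):
                        hits[host] = chain
                        break
            if host in hits:
                break
    return hits


def retro_hunt(events, forwarded_at, indicators, lookback=timedelta(hours=96)):
    """Dynamic object: once a verdict names indicators, flag every host that
    touched one, from 96 h before the sample was forwarded onward (events
    after the forward time stay in scope, i.e. the forward-looking part)."""
    earliest = forwarded_at - lookback
    matched: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        if e.ts >= earliest and e.detail in indicators:
            matched[e.host].append(e)
    return dict(matched)


def wildfire_followup(events, report):
    """Find when the reported file was first forwarded, then run retro_hunt."""
    forwards = [e for e in events
                if e.kind == "file_forwarded" and e.detail == report["file"]]
    if not forwards:
        return {}
    return retro_hunt(events, forwards[0].ts, report["indicators"])


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    print("static pattern hits:", sorted(match_static(evs)))
    print("WildFire-driven hits:", sorted(wildfire_followup(evs, WILDFIRE_REPORT)))
```

In the sample data only 10.1.1.7 trips the static object: 10.1.1.9 saw the same two event kinds but in the wrong order, which is the point of correlating a sequence rather than counting alerts. The WildFire-driven pass then also surfaces 10.1.1.21, whose only visible symptom was one DNS query a day before it forwarded the unknown file, while 10.1.1.30 falls outside the 96-hour window and is left alone.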

At Palo Alto Networks, we believe that prevention isn’t futile – in fact, it’s central to stopping breaches. However, quick mitigation is also important to limit the damage and learn from threats that get past your defenses. With the right ecosystem of detection, intelligence, and prevention, infection doesn’t have to turn into a catastrophe.

There are currently five correlation objects available: three static objects that were created from Unit 42 research and two that are dynamically fed information from WildFire submissions. These five correlation objects are just the beginning. Our threat research teams, including Unit 42, will eventually be able to create new correlation objects based on their ongoing research into new attack campaigns and deliver them to deployed platforms through weekly content updates.

To learn more about the automated correlation engine and correlation objects, please visit https://www.paloaltonetworks.com/products/features/correlation-engine.html.

[Palo Alto Networks Blog]

About @PhilipHungCao

@PhilipHungCao, CISM, CCSP, CCSK, CASP, CIW-WSP, GICSP, PCNSE, ACSP, CCDA, DCSE, JNCIA, MCTS, MCSA, VCP5-DCV, VCP6-NV, ZCNT is a #TekF@rmer. He has 17 years' experience in ICT/Cybersecurity industry in various sectors & positions.

