If you’ve been to any recent Palo Alto Networks Ignite conferences, you’ve likely attended sessions led by our Product Management team on best practices for various Palo Alto Networks technologies and security initiatives.
Actually, those best practices sessions are, by far, our most requested and well-attended sessions. Customers have been very interested in how technologies on our platform can be combined to improve their security posture and make their lives easier. As one of my customers once put it, “Your platform is like a Swiss Army knife. There are all these cool tools and features, and you just have to figure out how to combine them to solve the problem at hand.”
- Combine SSL decryption and URL Filtering to easily identify URL categories for decryption and inspection.
- Combine URL Filtering and file blocking to disallow .exe downloads from high-risk URL categories, such as dynamic-DNS or unknown URLs.
- Combine App-ID, User-ID, and Content-ID technologies to identify known versus unknown users, restrict their access to applications housing sensitive data, and enforce strict decryption and threat inspection policies. This combination will make sure that unknown users are not doing anything malicious to your network.
- Combine User-ID and file blocking to help prevent the delivery of malware via watering hole or a spear phishing attack to groups of users who don’t have a business reason for downloading Portable Executable (PE) files types, such as .exe, .dll, and .scr.
Over the years, we have accumulated tons of tips and tricks throughout our tens of thousands of customer engagements that we actively recommend to our customer base. We are still discovering new ways our customers combine and use features on our platform to solve their problems.
Here are just a few of these recommendations:
- Enable file blocking profiles within your application-based policies and allow only certain file types to be downloaded or uploaded to prevent malware downloads and data exfiltration.
- Utilize the dynamic block list feature on the NGFW to prevent traffic to and from known malicious IPs. Or, better yet, copy the IP addresses that have triggered a number of IPS signatures in a certain amount of time, and paste them into a dynamic block list to help prevent attacks from actively targeting your organization.
- Enable DNS sinkhole functionality on the NGFW to provide your security and IR teams with a list of users and endpoints actively attempting to connect to command-and-control domains, as they’ve very likely been compromised. The sinkhole will block the communication and provide a high fidelity list of users for whom you should probably re-image devices.
- Alert on or disallow SSL traffic over unexpected ports, especially if it’s traffic you aren’t able to decrypt and fully inspect for threats.
- Activate strict threat profiles for Threat Prevention signature sets (IPS, AV, anti-CnC) and leverage WildFire to configure signature updates every 15 minutes within your data center to help prevent lateral movement on east-west traffic and data exfiltration.
We use tips like these to help our customers better secure their organizations and more fully leverage technology and features within the Palo Alto Networks Next-Generation Security Platform. For us, it’s all about enabling business and preventing breaches.
That’s why we’re collecting these tips, tricks, and tactics and publishing them in a series of chapters – our recommended best practices. The first chapter, on leveraging application-based policies to provide complete visibility (the first step in reducing the attack surface), is available now within our Fuel community and will be followed by chapters on decryption and user-based policies in the next few weeks.
Be sure to download our best practices to find out how you can better secure your organization or confirm that you’re already ahead of the game.
[Palo Alto Networks Blog]