[Webinar] Sky’s the Limit with SOAR

May 23, 2020


dariahiddleston
Transcript
Page 1: Sky’s the Limit with SOAR [Webinar]

[Webinar] Sky’s the Limit with SOAR

Page 2

Housekeeping

• Ask questions using the text box in the right-hand area of the GoToWebinar platform, as the audience will be on mute

• Everyone will receive the recording and slides by Friday, January 24

• Speakers

○ Parth Shah, Senior Product Manager

○ Prasen Shelar, Senior Product Manager

Page 3

Prisma Overview

Page 4

Cloud is Redefining How Applications Are Built

(Figure: three statistics; the percentages did not survive extraction)

• enterprise apps today are cloud-enabled/cloud-native

• cloud users leverage 2 or more clouds

• enterprises will use containers by 2020

Page 5

The Security Landscape is Fragmented

Page 6

To secure the cloud, you need to protect every resource, across the entire lifecycle, consistently across any cloud.

Protect Every Resource

Prisma Cloud secures any deployed resource, across IaaS, PaaS, Containers, Serverless and advanced Cloud Services

Protect The Lifecycle

Prisma Cloud seamlessly integrates with your CI/CD pipelines and secures applications from development to production

Protect Any Cloud

Prisma Cloud protects both public and private clouds, including AWS, Azure, GCP, and Alibaba Cloud

Page 7

Our vision - Build the most comprehensive security and compliance solution for public cloud

(Figure: four stages, each with its scope)

CSPM 1.0: Config & Compliance Monitoring

CSPM 2.0: Network Threat Detection & UEBA

CWPP: Workload Protection (Host, Containers, Serverless)

CNSP: Data, User, Network & Application Security

Page 8

Product Strategy: Enable multi-cloud adoption by building best-in-class security & compliance capabilities through all phases of the application lifecycle

Page 9

Demisto Overview

Page 10

NEWS & ALERTS

The Reality (and Complexity) of Security Operations!

Page 11

Respond, Automate and Manage with Demisto

(Figure: alert sources feed Demisto, which provides three functions)

• Respond and automate: Playbook-based orchestration with 300+ vendor integrations

• Manage incidents: Ingest, search and query ALL security incidents

• Collaborate and learn: Collaborate with other security analysts

Page 12

Prisma & Demisto Joint Solution

Page 13

Before Scenario

(Figure: SecOps, Ticketing, Firewall / Firewall Admin, IT Team and DevOps, each with its own Data and Action and no shared workflow)

• No defined cloud security response processes, 100% manual

• Disparate security infrastructures (multi-cloud, on-prem)

• Repetitive, high-quantity tasks for post-event enrichment and response

• Product and team silos

Page 14

After Scenario

Page 15

Value Proposition

• Deploy automated workflows for cloud security remediation

• Coordinate actions across your product stack and teams

• Gain alert visibility with case mgmt. that unifies cloud alerts/data across sources

Page 16

AWS IAM Policy Misconfiguration

Page 17

AWS IAM Policy Misconfiguration : Challenges

● Lack of checks and automation

○ Access key management

○ MFA enforcement

● Role and permission sprawl

○ 1000s of roles with 100s of permissions each

○ Hard to follow least privilege permission

● Lack of anomaly detection

○ Access key compromise

○ Location and activity based anomalies

○ Excessive login failures

Misconfiguration Stats

80% of security breaches involve privileged credentials

Page 18

AWS IAM Policy Misconfiguration: Solution

(Figure: playbook flow)

INGEST: Prisma alerts are ingested into Demisto

INCIDENT CREATION: Incidents are created with a specific incident type (IAM Password Policy Misconfiguration)

GET POLICY: Get AWS account’s password policy

CLASSIFY: Classifying Prisma alerts into Demisto based on the remediation logic

○ Remediate: IAM policy does not expire in 90 days

○ Remediate: IAM policy allows password reuse

○ Remediate: IAM policy does not have a number

○ Remediate: IAM policy does not have a symbol

○ Remediate: IAM policy does not have password expiration

○ Remediate: IAM policy does not have a minimum of 14 chars

○ Remediate: IAM policy does not have an uppercase character

○ Remediate: IAM policy does not have lowercase character

○ Remediate: IAM policy is insecure

AUTO REMEDIATE?: Determine whether or not to auto-remediate

NOTIFY OWNER: Send an email notifying the account owner
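The CLASSIFY and AUTO REMEDIATE? steps above, written out as an added example in Python. This is not the webinar's playbook code. It assumes the policy comes in the shape boto3's iam.get_account_password_policy() returns (AWS API field names), takes the 14-character and 90-day thresholds from the branch names on the slide, and assumes 24 remembered passwords for the reuse check (the CIS AWS Benchmark value; the slide does not state one). The sample policy is constructed.

```python
"""Classify an AWS account password policy the way the playbook's CLASSIFY
step branches, and build the parameters for the remediating update call.
Added example; not the webinar's playbook code."""

# Constructed sample in the shape boto3's iam.get_account_password_policy()
# returns under "PasswordPolicy" (assumption: AWS API field names).
# MaxPasswordAge and PasswordReusePrevention are absent: AWS omits them when unset.
WEAK_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireSymbols": False,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": False,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": False,
}

# Baseline the remediation enforces. 14 characters and 90 days come from the
# slide's branch names; 24 remembered passwords is the CIS AWS Benchmark value
# (assumption: the webinar does not state its reuse threshold).
BASELINE = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24,
    "HardExpiry": False,
}

# One (alert name, failing-condition) pair per CLASSIFY branch on the slide.
CHECKS = [
    ("IAM policy does not have a minimum of 14 chars",
     lambda p: p.get("MinimumPasswordLength", 0) < 14),
    ("IAM policy does not have a symbol",
     lambda p: not p.get("RequireSymbols", False)),
    ("IAM policy does not have a number",
     lambda p: not p.get("RequireNumbers", False)),
    ("IAM policy does not have an uppercase character",
     lambda p: not p.get("RequireUppercaseCharacters", False)),
    ("IAM policy does not have lowercase character",
     lambda p: not p.get("RequireLowercaseCharacters", False)),
    # ExpirePasswords is read-only in the API; it is true whenever MaxPasswordAge is set.
    ("IAM policy does not have password expiration",
     lambda p: not (p.get("ExpirePasswords") or p.get("MaxPasswordAge"))),
    ("IAM policy does not expire in 90 days",
     lambda p: p.get("MaxPasswordAge", 0) not in range(1, 91)),
    ("IAM policy allows password reuse",
     lambda p: p.get("PasswordReusePrevention", 0) < 24),
]


def classify(policy):
    """Return the alert names that fire for this policy.

    policy=None models the NoSuchEntity case (the account never set a password
    policy); every check would fail, so it maps to the catch-all branch."""
    if policy is None:
        return ["IAM policy is insecure"]
    return [name for name, failing in CHECKS if failing(policy)]


def remediation_params(policy):
    """Build kwargs for iam.update_account_password_policy().

    That call resets every parameter it is not given to the AWS default, so the
    full baseline is always sent; settings already stricter than the baseline
    are kept rather than weakened."""
    current = policy or {}
    params = dict(BASELINE)
    params["MinimumPasswordLength"] = max(current.get("MinimumPasswordLength", 0), 14)
    age = current.get("MaxPasswordAge")
    if age and age < 90:
        params["MaxPasswordAge"] = age
    params["PasswordReusePrevention"] = max(current.get("PasswordReusePrevention", 0), 24)
    return params


def plan(policy, auto_remediate):
    """Mirror the AUTO REMEDIATE? decision: return the action the playbook takes."""
    findings = classify(policy)
    if not findings:
        return ("close", findings, None)
    if auto_remediate:
        return ("remediate", findings, remediation_params(policy))
    return ("notify_owner", findings, None)


if __name__ == "__main__":
    action, findings, params = plan(WEAK_POLICY, auto_remediate=True)
    print(action, findings)
    print(params)  # pass as **params to boto3.client("iam").update_account_password_policy
```

The point worth carrying into a real playbook is in remediation_params: update_account_password_policy is not a partial update, so a remediation task that sends only the one failing field silently resets the others to AWS defaults and creates the next alert.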

Page 19

Demo

Page 20

AWS EC2 Instance Misconfiguration

Page 21

AWS EC2 Instance Misconfiguration : Challenges

● Visibility

○ Difficult to enforce port and security group checks

○ Difficult to view traffic that flowed into open instances

○ Difficult to do user attribution for any changes

● Continuous security and response

○ Folks move fast in cloud and change configurations on the console without knowing what else can be affected

○ Lack of automation to remediate issues

● Security only done in runtime

○ Security checks not present in application development lifecycle

○ IaC templates not scanned for vulnerabilities

Misconfiguration Stats

50% of organizations unknowingly and mistakenly have some IaaS storage services, network segments, applications or APIs directly exposed to the public internet

Page 22

Page 23

AWS EC2 Instance Misconfiguration: Solution

(Figure: playbook flow; lookups labelled INTERNET PORTS and SECURITY GROUPS)

INGEST: Prisma alerts are ingested into Demisto

INCIDENT CREATION: Incidents are created with a specific incident type

GET MISCONFIG TYPE: Get AWS account policy misconfiguration

CLASSIFY: Classifying Prisma alerts into Demisto based on the remediation logic

○ Remediate : EC2 Security Group Misconfig

○ Remediate : Security Group Allows Internet Traffic To TCP Port

REMEDIATE?: Determine whether or not to auto-remediate

NOTIFY OWNER: Send an email notifying the account owner

Page 24

AWS EC2 Security Group Misconfiguration : Sub-Playbook

(Figure: sub-playbook flow)

GET SECURITY GROUP DETAILS: Describes one or more of your security groups

EXECUTE Remediation, by alert type:

○ SG Group overly permissive to all traffic: Revoke Security group ingress rules permitting all traffic

○ SG allows internet traffic: Any public rules? If yes, Revoke public security group ingress rules

○ Default SG does not restrict all traffic: Is there a default security group? If yes, Revoke all security group ingress rules

Did we encounter an error? If yes, Manually update security group

Get the latest security group details

Page 25

AWS Security Group Allows Internet Traffic To TCP Port : Sub-Playbook

(Figure: sub-playbook flow)

INGEST: Prisma alerts are ingested into Demisto

INCIDENT CREATION: Incidents are created with a specific incident type

CLASSIFY: Classifying Prisma alerts into Demisto based on the remediation logic

Get the latest Security Group IP permissions

Get TCP public Security Group Rules

REMEDIATE? Auto removal of public security group rules

○ Yes: Revoke public TCP ingress rules

○ No: Manually remove public TCP ingress rules
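The two sub-playbooks (Page 24, EC2 Security Group Misconfiguration, and Page 25, Security Group Allows Internet Traffic To TCP Port) share the same core step: find the ingress rules open to the internet and revoke exactly those. Below is an added example in Python of that logic, not the webinar's playbook code. It assumes the security group is in the shape of an ec2.describe_security_groups() entry (AWS API field names), the group IDs and rules are constructed, and it generalises the TCP branch to any TCP port rather than the port list the slide's INTERNET PORTS lookup carries.

```python
"""Find internet-facing ingress rules in an EC2 security group, classify them
into the alert branches the two sub-playbooks handle, and build the exact
IpPermissions to revoke. Added example; not the webinar's playbook code."""

PUBLIC_V4, PUBLIC_V6 = "0.0.0.0/0", "::/0"

# Constructed samples in the shape of ec2.describe_security_groups()
# "SecurityGroups" entries (assumption: AWS API field names; IDs are made up).
WEB_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "web-tier",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}],
         "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "PrefixListIds": [], "UserIdGroupPairs": []},
        {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []},
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []},
    ],
}
DEFAULT_SG = {
    "GroupId": "sg-0fedcba9876543210",
    "GroupName": "default",
    "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0fedcba9876543210", "UserId": "123456789012"}]},
    ],
}


def public_ingress(sg, tcp_only=False):
    """Return each ingress rule trimmed to only its 0.0.0.0/0 and ::/0 ranges.

    Revoking the trimmed rule removes just the public CIDRs and leaves private
    ranges in the same rule (here 10.0.0.0/8 on port 22) untouched."""
    trimmed = []
    for perm in sg.get("IpPermissions", []):
        if tcp_only and perm.get("IpProtocol") != "tcp":
            continue
        v4 = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") == PUBLIC_V4]
        v6 = [r for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == PUBLIC_V6]
        if not v4 and not v6:
            continue
        rule = {"IpProtocol": perm["IpProtocol"]}
        if "FromPort" in perm:  # absent for protocol -1 (all traffic)
            rule["FromPort"], rule["ToPort"] = perm["FromPort"], perm["ToPort"]
        if v4:
            rule["IpRanges"] = v4
        if v6:
            rule["Ipv6Ranges"] = v6
        trimmed.append(rule)
    return trimmed


def classify_sg(sg):
    """Map a security group to the alert branches named on the two slides."""
    alerts = []
    public = public_ingress(sg)
    if any(r["IpProtocol"] == "-1" for r in public):
        alerts.append("SG Group overly permissive to all traffic")
    if public:
        alerts.append("SG allows internet traffic")
    if any(r["IpProtocol"] == "tcp" for r in public):
        alerts.append("Security Group Allows Internet Traffic To TCP Port")
    if sg.get("GroupName") == "default" and sg.get("IpPermissions"):
        alerts.append("Default SG does not restrict all traffic")
    return alerts


def revoke_payload(sg, alert):
    """Build the arguments for ec2.revoke_security_group_ingress() for one branch.

    Returns None when the branch has nothing left to revoke."""
    if alert == "SG Group overly permissive to all traffic":
        perms = [r for r in public_ingress(sg) if r["IpProtocol"] == "-1"]
    elif alert == "SG allows internet traffic":
        perms = public_ingress(sg)
    elif alert == "Security Group Allows Internet Traffic To TCP Port":
        perms = public_ingress(sg, tcp_only=True)
    elif alert == "Default SG does not restrict all traffic":
        perms = sg.get("IpPermissions", [])  # the default SG should hold no ingress rules at all
    else:
        raise ValueError(f"no remediation branch for {alert!r}")
    return {"GroupId": sg["GroupId"], "IpPermissions": perms} if perms else None


def plan(sg, auto_remediate):
    """Mirror the REMEDIATE? decision: revoke automatically or hand off to a human."""
    actions = []
    for alert in classify_sg(sg):
        payload = revoke_payload(sg, alert)
        step = "revoke" if (auto_remediate and payload) else "manual"
        actions.append((step, alert, payload))
    return actions


if __name__ == "__main__":
    for step, alert, payload in plan(WEB_SG, auto_remediate=True):
        print(step, "|", alert, "|", payload)
        # In a playbook the revoke is ec2.revoke_security_group_ingress(**payload) in a
        # try/except; a failure takes the "Manually update security group" branch.
```

Two practical notes. The slide's flow ends with "Get the latest security group details" for a reason: when more than one alert fires on the same group, the first revoke changes what the second one would match, so each branch should re-fetch the group (or re-run public_ingress on fresh data) before building its payload rather than reuse the rules captured at incident creation. And revoking whole rules for the default security group is the one branch here that can break legitimate intra-VPC traffic, which is why it sits behind the "Is there a default security group?" question rather than running unconditionally.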

Page 26

Demo

Page 27

Exploring New Use Cases

Page 28

Exploring New Use Cases

Page 29

Additional Resources

1. Symphony 2020 | Cortex User Conference

a. https://register.paloaltonetworks.com/symphony2020

2. [Webinar] Best SOAR Use Cases

a. https://www.demisto.com/5-best-soar-use-cases-webinar/

3. [Webinar] Unexpected Use Cases

a. https://go.demisto.com/webinar-unexpected-soar-use-cases-recording

4. [Webinar] Summertime, Livin’ is Easy

a. https://www.demisto.com/webinar-top-ten-soar-use-cases/

5. [Download] Free Edition

a. https://start.paloaltonetworks.com/sign-up-for-demisto-free-edition

6. [Summit] Cloud Native is more than containers and Kubernetes

a. https://register.paloaltonetworks.com/prisma-cloud-native-security-virtual-summit

Page 30

Thank You

Q & A