by Blake Wofford
The reality is that I had no idea whether or not I was being effective. When an attack came through and got detected by my IDS/IPS (or anti-virus or because someone had a pop-up on their screen that they noticed), I would block a URL, or create a blacklist, or use some other form of remediation. I always knew in the back of my mind that this was the least effective way to work. I didn't know a better way to work. I needed focus and clarity. I needed context.
Defense in Depth was the mantra at the time: prevention was thought to be impossible, and achieving compliance was our only real goal. Defense in Depth is the idea of putting so many filters in place that if an attack gets through one, it will be caught by another. Good concept, but flawed. An ounce of prevention is worth a pound of cure. This is as true today as it was for your grandmother. If you can prevent bad things from happening, you are much more likely to never skip a beat. If you have to pause the enterprise and redirect focus away from the business at hand to clean up a mess created by an attack, you are working for the attacker.
Context is king, whether you are coming into the middle of a conversation, reading a history book, or searching through logs on your firewall or SIEM. Knowing what the logs actually mean, what they're tied to, and what they've impacted is the first key to protection and understanding. But how do you do that? How do you get the proper context? My environment receives millions of log entries from thousands of devices per day. I could hire an army of analysts who would go insane looking at logs day after day after day, or I could get best-of-breed tools that filter these things for me. That is the premise of the SIEM industry. The problem is, who defines what the context is? Who is going to sit down and write all those correlation rules? How do you write a correlation rule for something you don't see happening, or don't have meaningful log entries for?
Enter AutoFocus and WildFire. WildFire has been around for several years and continues to grow in its intelligence on a minute-by-minute basis. Palo Alto Networks AutoFocus is a brand new service, and it is looking pretty exciting. The service takes information from WildFire and puts it in context. It does this by basing the correlation of events on a global repository of threat intelligence. So you no longer have context based on your network alone; you have it based on all the attacks that have ever been seen (or not seen) anywhere in the world. The alliance that Palo Alto has started with other anti-malware vendors like Symantec and McAfee has rapidly increased the amount of threat data now in the threat intelligence cloud.
AutoFocus gives you the ability to see what's relevant very quickly. You'll still get to work on your top 10 threat events, and you'll be able to deep dive into interesting items that you've only seen once before, or that are otherwise intriguing. One of the most impressive features is that you don't have to write a query, run it on your SIEM, and wait an hour for a result. Elasticsearch capabilities within AutoFocus return results on search queries almost immediately. So if I'm curious about an artifact of data and want to dig into it further, I can do that without losing my train of thought while I wait endlessly for a result that may come back with useless data.
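To make the idea of "context from global threat intelligence" concrete, here is an added example (my own illustration, not AutoFocus or WildFire code, and not any vendor's API). It joins a handful of constructed local firewall/sandbox log lines to a constructed, hypothetical global intelligence table keyed by file hash, then does the two things the text describes: ranks the top threats in the enterprise and pulls out the items that were seen only once locally and almost never anywhere else. Every hash, host and sighting count is made up for the demonstration.

```python
"""Enrich local security events with global threat-intelligence context.

Added example, not code from the original post or from any vendor.
All log lines and intelligence entries below are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed local log lines in a simple CSV layout:
# timestamp,src_ip,dst_host,sha256,local_verdict
SAMPLE_LOGS = """\
2015-05-12T08:01:02Z,10.1.4.22,cdn.example.net,h_banker01,malware
2015-05-12T08:03:17Z,10.1.4.22,cdn.example.net,h_banker01,malware
2015-05-12T08:05:44Z,10.1.7.3,files.example.org,h_clean01,benign
2015-05-12T08:09:51Z,10.1.9.14,drop.example.com,h_rare01,unknown
2015-05-12T08:12:30Z,10.1.4.22,cdn.example.net,h_banker01,malware
2015-05-12T08:15:02Z,10.1.2.8,update.example.net,h_clean02,benign
"""

# Constructed stand-in for a global threat-intelligence repository (hypothetical
# data keyed by file hash; "sightings" is how often the sample was seen worldwide).
GLOBAL_INTEL: Dict[str, dict] = {
    "h_banker01": {"verdict": "malware", "sightings": 48210, "tags": ["banking-trojan"]},
    "h_rare01": {"verdict": "malware", "sightings": 1, "tags": ["unknown-family"]},
    "h_clean01": {"verdict": "benign", "sightings": 9000000, "tags": []},
}

# Severity scale used for ranking; "unknown" sits above benign so it is not ignored.
SEVERITY = {"malware": 3, "grayware": 2, "unknown": 1, "benign": 0}


@dataclass
class Event:
    ts: str
    src_ip: str
    dst_host: str
    sha256: str
    local_verdict: str


def parse_logs(text: str) -> List[Event]:
    """Parse the CSV-style lines; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        fields = line.strip().split(",")
        if len(fields) != 5:
            continue
        events.append(Event(*fields))
    return events


def enrich(events: List[Event], intel: Dict[str, dict]) -> List[dict]:
    """Produce one summary per distinct hash, joined to global context.

    The global verdict overrides the local one when available: a sample the
    local sandbox called "unknown" may already be known malware elsewhere.
    """
    local_counts = Counter(e.sha256 for e in events)
    hosts_by_hash: Dict[str, set] = {}
    for e in events:
        hosts_by_hash.setdefault(e.sha256, set()).add(e.src_ip)

    summaries = {}
    for e in events:
        if e.sha256 in summaries:
            continue
        ctx = intel.get(e.sha256)
        verdict = ctx["verdict"] if ctx else e.local_verdict
        summaries[e.sha256] = {
            "sha256": e.sha256,
            "verdict": verdict,
            "severity": SEVERITY.get(verdict, 1),
            "local_count": local_counts[e.sha256],
            "global_sightings": ctx["sightings"] if ctx else 0,
            "tags": ctx["tags"] if ctx else [],
            "hosts": sorted(hosts_by_hash[e.sha256]),
        }
    return list(summaries.values())


def top_threats(summaries: List[dict], n: int = 10) -> List[dict]:
    """The 'top 10' view: rank by severity, then by spread inside the enterprise."""
    ranked = sorted(summaries, key=lambda s: (s["severity"], s["local_count"]), reverse=True)
    return [s for s in ranked if s["severity"] > 0][:n]


def rare_and_interesting(summaries: List[dict], max_global: int = 10) -> List[dict]:
    """Items seen once locally and rarely anywhere else: worth a deep dive."""
    return [
        s for s in summaries
        if s["severity"] > 0 and s["local_count"] == 1 and s["global_sightings"] <= max_global
    ]


if __name__ == "__main__":
    enriched = enrich(parse_logs(SAMPLE_LOGS), GLOBAL_INTEL)
    for row in top_threats(enriched):
        print("TOP ", row["sha256"], row["verdict"], row["local_count"], row["hosts"], row["tags"])
    for row in rare_and_interesting(enriched):
        print("RARE", row["sha256"], row["verdict"], row["global_sightings"], row["tags"])
```

The useful part is the override in `enrich`: the locally "unknown" sample `h_rare01` becomes a confirmed, single-sighting malware entry once global context is applied, which is exactly the item a local-only correlation rule would never have flagged.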
AutoFocus was just released yesterday, and you can sign up for community access to the tool here.