Sky’s the Limit with SOAR [Webinar Slides]
Transcript of the webinar slides
Housekeeping
• Ask questions by using the text box in the right-hand area of the GoToWebinar platform, as the audience will be on mute
• Everyone will receive the recording and slides by Friday, January 24
• Speakers
  ○ Parth Shah, Senior Product Manager
  ○ Prasen Shelar, Senior Product Manager
Cloud is Redefining How Applications Are Built
• enterprise apps today are cloud-enabled/cloud-native
• cloud users leverage 2 or more clouds
• enterprises will use containers by 2020
To secure the cloud, you need to protect every resource, across the entire lifecycle, consistently across any cloud.
Protect Every Resource: Prisma Cloud secures any deployed resource, across IaaS, PaaS, Containers, Serverless and advanced Cloud Services
Protect The Lifecycle: Prisma Cloud seamlessly integrates with your CI/CD pipelines and secures applications from development to production
Protect Any Cloud: Prisma Cloud protects both public and private clouds, including AWS, Azure, GCP, and Alibaba Cloud
Our vision - Build the most comprehensive security and compliance solution for public cloud
• CSPM 1.0: Config & Compliance Monitoring
• CSPM 2.0: Network Threat Detection & UEBA
• CWPP: Workload Protection (Host, Containers, Serverless)
• CNSP: Data, User, Network & Application Security
Product Strategy: Enable multi-cloud adoption by building best-in-class security & compliance capabilities through all phases of the application lifecycle
Respond, Automate and Manage with Demisto
Alert sources flow into Demisto, which provides three functions:
• Respond and automate: Playbook-based orchestration with 300+ vendor integrations
• Manage incidents: Ingest, search and query ALL security incidents
• Collaborate and learn: Collaborate with other security analysts
Before Scenario
(Diagram: SecOps, Ticketing, Firewall Admin, IT Team and DevOps each passing data and actions by hand, with the Firewall in the middle)
• No defined cloud security response processes, 100% manual
• Disparate security infrastructures (multi-cloud, on-prem)
• Repetitive, high-quantity tasks for post-event enrichment and response
• Product and team silos
Value Proposition
• Deploy automated workflows for cloud security remediation
• Coordinate actions across your product stack and teams
• Gain alert visibility with case mgmt. that unifies cloud alerts/data across sources
AWS IAM Policy Misconfiguration : Challenges
● Lack of checks and automation
  ○ Access key management
  ○ MFA enforcement
● Role and permission sprawl
  ○ 1000s of roles with 100s of permissions each
  ○ Hard to follow least privilege permission
● Lack of anomaly detection
  ○ Access key compromise
  ○ Location and activity based anomalies
  ○ Excessive login failures
Misconfiguration Stats
80% of security breaches involve privileged credentials
AWS IAM Policy Misconfiguration: Solution
IAM Password Policy Misconfiguration playbook (classifying Prisma alerts into Demisto based on the remediation logic):
1. INGEST: Prisma alerts are ingested into Demisto
2. INCIDENT CREATION: Incidents are created with a specific incident type
3. GET POLICY: Get the AWS account’s password policy
4. CLASSIFY: Route the incident to the remediation branch that matches the alert
   • Remediate: IAM policy does not expire in 90 days
   • Remediate: IAM policy allows password reuse
   • Remediate: IAM policy does not have a number
   • Remediate: IAM policy does not have a symbol
   • Remediate: IAM policy does not have password expiration
   • Remediate: IAM policy does not have a minimum of 14 chars
   • Remediate: IAM policy does not have an uppercase character
   • Remediate: IAM policy does not have a lowercase character
   • Remediate: IAM policy is insecure
5. AUTO REMEDIATE?: Determine whether or not to auto-remediate
6. NOTIFY OWNER: Send an email notifying the account owner
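As an added worked example (not Demisto or Prisma code, and not the playbook's actual implementation), the Python below carries the GET POLICY, CLASSIFY and AUTO REMEDIATE? steps through against a constructed weak password policy. It assumes the field names of boto3's iam.get_account_password_policy() response, thresholds of 14 characters, 90 days and 24 remembered passwords taken from the CIS AWS Foundations Benchmark (not necessarily Prisma's exact checks), and a FakeIam stand-in for the client; the function and constant names are the example's own.

```python
"""Classify an AWS account password policy into the alert categories of the
IAM Password Policy Misconfiguration playbook and build the remediation update.

Added example, not Demisto or Prisma code. Policy dicts use the field names of
boto3's iam.get_account_password_policy()['PasswordPolicy']; the thresholds
(14 characters, 90 days, 24 remembered passwords) are assumptions taken from
the CIS AWS Foundations Benchmark, not necessarily Prisma's exact checks.
"""

# Target values written back by remediation (assumed thresholds, see above).
HARDENED = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24,
}

# Constructed sample of a weak policy in the GetAccountPasswordPolicy shape.
WEAK_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireSymbols": False,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": False,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": True,
    "MaxPasswordAge": 180,
    "PasswordReusePrevention": 5,
    "HardExpiry": False,
}


def classify_password_policy(policy):
    """Return the slide's alert names that apply; None means no policy exists."""
    if policy is None:
        return ["IAM policy is insecure"]
    findings = []
    if policy.get("MinimumPasswordLength", 0) < HARDENED["MinimumPasswordLength"]:
        findings.append("IAM policy does not have a minimum of 14 chars")
    for field, alert in (
        ("RequireUppercaseCharacters", "IAM policy does not have an uppercase character"),
        ("RequireLowercaseCharacters", "IAM policy does not have a lowercase character"),
        ("RequireNumbers", "IAM policy does not have a number"),
        ("RequireSymbols", "IAM policy does not have a symbol"),
    ):
        if not policy.get(field, False):
            findings.append(alert)
    max_age = policy.get("MaxPasswordAge", 0)  # 0 or absent: passwords never expire
    if not max_age:
        findings.append("IAM policy does not have password expiration")
    elif max_age > HARDENED["MaxPasswordAge"]:
        findings.append("IAM policy does not expire in 90 days")
    if policy.get("PasswordReusePrevention", 0) < HARDENED["PasswordReusePrevention"]:
        findings.append("IAM policy allows password reuse")
    return findings


def build_policy_update(current):
    """Merge the current policy with HARDENED into one full UpdateAccountPasswordPolicy
    request. The API does not do partial updates: any parameter left out reverts to
    its AWS default, so sending only the field being fixed can weaken the rest."""
    current = current or {}
    update = dict(HARDENED)
    update["MinimumPasswordLength"] = max(
        current.get("MinimumPasswordLength", 0), HARDENED["MinimumPasswordLength"])
    update["PasswordReusePrevention"] = max(
        current.get("PasswordReusePrevention", 0), HARDENED["PasswordReusePrevention"])
    max_age = current.get("MaxPasswordAge", 0)
    if 0 < max_age < HARDENED["MaxPasswordAge"]:
        update["MaxPasswordAge"] = max_age      # a stricter rotation period is kept
    update["HardExpiry"] = current.get("HardExpiry", False)  # keep today's setting
    return update


def fetch_policy(iam):
    """GET POLICY step; a missing policy surfaces as NoSuchEntityException."""
    try:
        return iam.get_account_password_policy()["PasswordPolicy"]
    except iam.exceptions.NoSuchEntityException:
        return None


def remediate(iam, auto_remediate):
    """GET POLICY, CLASSIFY and AUTO REMEDIATE? in one pass. Returns (findings, update);
    update is None when nothing was sent, i.e. the notify-owner-only path."""
    current = fetch_policy(iam)
    findings = classify_password_policy(current)
    if not findings or not auto_remediate:
        return findings, None
    update = build_policy_update(current)
    iam.update_account_password_policy(**update)
    return findings, update


class FakeIam:
    """Offline stand-in for the boto3 IAM client (constructed for this example)."""
    class exceptions:
        class NoSuchEntityException(Exception):
            pass

    def __init__(self, policy):
        self.policy, self.calls = policy, []

    def get_account_password_policy(self):
        if self.policy is None:
            raise self.exceptions.NoSuchEntityException("no password policy")
        return {"PasswordPolicy": dict(self.policy)}

    def update_account_password_policy(self, **kwargs):
        self.calls.append(kwargs)
        self.policy = dict(kwargs, ExpirePasswords=kwargs["MaxPasswordAge"] > 0)


if __name__ == "__main__":
    iam = FakeIam(WEAK_POLICY)
    for alert in classify_password_policy(fetch_policy(iam)):
        print("classified:", alert)
    print("update sent:", remediate(iam, auto_remediate=True)[1])
```

The caveat worth carrying into each of the playbook's per-alert branches: UpdateAccountPasswordPolicy replaces the whole policy, so a branch that sends only the one parameter it is fixing silently resets every other parameter to its AWS default. Building the merged request once, as build_policy_update does, keeps the nine branches from undoing each other. Replace FakeIam with boto3.client("iam") to run this against a real account.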
AWS EC2 Instance Misconfiguration : Challenges
● Visibility
  ○ Difficult to enforce port and security group checks
  ○ Difficult to view traffic that flowed into open instances
  ○ Difficult to do user attribution for any changes
● Continuous security and response
  ○ Folks move fast in cloud and change configurations on the console without knowing what else can be affected
  ○ Lack of automation to remediate issues
● Security only done in runtime
  ○ Security checks not present in application development lifecycle
  ○ IaC templates not scanned for vulnerabilities
Misconfiguration Stats
50% of organizations unknowingly and mistakenly have some IaaS storage services, network segments, applications or APIs directly exposed to the public internet
AWS EC2 Instance Misconfiguration: Solution
EC2 Security Group Misconfiguration playbook (classifying Prisma alerts into Demisto based on the remediation logic):
1. INGEST: Prisma alerts are ingested into Demisto
2. INCIDENT CREATION: Incidents are created with a specific incident type
3. GET MISCONFIG TYPE: Get the AWS account policy misconfiguration
4. CLASSIFY: Route the incident by misconfiguration type (internet ports, security groups)
   • Remediate: EC2 Security Group Misconfig
   • Remediate: Security Group Allows Internet Traffic To TCP Port
5. REMEDIATE?: Determine whether or not to auto-remediate
6. NOTIFY OWNER: Send an email notifying the account owner
AWS EC2 Security Group Misconfiguration : Sub-Playbook
1. GET SECURITY GROUP DETAILS: Describes one or more of your security groups.
2. CLASSIFY into one of three branches:
   • SG overly permissive to all traffic: revoke security group ingress rules permitting all traffic
   • SG allows internet traffic: check "Any public rules?", then revoke public security group ingress rules
   • Default SG does not restrict all traffic: check "Is there a default security group?", then revoke all security group ingress rules
3. EXECUTE Remediation, then ask "Did we encounter an error?": if yes, manually update the security group; otherwise get the latest security group details.
AWS Security Group Allows Internet Traffic To TCP Port : Sub-Playbook
(classifying Prisma alerts into Demisto based on the remediation logic)
1. INGEST: Prisma alerts are ingested into Demisto
2. INCIDENT CREATION: Incidents are created with a specific incident type
3. Get the latest Security Group IP permissions
4. CLASSIFY
5. REMEDIATE?: Auto removal of public security group rules
   • Yes: Get TCP public Security Group Rules, then revoke public TCP ingress rules
   • No: Manually remove public TCP ingress rules
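As an added worked example covering both security-group sub-playbooks above (not Demisto or Prisma code, and not the playbooks' actual implementation), the Python below describes a group, classifies it into the slides' branches, revokes only the internet-facing ranges (or hands off to the manual branch), and re-describes the group to confirm nothing public remains. It assumes the shape of boto3's ec2.describe_security_groups() response, the AWS convention that the default security group is named "default", a constructed FakeEc2 client so it runs offline, and function names of its own.

```python
"""Find and revoke internet-exposed ingress rules on AWS EC2 security groups,
following the two security-group sub-playbooks. Added example, not Demisto or
Prisma code. Group dicts use the shape of boto3's
ec2.describe_security_groups()['SecurityGroups']; FakeEc2 (constructed) stands
in for the real client. Branch labels are the slides' own."""
import copy

PUBLIC_V4, PUBLIC_V6 = "0.0.0.0/0", "::/0"

# Constructed sample: a web group with two public TCP rules (port 22 also allows
# 10.0.0.0/8, which must survive) and a default group open to all traffic.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0bbb", "GroupName": "default", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-0bbb", "UserId": "123456789012"}]}]},
]


def public_ingress(group, protocol=None):
    """Ingress rules open to 0.0.0.0/0 or ::/0, narrowed to just those ranges so
    revoking them leaves the private ranges of the same rule in place."""
    found = []
    for perm in group.get("IpPermissions", []):
        if protocol and perm["IpProtocol"] != protocol:
            continue
        v4 = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") == PUBLIC_V4]
        v6 = [r for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == PUBLIC_V6]
        if not (v4 or v6):
            continue
        narrowed = {"IpProtocol": perm["IpProtocol"]}
        if perm["IpProtocol"] != "-1":      # "-1" means all traffic and carries no ports
            narrowed.update(FromPort=perm["FromPort"], ToPort=perm["ToPort"])
        if v4:
            narrowed["IpRanges"] = v4
        if v6:
            narrowed["Ipv6Ranges"] = v6
        found.append(narrowed)
    return found


def classify_group(group):
    """Map a group onto the sub-playbook's classification branches."""
    labels = []
    if group.get("GroupName") == "default" and group.get("IpPermissions"):
        labels.append("Default SG does not restrict all traffic")
    if public_ingress(group, "-1"):
        labels.append("SG Group overly permissive to all traffic")
    if public_ingress(group, "tcp"):
        labels.append("SG allows internet traffic to TCP port")
    return labels


def run_sub_playbook(ec2, group_id, auto_remediate=True):
    """Describe, classify, revoke (or hand off to a human), then re-describe."""
    group = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
    labels = classify_group(group)
    if "Default SG does not restrict all traffic" in labels:
        to_revoke = list(group["IpPermissions"])  # default SG: revoke every ingress rule
    else:
        to_revoke = public_ingress(group)
    result = {"labels": labels, "revoked": [], "manual": [], "error": None,
              "still_public": public_ingress(group)}
    if not to_revoke:
        return result
    if not auto_remediate:
        result["manual"] = to_revoke              # "Manually update security group"
        return result
    try:
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=to_revoke)
        result["revoked"] = to_revoke
    except Exception as exc:                      # "Did we encounter an error?"
        result["error"], result["manual"] = str(exc), to_revoke
    latest = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
    result["still_public"] = public_ingress(latest)  # "Get the latest SG details"
    return result


class FakeEc2:
    """Offline stand-in for the boto3 EC2 client; revoke drops only the listed ranges."""
    def __init__(self, groups):
        self.groups = {g["GroupId"]: copy.deepcopy(g) for g in groups}
        self.calls = []

    def describe_security_groups(self, GroupIds):
        return {"SecurityGroups": [copy.deepcopy(self.groups[g]) for g in GroupIds]}

    def revoke_security_group_ingress(self, GroupId, IpPermissions):
        self.calls.append((GroupId, IpPermissions))
        kept = []
        for perm in self.groups[GroupId]["IpPermissions"]:
            key = (perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort"))
            for rev in IpPermissions:
                if (rev["IpProtocol"], rev.get("FromPort"), rev.get("ToPort")) != key:
                    continue
                for field, k in (("IpRanges", "CidrIp"), ("Ipv6Ranges", "CidrIpv6"),
                                 ("UserIdGroupPairs", "GroupId")):
                    drop = {r[k] for r in rev.get(field, [])}
                    perm[field] = [r for r in perm.get(field, []) if r[k] not in drop]
            if any(perm.get(f) for f in ("IpRanges", "Ipv6Ranges", "UserIdGroupPairs")):
                kept.append(perm)
        self.groups[GroupId]["IpPermissions"] = kept
        return {"Return": True}
```

Run it with run_sub_playbook(FakeEc2(SAMPLE_GROUPS), "sg-0aaa") and again with "sg-0bbb"; pass auto_remediate=False to exercise the manual branch. Two design points worth keeping when this is wired to a real boto3 client: RevokeSecurityGroupIngress removes exactly the ranges you pass, so narrowing each rule to its public ranges is what keeps the 10.0.0.0/8 entry on port 22 alive while 0.0.0.0/0 goes; and the final re-describe is the check that turns "revoke was called" into "nothing public is left", which is the evidence the incident should close on.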
Additional Resources
1. Symphony 2020 | Cortex User Conference
   a. https://register.paloaltonetworks.com/symphony2020
2. [Webinar] Best SOAR Use Cases
   a. https://www.demisto.com/5-best-soar-use-cases-webinar/
3. [Webinar] Unexpected Use Cases
   a. https://go.demisto.com/webinar-unexpected-soar-use-cases-recording
4. [Webinar] Summertime, Livin’ is Easy
   a. https://www.demisto.com/webinar-top-ten-soar-use-cases/
5. [Download] Free Edition
   a. https://start.paloaltonetworks.com/sign-up-for-demisto-free-edition
6. [Summit] Cloud Native is more than containers and Kubernetes
   a. https://register.paloaltonetworks.com/prisma-cloud-native-security-virtual-summit