{"id":106496,"date":"2020-02-21T06:00:35","date_gmt":"2020-02-21T14:00:35","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=106496"},"modified":"2020-03-19T15:11:53","modified_gmt":"2020-03-19T22:11:53","slug":"cortex-network-traffic-analysis","status":"publish","type":"post","link":"https:\/\/www2.paloaltonetworks.com\/blog\/2020\/02\/cortex-network-traffic-analysis\/","title":{"rendered":"How to Use a Firewall for Network Traffic Analysis and Behavioral Detection"},"content":{"rendered":"<p><i><span style=\"font-weight: 400;\">On March 17, we hosted a webinar called \u201c<\/span><\/i><a href=\"https:\/\/event.on24.com\/wcc\/r\/2189502\/CF4EA3DD7C83BE1FE5F0B51774C4DB68\" rel=\"nofollow,noopener\" ><i><span style=\"font-weight: 400;\">Leverage Your Firewall to Expose Attackers Hiding in Your Network<\/span><\/i><\/a><i><span style=\"font-weight: 400;\">\u201d to share tips on how you can use your firewall for network traffic analysis. We\u2019ll go into lots of detail on scenarios like the ones described below and the benefits for your organization. Register today!<\/span><\/i><\/p>\n<p><img loading=\"lazy\" decoding=\"async\"  class=\"wp-image-106497 alignright lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/02\/image2-2.png\" alt=\"This conceptual image illustrates the function of next-generation firewalls. Next-generation firewall logs can be sent to Cortex XDR for network traffic analysis.\" width=\"497\" height=\"291\" \/><span style=\"font-weight: 400;\">The ultimate goal of cybersecurity teams is to prevent all attacks. However, even when the best defenses are in place, adversaries can launch unlimited intrusion attempts, consequence-free, until they find a way in. Gaining visibility into attacks that have successfully penetrated your network \u2013 including understanding how attackers got there and what damage they\u2019ve done \u2013 is a key component of overall security.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Network traffic analysis (NTA) \u2013 <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/resources\/whitepapers\/network-visibility-detection-and-response\"><span style=\"font-weight: 400;\">sometimes called network detection and response<\/span><\/a><span style=\"font-weight: 400;\"> \u2013 is one such tool that provides that visibility. NTA is a category of technologies designed to provide visibility into things like traffic within the data center (east-west traffic), VPN traffic from mobile users or branch offices, and traffic from unmanaged IoT devices. NTA is also a key capability of Cortex XDR that many network teams don\u2019t realize they have access to.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Any organization that uses Palo Alto Networks, Cisco, Check Point and\/or Fortinet firewalls can send their next-generation firewall logs \u2013 including traffic logs, enhanced application logs, threat logs and URL filtering logs \u2013 to Cortex XDR. Then Cortex XDR applies behavioral analytics and machine learning to the data to detect stealthy attacks like lateral movement or exfiltration. Cortex XDR also groups related alerts into incidents to reduce the number of individual alerts that security analysts need to review.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">This allows network security teams to:\u00a0<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Detect and stop active attackers operating in the network.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Improve visibility into east-west traffic.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Protect managed and unmanaged devices, eliminating network blind spots.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Stop malware, targeted attacks and insider abuse, with detection of all network-based tactics and techniques including <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/cyberpedia\/command-and-control-explained\"><span style=\"font-weight: 400;\">command and control<\/span><\/a><span style=\"font-weight: 400;\">, lateral movement, exfiltration and malware activity.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Palo Alto Networks customers can simply add these capabilities as a subscription to their Next-Generation Firewalls without needing to deploy extra software or network appliances.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Organizations can take this to the next level by connecting their firewalls to other security sensors throughout their organization. The ability to connect network data to endpoint and cloud data is one of the core benefits of XDR. This cross-infrastructure visibility lets security analysts (and their analytics tools) quickly and confidently answer questions like, \u201cWhat\u2019s happening on an endpoint that is making a network alert fire, and is it problematic?\u201d<\/span><\/p>\n<p><span style=\"font-weight: 400;\">These seemingly basic questions are not basic at all when you have siloed tools that each offer only partial visibility. We\u2019ve <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/resources\/videos\/spotlight-cherwell-software\"><span style=\"font-weight: 400;\">heard from customers<\/span><\/a><span style=\"font-weight: 400;\"> that prior to XDR, they\u2019d waste hours each day manually tracking suspicious activity on an endpoint only to find out that adversaries were blocked by the firewall before they could access sensitive data.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Conversely, connecting your firewalls to Cortex XDR means that all of your artifact, user and computer data from across your infrastructure is extracted and stitched together with threat intel in a visualized chain of events. This fundamentally changes the process of investigating the root cause of suspicious network events.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In a <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/resources\/use-case\/how-a-security-company-does-security\"><span style=\"font-weight: 400;\">case study<\/span><\/a><span style=\"font-weight: 400;\"> of the Palo Alto Networks Security Operations Center (SOC), SOC Manager Matt Mellen gave us a detailed rundown of what the firewall alert investigation process looked like before and after adopting XDR, and how the team was able to make that process eight times faster:<\/span><\/p>\n<blockquote><p><i><span style=\"font-weight: 400;\">Cortex XDR gives us insight we never had before, especially around firewall-based alerts. Historically, when responding to something like a command-and-control (C2) firewall alert, it\u2019s taken around 40 minutes to answer the question, \u201cWhat did this endpoint talk to, and was that bad?\u201d We relied on third-party threat intelligence to know if domains or hashes were bad. We would get an alert in one tool, verify traffic, turn to another tool to see if the system was online, and then to <\/span><\/i><b><i>another<\/i><\/b><i><span style=\"font-weight: 400;\"> tool to see what was causing the C2. Now, we ask, \u201cWhat on the endpoint resulted in that firewall alert?\u201d That\u2019s a much better question \u2013 it lets us know the causality of offending firewall traffic, and we can evaluate it all in one tool within five minutes. It\u2019s significantly more accurate and much faster to analyze compared to the former model.<\/span><\/i><\/p><\/blockquote>\n<p><img loading=\"lazy\" decoding=\"async\"  class=\" wp-image-106510 alignright lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/02\/image1-5.png\" alt=\"Analyzing Firewall Alerts Before and After Cortex XDR\" width=\"564\" height=\"322\" \/><\/p>\n<p><span style=\"font-weight: 400;\">As useful as it is to have this birds-eye view across your whole infrastructure, most solutions that claim to provide this level of visibility can only do so with really shallow data (e.g. SIEM), or otherwise can only see data from their own sensors (e.g. most XDR vendors). Cortex XDR is unique in its ability to extend this visibility to third-party network data with enough rich context that you can resolve the issue without having to pivot to another tool. Your security teams can connect Cisco, Check Point and Fortinet firewall data together with your Palo Alto Networks firewall, endpoint and cloud sensors to gain the benefit of Cortex XDR\u2019s powerful machine learning, behavioral analytics and incident visualization across your entire infrastructure.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">To learn more about how to use Cortex XDR to help solve your network security challenges, sign up for our March 17 webinar, \u201c<\/span><a href=\"https:\/\/event.on24.com\/eventRegistration\/EventLobbyServlet?target=reg30.jsp&amp;referrer=https%3A%2F%2Fwcc.on24.com%2Fwebcast%2Fregistration%2F2189502&amp;eventid=2189502&amp;sessionid=1&amp;key=CF4EA3DD7C83BE1FE5F0B51774C4DB68&amp;regTag=&amp;sourcepage=register\" rel=\"nofollow,noopener\" ><span style=\"font-weight: 400;\">Leverage Your Firewall to Expose Attackers Hiding in Your Network<\/span><\/a><span style=\"font-weight: 400;\">.\u201d<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Network traffic analysis is a key capability of Cortex XDR, and it works with next-generation firewall logs from multiple vendors.<\/p>\n","protected":false},"author":657,"featured_media":106497,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[6770],"tags":[125,111],"coauthors":[6810],"class_list":["post-106496","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-secure-the-future","tag-network-traffic","tag-ngfw"],"jetpack_featured_media_url":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/02\/image2-2.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/106496","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/657"}],"replies":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=106496"}],"version-history":[{"count":7,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/106496\/revisions"}],"predecessor-version":[{"id":108084,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/106496\/revisions\/108084"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media\/106497"}],"wp:attachment":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=106496"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=106496"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=106496"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=106496"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}