Palo Alto service to flag particularly evil security attacks

Palo Alto Networks is introducing a service that tips customers off when it discovers unique or dangerous attacks against their networks.

Palo Alto Networks is introducing a service that tips customers off when it discovers unique or particularly dangerous attacks against their networks, giving them a heads up that perhaps they are the targets of particularly resourceful, dedicated adversaries.

Called AutoFocus, the service is an add-on to the company's existing cloud-based service WildFire that constantly analyzes all its customers' networks for malware and exploits and downloads new rules every 15 minutes to Palo Alto gear to automatically block the new threats it finds.


AutoFocus sorts through all the attacks it discovers, breaks each one down into its components (for example the command-and-control hosts, droppers, mutexes and persistence mechanisms a sample uses) and looks for the same components recurring in other attacks. If it finds the same tactics, techniques and procedures (TTPs) being used elsewhere, it links the attacks, a correlation that may indicate the same adversary is behind them.

It may also find that an attack is unique, never seen before in the 360 million malware sessions Palo Alto has collected from customer networks, which together contain 30 billion individual malicious behaviors. In that case the attack is flagged, because it suggests the customer has been targeted by an organization with the resources to develop new TTPs, and that the organization has chosen to spend that valuable attack resource on them.
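To make the correlation logic above concrete, here is an added illustration in Python. It is not Palo Alto's code and says nothing about how AutoFocus is actually built; it simply shows the kind of indicator-overlap clustering the article describes. The corpus, the customer and industry names, the hashes and the minimum-overlap threshold (two shared components) are all constructed for the example; the IP addresses come from the RFC 5737 documentation ranges.

```python
"""Indicator-overlap correlation in the spirit of the AutoFocus description.

Added example, not vendor code. All sample data below is constructed:
addresses are from RFC 5737 documentation ranges, hashes are placeholders.
"""
from collections import defaultdict
from itertools import combinations

# Constructed corpus: one record per observed malware session, already broken
# down into reusable components ("indicators"). In a real pipeline these would
# come from sandbox output: C2 hosts, mutex names, dropper hashes, run keys.
CORPUS = [
    {"id": "s1", "customer": "hospital-A", "industry": "healthcare",
     "indicators": {"c2:203.0.113.10", "mutex:Global\\qz9", "sha256:aaaa",
                    "persist:HKCU\\Run\\svchos"}},
    {"id": "s2", "customer": "bank-B", "industry": "finance",
     "indicators": {"c2:203.0.113.10", "mutex:Global\\qz9", "sha256:bbbb",
                    "persist:HKCU\\Run\\svchos"}},
    {"id": "s3", "customer": "hospital-C", "industry": "healthcare",
     "indicators": {"c2:203.0.113.77", "mutex:Global\\qz9", "sha256:cccc"}},
    {"id": "s4", "customer": "hospital-A", "industry": "healthcare",
     "indicators": {"c2:198.51.100.5", "sha256:dddd",
                    "ua:Mozilla/4.0 (compatible; MSIE 6.0; MSOffice 12)"}},
    {"id": "s5", "customer": "defense-D", "industry": "defense",
     "indicators": {"c2:198.51.100.9", "sha256:eeee", "mutex:Global\\zz1"}},
    {"id": "s6", "customer": "hospital-A", "industry": "healthcare",
     "indicators": {"c2:198.51.100.5", "sha256:ffff",
                    "ua:Mozilla/4.0 (compatible; MSIE 6.0; MSOffice 12)"}},
]

MIN_SHARED = 2  # assumed threshold: components two sessions must share to be linked


def index_indicators(corpus):
    """Inverted index: indicator -> set of session ids that used it."""
    idx = defaultdict(set)
    for s in corpus:
        for ind in s["indicators"]:
            idx[ind].add(s["id"])
    return idx


def correlate(corpus, min_shared=MIN_SHARED):
    """Cluster sessions sharing at least `min_shared` components (union-find).

    Returns a sorted list of sorted member-id lists, one per cluster."""
    parent = {s["id"]: s["id"] for s in corpus}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in combinations(corpus, 2):
        if len(a["indicators"] & b["indicators"]) >= min_shared:
            parent[find(a["id"])] = find(b["id"])
    clusters = defaultdict(set)
    for s in corpus:
        clusters[find(s["id"])].add(s["id"])
    return sorted(sorted(members) for members in clusters.values())


def classify(sample, corpus, min_shared=MIN_SHARED):
    """Tag one session against the rest of the corpus, as the article describes:
    'unique'    - none of its components has ever been seen before
    'weak-link' - some components recur, but below the linking threshold
    'repeat'    - linked only to earlier sessions at the same customer
    'campaign'  - linked to sessions at other customers (industries listed)"""
    prior = [s for s in corpus if s["id"] != sample["id"]]
    idx = index_indicators(prior)
    by_id = {s["id"]: s for s in prior}
    seen = sorted(ind for ind in sample["indicators"] if ind in idx)
    if not seen:
        return {"verdict": "unique", "linked": [], "shared": [], "industries": []}
    hits = defaultdict(int)
    for ind in seen:
        for sid in idx[ind]:
            hits[sid] += 1
    linked = sorted(sid for sid, n in hits.items() if n >= min_shared)
    if not linked:
        return {"verdict": "weak-link", "linked": [], "shared": seen, "industries": []}
    customers = {by_id[sid]["customer"] for sid in linked}
    industries = sorted({by_id[sid]["industry"] for sid in linked} | {sample["industry"]})
    verdict = "repeat" if customers == {sample["customer"]} else "campaign"
    return {"verdict": verdict, "linked": linked, "shared": seen, "industries": industries}


if __name__ == "__main__":
    print("clusters:", correlate(CORPUS))
    for s in CORPUS:
        print(s["id"], s["customer"], classify(s, CORPUS))
```

Running the script clusters s1 with s2 (same C2 host, mutex and run key across a hospital and a bank, so a cross-industry campaign), clusters s4 with s6 (a repeat against the same hospital), leaves s3 as a weak link on a shared mutex alone, and flags s5 as unique because none of its components appears anywhere else in the corpus. In practice the interesting tuning is in MIN_SHARED and in how components are weighted: a shared command-and-control address is far stronger evidence than a shared generic user agent.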

The goal of AutoFocus is to give customers context about the attacks it discovers and the attackers behind them, so customers can look for indicators that the same group is attempting the other attacks it is known for. "It puts what we're seeing in context," says Phil Cummings, system administrator for Health Information Technology Services of Nova Scotia, a health network with 20,000 endpoints.

What gets flagged may be a repeat of an attack from six months ago, indicating a persistent adversary, or simply a link between different events, such as a common IP address used in different attacks, he says.

Customers receive AutoFocus alerts in the console, by email, or posted to a Web site. From there they can dig deeper to find out more about the attack.

The AutoFocus dashboard supplies information about flagged attacks with tags that flesh out whether they come from a particular group or whether they are part of a larger campaign against a particular industry, for example. The tags are sorted into three groups: those supplied by Palo Alto threat researchers, those supplied by the customer itself based on its own analysis, and those supplied by other Palo Alto customers based on their experiences.

Customers can choose the type of alerts AutoFocus supplies: those unique to a particular customer, those affecting the customer's industry (defense, finance, healthcare and so on), or those seen across the Internet at large.

All the alerts AutoFocus sends are vetted by analysts at Palo Alto's threat research group called Unit 42.

Palo Alto will start rolling out AutoFocus the week of April 19 to a group of Palo Alto customers. The company has set up a Web site where customers can register to participate. Pricing will be announced, and general availability of the service is scheduled, later this year.

Stories by Tim Greene