Magnifier Behavioral Analytics

by 02-01-2018 02:52 AM - edited 04-13-2018 05:36 AM

Security admins are facing more challenges these days. With the growing number of devices, the attack surface has become greater than ever, and the volume of logs being gathered has grown to astronomical proportions.

Security at the perimeter alone has long been considered insufficient. It used to be enough to block attacks before they reached the protected environment, but attackers have evolved: they now use trusted credentials, or applications that are already allowed inside the network, so their traffic looks legitimate to perimeter controls.

How will security admins detect the events that actually matter through all the overwhelming noise?

Especially in big environments, security admins are overwhelmed by the alerts they see and have to depend on static correlation rules that are inadequate for finding real threats.

By first building a baseline of normal activity in the network, Magnifier can flag deviations from that baseline as anomalies. Notifying admins of these abnormal behaviors lets them respond quickly and mitigate the threat.

Magnifier reaches the advertised accuracy levels after about three weeks of automatically profiling an organization's network. Some Magnifier detectors begin firing during the first week and others during the second, because they require different baselines or time profiles. Between the third and fourth weeks all detectors are operational, and customers can review their behavioral analytics results. By that time customers will also have had the opportunity to whitelist alerts that they do not want to see.
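
To make the baselining idea concrete, here is a small Python sketch added for this article; it is not Magnifier's code and says nothing about how Magnifier's real detectors work. It builds a per-host baseline from constructed daily traffic aggregates, lets each detector declare how many baseline days it needs before it may fire (so detectors mature at different times, as described above), scores a new day with a z-score against that host's own history, and honors a whitelist of suppressed (host, detector) pairs. The detector names, thresholds, and sample hosts are assumptions for illustration only.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# One host's outbound activity aggregated over one day; the kind of summary
# you would derive from firewall traffic logs. Constructed for this example.
@dataclass(frozen=True)
class DailyProfile:
    day: int            # days since profiling started (0-based)
    host: str           # source IP
    distinct_dsts: int  # distinct destination IPs contacted that day
    bytes_out: int      # total bytes sent that day

# Hypothetical detectors (not Magnifier's): each names the feature it scores,
# how many baseline days it needs before it may fire, and its z threshold.
# Different min_days is what makes detectors come online in different weeks.
DETECTORS = {
    "lateral-movement-fanout": {"feature": "distinct_dsts", "min_days": 7,  "z": 3.0},
    "exfiltration-volume":     {"feature": "bytes_out",     "min_days": 14, "z": 3.0},
}

def baseline(profiles, host, feature, before_day):
    """Historical values of one feature for one host, strictly before before_day."""
    return [getattr(p, feature) for p in profiles
            if p.host == host and p.day < before_day]

def alerts_for_day(profiles, day, whitelist=frozenset()):
    """Score every host seen on `day` against its own history.

    Returns a list of (host, detector, z) for values above threshold.
    whitelist holds (host, detector) pairs the admin has chosen to suppress.
    """
    alerts = []
    for prof in (p for p in profiles if p.day == day):
        for name, cfg in DETECTORS.items():
            if (prof.host, name) in whitelist:
                continue
            hist = baseline(profiles, prof.host, cfg["feature"], day)
            if len(hist) < cfg["min_days"]:
                continue  # detector not yet mature for this host
            mu = mean(hist)
            # Floor the spread so a perfectly flat baseline does not turn
            # trivial drift into a huge z-score (a common false-positive source).
            sigma = max(pstdev(hist), 0.1 * mu, 1.0)
            z = (getattr(prof, cfg["feature"]) - mu) / sigma
            if z > cfg["z"]:
                alerts.append((prof.host, name, round(z, 1)))
    return alerts

def constructed_profiles():
    """Three weeks of quiet history for two hosts, then one anomalous day."""
    rows = []
    for day in range(21):
        # Workstation: 3-5 destinations and 2-5 MB out per day.
        rows.append(DailyProfile(day, "10.0.1.5", 3 + day % 3,
                                 2_000_000 + (day % 4) * 1_000_000))
        # Backup server: high but regular nightly volume to two targets.
        rows.append(DailyProfile(day, "10.0.2.9", 2,
                                 800_000_000 + (day % 2) * 50_000_000))
    # Day 21: the workstation fans out to 40 hosts and ships 600 MB.
    rows.append(DailyProfile(21, "10.0.1.5", 40, 600_000_000))
    rows.append(DailyProfile(21, "10.0.2.9", 2, 850_000_000))
    return rows

if __name__ == "__main__":
    data = constructed_profiles()
    for alert in alerts_for_day(data, 21):
        print(alert)
    # Whitelisting one detector for the workstation leaves the other alert.
    print(alerts_for_day(data, 21, {("10.0.1.5", "exfiltration-volume")}))
```

Note that the backup server never alerts even though it moves far more data than the workstation: each host is compared only with its own history, which is the point of baselining rather than fixed thresholds. The maturity check is also why a fresh deployment is quiet at first and then grows noisier week by week.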

Magnifier is a cloud-based service that uses automation and machine learning. It consumes the logs collected by the Logging Service (so a Logging Service subscription is required) and provides insight into activity of interest in your environment.

Magnifier is designed to detect the following types of threats:

  • Advanced and targeted attacks
  • Insider attacks (activity using valid credentials and permissions)
  • Risky behavior (insecure remote access, data exposure with SaaS applications)
  • Malware

Magnifier detects command and control, lateral movement, and data exfiltration by identifying the network behaviors that are indicative of each, so that admins can stop the attack before it completes.
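
Of the three behaviors named above, command and control is the one most often exposed by a purely network-side signal: a compromised host checks in with its controller on a fixed timer, so its connection intervals are far more regular than a person's browsing. The following Python is an added example of that beaconing heuristic, not Magnifier's code or a description of its detectors; the flow records, the documentation-range IP addresses, the jitter threshold, and the minimum event count are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

def interval_stats(timestamps, min_events=8):
    """Return (events, mean_gap, cv) for one connection pair, or None if too few.

    cv is the coefficient of variation (stdev / mean) of the inter-arrival
    gaps: near 0 for a timer-driven beacon, large for human-driven traffic.
    """
    ts = sorted(timestamps)
    if len(ts) < max(min_events, 2):
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mu = mean(gaps)
    if mu <= 0:
        return None  # duplicate timestamps; not a periodic signal
    return len(ts), mu, pstdev(gaps) / mu

def find_beacons(flows, max_cv=0.2, min_events=8):
    """Group flows by (src, dst, dport) and flag pairs whose timing is too regular.

    flows: iterable of (epoch_seconds, src, dst, dport).
    Returns [((src, dst, dport), mean_gap_seconds, cv), ...].
    """
    by_pair = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_pair[(src, dst, dport)].append(ts)
    hits = []
    for pair, ts in by_pair.items():
        stats = interval_stats(ts, min_events)
        if stats is not None and stats[2] <= max_cv:
            hits.append((pair, round(stats[1]), round(stats[2], 3)))
    return hits

def constructed_flows():
    """Two hosts' outbound TCP/443 flows over about an hour (made up for this example).

    10.0.1.5 beacons to 203.0.113.7 every ~300 s with a few seconds of jitter;
    10.0.1.6 browses 198.51.100.10 at human, irregular intervals.
    """
    flows = []
    t = 1_517_480_000
    for gap in [300, 304, 297, 306, 295, 302, 299, 303, 296, 301, 300]:
        t += gap
        flows.append((t, "10.0.1.5", "203.0.113.7", 443))
    t = 1_517_480_000
    for gap in [5, 120, 900, 3, 60, 2400, 15, 7, 600, 45, 1800]:
        t += gap
        flows.append((t, "10.0.1.6", "198.51.100.10", 443))
    return flows

if __name__ == "__main__":
    for hit in find_beacons(constructed_flows()):
        print(hit)
```

Only the first pair is reported. In a real network plenty of legitimate software runs on timers too (NTP, update checks, monitoring agents), and those look exactly like this; that is precisely the class of alert the whitelisting step in the three-week rollout exists to suppress, and why longer observation windows and destination reputation are combined with the timing signal in practice.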

2018-02-01_11-02-41.jpg

Using supervised and unsupervised machine learning, Magnifier automatically detects attacks through behavioral analytics.

As for the requirements, the following is needed:

  • Logging Service
  • Pathfinder VM
  • Palo Alto Networks Next-Generation Firewall with PAN-OS 8.0.6+
  • Panorama with PAN-OS 8.0.6+

The Magnifier UI is user friendly and makes it easy for security admins to verify attacks, presenting all the information they need in an intuitive web interface:

2018-02-01_11-39-07.jpg

So how exactly is Magnifier different from AutoFocus?

AutoFocus complements Magnifier. AutoFocus provides contextual threat intelligence to accelerate investigations: security analysts can look up information about suspicious files, URLs, or IP addresses, and AutoFocus can alert customers' security teams about high-priority events so they can act swiftly to mitigate attacks. It is a resource for threat hunters who want additional information about incidents they are already investigating.

Magnifier, in contrast, is designed to detect attacks (especially command and control, lateral movement, exfiltration, and compromised endpoints) by analyzing network activity, and it helps security analysts confirm threats with Pathfinder endpoint analysis. Although both products help organizations investigate threats, they provide different types of data (threat intelligence with AutoFocus versus network security alerts with Magnifier) and are designed for different stages of the incident response process.

Magnifier is also well suited to detecting Internet of Things (IoT) threats. IoT devices can be exploited as a point of entry for a network attacker, or used to launch other kinds of attacks such as DDoS. Industry researchers have demonstrated successful attacks on cars, thermostats, video cameras, and televisions. Many of these devices are not well protected, and organizations cannot easily install antivirus or intrusion detection agents on them. Because Magnifier detects network behaviors indicative of attack rather than relying on an agent on the device, it can identify command and control and lateral movement originating from or directed at IoT devices.

Resources:

  • Magnifier Getting Started
  • Magnifier Behavioral Analytics
  • How to Activate Eval Magnifier Cloud Service
  • Magnifier Datasheet

As always, comments and questions are welcome in the comment section below!

-Kiwi out!