Best Practice Assessment Executive Summary Overview

BPA Executive Summary 

Overview

 

 

The BPA overview section shows the overall security posture of your Palo Alto Networks Next-Generation Firewall, Panorama and Prisma Access. The three major components are:

 

  1. BPA System rating
  2. CDSS Capabilities 
  3. Vulnerability Protection Score

 

BPA System Rating

The BPA system rating evaluates the security capabilities and feature adoption of the device (Next-Generation Firewall, Panorama, or Prisma Access) against best practices. It is the average of the following two percentages:

  • Overall capability adoption
  • The average passing percentage for all the BPA checks (found on the Mapping Definition page)


BPA System Rating Calculation

BPA System Rating = (Avg. of overall capability adoption + Avg. of mapping definitions) / 2

 

Example

| Avg. of overall capability adoption | Avg. of mapping definitions | BPA System Rating |
| --- | --- | --- |
| 600 / 9 = 66.66% | 52.3% | (66.66 + 52.3) / 2 = 59.48% |

 

 

 

The BPA system rating falls into one of three categories based on the score from the above calculation.

| Severity | Score Range | Color in Box | Description | Conclusion |
| --- | --- | --- | --- | --- |
| Low | 0 - 39 | Red | Based on the results of the assessment, there are significant gaps in your overall capability adoption and passing percentage of BPA checks. | It's recommended that users review each section and work through the results to understand gaps and where improvements can be made. |
| Moderate | 40 - 79 | Yellow | The assessment results indicate that some security capabilities and best practice checks have been implemented. | It's recommended that users review each section and work through the results to understand gaps that need to be addressed in order to fully ensure a consistent and secure approach. |
| High | 80 - 100 | Green | The assessment results show a mature security capability approach. | Review individual areas or questions that scored lower and continue to build on an otherwise strong platform. |

 

Cloud-Delivered Security Services (CDSS) Utilization

The CDSS utilization score focuses on the efficiency of a company's use of its network security assets. The score measures the extent to which companies have adopted services they have purchased.

CDSS Utilization Calculation

CDSS Utilization Score = (sum of average adoption percentages of each CDSS service category) / # of service categories

  • Service categories in the BPA Exec Summary: WildFire, Threat Prevention, DNS Security, URL Filtering
  • For each category, average adoption percentage = (sum of adoption % of all services within the category) / # of services in the category

 

Example (using data from Serial Number & Vsys):

Average Adoption %

  • WildFire = 85.7%
  • Threat Prevention (IPS) = (92.9 + 7.1 + 100.0 + 85.7) / 4 = 71.425%
  • DNS Security = 0.0%
  • URL Filtering = (0.0 + 0.0) / 2 = 0.0%

CDSS Utilization Score = (85.7 + 71.425 + 0.0 + 0.0) / 4 = 39.28%

 

 

The CDSS utilization score falls into one of three categories based on the score from the above formula.

| Severity | Score Range | Color in Box | Description | Conclusion |
| --- | --- | --- | --- | --- |
| Low | 0 - 39 | Red | The assessment indicates there are significant gaps in adoption of at least two of the CDSS utilization categories (WildFire, Threat Prevention, DNS Security, URL Filtering). | To ensure efficient, secure use of CDSS resources, it is recommended that users review the adoption percentage of each category to identify and resolve misconfigurations. |
| Moderate | 40 - 79 | Yellow | The assessment indicates there are moderate to significant gaps in adoption of at least one of the CDSS utilization categories (WildFire, Threat Prevention, DNS Security, URL Filtering). | To ensure efficient, secure use of CDSS resources, it is recommended that users review the adoption percentage of each category to identify and resolve misconfigurations. |
| High | 80 - 100 | Green | The assessment indicates there are no significant gaps in any of the CDSS utilization categories, suggesting an efficient use of resources. | Review individual categories with lower adoption percentages to maximize use of best practices. |

 

Vulnerability Protection

The vulnerability protection score measures the effectiveness of network security assets in responding to cyber attacks. The BPA checks listed below are counted when calculating the vulnerability protection score.

 

| Check ID | BPA Check Name | top_nav | left_nav |
| --- | --- | --- | --- |
| 7 | Log Forwarding | Policies | Security |
| 13 | Intrazone Allow Rules with Logging | Policies | Security |
| 41 | Vulnerability Protection Profile Threat Exceptions | Objects | Vulnerability Protection |
| 42 | Vulnerability Protection Strict Profile | Objects | Vulnerability Protection |
| 51 | Traffic Settings | Objects | Log Forwarding |
| 52 | Threat Settings | Objects | Log Forwarding |
| 60 | Zone Protection Profile Applied to Zone | Network | Zones |
| 86 | Reconnaissance Protection | Network | Zone Protection |
| 87 | Packet Based Attack Protection | Network | Zone Protection |
| 189 | Apps & Threats | Device | Dynamic Updates |
| 192 | Apps & Threats Sync to Peer | Device | Dynamic Updates |
| 200 | Vulnerability Protection Low/Informational Profile | Objects | Vulnerability Protection |
| 237 | Apps & Threats Content Update | Device | Dynamic Updates |

 

Vulnerability Protection Calculation

The score is the average of the passing percentages of all the BPA checks listed above.

Example: average the passing percentages of three checks.

Vulnerability Protection Score = (0 + 25 + 50) / 3 = 25% (the actual calculation counts all of the BPA checks listed in the table above)

 

The screen below is from the Mapping Definition page under the Best Practice Assessment tab.

[Screenshot: Mapping Definition page]

The Vulnerability Protection Score falls into one of three categories based on the score from the above formula.

| Severity | Score Range | Color in Box | Description | Conclusion |
| --- | --- | --- | --- | --- |
| Low | 0 - 39 | Red | The assessment indicates there are significant gaps in adoption of two or more capabilities. | To ensure efficient, secure use of resources, it is recommended that users review the adoption percentage of each category to identify and resolve misconfigurations. |
| Moderate | 40 - 79 | Yellow | The assessment indicates there are moderate to significant gaps in adoption of at least one of the capabilities. | To ensure efficient, secure use of resources, it is recommended that users review the adoption percentage of each category to identify and resolve misconfigurations. |
| High | 80 - 100 | Green | The assessment indicates there are no significant gaps in any of the capabilities configured on the device, suggesting an efficient use of resources. | Review individual categories with lower adoption percentages to maximize use of best practices. |
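
The three calculations and the severity bands described above, recomputed in Python as an added example (not Palo Alto Networks' code) for tracking scores across reports. The function names and input shapes are assumptions; the CDSS figures are the page's example, the other inputs are constructed, and the handling of fractional scores between bands is an assumption noted in the code.

```python
from statistics import mean

# Check IDs counted toward the Vulnerability Protection score (table on this page).
VULN_CHECK_IDS = {7, 13, 41, 42, 51, 52, 60, 86, 87, 189, 192, 200, 237}

def band(score):
    # Assumption: the page lists 0-39 / 40-79 / 80-100 without saying where a score
    # such as 39.28 falls; here each band runs up to the next band's lower bound.
    if not 0 <= score <= 100:
        raise ValueError(f"score out of range: {score}")
    if score < 40:
        return ("Low", "Red")
    if score < 80:
        return ("Moderate", "Yellow")
    return ("High", "Green")

def system_rating(capability_adoption, mapping_avg):
    # (Avg. of overall capability adoption + Avg. of mapping definitions) / 2
    return (mean(capability_adoption) + mapping_avg) / 2

def cdss_utilization(categories):
    # Average each category's services first, then average the categories, so a
    # category with many services does not outweigh one with a single service.
    per_category = {name: mean(vals) for name, vals in categories.items()}
    return mean(per_category.values()), per_category

def vuln_protection(check_pass_pct):
    # Only the listed check IDs count; listed checks absent from the input are
    # returned so a score averaged over fewer checks is visible to the caller.
    counted = [pct for cid, pct in check_pass_pct.items() if cid in VULN_CHECK_IDS]
    if not counted:
        raise ValueError("no Vulnerability Protection checks in input")
    return mean(counted), sorted(VULN_CHECK_IDS - set(check_pass_pct))

# CDSS figures from the page's example; the other inputs below are constructed.
CDSS_SAMPLE = {
    "WildFire": [85.7],
    "Threat Prevention": [92.9, 7.1, 100.0, 85.7],
    "DNS Security": [0.0],
    "URL Filtering": [0.0, 0.0],
}

if __name__ == "__main__":
    score, _ = cdss_utilization(CDSS_SAMPLE)
    print(f"CDSS utilization {score:.2f}% -> {band(score)}")
    rating = system_rating([100] * 6 + [0] * 3, 52.3)  # nine capabilities, sum 600
    print(f"BPA system rating {rating:.2f}% -> {band(rating)}")
    vp, missing = vuln_protection({7: 0, 13: 25, 41: 50, 999: 100})  # 999 ignored
    print(f"Vulnerability protection {vp:.0f}% -> {band(vp)}; no data for {missing}")
```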

 

 

 

 

Capability Adoption

This shows overall adoption across key capabilities and compares it against industry benchmarks. Users can view capability adoption data for the current report and can use a drop-down list to select and view capability adoption data for previously generated reports. Capability adoption data is already captured in a BPA report; the same data is presented in the new format for the Exec Summary.

 

The Coverage across key compliance standard section consists of the following:


NIST Avg. - The calculation for NIST Security Controls can be obtained from the Best Practice Summary page (as shown below).

[Screenshot: Best Practice Summary page]

CIS Avg. - This is the average percentage of all entries in the CIS Critical Security Controls Summary listed on the Best Practice Summary screen.

Capability Avg. - This is the average of the overall capability adoption percentages in best practice mode, taken from the adoption summary screen of a BPA report.

Contact the BPA team at bpa@paloaltonetworks.com

Visit us at www.paloaltonetworks.com/
