
Better Together: Splunk and Palo Alto Networks

A Combined Solution for Advanced Threat Protection, Security Information and Event Management

An Increase in Targeted Attacks

It’s no secret that targeted attacks are on the rise, with advanced persistent threats and the new strains of malware they rely on fueling the ambition of cybercriminals globally.

According to Symantec’s Annual Threat Report:

  • 1 in 131 emails contains a malicious link or attachment, the highest rate in five years.
  • The size of ransoms demanded has spiked 266%, with the U.S. being the top-targeted country. This could be because 64% of Americans end up paying the ransom.
  • Most CIOs estimate that up to 40 cloud apps are in use internally, but that is a gross underestimate; the actual number is often close to 1,000.

So, what makes targeted attacks different from traditional threats? As Trend Micro explains, targeted attacks first and foremost have very specific targets: political groups, government agencies, or businesses. Attackers are typically in it for the long haul with specific end goals in mind, whether profit, theft of data, or some kind of political gain. Targeted attacks are not one-time strikes, but rather ongoing processes conducted as campaigns using advanced persistent threats. Rather than isolated incidents, they consist of a series of both successful and failed attempts to penetrate deeper into a target’s network. As the attackers continue with their efforts, they tailor, change, and enhance the tools and methods they rely on depending on the nature of the target. They’re patient, and less interested in quick wins.

Palo Alto Networks and Splunk Partner Up to Take on Advanced Threat Protection

Here’s the problem with targeted attacks: these malicious attackers have patience, and they’re committed to getting what they’re looking for. They don’t develop their methods randomly, but use the nuances of your industry and organization to craft advanced threats meant to exploit your unique vulnerabilities, and they’ll change their tactics along the way. It’s no wonder, then, that targeted attacks are one of the top security challenges faced by organizations today.

Without the proper solution, a security team may detect a particular threat, but slow response times prolong the exposure period and make matters worse. Admins often have to coordinate and configure changes to security infrastructure manually in a scenario where there’s really no time to be wasted. Given the dangerous implications of targeted attacks, Palo Alto Networks and Splunk saw the opportunity to work together and deliver an integrated solution that provides incident investigation, coordinated detection, and response for advanced threats.

With the Splunk App for Palo Alto Networks, security teams have access to a robust platform for security visualization, monitoring, and analysis, which together give analysts the opportunity to fully leverage the data generated by Palo Alto Networks devices, whether it concerns applications, users, content, or threats. The solution is made up of a combination of tactics for identifying advanced threats:

  • Static and dynamic sandbox analysis
  • Statistical anomaly detection
  • Infrastructure-wide event correlation
  • Automated blocking of malicious sources
  • Automated quarantine of compromised devices

How Palo Alto Networks’ Next-Generation Security Platform Fuels Splunk’s Data Engine and Informs Your Security Team

Let’s talk about the specifics. The Palo Alto Networks Next-Generation Security Platform feeds rich data into Splunk’s data engine. That includes network and endpoint traffic data and details of applications, users, content, and threats, with the goal of enhancing Splunk’s analysis results and visibility as a whole.

The Palo Alto Networks integration with Splunk Enterprise Security gives you a lot of power—more than we can list here, so here are our top three favorite capabilities:

1. Accelerated Threat Response

This one’s important because, as we mentioned, security teams are sometimes slow to respond because they don’t have the proper tools to expedite the process, which in turn increases exposure. When unwanted activity or a threat is discovered, quarantine and blocking policies can be triggered on Palo Alto Networks devices from the Splunk App, either by hand or automatically (we favor the automated option), in minutes. Using real-time security intelligence and establishing defenses quickly improves response time and reduces exposure.

2. Advanced Security and Visibility in the Cloud

Given how often both infrastructure and critical workloads are moving to the public cloud, we’re big fans of this benefit. Securing data in the cloud can be a worry for cloud-forward enterprises, but this concern is greatly reduced as Palo Alto Networks and Splunk enable cloud deployments to adhere to security and compliance standards. Businesses gain much more visibility into applications, can protect against advanced attacks in the cloud, and can prevent lateral movement.

3. Enhanced Detection of Advanced Threats

One of the things that makes advanced threats so dangerous is that they can be subtle and easy to miss. This integration couples the Palo Alto Networks WildFire™ cloud-based threat analysis service with Splunk’s detection and correlation techniques to find advanced threats fast, so that your security team won’t miss a beat. WildFire detects threats using static and dynamic analysis; those results are then brought together with Splunk’s threat identification techniques, including statistical anomaly detection, infrastructure-wide event correlation, third-party indicators of compromise (IOCs), and custom scenario-based searches (e.g., monitoring for company-specific IOCs).

Getting Ahead of Targeted Attacks

There’s no way to keep your business from being targeted, but there are definitely ways to stay a step ahead of malicious actors and their methods. Want to know more about how the Palo Alto Networks App for Splunk can give your security team a leg up and protect your organization? We’re happy to help. Get in touch with an August Schell cybersecurity specialist, or call us at (301)-838-9470 today.