If You’re Trying To Find a Needle In A Haystack, Use A Metal Detector!

I don’t usually blog about specific product features, but I’m so excited about our new correlation objects, released in our 7.0 update to PAN-OS, that I really can’t help myself. It’s been a month now since we released 7.0, and I’m still particularly jazzed about this new feature!

Correlation objects, available in our PA-5000 Series, PA-3000 Series, the PA-7050, and Panorama, accurately identify infected devices based on patterns of network behavior that are correlated to characteristics of specific threats. So, for example, if a device is infected, the correlation engine can identify a pattern of behavior: a host having visited a malware URL, then a vulnerability being exploited, and then abnormal DNS requests generated from said host.

Maybe a user took a corporate laptop home and inadvertently picked up some known malware (looks like GlobalProtect wasn’t activated!). When this user reconnects to the network, the correlation object correlates suspicious activities stemming from that device, which may not be of any concern individually, but taken together, alert the security team that this laptop needs to be remediated.

Meanwhile, the infection is stopped from spreading because Threat Prevention IPS, AV, and anti-spyware protections have blocked the malware from moving laterally inside the network and ended its outbound command and control beacons.

What’s really cool about this, though, is how it works with WildFire to dynamically correlate network activities based on zero-day malware.

Take the same concept of looking for patterns of abnormal behavior that point to infection, and from there, factor in zero-day malware that WildFire discovers. As soon as WildFire analyzes new file behavior, which only takes a few minutes for completely unknown files, a report on the file’s malicious behavior is sent back to the security platform. Our correlation engine consumes that report and looks for patterns of behavior specific to the newly discovered malicious file across the device from which it originated and other devices in the network, both going forward (analyzing in real time) and looking back through logs from 96 hours before the file was forwarded to WildFire.
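To make the two mechanisms described above concrete (a static, ordered per-host pattern matched within a time window, and a sandbox verdict applied both forward and back through a 96-hour log history), here is a small added example. It is not Palo Alto Networks code and does not reproduce the PAN-OS correlation engine; the log format, hosts, hash, domains and the verdict record are all constructed sample data.

```python
# Added example (not Palo Alto Networks code): a minimal host-centric
# correlation engine in the spirit of the post. Log lines, hosts, hashes,
# domains and the verdict record are constructed sample data.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: ISO timestamp, then key=value fields.
LOG_LINES = [
    "2015-07-01T09:00:00 host=10.1.1.20 type=url detail=malware-site.example",
    "2015-07-01T09:02:10 host=10.1.1.20 type=threat detail=vuln-exploit",
    "2015-07-01T09:05:00 host=10.1.1.20 type=dns detail=abnormal-query",
    "2015-07-01T09:01:00 host=10.1.1.30 type=url detail=malware-site.example",
    "2015-07-01T09:00:30 host=10.1.1.35 type=url detail=malware-site.example",
    "2015-07-01T09:03:00 host=10.1.1.35 type=threat detail=vuln-exploit",
    "2015-07-01T11:30:00 host=10.1.1.35 type=dns detail=abnormal-query",
    "2015-07-01T10:00:00 host=10.1.1.40 type=file detail=sha256:deadbeef",
    "2015-07-01T10:30:00 host=10.1.1.40 type=dns detail=c2.example",
    "2015-06-29T08:00:00 host=10.1.1.50 type=dns detail=c2.example",
    "2015-06-26T08:00:00 host=10.1.1.60 type=dns detail=c2.example",
]


def parse_line(line):
    """Parse one constructed log line into a dict with a datetime 'ts'."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


EVENTS = [parse_line(line) for line in LOG_LINES]

# Static pattern from the post: malware URL, then exploit, then abnormal DNS,
# all from the same host and within one window.
PATTERN = ["url", "threat", "dns"]
WINDOW = timedelta(minutes=60)


def _match_chain(evs, pattern, window):
    """Return the first ordered chain of events matching pattern within window."""
    for i, start in enumerate(evs):
        if start["type"] != pattern[0]:
            continue
        chain = [start]
        for ev in evs[i + 1:]:
            if ev["ts"] - start["ts"] > window:
                break  # window expired; try the next candidate start event
            if ev["type"] == pattern[len(chain)]:
                chain.append(ev)
                if len(chain) == len(pattern):
                    return chain
    return None


def correlate(events, pattern, window):
    """Group events per host and report hosts whose events form the pattern."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    matches = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        chain = _match_chain(evs, pattern, window)
        if chain:
            matches.append({"host": host, "first": chain[0]["ts"], "last": chain[-1]["ts"]})
    return matches


# Constructed sandbox verdict: when it arrived, the analysed file's hash, and
# behaviours observed during analysis that now serve as indicators.
VERDICT = {
    "time": datetime.fromisoformat("2015-07-01T10:07:00"),
    "file_hash": "sha256:deadbeef",
    "indicators": {"c2.example"},
}


def retroactive_match(events, verdict, lookback=timedelta(hours=96)):
    """Hosts tied to the verdict: the submitter, plus any host whose events
    match an indicator from lookback before the verdict onward (forward
    events are included, so newly arriving logs are covered too)."""
    since = verdict["time"] - lookback
    hits = set()
    for ev in events:
        if ev["ts"] < since:
            continue  # older than the lookback horizon
        if ev["type"] == "file" and ev["detail"] == verdict["file_hash"]:
            hits.add(ev["host"])
        elif ev["detail"] in verdict["indicators"]:
            hits.add(ev["host"])
    return sorted(hits)


if __name__ == "__main__":
    for m in correlate(EVENTS, PATTERN, WINDOW):
        print(f"static pattern hit: {m['host']} {m['first']} -> {m['last']}")
    print("verdict-driven hits:", retroactive_match(EVENTS, VERDICT))
```

In the sample data only 10.1.1.20 completes the static chain: 10.1.1.30 has a lone URL hit, and 10.1.1.35 completes the chain but outside the 60-minute window, which is the point of windowing such patterns. The verdict-driven pass flags 10.1.1.40 (the submitter, and its later C2 lookup) and 10.1.1.50 (an indicator hit two days earlier), while 10.1.1.60 falls outside the 96-hour horizon.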

At Palo Alto Networks, we believe that prevention isn’t futile – in fact, it’s central to stopping breaches. However, quick mitigation is also important to limit the damage and learn from threats that get past your defenses. With the right ecosystem of detection, intelligence, and prevention, infection doesn’t have to turn into a catastrophe.

There are currently five correlation objects available: three static objects that were created from Unit 42 research and two that are dynamically fed information from WildFire submissions. These five correlation objects are just the beginning. Our threat research teams, including Unit 42, will eventually be able to create new correlation objects based on their ongoing research into new attack campaigns and deliver them to deployed platforms through weekly content updates.

To learn more about the automated correlation engine and correlation objects, please visit https://www.paloaltonetworks.com/products/features/correlation-engine.html.

1 Reader Comment

  1. Truly, no matter how bushy the haystack is, a metal detector could help you sort through it. 🙂
