Quickly gain situational awareness and visibility into your network environment
Visibility is key to preventing breaches, and situational awareness focused on network traffic is usually the best place to start.
Attackers often spend three months or more moving laterally inside a business network before launching their attack. With the right tools and detection capabilities, that presence can be spotted and destructive attacks (ransomware, for example) thwarted before they are triggered.
Knowing which applications are actually in use inside the environment also sharpens risk insight and makes it possible to address weaknesses before they are exploited.
The first step in this security hygiene process is to deploy the proper tools to quickly get situational awareness.
To do it properly, however, you need three things:
Wide and deep protocol coverage, from HTTP(S) and DNS through to the latest tunneling and stealth P2P protocols.
Minimal disruption or change to the network infrastructure. For a visibility exercise this means not relying on HTTPS interception or any proxy technology that would affect user productivity.
Enrichment of the collected data with high-quality threat intelligence, usually performed in a data lake. The quality of threat intelligence tends to scale with the amount of device telemetry a vendor collects worldwide: the more, the better.
An easy way to get all of this is the Palo Alto Networks (PANW) Security Lifecycle Review (SLR).
All you need is to place a PANW next-generation firewall (appliance or virtual) into the network as a passive, non-intrusive data collector; no disruption or change to the network infrastructure is required. Leave it there and let it collect traffic data for 7 days. The traffic metadata collected by the device is then uploaded into Palo Alto Networks' data lake and enriched with PANW threat intelligence to give you visibility into your network.
The recommended way to get initial situational awareness is to connect the device as a data collector through a tap or SPAN port. Keep in mind that a tap sees only the traffic mirrored to it: choose a mirror source that actually carries the flows of interest (typically the internet edge and internal DNS), and check that the mirror port is not oversubscribed, or the collector will silently miss traffic:
To collect even more data, the device can also be placed in-line. More deployment options are described here:
Multiple options for Palo Alto Networks SLR
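To make the collection-and-enrichment step concrete, here is an added example that is not Palo Alto Networks or SLR code: it does on a small scale what the data lake does with the uploaded metadata. It parses flow records in a simplified comma-separated format, inventories applications and bytes per application, matches destination addresses against an indicator list, and flags applications that warrant follow-up. The record format, the sample flows, the indicator list and the RISKY_APPS set are all constructed for this illustration and are not real telemetry or a real feed.

```python
"""Inventory applications from passive flow metadata and enrich with threat intel.

Added illustration, not Palo Alto Networks or SLR code. The flow-record
format, sample flows, indicator list and risky-app list below are all
constructed for this example.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Set

# Constructed sample flow records (assumed format, one flow per line):
# timestamp,src_ip,dst_ip,dst_port,application,bytes
SAMPLE_FLOWS = """\
2024-03-01T09:00:01,10.0.1.10,142.250.74.36,443,ssl,18234
2024-03-01T09:00:03,10.0.1.11,10.0.0.53,53,dns,120
2024-03-01T09:00:05,10.0.1.12,203.0.113.45,443,ssl,9812
2024-03-01T09:00:07,10.0.1.10,198.51.100.7,6881,bittorrent,534000
2024-03-01T09:00:09,10.0.1.13,10.0.0.53,53,dns,98
2024-03-01T09:00:11,10.0.1.12,203.0.113.45,443,ssl,4410
2024-03-01T09:00:13,10.0.1.14,192.0.2.200,8080,http-proxy,2210
"""

# Constructed indicator list (not a real feed): IP or CIDR -> label.
SAMPLE_INDICATORS: Dict[str, str] = {
    "203.0.113.45": "known-c2",
    "192.0.2.0/24": "scanning-infrastructure",
}

# Assumed policy: applications whose mere presence warrants follow-up.
RISKY_APPS: Set[str] = {"bittorrent", "http-proxy", "tor"}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    app: str
    nbytes: int


def parse_flows(text: str) -> List[Flow]:
    """Parse the simplified CSV flow format; blank and '#' lines are skipped."""
    flows: List[Flow] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, app, nbytes = line.split(",")
        flows.append(Flow(ts, src, dst, int(dport), app, int(nbytes)))
    return flows


def build_lookup(indicators: Dict[str, str]) -> Callable[[str], Optional[str]]:
    """Compile IP/CIDR indicators once; return a function mapping an IP to its label."""
    nets = [(ip_network(k, strict=False), label) for k, label in indicators.items()]

    def lookup(ip: str) -> Optional[str]:
        addr = ip_address(ip)
        for net, label in nets:
            if addr in net:
                return label
        return None

    return lookup


def summarise(flows: List[Flow], indicators: Dict[str, str], risky_apps: Set[str]) -> dict:
    """Build the situational-awareness report: app inventory, TI hits, risky apps."""
    lookup = build_lookup(indicators)
    flows_per_app = Counter(f.app for f in flows)
    bytes_per_app: Counter = Counter()
    for f in flows:
        bytes_per_app[f.app] += f.nbytes
    # Threat-intel enrichment: every flow whose destination matches an indicator.
    ti_hits = []
    for f in flows:
        label = lookup(f.dst)
        if label:
            ti_hits.append((f.src, f.dst, f.app, label))
    risky_flows = [(f.src, f.dst, f.app) for f in flows if f.app in risky_apps]
    return {
        "internal_hosts": len({f.src for f in flows}),
        "flows_per_app": flows_per_app,
        "bytes_per_app": bytes_per_app,
        "ti_hits": ti_hits,
        "risky_flows": risky_flows,
    }


if __name__ == "__main__":
    report = summarise(parse_flows(SAMPLE_FLOWS), SAMPLE_INDICATORS, RISKY_APPS)
    print(f"internal hosts seen: {report['internal_hosts']}")
    for app, n in report["flows_per_app"].most_common():
        print(f"  {app:<12} flows={n:<3} bytes={report['bytes_per_app'][app]}")
    for src, dst, app, label in report["ti_hits"]:
        print(f"TI hit: {src} -> {dst} ({app}) [{label}]")
    for src, dst, app in report["risky_flows"]:
        print(f"risky app: {src} -> {dst} ({app})")
```

Note that without decryption the TLS sessions above appear only as "ssl": the enrichment still catches the two flows to the constructed C2 address because the match is on destination, not on payload, which is exactly why passive metadata collection plus indicator matching is useful even when the page's no-interception constraint is kept.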