Cloud Native Security Automation with Palo Alto Networks Cortex XSOAR
XSOAR is a Security Orchestration, Automation, and Response (SOAR) platform that helps to coordinate and accelerate incident response across your cloud, data center, edge and hybrid environments. With over 500+ product integrations XSOAR integrates to cloud native security services and built-in threat intelligence reduces the noise in security operations.
Human interaction is increasing at a rapid rate in security operations and in this over 80% of the alerts are false positives, though they don’t carry any significant interpretation in the security landscape of the organization, it still consumes valuable human resource hours.
SOAR product line is the answer, it brings security orchestration – onboarding and full visibility to the infrastructure and the application ecosystem. Automation – reducing time to deploy and Response – automated response to the incidents and alerts.
Cortex XSOAR integrates with public cloud platforms and leverage native cloud security services and help you automate and standardize incident response for more efficient security operations.
For this example, I will use Google Kubernetes Engine (GKE) to demonstrate the solution.
Prisma Cloud is a cloud native security platform that enables cloud security posture management (CSPM) and cloud workload protection platform (CWPP) for comprehensive visibility and threat detection across your organization’s hybrid, multi-cloud infrastructure.
Install Prisma Cloud Compute Console
Download the Prisma Cloud Instance
To Install: Run
tar xvzf prisma_cloud_compute_edition_20_09_365.tar.gz -C prisma_cloud_compute_edition/
use kubectl to create the Prisma Cloud Console:
Run the following command to check and see if the Prisma Cloud Compute service has come up fully:
Open a browser window and browse to https://[YOUR-EXTERNAL-IP]:8083 to open Prisma Cloud
The first thing you will be asked for is the license key – activate with the license
Next install the Prisma Cloud Compute Defender Daemonset. The Defender is a software module that will monitor every container. Defender communicates with the Prisma Cloud Compute Console using Transport Layer Security (TLS).
Note: You will update the list of identifiers in Console's certificate that the Defenders will use to validate the Console's identity. This will change your current browser certificate and force you to log back in to the Prisma Cloud Compute Console.
To install the dameonset on your Kubernetes cluster – copy install command from the target machine OS as Linux
The Defender Daemon Set install script creates and deploys the Prisma Cloud Compute defender.yaml file. The script will direct the Defender to connect to Prisma Cloud Compute Console using the service account the script creates. It may take a minute for the script to be fully deployed.
Once Script is completed and install the Defender, you can see the defenders on the Prisma console.
Prisma Cloud (formerly RedLock and Evident) is a security and compliance service that dynamically discovers cloud resources and sensitive data, and subsequently detects risky configurations, network threats, suspicious user behavior, malware, data leakage, and host vulnerabilities across GCP, AWS, and Azure. It combines the most comprehensive collection of rule-based security policies and industry-leading machine learning to detect threats.
It actually acts as a Large Data Lake of Security Events and Logs, by continuously ingesting data using hundreds of cloud service provider APIs and threat intelligence sources. Which we will use as "Source" for Cortex XSOAR to inspect, interpret, act and respond upon.
CORTEX XSOAR DASHBOARD
XSOAR provides Integrations (sources from where the events/logs should be inspected) Playbooks (Workflows, in case events/logs represent a recognized pattern - what to do)
and Automation (Automated Response)
War Rooms is another interesting feature of XSOAR, War Rooms act like a repository of artifacts, teams, process and collaboration required in an organization to address and mitigate security incidents.
Configure Integration Instance and Playbook
Lets first start with a simple integration - Email Sender (Email you will use to notify a particular member or team in the playbooks)
Settings - Integrations - Mail Sender
Add the email, password, smtp server details and transport protocol and test the connectivity.
Playbooks: Playbooks like the terminology commonly used in software products provides a detailed workflow.
CORTEX XSOAR provides hundreds of playbooks by default. (Depending on the license you are using) - community edition generally comes with a very few playbooks by default.
This is how a Playbook looks in Cortex XSOAR
Lets proceed to configure the integration of our Cloud Prisma (twistlock)
With Prisma configured, its pulling the incidents to Cortex XSOAR
Security Incident Review
This is the case management page for Cortex XSOAR. The automated playbook has already run and completed this incident investigation. On the case management page, security teams can review the case details such as incident type, severity, source, timeline information and the associated playbook name. The work plan section will highlight any tasks that require analyst review and approval.
Notice that the Investigation Details section has listed the infected hostname, image name, id and container name, and id, source, and destination port information for this Crypto Mining activity by the Graboid worm.
Additionally, you can click on the IP address to view Cortex XSOAR's full blown indicator information page that provides additional details on the IP address such as its reputation information, other related incidents, indicator timeline information that highlights any sightings, tags and comments (if any) etc. This is a living page and provides most current information on the indicator.
In Summary, Cortex XSOAR is easy to setup and integrates with hundreds of integrations readily available and also support BYOI (Bring Your Own Integration) Cortex XSOAR also comes with hundreds of playbooks and its easy to create or customize an existing playbook.
Recommendations: Plan your Security Operations in advance by building use cases that fit automation. Do it in phases with multiple testing scenarios. Start with a sandbox environment and adopt slowly with concrete testing in every phase of process maturity. Train your SOC Team to create and validate playbooks.