Splunk and Palo Alto Networks: Security Through Synergy

The following is a guest blog post by Chris Ebley, Director of Engineering, BAI.

For a long time now, cybersecurity experts have championed cross-platform integration as a way to accomplish more with less. At its core, integration is a classic “the whole is greater than the sum of its parts” story: by enabling two or more solutions to enhance one another, security visibility, detection and enforcement are all greatly improved.

As long-standing leaders in the cybersecurity world, Palo Alto Networks and Splunk have an established history of prioritizing real-world customer needs. Both companies provide open APIs that have made integrating the two easy and extremely potent, and they have gone as far as formally collaborating to give customers plug-and-play, bi-directional context, workflows and automated actions.

Securing SaaS

The last few years have seen widespread adoption of software-as-a-service offerings, and securing these applications now falls under the purview of security operations. Recent releases of PAN-OS (7.1 through 8.0) and Splunk Enterprise Security (4.7) both feature expanded capabilities for SaaS control and security analysis. The Palo Alto Networks App for Splunk allows granular tracking of Palo Alto Networks firewall logs to view SaaS usage by user, providing an in-depth look at which applications are being used, how often they are used and whether any threats are identified alongside them. That same data is now mapped to Splunk’s Common Information Model, so it can be ingested directly to provide a SaaS perspective alongside other sources and to enhance correlation searches in the Splunk Enterprise Security app.

User Identification

Tracking and enforcing access by user is one of the most powerful ways to reduce risk to an enterprise. In that same light, it is also one of the more complex. You are no longer enforcing based on an IP address but on WHO is behind the IP. Both Palo Alto Networks and Splunk can capitalize on that valuable correlation, and each can provide the insight to the other. PAN firewalls correlate users to session activity and send that data to Splunk for easy attribution of activity in the environment; Splunk can in turn forward syslog from sources such as RADIUS that map user to IP, so that PAN firewalls update their own User-ID mappings more frequently and accurately for user-based policy enforcement. The caveat is that a mapping is only as good as its freshness: a mapping that outlives the session attributes the next holder of that address to the wrong user, so logout events and short mapping timeouts matter as much as the logins.

Taking Action

Mitigating risk is best done before a threat materializes. Strategies around network segmentation, reduced and controlled access, and categorical prevention can all be employed to reduce the attack surface. That said, anyone worth their salt in cybersecurity understands that you are going to get breached, and the real issue is what happens immediately afterwards. In short, if you are waiting for an alert email that you will react to after sitting through four hours of meetings, you are not in a good place.

Splunk and Palo Alto Networks both understand that all the detection in the world is great but limited if you lack the ability to intervene. Through substantial collaboration these companies have developed custom search commands such as “pantag”, which let a Splunk correlation search automatically tag the IP address of any asset (user or device) on a PAN firewall; a security policy bound to a dynamic address group that matches the tag then takes effect immediately, whether that means restricting the host to a controlled VLAN or blocking all access altogether. What’s more, Palo Alto Networks is a contributing member of Splunk’s Adaptive Response community: there are fully developed response actions for Enterprise Security that let alerts take action and be tracked through the security lifecycle, effectively becoming a seamless part of the SOC workflow.
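Both integrations above, the user-to-IP mapping fed from RADIUS (User Identification) and the tag-and-enforce step behind “pantag” (Taking Action), come down to the same PAN-OS User-ID XML API call. The example below is added here to show that mechanism; it is not code from the Palo Alto Networks App for Splunk or from Splunk. The RADIUS syslog lines and the correlation-search rows are constructed sample data, the one-line syslog layout and the Splunk field names are assumptions, and the `quarantine` tag only does anything on a firewall where a dynamic address group and policy already reference it.

```python
"""Added example: build the PAN-OS User-ID <uid-message> documents that sit
underneath (1) pushing RADIUS-derived user/IP mappings to a firewall and
(2) tagging an IP so a dynamic-address-group policy applies to it at once.
Not code from the Palo Alto Networks App for Splunk."""
import re
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample events. Acct-Status-Type, User-Name and Framed-IP-Address
# are standard RADIUS accounting attributes; writing them on one syslog line
# in this layout is an assumption about the RADIUS server's log format.
RADIUS_SYSLOG = [
    'Aug 14 09:01:02 nps01 radius: Acct-Status-Type=Start User-Name="CORP\\alice" Framed-IP-Address=10.20.1.15',
    'Aug 14 09:01:05 nps01 radius: Acct-Status-Type=Start User-Name="CORP\\bob" Framed-IP-Address=10.20.1.22',
    'Aug 14 09:03:40 nps01 radius: Acct-Status-Type=Stop User-Name="CORP\\alice" Framed-IP-Address=10.20.1.15',
    'Aug 14 09:04:00 nps01 radius: Acct-Status-Type=Interim-Update User-Name="CORP\\carol" Framed-IP-Address=10.20.1.31',
    'Aug 14 09:04:01 nps01 sshd[211]: Accepted publickey for ops from 10.20.9.9',  # unrelated line, must be skipped
]

# Constructed rows as a Splunk correlation search might hand them to an action.
# The field names (src_ip, rule, tag) are assumptions for this example.
CORRELATION_HITS = [
    {"src_ip": "10.20.1.22", "rule": "Malware C2 beacon", "tag": "quarantine"},
]

RADIUS_RE = re.compile(
    r'Acct-Status-Type=(?P<status>[A-Za-z-]+)\s+'
    r'User-Name="(?P<user>[^"]+)"\s+'
    r'Framed-IP-Address=(?P<ip>(?:\d{1,3}\.){3}\d{1,3})'
)


def parse_radius(lines):
    """Return (logins, logouts) as lists of (user, ip).
    Start and Interim-Update refresh a mapping; Stop removes it, which is what
    keeps a reused address from being attributed to the previous user."""
    logins, logouts = [], []
    for line in lines:
        m = RADIUS_RE.search(line)
        if not m:
            continue  # not a RADIUS accounting line: skip rather than guess
        pair = (m.group("user"), m.group("ip"))
        if m.group("status") in ("Start", "Interim-Update"):
            logins.append(pair)
        elif m.group("status") == "Stop":
            logouts.append(pair)
    return logins, logouts


def build_uid_message(logins=(), logouts=(), registers=(), timeout=60):
    """Build a PAN-OS <uid-message>. registers is an iterable of (ip, tag).
    timeout is the mapping lifetime in minutes; keep it short so a session
    the RADIUS server never closed does not grant access to a reused IP."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    if logins:
        login = ET.SubElement(payload, "login")
        for user, ip in logins:
            ET.SubElement(login, "entry", name=user, ip=ip, timeout=str(timeout))
    if logouts:
        logout = ET.SubElement(payload, "logout")
        for user, ip in logouts:
            ET.SubElement(logout, "entry", name=user, ip=ip)
    if registers:
        register = ET.SubElement(payload, "register")
        for ip, tag in registers:
            entry = ET.SubElement(register, "entry", ip=ip)
            ET.SubElement(ET.SubElement(entry, "tag"), "member").text = tag
    return ET.tostring(root, encoding="unicode")


def send_uid_message(firewall, api_key, uid_xml):
    """POST the message to the firewall's XML API (type=user-id).
    Not called in the stand-alone run; it needs a reachable PAN-OS host and a
    key for an admin role whose XML API access is limited to User-ID, which is
    all the Splunk side should hold."""
    body = urllib.parse.urlencode({"type": "user-id", "key": api_key, "cmd": uid_xml}).encode()
    with urllib.request.urlopen(f"https://{firewall}/api/", data=body, timeout=10) as resp:
        return resp.read().decode()


def mapping_message(lines=RADIUS_SYSLOG):
    """User Identification: RADIUS accounting -> login/logout mappings."""
    logins, logouts = parse_radius(lines)
    return build_uid_message(logins=logins, logouts=logouts)


def tag_message(hits=CORRELATION_HITS):
    """Taking Action: correlation hits -> register each source IP with its tag."""
    return build_uid_message(registers=[(h["src_ip"], h["tag"]) for h in hits])


if __name__ == "__main__":
    print(mapping_message())
    print(tag_message())
```

The firewall side is the part the code cannot show: a dynamic address group whose match criterion is `quarantine`, referenced by a deny (or restrict-to-VLAN) rule placed above the normal allow rules, is what turns the `<register>` call into an enforcement change with no commit required. Unregistering the tag once the incident is closed is the same message with `<unregister>` in place of `<register>`.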

As cybersecurity professionals, we should be looking to get every ounce of value from the solutions we work with daily. Long gone are the days of deploying a tool for a single point function; automation, orchestration and integration are king. It is obvious that as businesses advance you should require your partners to grow with you into SaaS, cloud and borderless arenas. It is equally important that you challenge them to become a fluid part of your world, not the other way around.

Happy Splunking!

Learn more: Join Splunk at Palo Alto Networks Ignite 2017

Chris Ebley is a cybersecurity engineer out of Annapolis, MD. He currently serves as Director of Engineering at BAI, a 40-year technology specialist and long-standing Splunk partner. When not engaged with customers, Chris spends his time relaxing with his beautiful wife and 200lbs of yellow labs.
