Securing cloud applications with Amazon Web Services (AWS) and Palo Alto Networks


Key challenges every organization is facing

Growing number of entities to secure
Cloud services, along with growing IaaS, PaaS, and CaaS environments, lead to a huge estate for security teams to protect.

Environments are constantly changing
Developers, DevOps, and I&O are building and deploying at a frantic pace, often without security guidance or controls.

Everyone is now a stakeholder
Security is no longer a gate at the end of the application lifecycle. Every team along the pipeline needs to participate in security.

How security teams are impacted

Lack of visibility
Increased likelihood of undetected misconfigurations, and difficulty quantifying risk to management.

Complexity of compliance
Increased cost of achieving compliance, and delayed initiatives due to the difficulty of proving compliance.

Inability to rapidly detect and respond to threats
Alert fatigue due to constant changes, and lack of context for investigations.

AWS and Palo Alto Networks provide complete security for the cloud

Palo Alto Networks helps customers enhance security in the cloud

Customer: responsible for security IN the cloud (customers have their choice of security configurations)
• Customer data
• Platform, applications, identity & access management
• Operating system, network & configuration
• Client-side data encryption & data integrity authentication
• Server-side encryption (file system and/or data)
• Networking traffic protection (encryption, integrity, identity)

AWS: responsible for the security OF the cloud
• Software: compute, storage, database, networking
• Hardware / AWS global infrastructure: regions, availability zones, edge locations

How Palo Alto Networks works with AWS: enhance your investment and protect cloud applications

Protect
Secure compute, network and storage services, and the applications they run.

Integrate & enhance
Integrate with AWS security services to enhance context and consolidate visibility.

Palo Alto Networks complements native AWS services across all solution areas

• Identity & access management
• Detective controls
• Infrastructure protection
• Data protection
• Incident response

Palo Alto Networks and AWS solve for common security use cases

Visibility and compliance
Understand cloud environments, maintain compliance with industry standards and enforce guardrails.

Risk management
Better understand and mitigate risk across your business-critical application workloads.

Automated response
Simplify and streamline SOC operations with scalable, automated processes.

Comprehensive cloud security with a strong foundation

• The NIST Cybersecurity Framework (CSF) provides a foundation for cloud security and an accelerated path to cloud adoption.
• AWS and Palo Alto Networks utilize this foundation to build solutions that support the five risk management functions: Identify, Protect, Detect, Respond, and Recover.

NIST CSF is projected to be used by 50% of U.S. private sector organizations by 2020.[1]

NIST FRAMEWORK

Identify: Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.
Protect: Develop and implement appropriate safeguards to ensure delivery of critical services.
Detect: Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.
Respond: Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.
Recover: Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.

[1] https://www.nist.gov/industry-impacts/cybersecurity

Palo Alto Networks integrations with AWS: security and automation for every aspect of your cloud investment

VM-Series
Secure networks and prevent advanced threats with the industry-leading NGFW.

Prisma Cloud
Secure cloud applications and maintain compliance across the entire development lifecycle.

Cortex XSOAR
Unburden security teams with automated incident response and security workflows.

Prisma Cloud customer use case: Prisma Cloud on AWS keeps Western Asset Management agile

Challenge
For Western Asset Management (WAM), time-sensitive transactions and decision-making based upon fast-changing market conditions are key to differentiate in an increasingly competitive and evolving investment landscape. WAM needed an agile, dynamic cloud environment that was secure and could speed the application delivery process.

Outcomes
WAM migrated to AWS and deployed Prisma Cloud, giving them:
• Full visibility across all accounts: Prisma Cloud acts as a pseudo asset inventory which is aware of every workload across all accounts, and provides a single pane of view.
• Faster response times: Prioritized alert routing improves incident and potential misconfiguration response times from days to minutes.
• Better compliance: Built-in, single-click compliance reporting and alerting in Prisma Cloud eliminates the need to manually sift through audit files and empowers SecOps and Compliance teams with actionable alerts.

“Our senior IT management really has the confidence now in our cloud team being able to leverage Prisma Cloud for the compliance, security governance, auditing and network visibility that we get. The ROI has just been immense – allowing our business to work faster, and more efficiently.”
- David Pace, Global Information Security, Western Asset Management

VM-Series

Migrate to the cloud securely and at scale with AWS services and Palo Alto Networks VM-Series

• Migrate business-critical applications to the cloud with a prevention-based approach to protecting apps and data on AWS
• Unmatched application visibility and control
• Prevent threats from moving laterally between workloads and stop data exfiltration
• Automation and centralized management

AWS integrations: Elastic Load Balancing, AWS Transit Gateway, Amazon GuardDuty, AWS Security Hub, VPC Traffic Mirroring, Amazon VPC Ingress Routing

Integrations planned for 2020: AWS Outposts, AWS Network Manager

VM-Series integration with AWS Transit Gateway

How it works
• The VM-Series integration with Transit Gateway simplifies the setup of centralized inspection, leverages infrastructure as code, and allows a customer’s security controls to scale with their applications
• Maintains a consistent security posture and allows security and networking teams to easily deploy and provide infrastructure protection for their application owners
• The deployment architecture sets up security VPCs in which the firewalls are deployed; these connect to the Transit Gateway via VPC or VPN attachments
• All traffic is routed to the VM-Series firewalls for inspection
• Can be used with AWS Resource Access Manager to create a clear delineation between security and application owners

VM-Series integration with AWS Transit Gateway (reference architecture)

Customer benefits
• Application, User and Content specific security across the AWS landscape
• Scalable to meet customer demand
• Utilizes VPC connectivity options for highest resiliency
• Encompasses all traffic flow patterns and return traffic
• Integrates with the CI/CD pipeline
• Integrates with AWS security products like GuardDuty and Security Hub

Diagram (reference architecture): spoke VPCs (Spoke 1, 10.1.0.0/16, and Spoke 2, 10.2.0.0/16, each with web and db subnets) attach to the Transit Gateway alongside three security VPCs, one each for Inbound (fronting a Services VPC, 10.3.0.0/16), Outbound and East-West (Security-East-West, 10.253.0.0/16) traffic. Each security VPC holds VM-Series firewalls across two availability zones with Mgmt, Pub, Priv and TGW subnets. Spokes use VPC attachments; on-prem or colo networks (172.16.0.0/16) reach the Transit Gateway over a VPN attachment or Direct Connect.

VM-Series integration with Elastic Load Balancing

How it works
• Protects public-facing assets
• Auto-scales based on demand
• Deploy VM-Series in a load balancer “sandwich” architecture to adjust capacity in a controlled or dynamic manner, independent from applications
• Inspect the application stream to detect and prevent known and unknown threats, such as advanced persistent threats

Customer benefits
• Layer 7 inspection for application hosting
• Application-specific security
• Scalable to meet customer demand
• Integrated with Auto Scaling (not required)
• Multi-application ready
• Transit Gateway ready (not required)

Diagram: an external load balancer in front of the VM-Series firewalls and an internal load balancer in front of the hosted applications, with a Transit Gateway between the two tiers; the port pairs :801/:80 and :4431/:443 are labelled at the VM-Series tier.

VM-Series integration with Amazon GuardDuty

How it works
• Enable automated responses to malicious actors and protect business-critical workloads
• The VM-Series integration with GuardDuty uses an AWS Lambda function to collect threat findings
• Create a dynamic address group within a security policy that blocks any activity emanating from the IP address
• Dynamic address groups and security policies are automatically updated, without administrative intervention

Customer benefits
• Streamlined actioning of GuardDuty findings
• Aggregation and correlation of threat intelligence feeds
• Unified logging of GuardDuty indicators within the VPC

Diagram: Amazon GuardDuty reports a malicious IP address; the finding is delivered through Amazon CloudWatch to AWS Lambda, which updates the VM-Series firewalls (untrust interfaces, protected by security groups) in each VPC.

VM-Series integration with AWS Security Hub

How it works
• Enable automated responses to malicious actors and protect business-critical workloads
• The VM-Series integration with Security Hub and AWS Lambda collects threat intelligence and sends it to the firewall
• Automatic security policy updates block malicious IP address activity
• Security policies are updated without administrative intervention

Customer benefits
• Streamlined actioning of Security Hub findings
• Aggregation and correlation of threat intelligence feeds
• Unified logging of GuardDuty (GD) indicators within the VPC

Diagram: a malicious IP address targets Amazon EC2 instances in the application VPC (Subnet1, Subnet2); AWS Security Hub findings trigger a Python automation script that adds the address to a dynamic address group, and the firewall policy drops the session.
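The Lambda step that both the GuardDuty and the Security Hub slides describe, collecting a finding and registering the offending IP so a dynamic address group (DAG) picks it up, as an added Python example. It is not Palo Alto Networks' published Lambda. It assumes the EventBridge (CloudWatch Events) envelope with a detail-type of "GuardDuty Finding" or "Security Hub Findings - Imported", a DAG on the firewall whose match criterion is the tag aws-finding-malicious, and FW_HOST and FW_API_KEY environment variables for the PAN-OS XML API; the sample events are constructed and use documentation address ranges.

```python
"""GuardDuty / Security Hub finding -> PAN-OS User-ID 'register' payload.
Added example (not Palo Alto Networks' Lambda). Assumed, not from the page:
the DAG matches BLOCK_TAG, FW_HOST/FW_API_KEY env vars, EventBridge envelope."""
import ipaddress
import os
import urllib.parse
import urllib.request
from xml.etree import ElementTree as ET

BLOCK_TAG = "aws-finding-malicious"   # assumed tag named in the DAG's match criterion
MIN_GD_SEVERITY = 4.0                 # GuardDuty scale 0.1-8.9; skip LOW findings
MIN_ASFF_SEVERITY = 40                # ASFF Severity.Normalized scale 0-100
TAG_TIMEOUT_SECONDS = 3600            # PAN-OS 9.0+ expires the registration itself

# Never register addresses the firewall must not block (RFC1918, loopback,
# link-local, CGNAT, multicast, reserved); documentation ranges stay eligible.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def is_blockable(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.version == 4 and not any(addr in net for net in NON_ROUTABLE)


def _guardduty_ips(detail):
    """Remote IPs from the action types GuardDuty attaches to EC2 findings."""
    if float(detail.get("severity", 0)) < MIN_GD_SEVERITY:
        return set()
    action = detail.get("service", {}).get("action", {})
    remotes = [action.get(k, {}).get("remoteIpDetails", {})
               for k in ("networkConnectionAction", "awsApiCallAction")]
    remotes += [p.get("remoteIpDetails", {}) for p in
                action.get("portProbeAction", {}).get("portProbeDetails", [])]
    return {r["ipAddressV4"] for r in remotes if r.get("ipAddressV4")}


def _securityhub_ips(detail):
    """IPs from ASFF findings: Network.* plus GuardDuty's flattened ProductFields."""
    ips = set()
    for f in detail.get("findings", []):
        if f.get("Severity", {}).get("Normalized", 0) < MIN_ASFF_SEVERITY:
            continue
        net = f.get("Network", {})
        ips.update(v for v in (net.get("SourceIpV4"), net.get("DestinationIpV4")) if v)
        ips.update(v for k, v in f.get("ProductFields", {}).items()
                   if k.endswith("remoteIpDetails/ipAddressV4"))
    return ips


def extract_ips(event):
    """Blockable public IPs named by one EventBridge event (empty set if none)."""
    detail = event.get("detail", {})
    kind = event.get("detail-type")
    if kind == "GuardDuty Finding":
        ips = _guardduty_ips(detail)
    elif kind == "Security Hub Findings - Imported":
        ips = _securityhub_ips(detail)
    else:
        ips = set()
    return {ip for ip in ips if is_blockable(ip)}


def build_register_payload(ips, tag=BLOCK_TAG, timeout=TAG_TIMEOUT_SECONDS):
    """User-ID XML: <uid-message><type>update</type><payload><register>...
    Each entry binds an IP to the tag; the DAG resolves to the tagged IPs."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "type").text = "update"
    register = ET.SubElement(ET.SubElement(root, "payload"), "register")
    for ip in sorted(ips):
        tag_el = ET.SubElement(ET.SubElement(register, "entry", ip=ip), "tag")
        ET.SubElement(tag_el, "member", timeout=str(timeout)).text = tag
    return ET.tostring(root, encoding="unicode")


def send_to_firewall(xml_payload):
    """POST to the PAN-OS XML API (type=user-id); the only network call here."""
    url = "https://%s/api/" % os.environ["FW_HOST"]
    body = urllib.parse.urlencode({"type": "user-id", "key": os.environ["FW_API_KEY"],
                                   "cmd": xml_payload}).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body), timeout=10) as r:
        return r.read()


def lambda_handler(event, context=None):
    ips = extract_ips(event)
    if ips:
        send_to_firewall(build_register_payload(ips))
    return {"registered": sorted(ips)}


# Constructed sample events in the EventBridge envelope (documentation IPs).
SAMPLE_GUARDDUTY_EVENT = {
    "detail-type": "GuardDuty Finding",
    "detail": {"severity": 8, "type": "UnauthorizedAccess:EC2/SSHBruteForce",
               "service": {"action": {"networkConnectionAction": {
                   "connectionDirection": "INBOUND",
                   "remoteIpDetails": {"ipAddressV4": "198.51.100.23"}}}}}}
SAMPLE_SECURITYHUB_EVENT = {
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [
        {"Severity": {"Normalized": 70}, "Network": {"SourceIpV4": "203.0.113.9"}},
        {"Severity": {"Normalized": 70}, "Network": {"SourceIpV4": "10.1.20.14"}},
        {"Severity": {"Normalized": 10}, "Network": {"SourceIpV4": "192.0.2.77"}}]}}
```

Registering an IP-to-tag mapping changes DAG membership without a commit, which is what lets the slides say the policy updates without administrative intervention; the deny rule that references the DAG (as source and destination, to catch both inbound probes and outbound callbacks) is configured once. The private-address filter matters in practice: a finding about an internal address, or an attacker-controlled field in a third-party Security Hub product, must never be able to register your own VPC ranges into a block group.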

VM-Series integration with VPC Traffic Mirroring

How it works
• The VM-Series integration with Traffic Mirroring is a scalable and non-obtrusive approach to detecting threats, for out-of-band protection
• VM-Series firewalls can be deployed behind an NLB and associated with an Auto Scaling group, allowing the firewalls to scale out if needed
• VM-Series is able to inspect the VXLAN traffic that Traffic Mirroring uses to encapsulate the instance’s communications
• Out-of-band deployment supports granular visibility into application traffic and detection of network-borne threats through inspection of mirrored traffic
• Rapid detection and response against advanced attacks using an AI-driven approach, with Cortex XSOAR

Customer benefits
• Out-of-band inspection
• No routing changes necessary
• Scalable inspection within a VPC
• Works across a Transit Gateway
• Actioning with Lambda and/or Cortex XSOAR

Diagram: traffic from App 1 and App 2 is mirrored by VPC Traffic Mirroring rules to an NLB in front of an auto-scaled VM-Series group; the firewalls forward logs to Cortex Data Lake, where Cortex XDR raises critical alerts and Cortex XSOAR (formerly Demisto) drives response through task automation, the playbook editor, a war room, behavioral analytics and auto-documentation.

VM-Series integration with VPC Ingress Routing

How it works
• Protect your applications and data from inbound internet threats with a smooth firewall insertion process
• Ingress Routing provides an option for secure connectivity to and from a VPC with minimal changes to the existing infrastructure
• Define routing rules at the Internet Gateway (IGW) and Virtual Private Gateway (VGW) level to redirect ingress traffic to third-party appliances, such as the VM-Series virtual firewalls
• Associate route tables to your virtual private gateway and add route rules to redirect all ingress traffic to AWS services through the firewalls

Diagram (customer VPC 10.1.0.0/16): an active VM-Series (eni-005e624) and a standby VM-Series (eni-0176e0f) sit in the UnTrust subnet in front of APP1 (10.1.20.0/24). The Internet Gateway’s own route table (the edge association) steers inbound traffic for the VPC to the active firewall’s ENI.
UnTrust subnet route table: 0.0.0.0/0 → igw-05b811; 10.1.0.0/16 → local
Trust subnet route table: 10.1.0.0/16 → local
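The route tables above decide whether the firewall actually sees a session, so here is an added Python model of them that traces an inbound flow and its return path. It is not AWS or Palo Alto Networks code. The diagram's identifiers (igw-05b811, eni-005e624) are used as opaque labels; the firewall's trust-side ENI label eni-fw-trust, the client address 203.0.113.7, the APP1 host 10.1.20.5, and the "bypass" and "fixed" variants of the trust-subnet route table are assumptions, since the diagram only shows the local route for that subnet.

```python
"""Route-table model of the Ingress Routing slide: trace an inbound flow and
its return to check both directions traverse the VM-Series. Added example,
not AWS or Palo Alto Networks code. Identifiers from the diagram (igw-05b811,
eni-005e624) are used as labels; FW_TRUST_ENI and the sample addresses are
assumed because the diagram does not show them."""
import ipaddress

IGW = "igw-05b811"
FW_UNTRUST_ENI = "eni-005e624"   # active VM-Series, untrust side (from the diagram)
FW_TRUST_ENI = "eni-fw-trust"    # assumed label for the firewall's trust-side ENI

# Route tables as (destination CIDR, target). The IGW table is the "edge
# association" Ingress Routing adds: it applies to packets entering via the IGW.
IGW_ROUTE_TABLE = [("10.1.0.0/16", FW_UNTRUST_ENI)]
UNTRUST_ROUTE_TABLE = [("10.1.0.0/16", "local"), ("0.0.0.0/0", IGW)]
TRUST_ROUTE_TABLE_AS_DRAWN = [("10.1.0.0/16", "local")]
TRUST_ROUTE_TABLE_BYPASS = [("10.1.0.0/16", "local"), ("0.0.0.0/0", IGW)]
TRUST_ROUTE_TABLE_FIXED = [("10.1.0.0/16", "local"), ("0.0.0.0/0", FW_TRUST_ENI)]


def lookup(table, dst):
    """Longest-prefix match over a route table; None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, target in table:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return None if best is None else best[1]


def trace_inbound(app_ip, igw_table=IGW_ROUTE_TABLE):
    """Internet -> IGW -> (edge route table) -> app. An ENI target means the
    packet is handed to the firewall, which forwards it on its trust side."""
    hops = ["internet", IGW]
    target = lookup(igw_table, app_ip)
    if target not in (None, "local"):
        hops.append("vm-series")
    hops.append("app:" + app_ip)
    return hops


def trace_return(client_ip, trust_table):
    """App -> (app subnet route table) -> ... -> internet."""
    hops = ["app"]
    target = lookup(trust_table, client_ip)
    if target == FW_TRUST_ENI:
        hops.append("vm-series")
        target = lookup(UNTRUST_ROUTE_TABLE, client_ip)  # firewall egresses via untrust
    if target == IGW:
        hops += [IGW, "internet"]
    else:  # 'local' cannot reach an external client; None means no route at all
        hops.append("dropped: no route to %s" % client_ip)
    return hops


def inspected_both_ways(app_ip, client_ip, trust_table):
    """True only if the firewall sees the flow in both directions; otherwise a
    stateful firewall sees half a session and the connection fails or bypasses it."""
    return ("vm-series" in trace_inbound(app_ip)
            and "vm-series" in trace_return(client_ip, trust_table))


if __name__ == "__main__":
    for name, table in (("as drawn", TRUST_ROUTE_TABLE_AS_DRAWN),
                        ("bypass", TRUST_ROUTE_TABLE_BYPASS),
                        ("fixed", TRUST_ROUTE_TABLE_FIXED)):
        print(name, trace_return("203.0.113.7", table),
              "symmetric" if inspected_both_ways("10.1.20.5", "203.0.113.7", table)
              else "ASYMMETRIC")
```

The check to take away: the edge route table only covers the inbound direction. The application subnet's default route has to point at the same firewall's trust ENI, not at the IGW, or return traffic skips inspection and the firewall's session state never completes; with the active/standby pair in the diagram, both the edge route and that default route must be repointed together on failover.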

Internet Gateway route table: 10.1.0.0/16 → eni-005e624

Customer benefits
• Security insertion into a VPC without routing or EIP changes
• Inspect traffic traversing an IGW or VGW
• Positioned for growth with the addition of Appliance Gateway
• Great option for an existing VPC deployment

Prisma Cloud
Security across your full-lifecycle and full-stack AWS workloads with Prisma Cloud integrations

• Vulnerability and Infrastructure as Code (IaC) scanning integrated across IDE, SCM, and CI tools
• Bring security into the build phase
• Implement security checks into CD workflows and registries to prevent insecure deployments
• Complete visibility and governance with total protection across the entire stack, anywhere

AWS integrations: Amazon GuardDuty, AWS Security Hub, AWS FireLens
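What a "security check in the CD workflow" looks like in practice, as an added Python example: a pipeline step that scans a CloudFormation template for security groups opening administrative ports to the internet and returns a non-zero exit status to block the deployment. This is not Prisma Cloud's IaC scanner or its policy set. The template, its logical IDs, the list of admin ports and the exit-code contract are this example's own constructions.

```python
"""CI/CD gate that fails a CloudFormation template exposing admin ports to the
internet, in the 'security checks in CD workflows' position the slide describes.
Added example, not Prisma Cloud's IaC scanner or its policy set. The template
and its logical IDs are constructed; the port list and the exit-code contract
are this example's own choices."""
import json
import sys

ADMIN_PORTS = {22, 3389}                  # SSH and RDP: never open to the world
ANY_SOURCE = {"0.0.0.0/0", "::/0"}

# Constructed template: one compliant web SG, two rules that must be blocked.
TEMPLATE = json.loads("""{
  "Resources": {
    "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "GroupDescription": "web", "SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}},
    "AdminSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "GroupDescription": "admin", "SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/8"}]}},
    "RdpRule": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
      "GroupId": {"Ref": "AdminSg"}, "IpProtocol": "-1", "CidrIpv6": "::/0"}}
  }
}""")


def ingress_rules(resource):
    """Yield ingress rules from both inline and standalone SG ingress resources."""
    props = resource.get("Properties", {})
    if resource.get("Type") == "AWS::EC2::SecurityGroup":
        yield from props.get("SecurityGroupIngress", [])
    elif resource.get("Type") == "AWS::EC2::SecurityGroupIngress":
        yield props


def exposed_admin_ports(rule):
    """Admin ports this rule opens to the internet; IpProtocol -1 means all ports."""
    if not ({rule.get("CidrIp"), rule.get("CidrIpv6")} & ANY_SOURCE):
        return set()
    if str(rule.get("IpProtocol")) == "-1":
        return set(ADMIN_PORTS)
    lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
    return {p for p in ADMIN_PORTS if lo <= p <= hi}


def scan_template(template):
    """Return violations as (logical_id, port, cidr); an empty list is a pass."""
    violations = []
    for logical_id, resource in template.get("Resources", {}).items():
        for rule in ingress_rules(resource):
            cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
            for port in sorted(exposed_admin_ports(rule)):
                violations.append((logical_id, port, cidr))
    return violations


def gate(template):
    """Exit status for the pipeline step: 0 to deploy, 1 to block."""
    return 1 if scan_template(template) else 0


if __name__ == "__main__":
    for logical_id, port, cidr in scan_template(TEMPLATE):
        print("BLOCK: %s opens tcp/%d to %s" % (logical_id, port, cidr))
    sys.exit(gate(TEMPLATE))
```

Two details carry over to any real gate: standalone AWS::EC2::SecurityGroupIngress resources must be scanned as well as the inline list, or a rule added in a second template slips past, and IpProtocol -1 must be treated as every port rather than as a missing port range.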

Prisma Cloud
Secure the full lifecycle with Prisma Cloud

BUILD → DEPLOY → RUN

Diagram: developer repositories (Dev Repo A–D) feed central repositories (Central Repo 1 and 2), which feed the CI/CD pipeline and registry, which in turn deploy to workloads and services.
• Build: IaC configuration scanning via IDE and SCM plugins
• Deploy: IaC and vulnerability scanning in CI/CD and the registry
• Run: security, compliance and visibility across workloads and services

Prisma Cloud integration with Amazon GuardDuty (Enterprise edition)

How it works
• Continuously ingests resource configurations (AWS SDK), user activity (CloudTrail) and network flow (VPC Flow Logs)
• Imports findings from Amazon GuardDuty and host vulnerabilities from Amazon Inspector
• Prisma Cloud collects, aggregates, normalizes and correlates data from various AWS services across multiple accounts
• Findings and vulnerabilities are correlated with resource configurations, network flows and user/account activity
• Prisma Cloud runs out-of-the-box policies and customer-defined security and compliance policies against data from AWS
• Presents relevant findings and vulnerabilities from GuardDuty and Inspector to enable the SOC investigation and remediation workflow

Customer benefits
• Prisma Cloud adds context and correlates findings from Inspector and GuardDuty with AWS resource configurations and network traffic
• 360-degree view of AWS resources (e.g. EC2 instances) with configuration info, network settings, network traffic, vulnerabilities from Inspector, GuardDuty findings, user activity and audit history on a single pane of glass
• Customers can filter Inspector CVEs and GuardDuty findings
• Prioritize remediation of Inspector and GuardDuty findings (e.g. show all EC2 instances with open security groups receiving malicious internet traffic, with unpatched CVEs and open GuardDuty findings)

Diagram: data sources (AWS SDK → resource configurations; CloudTrail → user activity; Flow Logs → network traffic; Inspector → host vulnerabilities; GuardDuty → malicious activity) feed collection, aggregation, normalization and correlation, then policy-based and ML-assisted detection, surfacing visibility, compute/network/identity security, and compliance and governance to prevent, detect and respond.
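The prioritization query in the last bullet, carried out over constructed samples of the four data sources the slide names, as an added Python example. It is not Prisma Cloud's correlation engine or its query language; it shows what the join has to do: parse flow logs, resolve which ports each instance's security groups open to the internet, and keep only instances where a GuardDuty-flagged IP was accepted on an open port and Inspector reports unpatched CVEs. All records are constructed, the instance and security-group IDs are placeholders, and the Inspector column is a CVE count rather than real identifiers.

```python
"""Correlate constructed samples of the slide's data sources: security-group
configuration, VPC Flow Logs, Inspector findings and GuardDuty findings, to
answer its example query (EC2 instances with an open security group that are
receiving traffic from a GuardDuty-flagged IP and carry unpatched CVEs).
Added example; not Prisma Cloud's correlation engine or its query language.
All records below are constructed; the CVE column is a count, not real IDs."""

# Constructed resource configurations (what an AWS SDK describe call returns).
INSTANCES = [
    {"id": "i-web01", "ip": "10.1.1.10", "security_groups": ["sg-web"]},
    {"id": "i-db01", "ip": "10.1.2.10", "security_groups": ["sg-db"]},
    {"id": "i-bastion", "ip": "10.1.1.20", "security_groups": ["sg-admin"]},
]
SECURITY_GROUPS = {  # ingress rules: (from_port, to_port, source CIDR)
    "sg-web": [(443, 443, "0.0.0.0/0"), (22, 22, "0.0.0.0/0")],
    "sg-db": [(5432, 5432, "10.1.0.0/16")],
    "sg-admin": [(22, 22, "0.0.0.0/0")],
}
# Constructed VPC Flow Log records in the version-2 default format.
FLOW_LOGS = """\
2 123456789012 eni-web01 203.0.113.9 10.1.1.10 51422 22 6 40 3200 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-web01 198.51.100.4 10.1.1.10 44010 443 6 12 9000 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-db01 203.0.113.9 10.1.2.10 51423 5432 6 3 180 1600000000 1600000060 REJECT OK
2 123456789012 eni-bastion 192.0.2.55 10.1.1.20 40001 22 6 8 640 1600000000 1600000060 ACCEPT OK
"""
# Constructed Inspector results: per-instance count of unpatched HIGH/CRITICAL CVEs.
INSPECTOR = {"i-web01": 3, "i-db01": 1, "i-bastion": 0}
# Constructed GuardDuty findings: affected instance, remote IP, severity, type.
GUARDDUTY = [
    {"instance": "i-web01", "remote_ip": "203.0.113.9", "severity": 8.0,
     "type": "UnauthorizedAccess:EC2/SSHBruteForce"},
    {"instance": "i-db01", "remote_ip": "203.0.113.9", "severity": 5.0,
     "type": "Recon:EC2/PortProbeUnprotectedPort"},
]

INTERNET = ("0.0.0.0/0", "::/0")


def parse_flow_log(line):
    """Fields of a v2 record: version account eni src dst sport dport proto
    packets bytes start end action log-status."""
    f = line.split()
    return {"eni": f[2], "src": f[3], "dst": f[4], "dport": int(f[6]),
            "protocol": f[7], "bytes": int(f[9]), "action": f[12]}


def open_ports(sg_ids):
    """Port ranges reachable from the whole internet across an instance's SGs."""
    return [(lo, hi) for sg in sg_ids for lo, hi, cidr in SECURITY_GROUPS[sg]
            if cidr in INTERNET]


def correlate(instances=INSTANCES, flow_text=FLOW_LOGS, inspector=INSPECTOR,
              guardduty=GUARDDUTY):
    """Join the four sources per instance and rank those matching all four
    conditions (open SG, accepted flow from a flagged IP on an open port,
    unpatched CVEs, open GuardDuty finding). Returns rows sorted by score."""
    flagged = {g["remote_ip"] for g in guardduty}
    flows = [parse_flow_log(line) for line in flow_text.splitlines() if line.strip()]
    ranked = []
    for inst in instances:
        exposed = open_ports(inst["security_groups"])
        hits = [f for f in flows if f["dst"] == inst["ip"] and f["action"] == "ACCEPT"
                and f["src"] in flagged
                and any(lo <= f["dport"] <= hi for lo, hi in exposed)]
        findings = [g for g in guardduty if g["instance"] == inst["id"]]
        cves = inspector.get(inst["id"], 0)
        if not (exposed and hits and findings and cves):
            continue  # the query asks for all four; anything less ranks below
        score = max(g["severity"] for g in findings) * 10 + cves * 5 + len(hits) * 2
        ranked.append({"instance": inst["id"], "score": score,
                       "open_ports": exposed, "malicious_flows": len(hits),
                       "unpatched_cves": cves, "findings": [g["type"] for g in findings]})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for row in correlate():
        print(row)
```

In the sample, i-db01 has a GuardDuty finding and a CVE but its only security group is internal and the probe was rejected, and i-bastion is exposed but has no flagged traffic and no CVEs, so only i-web01 comes out of the join. The point of the correlation is exactly that: each source alone would page an analyst about two or three instances, the join narrows it to the one where exposure, attacker interest and an exploitable weakness coincide.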
Prisma Cloud integration with AWS Security Hub (Enterprise edition)

How it works
• Prisma Cloud continuously collects resource configuration data, user activities and network traffic (resource configs, VPC Flow Logs, CloudTrail) from the customer’s AWS accounts using AWS APIs
• Runtime and application threats from compute and container workloads are collected using the Defenders
• Using hundreds of security and compliance checks, Prisma Cloud detects a variety of risks, threats and compliance violations
• Prisma Cloud generates alerts and continuously sends them to AWS Security Hub as findings and insights

Customer benefits
• Customers have a single pane of glass to review and monitor the security posture of their AWS environment

Diagram: Prisma Cloud reads resource configs, VPC Flow Logs, CloudTrail and Defender detections from the AWS account (VPCs and instances) and forwards its findings to AWS Security Hub.

Prisma Cloud with AWS FireLens (Compute edition)

How it works
• Adopt DevSecOps practices and address the needs of both DevOps and SecOps teams with the Prisma Cloud Compute Edition integration with FireLens
• Give security teams access to high-fidelity security logs and incidents that are seamlessly aggregated into AWS services such as CloudWatch, Athena, and Kinesis
• Prisma Cloud Compute Edition secures workloads deployed on AWS services such as Amazon ECS, Amazon EKS, and AWS Fargate
• With minimal additions to deployment scripts such as container YAML files, high-fidelity image, serverless, vulnerability and incident data from Prisma Cloud Compute Edition is streamed to backend data sources on AWS

Customer benefits
• Empowers SecOps to build security into their existing DevOps pipelines, and can integrate into logging frameworks to provide increased visibility into security incidents
• The Prisma Cloud integration with AWS FireLens enables the adoption of DevSecOps practices by addressing the needs of both the DevOps and SecOps teams

Diagram: in the deployment phase, DevOps deploy applications with Defenders onto ECS/EKS cluster nodes from the command line interface or the AWS Console; in the runtime phase, Defender logs and application logs flow through FireLens into Amazon Kinesis Data Firehose, Amazon S3 and Amazon Athena, where SecOps consume them.

Prisma Cloud - Securing AWS workloads

• Prisma Cloud provides vulnerability and compliance management, runtime behavior-based anomaly detection, and cloud-native layer-4 network and layer-7 application protection firewalls for AWS workloads
• Analyze Docker images and AMIs for vulnerabilities, compliance and secrets across CI/CD and registries
• Visualize runtime topology, detect application threats, segment east-west traffic
• Set up rules for alerts or actions
• Collect audit events and collate incidents for threat detection and forensics
• Integrate findings from container and serverless deployments into Security Hub
• Pool logs from Defenders along with the ECS/EKS clusters into FireLens for analysis

Coverage (Compute edition): CI/CD (AWS CodePipeline, AWS CodeDeploy); Compute (Amazon EC2, AWS Lambda, VMware Cloud on AWS); Containers (Amazon ECR, Amazon ECS, Amazon EKS, AWS Fargate, AWS App Mesh); Integrations (AWS FireLens; AWS Security Hub, Enterprise edition)

Prisma Cloud with AWS compute and container workloads (Compute edition)

How it works

• Prisma Cloud Defenders are deployed on the compute and container workloads
• Deployment options are specific to the compute stack: EC2 instances (kernel module), ECS, EKS, Fargate (sidecar to the task) and Lambda (as layers)
• Defenders collect data for various security parameters that are analyzed and evaluated for vulnerabilities, compliance, and threats at Prisma Cloud
• Defenders also provide preventive actions like blocking anomalous processes, killing or quarantining containers, and blocking execution within the functions to protect the workloads

Diagram: Defenders per platform: EC2 instances (kernel-module host Defender), ECS/EKS nodes (container Defender per node/pod), Fargate (embedded in the task) and Lambda (function layer), all reporting to Prisma Cloud.

Customer benefits
• Comprehensive security coverage for the compute stack across the full application lifecycle
• Gain total visibility of your AWS deployments (hosts, containers, and serverless), their topology and the inter-application communication with Prisma Cloud’s Radar view
• Shift left: automate security detections in the CI/CD pipeline and set up security gates to avoid the risk of deploying vulnerable applications
• Manage security and prioritize risks for dynamic runtime deployments with advanced machine learning, automating detection and response to threats

Diagram: BUILD (CI tools: AWS CodePipeline) → SHIP (registry: Amazon ECR) → RUN (compute: AWS EC2 instances, AWS ECS/EKS/Fargate, AWS Lambda)

Prisma Cloud customer use case: Western Asset Management technical architecture

Benefits
1. Pinpoint risks across environments in real time
2. Granular monitoring of IAM activities and privileged access
3. Visibility into overly permissive IAM configurations
4. Both inbound and outbound network traffic monitoring across accounts
5. Single pane of view

Diagram: Prisma Cloud applies governance policies and centralized dashboards across the Sandbox, QA and Production accounts, monitoring the security groups and IAM in each.

Cortex XSOAR
Automate security team responses with Cortex XSOAR integration with AWS

• Cortex XSOAR is a comprehensive Security Orchestration, Automation & Response (SOAR) platform
• Automate up to 95% of all response actions requiring human review
• Ingest alerts across sources and execute standardized, automatable playbooks for accelerated incident response
• Parse, manage, and act on threat intelligence

Diagram: Amazon GuardDuty, Amazon Inspector, AWS Security Hub, Amazon CloudWatch Events, Amazon Macie and third-party providers feed Cortex XSOAR, which detects, aggregates, reports and takes action.

Prisma Cloud and Cortex XSOAR with AWS Security Hub

How it works
• Prisma Cloud alerts on AWS resource misconfigurations, compliance violations, risks and anomalous user activities are ingested in Cortex XSOAR, triggering automated playbooks to speed response
• Comprehensive out-of-the-box auto-remediation playbooks address AWS security use cases such as IAM policy, EC2 instance and security group misconfigurations
• Multi-source alert and threat data ingestion, case management, and real-time collaboration features provide a single location for incident response investigation and end-to-end incident lifecycle management
• Leverage hundreds of Cortex XSOAR product integrations to coordinate and automate response across hybrid cloud and on-premise environments

Customer benefits
• Eliminate repetitive, manual tasks so analysts can focus on critical threats and reduce their MTTR (mean time to respond) from hours to minutes
• Automated playbooks make the policy compliance process predictable, repeatable and measurable
• Gain visibility and control over your incident response with one platform to collaborate, investigate and document

Diagram: cloud-hosted Cortex XSOAR ingests from, and feeds back to, AWS Security Hub, Amazon GuardDuty, Amazon EC2, AWS CloudTrail, AWS IAM, Amazon Athena, AWS Lambda, Amazon S3, Amazon Route 53, Amazon CloudWatch, Amazon SQS, IAM Access Analyzer, Amazon DynamoDB, AWS Certificate Manager, Amazon SageMaker and threat intelligence feed sources; on premise it connects to SIEM, EDR, firewall, email, UEBA and ticketing systems.

Accelerate cloud security with Palo Alto Networks and AWS today

The AWS Marketplace makes it easy to find, test, buy and deploy software that runs on AWS.

Find Palo Alto Networks solutions in the AWS Marketplace:
• Prisma Cloud
• VM-Series Next-Generation Firewall
• Learn more about Cortex XSOAR

AWS security resources:
• AWS Security
• AWS Partner Network
• AWS Marketplace

Learn more about security solutions from AWS:
• Amazon GuardDuty
• AWS Security Hub
• AWS Transit Gateway
• Elastic Load Balancing
• Traffic Mirroring
• Amazon VPC Ingress Routing
• Amazon Inspector
• AWS FireLens