Bringing High-Fidelity Threat Intelligence to Prisma Cloud

Jul 13, 2020
3 minutes
... views

This post is also available in: 日本語 (Japanese)

We've integrated AutoFocus threat intelligence into Prisma Cloud. This will allow users to realize the promise of threat intelligence for their cloud security. Users will get the intelligence, analytics and context required to detect attacks and understand which ones require an immediate response — you’ll even gain the ability to predict and prevent future attacks.

We hear often that cloud SOCs are overwhelmed with alerts. In addition to their sheer volume, alerts lack context or clarity, making risk prioritization and remediation slow, ultimately exposing vulnerabilities for too long. Of course, we know that accurate threat intelligence is the key to high-fidelity alerts. But most solutions today require the collection of multiple, disparate feeds for accurate threat management and risk prioritization.

 

What AutoFocus Provides

AutoFocus provides a massive repository of high-fidelity threat intelligence, crowdsourced from a massive footprint of network, endpoint and cloud intelligence sources. Every threat is enriched with the deepest context from our own Unit 42 threat researchers.

Auto Focus brings threat intelligence to Prisma Cloud, and the numbers show it. Crowdsourced from a massive footprint of network, endpoint and cloud intelligence sources, AutoFocus brings together more than 14 billion suspicious samples, 7 trillion artifacts, 65,000 enterprise customers, 2 billion daily URL queries, 46 million daily DNS queries and 300 million monthly never before seen samples. The image displays these numbers and intelligence sources in a chart.

Prisma Cloud now leverages the power of AutoFocus to:

  • Detect: Automatically detect and alert across over 15 categories of common public cloud threats including cryptomining, ransomware, Linux malware, backdoor malware, hacking tools and more. This is achieved through new out-of-the-box policies that leverage the curated AutoFocus IP Threat Intel Feed.
  • Investigate: Gain the ability to use Resource Query Language (RQL) to run network investigations and discover cloud-specific threats detected by AutoFocus. 
  • Understand: See detailed context on identified threats based on AutoFocus intelligence, allowing SOC teams to fully understand the depth and scope of threats.

AutoFocus is bundled with Prisma Cloud Enterprise Edition and enables threat hunters to seamlessly search for even more details based on the investigation results from Prisma Cloud. 

 

How It Works

Threat intelligence from AutoFocus will automatically populate in the Prisma Cloud Console. 

The screenshot below shows how AutoFocus surfaces deeper insight for a suspicious resource within a public cloud account:

AutoFocus brings threat intelligence to Prisma Cloud in part by surfacing deep insight for a suspicious resource within a public cloud account, as shown in this screenshot of the AutoFocus threat feed in Prisma Cloud.
AutoFocus threat feed in Prisma Cloud

With AutoFocus integrated into Prisma Cloud, users can obtain deep insight into any flagged suspicious IP connections:

With the integration of AutoFocus, bringing threat intelligence to Prisma Cloud, users can obtain deep insight into any flagged suspicious IP connections, as shown in this screenshot.
Detailed investigative information in Prisma Cloud

With the addition of AutoFocus, Prisma Cloud provides users with comprehensive threat intelligence and vulnerability data sourced across multiple unique sources:

  • Prisma Cloud Intelligence Stream: Our own collection of 30-plus upstream data sources across commercial, open-source and proprietary feeds; offering vulnerability data for hosts, containers and functions as well as malware and IP-reputation lists.
  • Palo Alto Networks sources: In addition to AutoFocus, Prisma Cloud integrates with WildFire for malware scanning as part of data security capabilities.
  • Third-party sources: Prisma Cloud integrates with data provided from Qualys, Tenable, AWS Inspector and others to provide a single view into risk within cloud environments.

When combined with AutoFocus, Prisma Cloud lets users experience unmatched alert accuracy with the risk clarity required to effectively protect today’s highly dynamic, distributed cloud environments.

 

How to Begin Using AutoFocus in Prisma Cloud

The AutoFocus integration is now available for existing Prisma Cloud Enterprise Edition users, providing the powerful insights discussed above. 

New users can begin a free trial of Prisma Cloud today.


Subscribe to the Blog!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.