Palo Alto Networks is introducing a service that tips customers off when it discovers unique or particularly dangerous attacks against their networks, giving them a heads up that perhaps they are the targets of particularly resourceful, dedicated adversaries.
Called AutoFocus, the service is an add-on to the company’s existing cloud-based service WildFire that constantly analyzes all its customers’ networks for malware and exploits and downloads new rules every 15 minutes to Palo Alto gear to automatically block the new threats it finds.
AutoFocus sorts through all the attacks it discovers and breaks them down into components and looks for the same components being used in other attacks. If it finds similar tools, techniques and procedures (TTP) being used in other attacks, it makes a correlation that may indicate the same adversary is behind them.
It may find that the attack is unique, never seen before among the 360 million malware sessions Palo Alto has gathered from customer networks comprised of 30 billion individual malicious behaviors of malware it has found. In that case the attack is flagged because it means the customer has been targeted by an organization with resources to come up with new TTPs and has chosen to expend this valuable attack resource on them.
The goal of AutoFocus is to provide information about the attacks it discovers and the attackers so customers can look for indicators that the same group is trying other attacks it is known for. “It puts what we’re seeing in context,” says Phil Cummings, system administrator for Health Information Technology Services of Nova Scotia, a health network with 20,000 endpoints.
What gets flagged may be a repeat of an attack six months ago, indicating a persistent adversary, or just linking different events together, such as finding a common IP address used in different attacks, he says.
Customers receive alerts from AutoFocus via the console or email or posted to a Web site to call attention to them. Then they can dig deeper to find out more about the attack.
The AutoFocus dashboard supplies information about flagged attacks with tags that flesh out whether they come from a particular group or whether they are part of a larger campaign against a particular industry, for example. The tags are sorted into three groups, those supplied by Palo Alto threat researchers, those supplied by the customer itself based on its own analysis, and those supplied by other Palo Alto customers based on their experiences.
Customers can choose the type of alerts AutoFocus supplies, such as those unique to a particular customer, to the industry – defense, finance, healthcare - the customer is part of, or to the Internet at large.
All the alerts AutoFocus sends are vetted by analysts at Palo Alto’s threat research group called Unit 42.
Palo Alto will start rolling out AutoFocus the week of April 19 to a group of Palo Alto customers. The company has set up a Web site where customers can register to participate. Pricing and general availability of the service is scheduled for later this year.