Over the years many companies have looked to build integrations, but typically only with other products in their portfolios or to check a box. While this created an interesting marketing story, it wasn’t addressing the customer challenge.

Most organizations want to buy best of breed tools and then have these products work together to solve actual problems, yet we still see many security analysts having to spend their time jumping and searching between 30-40 different tools. One of our first customers used to tell me if I have 10 tools and one of them integrates with the other 9, then that tool is my most important tool.

As cyberattacks become increasingly sophisticated, more frequent, and the resource pool becomes more strained, the need for integrations grows exponentially. Managing disjointed security products makes it harder and more time consuming to investigate security events. Making these products speak a common language provides a comprehensive view into an ever-changing threat landscape, and the context security teams need to improve speed and accuracy.

Ideally, analysts need access to the data and the workflows to complete their jobs faster, no matter what tool they are using, meaning data and integrations need to flow both directions. Palo Alto Networks has been innovating the prevention layer since their beginning - and while they do a fantastic job at it, no security product will ever be 100% effective at blocking all threats.

The ProtectWise and Palo Alto partnership enables us to provide the forensic memory of the network in a platform that can analyze the network traffic continuously to find things that may have previously been missed and to deliver the full forensic data necessary to understand the impact to the organization.  

Our integration with Palo Alto Networks empowers security analysts with the data they need when they need it by offering a streamlined solution that provides complete detection-triage-remediation workflows, from the network to the firewall, giving analysts back valuable time they can use to investigate incidents and to threat hunt with greater efficiency.

When we analyzed the workflows and user experience of an analyst using The ProtectWise Grid we discovered a few very valuable integration use cases, including:

  • Context Fusion - Adding rich data - logs of threat detections or access - on demand to show the analyst if something was blocked, or to give them more details from other tools

  • Threat Detections - Feed external threat detections into The ProtectWise Grid to add additional data points for correlation

  • Remediation - Leverage the existing enforcement points on the network to block the attack in the future.

Today, The ProtectWise Grid leverages a robust API framework to easily pull in specific firewall log and threat information to add context. Another example is being able to integrate with Palo Alto Networks WildFire to validate if a file is truly malicious.

We are excited to announce at Ignite `17 that we can now help remediate an event now and in the future by leveraging Palo Alto Networks Firewalls as enforcement points.  When analysts are investigating a security event or threat observation in The ProtectWise Grid, they can now click an IP or domain and have it added to a block list on the Palo Alto Firewall automatically.

This new workflow allows analysts to view connections to the enterprise network and data sent on the network both retrospectively and in real-time. They also have access to unlimited forensics and retrospective analysis, making it easier to identify the cause of an attack confidently, and reducing the time required for remediation.

By pivoting from the log detail view in Panorama, or from the firewall management interface into The ProtectWise Grid, analysts also gain valuable context into security events and threat observations associated with a source or destination IP, as well as full-fidelity PCAP data for analysis. At any point analysts can view the PCAP and/or TCP or UDP stream associated with events and observations, enabling them to reduce incident response times.

Please join ProtectWise for a demonstration of our Palo Alto Networks integration live June 12-15 in booth 124 at Ignite `17 in Vancouver. This integration is one example of how our open platform enables security teams to perform faster, more reliable threat investigations, alongside our partnerships with Carbon Black, Demisto, Gigamon, and Phantom Cyber. ProtectWise also arms security teams with limitless retrospective and forensic capabilities, to discover threats that were previously missed and to use what was discovered to remediate security events predictively in the future.

Next blog post