In this week's Tips & Tricks, we will be talking about AutoFocus. As we have been focusing on threats recently with the new Threat Vault and WildFire, we also want to talk about how AutoFocus supports a proactive approach to security and prevention. What better way to start our conversation about AutoFocus than with an FAQ?
What is AutoFocus?
AutoFocus is the threat research and intelligence service launched by Palo Alto Networks that allows you to quickly identify threats targeting your environment, and to contextualize them within the greater threat landscape.
The objectives of AutoFocus are to:
Simplify the prioritization of threats.
Provide context to threat-related data, assist with gathering actionable information for remediation, and ultimately allow you to use this knowledge to strengthen your overall security posture.
Who is able to use AutoFocus?
AutoFocus is available to Palo Alto Networks customers who have paid for an AutoFocus subscription.
Is customer data kept confidential?
Yes, all customer data transmitted is used only for file analysis and kept secure.
Are searches of threat intel in AutoFocus limited to only private samples, or can the public database be used?
The search scope can be specified in the query (private, public, or all), so searches are not limited to just private samples.
How is the AutoFocus dashboard data generated?
AutoFocus uses the WildFire database to generate all the data from samples submitted to the WildFire service. If you do not have a WildFire subscription, you will not see any data when you view the “My Organization” dashboard. However, you will still be able to access public data.
How much does AutoFocus cost?
Please contact the Palo Alto Networks sales team or your SE for licensing.
Is the WF-500 hardware supported with AutoFocus?
If data is not being pushed to the public cloud, AutoFocus will not have any visibility into it, since AutoFocus relies on the WildFire database for information. Several approaches are under consideration for mining offline data in private WildFire clouds; however, nothing is available at this time.
What exporting functionality is provided in AutoFocus?
You can export AutoFocus artifacts, such as IP addresses, URLs, and domains to a CSV file. You can then use the CSV file to enable a Palo Alto Networks firewall to enforce policy based on AutoFocus artifacts or to import AutoFocus data to a security information and event management (SIEM) tool.
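As an added illustration of the export workflow described above (example code written for this page, not code from the original post or from Palo Alto Networks), the following script takes a small constructed CSV of exported artifacts, checks each value against its declared type, and produces deduplicated one-entry-per-line lists of the kind a PAN-OS External Dynamic List expects. The column names `artifact` and `type` are an assumption, not the product's documented export layout.

```python
import csv
import io
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample of an artifact export. Column names are an assumption
# for this example; the duplicate, the garbage row and the mislabelled row
# are there deliberately to exercise the validation.
SAMPLE_CSV = """artifact,type
198.51.100.23,ip
198.51.100.23,ip
example-bad.test,domain
http://example-bad.test/dl/a.bin,url
not a valid entry,domain
203.0.113.5,domain
2001:db8::1,ip
"""

# Hostname syntax only (labels of 1-63 chars, total length <= 253).
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z0-9-]{1,63}$")


def classify(value):
    """Return 'ip', 'domain', 'url' or None from the value itself, so the
    export's type column is cross-checked rather than trusted."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    parsed = urlparse(value)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return "url"
    if DOMAIN_RE.match(value.lower()):
        return "domain"
    return None


def csv_to_edl_lists(csv_text):
    """Split export rows into per-type, deduplicated lists; rows whose value
    is malformed or disagrees with the declared type are returned separately
    instead of silently landing in a firewall list."""
    lists = defaultdict(list)
    rejected = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        value = row["artifact"].strip()
        kind = classify(value)
        if kind is None or kind != row["type"].strip():
            rejected.append(value)
        elif value not in lists[kind]:
            lists[kind].append(value)
    return dict(lists), rejected


if __name__ == "__main__":
    edl, bad = csv_to_edl_lists(SAMPLE_CSV)
    for kind, entries in edl.items():
        print(f"# {kind} list ({len(entries)} entries)")
        print("\n".join(entries))
    print(f"# rejected rows: {bad}")
```

Each per-type list can be served as a plain-text file and referenced from the firewall as an External Dynamic List, while the rejected rows are what you review by hand before anything reaches policy.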
How does AutoFocus help you see whether you have been hacked?
First, you will receive an alert that WildFire has detected a sample identified as a particular piece of malware. You can then drill into the data and identify additional information, such as attempted connections, and check whether the same sample has been seen in other environments. Currently, WildFire detects unknown malware. However, that detection is not necessarily indicative of a breach, but rather of an attempt to compromise a system. AutoFocus provides the context to see whether this is part of a broad malware campaign or is uniquely targeted at a particular company or industry.
How is AutoFocus deployed?
AutoFocus is a cloud-hosted service provided by Palo Alto Networks. It is not deployed by customers as an appliance or VM. Instead, you purchase a subscription to access the AutoFocus portal.