Has anyone else had this happen? Obvious throwaway account is obvious but I need a little anonymity here. We have a dual vendor security stack featuring Palo and Cisco where our Cisco ASAs block traffic at the internet edge and our Palo Altos act as a secondary line of defense inbound from the internet as inline IPS units. We replaced our Cisco Sourecfires with Palos for vendor variety and capability in 90% of our locations but still use Sourcefires as inline IPS units in the other 10%. We recently saw our Palo gear allow two pieces of malware to get by them that were blocked by our Sourcefires. I've heard mention that Fortigate/Fortinet and Sourcefire have flagged things as high that Palo Alto hasn't in the past from our IR guys, but I seem to see nothing but positive and glowing reviews by others on most of Reddit. We definitely use strict rules that we have a lot of manual input on for our profiles and policies.
Does anybody know what procedure Palo uses to classify files & hashes as malware? How do they determine risk level? TAC is tight-lipped due to NDA and in the cases we've opened with them the only answer seems to be enable SSL-Decryption and we'll get back to you on the rest? Palo flagged them both as grayware once we opened a case.
No comments:
Post a Comment