In this post, we\u2019ll highlight new features in the Infrastructure Assurance 8.4 release, including an anomaly detection engine that uses machine learning models to identify outliers for several metrics in your Palo Alto Networks and BlueCat Integrity devices. Further, we\u2019ll delve into the new CVE analysis engine that uncovers device vulnerabilities for certain CVEs. And finally, we\u2019ll briefly highlight other reporting, alerting, and knowledge enhancements.<\/p>\n
![\"Diagram](\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/detect-anomalies-and-cve-risks-with-infrastructure-assurance-8-4.jpg?w=640&ssl=1\")
<\/p>\n
Anomaly detection engine<\/h2>\n
The anomaly detection engine uses machine learning models to identify outliers and unusual behaviors for several metrics in your Palo Alto Networks Next-Generation Firewalls and BlueCat Integrity<\/a> DNS and DHCP Server (BDDS) devices. An anomaly detection generates a warning alert.<\/p>\n With awareness of such anomalies, Infrastructure Assurance can identify early symptoms and emerging issues, allowing you to address them before they become bigger problems. Our implementation uses the standard score or z-score<\/a> method to detect anomalies. A z-score measures exactly how many standard deviations above or below the mean a data point is.<\/p>\n The system evaluates several metrics based on a week\u2019s worth of data points. The newly embedded time-series database stores these data points. When a new data point is collected, a z-score is calculated. An alert is generated if the z-score of that data point is greater than 3 (or less than -3). The alert will remain active for 10 minutes. During that time, if no other anomalies are detected, the alert will resolve itself and go into the cooldown state. If another data point has a z-score greater than 3 (or less than -3), the alert will remain active for another 10 minutes.<\/p>\n Next, we\u2019ll look at what metrics we\u2019re applying to the method to detect outliers and why they\u2019re important.<\/p>\n Palo Alto Networks Next-Generation Firewalls keep a count of all drops and what causes them. Analyzing these drop counters provides insights into the processes, packet flows, and sessions on the firewall. Infrastructure Assurance 8.4 now analyzes four global drop counters for anomaly detection.<\/p>\n For Integrity enterprise customers, Infrastructure Assurance provides proactive observability and automated troubleshooting<\/a> to root out hidden issues in your DDI environment, along with recommended steps to address them.<\/p>\n A new anomaly alert in Infrastructure Assurance 8.4 for Integrity BDDSes is \u201cA sudden increase in SERVFAIL\u201d. A temporary server overload or a temporary connectivity disruption can cause SERVFAIL errors<\/a>. A small number of SERVFAIL errors may not be of concern, but a spike in SERVFAIL errors could mean a combination of many issues that can lead to bigger problems.<\/p>\n For example, it could be a technical problem with your DNS servers, firewalls blocking users from going to a domain, or DNSSEC verification failures. These issues can cause downtime for many domains, users, or both. Any of these cases warrant an investigation.<\/p>\n In the screenshot below, Infrastructure Assurance displays anomalies it has identified in Integrity BDDSes, including issue descriptions and recommended remediation steps.<\/p>\n And a final note: This anomaly detection feature is not enabled by default. Infrastructure Assurance customers should contact Customer Success<\/a> for assistance with enabling it.<\/p>\n Coalition\u2019s 2024 Cyber Threat Index<\/a> anticipates that the total count of published common vulnerabilities and exposures (CVEs) for 2024 will rise by 25%. This expected sharp increase in CVEs further heightens security concerns. CVE disclosures put tremendous pressure on an already overloaded security team, making automation essential.<\/p>\n Infrastructure Assurance\u2019s CVE analysis engine analyzes a network device\u2019s vulnerability. The engine automatically compares CVE information from MITRE\u2019s CVE database<\/a> and NIST\u2019s National Vulnerability Database<\/a> with OS versions running on the devices in your network. Using this comparison, Infrastructure Assurance will automatically generate alerts for devices exposed to certain CVEs.<\/p>\n Imagine the possibility of receiving near real-time alerts about new CVEs that impact your environment. Coupled with Infrastructure Assurance\u2019s new system-defined CVE report, you can get a list of devices with vulnerabilities categorized by severity with just a click. You can run this report after every upgrade to detect new CVEs impacting your environment.<\/p>\n In the screenshots below, Infrastructure Assurance\u2019s system-defined CVE report displays devices with CVE vulnerabilities, categorized by severity.<\/p>\n Infrastructure Assurance 8.4\u2019s new CVE analysis engine brings more than 200 alerts, dated from 2022 and onward, to the release. Supported devices for the CVE analysis engine include Broadcom Symantec (formerly Blue Coat) Content Analysis series and ProxySG, Check Point secure gateways, Cisco ASA, F5 BIG-IP Local Traffic Manager (LTM), Fortinet FortiGate firewalls and Palo Alto Networks Next-Generation Firewalls.<\/p>\n Further, so as not to overwhelm the Issues page with more than 200 new alerts, Infrastructure Assurance 8.4 includes a new rule category called CVE. By design, the Issues page and the Knowledge Explorer page exclude rules from the CVE category.<\/p>\n To see rules in the CVE category, reset the default filters by selecting CVE in the Categories column. The new rule headline shows the CVE ID (CVE-2024-xxx). The description consists of details about the vulnerability.<\/p>\n You can also navigate to your CVE alerts from the Issues-At-A-Glance widget from the analytics dashboard.<\/p>\n Infrastructure Assurance 8.4 also includes enhancements to reporting features, more control over how many alerts you receive, and more than 200 auto-detection knowledge enhancements.<\/p>\n The release introduces a new out-of-the-box Payment Card Industry Data Security Standard<\/a> (PCI DSS) report. More than 100 rules are mapped to the PCI compliance standard.<\/p>\n The screenshots below provide examples of PCI DSS report results.<\/p>\n With Infrastructure Assurance 8.4, you can now change the legend and save it in your report. The new Hide All option in the legend makes it easy for you to hide some of the attributes in your graph.<\/p>\n You can now change the legend and save it in your report.<\/p>\n Alert fatigue is real. Infrastructure Assurance keeps noise levels down without letting problems escape you. The issue item feature is one technique to reduce noise.<\/p>\n A great example is VPN tunnels. A firewall typically has many VPN tunnels connecting remote sites and users. Instead of alerting you to every event in which a VPN tunnel is down, Infrastructure Assurance associates a tunnel as an issue item. When the first VPN tunnel goes down, it creates a new alert. When the second VPN tunnel goes down, it adds the second VPN tunnel down event as an issue item to the existing alert.<\/p>\n With Infrastructure Assurance 8.4, you can disable issue item collection by changing the configuration file. Instead of concatenating issue items to an existing alert, the system generates a new alert for every issue item. But enabling this feature can greatly increase the number of alerts in your environment.<\/p>\n The Infrastructure Assurance 8.4 release includes more than 200 auto-detection knowledge elements and enhancements. Devices supported by these enhancements include BlueCat Integrity, Broadcom Symantec (formerly Blue Coat) Content Analysis series, Check Point Maestro, and Palo Alto Networks Next-Generation Firewalls. For a complete list of enhancements, see details in the release notes<\/a>.<\/p>\n Ready to see the anomaly detection engine and CVE analysis engine in Infrastructure Assurance 8.4 for yourself? Request a live demo<\/a> today.<\/p>\n BlueCat Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":" For IT operations teams needing deeper and more automated insight<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[94],"tags":[95],"class_list":["post-3588","post","type-post","status-publish","format-standard","hentry","category-blog","tag-blog"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Blue Cat","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/bluecat\/"},"category_info":"Blog<\/a>","tag_info":"Blog","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/3588","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=3588"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/3588\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=3588"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=3588"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=3588"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Anomalies for Palo Alto Networks Next-Generation Firewalls<\/h3>\n
\n
Anomalies for BlueCat Integrity BDDSes<\/h3>\n
![\"Screenshot](\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/detect-anomalies-and-cve-risks-with-infrastructure-assurance-8-4.png?w=640&ssl=1\")
<\/p>\nCVE analysis engine<\/h2>\n
![\"Screenshot](\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/detect-anomalies-and-cve-risks-with-infrastructure-assurance-8-4-1.png?resize=640%2C406&ssl=1\")
<\/p>\n![\"Screenshot](\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/detect-anomalies-and-cve-risks-with-infrastructure-assurance-8-4-2.png?resize=640%2C402&ssl=1\")
<\/p>\n![\"Screenshot](\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/detect-anomalies-and-cve-risks-with-infrastructure-assurance-8-4-3.png?w=640&ssl=1\")
<\/p>\n<\/p>\nReporting, alerting, and knowledge enhancements<\/h2>\n
A new system-defined PCI DSS compliance report<\/h3>\n
![\"Screenshot](\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/detect-anomalies-and-cve-risks-with-infrastructure-assurance-8-4-4.png?w=640&ssl=1\")
<\/p>\n![\"Screenshot](\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/detect-anomalies-and-cve-risks-with-infrastructure-assurance-8-4-5.png?w=640&ssl=1\")
<\/p>\n![\"Screenshot](\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/detect-anomalies-and-cve-risks-with-infrastructure-assurance-8-4-6.png?w=640&ssl=1\")
<\/p>\nLegend improvements for reports<\/h3>\n
![\"Screenshot](\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/detect-anomalies-and-cve-risks-with-infrastructure-assurance-8-4-7.png?w=640&ssl=1\")
<\/p>\n![\"Screenshot](\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/detect-anomalies-and-cve-risks-with-infrastructure-assurance-8-4-8.png?w=640&ssl=1\")
<\/p>\nAlerts for every issue item<\/h3>\n
Knowledge enhancements<\/h3>\n