Palo Alto Networks 101 - Pre-Migration Best Practices
Whether you’re looking to move away from your current firewall provider, to simplify and unify your cybersecurity
approach, or thinking about tomorrow’s risks today, there are a lot of reasons to consider taking advantage of
Next-Generation Firewall technology.
VIRUSES, EXPLOITS AND WORMS, OH MY!
Today’s cybersecurity considerations go far beyond the need to filter traffic from a few malicious URLs or spotting
standard suspicious email attachments. The number and complexity of attacks on organizations of all sizes
increases every day, and the speed with which hackers adapt and invent has reached a break-neck pace. It is no
longer possible to be reactive to threats to your organization; in fact, it never was. The Next-Generation Firewall
offers a proactive approach to managing malware, and utilizes a targeted strategy based on information and a
more sophisticated policy structure.
DISTRIBUTED ENVIRONMENTS
Gone is the ability to set up a perimeter around your network and call it a day. With the explosion of SaaS, cloud
storage, mobile computing and an increasing number of at-risk endpoints, your cybersecurity strategy must be
prepared to allow the right traffic and users while identifying zero-day threats and negating them. Traditional
firewalls offer no capability to protect and monitor beyond your own network.
THE THREAT FROM WITHIN
In their 2016 Cyber Security Intelligence Index, IBM found that 60% of all attacks were carried out by insiders; this
includes both malicious efforts and unwitting actors who were exploited for access. You cannot prevent human
error, and even the best organizations can face a risk from employees, so user-driven policy management, careful
reporting and logging, and pattern assessment are critical safety components. A traditional firewall limits what can
come in, but a Next-Generation Firewall can also keep your assets and information secure from the inside.
PRACTICAL BUSINESS CONSIDERATIONS
There are so many other technological risks to consider when evaluating your firewall, but there are also several
important factors on your organization’s balance sheet and org chart that factor into a migration decision:
Retiring Legacy Equipment – If you are working with outdated equipment, making the shift to a new
platform may make more long-term financial sense.
Simplicity – Using multiple vendors for services and equipment means integrations, different monitoring
tools, and difficulty looking at your organization holistically. A unified cybersecurity stack can help to
create efficiencies and ensure seamless coverage.
Future Strategic Needs – Can your defenses scale with your organization? What about addressing future
needs, or growing threats to your industry? Can you meet the compliance guidelines and
recommendations, and for how long? Being proactive in your approach to security may require an initial
investment, but compared to the recovery costs from a breach, this is a small concern.
Customer Confidence – From a business standpoint, being able to highlight your advanced security
strategies helps your customers feel secure.
So you’ve been selected to evaluate whether now is the right time to migrate to a Next-Generation Firewall, and to
provide a comparison between options. There are many templates and checklists of features you will want to
consider when choosing a firewall (links provided in the Checklist section), but this move has an impact on your
entire organization, and as such, your evaluation team should include representation from multiple business
and technological teams.
YOUR TECHNOLOGY TEAM
Your CISO/CSO – It goes without saying that, if your organization has a C-level security role, they will be
deeply involved in this decision. Make sure you understand their expectations, major concerns, and how
they will measure the success of this project before you even begin collecting information.
Infrastructure Security – Any division of your organization that has a direct connection to your network
must be included, and will bring insight you may not have. This includes network & system
administrators, data center managers, hardware management, and more.
Corporate IT – If you have a separate team for addressing employee hardware (computers, phones, etc.),
make sure they have a representative, since they will be the front line for questions from users whose
processes are impacted.
Your development teams may not need to be directly involved, but they should be aware that you are
considering a shift, and why. This could impact the ability of their programs and apps to access data,
communicate with third party sites, and more. If you are trying to address a gap or prevent a repeat
breach, you should be talking to all teams that could re-open this door.
INCLUDE OPERATIONS
CIO – Your CSO will most likely deliver updates to your CIO on progress and developments, but make sure
you understand what his/her goals are and how they will measure your success.
Business Units – Many business processes may have to be altered or stopped entirely once your new
security measures are in place, so it’s a good idea to include representation from your business units.
They can also help understand what their most common and critical tasks are, and act as an advocate
during the migration as you work to communicate changes with organizational employees.
o Give some special attention to Human Resources. Depending on your plans for monitoring and
storing information on users, there may be privacy considerations, or updates that your HR team
needs to make to their documentation.
Once you’ve finalized your decision and drafted your migration timeline, it’s a good idea to give all
organizational employees a “heads up” about the change. You want users to know this change is
occurring in case they experience issues after the migration, and how to report them.
It’s very easy to only think about the impact within your business, but make sure you have a plan in place
to communicate this change to partners and customers who may be affected. Any organization you
share information with, or who does business through your channels could be affected.
For clients, any impacts to the location of your data and how it is secured could have compliance
considerations.
BEGINNING AN EVALUATION
First things first: you’ll want to understand what your current firewall is providing in terms of coverage and what
will need to be covered going forward. While it may seem like there’s a chance to either start with a clean slate, or
to hoard policies and take everything with you, this is the time to figure out what’s worth keeping, what isn’t
working, and what you’re not sure about.
Which policies are currently in use? How many haven’t been used in more than 6 months?
How much traffic is hitting your active policies? Where is it coming from and where is it going?
o You may need to consider a virtualized solution that will cover cloud-based apps and assets.
Look at your documentation – is there any rationale for the current policies, and does it still hold true?
Are your policies very general, or extremely granular? Remember that, to take full advantage of a Next-
Generation Firewall, you may need to change the methodology behind your policy development.
SANS has a policy audit checklist you may find helpful.
Consider creating a topological map of your current architecture and traffic patterns so that you can
visualize your needs.
Look at what vendors or third party services will be affected, too. How well will they work post-migration?
Consider your greatest asset: your staff team. How is your team organized? Will roles change, increase or
merge with a more robust cybersecurity strategy in place?
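The audit questions in the list above, worked as an added example (not part of the original document and not Palo Alto Networks code): a script over a constructed rule export that flags rules unused for more than 6 months, flags very general allow rules, and ranks in-use rules by traffic. The CSV column names, the two-wildcard threshold for "very general", and the sample rules are assumptions for illustration.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample export; the column names are assumptions for this example,
# not any vendor's real export format.
SAMPLE_EXPORT = """name,source,destination,service,action,last_hit,bytes
web-in,any,10.0.1.10,tcp/443,allow,2024-05-28,98234411
legacy-ftp,10.0.5.0/24,10.0.9.20,tcp/21,allow,2023-08-14,1200
temp-vendor,203.0.113.7,10.0.2.0/24,any,allow,,0
lan-out,10.0.0.0/8,any,any,allow,2024-06-01,734002211
db-sync,10.0.3.5,10.0.4.5,tcp/5432,allow,2024-05-30,5120044
block-telnet,any,any,tcp/23,deny,2024-01-02,0
"""

STALE_AFTER = timedelta(days=183)  # "more than 6 months", approximated in days


def audit_rules(export_text, today):
    """Classify each rule as stale, overly general, or active, and rank traffic."""
    stale, general, active = [], [], []
    for row in csv.DictReader(io.StringIO(export_text)):
        last_hit = date.fromisoformat(row["last_hit"]) if row["last_hit"] else None
        # A rule that has never matched counts as unused, same as an old one.
        if last_hit is None or today - last_hit > STALE_AFTER:
            stale.append(row["name"])
        else:
            active.append((row["name"], int(row["bytes"])))
        # "Very general": an allow rule with two or more wildcard match fields.
        wildcards = sum(row[f] == "any" for f in ("source", "destination", "service"))
        if row["action"] == "allow" and wildcards >= 2:
            general.append(row["name"])
    total = sum(b for _, b in active) or 1
    # Share of observed traffic carried by each in-use rule, largest first.
    traffic = [(n, round(100 * b / total, 1))
               for n, b in sorted(active, key=lambda x: -x[1])]
    return {"stale": stale, "general": general, "traffic": traffic}


if __name__ == "__main__":
    report = audit_rules(SAMPLE_EXPORT, today=date(2024, 6, 3))
    print("Unused for more than 6 months:", report["stale"])
    print("Overly general allow rules:", report["general"])
    for name, pct in report["traffic"]:
        print(f"{name:12} {pct:5.1f}% of bytes on active rules")
```

Stale rules are candidates to leave behind, and general rules are candidates to split into narrower policies before migration rather than carried over as-is.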
DEFINE IMPROVEMENT
Chances are, you didn’t just decide to start considering a migration. Did you read about an attack and it
made you nervous? Have you experienced a breach? Make a list of your most pressing cybersecurity
concerns, and then note how well you think your current system manages them.
If you’re using a traditional firewall, you’re not incorporating any protection around cloud-based
systems, employee usage of SaaS, mobile device management, or endpoint security. You also probably
don’t have strong analysis capabilities, or have to use another vendor to supply them.
o What efficiencies would a migration create for your organization?
o What current gaps in your protection strategy would this fill? Can you measure how much traffic
is moving through these channels right now?
What business opportunities might be created through a more secure organization? How would it
improve service to your customers or clients?
What are the risks if you do not enhance your protection? Consider documenting the cost of a breach,
service attack or exposure to malware.
o Looking for examples? Try the Unit 42 blog.
REFERENCE DOCUMENTS
This checklist covers pre-, mid- and post-migration considerations.
Palo Alto Networks also has a document for planning your deployment that might give you some ideas.
Don’t forget to consider your cloud environment needs:
https://www.sans.org/reading-room/whitepapers/cloud/introduction-securing-cloud-environment-34052
This SANS whitepaper includes some great information on what you should document pre-migration:
https://www.sans.org/reading-room/whitepapers/firewalls/migrating-services-firewall-technologies-1199
Take a look at this
Don’t forget to look at the business considerations; you’ll need to translate technical needs into business
terms.
There is a great video on Palo Alto Networks that outlines some of the biggest points you’ll need to cover:
Once you’ve collected your historical information, made a list of your business needs, and brought your team
together, it’s time to evaluate your potential firewall options.
After completing your historical analysis, gathering your team, developing your criteria, and agreeing on priorities,
you’re ready to begin your evaluation.
Make a short list of possible options and submit a request for more information.
After team review, cull your list to only the top 2-3 options, and provide a more detailed set of follow up
questions.
Schedule demos or meetings to review the proposals with your team and ask questions.
Consider developing a matrix for evaluation that will help your team objectively measure your options on
the same criteria.
When it’s time to make your recommendation, make sure you have all of the following:
COUNTDOWN TO MIGRATION