Cloud Security Posture Management
DEMO GUIDE
VER 1.0, JUNE 2021
Introduction and Objective


Cloud Security Posture Management (CSPM) is defined by Gartner as “a continuous process of cloud
security improvement and adaptation to reduce the likelihood of a successful attack.” The scale, pace
of change, and “sprawl” across multiple public clouds make it difficult for security teams to keep
pace. At the same time, cloud skills are in short supply. According to Gartner research, in 2021, 50% of
organizations will mistakenly have infrastructure as a service (IaaS) storage services, network segments,
applications or APIs directly exposed to the public internet, and almost all of them will be the result of
misconfigurations.

CSPM is a valuable discipline that helps organizations discover and automatically remediate threats,
misconfigurations, misuse, and compliance violations in public clouds. This demo was developed to help
you introduce a potential customer to the ways in which Prisma Cloud can help with CSPM. The objective
of this demo is for you to provide an overview of how Prisma Cloud works, with the primary focus being
visibility.

SETTING THE DEMO STAGE

This guide is intended to provide you with enough information to introduce a potential customer to
Prisma Cloud. You should plan on spending 30 minutes or less to complete this demonstration. The goal
is to showcase the visibility that Prisma Cloud offers once cloud accounts have been connected. The focus
should be on the numerous out-of-the-box, preconfigured features that are included. If you are interested
in showing the investigation and remediation aspects of Prisma Cloud, be sure to check out the Prisma
Cloud 5 Minute Fix Demo.

The Prisma Cloud demo system is a read-only environment and has been preconfigured with AWS, GCP,
and Azure connections already established. Before you present this demo to a prospect, you should go
through the steps provided in this document and verify everything works as expected. Additionally, an
example of how to deliver a quick 5-minute demo of Prisma Cloud can be found here: Prisma Cloud Visibility -
Demo Example

It is possible that the demo system data will change over time. While every attempt has been made to
provide accurate screenshots, your experience may vary slightly. If the data has changed and doesn’t
exactly match this document, find similar data, and then follow the same flow and steps provided in the
subsequent sections. If you are not seeing enough good data, consider changing the Time Range option in
the drop-down as you go through the demo.

Palo Alto Networks 4


Prep Work
The Prisma Cloud demo environment is already connected to various AWS, Azure, and GCP accounts and is
populated with data. Therefore, all you need to do to prepare is spend a few minutes verifying everything
is working properly. Follow the tasks outlined in this section to review and confirm proper operation
before you present the demo. Complete this prep work before you perform the demo with your customer
to verify proper operation and save some initial setup time.

TASK 1: LOG INTO THE LAB ENVIRONMENT


1. If you have not already requested access to the Prisma Cloud environment, do so by clicking
HERE. It is important to use your NextWave partner information when completing the request
because this demo system uses single sign on (SSO).

Once you have submitted the request, generally within 5-10 minutes you will receive an email
similar to the one shown here:

2. Click the Get Started link in the email. You will see an SSO screen and be prompted to enter
your NextWave credentials as shown below. (Note: if you have issues, try using an incognito /
private mode browser window.)

3. Once you have successfully authenticated, you will be logged into the Prisma Cloud demo system.
Click the Get Started button to continue logging in as shown here:

4. You must review the EULA before you can click Agree and Submit.

5. You might also be given the opportunity to take a brief tour before you start. The tour is not part
of this demonstration, so click Skip the tour as shown here:

Note: When you request access to the Prisma Cloud demo system, a Prisma Cloud account will
be provisioned using your email address and authenticated using single sign-on (SSO). Your
account will stay active for 48 hours, and then is automatically deleted. Simply submit another
request for login credentials if you require additional time.

TASK 2: FAMILIARIZE YOURSELF WITH THE ENVIRONMENT

If you are new to Prisma Cloud, you should take a few moments to familiarize yourself with the various
aspects of the application. Although the intent of this demo is to provide an introductory overview of
Prisma Cloud, you should know enough about Prisma Cloud to answer other questions that might arise
during your presentation. You might consider reviewing this overview of Prisma Cloud and/or completing
this Prisma Cloud training.

Demo Steps
TASK 1: ONBOARDING CLOUD ACCOUNTS

When you add a cloud account to Prisma Cloud, the Infrastructure as a Service (IaaS) module ingests data
from flow logs, configuration logs, and audit logs in your cloud environment over an encrypted connection
and stores the encrypted metadata in RDS and Redshift instances within the Prisma Cloud AWS Services
module. You then use the Prisma Cloud administrative console or the APIs to interact with this data to
configure policies, to investigate and resolve alerts, to set up external integrations, and to forward alert
notifications.

Your demo account has read-only access to Prisma Cloud. As a result, you will have limited access to cloud
account settings. However, as mentioned above, a few cloud accounts have already been connected to
Prisma Cloud, and you will use those accounts for this demonstration.

1. Although you will not onboard a cloud account as part of this demo, you will see that in this
example, three cloud accounts have already been added to Prisma Cloud. Using the menu on the
left side of the Prisma Cloud application, navigate to >Settings >Cloud Accounts.

2. Scroll to the far right, and you will see that when these accounts were added to Prisma Cloud, they
were configured to ingest flow logs, configuration logs, and audit logs as shown here:

3. You may be asked questions about onboarding cloud accounts. Prisma Cloud provides wizards
designed to help you easily onboard cloud accounts. As the administrator is going through
the wizard, various options are provided allowing you to determine roles, permissions, and
many other aspects of the configuration. Shown below is a summary screen of a successfully
onboarded cloud account.

Although you cannot show the actual onboarding process in this demo environment, it is
important to take a couple of minutes at the beginning to mention how quickly and easily you
can onboard cloud accounts and enable ingestion of the configurations and logs. The 3 cloud
accounts that are connected to this demo system form the basis for all alerts, compliance checks,
and reports.

TASK 1: REVIEW THE DISCOVERED ASSETS


1. Once the cloud accounts have been onboarded, Prisma Cloud will begin analyzing the ingested
data and automatically build out various dashboards. Use the navigation bar on the left and
select >Inventory > Assets. You will see there are 1863 unique assets. Take a moment to review
the information presented on this screen. Of the 1863 unique assets, you will see that 1380 pass
the many compliance checks performed by Prisma Cloud. The remaining 483 assets have issues
ranging from low to high severity.

2. Review the middle section of the screen. This area provides easy-to-interpret graphs showing a
timeline representation of assets and their status, as well as a breakdown of cloud providers and
the pass/fail status as shown here:

3. Although you can see that there are failed compliance issues with all 3 connected cloud
providers, for this demo, we will focus on AWS. Using the Cloud Type checkboxes in the options
along the left, click the AWS checkbox. This will allow you to focus only on AWS assets and
services for now. Also, using the drop-down, select Region as shown below. Point out how
flexible Prisma Cloud is, allowing you to filter the views to easily pinpoint areas of concern.

4. Now review the AWS services displayed below the charts/graphs. This provides an inventory of
all discovered services deployed in AWS along with a coverage score, pass/fail rating, and the
number of alerts for each service. As you can see in the following screenshot, the Amazon VPC
only has a 50% pass rate. To quickly review all the failed checks, click the view alerts icon next
to the number of failed alerts:

You are now presented with a breakdown of all the Amazon VPC alerts that Prisma Cloud has
discovered. Point out the various high severity issues that have been discovered.

Normally the analyst would continue the investigation and remediate any open alerts. However,
the intent of this demo is to show various aspects of the visibility provided by Prisma Cloud.
If you are interested in showing an investigate and remediate demo, be sure to check out the
Prisma Cloud Investigate and Remediate 5 minute fix.

A key discussion point to convey is that all of this visibility was automatically created simply by
connecting cloud accounts to Prisma Cloud. The system then audits various aspects of the cloud
accounts to detect any issues and then reports the information in a consolidated, easy-to-use
interface.

This demo system only has a couple of thousand unique assets, whereas many customer
environments will have significantly more, which can make things very complex. Imagine trying
to manage all of this and maintain compliance across multiple cloud providers without a tool like
Prisma Cloud.

TASK 2: SECOPS REVIEW

The previous task showed how powerful Prisma Cloud is at ingesting configuration information to
determine any potential misconfiguration and compliance issues. However, it is also helpful to know what
is happening to your public cloud accounts from a security operations perspective. Prisma Cloud uses flow
logs from cloud accounts to provide you with valuable insight into potential security issues in an
easy-to-use dashboard.

1. Using the menu along the left side, navigate to > Dashboard > SecOps. By default, the Time
Range is set to the past 24 hours. If you do not see enough interesting information, consider
using the drop-down menu to select a longer timeframe. In this example we are selecting the
past 3 months. Take a quick moment to review the information provided. You can also quickly
show the graphical map that displays connections initiated to cloud resources from the public
internet. Any red circles indicate suspicious activity from that region:

2. For this demo, we will focus on the “Top Internet Connected Resources”. The dashboard
displays resources that are accessible from the internet. Exposed resources may or may not be
intentional. The goal is to close any open holes that might exist, potentially exposing valuable
information. Scroll down until you see the Top Internet Connected Resources dashboard, and
then click on the SSH graph as shown here:

3. You are now viewing a breakdown of which AWS resources are allowing SSH connections directly
from the internet. While all these connections probably should be reviewed to make sure there
is no malicious activity, of particular interest is the HR-DB server that appears exposed to the
internet allowing SSH connections. Click the HR-DB-Server graph to drill in as shown here:

4. You are now provided with a detailed view showing the various connections to the HR-DB-Server.
Prisma Cloud monitors the activity of all connected cloud accounts and, using machine learning,
builds a profile of what is considered normal and abnormal activity. As shown here,
Prisma Cloud has determined that some of these connections appear to be suspicious. Click the
! icon on the LinuxBastion host to drill in and view additional details as shown below. Notice
that Prisma Cloud has built a query based on the dashboard drill-down actions you took. We will
discuss RQL in the next section.

5. Using the options along the right side of the screen, scroll down and expand the Alert Summary
section. You can review the corresponding Prisma Cloud Alerts by clicking on Prisma Cloud
Alerts as shown here:

6. You are now shown the alerts that Prisma Cloud has detected, one of which is the high severity
exposed instance to the internet as shown below.

To keep the demo flowing, we are not interested in investigating/remediating issues. As
mentioned above, there is a separate demo to showcase those features. We finish this demo by
showing some basic query and reporting capabilities of Prisma Cloud.

TASK 3: RQL AND POLICIES

As shown in the prior sections, Prisma Cloud provides several preconfigured dashboards to help visualize
various aspects of the connected cloud accounts. However, there may be times where a dashboard / graph
does not provide the specific information the analyst is looking for.

Prisma Cloud Resource Query Language (RQL) is a powerful and flexible tool that helps you gain security
and operational insights about your deployments in public cloud environments. You can use RQL to
perform configuration checks on resources deployed on different cloud platforms and to gain visibility
and insights into user and network events. You can use these security insights to create policy guardrails
that secure your cloud environments. RQL is a structured query language that resembles Structured Query
Language (SQL). RQL supports the following types of queries:

• Config—Use Config Query to search for the configuration of the cloud resources.
• Event—Use Event Query to search and audit all the console and API access events in your cloud
environment.
• Network—Use Network Query to search real-time network events in your environment.

Use RQL to find answers to fundamental questions that help you understand what is happening on your
network. For example, you can find answers to the following questions:

• Do I have S3 buckets with encryption disabled?
• Do I have databases that are directly accessible from the internet?
• Who uses a root account to manage day-to-day administrative activities on my network?
• Which cloud resources are missing critical patches that make them exploitable?

1. Using the menu bar along the left side of Prisma Cloud, navigate to the >Investigate option.
The Investigate tab allows you to build queries, remembers your recent searches, and lets you
save the queries you have built so they can be reused whenever you need them, as shown here:

2. Click inside the RQL builder as shown below. The RQL builder provides a wizard-driven experience
to help you build a query without requiring you to learn a complex query language.

3. When using RQL, everything begins with a question. For example, are you looking for potential
configuration issues, network activity, or a particular event? This will determine the first option
you select when building the query. In this example, you will build a very simple query to show
all suspicious IP network traffic to your cloud-connected resources. Start by clicking on the
network from option, and build out the query as shown below:

network from vpc.flow_record where cloud.account = 'AWS Prod' AND source.publicnetwork IN ( 'Suspicious IPs' ) AND bytes > 0

4. You will likely need to change the date range to a custom date. Select a date that is several
months ago (or longer) if you are seeing no results. Once you have the query built, and the date
range updated, click the magnifying glass to execute the RQL as shown here:

As you can see in the screenshot above, the RQL query not only shows the LinuxBastion host
we saw earlier, but also lets you quickly see every connection from a suspicious IP address on the
public internet to a cloud-connected resource. And it was not necessary to learn a complex
language. If you would like to learn more about RQL (to help with any potential questions you
may get), you can review the RQL admin guide here: Prisma™ Cloud Resource Query Language
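To make the semantics of the network query concrete, here is an added example (not Prisma Cloud's code and not part of the original guide): a small Python evaluator that parses the where clause of the query built above and applies it to constructed flow records. The record field names, the sample records, and the CIDR ranges standing in for the 'Suspicious IPs' network group are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample rows standing in for vpc.flow_record (not demo-system data);
# the field names are assumptions chosen to mirror the query's attribute names.
FLOW_RECORDS = [
    {"cloud.account": "AWS Prod", "dest.resource": "LinuxBastion", "source.ip": "203.0.113.7", "bytes": 4520},
    {"cloud.account": "AWS Prod", "dest.resource": "HR-DB-Server", "source.ip": "198.51.100.22", "bytes": 0},
    {"cloud.account": "AWS Dev", "dest.resource": "web-01", "source.ip": "203.0.113.9", "bytes": 900},
    {"cloud.account": "AWS Prod", "dest.resource": "web-02", "source.ip": "192.0.2.44", "bytes": 12000},
]

# Named public network groups. The real 'Suspicious IPs' group is curated by
# Prisma Cloud; the CIDR ranges below are constructed placeholders.
NETWORK_GROUPS = {
    "Suspicious IPs": [ipaddress.ip_network("203.0.113.0/24"),
                       ipaddress.ip_network("198.51.100.0/24")],
}

# One condition: <attribute> <op> ( 'string' | ( 'a', 'b' ) | integer )
CONDITION = re.compile(
    r"(?P<field>[\w.]+)\s*(?P<op>=|>|IN)\s*"
    r"(?P<value>'[^']*'|\(\s*'[^']*'(?:\s*,\s*'[^']*')*\s*\)|\d+)"
)

def parse_network_query(query):
    """Split 'network from vpc.flow_record where c1 AND c2 ...' into (field, op, value) triples."""
    m = re.match(r"network\s+from\s+vpc\.flow_record\s+where\s+(.*)$", query.strip(), re.I | re.S)
    if not m:
        raise ValueError("only network queries over vpc.flow_record are supported")
    conds = []
    for part in re.split(r"\s+AND\s+", m.group(1)):
        c = CONDITION.fullmatch(part.strip())
        if not c:
            raise ValueError(f"cannot parse condition: {part!r}")
        field, op, raw = c.group("field"), c.group("op"), c.group("value")
        if op == "IN":
            value = re.findall(r"'([^']*)'", raw)   # list of network group names
        elif raw.startswith("'"):
            value = raw.strip("'")
        else:
            value = int(raw)
        conds.append((field, op, value))
    return conds

def _matches(record, field, op, value):
    # source.publicnetwork is a CIDR membership test of the source IP, not a string comparison.
    if field == "source.publicnetwork":
        ip = ipaddress.ip_address(record["source.ip"])
        return any(ip in net for g in value for net in NETWORK_GROUPS.get(g, []))
    actual = record.get(field)
    if op == "=":
        return actual == value
    if op == ">":
        return actual > value
    return actual in value

def run_query(query, records=FLOW_RECORDS):
    # Return the records that satisfy every condition of the query.
    conds = parse_network_query(query)
    return [r for r in records if all(_matches(r, f, o, v) for f, o, v in conds)]

DEMO_QUERY = ("network from vpc.flow_record where cloud.account = 'AWS Prod' "
              "AND source.publicnetwork IN ( 'Suspicious IPs' ) AND bytes > 0")
```

Running `run_query(DEMO_QUERY)` against the constructed records returns only the LinuxBastion row: the HR-DB-Server row is excluded by `bytes > 0`, and the other rows by account or source network.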

5. Once a query has been created, you can save it for reuse. Saved queries also provide you the
ability to create a Prisma Cloud Policy directly from the saved query. To demonstrate this, click
the Clear All link in the upper-right corner of the interface. Next, click on the Saved Searches
link. For the sake of time, you will not build a new policy; however, you can hover your cursor
over the option along the right side and show the option for building a new policy based on the
RQL.

6. Using the menu bar along the left side, click Policies. Take a quick moment to point out
how Prisma Cloud comes preconfigured with hundreds of policies designed to spot many
misconfigurations and compliance-related issues. As such, Prisma Cloud can begin detecting
many issues as soon as you connect cloud accounts.

TASK 4: COMPLIANCE AND REPORTING

Depending on how much interaction you have had with your prospect, you might have already spent a fair
amount of time getting to this point of the demonstration. Remember, the primary objective of this demo
is to not get too deep into any one section, but provide an overview of a feature, and then keep the demo
moving forward.

The Compliance Overview is a dashboard that provides a snapshot of your overall compliance posture
across various compliance standards. Use the Compliance Dashboard as a tool for risk oversight across
all the supported cloud platforms and gauge the effectiveness of the security processes and controls you
have implemented to keep your enterprise secure. You can also create compliance reports and run them
immediately, or schedule them on a recurring basis to measure your compliance over time.

1. Use the menu bar along the left side and navigate to >Compliance > Overview. Like the other
dashboards, you have the ability to filter and show only the information that is most important
to you. The compliance dashboard provides the ability to quickly locate configuration issues
that are failing one or more compliance checks. All widgets on the dashboard are interactive (and
customizable).

Depending on the interest of the customer, decide how much of this dashboard you want to
show, and which areas you want to focus on.

2. Finally, take a moment to show the reporting capabilities of Prisma Cloud. Navigate to
Compliance > Reports. Find a report that you feel might be of interest to the customer. In this
example, we will use the Demo-MITRE-Compliance report. Scroll down to locate and click on
the report name as shown here:

3. Take a moment to review the information presented. Like the other dashboards, this one is
interactive and can be further filtered. You might be wondering “Where is the report?” All
the information presented on this screen can be downloaded in a PDF report format. Click the
Download Report button to download a comprehensive report as shown here:

4. Once the report has been downloaded, open it and spend a few minutes reviewing the
information that is included. It is also worth noting that reports can be scheduled and emailed
automatically as shown here:

Wrap Up
This concludes the demonstration. This demo shows how Prisma Cloud automatically provides very
granular visibility into a multi-cloud environment. In addition to the visibility, you were able to show how
the system looks for misconfiguration and compliance issues and provides an easy-to-navigate interface,
making it easy to investigate and remediate configuration and compliance issues.

There are two editions of Prisma Cloud (Enterprise and Compute). This demonstration focused on
the Enterprise edition, and only showed a very small portion of the total capabilities of Prisma Cloud.
Remember, the intent of the demo is to provide a general overview of the various aspects of Prisma Cloud.
If customers are also interested in how an analyst would investigate and remediate alerts, check out the
Prisma Cloud 5 Minute Fix Demo.

HEADQUARTERS
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054, USA
http://www.paloaltonetworks.com

Phone: +1 (408) 753-4000
Sales: +1 (866) 320-4788
Fax: +1 (408) 753-4001
info@paloaltonetworks.com

© 2021 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our
trademarks can be found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned
herein may be trademarks of their respective companies. Palo Alto Networks reserves the right to change, modify,
transfer, or otherwise revise this publication without notice.

Submit any feedback or issues to nextwavetechsupport@paloaltonetworks.com
