BATTLE-TESTED INDUSTRIAL CYBERSECURITY

SOLUTION BRIEF

PALO ALTO NETWORKS AND CYBERX

IoT & ICS Threat Detection and Prevention

KEY BENEFITS OF INTEGRATION

The CyberX platform is tightly integrated with the Palo Alto Networks® Security Operating Platform and Cortex™ through native APIs.

The CyberX platform uniquely combines a deep, embedded understanding of industrial devices, protocols, and applications with continuous monitoring and patented ICS-aware behavioral analytics, asset and network topology discovery, risk and vulnerability management, automated threat modeling, and threat intelligence.

Palo Alto Networks® Next Generation Firewall for ICS provides highly granular visibility into traffic at the application and user levels as well as being able to apply these parameters in policy.

Palo Alto Networks Cortex enables you to consume security innovations quickly and efficiently. The framework is a cloud-based infrastructure that collects data from the Palo Alto Networks Security Operating Platform, offering a suite of cloud-delivered APIs that connect innovative apps to data and enforcement points. Your teams can use apps for detection, analytics, automated prevention and rapid response, and can quickly consume new capabilities without requiring additional sensors or enforcement points, extending the value of your existing investment in Palo Alto Networks.

The Challenge

Companies with critical industrial infrastructure are increasingly concerned about IoT and ICS cyberattacks by nation-states and cybercriminals.

As IT and Operational Technology (OT) networks become increasingly connected to support digitalization and collection of real-time intelligence from production operations, this has increased the attack surface and hence the risk from both targeted attacks and malware.

While downtime in a traditional IT environment can result in the lack of business continuity, breaches in OT environments can have far more devastating impacts including costly production outages, catastrophic safety failures, environmental damage, and theft of corporate IP.

CyberX

The CyberX platform provides continuous monitoring with specialized behavioral analytics that were purpose-built for detecting unauthorized or suspicious IoT and ICS traffic. The platform incorporates ICS-aware self-learning engines that automatically inventory and profile assets, identify vulnerabilities, and detect a wide range of threats in real time — without relying on rules or signatures, specialized skills, or prior knowledge of the environment. Plus, it uses passive monitoring to ensure zero impact on the IoT and ICS network with an operational selective probing capability that uses safe, vendor-approved commands to query devices.

Palo Alto Networks

The Palo Alto Networks® Security Operating Platform prevents successful cyberattacks through intelligent automation. The platform combines network and endpoint security with threat intelligence and accurate analytics to help streamline routine tasks, automate protection and prevent cyber breaches. Tight integrations across the platform and with ecosystem partners deliver consistent security across clouds, networks and mobile devices, natively providing the right capabilities at the right place across all stages of an attack lifecycle. Because the platform was built from the ground up with breach prevention in mind – with important threat information being shared across security functions system-wide – and architected to operate in modern networks with new technology initiatives like cloud and mobility, customers benefit from better security than legacy or point security products provide and realize better total cost of ownership.

CyberX.io
Palo Alto Networks + CyberX


Joint customers of Palo Alto Networks and CyberX now can rapidly block malicious traffic detected by the CyberX platform. Together,
we’ve developed an off-the-shelf integration that automatically creates new policies in Palo Alto Networks next-generation firewalls
(NGFW), based on contextual information provided by the CyberX platform. A 1-click confirmation mode ensures a human is in the loop
at all times to approve the new policy and push it to all affected firewalls.

CyberX’s integration with the Panorama™ centralized management system enables joint customers to rapidly block sources of malicious traffic in IoT and
ICS networks

Five Malicious Activities That the Integration Prevents


• Unauthorized PLC changes: An update to the ladder logic or firmware of a device. Can represent a legitimate activity or an attempt to compromise the device by inserting malicious code, such as a RAT or parameters causing the physical process — such as a spinning turbine — to operate in an unsafe manner.
• Protocol Violation: An unpermitted packet structure or field value that violates the protocol specification. Can represent a misconfigured application or a malicious attempt to compromise the device – for example, by causing a buffer overflow condition in the target device.
• PLC Stop: A command that causes the device to stop functioning, thereby risking the physical process that is being controlled by the PLC.
• Malware found in the IoT and ICS networks: ICS-specific malware that manipulates ICS devices via their native protocols, such as TRITON and Industroyer. CyberX also detects IT malware that has moved laterally into the IoT and ICS environment, such as TRITON, WannaCry, and NotPetya.
• Scanning malware: Reconnaissance tools that collect data about system configurations in a pre-attack phase. For example, the Havex Trojan scans industrial networks for devices using OPC (a standard protocol used by Windows-based SCADA systems to communicate with ICS devices).


Rapid Creation of Granular, Asset-Based Segmentation Policies

CyberX has also developed an integration with the Palo Alto Networks Security Operating Platform that facilitates automatic creation of fine-grained, ICS-aware policy templates using tags, based on the type of asset.

Using passive Network Traffic Analysis (NTA), the CyberX platform automatically discovers all assets and their communication behavior, thereby fingerprinting the asset type and associated properties (protocol, vendor, firmware revision level, etc.).

By automatically tagging devices with their discovered properties — such as device type (HMI, PLC, etc.), and authorization status — the CyberX application enables administrators to rapidly create asset-based policies. Administrators can also easily create Dynamic Access Groups (DAGs) using these asset-based tags.

Examples of ICS-aware policies include:
• “HMIs can only communicate with PLCs using the MODBUS protocol”
• “Only engineering workstations are allowed to program PLCs”
• “Unauthorized devices are not allowed to communicate between subnets”

Integration with Palo Alto Networks Cortex

Additionally, CyberX has developed a native integration with Palo Alto Networks Cortex that leverages Palo Alto Networks sensors that customers already have deployed.

The application maps Palo Alto SCADA App-IDs to CyberX’s automatically-generated baseline of all IoT and ICS network behavior, providing extensive detection, visibility, monitoring, and analysis capabilities. This enables security teams to:
• Easily implement fine-grained policies to prevent malicious or unauthorized activities
• Accelerate detection and investigation of targeted IoT and ICS attacks via deep forensic, threat hunting, and ICS threat modeling capabilities
• Identify vulnerable or compromised OT devices, so they can be rapidly remediated or isolated
• Alert on suspicious or risky behaviors such as PLC programming changes and network scanning
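
The three example ICS-aware policies quoted in the segmentation section above can be read as checks over asset tags rather than IP addresses. The following is an added illustration, not code from CyberX or Palo Alto Networks: it evaluates flows against those three policies using a constructed asset inventory. The tag names, policy names, addresses, and protocol and operation labels are all assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed inventory standing in for passively discovered, tagged assets.
# Tag names and values are hypothetical, not CyberX or PAN-OS identifiers.
ASSETS = {
    "10.1.1.10": {"type": "HMI", "authorized": True},
    "10.1.1.20": {"type": "PLC", "authorized": True},
    "10.1.1.30": {"type": "EWS", "authorized": True},  # engineering workstation
    "10.1.2.40": {"type": "PLC", "authorized": True},
    "10.1.1.99": {"type": "unknown", "authorized": False},
}
SUBNETS = [ip_network("10.1.1.0/24"), ip_network("10.1.2.0/24")]
UNKNOWN = {"type": "unknown", "authorized": False}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    protocol: str   # e.g. "modbus", "s7comm" (constructed labels)
    operation: str  # "read", "write" or "program" (constructed labels)


def subnet_of(ip):
    """Return the configured subnet containing ip, or None."""
    addr = ip_address(ip)
    return next((net for net in SUBNETS if addr in net), None)


def violations(flow):
    """Return the names of the example policies that this flow breaks."""
    src = ASSETS.get(flow.src, UNKNOWN)  # undiscovered devices count as unauthorized
    dst = ASSETS.get(flow.dst, UNKNOWN)
    broken = []
    # "HMIs can only communicate with PLCs using the MODBUS protocol"
    # (read here as: HMI-to-PLC traffic must be MODBUS).
    if src["type"] == "HMI" and dst["type"] == "PLC" and flow.protocol != "modbus":
        broken.append("hmi-plc-modbus-only")
    # "Only engineering workstations are allowed to program PLCs"
    if dst["type"] == "PLC" and flow.operation == "program" and src["type"] != "EWS":
        broken.append("ews-only-plc-programming")
    # "Unauthorized devices are not allowed to communicate between subnets"
    crosses = subnet_of(flow.src) != subnet_of(flow.dst)
    if crosses and not (src["authorized"] and dst["authorized"]):
        broken.append("no-unauthorized-cross-subnet")
    return broken
```

An unauthorized device talking to a PLC inside its own subnet breaks none of the three policies as worded, so that traffic needs separate detection or a default-deny rule.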

ABOUT CYBERX
We know what it takes.
CyberX delivers the only industrial cybersecurity platform built by blue-team experts with a track record
defending critical national infrastructure. That difference is the foundation for the most widely-deployed
platform for continuously reducing IoT and ICS risk and preventing costly production outages, safety
failures, environmental incidents, and theft of sensitive intellectual property.

CyberX delivers the only IoT & ICS security platform addressing all five requirements of the NIST CSF
and all four requirements of Gartner’s Adaptive Security Architecture. CyberX is also the only IoT &
ICS security company to have been awarded a patent for its ICS-aware threat analytics and machine
learning technology.

Notable CyberX customers include 2 of the top 5 US energy providers; a top 5 US chemical company; a
top 5 global pharmaceutical company; and national electric and gas utilities across Europe and Asia-
Pacific. Strategic partners include industry leaders such as Palo Alto Networks, IBM Security, Splunk,
McAfee, Optiv Security, DXC Technology, and Deutsche-Telekom/T-Systems.

Customers choose CyberX because it’s the simplest, most mature, and most interoperable solution for
auto-discovering their assets, identifying critical vulnerabilities and attack vectors, and continuously
monitoring their IoT and ICS networks for malware and targeted attacks. What’s more, CyberX provides
the most seamless integration with existing SOC workflows for unified IT/OT security governance.

For more information, visit CyberX.io or follow @CyberX_Labs.

ABOUT PALO ALTO NETWORKS


We are the global cybersecurity leader, known for always challenging the security status quo. Our
mission is to protect our way of life in the digital age by preventing successful cyberattacks. This
has given us the privilege of safely enabling tens of thousands of organizations and their customers.
Our pioneering Security Operating Platform emboldens their digital transformation with continuous
innovation that seizes the latest breakthroughs in security, automation, and analytics. By delivering
a true platform and empowering a growing ecosystem of change‐makers like us, we provide highly
effective and innovative cybersecurity across clouds, networks, and mobile devices. Find out more at
www.paloaltonetworks.com
