Practitioner Questions and Answers

A SASE solution converges networking and security services into one unified, cloud-delivered solution (see Figure 3-12) that includes the following:

● Networking

○ Software-defined wide-area networks (SD-WANs)

○ Virtual private networks (VPNs)

○ Zero Trust network access (ZTNA)

○ Quality of Service (QoS)

● Security

○ Firewall as a service (FWaaS)

○ Domain Name System (DNS) security

○ Threat prevention

○ Secure web gateway (SWG)

○ Data loss prevention (DLP)

○ Cloud access security broker (CASB)

Attack communication traffic is usually hidden with various techniques and

tools, including:

● Encryption with SSL, SSH (Secure Shell), or some other custom or proprietary encryption

● Circumvention via proxies, remote access tools, or tunneling. In some instances, use of

cellular networks enables complete circumvention of the target network for attack C2 traffic.

● Port evasion using network anonymizers or port hopping to traverse over any available open

ports

● Fast Flux (or Dynamic DNS) to proxy through multiple infected endpoints or multiple,

ever-changing C2 servers to reroute traffic and make determination of the true destination

or attack source difficult

● DNS tunneling is used for C2 communications and data infiltration

Wireshark is a network analysis tool that can capture packets from various network interfaces and protocols. It can display the captured packets in a human-readable format, as well as filter, analyze, and export them. Wireshark is widely used for network troubleshooting, security testing, and education purposes12. References: Wireshark · Go Deep, How to Use Wireshark to Capture, Filter and Inspect Packets, Palo Alto Networks Certified Cybersecurity Entry-level Technician

DevSecOps takes the concept behind DevOps that developers and IT teams should work together closely, instead of separately, throughout software delivery and extends it to include security and integrate automated checks into the full CI/CD pipeline. The integration of the CI/CD pipeline takes care of the problem of security seeming like an outside force and instead allows developers to maintain their usual speed without compromising data security

Cloud Security Posture Management (CSPM), including Prisma Cloud’s offering, continuously monitors all cloud resources — such as compute instances, storage, network configurations, and identities — to detect misconfigurations, vulnerabilities, and potential threats in near real time.

A stateless firewall is a network firewall that primarily filters traffic based on source and destination IP address, as well as port numbers and protocols. A stateless firewall does not keep track of the state or context of network connections, and only inspects packet headers. A stateless firewall is faster and simpler than a stateful firewall, but it is less secure and flexible. A stateless firewall cannot block complex attacks or inspect packet contents for malicious payloads. References: What Is a Packet Filtering Firewall? - Palo Alto Networks, Common IP Filtering Techniques – APNIC, What is IP filtering? - Secure Network Traffic Management

SOAR tools ingest aggregated alerts from detection sources (such as SIEMs, network security tools, and mailboxes) before executing automatable, process-driven playbooks to enrich and respond to these alerts.

Scripting of manual tasks – SOAR platforms automate repetitive, manual security tasks through playbooks and scripting, improving response time and efficiency.

Consistent incident handling – SOAR ensures that incidents are managed in a standardized and repeatable manner, reducing errors and improving compliance.

Isolated system and log retention are not core advantages of SOAR.

Cortex XDR is an endpoint tool or agent that can enact behavior-based protection. Behavior-based protection is a method of detecting and blocking malicious activities based on the actions or potential actions of an object, such as a file, a process, or a network connection. Behavior-based protection can identify and stop threats that are unknown or evade traditional signature-based detection, by analyzing the object’s behavior for suspicious or abnormal patterns. Cortex XDR is a comprehensive solution that provides behavior-based protection for endpoints, networks, and cloud environments. Cortex XDR uses artificial intelligence and machine learning to continuously monitor and analyze data from multiple sources, such as logs, events, alerts, and telemetry. Cortex XDR can detect and prevent advanced attacks, such as ransomware, fileless malware, zero-day exploits, and lateral movement, by applying behavioral blocking and containment rules. Cortex XDR can also perform root cause analysis, threat hunting, and incident response, to help organizations reduce the impact and duration of security incidents. References:

Cortex XDR - Palo Alto Networks

Behavioral blocking and containment | Microsoft Learn

Behaviour Based Endpoint Protection | Signature-Based Security - Xcitium

The 12 Best Endpoint Security Software Solutions and Tools [2024]

Lateral movement is a key stage where the attacker moves across the network to find valuable targets.

Privilege escalation involves gaining higher access rights to expand control within the compromised environment.

Communication with covert channels is a tactic used during persistence or exfiltration, while deletion of critical data is not a standard APT lifecycle stage — it’s more characteristic of destructive attacks.

Prisma Cloud comprises four pillars:

● Visibility, governance, and compliance. Gain deep visibility into the security posture of

multicloud environments. Track everything that gets deployed with an automated asset

inventory, and maintain compliance with out-of-the-box governance policies that

enforce good behavior across your environments.

● Compute security. Secure hosts, containers, and serverless workloads throughout the

application lifecycle. Detect and prevent risks by integrating vulnerability intelligence into

your integrated development environment (IDE), software configuration management

(SCM), and CI/CD workflows. Enforce machine learning-based runtime protection to

protect applications and workloads in real time.

● Network protection. Continuously monitor network activity for anomalous behavior,

enforce microservice-aware micro-segmentation, and implement industry-leading

firewall protection. Protect the network perimeter and the connectivity between

containers and hosts.

● Identity security. Monitor and leverage user and entity behavior analytics (UEBA) across

your environments to detect and block malicious actions. Gain visibility into and enforce

governance p

A botnet is a network of computers or devices that are infected by malware and controlled by a malicious actor, known as the botmaster or bot-herder. The botmaster uses a command and control (C2) server or channel to send instructions to the bots and receive information from them. The C2 communication is essential for the botmaster to maintain control over the botnet and use it for various malicious purposes, such as launching distributed denial-of-service (DDoS) attacks, stealing data, sending spam, or mining cryptocurrency. Therefore, the key to “taking down” a botnet is to prevent the bots from communicating with the C2 server or channel. This can be done by disrupting, blocking, or hijacking the C2 communication, which can render the botnet ineffective, unstable, or inaccessible. For example, security researchers or law enforcement agencies can use techniques such as sinkholing, domain name system (DNS) poisoning, or domain seizure to redirect the bot traffic to a benign server or a dead end, cutting off the connection between the bots and the botmaster. Alternatively, they can use techniques such as reverse engineering, decryption, or impersonation to infiltrate the C2 server or channel and take over the botnet, either to disable it, monitor it, or use it for good purposes. References:

What is a Botnet? - Palo Alto Networks

Botnet Detection and Prevention Techniques | A Quick Guide - XenonStack

Botnet Mitigation: How to Prevent Botnet Attacks in 2024 - DataDome

What is a Botnet? Definition and Prevention | Varonis

Software patches are updates that fix bugs, vulnerabilities, or performance issues in applications. Applying software patches regularly is one of the best practices to secure applications against exploits, as it prevents attackers from taking advantage of known flaws in the software. Software patches can also improve the functionality and compatibility of applications, as well as address any security gaps that may arise from changes in the operating system or other software components. Endpoint security solutions, such as Cortex XDR, can help organizations automate and streamline the patch management process, ensuring that all endpoints are up to date and protected from exploits. References:

Endpoint Protection - Palo Alto Networks

Endpoint Security - Palo Alto Networks

Patch Management - Palo Alto Networks

SOAR stands for security orchestration, automation and response. It is a software solution that enables security teams to integrate and coordinate separate tools into streamlined threat response workflows. SOAR systems allow for accelerated incident response through the execution of standardized and automated playbooks that work upon inputs from security technology and other data flows. SOAR systems can also help ensure consistency, reduce human errors, and improve efficiency and scalability of security operations. References:

Security Operations Infrastructure from Palo Alto Networks

What is SOAR (security orchestration, automation and response)? from IBM

Security Operations Fundamentals (SOF) Flashcards from Quizlet

To find the subnet that the host 192.168.19.36/27 belongs to, we need to convert the IP address and the subnet mask to binary form and perform a logical AND operation. The /27 notation means that the subnet mask has 27 bits of ones and 5 bits of zeros. In decimal form, the subnet mask is 255.255.255.224. The binary form of the IP address and the subnet mask are:

IP address: 11000000.10101000.00010011.00100100 Subnet mask: 11111111.11111111.11111111.11100000

The logical AND operation gives us the network prefix:

Network prefix: 11000000.10101000.00010011.00100000

To get the subnet address, we convert the network prefix back to decimal form:

Subnet address: 192.168.19.32

The subnet address is the first address in the subnet range. To find the last address in the subnet range, we flip the bits of the subnet mask and perform a logical OR operation with the network prefix:

Flipped subnet mask: 00000000.00000000.00000000.00011111 Logical OR: 11000000.10101000.00010011.00111111

The last address in the subnet range is:

Last address: 192.168.19.63

The subnet range is from 192.168.19.32 to 192.168.19.63. The host 192.168.19.36 belongs to this subnet. Therefore, the correct answer is B. 192.168.19.16, which is the second address in the subnet range.

IP Subnet Calculator

Subnet Calculator - IP and CIDR

Which subnet does the host 192.168.19.36/27 belong? - VCEguide.com

Identity and access management (IAM) is a software service or framework that allows organizations to define user or group identities within software environments, then associate permissions with them. The identities and permissions are usually spelled out in a text file, which is referred to as an IAM policy.

 Border Gateway Protocol (BGP) is a protocol that enables ISPs and NSPs to exchange routing information among themselves. BGP is used to determine the best path for sending data packets across the Internet. BGP is also known as the protocol of the Internet backbone, as it connects different autonomous systems (ASes) that form the Internet. BGP is not used by end systems or local networks, but only by routers that operate at the border of ASes. BGP is a complex and dynamic protocol that can handle changes in network topology, traffic load, and policy requirements. BGP is also a scalable protocol that can support the growth of the Internet1234 References:

1: Internet service provider - Wikipedia

2: 1.8: Internet Backbones, NAPs, and ISPs - cs.huji.ac.il

3: Lecture Notes – Unit 2 How does the Internet work?

4: Border Gateway Protocol - Wikipedia

Dynamic analysis is a method of malware analysis that executes the malware in a controlled environment and observes its behavior and effects. Dynamic analysis can reveal the malware’s network activity, file system changes, registry modifications, and other indicators of compromise. Dynamic analysis is performed by Palo Alto Networks WildFire, a cloud-based service that analyzes unknown files and links from various sources, such as email attachments, web downloads, and firewall traffic. WildFire uses a custom-built, evasion-resistant virtual environment to detonate the submissions and generate detailed reports and verdicts. WildFire can also share the threat intelligence with other Palo Alto Networks products and partners to prevent future attacks. References: WildFire Overview, WildFire Features, WildFire Dynamic Analysis

Signature-based antivirus software is a type of security software that uses signatures to identify malware. Signatures are bits of code that are unique to a specific piece of malware. When signature-based antivirus software detects a piece of malware, it compares the signature to its database of known signatures12. If a match is found, the software can do three things to provide protection:

Alert system administrators: The software can notify the system administrators or the users about the malware detection, and provide information such as the name, type, location, and severity of the malware. This can help the administrators or the users to take appropriate actions to prevent further damage or infection3.

Quarantine the infected file: The software can isolate the infected file from the rest of the system, and prevent it from accessing or modifying any other files or processes. This can help to contain the malware and limit its impact on the system4.

Delete the infected file: The software can remove the infected file from the system, and prevent it from running or spreading. This can help to eliminate the malware and restore the system to a clean state4.

What is a signature-based antivirus? - Info Exchange

What is a Signature and How Can I detect it? - Sophos

How Does Heuristic Analysis Antivirus Software Work?

What Is Signature-based Malware Detection? | RiskXchange

Code security in cloud environments involves using tools like Static Application Security Testing (SAST) to automatically analyze source code for vulnerabilities before deployment. This helps identify and remediate potential threats early in the software development lifecycle.

"The WildFire cloud-based malware analysis environment is a cyber threat prevention service that identifies unknown malware, zero-day exploits, and advanced persistent threats (APTs) through static and dynamic analysis in a scalable, virtual environment. WildFire automatically disseminates updated protections in near-real time to immediately prevent threats from spreading; this occurs without manual intervention"

"Or split tunneling can be configured to allow internet traffic from the device to go directly to the internet, while other specific types of traffic route through the IPsec tunnel, for acceptable protection with much less performance degradation."

 A sanctioned application is an application that is approved by the IT department and meets the security and compliance requirements of the organization. Sanctioned applications are allowed to access the organization’s network and data and are monitored and protected by the IT department. Examples of sanctioned applications are Office 365, Salesforce, and Zoom. Sanctioned applications are different from unsanctioned, prohibited, and tolerated applications, which are not approved by the IT department and may pose security risks to the organization. Unsanctioned applications are applications that are used by the employees without the IT department’s knowledge or consent, such as Dropbox, Gmail, or Facebook. Prohibited applications are applications that are explicitly forbidden by the IT department, such as BitTorrent, Tor, or malware. Tolerated applications are applications that are not approved by the IT department, but are not blocked or restricted, such as Skype, Spotify, or YouTube. References: Palo Alto Networks Certified Cybersecurity Entry-level Technician (PCCET), Cloud Security Fundamentals - Module 4: Cloud Security Best Practices, Application Visibility and Control

Cloud-native security is the integration of security strategies into applications and systems designed to be deployed and to run in cloud environments. It involves a layered approach that considers security at every level of the cloud-native application architecture. The four C’s of cloud-native security are123:

Code: This layer refers to the application code and its dependencies. Security at this layer involves ensuring the code is free of vulnerabilities, using secure coding practices, and implementing encryption, authentication, and authorization mechanisms.

Container: This layer refers to the lightweight, isolated units that encapsulate the application and its dependencies. Security at this layer involves scanning and verifying the container images, enforcing policies and rules for container deployment and runtime, and isolating and protecting the containers from unauthorized access.

Cluster: This layer refers to the group of nodes that host the containers and provide orchestration and management capabilities. Security at this layer involves securing the communication between the nodes and the containers, monitoring and auditing the cluster activity, and applying security patches and updates to the cluster components.

Cloud: This layer refers to the underlying infrastructure and services that support the cloud-native applications. Security at this layer involves configuring and hardening the cloud resources, implementing identity and access management, and complying with the cloud provider’s security standards and best practices.

The correct order of the four C’s from the top (surface) layer to the bottom (base) layer is code, container, cluster, cloud, as each layer depends on the security of the next outermost layer. References: What Is Cloud-Native Security? - Palo Alto Networks, What is Cloud-Native Security? An Introduction | Splunk, The 4C’s of Cloud Native Kubernetes security - Medium

 A local area network (LAN) is a network that connects end-user devices such as personal computers, printers, scanners, and phones within a small geographic area, such as an office, school, or home. LANs allow users to share resources, such as files, applications, and internet access, among the connected devices. LANs typically use Ethernet or Wi-Fi as the communication medium and operate at high speeds with low error rates. LANs are usually owned and managed by a single person or organization. References: LANs, WANs, and Other Area Networks Explained, What is a LAN? Local Area Network, Types of area networks - LAN, MAN and WAN

PCI DSS stands for Payment Card Industry Data Security Standard, which is a set of requirements intended to ensure that all companies that process, store, or transmit credit card information maintain a secure environment1. The standard is administered by the Payment Card Industry Security Standards Council, and its use is mandated by the major card brands2. PCI DSS covers 12 requirements for compliance, organized into six control objectives, such as building and maintaining a secure network and systems, protecting cardholder data, and implementing strong access control measures3. References: Payment Card Industry Security Standards, PCI Security Standards Council – Protect Payment Data with Industry-driven Security Standards, Training, and Programs, What is PCI Compliance? 12 Requirements & More - Digital Guardian

Whaling is a targeted phishing attack aimed at high-profile individuals, such as executives. The attacker impersonates a trusted entity (e.g., IT department) to trick the executive into revealing sensitive credentials. This is a form of spear phishing specifically focused on “big fish” targets.

 A SIEM (Security Information and Event Management) is a system that collects, analyzes, and correlates security logs from multiple sources, such as endpoints, firewalls, servers, etc. A SIEM can provide a centralized and comprehensive view of the security posture of an organization, as well as detect and respond to threats. Configuring endpoints to forward logs to a SIEM is the recommended method for collecting security logs from multiple endpoints, as it reduces the network bandwidth and storage requirements, simplifies the log management process, and enables faster and more effective security analysis. Leveraging an EDR (Endpoint Detection and Response) solution to request the logs from endpoints is not recommended, as it may cause performance issues on the endpoints, increase the network traffic, and create a dependency on the EDR solution. Connecting to the endpoints remotely and downloading the logs is not recommended, as it is a manual and time-consuming process, prone to errors and inconsistencies, and may expose the endpoints to unauthorized access. Building a script that pulls down the logs from all endpoints is not recommended, as it requires technical skills and maintenance, may not be compatible with different endpoint platforms, and may introduce security risks if the script is compromised or misconfigured. References:

Palo Alto Networks Certified Cybersecurity Entry-level Technician (PCCET) - Palo Alto Networks

Fundamentals of Security Operations Center (SOC)

10 Palo Alto Networks PCCET Exam Practice Questions - CBT Nuggets

Full-disk encryption is a method of protecting data on a laptop that has been stolen by encrypting the entire hard drive, making it unreadable without the correct password or key. This prevents unauthorized access to the proprietary data stored on the laptop, even if the thief removes the hard drive and connects it to another device. Full-disk encryption can be enabled using built-in features such as BitLocker on Windows or FileVault on macOS, or using third-party software such as Absolute Home & Office12. References: How to Protect your Data if a Laptop is Lost or Stolen, What to do when your laptop is stolen, Palo Alto Networks Certified Cybersecurity Entry-level Technician

Port hopping is a technique that changes protocols at random during a session to evade detection and analysis by security devices. Port hopping can be used by malware or attackers to communicate with command and control servers or to exfiltrate data. Port hopping makes it difficult to identify and block malicious traffic based on port numbers or signatures. References: Port Hopping, Ports Used for Management Functions, Adding a Custom Application/Ports to Security Policy

Advanced malware is designed to evade detection and persist within a system, often using stealthy techniques to spread laterally across multiple hosts in a network without triggering alerts, making it especially dangerous and difficult to remove.

A directory service is a database that contains information about users, resources, and services in a network.

Endpoint Detection and Response (EDR) tools monitor, record, and analyze endpoint activity to detect suspicious behavior, investigate incidents, and respond to threats on user devices such as laptops and desktops.

A Security Information and Event Management (SIEM) system collects data from various sources (logs, events, etc.) and uses correlation rules to analyze this data and trigger alarms when suspicious or predefined patterns are detected.

802.11ax, also known as Wi-Fi 6, is an internet of things (IoT) connectivity technology that operates on the 2.4GHz and 5GHz bands, as well as all bands between 1 and 6GHz when they become available for 802.11 use, at ranges up to 11 Gbit/s. 802.11ax is designed to improve the performance, efficiency, and capacity of wireless networks, especially in high-density environments such as smart homes, smart cities, and industrial IoT. 802.11ax uses various techniques such as orthogonal frequency division multiple access (OFDMA), multi-user multiple input multiple output (MU-MIMO), target wake time (TWT), and 1024 quadrature amplitude modulation (QAM) to achieve higher data rates, lower latency, longer battery life, and reduced interference for IoT devices. References:

•Wi-Fi 6 (802.11ax) - Palo Alto Networks

•What is Wi-Fi 6? | Wi-Fi 6 Features and Benefits | Cisco

•What is Wi-Fi 6 (802.11ax)? - Definition from WhatIs.com

A containerized architecture packages software along with its dependencies, libraries, and configuration into an isolated unit called a container. This ensures consistent behavior across environments and simplifies deployment and scaling.

A worm is a type of malware that replicates itself to spread rapidly through a computer network. Unlike a virus, a worm does not need a host program or human interaction to infect other devices. A worm can consume network bandwidth, slow down the system performance, or deliver a malicious payload, such as ransomware or a backdoor123. References: Types of Malware & Malware Examples - Kaspersky, 10 types of malware + how to prevent malware from the start, Computer worm - Wikipedia

A worm replicates through the network while a virus replicates, not necessarily to spread through the network.

Least privileges access control is the capability of a Zero Trust network security architecture that leverages the combination of application, user, and content identification to prevent unauthorized access. Least privileges access control means that users and devices are only granted the permissions they need to perform their tasks, and nothing more. This helps reduce the attack surface and makes it more difficult for attackers to gain access to sensitive data or resources. Least privileges access control is based on the principle of Zero Trust, which assumes that there are attackers both within and outside of the network, so no users or devices should be automatically trusted. Zero Trust verifies user identity and privileges as well as device identity and security, and requires end-to-end encryption. Least privileges access control also involves careful management of user permissions and network segmentation, which limit the amount of information and length of time people can access something, and contain the damage if someone does get unauthorized access. References: What Is Zero Trust Architecture? | Microsoft Security, Zero Trust security | What is a Zero Trust network? | Cloudflare, What is Zero Trust Architecture? | SANS Institute, What Is a Zero Trust Architecture? | Zscaler, What is Zero Trust Architecture (ZTA)? - CrowdStrike.

From a business perspective, XDR platforms enable organizations to prevent successful cyberattacks as well as simplify and strengthen security processes.

Workload security in a Cloud Native Security Platform (CNSP) is designed to secure containers, VMs, and serverless functions throughout the entire application lifecycle — from development to runtime — by detecting and blocking vulnerabilities, misconfigurations, and runtime threats.

Cortex XDR is a detection and response platform that natively integrates network, endpoint, and cloud data to stop sophisticated attacks. A key benefit of Cortex XDR is that it acts as a safety net during an attack while patches are developed. Cortex XDR uses machine learning and behavioral analytics to detect and validate threats, and automatically reveals the root cause of alerts to speed up investigations. Cortex XDR also enables flexible and rapid response actions to contain and remediate threats across the environment. References: Cortex XDR- Extended Detection and Response - Palo Alto Networks, What is Cortex XDR | Palo Alto Networks, Cortex XDR Datasheet - Palo Alto Networks

In anti-malware, a false positive incorrectly identifies a legitimate file or application as malware. A false negative incorrectly identifies malware as a legitimate file or application. In intrusion detection, a false positive incorrectly identifies legitimate traffic as a threat, and a false negative incorrectly identifies a threat as legitimate traffic.

To maximize the use of a network address, the administrator should use the subnet that can accommodate the required number of hosts with the least amount of wasted IP addresses. The subnet mask determines how many bits are used for the network portion and the host portion of the IP address. The more bits are used for the network portion, the more subnets can be created, but the fewer hosts can be assigned to each subnet. The formula to calculate the number of hosts per subnet is

2(32−n)−2

, where

n

is the number of bits in the network portion of the subnet mask. For example, a /30 subnet mask has 30 bits in the network portion, so the number of hosts per subnet is

2(32−30)−2=2

A /25 subnet mask has 25 bits in the network portion, so the number of hosts per subnet is

2(32−25)−2=126

The subnet 192.168.6.0/25 can accommodate 126 hosts, which is enough for the network with 120 hosts. The subnet 192.168.6.168/30 can only accommodate 2 hosts, which is not enough. The subnet 192.168.6.160/29 can accommodate 6 hosts, which is also not enough. The subnet 192.168.6.128/27 can accommodate 30 hosts, which is enough, but it wastes more IP addresses than the /25 subnet. Therefore, the best option is B. 192.168.6.0/25. References:

Getting Started: Layer 3 Subinterfaces - Palo Alto Networks Knowledge Base

DotW: Multiple IP Addresses on an Interface - Palo Alto Networks Knowledge Base

Configure NAT - Palo Alto Networks | TechDocs

SSL/TLS decryption allows security tools to inspect encrypted traffic, enabling them to detect hidden malware, command-and-control communication, or data exfiltration that would otherwise bypass inspection if left encrypted.

Managed Detection and Response (MDR) services combine incident impact analysis and proactive threat hunting to enhance organizational security posture. Incident impact analysis assesses the severity, scope, and potential damage of identified threats, helping prioritize responses. Proactive threat hunting involves skilled analysts searching for hidden threats that automated detection may miss, leveraging threat intelligence and behavioral analytics. Palo Alto Networks’ MDR integrates Cortex XDR and human expertise to detect, investigate, and remediate sophisticated threats early. Unlike routine firewall updates or development processes, MDR is focused on active threat discovery and comprehensive incident management.

Endpoint antivirus software is a type of software designed to help detect, prevent, and eliminate malware on devices, such as laptops, desktops, smartphones, and tablets. Endpoint antivirus software can block viruses that are not seen and blocked by the perimeter firewall, which is a network security device that monitors and controls incoming and outgoing network traffic based on predefined security rules. Perimeter firewall can block some known viruses, but it may not be able to detect and stop new or unknown viruses that use advanced techniques to evade detection. Endpoint antivirus software can provide an additional layer of protection by scanning the files and processes on the devices and using various methods, such as signatures, heuristics, behavior analysis, and cloud-based analysis, to identify and remove malicious code123. References:

What Is Endpoint Antivirus? Key Features & Solutions Explained - Trellix

Microsoft Defender for Endpoint | Microsoft Security

Download ESET Endpoint Antivirus | ESET

Mobile Device Management (MDM) enables firewall administrators to remotely and efficiently deploy corporate configurations, such as email accounts and VPN settings, to targeted mobile devices. It ensures consistent policy enforcement and security across all managed devices.

page 173 "AutoFocus makes over a billion samples and sessions, including billions of artifacts, immediately actionable for security analysis and response efforts. AutoFocus extends the product portfolio with the global threat intelligence and attack context needed to accelerate analysis, forensics, and hunting workflows. Together, the platform and AutoFocus move security teams away from legacy manual approaches that rely on aggregating a growing number of detectionbased alerts and post-event mitigation, to preventing sophisticated attacks and enabling proactive hunting activities."

XDR (Extended Detection and Response) uses machine learning (ML) to detect threats by identifying patterns and anomalies. XDR ingests data from multiple sources — including endpoints, networks, servers, and cloud workloads — to provide a unified and correlated view of threats across the environment.

The six pillars include:

1. Business (goals and outcomes)

2. People (who will perform the work)

3. Interfaces (external functions to help achieve goals)

4. Visibility (information needed to accomplish goals)

5. Technology (capabilities needed to provide visibility and enable people)

6. Processes (tactical steps required to execute on goals)

All elements must tie back to the business itself and the goals of the security operations

North-south refers to data packets that move in and out of the virtualized environment from the host network or a corresponding traditional data center. North-south traffic is secured by one or more physical form factor perimeter edge firewalls.

Host Intrusion Prevention Systems (HIPS) operate on endpoints to enforce security policies by monitoring system calls, file integrity, and configuration settings. HIPS can validate device compliance, including operating system versions and patch levels, before permitting network access. This capability prevents vulnerable or outdated devices from becoming attack vectors. Palo Alto Networks integrates HIPS functionalities in its endpoint security solutions, providing granular control to enforce organizational security standards and reduce risk from non-compliant endpoints. Unlike network-based inspection, HIPS works locally on hosts to stop threats at their origin.

Identity Threat Detection and Response (ITDR) leverages behavior analysis to identify suspicious or anomalous activities associated with user identities. This methodology involves continuously monitoring user authentication patterns, access events, and privilege escalations to build a baseline of “normal” behavior. By detecting deviations—such as unusual login locations, timeframes, or excessive access attempts—ITDR can flag potential identity compromises or insider threats that traditional signature or rule-based systems often miss. Palo Alto Networks’ ITDR integrates behavioral analytics with threat intelligence to deliver real-time alerts and automated response capabilities, essential in mitigating credential abuse and lateral movement within networks. This behavioral approach is crucial for adapting to sophisticated identity attacks that evolve constantly.

Authorization is the component of the AAA (Authentication, Authorization, and Accounting) framework that regulates user access and permissions to resources after identity has been verified. It determines what actions or resources a user is allowed to access.

A meddler-in-the-middle (MITM) attack is a type of Wi-Fi attack where the attacker intercepts and redirects the victim’s web traffic to serve content from a web server it controls. The attacker can use various techniques, such as ARP spoofing, DNS spoofing, or SSL stripping, to trick the victim into connecting to a rogue access point or a proxy server that acts as a middleman between the victim and the legitimate website. The attacker can then modify, inject, or drop the packets that are exchanged between the victim and the website, and perform malicious actions, such as stealing credentials, injecting malware, or displaying fake or misleading content. A MITM attack can compromise the confidentiality, integrity, and availability of the victim’s web traffic and expose them to various risks and threats. References:

What is a man-in-the-middle attack?

The 5 most dangerous Wi-Fi attacks, and how to fight them

What Are Sniffing Attacks, and How Can You Protect Yourself?

Morphing code, also known as polymorphism, allows advanced malware to change its code structure with each iteration or infection. This makes it extremely difficult for traditional signature-based detection tools to recognize and block the malware consistently.

 A switch is a network device that connects multiple devices on a local area network (LAN) and forwards data packets between them. A switch can be identified by its icon, which is a rectangle with four curved lines on each side. In the attached network diagram, device D is the switch, as it matches the icon and connects three computers to device A, which is another network device. References:

[What is a Network Switch and How Does it Work?]

[Network Diagram Symbols and Icons | Lucidchart]

SecOps is the organizational function that is responsible for security automation and eventual vetting of the solution to help ensure consistency through machine-driven responses to security issues. SecOps is a collaboration between security and operations teams that aims to align their goals, processes, and tools to improve security posture and efficiency. SecOps can leverage automation to simplify and accelerate security tasks, such as threat detection, incident response, vulnerability management, compliance enforcement, and more. Security automation can also reduce human errors, enhance scalability, and free up resources for more strategic initiatives. References:

SecOps from Palo Alto Networks

What is security automation? from Red Hat

What is Security Automation? from Check Point Software

page 211 "Consolidating servers within trust levels: Organizations often consolidate servers within the same trust level into a single virtual computing environment: ... ... ... This virtual systems capability enables a single physical device to be used to simultaneously meet the unique requirements of multiple VMs or groups of VMs. Control and protection of inter-host traffic with physical network security appliances that are properly positioned and configured is the primary security focus."

In cloud computing, there are three main service models: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). Each model defines the level of responsibility and control that the cloud provider and the cloud customer have over the cloud resources and services. The cloud provider is responsible for vulnerability and patch management of the underlying operating system in SaaS and PaaS models, while the cloud customer is responsible for it in IaaS model. In SaaS, the cloud provider delivers software applications over the internet and manages all aspects of the cloud infrastructure, platform, and application. The cloud customer only needs to access the software through a web browser or an API. In PaaS, the cloud provider offers a platform for developing, testing, and deploying applications and manages the cloud infrastructure and operating system. The cloud customer can use the platform tools and services to create and run their own applications. In IaaS, the cloud provider supplies the basic cloud infrastructure, such as servers, storage, and networking, and the cloud customer can provision and configure their own operating system, middleware, and applications. References: Cloud Computing Service Models, Cloud Security Fundamentals - Module 2: Cloud Computing Models, Palo Alto Networks Certified Cybersecurity Entry-level Technician (PCCET)

Examples of serverless environments include Amazon Lambda and Azure Functions. Many PaaS offerings, such as Pivotal Cloud Foundry, also are effectively serverless even if they have not historically been marketed as such. Although serverless may appear to lack the container-specific, cloud native attribute, containers are extensively used in the underlying implementations, even if those implementations are not exposed to end users directly.

A CI/CD platform is a comprehensive set of tools that help developers, engineers, and DevOps practitioners package and deliver software to the end users. A CI/CD platform automates the process of software testing and deployment, and enables faster and more reliable software releases. Jenkins is a popular open source CI/CD platform that supports a wide range of plugins and integrations to build, test, and deploy various types of applications. Jenkins can be configured to run on different platforms, such as Linux, Windows, or Docker, and can work with various version control systems, such as Git, SVN, or Mercurial. Jenkins can also orchestrate complex workflows, such as parallel or sequential execution, conditional branching, or parameterized triggering, using a graphical interface or a declarative syntax. Jenkins can help developers and DevOps teams achieve continuous integration and continuous delivery/deployment, by providing features such as:

•Pipeline as code: Jenkins allows users to define and manage their pipelines as code, using a domain-specific language (DSL) called Jenkinsfile. This enables users to store, version, and reuse their pipeline configurations, and to apply best practices such as code review and testing.

•Distributed builds: Jenkins can scale up or down to meet the demand of concurrent builds, by distributing the workload across multiple agents or nodes. This improves the performance and efficiency of the CI/CD process, and allows users to leverage different environments and resources for different stages of the pipeline.

•Plugin ecosystem: Jenkins has a rich and active community that contributes to its plugin ecosystem, which extends its functionality and compatibility with various tools and technologies. Users can find and install plugins from the Jenkins Plugin Manager, or create their own custom plugins using Java or Groovy.

•Blue Ocean: Jenkins offers a modern and user-friendly web interface called Blue Ocean, which simplifies the creation and visualization of pipelines. Blue Ocean provides features such as real-time feedback, interactive editing, branch and pull request support, and integration with popular chat platforms, such as Slack or Microsoft Teams.

Heap spray attacks exploit memory management vulnerabilities by injecting malicious code into a program’s heap to manipulate execution flow. Endpoint Detection and Response (EDR) platforms monitor memory and process behavior on endpoints, enabling the detection of such memory-based exploits through anomaly and behavior analysis. Palo Alto Networks’ Cortex XDR equips SOC teams with the tools to detect, analyze, and respond to heap spray and other in-memory attacks on company laptops in real time. EDR’s endpoint-centric visibility is crucial since heap spray attacks operate below network layers and often bypass traditional perimeter defenses.