A systems engineer (SE) successfully demonstrates NGFW managed by Strata Cloud Manager (SCM) to a company. In the resulting planning phase of the proof of value (POV), the CISO requests a test that shows how the security policies are either meeting, or are progressing toward meeting, industry standards such as Critical Security Controls (CSC), and how the company can verify that it is effectively utilizing the functionality purchased.
During the POV testing timeline, how should the SE verify that the POV will meet the CISO's request?
Correct Answer: B
The SE has demonstrated an NGFW managed by SCM, and the CISO now wants the POV to show progress toward industry standards (e.g., CSC) and verify effective use of purchased features (e.g., CDSS subscriptions like Advanced Threat Prevention). The SE must ensure the POV delivers measurable evidence during the testing timeline. Let's evaluate the options.
Step 1: Understand the CISO's Request
* Industry Standards (e.g., CSC): The Center for Internet Security's Critical Security Controls (e.g., CSC 1: Inventory of Devices, CSC 4: Secure Configuration) require visibility, threat prevention, and policy enforcement, which NGFW and SCM can address.
* Feature Utilization: Confirm that licensed functionalities (e.g., App-ID, Threat Prevention, URL Filtering) are active and effective.
* POV Goal: Provide verifiable progress and utilization metrics within the testing timeline.
Reference: Strata Cloud Manager Overview (docs.paloaltonetworks.com/strata-cloud-manager); CIS Critical Security Controls (www.cisecurity.org/controls).
Step 2: Define SCM Capabilities
Strata Cloud Manager (SCM): A cloud-based management platform for Palo Alto NGFWs, offering dashboards (e.g., Best Practices, Feature Adoption) and custom reporting to monitor security posture, policy compliance, and subscription usage.
Security Lifecycle Review (SLR): A report generated via the Customer Support Portal (not SCM) analyzing traffic logs for security gaps, not real-time POV progress.
Dashboards and Reports: SCM provides prebuilt and customizable views for real-time insights into policy effectiveness and feature adoption.
Reference: SCM Dashboards and Reports (docs.paloaltonetworks.com/strata-cloud-manager/dashboards-and- reports).
Step 3: Evaluate Each Option
A). Near the end, pull a Security Lifecycle Review (SLR) in the POV and create a report for the customer.
Description: The SLR analyzes 7-30 days of traffic logs, providing a retrospective security posture assessment (e.g., threats blocked, policy gaps).
Process: Near POV end, upload logs to the Customer Support Portal (Support > Security Lifecycle Review), generate, and share the report.
Limitations:
SLR is a point-in-time analysis, not a real-time progress tracker during the POV timeline.
Requires post-POV log collection, delaying feedback.
Doesn't directly show feature utilization progress or CSC alignment in SCM.
Fit: Misses the "during the POV timeline" requirement; better for post-POV analysis.
Reference: Security Lifecycle Review Guide (support.paloaltonetworks.com, requires login).
B). At the beginning, work with the customer to create custom dashboards and reports for any information required, so reports can be pulled as needed by the customer.
Description: SCM allows custom dashboards and reports (Monitor > Dashboards or Reports) tailored to metrics like policy compliance (CSC alignment) and feature usage (e.g., Threat Prevention hits).
Process:
At POV start, collaborate with the CISO to define metrics (e.g., "Threats blocked by ATP" for CSC 6, "App- ID usage" for feature adoption).
Configure custom dashboards in SCM (Dashboards > Add Dashboard > Custom).
Set up scheduled or on-demand reports (Reports > Custom Reports).
Enable the customer to monitor progress throughout the POV.
Benefits:
Real-time visibility into policy effectiveness and feature use during the timeline.
Aligns with CSC (e.g., blocked malware events) and shows subscription ROI.
Empowers the customer to verify results independently.
Fit: Meets the CISO's request fully within the POV timeline.
Reference: SCM Custom Dashboards (docs.paloaltonetworks.com/strata-cloud-manager/dashboards-and- reports/custom-dashboards).
C). Near the end, the customer pulls information from these SCM dashboards: Best Practices, CDSS Adoption, and NGFW Feature Adoption.
Description: SCM provides prebuilt dashboards:
Best Practices: Assesses policy alignment with security standards.
CDSS Adoption: Tracks subscription usage (e.g., ATP, URL Filtering).
NGFW Feature Adoption: Monitors features like App-ID or User-ID.
Limitations:
Waiting until "near the end" delays visibility, missing ongoing progress tracking.
Prebuilt dashboards may not fully align with CSC or specific customer needs without customization.
Fit: Useful but incomplete; lacks proactive setup and real-time monitoring throughout the POV.
Reference: SCM Prebuilt Dashboards (docs.paloaltonetworks.com/strata-cloud-manager/dashboards-and- reports/prebuilt-dashboards).
D). At the beginning, use PANhandler golden images that are designed to align to compliance and to turning on the features for the CDSS subscription being tested.
Description: PANhandler is a tool for managing Skillets (configuration templates), including "golden images" for compliance (e.g., NIST, CIS benchmarks).
Process: Apply a Skillet at POV start to configure the NGFW with compliance settings and CDSS features.
Limitations:
Configures the NGFW but doesn't verify progress or utilization during the POV.
No reporting or dashboard integration for the CISO to track results.
Fit: Sets up the environment but doesn't meet the verification requirement.
Reference: PANhandler Skillets (github.com/PaloAltoNetworks/panhandler).
Step 4: Select the Best Approach
B is the strongest choice:
Proactive: Starts at the beginning, ensuring metrics are tracked throughout the POV.
Customizable: Tailors dashboards/reports to CSC (e.g., threat detection for CSC 6) and feature use (e.g., ATP events).
Verifiable: Enables the customer to pull reports as needed, meeting the CISO's request within the timeline.
Why not A, C, or D?
A: SLR is retrospective, not real-time, missing the "during" aspect.
C: Prebuilt dashboards are helpful but delayed and less flexible than custom options.
D: Golden images configure but don't verify progress or utilization.
Step 5: Verification with Palo Alto Documentation
SCM Custom Dashboards: Supports real-time, tailored monitoring (SCM Docs).
SLR: Post-analysis tool, not POV-progressive (Support Portal Docs).
Prebuilt Dashboards: Limited customization (SCM Docs).
PANhandler: Configuration-focused, not reporting-focused (PANhandler Docs).
Thus, the verified answer is B.