
LIGHTCYBER BEHAVIORAL ANALYTICS
Prevent Targeted Attacks, Insider Abuse and Operationalized Malware
LightCyber integrates with Palo Alto Networks next-generation firewalls to accurately detect and stop advanced attacks inside the network.

Protecting Internal Resources With Network-Centric Attack Prevention


LightCyber Benefits

Security accuracy
• Prevent advanced attacks, including attacks that do not use malware or known exploits
• Leverage on-premise machine learning and continuously refined detection algorithms to avoid false positives and false negatives
• Verify network attacks by analyzing the endpoint processes that initiated them

Operational efficiency
• Lower operating costs by reviewing a low number of actionable alerts
• Automate investigations with user, endpoint and network information
• Eliminate external log storage and complex configuration

Integrated remediation
• Block compromised devices by integrating with Palo Alto Networks next-generation firewalls
• Quarantine malicious users, hosts and domains
• Stop unwanted processes with Malicious File Termination

LightCyber behavioral analytics from Palo Alto Networks® enables organizations to stop active attackers and malware operating in the network. With LightCyber, attackers have nowhere to run and nowhere to hide. LightCyber leverages powerful behavioral analytics technology to learn expected user and device behavior and spot anomalous activity indicative of an attack. LightCyber’s network-centric model catches attacks during every stage of the attack lifecycle, especially during the reconnaissance and lateral movement stages, which many other solutions miss.

Endpoint Analysis to Automate Investigations
Magna Pathfinder, an agentless endpoint interrogation service, augments LightCyber’s network-centric attack prevention by providing endpoint context to accelerate incident response. Magna Pathfinder automatically identifies the executable on an endpoint that is responsible for an attack. The Magna Cloud Expert System then analyzes the executable to determine if it is malware, riskware or a rare artifact. With Magna Pathfinder, security analysts can save hours investigating compromised endpoints, and instead quickly gain the endpoint context they need to remediate attacks.

Magna Detection Framework
LightCyber uses a powerful, pre-compute detection framework that combines supervised and unsupervised machine learning to profile user and device behavior. LightCyber’s accuracy is driven by the nDimensional Profiling Engine, which tracks over 1,000 behavioral activities. Sophisticated and highly optimized detection algorithms analyze these profiled dimensions of behavior to detect anomalies indicative of attack.
• LightCyber uses supervised machine learning to fingerprint devices and quickly classify hosts, users and protocols. With this information, LightCyber can differentiate between different types of servers and devices, and then apply different types of learned thresholds by device.
• LightCyber can incorporate known information about the entity, such as the device type, the host’s history of network activity, which protocols are commonly accessed on the network, and hundreds of other behavioral activities to detect network attacks with precision.

[Figure: Magna Detection Framework. Inputs (endpoint data, network packets, logs & NetFlow) feed the nDimensional Profiling Engine, which builds an Entity ID, Current Behavior, Time Profile, Peer Profile and Entity Profile; detectors cover Command & Control, Recon, Lateral Movement, Exfiltration and Malware.]

Palo Alto Networks | LightCyber Behavioral Analytics | Datasheet 1

LightCyber Prevents the Threats That Matter Most
LightCyber enables organizations to mitigate unknown threats and root out attackers operating inside their networks. LightCyber focuses on hard-to-detect threats, such as targeted attacks, insider abuse, operationalized malware and risky user behavior.

• Targeted Attacks
Motivated and well-resourced attackers can find ways to infiltrate enterprise networks – through techniques such as social engineering, zero-day exploits and compromising network infrastructure or IoT devices – and once inside, they can wreak havoc. What separates advanced, targeted attacks from more opportunistic threats is attackers’ ability and willingness to dwell in, learn and exploit targeted networks. This sophisticated and manual attack strategy becomes their weakness once LightCyber is deployed. LightCyber can easily detect the anomalous attack behaviors that attackers cannot conceal, even though these anomalies may be invisible to traditional security tools.

• Insider Abuse
Sometimes, employees intentionally cross the line and conduct attacks or steal sensitive data. With their trusted credentials and access, they can cause massive damage. And since they will rarely utilize malware or other hacking tools that might set off alarms, swift detection can be a challenge with legacy tools. This is where LightCyber comes in. LightCyber can quickly spot the anomalous attack behaviors that occur when insiders turn malicious.

• Operationalized Malware
For a variety of reasons, ranging from polymorphic and evasive malware variants to end users who inadvertently install malware on their laptops when at home, malware continues to make its way into corporate networks. By augmenting advanced threat prevention systems with behavioral profiling, LightCyber quickly identifies the anomalous network traffic generated by malware, identifies the endpoint processes responsible for network attacks, and automatically provides up-to-date threat intelligence on the processes.

• Risky User Behavior
Well-meaning, but reckless employees can expose organizations to undue risk. Whether they are sharing user accounts, accessing their office computers from home insecurely, or uploading company files to cloud storage services, they may be inadvertently inviting attacks. LightCyber helps organizations follow security best practices by automatically monitoring employee usage patterns and identifying potentially risky behavior.
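The Magna Detection Framework described above compares an entity's current behavior with its own history (time profile) and with its peers (peer profile), and applies learned thresholds by device class. The following is an added illustration of that idea, written for this page and not LightCyber's code: it reduces the framework to one constructed dimension, the number of distinct internal hosts an entity contacted in a day, with made-up hosts and counts.

```python
from collections import defaultdict
from statistics import mean, pstdev

# One behavioral dimension standing in for the >1,000 the datasheet describes:
# distinct internal hosts an entity contacted in a day. All data is constructed.
BASELINE = [  # learning period, three days per host: (host, device_class, count)
    ("ws-01", "workstation", 3), ("ws-01", "workstation", 4), ("ws-01", "workstation", 3),
    ("ws-07", "workstation", 4), ("ws-07", "workstation", 5), ("ws-07", "workstation", 4),
    ("srv-01", "server", 50), ("srv-01", "server", 46), ("srv-01", "server", 52),
    ("srv-02", "server", 44), ("srv-02", "server", 48), ("srv-02", "server", 40),
]
CURRENT = [  # today's observations for the same hosts
    ("ws-01", "workstation", 3),
    ("ws-07", "workstation", 45),  # a workstation suddenly sweeping the network
    ("srv-01", "server", 48),      # busy, but normal for a server
    ("srv-02", "server", 55),      # above its own history, within its peer group
]
MIN_STD = 1.0  # floor so a very stable history cannot make small changes look huge

def _profile(values):
    """Mean and floored standard deviation of a list of observations."""
    return mean(values), max(pstdev(values), MIN_STD)

def learn(baseline):
    """Time profile per entity (its own history) and peer profile per device class."""
    by_host, by_class = defaultdict(list), defaultdict(list)
    for host, dev_class, count in baseline:
        by_host[host].append(count)
        by_class[dev_class].append(count)
    return ({h: _profile(v) for h, v in by_host.items()},
            {c: _profile(v) for c, v in by_class.items()})

def detect(baseline, current, k=3.0):
    """Flag entities anomalous against BOTH their own history and their peers; the
    peer profile gives each device class its own learned threshold, so a busy
    server is not judged by workstation norms."""
    host_prof, class_prof = learn(baseline)
    findings = []
    for host, dev_class, count in current:
        h_mean, h_std = host_prof[host]
        c_mean, c_std = class_prof[dev_class]
        own_z = (count - h_mean) / h_std
        class_threshold = c_mean + k * c_std  # learned per device class
        if own_z > k and count > class_threshold:
            findings.append((host, round(own_z, 1), round(class_threshold, 1)))
    return findings

if __name__ == "__main__":
    for host, own_z, thr in detect(BASELINE, CURRENT):
        print(f"{host}: {own_z} std devs above own history; class threshold {thr}")
```

With the default k, only ws-07 is reported: srv-02 exceeds its own history but stays inside the server peer profile, which is the kind of false positive the per-class threshold is meant to avoid.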

LightCyber Deployment
LightCyber mitigates targeted attacks, malware and insider abuse as an easy-to-deploy network-based appliance. It does not
impact network availability or entail hefty logging or storage requirements, making protecting valuable resources effortless.

[Figure: LightCyber deployment. Components shown: Magna Cloud, Magna Probe on AWS, user endpoints, TAP/SPAN/NPB, core switch, Magna Detector, Magna Master, Magna Pathfinder, Remediation, Email & SIEM, LightCyber UI, Reports, headquarters, and a remote office with a Magna Probe; Microsoft appears as an integration point.]



Magna Detector
Available as a hardware or virtual appliance, Magna Detector inspects internal and outbound network traffic, and aggregates metadata from Magna Pathfinder and Magna Probe. Magna Detector builds a profile of “normal” user and device activity by monitoring sources, destinations and protocols, and learning over 1,000 attack dimensions. Based on these dimensions, it accurately detects the anomalies indicative of attack.

Magna Pathfinder
Magna Pathfinder unlocks the full power of the LightCyber framework by ensuring endpoint context is
accurately and efficiently incorporated into attack detection. Pathfinder is an agentless software sub-
scription service that quickly uncovers the root causes of attacks and automates what would otherwise
be time-consuming analysis, dramatically improves the fidelity of findings, and saves security operations
hours of manual investigation.

Magna Cloud Expert System
The Magna Cloud Expert System augments LightCyber’s behavioral attack detection with threat intelligence and malware analysis. This increases detection accuracy and provides detailed investigative data associated with each attack to streamline forensics. The Magna Cloud Expert System applies multi-stage analysis of suspicious files uncovered by Pathfinder by comparing files against antivirus hashes, analyzing them with a multi-engine antivirus scanner, and finally running them in a sandbox.

Magna Master
Magna Master provides consolidated management of multiple Magna Detectors and Probes across
an organization, and integrates with third-party security and identity services for one-click remedi-
ation. Supported capabilities include quarantine or isolation of compromised devices with a firewall
or Network Access Control (NAC), and account lock or reset with Active Directory. Magna Master
runs on the same hardware as Magna Detector in smaller environments, while the Enterprise
Edition can be deployed as a hardware or virtual appliance for larger environments and to enable
enterprise management features.

Magna Probe
Magna Probe is an optional hardware or virtual appliance that extends security visibility to multiple
sites or separate network segments. Magna Probe performs network inspection and metadata
extraction, then forwards aggregated metadata to a Magna Detector for full processing and attack
detection. Magna Probes are ideal for smaller network segments where an additional Magna
Detector is not warranted.

Magna Detector and Probe Overview

Magna Detector D-150V
  Form Factor: VMware Virtual Machine
  Capturing Interfaces: Dedicated Physical ESXi Port
  Maximum Effective Throughput: 500 Mbps
  Maximum Endpoints: 1,500

Magna Detector on AWS D-150
  Form Factor: Amazon Machine Image
  Capturing Interfaces: Gigamon Visibility Fabric or AWS VPC Flow Logs
  Maximum Effective Throughput: 500 Mbps
  Maximum Endpoints: 1,500

Magna Detector D-300
  Form Factor: 1U, Full-Depth
  Capturing Interfaces: 3x1 Gbps (copper)
  Maximum Effective Throughput: 1 Gbps
  Maximum Endpoints: 3,000

Magna Detector D-500
  Form Factor: 1U, Full-Depth
  Capturing Interfaces: 4x1 Gbps (copper/fiber)
  Maximum Effective Throughput: 2 Gbps
  Maximum Endpoints: 5,000

Magna Detector D-1000
  Form Factor: 2U, Full-Depth
  Capturing Interfaces: Up to 4 Extension Cards
  Maximum Effective Throughput: 4 Gbps
  Maximum Endpoints: 10,000

Magna Probe P-50TV
  Form Factor: VMware Virtual Machine
  Capturing Interfaces: Dedicated Physical ESXi Port
  Maximum Effective Throughput: 500 Mbps
  Maximum Endpoints: N/A

Magna Probe-AWS P-50TV
  Form Factor: Amazon Machine Image
  Capturing Interfaces: Gigamon Visibility Fabric or AWS VPC Flow Logs
  Maximum Effective Throughput: 500 Mbps
  Maximum Endpoints: N/A

Magna Probe P-50T
  Form Factor: 1U, Full-Depth
  Capturing Interfaces: 1x1 Gbps (copper)
  Maximum Effective Throughput: 500 Mbps
  Maximum Endpoints: N/A



Hardware Appliance Specifications

Magna Detector D-300
  Management Interface: 1x1 Gbps (copper)*
  Max Power Consumption: 233 W
  AC Power Supply: 460 W
  Weight: 25 kg
  Operating Temperature: 32° to 104° F (0° to 40° C)

Magna Detector D-500
  Management Interface: 4x1 Gbps (copper)
  Max Power Consumption: 316 W
  AC Power Supply: 460 W
  Weight: 30 kg
  Operating Temperature: 32° to 104° F (0° to 40° C)

Magna Detector D-1000
  Management Interface: 4x1 Gbps (copper)
  Max Power Consumption: 431 W
  AC Power Supply: 600 W
  Weight: 40 kg
  Operating Temperature: 32° to 104° F (0° to 40° C)

Magna Probe P-50T
  Management Interface: 1x1 Gbps (copper)
  Max Power Consumption: 200 W
  AC Power Supply: 300 W
  Weight: 10.5 kg
  Operating Temperature: 50° to 95° F (10° to 35° C)

Hardware SLA: Magna hardware products include next business day on-site support as part of Maintenance and Support or appliance subscription contracts, for up to three years from purchase.

Virtual Appliance Specifications

Magna Detector D-150
  Minimum CPU Cores: 8
  Minimum Memory: 32GB
  Minimum Storage: 500GB

Magna Probe P-50V
  Minimum CPU Cores: 4
  Minimum Memory: 16GB
  Minimum Storage: 50GB

Management Interfaces (both models): Admin Web UI, Palo Alto Networks Remote Support
Emulation Platform (both models): ESXi v5.1 and up

Extension Cards

Model 4x1C
  NIC: N/A
  Ports: 4
  Connector: RJ-45 Copper 1G (1000BASE-T)
  Cable Support: CAT 5e

Model 2x10C
  NIC: N/A
  Ports: 2
  Connector: RJ-45 Copper 10G (10GBASE-T)
  Cable Support: CAT 6/6a

Model 2x1F
  NIC: SFP+
  Ports: 2
  Connector: Fiber 1G (1000BASE-SX, 850nm, SR)
  Cable Support: N/A

Model 2x10F
  NIC: SFP+
  Ports: 2
  Connector: Fiber 10G (10GBASE-SR MM LC)
  Cable Support: N/A

4401 Great America Parkway
Santa Clara, CA 95054
Main: +1.408.753.4000
Sales: +1.866.320.4788
Support: +1.866.898.9087
www.paloaltonetworks.com

© 2017 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. lightcyber-behavioral-analytics-ds-071117
