April 12, 2019

3 Major Things from Palo Alto’s 2019 SE Summit


Ryan Skally
Senior Security Architect

Another SE Summit is in the books and yet again Palo Alto Networks has knocked another event out of the park. There were a lot of new announcements in regard to software, hardware, integrations, cloud, endpoint, etc. I will be discussing all of the announcements and my thoughts on them.

Topics Covered:

  • Traps/Cortex XDR/Magnifier
  • Cloud
  • DNS Security

 

Traps/Cortex XDR/Magnifier

I think the largest announcement was Cortex XDR. Palo Alto Networks has gone through some changes in their philosophy about prevention only. They’ve realized that detection and response is a necessity too. But they’re looking to build more than just Endpoint Detection and Response like the rest of the industry that most security vendors are only focusing on one side of the house. Detection, Response, and Prevention are all needed to stop the sophisticated cyber-attacks that are prevalent today.

XDR all started with Palo Alto Network’s acquisition of an Israeli security firm, SecDo. With the SecDo acquisition and turning the product into XDR, they’ll be able to detect and respond in any area of the Palo Alto Networks Security Operation Platform (SOP). Palo Alto Networks is redefining how our customer’s security teams protect endpoints and hunt down and stop threats with XDR and Traps. XDR combines the current Magnifier product (User Entity Behavior Analysis) with new technology from the Secdo acquisition. XDR applies machine learning to automatically detect stealthy threats across network, endpoint and cloud data. XDR integrates tightly with Traps endpoint protection and response to collect rich data for threat hunting and investigations. This will all happen when Traps 6.0 is released. Some of the other feature sets.

 

New Features in Traps 6.0

  • Expanded Linux support
  • Container Security
  • Response Actions
  • Role-based access control
  • Email alerting & log forwarding.

 

New Data Collection in Traps 6.0

  • Process creation/termination events
  • Threads creation/termination events
  • Registry modification events
  • Image load events
  • Session log on/off & connect/disconnect information
  • File modification information
  • Network session information (5-tuple)
  • Endpoint events: time change and boot up

 

How the Data is Used in Traps 6.0

  • Full Attack and Casualty Chain
  • Persistence mechanisms and exfiltration attempts
  • Injection attempts
  • Stitching endpoint and network data together and using machine learning to identify suspicious flows

 

Cloud

Another focus that kept coming up during the event was everything cloud. I will spend a lot of time here with this one because there were a lot of announcements. First thing I’ll talk about is RedLock. This was another acquisition Palo Alto Networks made last October. It provides a few crucial security technologies for integrations into AWS, Azure, or GCP including asset inventory, config and compliance checking/tracking, network and host security, insider threats and compromised hosts open to the internet or trying to connect to malicious domains, C2 channels, etc.

The biggest announcement in regard to RedLock was they are combining the technology with Evident.io (yet another acquisition by Palo Alto Networks last March). Evident allows customers to use read-only access to the public cloud API. Evident securely collects data about cloud services and continuously performs checks against security best practices or custom security checks. This will uncover any potentially exploitable vulnerabilities. Evident delivers continuous, automated compliance audits and provides customizable one-click compliance reports.

Also, you can think of Evident as the Aperture DLP for Public Cloud in regards to cloud storage. With Evident, you can discover and classify data within containers and buckets; evaluate your exposure based on policy; auto-remediate publicly exposed data; and quarantine malware. Evident allows people to secure cloud storage buckets to remediate any issues with malware or publicly shared information that wouldn’t be. The great thing about it too is that you don’t need to be a current Palo Alto customer to enjoy the technology like some of the other technologies in Palo Alto’s SOP.

 

Cloud Roadmap

Speaking of Aperture and all of these Cloud Security Technologies, I’d like to discuss one of the roadmap items that piqued my interest. As you may know, Aperture is a subscription-based CASB built for DLP. What Aperture will become as Palo Alto Networks described it is an engine. The DLP capabilities of Aperture will be improved and then turned into an engine to be utilized across the SOP.

New Clouds Supported

VM-Series support for Alibaba and Oracle cloud

 

DNS Security

One of the things I didn’t like was Palo Alto’s new “DNS Security” subscription. I feel this is something that should’ve been deployed in their application framework vs individually deployed on all firewalls. Really, it’s not even DNS security. They are using DNS lookup to secure traffic, not securing DNS itself. It’s sort of a catch 22 and in my opinion, didn’t live up to the hype. Even Nir Zuk during the final day keynote said he wasn’t pleased with how it turned out. Take that how you want to.

 

Conclusion

It is great to see the platform continue to grow. There were many other changes announced, but just too many to put here. I would urge you to check out Palo Alto’s website to see more of the information from the conference.