Having been at Palo Alto Networks’ Ignite conference just two weeks prior I approached their presentation at Security Field Day Two with more than a little curiosity. Would they be making a surprise acquisition announcement, or maybe show off a new product? To no real surprise it was neither as Nir Zuk continued the messaging started at Ignite surrounding expanded cloud services accessed via a PANW next-generation firewall (NGFW) deployed in the customer’s environment. Services such as Wildfire which detonates potential malware in a sandboxed environment, DNS Security to block known bad domains along with ones found through predictive analytics, and URL filtering to classify sites by content and risk profile.
We were first given a demo of Panorama which acts as a single point of management for a customers NGFWs, and configuration of the cloud services consumed. The demo showed how Dynamic Address Groups and External Dynamic Lists can be combined with tags, internally defined or learned from VMware, to create self updating security policies targeting specific user groups.
The real meat of the presentation was on Prisma Public Cloud (formerly Redlock) whom PANW acquired in October 2018. Prisma Public Cloud makes use of provider APIs to passively analyze your (multi) cloud environment ensuring compliance with industry regulations and company specific security policies. When drift from specified standards or host vulnerabilities are detected the system can alert, or alert and automatically remediate the issue. It also has compliance reporting tailored to PCI, HIPPA, NIST and other standards to help ease the stress of audit time.
Then to wrap things up we were given teasingly quick demos of Cortex XDR and Demisto. Both of these products attack the problem of alert fatigue in different ways. The core of Cortex XDR is the Cortex Data Lake product which collects normalized data from Traps, GlobalProtect and your PANW NGFWs then uses AI and ML to quickly provide actionable information to your SOC team. During the demo Giora Engel demonstrated how a series of seemingly innocuous actions when looked at together at a higher level show the correlation of a malware attack. Demisto meanwhile is an automation platform consumes alert notifications from approximately 300 products via APIs, helping to correlate alerts and creating tickets in your existing ticketing platform. When a security incident occurs responding agents can collaborate within the platform to build a playbook for automating responses to future instances.