Cortex is the next generation of Palo Alto Networks’ Application Framework, with the ability to create a much deeper data lake and analyze it more effectively. The newly announced Traps 6.0 endpoint solution contributes to this, as it now gathers data like an EDR solution for the first time.
Palo Alto Networks has made a trio of related announcements. The first is Cortex, a next-generation version of the company’s Application Framework security platform that is significantly more powerful than its predecessor. The second is the first application provided for the Cortex platform, Cortex XDR, which integrates multiple elements of functionality, including EDR [Endpoint Detection and Response], in one place. The third, Traps 6.0, upgrades Palo Alto Networks’ endpoint security offering so that it can monitor a chain of events rather than a single event. It also now acts like an EDR solution, collecting more data for the Cortex platform.
Palo Alto Networks unveiled the Application Network in 2017, seeing it as a ‘game-changing’ cloud-based platform, to which both Palo Alto Networks and third-party developers would write new apps, which would in turn be consumed as cloud-delivered services.
“This is an evolution of the Application Network, in that it is a significantly improved version of it, and in fact a replacement for it,” said Gonen Fink, SVP, Behavioral Analytics, at Palo Alto Networks. “It is much more scalable. A couple of months ago, we extended our partnership with Google Cloud to run the Application Framework on the Google Cloud Platform to leverage their AI and analytics on top of our data store. It now allows us to scale massively to massive data sets.”
While writing applications for the Application Framework proceeded more slowly than anticipated, that same capability is present in Cortex as well.
“It’s the same idea,” Fink said. “The apps on the Application Framework now will migrate to Cortex. The same idea is also there that it is not just for us to innovate on, but third-party partners. The difference is that the amount of data we are now collecting on Cortex is greater, which makes it more valuable for applications. There is also more emphasis on applications that we create ourselves.”
The first of these Palo Alto Networks applications, Cortex XDR, was unveiled at the same time as the platform, and Fink described it as a very big deal.
“We are really excited about this,” he said. “XDR is a first-of-its-kind product that is going to change SOCs. We believe other apps will be added – some from Palo Alto Networks, some from third parties, and some from customers themselves – but XDR is a key application.”
Fink said that what Cortex XDR does is analogous to what Palo Alto Networks did in the firewall space when it was first created.
“Palo Alto Networks started with a Next Generation Firewall that took different prevention technologies and provided an integrated platform with them that could do everything,” he stated. “It was all about integrating different technologies and making them cloud-enabled, and it replaced what was previously delivered by multiple different products. XDR does similar things in detection and response. This area has had multiple categories, each dealing with different aspects of IT infrastructure – EDR, network detection and response, user analytics, cloud-based analytics. Cortex XDR breaks down these data silos in the same way that we once did with firewalls. The Cortex platform allows us to collect data from all of those elements. It brings all the data to one place, and stitches it together, in order to detect things that the tools could not always detect separately.”
Ultimately, while Cortex’s data lake capabilities are valuable, what Cortex XDR does is the real jewel in the crown here.
“Cortex is the infrastructure, but just collecting the data for itself is not a goal,” Fink said. “That’s why XDR is the first manifestation of this. It will allow us to detect more and investigate more. The Application Framework was a data lake, and the idea was that we would apply cloud-based computations on the data – not just provide alerts. Cortex is the evolution of that vision, with much more data on a much more scalable platform, and with a much richer application in Cortex XDR.”
A more familiar name, Palo Alto Networks’ Traps endpoint solution, is also part of this framework with its new 6.0 release.
“Traps is part of this solution, although it is an endpoint solution,” Fink said. “Two things tie it together. Palo Alto Networks is still a believer in a prevention-first approach. Even if you can detect things on the network, great prevention is still a prerequisite for good detection and response, so everything that can be done there should be. One of the new prevention capabilities in Traps is Behavioral Threat Prevention – being able to monitor a process by looking at a chain of events, and not just a single event. We do this at the agent itself, and tie it into prevention first. It reduces the number of things that the SOC analyst needs to do manually.”
Traps is also now relevant here in its ability to contribute data to the data lake.
“Traps is now a significant sensor for the platform, as we have added new abilities to collect data that make the application much richer,” Fink said. “So Traps helps to prevent more and reduce manual work, and also collect more data. Traps was not in the EDR market before. It now contributes to a ‘super EDR’ with XDR’s ability to do things with the data.”
To support the initial rollout of Cortex XDR, five MSSPs will launch offerings that deliver round-the-clock threat monitoring, detection and response services to Palo Alto Networks customers. They are PwC, Critical Start, ON2IT, BDO and Trustwave.
Cortex Data Lake and Traps 6.0 are available now worldwide. Cortex XDR will be available on March 4, 2019.