Palo Alto Networks makes five enhancements to Prisma Cloud to eliminate blind spots and reduce false positives

The changes, which are focused on the Prisma Cloud’s Cloud Security Posture Management module, primarily deal with long-standing issues that the industry has not addressed well because they are difficult.

True Network Exposure

Palo Alto Networks has announced five new capabilities that strengthen the Cloud Security Posture Management [CSPM] component of their Prisma Cloud platform that provides cloud-native security.

“We are really excited about this launch,” said Ankur Shah, VP of Product Management for Cloud at Palo Alto Networks. “It has been in the works for close to a year. Our vision from day one was to provide a more holistic view from a security standpoint, because unlike the old days where security teams could take a whack-a-mole approach, with many different platforms for different tasks, cloud levels the environment. Now we are launching a major milestone in this journey with five new capabilities to eliminate dangerous blind spots for our customers, while reducing alert fatigue.”

The Prisma Cloud platform consists of four integrated modules: CSPM; Cloud Workload Protection; Cloud Network Security; and Cloud Infrastructure Entitlement Management.

“When we launched our cloud native security, these four pillars were our stake in the ground,” Shah sad. “Today’s enhancements are around enhanced capability on CSPM – that first pillar.”

The first enhancement is what Palo Alto Networks calls True Network Exposure. The problem it is looking to solve is a lack of end-to-end visibility into the network leading to tons of time-wasting false positives. True Network Exposure provides end-to-end network path visibility between any source and destination, to remove alerts from sources that provide zero actual danger to the network.

“The problem with cloud networks in the ‘CSPM 1.0 era’ is that they generate alerts for any overly permissive security group, even if they are workloads that are not publicly exposed, and maybe are not even accessible on the Internet,” Shah indicated. “Our visibility allows us to calculate net effective permissions, to not create false positives.”

Shah said that this problem became widespread in the industry as an outgrowth of doing the easy thing in threat assessment.

Ankur Shah, VP of Product Management for Cloud at Palo Alto Networks

“The easy thing to do is look for certain patterns, which creates the false positives, and in our industry, you tend to copy what works, so the problem became widespread,” he noted.” Solving this problem was not easy, because you have to show the entire network path and end-to-end routes. This has been in development for over nine months, to overcome this technical hurdle.”

The second new enhancement is Visibility-as-Code. The problem it addresses is that cloud service providers release and update hundreds of new services for their platforms each year, a pace which CSPM providers cannot keep up with. When organizations use these new services before their CSPM solution supports them, security blind spots are the result. Visibility-as-Code lets Prisma Cloud support new cloud services in days, to close these blind spots.

“Everything as code is a general industry trend, and we are following that here, but we also have placed a stake in the ground on Visibility-as-Code,” Shah said. “We support the five largest cloud providers. That’s between 20,000 and 30,000 engineers who build services. I have a lot of engineers, but they can’t keep up with that. Visibility-as-Code lets us ingest cloud services programmatically behind the scenes.”

Network Data Exfiltration Detection is the third capability.

“By detecting either unusual traffic patterns or communication with malicious IPs, a lot of CSPM players tell you only that your windows and doors are open and that someone broke in,” Shah said. “We look at network flow data, ingesting a trillion logs on a weekly basis, to provide a comprehensive view, using machine learning and threat intel feeds.”

While the problem has attracted well-funded startups, Shah said the approach Palo Alto Networks is able to take is fundamentally different because of the scale at which they operate.

“This is a scale problem,” he noted. “The feature itself also isn’t the be all and end all, as it is complemented by adding additional insights – the rest of the CSMP stuff we already do.”

Next comes Anomalous Compute Provisioning Detection, which is an anti-cryptojacking capability. It identifies the provisioning of an abnormal number of VMs, which is often caused by cryptojacking or resource misuse.

“This is really an extension of what we are doing with Network Data Exfiltration, but is focused on a specific type of breach,” Shah indicated. “Back in 2017, when we launched our cryptomining policy, there was a lack of interest because bitcoin prices were low. That has changed, and now we see a lot of cryptomining incidents taking place.”

Finally, customizable object-Level scanning for AWS S3 has been introduced, a quick modification to a recently introduced capability. In January, Palo Alto Networks introduced the ability to scan objects in S3 buckets for public exposure, sensitive data, or malware.

“We introduced this originally to detect sensitive data, because customers don’t know what their developers are storing in S3,” Shah said. “Now in order to save on network costs, we are building a more intelligent scanner, so that rather than scan petabytes of data, customers can do a la carte scanning, scanning just specific buckets for sensitive data to save on costs and time.”

Shah said that doing this is something of a chore, because the cloud providers don’t make it real easy to do. He also noted that the plan is to expand this to other clouds going forward.