The third generation of the XDR solution continues to expand XDR protective capabilities beyond the endpoint, with a big focus being on enhancing the ability to provide protection in the cloud.

Palo Alto Networks has announced enhancements to their Cortex XDR [Extended Detection and Response] solution. The big change is the enhancement of the ability of SOC teams to detect, monitor and investigate in the cloud. New integrations have also been added around third party analytics. A forensics module that had been used by the company internally is now being opened up to customers. A new XDR Incident Management Interface greatly simplifies the workflow to make it easier for analysts to work with. Finally, a new Third-Party Data Engine has also been added to allow customers to ingest, query, and analyze data from virtually any source.

The Cortex platform was originally rolled out in 2019 as a rebranding and repurposing of the Palo Alto Networks’ Application Framework initially created in 2017. Cortex XDR was introduced at that time as the first application for the platform, and it remains its core application, although the platform has been broadened with some new solutions that came through acquisitions. These include XSoar, which came with the Demisto SOAR acquisition, and Xpanse, which discovers and monitors attack-facing environments

“XSoar lets SOCs automate things humans would do over and over and over,” said Tim Junio, senior vice president of products, Cortex at Palo Alto Networks. “Xpanse is a critical aspect of any modern SOC, since you can only protect what you know about.

“We have also expanded the functionality of Cortex XDR considerably to go beyond endpoint first,” Junio added. “That matters, because what we want to do with XDR is make all high value data accessible from one console for protection and detection from threats.”

XDR for Cloud is a key part of this, adding the ability to integrate cloud host data, traffic logs, audit logs, data from both Palo Alto Networks’ Prisma Cloud product, and third-party cloud security data with non-cloud endpoint and network data sources.

“This significantly expands our coverage to the cloud,” Junio said. “We didn’t use cloud log data until this release. We would run XDR agents and provide EDR-like protection in the cloud and for Kubernetes hubs. The cloud would be covered with agents if customers installed agents. Now NTA [Network Traffic Analysis] is now part of this. It is able to capture flow data from cloud providers and run it through NTA.”

Junio thinks this is the improvement in this version which will matter most to channel partners.

“They will be interested in the expanded cloud functionality because of the push to commercial cloud functionality,” he said. “The security industry hasn’t yet figured out what cloud-centric SOCs should be like. Everybody’s is different. This creates issues of how to solve cloud problems for companies that don’t have 100 person SOCs. Because we have Prisma cloud and now this functionality, if they buy both products, that is the best cloud security they can get. But it still has to be managed, and that is what is interesting to channel partners.”

Cortex XDR Identity Analytics has been further enhanced with this release, to improve the XDR’s ability to detect malicious user activities and insider threats.

“We have added new native integrations with third party analytics, including new integrations with Workday, Okta, Active Directory and other data sources,” Junio indicated. We have also added new UEBA analytics to provide new detection methods. The 360-degree user view across these data sets allows seeing all the activity associated with the user.”

The Cortex XDR Forensics module is not new – but it’s availability to customers is.

“This is a forensic investigation tool that was developed by Crypsis, an incident response company that we acquired last year,” Junio said. “We have continued to use it internally in our Unit 42 security consulting group, and we decided to open it up to customer use.”

The XDR Forensics module allows gathering historical evidence such as user, file, application, browser and system activities from compromised systems to bring the full analytic potential of XDR to bear during incident response.

Junio emphasized that the module is not a core part of the platform, but a capability that costs extra to use.

“It is an upsell module,” he said.

Cortex XDR Incident Management Interface provides security analysts with a comprehensive story of an incident in one place, mapped to the MITRE ATT&CK framework, to help analysts handle incidents more quickly and completely.

“This is not a report, but a changed workflow which simplifies the experience.” Junio said. “One incident might have eight alerts, so it can get complicated for incident responders. We wanted to provide a simpler view while adding more data. This is more of an inbox-style interface. Before, you could have a 60-page incident report because we had so much information.”

The final enhancement is the new Cortex XDR Third-Party Data Engine, which provides the ability to ingest, normalize, correlate, query, and analyze data from virtually any source.

“We are offering customers an option to bring in any kind of data that they want for queries correlations and lightweight analytics,” Junio said. “It is not the same as native analytics. It gives customers opportunities to have those data available to them in the XDR console, like SOC analysts seeing across the enterprise when doing an incident response. It means that they don’t have to copy and paste from different sources.”