Major enhancements were announced to the company’s Prisma Cloud and CASB  offerings, as well as a new specialization which will broaden the use of the Cortex platform.

Today, Palo Alto Networks is kicking off their Ignite21 digital cybersecurity event with the announcement of several major product updates. The one of most direct salience to partners is that the  Cortex platform is being strengthened with a new eXtended Managed Detection and Response Specialization, designed to make partners stronger in the areas of XDR that extend beyond the endpoint. A second big announcement is Prisma Cloud 3.0, their integrated cloud security offering, which with this release shifts security left to bring developers into the security protection cycle earlier. In addition, Palo Alto Networks unveiled their Next-Generation CASB [Cloud Access Security Broker] product, stating that existing CASB technology has too many gaps to protect hybrid organizations effectively.

“The trends we have been tracking involve a shift from working from home that’s starting to change to more of a semi-hybrid work environment,” said Lee Klarich, Palo Alto Networks’ Chief Product Officer. “There will be a new norm that is a hybrid workforce, where hybrid companies secure an increasingly cloud-focused infrastructure out of a realization that traditional approaches to cybersecurity aren’t going to work. Lots of point products that weren’t designed to work together don’t work in hybrid. I would argue that they never really worked at all.”

Klarich emphasized the importance of managing everything from a common platform, and how increasing levels of automation are needed to do this effectively, to securing cloud security as customers move to the public cloud or private cloud.

“The next big shift in cloud security will be embracing DevOps functions and making them part of the solution,” he said. “With Cortex, we are focusing on taking security data and understanding it from an analytics and ML perspective – how to prioritize those events and analyze them, ideally through automation – and if not, by SOC analysts so we can respond before anything bad happens. I would not underestimate the value of this. We as an industry have to embrace and get very good at using automation, particularly as 3-4 million cybersecurity jobs remain open. We are also looking to better equip partner organizations to do this as well.”

The Cortex news involves the launch of the first specialization for the NextWave Managed Service Program.

“Cortex is doubling down on our work with partners to ensure the full chain of value delivery,” said Tim Junio, SVP of Products, Cortex. “We are extending our  existing XDR, which provides managed SOC capabilities, to include new training and extended training for key partners.”

The new eXtended Managed Detection and Response [XMDR] program launches with four select trained partners: PWC; Orange Cyberdefense; Critical Start; and Trustwave.

“Where we are looking to go with this program, as we think about XDR as not just being just an endpoint solution, is that we wanted to work with partners to go beyond the endpoint data that we have natively stitched in XDR, including our next-gen firewall data and cloud data,” Junio stated. “The XMDR specialization will provide a dedicated team for partners for total XDR – not just endpoints – which will have better outcomes in terms of security, detection and response.”

To achieve XMDR specialization status, partner organizations must have Cortex XDR certified SOC analysts/threat hunters on staff, who are available 24×7. Partners seeking this distinction must also complete both technical and sales enablement and specialization examinations.

The Prisma Cloud 3.0 announcement shifts the Prisma integrated platform’s security left to developers, to significantly improving organizations’ entire cloud security posture by reducing security risk at runtime.

“There are several new and exciting things here,” said Ankur Shah, SVP of Products at Prisma Cloud. “One is our Infrastructure as Code security, which comes from our acquisition of Bridgecrew early this year. It is in beta today, and will be in GA in January. “What this does is helps developers discover problems earlier on in the pipeline.” IaC scanning and code fixes are embedded directly into developer tools across the development lifecycle.

Another innovation here is Agentless Security, which came through the acquisition of Twistlock, and now gives customers the ability to use both agentless and agent-based security in the same platform, with rules and results managed from a single UI.

“Agentless will give customers an easy option to augment their most secure agent-based approach,” Shah said. It will hit GA in January, starting with AWS.

Cloud Infrastructure Entitlement Management [CIEM], which had already been available for AWS, is now GA for Microsoft Azure. It makes permissions analysis more efficient, to handle over-permissioned cloud accounts, dormant permissions, and cloud identity issues.

“We have had support for this on AWS, and it has been very successful, so it is now GA for Azure as well,” Shah indicated. “This right-sizes the permissions, getting rid of too many people with too much access in the public cloud.”

Automated policy generation is now provided with Out-of-the-Box Rules for identity-based microsegmentation.

“This allows customers to auto-create policies and rules based on the system’s analysis of their traffic,” Shah said. “The platform will suggest rules based on the analysis of traffic.”

A new Adoption Advisor dashboard, which is in beta today, provides users with a guide to walk them through the process of using Prisma Cloud effectively.

“They want a coach to help them get operationalized,” Shah said. This is a simple dashboard to guide them through their operational journey to the product, which will make it all easy.

The initial release of Adoption Advisor covers Cloud Security Posture Management [CSPM] capabilities in Prisma Cloud with plans to expand to other areas of the platform in the future.

Finally, Rapid Risk Discovery reduces the time needed to identify and remediate misconfigurations by detecting event-driven configuration changes as they occur, in what will be an ongoing rollout until the goal is achieved.

“This deals with the time of how long it takes to detect a problem,” Shah said. “We have been implementing new techs to get that time to detect down into seconds. Now, within minutes we can detect a potential problem and the plan is to get it to seconds.”

Anand Oswal, Palo Alto Networks’ SVP of Products, Firewall as a Platform, introduced the event’s network security announcement, their next-generation CASB.

“Existing CASBs are incomplete and can’t protect today’s hybrid work environments,” Oswal said. “They provide incomplete visibility into applications and data, and only protect HTTP/S Web applications. They are also ineffective for collaboration apps, and slow to support new apps.”

Oswal noted as well that their data protection relies on old techniques, and only covers data and apps that go through a proxy, which means they miss 53% of threats. They also provide disjointed policies in different environments.

“What are we doing differently with this,” he asked. “This new CASB sees and secures all applications because it is now ML-powered, and in real time for the first time, so that it protects all users, not just proxy one, through a centralized console.”

This provides a unified set of policies across all control points and takes a security-first approach, rather than a compliance-first one. It will be available in January 2022.

Wendi Whitmore, SVP of Palo Alto Networks’ Unit 42, the company’s cybersecurity research arm, also provided an overview of their recent efforts dealing with the global threat landscape.

“We have over 200 threat researchers to operationalize new intelligence detections into our products as quickly as possible, which produces on average four new pieces of threat research a week,” she said.

To highlight the depth and breadth of Unit 42’s telemetry, Whitmore identified their detection of an espionage campaign leveraging Zoho’s ManageEngine, which impacted at least nine security-sensitive entities globally.

“This exploited a widely publicized vulnerability, and involved a suspected nation state attack on the Port of Houston,” she said.

Whitmore also indicated that Unit 42 has seen a recent 188% increase in cloud incident response cases.