Prisma Cloud Further Extends Host and Container Security

Prisma Cloud Now Secures Apps with the Industry’s Only Integrated Web App Firewall (WAF), API Security, Runtime Protection and Bot Defense Platform

We’re proud to announce our next set of developments for workloads for Prisma Cloud, which will help to bolster host and container security for our customers.

At Palo Alto Networks, our team is committed to delivering comprehensive Cloud Workload Protection capabilities across the cloud native continuum – securing hosts, containers and Kubernetes, and serverless functions – both at runtime and across the application lifecycle.


Industry-Wide Need for Integrated Tools

Integrated and comprehensive platforms are essential as cloud native adoption continues to grow. In the 2020 Cloud Native Computing Foundation Survey, CNCF shared that:

  • Container usage continues to rise: Use of containers in production has increased by 300% since 2016, up 84% just in the last year.
  • Kubernetes is more mainstream than ever: A full 91% of CNCF respondents report using Kubernetes, with 83% of them using Kubernetes in production.
  • Serverless adoption continues: 30% of respondents reported using serverless technologies in production today.
  • CI/CD technologies are essential to cloud native users: More than 80% of respondents use CI/CD pipelines in production.

In search of efficiency, organizations are adopting a mix of cloud native architectures, combining them with various pipeline technologies and integrating them into rapid release cycles. However, they are often stitching together multiple, single-purpose security solutions to protect these stacks – creating operational burdens and security gaps.

The latest Prisma Cloud enhancements for Cloud Workload Protection allow DevOps teams to continue building and deploying their workloads and applications rapidly, while helping security teams deliver comprehensive protection.


An Integrated Approach for Web Application and API Security

In our Prisma Cloud 2.0 launch, we unveiled our Web Application and API Security (WAAS) module for discovering and protecting web applications and APIs running across clouds, delivering customizable OWASP Top 10 protection, API security and runtime protection. By delivering these capabilities from a single dashboard integrated with our Defender unified agent framework, security teams can quickly and easily deploy and enable protection for cloud native applications.

To demonstrate the module's potential, our product team ran an internal benchmark analysis against other leading solutions. The team measured the rate of false positives and negatives by running a rich arsenal of real-world attack payloads against a set of over 200,000 legitimate web transactions.

Detailed in a new whitepaper, our team showed that our web application firewall (WAF) capabilities outperformed six competing solutions. The Prisma Cloud module has the highest precision rating at 99.3%, which measures the ability to avoid false positives and false negatives. It also has the lowest false positive rating at just 0.02%.


Adding Bot Risk Management and Advanced DoS Protection

Figure 1. Bot protection controls inside Prisma Cloud (screenshot of the "Edit WAAS app" screen; controls cover known bots, unknown bots, active bot detection and user-defined bots)

In addition to unveiling our benchmark test results, we're releasing new robust WAAS capabilities, including:

  • Bot protection: WAAS customers can manage web bots and decide how to handle access for different bot types. Users have customizable visibility and protection covering known bots, unknown bots, and user-defined bots. Each setting can be applied to specific applications as chosen by the security team.
  • Advanced DoS protection: WAAS now includes the ability to defend against application layer denial-of-service (DoS) attacks by applying rate controls.

Figure 2. New aggregated WAAS event details (screenshot of aggregated WAAS events in Prisma Cloud)


Host Security: Custom Compliance Policies

Though container and Kubernetes adoption continues to rise rapidly, hosts or cloud VMs are still central to cloud infrastructure strategy. Whether an organization has adopted a lift-and-shift approach to move workloads to the cloud or is leveraging VMs to run a containerized stack, security teams need to protect these workloads. This includes having continuous vulnerability management and compliance, runtime protection (file integrity monitoring, log inspection, custom runtime rules), access control and forensics.

With our new custom host compliance policies, users can implement security policy compliance checks for these protections via Bash scripts to cover host operating systems, orchestrator configurations or runtime checks.

Figure 3. Screenshot of Host custom compliance policy UI (the window is titled "Edit Hosts file exists")


Container Security: Enhanced Kubernetes Cluster Awareness and CRI-O Compliance Checks

Kubernetes Cluster Awareness

As security teams monitor and protect a growing and constantly evolving set of Kubernetes environments, using Kubernetes-native constructs to map rules and policies and to view runtime audits saves them time and energy. In our latest release, Prisma Cloud improves how teams can leverage Kubernetes cluster names across the platform.


Figure 4. Security incidents filtered using cluster definitions (options selected in the screenshot: Monitor/Runtime, Incident response, Active, Cluster, Incident Reverse Shell)

Teams can use cluster names to map environments and policies or view runtime environments and audits. Examples include:

  • Segmenting Radar views to specific clusters.
  • Viewing image scan results by cluster.
  • Building and mapping policies across environments by cluster.

The screenshot above shows how security teams can use clusters as a filter for viewing security incidents in Incident Explorer, so they can quickly diagnose an incident, review kill chain data and see a timeline view.


CRI-O Compliance Checks

As CRI-O continues to emerge as an open standard for container runtimes, DevOps and security teams will want to ensure they have the proper security policy compliance checks mapped to this technology.

Now, Prisma Cloud maps 25 specific compliance checks to CRI-O across containers, images and host configurations. Within the compliance rules editor, users can quickly and easily select these pre-built mappings in the dropdown menu, as highlighted in the screenshot below.

Figure 5. Screenshot of new CRI-O compliance policies (the "Create new compliance rule" dialog, showing compliance actions)


Additional Key Features

Our latest release includes enhancements across our platform:

  • Defender scale: Support up to 10,000 Defenders for each console or project.
  • Intelligence stream enhancements: For air-gapped or disconnected environments, the Compute Edition console now automatically manages and distributes intelligence stream data.
  • Base layer vulnerabilities: Segment vulnerability findings against application-layer vulnerabilities.
  • Grace periods: Vulnerability grace periods can now be aligned to vendors' fix dates.
  • Native image vulnerability results within Harbor: For Harbor registry users, Prisma Cloud now delivers vulnerability results directly within Harbor, as well as our application.

All the features above are available today in Prisma Cloud Compute Edition, with general availability in Prisma Cloud Enterprise Edition by early February. To learn more, join us at our 2021 Virtual Summit on Jan. 26, “Building a Scalable Strategy for Cloud Security.”