Prisma Cloud Introduces Out-of-Band Web App and API Security

Monitor Web Apps and APIs without Impacting Application Performance

New capabilities in the latest release help simplify cloud security with greater visibility across applications, infrastructure, workloads and identities. There’s no question that adopting the cloud has become a key focus for organizations, today. In order for companies to increase competitiveness, they put the cloud application at the heart of the digital transformation. However, the nature of the cloud poses security risks. Organizations build cloud-native web applications and APIs exposed to the outside world. In a recent study by Forrester, 39% of external attacks are web application exploits, making it the most common form of external attacks.

Businesses adopt inline Web Application Firewalls (WAF) and point API Security tools to block threats; however, security teams are challenged with sometimes sacrificing application performance for increased protection. They end up turning off security tools to keep applications running.

Last year, Prisma® Cloud became the industry’s first cloud native application protection platform (CNAPP) to offer inline Web Application & API Security (WAAS), including best-in-breed WAF, API security, bot defense and denial of service (DoS) protections.

Today, we’re thrilled to introduce out-of-band WAAS into Prisma Cloud to help address web application vulnerabilities and unsecured APIs that can lead to multimillion dollar security incidents without worrying about application performance impacts. Our customers now have the flexibility to choose how they want to secure their critical applications (inline or out-of-band) from a single solution.

Prisma Cloud is also enhancing visibility across infrastructure, workloads, identities and applications to combat security blind spots in public-cloud and multi-cloud environments.

  • Out-of-Band Web Application & API Security (WAAS): Prisma Cloud provides security teams the flexibility to choose between inline and out-of-band deployments to fit your environment's requirements. Monitor web apps and APIs in minutes without impacting performance.
  • Multi-Cloud Graph View for Cloud Infrastructure Entitlement Management (CIEM): Discover over-privileged accounts and understand access risk across multi-cloud environments. Prisma Cloud now provides a graph view of the net effective permissions across AWS, Microsoft Azure and Google Cloud.
  • Multi-Cloud Agentless Cloud Workload Protection: Extending visibility into an organization’s cloud workload and application risks across Azure and Google Cloud, in addition to AWS, to complement existing agent-based protection.
  • DNS-Based Threat Detection: Surfacing malicious activity and anomalous behavior in cloud environments without changing DNS infrastructure. Prisma Cloud Threat Detection now leverages machine learning (ML) and advanced threat intelligence to identify bad actors hiding in DNS traffic.
  • MITRE ATT&CK® Alert Prioritization: Enabling security teams to filter and prioritize risks and incidents based on the industry’s most widely adopted framework.

Out-of-Band Web Application and API Security

As modern cloud native web applications and APIs become prevalent, application security and development teams recognize the need for a modern web application and API security solution. At times, development teams may not want security deployed inline because it can impact the performance and availability of web apps or APIs. Meanwhile security teams are unable to monitor web apps and APIs running in environments without agents deployed.

Prisma Cloud’s WAAS module now offers out-of-band web application and API security for flexible deployment options that can fit your security requirements. Customers can now discover risks and protect web apps and APIs in minutes without deploying agents inline. This is extremely useful for those web applications or APIs that are critical to the business or sensitive to latency, where customers would rather not introduce a proxy in-line. Security teams can gain insights into all risks facing web apps and APIs, without impacting application performance.

Out-of-band WAAS policy
Out-of-Band Web Application and API Security

Cloud Infrastructure Entitlement Management: Support for Google Cloud Environments and New Graph View of Effective Permissions

In the most recent Cloud Threat Report, Unit 42 researchers analyzed 680,000+ identities across 18,000 cloud accounts and over 200 different organizations. They found that 99% of the cloud users, roles, services and resources were granted excessive permissions, which were left unused.

Security teams require comprehensive entitlement discovery and permission-rightsizing capabilities to help identify and remove over-privileged access across multi-cloud infrastructure.

Screenshot preview of the Investigate page, showing sources, granters and destinations.
Graph visualization demonstrates access activity and net-effective permissions across multi cloud.

Prisma Cloud adds new Cloud Infrastructure Entitlement Management (CIEM) innovations to help our customers better address growing access risks:

CIEM Support for Google Cloud: Gain visibility into entitlements and enforce permission rightsizing across Google Cloud environments, in addition to AWS and Azure.

Graph Visualization Across Clouds: Reduce the time to discover entitlements and access risk using a simple graph visualization across AWS, Azure and Google Cloud environments.

Multi-Cloud Agentless Cloud Workload Protection

As cloud adoption continues to accelerate, we want to work with our customers to help their security teams address visibility and security concerns for their cloud workloads by providing them with added flexibility. Customers are looking for quick visibility into their security posture without having to deploy agents. Agentless workload scanning is an additional, complementary solution in Prisma Cloud that simplifies our approach to visibility across cloud workload assets, in addition to our agent-based protection.

In our Prisma Cloud 3.0 announcement in November, we announced support for Agentless Security to scan running and stopped hosts on AWS for vulnerabilities. Now we are extending visibility into an organization’s cloud workload and application risks across Azure and Google Cloud, in addition to AWS, to complement existing agent-based protection. In addition to vulnerability scanning, it will include compliance scanning across standard benchmarks, custom compliance support, proxy support and much more. Agentless scanning is an additional, complementary solution in Prisma Cloud that simplifies our approach to visibility across compute assets, in addition to our agent-based protection.

Screenshot of scan accounts in cloud accounts onboarding.
Agentless Account Config in Prisma Cloud.

Threat Detection: Surface DNS Threats in AWS Environments without Changing Cloud Network Infrastructure

According to IDC, 87% of organizations suffered a DNS attack in the past year, and 23% of DNS attacks were due to cloud misconfigurations. There are numerous threat detection solutions on the market to find DNS based threats; however, many tools are a disparate assortment of open-source feeds to address unique threat vectors.

Prisma Cloud Threat Detection can now surface DNS-based threats in AWS environments. This new functionality analyzes DNS query logs from Amazon Route 53, then applies ML and advanced threat intelligence to help identify DNS attacks, such as domain generation algorithms (DGA) and crypto mining tactics. This capability is currently limited to GA and allows customers to detect threats trying to exploit their networks on AWS without changing their DNS infrastructure.

Screenshot of cryptomining domain request activity.
DNS query flagged for suspicious crypto-mining behavior.

Alert Prioritization Using the MITRE ATT&CK for Cloud Framework

Cloud Security Posture Management (CSPM) solutions are known to alert against cloud misconfigurations, and some tools prioritize alerts based on proprietary algorithms. While these tools appear to be simple and innovative, the prioritization tactics require organizations to change their security operation workflows.

That’s why Prisma Cloud now prioritizes alerts based on MITRE ATT&CK – the industry’s most widely adopted framework. With Prisma Cloud, risks and incidents, such as cloud misconfigurations and detected threats, are mapped to tactics defined by MITRE ATT&CK for cloud. Now organizations can effectively prioritize alerts, address risk, and respond to incidents using a framework that natively fits into their security workflows.

Screenshot of alerts overview, showing coverage, severity, top incidents and risks.
Filtering alerts to only techniques found in MITRE ATT&CK “Initial Access” tactic.

See the Latest Prisma Cloud Capabilities for Yourself

If you want to learn more about these new capabilities and see Prisma Cloud in action via a product demonstration, then check out the resources below:

Out-of-Band WAAS

Graph Visualization for CIEM

Multi-Cloud Agentless Cloud Workload Protection 

If you’re a Prisma Cloud customer who is interested in learning more, reach out to an account representative for more information.