What’s Next in Cortex — XSIAM for Cloud and Other Innovations

Apr 15, 2024

Tackling Diverse SecOps Challenges Simultaneously

Security operations teams are tasked with solving a variety of different challenges. They face the complexities of protecting growing and dynamic cloud environments; investigating and resolving security incidents quickly; proactively managing risks, preventing the next major breach; and so much more.

At Palo Alto Networks, we’re committed to helping our customers tackle all of these challenges with a unified AI-based security platform. With the latest release across Cortex products, we’re solving a diverse set of challenges in security operations, all at once.

  • XSIAM 2.2: Delivering XSIAM for Cloud to security operations teams.
  • XDR 3.10: Expanding beyond traditional endpoint security.
  • Xpanse 2.5: Confirming attack surface vulnerabilities for high-precision prioritization.
  • XSOAR 8.6: Automating security operations from anywhere.
  • Unit 42 MDR: Delivering MDR for Cloud.

XSIAM 2.2: Delivering XSIAM for Cloud to Security Operations Teams

Cloud security presents a distinct challenge since it is often performed separately from traditional security operations. Security operations teams commonly lack visibility into cloud-specific data, relying on security tools that weren't designed for the cloud. These tools commonly don't understand how applications are architected for the cloud, the unique aspects of cloud attacks, or what the SOC analyst needs to respond to in real time.

As organizations increasingly migrate to the cloud, bridging this divide between cloud and on-premises security operations becomes paramount to ensure comprehensive protection against evolving cyber threats.

XSIAM for Cloud

We’re tackling these problems with Cortex XSIAM for Cloud, which provides native cloud detection and response capabilities as part of the Cortex XSIAM AI-powered platform. It provides SecOps teams with a holistic view across their enterprise and cloud environments, and it leverages the same frontend, backend, AI and automation engines that made XSIAM so successful. For the first time, security teams have a purpose-built SOC platform for all SecOps’ needs, in both the enterprise and the cloud.

There are three innovations that underpin XSIAM for Cloud:

  • Comprehensive UI and Workflows: Within the same unified platform for enterprise security in Cortex XSIAM, SOC analysts can now utilize a new Cloud Command Center for complete visibility into cloud assets. This visibility enables security teams to identify and respond to cloud threats quickly.
  • An Expanded Security Agent: An expanded version of the Cortex XDR® Agent augments Cortex's best-in-class runtime security and threat protection with Prisma® Cloud's powerful vulnerability and security compliance management capabilities to deliver a complete Cloud Detection and Response solution. These new capabilities not only eliminate the necessity for two agents but also significantly enhance visibility while streamlining deployment and operations across the entirety of a security program.
  • Native Integration with Prisma Cloud: The new Prisma Cloud integration further enriches the capabilities delivered through the cloud SOC with broader context and security posture information about cloud assets for detailed incident grouping and more straightforward navigation.

Cloud Command Center in Cortex XSIAM

Dave Gruber, Principal Cybersecurity Analyst at Enterprise Strategy Group, said:

Our research shows that 89% of SOC teams either play a major role or have complete ownership of cloud security operations. Yet current SOC tools often fall short in providing the level of visibility and context needed to support cloud investigations. The addition of native, cloud SecOps capabilities within Cortex XSIAM narrows this gap, enabling cloud and security teams to work more collaboratively to see, understand and mitigate attacks involving cloud resources.

XDR 3.10: Expanding Beyond Traditional Endpoint Security

Cortex XDR 3.10 builds on leading extended detection and response with enhanced capabilities that go beyond traditional endpoint security solutions. Security operations analysts can now more effectively manage endpoint application vulnerabilities, defend against mobile device threats, streamline forensic investigations, and investigate and respond to incidents in the cloud, all within one unified XDR solution.

Expanded Security Agent

As cloud adoption soars, it becomes increasingly clear that visibility and compliance, while necessary, are no longer sufficient for comprehensive cloud security. The dynamic and distributed nature of cloud services, combined with the rapid pace of change, introduces new challenges that demand more robust and proactive security measures. What is needed is a single-agent solution that offers complete security coverage, including vulnerability management and compliance enforcement, and that seamlessly integrates with existing security infrastructures to provide enhanced visibility into cloud assets and streamline SOC operations.

Available in both Cortex XSIAM and Cortex XDR, the expanded security agent was designed specifically for cloud environments, combining Prisma Cloud's powerful vulnerability and compliance management capabilities with Cortex's best-in-class runtime security and threat protection. SOC teams no longer need to navigate through multiple tools to understand what is happening. The new agent ensures real-time monitoring and response, collecting logs, metrics and events that are complemented by broad agentless telemetry and rich automation tools integrated into the existing cloud infrastructure. Collectively, these capabilities deliver a true real-time Cloud Detection and Response solution that would be impossible with agentless-only products.

Enhanced Vulnerability Assessment with Host Insights

Software vulnerabilities continue to be the top vector of compromise for security incidents, representing 38.60% of the initial access points in Unit 42 cases in 2023. Security teams need a way to inventory endpoint software, identify vulnerabilities, and patch them quickly.

With Cortex XDR 3.10, the Host Insights module now uses an enhanced vulnerability assessment engine to identify both OS-level and application-level CVEs. With this updated approach, customers can better prioritize and address vulnerabilities quickly, before they become a potential security issue.

Forensic Module v.2

When a security incident happens, analysts need a way to manage investigations effectively, preserve forensic artifacts and perform analysis to figure out exactly what happened. This process generally involves collecting forensic data with one tool and then analyzing it with a completely different set of tools. This slows down the investigative process with much manual work and administrative burdens like tracking evidence sources in a log.

With a completely revamped Cortex XDR Forensics Module, investigations just got a lot easier. This update significantly expands the Forensics Add-on, offering a unified solution for collecting, tracking and analyzing forensic data. Designed to align with user workflows and enhance ease of use, the module facilitates streamlined data collection, grouping and analysis without needing a secondary agent. Users can create and manage separate investigations, control custom access permissions, and hunt threats using historical artifacts.

[Screenshot: Cortex XDR Forensic Module v2, showing the investigation HR-Incident-GFitzgerald]

iOS Malware Profiles

Employees increasingly rely on their phones to check email, browse websites, and share information. They are facing a greater risk from phishing attacks, malicious websites and unauthorized app usage. As a result, security teams are tasked with protecting business data and systems on these devices. Cortex XDR protection for mobile devices has elevated iOS protection with two new security modules.

  • Safari Safeguard: This module provides BYOD users with a safer browsing experience and enhanced protection against phishing attacks and malicious websites.
  • Network Shield: For enterprise-supervised iOS devices, this module provides granular control over web usage. It allows for limiting network access to unsanctioned iOS apps, as well as automatic filtering of malicious URL access.

Unit 42: Delivering Managed Detection and Response (MDR) for Cloud

For customers who want to augment their new cloud security capabilities with managed detection and response services, Unit 42 now delivers 24/7/365 managed services for the expanded security agent. Our Unit 42 Managed Detection and Response (MDR) service offers a dedicated team of world-class analysts, threat hunters and researchers to investigate and respond to attacks on behalf of customers. This allows security operations teams to concentrate on more strategic tasks.

Xpanse 2.5: Confirming Attack Surface Vulnerabilities for High-Precision Prioritization

As our customers’ attack surfaces continue to grow, we’ve seen that traditional vulnerability testing is insufficient to secure their organization’s externally-facing assets. Conventional Vulnerability Management (VM) tools lack a comprehensive inventory of known and unknown external assets. This means that external vulnerability testing is incomplete as well as manual, and, consequently, infrequent.

Attack Surface Testing

To address this challenge, Cortex Xpanse has introduced Attack Surface Testing, which provides more comprehensive and automated vulnerability detection. Attack Surface Testing runs unintrusive, benign exploits with explicit user authorization to confirm vulnerabilities in the organization's services. It allows security teams to enhance scan frequency and coverage, perform service-specific testing without affecting network performance, and prioritize vulnerabilities more effectively.

[Screenshot: Incidents reported by Cortex Xpanse Attack Surface Testing (AST); tests run daily]

In addition to this, Xpanse 2.5 also has a host of other new capabilities to help organizations shrink and secure their attack surface. Read the latest Xpanse blog to learn more.

XSOAR 8.6: Automating Security Operations from Anywhere

Security automation is crucial to improving operational efficiency and driving faster and more complete security outcomes. In 2023, we introduced Cortex XSOAR 8, delivered as a SaaS solution to provide greater performance, scalability and reliability. However, customers that require on-premises deployments have not been able to take advantage of all of XSOAR 8's advanced automation capabilities, until today.

XSOAR 8 for On-Premises

We are pleased to announce that XSOAR 8 now supports on-premises deployments. New customers who require an on-premises deployment for policy or regulatory reasons can now take advantage of the latest features of Cortex XSOAR.

Cortex XSOAR on-premises is available as a virtual appliance designed for deployment within an organization's data center. This ensures that all customers have access to the advanced new platform and features of Cortex XSOAR 8, regardless of their deployment location.

The enhanced features and capabilities listed here are just the tip of the iceberg for what we’ve packed into this Cortex release across XSIAM, XDR, Xpanse and XSOAR.

To learn more about these and other innovations from Cortex, register to attend Symphony 2024. At this annual Cortex event, we dive into the latest threat trends and how we’re transforming security operations and threat protection.
