Always Innovating: Cloud Native Security for Azure, AWS & GCP

Sep 27, 2023

Always Innovating: Innovations in Cloud Native Security for Azure, AWS and GCP

Welcome to the September 2023 edition of Always Innovating in Network Security.

At Palo Alto Networks, we started our journey to simplify securing networks in the public cloud with the launch of Cloud NGFW for AWS, and have continued to innovate with new features as well as complete offerings for additional public clouds. This month, we feature four new innovations that improve our customers’ ability to secure networks in the public cloud. We also share our latest in DNS Security, IoT Security and SASE. Read on to see how we are always innovating to make our customers’ networks more secure every day.

1. Cloud NGFW for Azure: CLI/SDK/Terraform Integration

In August, we announced the general availability of Cloud NGFW for Azure, an Azure-native Palo Alto Networks next-generation firewall managed service that leverages machine learning to stop the most sophisticated zero-day attacks.

We are now excited to announce that customers will be able to use API/CLI/SDK, ARM and Terraform to manage their Cloud NGFW resources. Cloud NGFW is integrated with the native Azure API, CLI, SDK and Terraform Provider so it can be fully automated for Azure workloads. As a managed cloud service, there are no network virtual appliances to worry about and Palo Alto Networks takes care of scaling, resilience and software upgrades. With Cloud NGFW, customers can focus their time on security instead of managing infrastructure.

To get your free, 30-day trial, simply go to the Azure Marketplace listing. To see how pricing works, check out this easy, interactive pricing estimator. For more information visit our TechDocs and watch the demo video.

2. Multiple Panorama Support for Cloud NGFW for AWS

In our July 'Always Innovating' blog, we unveiled the integration of Cloud NGFW for AWS with Panorama. We are now excited to introduce Multi-Panorama Support to meet your governance model, regional presence and data residency requirements. You can now link your Cloud NGFW tenant with multiple Panorama appliances. From then on, you can configure and manage your Cloud NGFW resource with one of the linked Panorama appliances.

For a quick video of Panorama managing Cloud NGFW for AWS, click here. Or, if you already know you want it, simply get started with your 30-day free trial.

3. DNS Security on Cloud NGFW for AWS

According to the Palo Alto Networks Unit 42 Threat Research team, 85% of malware abuses DNS for command and control attacks. Attackers establish reliable command channels that are difficult to take down or identify due to the significant volume of DNS traffic. As adversaries increasingly evolve their attacks, it becomes extremely challenging to secure your DNS traffic if you do not have the right solution in place.

Now offered as an additional security service for Cloud NGFW for AWS, DNS Security allows you to protect your VPC traffic from advanced DNS-based threats, by monitoring and controlling the domains that your VPC resources query. With Cloud NGFW for AWS, you can deny access to the domains that Palo Alto Networks considers bad or suspicious and allow all other queries.

To learn how to configure DNS Security on Cloud NGFW for AWS, please click here. You can also estimate costs quickly with our interactive pricing estimator, or simply get started with our free 30-day trial at AWS Marketplace and see how you can extend security from on-prem to AWS with ease. To keep up with our latest innovations, check out What’s New in Cloud NGFW for AWS.

4. GCP Firewall Plus (Preview)

Last month, we unveiled the public preview of Cloud Firewall Plus at Google Cloud Next. In collaboration with Google Cloud, we now offer an enhanced option for next-generation virtual firewall deployment, streamlining and bolstering cloud security at any stage of your digital transformation journey.

Many organizations opt for cloud managed services due to their scalability and ease of use. In 2021, Palo Alto Networks and Google Cloud jointly launched a cloud-native managed service called Google Cloud Intrusion Detection System (Cloud IDS). This service enables customers to achieve on-demand application visibility and threat detection between workloads or containers in any Google Cloud virtual private cloud (VPC), supporting application protection and compliance objectives.

Cloud Firewall Plus extends the benefits of Cloud IDS by offering native inline security and real-time prevention that safeguards against advanced threats. It provides enterprise-grade security for east-west and north-south inspection and network security posture controls to enforce L3/4 and L7 security policies across or within organizations. Additionally, it features dynamic groups with exceptional granularity and flexibility, allowing users to choose the traffic to inspect without disrupting their Google Cloud network's current or future state. To learn more about Cloud Firewall Plus please visit the webpage.

5. (DNS Security) Real-Time Detection of Newly Registered Domains (NRD) - Newly Registered Domains (NRDs) are favored by threat actors to launch malicious DNS-layer attacks. In fact, Palo Alto Networks Unit 42 research found that approximately 62% of DNS requests to malicious domains happen within the first 10 days of those domains being registered. It is imperative to proactively block attacks using NRDs. To address the threat of malicious NRDs, Palo Alto Networks DNS Security has released a new detector that proactively detects malicious domains at their time of registration, blocking them with confidence even before they are used in attack campaigns. With advanced ML-based detectors, DNS Security can recognize key attributes that indicate whether a domain shares the same infrastructure and lexical similarity as other malicious domains from an attack campaign, or whether it was registered in bulk. These insights, along with our advanced machine learning techniques, have enabled us to effectively and accurately block malicious NRDs. On average, the new detector speeds up our NRD detection by 1.7 days and can prevent an estimated 70,000 additional malicious activities per week.

6. (IoT Security) Multi-Interface Device Support - IoT Security introduced support for identification of multi-interface devices to provide an accurate asset inventory count and eliminate duplicate vulnerability instances. IoT Security also provides system-generated recommendations and an intuitive workflow to merge two or more single-interface devices into one multi-interface device. For more details on this new feature, refer to the section on creating Multi-interface Devices on TechDocs.

That wraps up the fourth post in our monthly series, Always Innovating in Network Security, which brings you the latest innovations as soon as they become available. In this edition, we covered our latest innovations that help secure networks in the public cloud. If you would like to go back and read the last 3 editions, here are the links to August, July and June.

