Palo Alto Networks Blog, Tue, 25 Jul 2023 20:14:23 +0000

Palo Alto Networks Secures Black Hat from Itself (Tue, 25 Jul 2023 20:00:43 +0000)

As a trusted partner, Palo Alto Networks is providing three functions within the NOC/SOC at this year’s Black Hat USA.

The post Palo Alto Networks Secures Black Hat from Itself appeared first on Palo Alto Networks Blog.

Founded by Jeff Moss in 1997, the Black Hat conference has grown considerably. Since its inception, it has gone from a maverick event that gave attendees a glimpse into the hacker mindset, to a global event series held in Europe, Asia and the Middle East. It has evolved into the “intersection of network security and hacker ingenuity… where the establishment and the underground are equally at home.”

The network and security operations center (NOC/SOC) at the Black Hat USA Conference serves the critical role of ensuring that the conference's entire network is running smoothly and efficiently, as well as detecting and responding to any security threats. Black Hat can be an attractive target for threat actors looking for the infamy associated with disrupting the conference or stealing personally identifiable information (PII) from attendees.

To thwart attacks from both internal attendees and external actors, Black Hat partners with a select group of cybersecurity organizations. Each partner serves a different function, and the solutions work together to establish and defend a stable, well-protected network. For example, Black Hat hosts some of the top training in the world, with students eager to try out the latest attack techniques on live targets; Palo Alto Networks Next-Generation Firewalls (NGFWs) isolate that activity from the rest of the network.

Trusted Partner of Black Hat

As a trusted partner, Palo Alto Networks has officially supported Black Hat 18 times over the last six years at their conferences around the world. At this year’s Black Hat USA, we are providing three functions within the NOC/SOC:

  1. We will provide network firewall services, including full layer 3 dynamic routing, proper network segmentation/isolation and protection of the Black Hat owned infrastructure from any network-based attacks.
  2. We’ll collaborate with other vendors to provide threat hunting and threat context of traffic to help the NOC team determine appropriate courses of action.
  3. We will exclusively provide the NOC with security orchestration, automation and response (SOAR) with a wide range of automation and integration with the different products used by the NOC.

A significant portion of the Palo Alto Networks products portfolio is used to provide these services. Cortex XDR provides visibility and reporting for threat hunters and NOC guests. Our PA-5280 NGFWs will be deployed in High Availability, protecting Black Hat owned systems and internal infrastructure. The firewalls also provide network App-ID visibility and CDSS alert profiles on the entire network.

The NOC dashboard at Black Hat.
A view of the NOC.

Our threat hunters will leverage dedicated NGFWs enabled with the CDSS suite:

  • Advanced Threat Prevention to detect network attacks, defend against vulnerabilities, and detect malleable C2 as well as zero-day SQL injection (SQLi) and command injection (CMDi) attacks.
  • DNS Security to identify malicious domains and detect threats that use DNS as a vector.
  • Advanced URL Filtering to identify malicious URLs and detect threats that use HTTP(S).
  • Advanced WildFire to identify malicious files.
  • IoT security to identify the target/source device types used in incident response prioritization.

All the NGFWs and services will be monitored using our Panorama Network Security Management M-300. Panorama also provides log access to threat hunters, including the other vendors’ teams.

Cortex XSOAR is key to the NOC automation workflows and integrations with the other products supporting the Black Hat team. XSOAR is connected to the other partners operating in the NOC, such as Arista, the wireless LAN vendor. It is also paired with threat intelligence from Palo Alto Networks and the other vendors in the SOC. XSOAR playbooks automatically provide context and enrichment for any incidents that occur, then progress the incidents to investigation and closure.

XSOAR also changes automation processes based on how the Black Hat infrastructure is segmented. This means incidents originating from training classrooms are treated differently and with lower priority compared to live attacks sent from the internet towards the external perimeter of the environment or the registration network, which are a much higher priority.

Black Hat’s Infrastructure Is a Target

As one of the largest cybersecurity conferences in the world, Black Hat has some of the most talented researchers attending and speaking about their projects, who oftentimes highlight new attack techniques and vulnerabilities. Over the years, we have seen attendees immediately test these attacks on the network. They even attempt to attack fellow attendees or the conference infrastructure. This is an excellent example of what organizations face today: Attackers don't need much time to find ways to abuse a software bug. The conference focuses on the learning and education of advanced attack and defense techniques. With the partners in the NOC, this can happen without being disruptive to all the attendees, effectively protecting Black Hat from itself.

The Palo Alto Networks threat hunting team is in the NOC, actively reporting credible threats to the Black Hat team, specifically attacks against the registration and internal infrastructure. Based on this threat intel, the Black Hat staff is able to use a Cortex XSOAR Slack integration to instantly block bad actors through address tagging on the firewall. The team works in close collaboration with the other NOC partners: Arista, Cisco, Corelight, Lumen and NetWitness.
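The two mechanisms described above, segment-aware prioritization of incidents (training classrooms low, internet-to-perimeter or registration high) and blocking a confirmed bad actor by tagging its address on the firewall, can be shown together in a small triage routine. This is an added illustration, not Palo Alto Networks’ or Black Hat’s own XSOAR playbook code. The segment plan, the sample alerts and the tag name are constructed for the example; a real NOC would load the ranges from its own address plan and push the tag through its firewall integration.

```python
"""Segment-aware incident triage and block tagging (added example, not
Palo Alto Networks' or Black Hat's playbook code). The segment plan, the
alert records and the tag name are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Alert:
    src: str        # source IP as logged by the firewall
    dst: str        # destination IP
    signature: str  # threat signature name


@dataclass
class Triage:
    priority: str       # "low", "medium" or "high"
    src_segment: str
    dst_segment: str
    tag: Optional[str]  # address tag to register for a dynamic address group, if any
    reason: str


# Constructed segment plan (hypothetical). RFC 1918 and TEST-NET ranges are
# used so nothing here refers to a real host.
SEGMENTS = {
    "training": [ipaddress.ip_network("10.10.0.0/16")],      # classroom networks
    "registration": [ipaddress.ip_network("10.20.0.0/24")],  # attendee registration systems
    "perimeter": [ipaddress.ip_network("203.0.113.0/24")],   # conference-owned public addresses
}
INFRASTRUCTURE = ("registration", "perimeter")
BLOCK_TAG = "blackhat-block-external"  # constructed tag name


def segment_of(ip: str) -> str:
    """Map an address to a segment; anything outside the plan counts as internet."""
    addr = ipaddress.ip_address(ip)
    for name, nets in SEGMENTS.items():
        if any(addr in net for net in nets):
            return name
    return "internet"


def triage(alert: Alert) -> Triage:
    """Assign priority from where an alert originates and what it targets."""
    src_seg, dst_seg = segment_of(alert.src), segment_of(alert.dst)
    if src_seg == "internet" and dst_seg in INFRASTRUCTURE:
        # Live attack from outside against the perimeter or registration network:
        # highest priority, and the only case this example tags automatically.
        return Triage("high", src_seg, dst_seg, BLOCK_TAG,
                      "external attack on conference infrastructure")
    if src_seg == "training":
        if dst_seg == "training":
            return Triage("low", src_seg, dst_seg, None,
                          "classroom exercise inside the isolated training segment")
        return Triage("medium", src_seg, dst_seg, None,
                      "training host reaching beyond its segment; analyst review")
    if dst_seg in INFRASTRUCTURE:
        # Internal source hitting infrastructure: urgent, but a human decides on the block
        # so that a misattributed attendee device is not cut off automatically.
        return Triage("high", src_seg, dst_seg, None,
                      "internal source attacking infrastructure; analyst review before blocking")
    return Triage("medium", src_seg, dst_seg, None, "unclassified traffic")


def tags_to_register(alerts: List[Alert]) -> Dict[str, str]:
    """Collect the address tags a playbook would push to the firewall."""
    tags: Dict[str, str] = {}
    for alert in alerts:
        result = triage(alert)
        if result.tag:
            tags[alert.src] = result.tag
    return tags


if __name__ == "__main__":
    # Constructed sample alerts
    sample = [
        Alert("198.51.100.7", "203.0.113.10", "SQL injection attempt"),
        Alert("10.10.3.4", "10.10.3.9", "exploit kit test"),
        Alert("10.10.3.4", "10.20.0.5", "port scan"),
    ]
    for a in sample:
        t = triage(a)
        print(f"{a.src} -> {a.dst} [{a.signature}]: {t.priority} ({t.reason})")
    print("tags to register:", tags_to_register(sample))
```

The deliberate asymmetry is the point: only an external source attacking conference infrastructure is tagged without a human in the loop, while an internal source that hits the same infrastructure is raised to high priority but left for an analyst, since an attendee device can be misattributed on a shared wireless network.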

The Black Hat USA NOC team.
The Black Hat NOC team in 2022.

To see this NOC team in action, watch the Black Hat NOC live stream on the conference Twitch channel, or visit and tour the NOC on-site. With the help of partners like Palo Alto Networks, Black Hat is able to provide a strong network and security infrastructure that allows attendees to focus on learning and networking without worrying about their cybersecurity.

For more information about Palo Alto Networks cybersecurity solutions and its support of the Black Hat NOC, visit our Booth #1332 and watch the live feed of the NOC during the conference.

LLM in the Cloud — Advantages and Risks (Thu, 20 Jul 2023 15:00:58 +0000)

The development of large language models (LLMs) has shown great promise in enhancing cloud security.

The post LLM in the Cloud — Advantages and Risks appeared first on Palo Alto Networks Blog.

LLM and Cloud Security

Let’s explore the relationship between LLMs and cloud security, discussing how these advanced models can be dangerous, as well as leveraged to improve the overall security posture of cloud-based systems. Simply put, a large language model (LLM) is an artificial intelligence program designed to understand and generate human language. It is trained on vast amounts of text data from the internet, learning grammar, facts and reasoning abilities. With this knowledge, an LLM can answer questions, generate text and even hold a conversation with users. Examples of LLMs include OpenAI's ChatGPT, Google’s Bard and Microsoft's new Bing search engine.

As cloud computing continues to dominate the technology landscape, it has become more important than ever to ensure robust security for the services and data residing in the cloud. The development of large language models (LLMs) has shown great promise in enhancing cloud security.

Risks of LLM

As revolutionary as LLM technology can be, it is still in its infancy, and there are known issues and limitations that AI researchers have yet to overcome. These issues may be showstoppers for some applications. And, like any tool accessible to the public, an LLM can be used for benign as well as malign purposes. While generative AI can produce helpful and accurate content for society, it can also produce misinformation that misleads the consumers of that content.

Risky Characteristics


An LLM may generate output that cannot be grounded in the input context or in the knowledge of the model. This means the language model produces text that is not logically consistent with the input, or is semantically incorrect, but still sounds plausible to a human reader.


Most LLM applications rely on pretrained models because creating a model from scratch is too expensive for most organizations. However, there is no perfectly balanced training data, and thus every model will always be biased in certain aspects. For example, the training data may contain more English texts than Chinese texts or more knowledge about liberalism than conservatism. When humans rely on the recommendations from these models, their biases can result in unfair or discriminatory decisions.


An LLM may not always generate the same outputs given the same inputs. Under the hood, LLMs are probabilistic models that repeatedly predict the next word by sampling from a probability distribution.

Filter Bypass

LLM tools are typically built with security filters to prevent the models from generating unwanted content, such as adult, violent or proprietary content. Such filters, however, can sometimes be bypassed by manipulating the inputs (e.g., prompt injection). Researchers have demonstrated various techniques to successfully instruct ChatGPT to generate offensive texts or make ungrounded predictions.

Data Privacy

By design, an LLM can only take unencrypted inputs and generate unencrypted output. When a proprietary LLM is offered as a service, as OpenAI’s is, the service provider accumulates a large amount of sensitive or classified information. The outcome of a data breach can be catastrophic, as seen in the recent account takeover and leaked queries incidents.

Malicious Usages

Misinformation and Disinformation

With their advanced language generation capabilities, LLMs can create convincing, but false content. This contributes to the spread of fake news, conspiracy theories or malicious narratives.

Social Engineering Attacks

Malicious actors can weaponize LLMs to create sophisticated social engineering attacks, such as spear phishing emails and deep fake content.

Intellectual Property Infringement

LLMs can be used to generate content that closely resembles copyrighted or proprietary material. This poses a risk to organizations that rely on intellectual property to maintain a competitive advantage.

Offensive Tools Creation

Generative AI has been used for auditing source code and writing new code. Researchers demonstrated it could also write malicious code like ransomware. There are also reports showing that cybercriminals use ChatGPT to create offensive scripts.

LLM Use Cases in Cloud Security

However, if used correctly, LLMs can also be leveraged to improve cloud security.

Automating Threat Detection and Response

One of the most significant benefits of LLMs in the context of cloud security is their ability to streamline threat detection and response processes. By incorporating natural language understanding and machine learning, LLMs can identify potential threats hidden in large volumes of data and user behavior patterns. By continuously learning from new data, LLMs can adapt to emerging threats and provide real-time threat information, enabling organizations to respond quickly and efficiently to security incidents.

Enhancing Security Compliance

As regulatory frameworks continue to evolve, organizations face the challenge of maintaining compliance with various security standards and requirements. LLMs can be used to analyze and interpret regulatory texts, allowing organizations to understand and implement necessary security controls easily. By automating compliance management, LLMs can significantly reduce the burden on security teams and enable them to focus on other critical tasks.

This is extremely relevant to compliance-heavy products, such as Prisma Cloud, and even more relevant when the customer managing the product is trying to comply with certain regulations.

Social Engineering Attack Prevention

Social engineering attacks, such as phishing and pretexting, are among the most prevalent threats to cloud security. By utilizing LLMs to analyze communication patterns and identify potential threats, organizations can proactively detect and block social engineering attacks. With advanced language understanding capabilities, LLMs can discern the subtle differences between legitimate and malicious communications, providing an additional layer of protection for cloud-based systems.

Improving Incident Response Communication

Effective communication is a critical aspect of incident response in cloud security. LLMs can be used to generate accurate and timely reports, making it easier for security teams to understand the nature of incidents and coordinate their response efforts. Additionally, LLMs can be employed to create clear and concise communications with stakeholders, helping organizations manage the reputational risks associated with security breaches.

Prisma Cloud and AI

LLM, AI and ML aren’t strangers to Prisma Cloud. We are currently leveraging those technologies to improve our customers’ cloud security in several ways. For example, Prisma Cloud provides a rich set of machine-learning-based UEBA anomaly policies to help customers identify attacks launched against their cloud environments. The policies continuously inspect the event logs generated by the activity of the existing subjects in each environment and look for any suspicious activity.

List of Prisma Cloud anomalies by policy name, policy type and severity.
Some Prisma Cloud Anomalies

Prisma Cloud is committed to being at the forefront of technological advancements, enabling us to anticipate and proactively address emerging threats and risks in the era of generative AI. We persistently leverage the power of AI to streamline security operations, identify novel threats, and efficiently close security gaps. Recognizing the limitations and risks of generative AI, we will proceed with utmost caution and prioritize our customers' security and privacy.

A Leader in IDC’s 2023 NESaaS and ZTNA MarketScape Reports (Thu, 13 Jul 2023 13:00:49 +0000)

Palo Alto Networks is a leader in the latest IDC Network Edge security as a service (NESaaS) and Zero Trust Network Access (ZTNA) MarketScape reports.

The post A Leader in IDC’s 2023 NESaaS and ZTNA MarketScape Reports appeared first on Palo Alto Networks Blog.

As businesses of all sizes embrace hybrid work and cloud while facing increasingly sophisticated cyberthreats, the need for robust and modern cybersecurity solutions has never been greater. With that backdrop, I am proud to announce that Palo Alto Networks has emerged as a leader in the latest IDC Network Edge security as a service (NESaaS) and Zero Trust Network Access (ZTNA) MarketScape reports. This recognition is a testament to our unwavering commitment to delivering advanced cloud-delivered security solutions to help our customers securely transform to thrive in today’s digital world.

A Trusted Partner in Network Edge Security

IDC MarketScape Recognizes Palo Alto Networks as a NESaaS Leader

As organizations look to consolidate fragmented security solutions, NESaaS has become a strategic focal point of IT. At its core, NESaaS includes three key capabilities: secure web gateway (SWG), cloud access security broker (CASB), and Zero Trust network access (ZTNA).

The recent IDC NESaaS MarketScape report recognizes Palo Alto Networks for our completeness in features, robust support for third-party solutions and consistent performance. As IDC points out, we provide our customers the opportunity to “set security policies once across nearly any security stack/deployment model” while delivering optimized, end-user experiences.

Prisma® Access, our flagship NESaaS solution, offers enterprises scalable and effective cloud-delivered security across all users, devices, applications and data. It combines powerful firewall as a service (FWaaS), secure web gateway (SWG), cloud access security broker (CASB) and ZTNA 2.0 powered by machine learning (ML) and artificial intelligence (AI) into a single, converged solution. With centralized management and advanced threat intelligence, organizations gain enhanced visibility and control over their network traffic, dramatically reducing the risk of data breaches and data exfiltration.

What’s more, Prisma Access is built in the cloud and scales elastically across a multi-cloud network backbone. Leveraging the combined infrastructures of the leading hyperscale cloud providers allows Prisma Access to deliver low latency and exceptional performance, backed by industry-leading SLAs.

Redefining Secure Access with ZTNA 2.0

IDC MarketScape Recognizes Palo Alto Networks as a ZTNA Leader

As traditional perimeter-based security approaches have become increasingly inadequate in protecting today’s hybrid environments and hybrid workforces, interest in and adoption of ZTNA has skyrocketed. Our outstanding performance in the IDC ZTNA MarketScape report underscores our leadership in delivering effective ZTNA security.

Prisma Access protects the hybrid workforce with the superior security of ZTNA 2.0, connecting all users and all apps with fine-grained access controls while providing behavior-based, continuous-trust verification to dramatically reduce the attack surface. It secures all apps with deep and ongoing security inspection without compromising performance or user experience. In addition, it provides consistent visibility for access and data across the entire enterprise.

In the recent ZTNA MarketScape report, IDC highlighted the flexibility of our ZTNA 2.0 capabilities and deployment models. This allows Prisma Access to “adhere to the most diverse set of end-customer requirements,” while also recognizing our continued investment in delivering “frequent advancements,” as well as our robust feature roadmap. With Prisma Access, our customers are able to seamlessly adopt a Zero Trust approach from a “single, unified product”.

Transform Your Security with a Recognized Leader

We believe this news reaffirms our commitment to designing and delivering best-in-class cybersecurity solutions, like Prisma Access, to help organizations safeguard their applications, users, data and networks without compromise. By delivering a comprehensive and fully integrated cloud-delivered security platform, we help organizations achieve the resilience and trust required to securely transform and embrace today’s digital world.

Download the IDC NESaaS or ZTNA MarketScape report, today, to learn more about why Palo Alto Networks is the right partner for your secure digital transformation.

Closing out FY23 — Breakaway 1=5 (Wed, 12 Jul 2023 16:00:19 +0000)

Our Breakaway 1=5 NextWave framework was built to help our partners further break away from the competition with one program and five paths to success.

The post Closing out FY23 — Breakaway 1=5 appeared first on Palo Alto Networks Blog.

Fiscal Year ’23 has been quite busy for our NextWave Partner Program. Back in December, we unveiled our Breakaway 1=5 NextWave framework, built to help our partners further break away from the competition with one program and five paths to success. At the time of this launch, we committed to unveiling the most comprehensive set of NextWave enhancements in our company’s history. As the last day of our fiscal year approaches, let’s look back at the commitment we made to our partners, as well as look ahead to what’s coming in FY24.

FY23 Program Recap

When we looked at our data at the start of FY23, we noticed the partners who had branched out beyond firewalls were growing the fastest. Our guidance to partners: If you want to make more money, sell more, grow more, have more opportunities to deliver services – sell the rest of the portfolio.

On the whole, Palo Alto Networks has become much more prescriptive to partners about how they can drive services, creating solutions that provide deep value for our customers. This has included efforts to help partners with building a services practice based on their partner type. We are also providing guidance about how partners can bundle together multiple solutions and compete more effectively with single-function point products from other vendors. We have been heavily focused on teaching our partners how they can drive those solutions and how they complement each other.

Now that we are seven months into our rolling launch, let’s do a quick program enhancement recap.

  • December – We unveiled our first Market/Industry Proficiency, granting partners recognition for having 5G capabilities.
  • January – We unveiled our Partner-to-Partner initiative, offering Solution Providers the ability to address customer demand for managed services without the upfront SOC cost.
  • February – We launched our new Solution Provider Path requirements and new product specializations: Hardware Firewall, Software Firewall and Cortex XSOAR.
  • March – We integrated the Authorized Training Partner (ATP) and Certified Professional Services Partner (CPSP) Programs into the NextWave framework as specializations.
  • April – We disclosed the Distributor Path requirements.
  • May – We unveiled a 5% specialization discount boost for Hardware Firewall and Software Firewall Specializations.
  • June – We launched the MSSP Path requirements along with the first two MSSP Proficiencies for Cortex XSOAR and Prisma SASE.

During Q3 we also launched NextWave Rewards – our new incentive and promotion management tool designed to make it easier for partners to learn about and claim incentives.

FY23 Partner Incentives

With the end of FY23 just a few weeks away, we are in the home-stretch for some of our global partner MLP incentives. If applicable, partners should be sure to take advantage of the following incentives that will be coming to a close on July 31, 2023.

  • Finish Strong – The Close Out Q4 incentive will reward partner sales reps with 50 thousand NextWave Rewards Points. The Hardware Boost incentive rewards partner sales reps with 15 thousand NextWave Rewards Points.
  • Cortex Competitive Crush – Cortex partners can take advantage of this promotion if their customers replace a competitive endpoint security solution with Cortex XDR. Partner sales reps and SEs will be rewarded for closing out Cortex deals.
  • Diamond 2-2-3 Rebate Promotion – The enhanced Diamond Innovator Rebate allows top partners to be rewarded for selling ML Powered PA-Series Next Generation Firewalls and cloud-delivered security services.

A Look Ahead Into FY24

Now that our FY23 partner program enhancements are full-steam ahead, FY24 is going to continue focusing on the value partners bring and increase partner support.

Customers need cyber experts to help them solve their security challenges, and we rely on our partners to be the trusted advisors they need. In FY24 we will continue to lean on our partners more to help make these customer transformations happen. Our partner ecosystem is the key catalyst, enabler and amplifier of our ability to deliver solutions that protect our digital way of life.

There has never been a better time to become a NextWave partner. If you’re already a partner, the enhancements and incentives addressed above are clearly laid out in the partner portal, as well as captured in our Breakaway 1=5 blog series. Be sure to check out both to learn more.

INTERSECT Network Security Summit 2023: Where Insight Meets Innovation (Tue, 11 Jul 2023 13:00:45 +0000)

Join the INTERSECT Network Security Summit 2023 and discover why modern network security is crucial to today’s global organization.

The post INTERSECT Network Security Summit 2023: Where Insight Meets Innovation appeared first on Palo Alto Networks Blog.

Modern Network Security Is Crucial

With digital transformation accelerating, protecting the modern network has never been more important. From connected enterprises, to the internet of things (IoT) and the critical infrastructures supporting the world, today’s network is the lifeline of the global organization. To keep pace, modern enterprises must turn to Zero Trust as the way forward, to see and secure users, apps and data anywhere — from headquarters to branch offices, from data centers to the cloud, as well as the mobile workforce.

With this in mind, Palo Alto Networks is proud to announce INTERSECT ‘23: Network Security Summit, a free 1-day virtual conference created for network security thought leaders and professionals.

The path to Zero Trust is not well understood. Cloud and network security professionals get frustrated because they don’t know where to start and don’t have a step-by-step roadmap to implement complete Zero Trust for their entire organization. In fact, getting to Zero Trust is nearly impossible without a consolidated security strategy or platform.

Announcing the INTERSECT Network Security Summit 2023

At INTERSECT ‘23, we’ll share our vision for the future of network security and how organizations can enable growth and innovation by securing new initiatives and digital transformation; reduce risk by defending against ever-evolving, ever-expanding threats; and embrace simplicity by driving efficiency and effectiveness through cybersecurity consolidation.

Security experts will share best practices for implementing foundational Zero Trust components, then dive into designing a Zero Trust architecture for hybrid workforce, hybrid cloud and IoT deployments. Attendees can listen in on keynotes, a fireside chat and best practice sessions from their peers and Palo Alto Networks thought leaders in security and IT. They will also have the opportunity to get hands-on experience in various workshops, diving deep into how to implement Zero Trust and gaining experience using hardware and software firewalls, security services, SASE and IoT deployments.

Best Practice Sessions

  • Build a Complete Zero Trust Foundation for Your Network Security
    • Learn how to secure your users and devices, accessing any app while protecting your organization from emerging threats and intelligently managing your network operations. Get a roadmap to implementing complete Zero Trust in a world where artificial intelligence is your ally.
  • Secure the Hybrid Workforce & Branch Offices with Complete Zero Trust
    • Learn how to secure your hybrid workforce while enabling the best end-user experience with ZTNA 2.0 and SD-WAN.
  • Secure the Hybrid Cloud with Complete Zero Trust
    • Learn how to intelligently secure your hybrid and multi-cloud environments with software firewalls, and protect your applications’ communications, interconnection and data transaction traffic from modern, sophisticated cyberthreats.
  • Secure Every Connected Device — from IT to OT — with Complete Zero Trust
    • Learn how to see and secure all your connected devices with our IoT/OT security solution, and hear from an expert industry analyst, a former CISO and OT practitioner, on the importance of IoT security.

Connect with us on a journey to achieve Zero Trust for your modern organization, where we share best practices, strategies and innovative new techniques to tackle these challenges.

Register now to improve your security strategies and accelerate your journey to Zero Trust.

Accenture Teams with Palo Alto Networks to Bolster Zero Trust Security (Tue, 27 Jun 2023 13:00:53 +0000)

Accenture teams with Palo Alto Networks to deliver joint SASE solutions that enable organizations to improve their cybersecurity posture and accelerate business transformation initiatives.

The post Accenture Teams with Palo Alto Networks to Bolster Zero Trust Security appeared first on Palo Alto Networks Blog.

Partnership to Enable Cloud-Delivered Security with High Resilience and Performance with Prisma SASE

We recently announced that Accenture and Palo Alto Networks have partnered to deliver joint secure access service edge (SASE) solutions that enable organizations to improve their cybersecurity posture and accelerate business transformation initiatives.

As enterprises need to keep up with a growing hybrid workforce, SD-WAN deployments and multicloud adoption, the implementation of new technology and services has to be thoughtful. By combining Accenture's expertise with Prisma SASE, customers can leverage new management resources, services and technologies to accelerate their SASE transformation.

Distributed Workforce and Fragmented Security Driving Investment in SASE

Organizations today must enable the flexibility required by the modern workforce without compromising on security and user experience. Traditional security and networking solutions rely on an outdated architecture that backhauls user traffic to data centers. This centralized approach results in higher costs and higher latency for end users, as well as inconsistent security policies and capabilities.

Many organizations are turning to SASE for a consistent and scalable way to provide secure connectivity everywhere. A recent customer survey conducted by Foundry, on behalf of Palo Alto Networks and Accenture, reveals the three most important benefits of SASE — increased optimized performance, increased IT staff effectiveness and threat prevention, and risk reduction.

Complete Your SASE Transformation with Palo Alto Networks and Accenture

Together, Palo Alto Networks and Accenture deliver a comprehensive managed SASE solution that tackles the challenges organizations face today. By combining the strength of the largest global systems integrator with the industry’s most complete SASE solution, enterprises worldwide can propel their business transformation forward, benefiting from enhanced network performance and consistent security policies and implementation.

At the core of this offering, Prisma SASE brings together cloud-delivered security and next-gen SD-WAN into a unified platform to secure all apps and users irrespective of their location. Prisma SASE consolidates multiple point products, including ZTNA, Cloud SWG, CASB, FWaaS and SD-WAN, making it easy for organizations to reduce the fragmentation of security and networking tools. Additionally, the solution provides uncompromised performance backed by leading SLAs, while the industry’s only SASE-native ADEM helps ensure an exceptional experience for your end users.

The Palo Alto Networks and Accenture partnership enables customers to design and implement Prisma SASE with the benefit of outsourcing management and maintenance to a trusted partner. Through this partnership, enterprises will be able to take advantage of three new services offered by Accenture to accelerate their SASE adoption:

  • SASE Diagnostic and Advisory Services help businesses reimagine their network security architecture and expedite cloud adoption.
  • SASE Implementation Services help organizations unlock digital transformation opportunities and define a smooth path to Zero Trust.
  • SASE-as-a-Managed-Service includes an end-to-end offering with Prisma SASE, Zero Trust network access (ZTNA 2.0) and cloud-managed wide-area networking (WAN).

Together, we offer an easy path for customers to embark on their SASE transformation journey by enabling them to understand their network security landscape. By harnessing industry-leading networking and security capabilities, enterprises can take advantage of solutions that provide the superiority of ZTNA 2.0, simplified operations and an exceptional user experience.

Read our recent press release to gain insights into our strategic partnership with Accenture, and discover more about how Accenture and Palo Alto Networks jointly deliver an AI-powered Prisma SASE.

Cortex Leads New Ways to Introduce AI-powered Capabilities Mon, 26 Jun 2023 13:00:00 +0000 Palo Alto Networks Cortex is excited to introduce the latest innovations across XSIAM, XDR, XSOAR and Xpanse, available starting June 25th, 2023.

The post Cortex Leads New Ways to Introduce AI-powered Capabilities appeared first on Palo Alto Networks Blog.

With AI and machine-learning at the forefront of innovation for Palo Alto Networks and Cortex, we are continuously finding new ways to improve and advance the modern SOC to revolutionize security operations. Today, we are proud to announce that Palo Alto Networks is introducing new AI-based active attack surface management capabilities within Cortex Xpanse in Expander 2.2, as well as continuous refinement of the latest releases for our Cortex XSIAM 1.5, XDR 3.7 and XSOAR 8.3 solutions.

This launch further expands the advanced capabilities of the entire Cortex Portfolio when it comes to AI and machine-learning capabilities. The latest features found in Expander 2.2 will help organizations better prioritize and remediate attack surface risks by utilizing real-world intelligence and AI-assisted workflows. Organizations can now effectively manage and shrink their overall attack surface by proactively identifying and responding to internet emergencies and detecting vulnerabilities before they become a major threat to an organization. These new active attack surface management capabilities provide security teams with advanced visibility and intelligence that is needed to make informed and powerful remediation decisions quickly and effectively.

XSIAM 1.5 boasts enhanced playbook incident context, as well as more advanced automation capabilities and use cases for playbook development via the Playbook Playground. You can now also leverage the new high-availability cluster for the Broker VM – a critical data collection component – or utilize the comprehensive health monitoring of all the data sources you collect, which is available in both XSIAM 1.5 and XDR 3.7.

Learn more about the newest features now available across the Cortex Portfolio below and sign up for our newsletter to stay up to date on the latest innovations from Cortex.

What’s Next with Cortex

Cortex XSIAM 1.5

Cortex XSIAM is designed to provide a powerful data-centric foundation for the largest and most advanced environments. As data is a primary element of the Cortex XSIAM strategy, it is critical to ensure that data ingestion is highly reliable and continuously monitored, which is exactly what you’re getting with this new Cortex XSIAM 1.5 release.

  • Data Ingestion Health – Expanded data health offers security engineering visibility into significant health issues. The granular health metrics provide visibility into the data pipeline, as well as out-of-the-box health alerting capabilities. Health alerts are currently in beta.
  • Broker VM High Availability (HA) – Customers can safeguard their Broker VM deployment by creating HA Clusters that provide redundancy of specified Broker VM components in one or more clusters.
  • Playbook Incident Context – This enhances the investigation and response process, and improves incident management with cross-alert playbook decision-making. This new feature allows playbooks to run on alerts while accessing incident-level information.
  • Playbook Playground – Allows easier playbook development without impacting production environments by running a playbook in a sandbox environment.
  • Multi-Tenancy – This supports multi-tenancy through a new parent-child deployment option to address the unique requirements of distributed organizations with multiple Cortex XSIAM tenants.

Cortex XDR 3.7

The latest Cortex XDR 3.7 release delivers new features and enhancements, including improved identity threat visibility, enhanced built-in automation tools, and bolstered endpoint protection. These new features will make it easier than ever to manage forensic investigations while reducing operational overhead. Additionally, you can now ensure streamlined Broker operations using high-availability architecture.

  • eXtended Threat Hunting (XTH) Module – Delivers analytics-driven detection capabilities that empower security teams to prevent threats faster and detect effectively with more precision.
  • Broker VM High Availability (HA) Cluster – Customers can safeguard their Broker VM service by creating HA Clusters that provide redundancy of specified Broker VM components in one or more clusters.
  • Identity Threat Module (ITDR) Enhancements – Customers can broaden their ITDR investigative capabilities with added asset and role exposure.
  • Simplified Automation Enhancements – Expands simple automation actions with forensic-related actions and configurable thresholds of additional response.
  • New Security Module for IIS Protections – Improves customers’ detection and protection coverage capabilities with the new module for early detection of threats targeting IIS-based applications.

Cortex XSOAR 8.3

The new Cortex XSOAR 8 delivers all the rich automation capabilities of XSOAR, but with new and improved performance and user experience, plus cloud-native support for SaaS deployments. This latest 8.3 release is focused on enhancing the new platform, which is also relevant to other Cortex products.

  • New platform-level enhancements – Enhanced role-based access control (RBAC), user-group management and incident navigation.
  • Content Pack enhancements – Simplifies and enhances existing packs, focusing on Palo Alto Networks product integrations with XSOAR, XSIAM and ITDR playbooks.
  • XSOAR 8 migration – Continued focus on migration of hosted customers to XSOAR 8 SaaS, with new licensing options for SaaS customers.

Cortex Xpanse — Expander 2.2

In the new Expander 2.2 release, we’ve improved our active-risk prioritization features from our 2.1 release by adding in a new Cortex Xpanse Threat Response Center, which will allow teams to learn about the latest threats and identify the organization’s public-facing exposures. It will also help security teams manage and proactively resolve risks. Additionally, we’ve added several powerful augmentation features that automatically enrich an incident to aid analysts in the investigation and provide faster response using our newly advanced AI-powered incident investigation capabilities and playbooks.

  • Threat Response Center – Improves zero-day response and prioritizes exposures that matter, using Risk Scoring and the Threat Response Center.
  • Incident Risk Scoring – Security teams can now use adaptive risk scores based on threat and exploit intelligence to better prioritize and focus efforts on the exposures most likely to be attacked.
  • Security Rating Dashboard – Organizations can assess their security health and hygiene, track risk trends over time, compare their ratings with industry peers and reduce cyber insurance premiums.
  • AI-Powered Exposure Resolution – Improves attack surface remediation using AI-powered playbooks, including the new Remediation Path Rules, Onboarding Configuration Wizard and Active Response Content.
  • Business Unit Management – Organizations can exert more control over their distributed attack surface by transferring assets between business units.
  • Integration with Prisma Cloud – Reduces the cloud attack surface by gaining visibility into unknown and unmanaged cloud assets, using Prisma Cloud for comprehensive cloud security and central policy enforcement.

Register for our Cortex Xpanse Webinar, “Risk, Curated: Dynamically prioritize attack surface risks with the latest Xpanse” on August 30th, 2023. Learn more about the new Expander 2.1 and 2.2 features, as well as an inside look at the latest 2023 ASM Threat Report.

Agentless Workload Scanning Gets Supercharged with Malware Scanning Thu, 22 Jun 2023 13:00:44 +0000 Enterprises now have 53% of their cloud workloads hosted on public clouds, according to our recent State of Cloud-Native Security Report 2023.

The post Agentless Workload Scanning Gets Supercharged with Malware Scanning appeared first on Palo Alto Networks Blog.

Enterprises taking advantage of cloud-native architectures now have 53% of their cloud workloads hosted on public clouds, according to our recent State of Cloud-Native Security Report 2023. But, the sheer complexity of cloud technology can dramatically expand an organization’s attack surface.

Using WildFire in 2021 to analyze malicious files, our threat research team discovered a 73% increase in Cobalt Strike malware samples compared to 2020. The speed, volume and sophistication of modern malware attacks have made them more difficult to detect. This, paired with the agility of the cloud, gives rise to a heightened — and formidable — state of risk.

The Gap Between Risk and Reality

Enterprises can’t afford to leave the frontlines and backdoors open to risk while taking weeks to deploy security products. They want better out-of-the-box security from tools, according to the cloud-native security report mentioned above. Efficiency, after all, becomes paramount with a shortage of skilled security professionals. Teams need the ability to set up cloud security in a few clicks. Organizations need actionable insights on day one from the solutions they rely on.

Agentless Workload Scanning

Today, we’re excited to announce that Prisma Cloud agentless workload scanning is now backed by Palo Alto Networks Advanced WildFire, the industry’s leading malware scanning engine. Advanced WildFire is a cloud-delivered service that uses patented machine learning detection engines to identify 99% of known and unknown malware. It allows security teams to leverage advanced malware analysis for containers and hosts in runtime, without having to deploy agents.

In addition, this release includes other advancements:

  • Agentless vulnerability and compliance management for Windows host machines on all three major cloud providers
  • Extension of Cloud Workload Protection capabilities to five additional compute operating systems
  • Continuous examination of API changes and usage to detect unwanted changes or API risk

Agentless Workload Malware Scanning

Container images, running containers and virtual machines may contain malware, such as cryptominers or viruses. For example, Unit 42 found 30 malicious images in Docker Hub with cryptominers that had been pulled 20 million times. While many organizations turn to sandboxing solutions for malware analysis, these solutions affect user productivity and are slow to deliver verdicts.

Two years ago we started offering a native integration with Advanced WildFire for advanced malware analysis for containers and hosts in CI/CD pipelines and in runtime. We’re now extending this functionality to our agentless deployment options for hosts, VMs and container machines.

Users can scan their workloads for malware with a platform that provides flexible deployment options to fit their environments’ needs. Agentless workload scanning for known malware via Advanced WildFire is widely available. Support for zero-day malware detection is expected later this summer in SaaS Edition.

Agentless Workload Scanning Extended to Windows

Organizations often just want visibility into their cloud workloads and applications. About 18 months ago, we released agentless scanning to provide visibility into an organization’s cloud estate. This feature complemented existing agent-based protection. At the time, Prisma Cloud was the only code-to-cloud CNAPP with support for the three major cloud providers — Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP).

In this release, we’re extending agentless capabilities to support Windows host machines running versions 2016-2022 on all three major cloud providers, supplying security teams with greater flexibility in how they engage cloud workload protection. Users can now gain visibility into vulnerabilities and compliance across Linux and Windows-based cloud workloads for AWS, Azure and GCP — without having to deploy agents.

Broader Support for Additional Operating Systems

As the number of cloud workload services increases, customers are leveraging platforms that best suit their applications’ needs. But security teams are unable to secure cloud workloads if their existing solution doesn’t support the operating system. This leaves a potentially damaging gap in their cloud security strategy.

Prisma Cloud offers the broadest coverage for cloud workload protection, supporting over 30 different operating systems. We’re now extending our cloud workload protection capabilities to five additional compute platforms: Windows Server 2022, Oracle Linux, RHEL 9, Talos Linux, CBL-Mariner, and Rocky Linux.

API Change Detection

API attacks and abuse have been top-of-mind for most organizations. Prisma Cloud provides complete API discovery, risk profiling and real-time protection for all APIs as a part of its Cloud-Native Application Protection Platform (CNAPP).

The State of Cloud Native Security Report showed that 38% of respondents are committing new code daily. Snapshot-based API scans only provide security teams with point-in-time visibility, leaving them blind to API changes that create unwanted risk. Security teams need an approach that tracks API changes for efficient investigation.

Prisma Cloud continuously monitors APIs for changes that lead to unwanted risk. As development teams make frequent changes and updates to APIs, security teams now have visibility into these changes and the potential risk they might pose to the application at runtime. They can use this information to add protection to the endpoint or share information with their development team to remediate risk.

Learn More

To learn more about the latest enhancements to Prisma Cloud, request a free trial.

Zero Trust: The Key to a Hybrid Workforce Wed, 21 Jun 2023 13:00:22 +0000 To most people, cybersecurity breaches seem like a distant threat. But cybercrime presents real and present danger to individuals and businesses alike. In fact, total losses resulting from internet cybercrime grew approximately …

The post Zero Trust: The Key to a Hybrid Workforce appeared first on Palo Alto Networks Blog.

To most people, cybersecurity breaches seem like a distant threat. But cybercrime presents real and present danger to individuals and businesses alike. In fact, total losses resulting from internet cybercrime grew approximately 50% from 2021 to 2022 — jumping from $6.9 to $10.3 billion — while the total U.S. reported crime complaints decreased 5%, according to the 2022 FBI Internet Crime Report.

Meanwhile, ransomware gangs increasingly target data theft for extortion and harassment. Vice Society, one such gang, has attacked at least 137 school systems and local governments since 2021. In one school district attack, Vice Society published student mental health records, demonstrating that no one is off limits.

Driving Factors of Cybercrime

Many factors drive the rise in cybercrime. Threat actors are motivated and use new, AI-driven technologies, which are readily available on the internet and make it easy to attack individuals and organizations.

At the same time, interconnectivity and the shift to remote and hybrid work expose individuals and businesses to threats at home, where they might not have adequate protection. As these working models bring an increasing number of cyberthreats to our doorstep, the average American home faces 100+ cybersecurity threats each month.

The Challenge for Business and Government

According to Palo Alto Networks’ “What’s Next in Cyber” report, almost half of North American C-level executives plan to dedicate a quarter to half of their cybersecurity budget to hybrid workforce security. While the U.S. government makes strides advancing Zero Trust, state and local organizations face unique challenges that make adoption difficult.

Helping the workforce adapt to a work-from-home lifestyle doesn’t just mean daily check-ins. The technology that makes remote work possible must be secured in new ways, requiring a new and modern approach to cybersecurity. While trust among coworkers is vital, effective cybersecurity requires a healthy degree of suspicion. Team building and trust exercises have their place. But when it comes to technology, we must maintain a “trust no one” mentality.

Remote Learning, Diverse Workforce Development Opportunities

Remote work requires a sea change in how we think about education and workforce development. A capable and diverse workforce with problem solving and project management skills will be in demand as Zero Trust security and similar innovations create career roles that didn’t previously exist, such as the Zero Trust architect.

To help states accelerate adoption of Zero Trust practices, our industries must embrace and prepare the new workforce. Federal leaders set examples with Zero Trust that our state, local and business leaders must follow. If successful, they’ll not only keep the economy and people safe but also support the development of a next-generation tech workforce.

In Support of Next-Gen Professionals

We see the ways to qualify for jobs changing, with employers hiring more credential and certificate program graduates and companies tapping into new and diverse talent pools. Palo Alto Networks helps state and local governments and educators develop and train the next generation of cybersecurity professionals for the new Zero Trust workforce.

The Palo Alto Networks Cybersecurity Academy is helping to develop the next generation of cyber-informed educators by assisting schools to deliver modern, real-life education about cybersecurity.

The Cyber A.C.E.S. Program, or Activities in Cybersecurity Education for Students Program, empowers students ages 5-15 to have safe online experiences. Our partnership with Girl Scouts of the USA led to a cybersecurity curriculum and corresponding first-ever Cybersecurity Badge. Together, these programs, among others, set the stage for young adults to move into cyber roles when they graduate.

With other programs, like our SE (Systems Engineering) Academies and Cyber STARS, a collaboration with the Thurgood Marshall College Fund, we focus on supporting and guiding college students and recent graduates.

For current cybersecurity professionals, Palo Alto Networks Beacon provides access to on-demand learning about cybersecurity and the Palo Alto Networks portfolio. The Beacon portal provides comprehensive courses on everything from cybersecurity fundamentals to advanced threat hunting and incident response.

Contact your Palo Alto Networks account executive to learn more.

We Can’t Do It Alone: Sharing Threat Intelligence Makes Everyone Safer Tue, 20 Jun 2023 13:00:30 +0000 Sharing threat intelligence is a vital practice that ultimately makes everyone safer – and a key function of the Cyber Threat Alliance.

The post We Can’t Do It Alone: Sharing Threat Intelligence Makes Everyone Safer appeared first on Palo Alto Networks Blog.

At Palo Alto Networks and within Unit 42 threat intelligence, we share our findings about threat actor activity regularly with the Cyber Threat Alliance (CTA) – an intelligence sharing organization founded in 2014 by Palo Alto Networks alongside several of our competitors. Over the past nearly 10 years, the CTA has grown to include even more cybersecurity vendors. The practice may seem counterintuitive – in the early days of cybersecurity, part of the edge that set companies apart was having detections others didn’t. However, sharing threat intelligence is a vital practice that ultimately makes everyone safer – and it leaves plenty of room for maintaining a competitive edge. I’m proud to share that I've recently joined the board of directors of the CTA, and a key part of what I see as my mission is fostering more sharing of actionable threat intelligence, from within Unit 42, from across the CTA and from new organizations who have yet to join the CTA.

Cybersecurity is different from many industries in that we’re not simply competing with each other. We’re actually trying to stop evil. Threat actors are damaging national security, halting hospital operations, threatening people’s livelihoods and more. All of us in the cybersecurity industry share a mission to stop the attacker, and so the days of not collaborating with each other are long gone.

The ongoing commitment of Palo Alto Networks to the CTA stems from this knowledge. While public policy changes matter, government alone can’t form all the relationships needed to defend against threat actors. The private sector must realize the need and give up the idea of looking bad or good individually, focusing on overall detection across the industry. There’s no joy in seeing a competitor suffer a major zero-day that leads to worldwide exploitation. No one company can truly realize their maximum potential without collaborative efforts to reduce the prevalence and impact of global cyberattacks. Of course, we can each set ourselves apart with how we use the threat intelligence we share, offering our customers sophisticated product features and services.

Threat Intelligence Sharing Success Stories

Over the past few years, events such as the attacks on SolarWinds and Colonial Pipeline or the Log4j vulnerability inspired a new emphasis on operational collaboration. With attackers taking up and putting down infrastructure very quickly these days, both public and private organizations recognize the need to work together so we can move as quickly as possible to make progress against cyberthreats.

And specific to the CTA, an early win came in response to the WannaCry outbreak, when within hours, the CTA kicked off an internal collaboration process. This joint effort sped up analysis by 24-48 hours per member, allowing needed protections to be put in place within a key timeframe.

Currently, we’re seeing a massive benefit of information sharing in Ukraine. I don’t believe organizations have ever shared information to this level in the history of cyber – and the coordination explains why we haven’t seen more harmful impact from cyberattacks, which could have intensified other forms of damage in the region.

Closer to home in the U.S., Unit 42 Senior Vice President Wendi Whitmore’s participation in the Cyber Safety Review Board alongside other leaders from government and industry is one example of public and private collaboration.

The Vision and Sharing Model of the CTA

I’m thrilled to be joining the CTA’s board because of the organization’s focus on fostering sharing between companies that would otherwise compete. I deeply value its vision – which started as a handshake agreement between two cybersecurity CEOs over a cup of coffee in 2014 – and am proud to be part of a neutral organization that encourages all companies to work together to make people safer.

A big part of what I like about the CTA is the commitment to ensuring that all members participate in sharing. Everyone must share and meet a minimum sharing requirement. The organization doesn’t allow free riders or pay-to-play – you give information in order to receive it. What we do share needs to be actionable, and sharing is done in a structured format that includes contextual information – increasing the value of what is shared and the ability of members to build real-life protections based on the information.

CTA members hold each other accountable as well. If we find a vulnerability in each other’s security software, the organization provides a healthy, productive way to coordinate with each other.

The sharing platform has evolved over the past seven years, incorporating industry standards like STIX/TAXII, Kill Chain and MITRE ATT&CK. The CTA typically shares “about 11 million observables per month… with an average of three pieces of context per observable.”

Palo Alto Networks maintains a strong presence across all functions of CTA governance, from the board on down to committees and working groups including Membership, Algorithm and Intelligence, Policy and Standards and others. We continue to walk the walk and spread the word on how an organization like the CTA can be successful and why it matters.

Get Involved in Coordinating Threat Intelligence

There is still work to be done, and we can’t do it alone. Please feel free to reach out to me, Michael Sikorski, for further information on how Palo Alto Networks has benefited from and why we continue to move forward with the CTA mission. If you’d like to join our ranks, the CTA would love to hear from you!

The more we coordinate, the stronger we will become. I envision a future in which we use the force multiplier of thousands of coordinated threat intelligence analysts and cybersecurity professionals to push back the tide of threat actors.
