Palo Alto Networks Extends Reach of Cortex XDR Platform

Palo Alto Networks this week updated its Cortex extended detection and response (XDR) solution to include support for additional cloud platforms as well as the ability to analyze identity data to surface potential threats.

XDR platforms are emerging as alternatives to security information and event management (SIEM) platforms, which primarily enable organizations to collect data that security teams can then query as part of a threat investigation. In contrast, an XDR platform collects data from multiple sources and uses it to automatically surface potential threats, without necessarily requiring cybersecurity teams to know in advance which queries they should be crafting in an evolving threat landscape.

The latest update also adds forensic investigation tools that can be integrated with a wide range of third-party data sources. They provide the ability to gather historical evidence based on the user, file, application, browser and other activities occurring on compromised systems.

Tim Junio, senior vice president of products for Palo Alto Networks, said Cortex XDR 3.0 extends the reach of the platform beyond firewalls and endpoints as part of an ongoing effort to present cybersecurity teams with a more comprehensive analysis of the threats to extended enterprise IT environments. XDR 3.0, for example, now aggregates cloud host data, traffic logs, audit logs and data collected directly from cloud platforms, as well as data from the Prisma Cloud security platform that Palo Alto Networks already makes available.

Junio also noted that identities are becoming a more crucial source of security data at a time when many employees continue to work from home. For all intents and purposes, Junio said, identities are now the perimeter. The best way to combat those potential threats is to identify anomalous behavior by identity as quickly as possible, Junio added.

Cortex XDR then provides access to an incident management interface that gives security analysts one place in which to track malicious artifacts, hosts, users and alerts in a way that is mapped to the MITRE ATT&CK framework. A Cortex XDR third-party data engine also makes it possible for cybersecurity teams to ingest, normalize, correlate, query and analyze data from virtually any source.

As both the volume and sophistication of cyberattacks increase, it is becoming more apparent that existing security tools are not able to keep pace. XDR platforms promise to reduce the amount of time required to identify attack vectors. Armed with those insights, it then becomes possible for overstretched cybersecurity teams to better prioritize their efforts.

It’s not clear to what degree XDR platforms will supplant SIEM platforms, or how long that might take. Many organizations, while frustrated with the state of their cybersecurity, are finding it challenging to determine precisely where to apply the additional dollars allocated to cybersecurity; there are simply too many options.

Junio said ultimately, the cybersecurity battle will be won and lost inside the security operations center (SOC). If security analysts are unable to identify threats in a timely manner, there is little chance an organization will be able to thwart them. After all, it’s not possible to defend against something that no one knows is there.

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.