Endpoint Security Series: Palo Alto Networks

In this third installment of our Endpoint Security Series, we’ll be discussing another prominent name in the endpoint security space: Palo Alto Networks. 

Palo Alto Networks has been a market leader with one of the best performing and most visionary next-generation firewall platforms for the past 5-10 years. In early 2019, they released their Cortex XDR product suite which provides a unique platform to tie endpoint data, network data, cloud firewall, and identity data together. Similar to CrowdStrike and some other competitors, Palo Alto Networks also boasts an industry leading threat hunting team with their Unit 42 team.

Palo Alto Networks’ endpoint story started with their next-generation antivirus and Endpoint Protection Platform (EPP) solution called Traps. Although Traps is now retired, some of its features have been rolled into the Cortex XDR suite. Palo Alto Networks has done an excellent job of taking a product that was sometimes overlooked and incorporating it into their full security solution. Palo Alto Networks’ platform approach to security allows users to take advantage of the integration points between their on-premises firewalls and cloud security solutions with a robust EPP/EDR solution.

Cortex XDR comes in two primary flavors: Prevent and Pro. Each comes with optional feature add-ons to enhance your security posture. Cortex XDR Prevent is the entry tier and is a full endpoint protection/AV replacement that uses machine learning and AI to provide protection against malware and fileless attacks. The lightweight agent can also control USB drives, disk encryption, and the host firewall from the Cortex XDR console. Optionally, you can add the Threat Intelligence feed to provide more context to your investigations.

Cortex XDR Pro is a full Endpoint Detection and Response (EDR) solution. The Pro tier includes behavioral analytics and rule-based protections, with the option to include the Threat Intelligence Feed, Managed Threat Hunting, and Host Insights. The Pro tier provides the ability to feed data from endpoints, on-premises and cloud firewalls, user identity, and Prisma Access VPN sites into the Cortex Data Lake. The Cortex Data Lake is a centralized cloud data collection point that brings all the data together in order to run advanced AI and machine learning to improve the accuracy of your security investigations and results.

Unit 42 released a Cloud Threat Report this past October. One of their three major takeaways was that Identity and Access Management (IAM) is a major problem for enterprises moving more resources into the cloud. They found that misconfigured IAM roles and a lack of adherence to IAM best practices are a major security issue affecting many organizations. Integrating your cloud identity products into the Cortex Data Lake can help sniff out these issues.

Why is collecting data from multiple sources important? All the data that is collected in the Cortex Data Lake is used to enhance detection of security incidents, improve tracing of malware, and better detect attacks across your entire network. This additional data also helps reduce the amount of time it takes to identify and respond to incidents, and it can substantially lower the number of alerts your security team is presented with, freeing up cycles to remediate actual security incidents instead of chasing the ghosts of false positive alerts.
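To make the multi-source argument concrete, here is a small added example (written for this article, not Cortex XDR code, and not a model of Palo Alto Networks' actual analytics) that joins constructed endpoint, firewall, and identity events by host or user inside a short time window. An endpoint alert that is corroborated by a firewall egress record and an identity anomaly is escalated, while the same kind of endpoint alert with no corroborating telemetry goes to the low-priority queue. The event fields, the ten-minute window, and the additive scoring rule are all assumptions chosen for illustration.

```python
"""
Toy cross-source alert correlation: why one data store holding endpoint,
firewall and identity telemetry helps triage.

Added example for this article. Not Cortex XDR code; field names, window
size and scoring are assumptions. All events below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    source: str        # "endpoint", "firewall" or "identity" (assumed labels)
    ts: datetime
    host: str
    user: str
    detail: str


# Constructed sample telemetry (not a real product schema).
EVENTS = [
    # ws-17: endpoint alert corroborated by firewall egress and an identity anomaly
    Event("endpoint", datetime(2021, 1, 5, 9, 0),  "ws-17", "alice", "suspicious_powershell"),
    Event("firewall", datetime(2021, 1, 5, 9, 2),  "ws-17", "alice", "egress 198.51.100.23:443 app=unknown-tcp"),
    Event("identity", datetime(2021, 1, 5, 8, 58), "ws-17", "alice", "login flagged impossible_travel"),
    # ws-42: same endpoint alert type, but no related telemetry within the window
    Event("endpoint", datetime(2021, 1, 5, 11, 0), "ws-42", "bob", "suspicious_powershell"),
    Event("firewall", datetime(2021, 1, 5, 14, 0), "ws-42", "bob", "egress 192.0.2.10:443 app=ssl"),
]

WINDOW = timedelta(minutes=10)  # assumed correlation window


def correlate(events, window=WINDOW):
    """For each endpoint alert, collect the other sources that saw the same
    host or user within the window. Score = 1 + number of corroborating sources."""
    results = []
    for alert in (e for e in events if e.source == "endpoint"):
        corroborating = set()
        for other in events:
            if other is alert or other.source == "endpoint":
                continue
            same_entity = other.host == alert.host or other.user == alert.user
            in_window = abs(other.ts - alert.ts) <= window
            if same_entity and in_window:
                corroborating.add(other.source)
        results.append((alert, 1 + len(corroborating), corroborating))
    return results


def triage(events, escalate_at=3, window=WINDOW):
    """Split endpoint alerts into an escalation list and a low-priority queue.
    Returns two lists of (host, score, sorted corroborating sources)."""
    escalate, queue = [], []
    for alert, score, sources in correlate(events, window):
        entry = (alert.host, score, sorted(sources))
        (escalate if score >= escalate_at else queue).append(entry)
    return escalate, queue


if __name__ == "__main__":
    esc, low = triage(EVENTS)
    print("escalate:", esc)   # ws-17 with firewall + identity corroboration
    print("queue:", low)      # ws-42, isolated endpoint alert
```

With endpoint data alone, both hosts would raise identical alerts and an analyst would have to investigate each; with the firewall and identity records joined in, only the corroborated one is pushed to the top, which is the noise reduction the paragraph above describes.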

Palo Alto Networks continues to be a visionary in the IT security space with their suite of Cortex products. The ability to collect data from the network, cloud firewalls, identity sources, endpoints, and VPN connections is the biggest differentiator from Palo Alto Networks’ EPP/EDR competitors. If you already have a large Palo Alto Networks investment, Cortex XDR should be at the top of your list of products to evaluate when looking into an XDR platform. Even if you don’t have a large Palo Alto Networks footprint, the Cortex XDR solution can also collect data from Cisco, Check Point, and Fortinet firewalls.

We still have a few more articles left in our series, so be sure to join us next week when we talk about one of the newer players in the endpoint space: Cynet.

About the Author: These posts are written by Jeff Schaefer, a Security Engineer at Vandis with extensive experience in endpoint security. Jeff has been in the IT industry for almost 20 years, familiarizing himself with all areas of infrastructure before focusing on security solutions. Recently, Jeff has spent a great deal of time talking with technology manufacturers and doing independent research to give effective guidance to organizations around endpoint security strategies and initiatives.