The Expert's View with Michael Novinson

Application Security & Online Fraud , Cloud Security , Fraud Management & Cybercrime

Palo Alto's Biggest Bets Around AppSec, SecOps, SASE & Cloud

From Medical IoT Security to AppSec Testing, Here's Where Palo Alto Is Going All-In
Palo Alto's Biggest Bets Around AppSec, SecOps, SASE & Cloud
Image: Michael Novinson

Staying one step ahead of both threat actors and competitors is a tall task for Palo Alto Networks given the breadth of its cybersecurity portfolio.

The Silicon Valley-based platform security vendor has committed to having not only an expansive set of offerings across network security, cloud security and security operations but also best of breed features and functionality in each of the technology categories where it chooses to play. Keeping pace with pure-play competitors and emerging threats requires investments of both an organic and inorganic nature.

"We have taken a fundamentally different approach," Palo Alto Networks chairman and CEO Nikesh Arora said Tuesday. "We want to be an evergreen cybersecurity company. We want our customers to believe that, if a security problem happens, Palo Alto Networks will build the capability required, integrate it and give it to me so I don't have to look elsewhere."

Product and intelligence leaders spoke with media attending Palo Alto Networks' Ignite '22 in Las Vegas about the latest developments in the threat landscape and major product investments the company has made across its portfolio. From single-vendor SASE and defending supply chains to application security testing and safeguarding medical devices, here's where Palo Alto Networks is placing its biggest bets.

Social Engineering Bests Technical Smarts

The success Lapsus$ and Oktapus enjoyed in 2022 with cheap and technically unsophisticated attacks speaks to the power of insider threats, social engineering and a lack of proper controls, says Ryan Olson, vice president of threat intelligence for Palo Alto Networks' Unit 42 team. Lapsus$ realized that it could access the networks of the most sophisticated companies in the world simply by paying an employee.

"That is terrifying to anyone from an insider threat perspective," Olson says. "You might have a company with 10,000 employees, and if any one of them is offered a relatively small payment, the otherwise mature controls you have might not matter."

As a result, Olson says Lapsus$ was able to compromise the biggest companies in the world and access their source code, steal money and launch ransomware attacks. Then in August, Olson says, the Oktapus campaign targeted 135 organizations including Twilio and Cloudflare by impersonating an Okta multifactor authentication process and successfully stole 9,600 credentials and more than 5,000 MFA tokens.

"It costs nothing other than the cost of registering a domain and it's not technically sophisticated, but they took advantage of the fact that there wasn't a good control in place on people's phones," Olson says. "There wasn't a firewall or something to block access to the malicious login page.

Building Data Processing for Machines

Palo Alto Networks has evolved its data processing framework from building technology for humans and adding automation on top to starting with machines, using analytics and automation, and then having humans assist the machines, says Gonen Fink, senior vice president of Palo Alto Networks Cortex. Data collected from the company's new XSIAM offering isn't readable by humans given all the telemetry it incorporates, he says.

"When you build it this way, you get the right data, the right stitching and the right understanding of the data foundation," Fink says. "You could also achieve the consolidation of all the tools that you have in your environment."

Having all of this data functionality delivered through a single product with a single user interface and a single back-end means that analysts need to undergo much less training, Fink says. In order to refine the product that eventually became XSIAM, he says Palo Alto Networks worked with select clients to ensure it delivered the right security outcome and used it in its own infrastructure as a SIEM replacement (see: Palo Alto CEO: 'SIEM Needs to Be Eliminated and Replaced').

"Having one product that gets huge amounts of data and uses that data by machine provides much more effective work in a single flow," Fink says. "Automation is built into the flow. Analytics is built into the flow. And then humans just needed to sit on top of that and figure out how they'll do stuff if the machines don't decide."

Why Single-Vendor SASE Is Best

Palo Alto Networks supports multivendor SASE deployments in which companies combine their SD-WAN platform with SSE technology because certain customers demand it, says Kumar Ramachandran, senior vice president of product and go-to-market. But when customers opt for multivendor SASE, he says, they lose between 30% to 50% of their SD-WAN functionality since the traffic engineering for SaaS access gets very poor.

Clients often are tempted to make their own evaluations around what's best of breed for SD-WAN and then seek to combine it with best of breed SSE, but when firms get SASE from multiple providers, they lose the active capabilities across all the connections, he says. Gartner named Palo Alto Networks one of six leaders in SD-WAN and a challenger in SSE behind leaders Netskope, Skyhigh Security and Zscaler.

When customers opt for unified SASE with Palo Alto Networks, organizations get not only get full benefits of the SD-WAN technology but also integrated management, integrated policy and the ability to dynamically react to what's happening in the cloud, Ramachandran says. Single-vendor SASE makes policy enforcement much easier than taking a mix-and-match approach, he says.

Securing the Supply Chain

The advent of microservices-based architecture has resulted in customers building more modular architectures in which a single monolithic application often has 100 microservices, says Ankur Shah, senior vice president and general manager of Palo Alto Networks' Prisma Cloud. Each of those microservices uses its own tools and technologies, Shah says, and some use CircleCI or Jenkins while others use a different code depot.

"As customers are modernizing their applications, the software supply chain is getting incredibly complex," Shah says. "There are lots and lots of tools and technology. That means there are lots of ways to make mistakes."

Palo Alto Networks' $250 million acquisition of Cider Security will provide instant visibility into how many code repositories and CI/CD tools are in a customer's software supply chain, Shah says. He also says Cider's technology allows for the remediation of any identified security issues with the single click of a mouse (see: Nikesh Arora on Palo Alto's Approach to Supply Chain Defense).

"Palo Alto Networks and Prisma Cloud will lead the way in terms of what supply chain security ought to look like once Cider Security is integrated with the platform," Shah says.

Getting Into Application Security Testing

When Palo Alto Networks entered the web application and API protection market two years ago, the company knew it needed a different approach to compete with the likes of Imperva and Akamai, says Palo Alto Networks Prisma Cloud CTO Ory Segal. The company decided to tailor its web and API security offering to the modern, new, cloud-native applications that were currently being developed, Segal says.

Segal believes Palo Alto Networks can provide unmatched value in the application security testing space by focusing on the modern, cloud-native applications that are currently being developed. Specifically, he says traditional static application security testing tools aren't designed to scan microservices applications that are scattered and distributed since they don't understand how the different microservices are connected.

As a result, Segal says, the traditional SAST scanning tools can't model how data flows between microservices since that only occurs in runtime. The legacy offerings in this market don't know microservices are designed to speak with one another until execution actually occurs. As a result, traditional application security testing tools are unable to find vulnerabilities in microservices. Segal says.

"With the information that we have, we can actually do that," he says. "We can do the static analysis part. We can combine the results together with the runtime information from Prisma Cloud Workload Protection to create an application security testing solution that is fit to work with modern cloud-native applications."

Safeguarding Medical Devices

Palo Alto Networks introduced a medical IoT offering this month that uses automation and machine learning to understand all devices and detect and identify more than 95% of all devices in a company's healthcare infrastructure within 24 hours, says Anand Oswal, senior vice president of network security products. Once an organization knows what devices it has, the right level of segmentation policies needs to be applied.

Oswal says the company's medical IoT product blocks all connections by default as part of its zero trust strategy and requires justification before two devices can talk with one another. Since new machines are coming on all the time, Oswal says Palo Alto Networks automates the segmentation rules and policy creation to avoid excess manual work for the healthcare organization's security team.

Adversaries frequently use unpatched vulnerabilities on medical devices to get onto the network and either move laterally or establish a command-and-control connection from that device to exfiltrate data. With Palo Alto Networks, Oswal says, organizations can unlock real-time, in-line monitoring of their medical IoT devices.

"You don't need additional point devices to understand what's happening on the network," he says. "You automate your workflows and simplify operations into much easier outcomes for healthcare organizations. It's simple to monitor, more secure and easy to use."



About the Author

Michael Novinson

Michael Novinson

Managing Editor, Business, ISMG

Novinson is responsible for covering the vendor and technology landscape. Prior to joining ISMG, he spent four and a half years covering all the major cybersecurity vendors at CRN, with a focus on their programs and offerings for IT service providers. He was recognized for his breaking news coverage of the August 2019 coordinated ransomware attack against local governments in Texas as well as for his continued reporting around the SolarWinds hack in late 2020 and early 2021.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing ransomware.databreachtoday.com, you agree to our use of cookies.