Palo Alto Networks SE Summit 2019 Las Vegas

Last week the SecureLink’ers Tom Fonteyn and Linus Raes went to the Palo Alto Networks SE Summit in Las Vegas. At this summit, Palo Alto Networks’ system engineers are honored, and many technical updates and product information are shared, as well as their vision and roadmap. In this blog post, we will highlight the key takeaways of the summit.

Palo Alto Networks, so much more than just a firewall

Physical and virtual firewall appliances are still Palo Alto Networks’ core business. However, with the addition of a full cloud security solution and a next-generation SOC, they are branching into new territory.

XDR – The Next Generation Security Operations Center

The current endpoint detection and response (EDR), network traffic analysis (NTA) and security information and event management (SIEM) solutions implemented in existing SOC infrastructure provide a siloed security approach, which has many limitations.

Palo Alto Networks’ new XDR platform allows you to rapidly detect and respond to threats across your enterprise, spanning your network, cloud, and endpoints. It provides detection and response, where the “X” stands for coverage across any data source, be it network, endpoint or cloud, and it places a high emphasis on machine learning.

As founding father Nir Zuk put it: “it is time for a SOC driven by machines, helped by humans instead of the other way around.”

How it works:

  • Rich data logs from the network coming from your Palo Alto Networks firewalls – including User-ID, App-ID and more – are sent to the Cloud Logging Service.
  • Starting with the all-new Palo Alto Networks Traps 6.0 next-generation endpoint protection, client-side logs from the endpoints are gathered and sent to the same Cloud Logging Service. With the recent acquisition of Secdo, this endpoint data collection has dramatically improved and eliminated the need for separate probes (in the form of Pathfinder VMs), although for unmanaged devices these can still be leveraged.
  • The Cloud Logging Service Application Magnifier is then used to correlate, match and enrich all data to investigate it for anomalies using advanced machine learning.
  • The responses to identified threats can be automated to populate security policies on your firewall, or to isolate the endpoint from your network using the Traps agent.

In a later stage, the Palo Alto Networks cloud security solution might get integrated as well to expand the XDR platform to its full form.

More information can be found here: 

GlobalProtect Cloud Service (GPCS)

The Palo Alto Networks GlobalProtect Cloud Service offers the complete security features of the Palo Alto Next-Generation Firewall, but provided as a cloud-based service. The GlobalProtect Cloud Service can take over the role of the perimeter firewall for those business environments where only a minimal number of traditional applications are served from the data center.

  • The service is managed via the same Palo Alto Panorama management platform as the Next-Generation Firewall. Consequently, it is not necessary to bring together stand-alone solutions with a different management facility when securing the hybrid cloud.
  • Mobile users, but also remote sites, can be adequately secured, without having to be redirected via their own data center.
  • The traffic destined for the data center or another remote site can be delivered directly and securely. In other words, the service constructs a full-mesh IPsec VPN with the necessary security segmentation.
  • The service provides the same advanced protection as the Palo Alto hardware-based Next-Generation Firewall and VM-Series: GlobalProtect (SSL VPN), URL Filtering, Threat Inspection (anti-malware) and WildFire (protection against unknown threats). In other words, protection is not limited to web traffic (HTTP / HTTPS) or FTP; the service also inspects and filters other protocols.
  • Although the platform does not provide for the segmentation of IaaS (Infrastructure-as-a-Service) based workloads, it can be used seamlessly together with the Palo Alto VM-Series within IaaS environments, all managed from the same dashboard.
  • The platform bundles its cloud-based logging service so that operational logs do not have to be copied to and stored within the customer data center for long-term retention.

At the SE Summit, we learned that the GlobalProtect Cloud Service will soon be backed by Google Cloud Platform, which means that there will be a big increase in local (national) availability and bandwidth options. GlobalProtect Cloud Service can now also be directly integrated with popular SD-WAN solutions by means of an API.

If you want to learn more, head over to


At SecureLink, we are firm believers in leveraging cloud scale, automation and artificial intelligence to empower and extend our consultants’ in-depth knowledge of core security concepts. We are very enthusiastic about the precise strategy that Palo Alto sets out to deliver. Although the in-depth methods and security controls you use within your cloud environment may differ quite extensively from the on-premises data center, zero-trust dictates that you apply the same level of scrutiny (visibility & control).

Within public cloud environments, just monitoring your flow logs is not very useful because of the agile nature of these environments. IP addresses are continuously re-assigned, and workloads can be started and stopped dynamically. The operational logging that most popular service providers output lacks enrichment and is difficult for a human security operator to interpret. We are also rapidly moving towards the adoption of more than one single public cloud (“multi-cloud”), and gaining the necessary security expertise and detailed insight into every cloud environment becomes complex. Enter RedLock! RedLock is one of Palo Alto Networks’ most recent acquisitions.

Palo Alto RedLock is a security platform for multi-cloud IaaS and PaaS environments that is able to provide detection and response capabilities through API-based integration. It offers extensive compliance monitoring and security analytics. RedLock is a CMDB (Configuration Management Database) that offers a complete audit trail of what happens and changes within your cloud. It provides an abstraction layer and its very own RedLock Query Language (RQL) to perform joint analysis over multiple public clouds. The platform incorporates Palo Alto Networks’ anti-malware and DLP functionality and uses machine learning to detect unusual user and entity behavior (UEBA) against a constructed baseline. In the near future, RedLock will also support out-of-the-box policies for managed container services.

For more information, please visit

PAN-OS 9.0

During the SE Summit, PAN-OS 9.0 was officially released. With a staggering number of more than 50 new features and updates, the latest PAN-OS release comes packed with new ways to secure your enterprise. This demonstrates that Palo Alto Networks still firmly believes in the need for next-generation firewalling at the core of your network.

Since we already posted an extensive blog about all new features of PAN-OS 9.0, we will not go into much detail here. More information can be found on this webpage:

We would like to point out the legacy port-based to App-ID security policy converter, since this is one of my favorites. This feature will help convert your old Layer 4 security rulebase into a more secure Layer 7 App-ID-aware rulebase, all from within the Palo Alto Networks firewall GUI.

As a bonus, customers with Panorama can leverage this feature without having to upgrade their firewalls. This new feature is based purely on logs, so solely upgrading your Panorama to 9.0 is enough to create better and improved security policies which can be pushed down to firewalls running a more stable PAN-OS version. Don’t wait to improve your security!

A final highlight in the PAN-OS 9.0 release presentation came in the form of the all-new DNS Security. This new feature will provide added security based on your DNS traffic to stop Command and Control traffic and other malware behavior utilizing DNS traffic. This cloud DNS proxy solution will be able to predict and block new malicious domains with the help of machine learning, identify domain generation algorithm-based malware and neutralize DNS-based tunneling. Do note that this feature will come as a new subscription.

Palo Alto Networks Expedition Tool

During one of the many hands-on labs, they also showcased the power of the Expedition tool, which helped me confirm that this tool can help a lot of our customers get control over their rulebase.

The Expedition tool is available only for Partners and is the successor of the old Migration tool. It is still used for converting other firewall vendor policies to the Palo Alto Networks platform, but it has become so much more. With the addition of machine learning capabilities, the tool can help customers clean up their security rulebase.

Most customers have some legacy security policies that are too broad, but they are afraid to restrict them for fear of operational impact. Others might be migrating VLANs from their core routers to their Palo Alto Networks firewall but have no idea which security policy to enforce. With the help of Expedition, we can now build a rulebase from scratch, based on the traffic seen on the network. Guided by the business, we can then validate these proposed security policies and begin building or improving a more secure configuration.

Palo Alto Networks Cyberforce Program

Last but not least, we want to mention the Palo Alto Networks Cyberforce Program. It is a partner recognition platform for elite partner System Engineers that Palo Alto Networks considers ‘best of breed’ and instrumental in protecting our digital life. The Belgian SecureLink team is very proud to have two colleagues with the highest Cyberforce accreditation possible!

As you can see, the Palo Alto Networks SE Summit was again a very useful gathering. The SecureLink Palo Alto Networks Experts are there to help you with all your questions and challenges.