The Palo Alto Networks Cortex team has been on a mission to radically transform the cybersecurity industry, starting with the SOC. Today, customers who want to detect identity-related attacks must rely on disparate, siloed products, such as user and endpoint behavior analytics (UEBA), insider risk management, endpoint-based identity threat detection and response (ITDR), etc. However, relying on disjointed approaches only gives a partial view and often results in poor security outcomes, alert overload and time wasted on triage. The Cortex portfolio provides a unified solution for the modern SOC, designed to empower security analysts to take control of their threat landscape. Backed by powerful machine learning (ML), data analytics, artificial intelligence (AI) and automation capabilities, Cortex provides SOC teams with the tools they need to proactively protect their organizations.
A New Approach to Identity Threat Detection and Response
On March 6th, 2023, we introduced the latest AI and ML data-driven innovations throughout our Cortex portfolio. This new advancement for Cortex furthers the mission of consolidating fragmented point solutions. The new AI-native Identity Threat Detection and Response (ITDR) module will lead the way, expanding Cortex® XSIAM™ and Cortex XDR with advanced UEBA and ITDR capabilities, while replacing the need for standalone point products.
ITDR module enables customers to ingest user identity and behavior data while deploying state of the art AI technology to detect identity-driven attacks within seconds. The module further strengthens XSIAM’s ability to consolidate multiple security operations’ capabilities into a unified, AI-driven security operations center (SOC) platform.
Compared to the endpoint-based ITDR offerings in the market today, this new module leverages multiple data sources – endpoint, network, cloud, single-sign-on, identity – and it incorporates advanced UEBA functionality to detect post-breach compromised accounts and insider threats, in addition to credential theft attempts.
By taking a comprehensive understanding of the organization's risk posture and the ability to monitor and analyze user behavior to identify potential threats, organizations can significantly reduce their exposure to identity threats and malicious insiders, and better protect their assets and reputation. In addition to yielding stronger security outcomes, ITDR further reduces complexity in the SOC by tightly integrating identity analytics into a unified SOC platform, replacing the need for multiple point solutions. ITDR is available to all Cortex XSIAM and Cortex XDR customers.
Read more for a deeper understanding of the New Identity Threat Detection and Response (ITDR) module.
What’s Next in Cortex
The ITDR module is just one of the many new and exciting advancements the Cortex portfolio offers. There are many more innovations and feature releases coming to Cortex.
Cortex XSIAM 1.4
Cortex XSIAM is our autonomous security platform designed to transform the SOC with data-driven detection using AI and ML models, as well as integrated native automation investigation and response capabilities. Many new capabilities can be found within XSIAM 1.4:
- Identity Threat Detection and Response Module – Gain protection against covert identity threat vectors, like compromised accounts and insider threats.
- Simplified Search Options – Simplify the creation of queries. Now receive a guided experience through the query creation, without the need to learn the syntax of XQL or be familiar with specific datasets.
- Customized Alert Layouts – Tailor custom layouts to specific alerts to enhance the investigation experience. Add new custom alert fields for robust mapping and visibility.
Cortex XDR 3.6
Cortex XDR collects, stitches and analyzes data to detect and investigate threats in real time. XDR strives to be the best product to prevent attacks, detect unknown attacks and investigate them as quickly as possible.
- Identity Threat Detection and Response Module – Gain protection against covert identity threat vectors, like compromised accounts and insider threats.
- Native Simplified Automation – Increase productivity with new automation capabilities in XDR for routine tasks, like endpoint response, incident management and external communication.
- Forensics for macOS – Expand forensic analysis, evidence gathering and compromise assessments to macOS endpoints.
- SmartScore Visibility – Utilize our new Explainability section and get the most out of SmartScore to gain deeper visibility into the primary factors that have contributed to the incident score.
- NGFW Direct Data Ingestion – A new integration, providing a flexible way to onboard and ingest NGFW and Prisma Access data directly into XDR.
- New Security Protection Modules – Enhanced protection and detection capabilities with three new modules in XDR to prevent malicious behavior:
- Malicious Device Prevention
- UAC Bypass Prevention
- XDR Anti Tampering Protection
Cortex XSOAR 8
Cortex XSOAR improves speed and efficiency by automating attack response actions. XSOAR 8 delivers all the great capabilities of XSOAR, but with new and improved performance and user experience, plus cloud-native support for SaaS deployments.
- Enhanced performance, stability and scalability with an auto-scaled, cloud-native environment that grows according to the customer's needs under new SaaS deployment.
- A unified, enhanced user experience and user management across all Cortex products, as well as deployment as you expand your Cortex portfolio.
- New support for MSSP SaaS deployments.
Cortex Xpanse — Active ASM
Cortex Xpanse shifts from a reactive to proactive attack surface management (ASM) to shrink the attack surface by automatically finding and fixing exposures before attackers can exploit them. In the new Expander 2.1, you’ll find improved risk prioritization using incident scoring and several new automated-remediation playbooks for Active ASM.
- Risk Scoring – Security teams can now use the auto-calculated risk scores based on threat and exploit intelligence to better prioritize and proactively secure your attack surface.
- Active Response Module – Security teams can use our new, automated playbooks to not just find, but actively fix their attack surface exposures to proactively reduce security incidents:
- RDP Servers
- Insecure OpenSSH Servers
- Unencrypted FTP Servers
- Telnet Servers
- Insecure OpenSSH Servers
- SNMP servers
- Asset Attribution Explainers – Expander 2.1 will also feature improvements to asset attribution explainers with asset tags (provided versus discovered) and confidence labels (very high, high, medium, low) to help reduce mean time to detect (MTTD) and mean time to respond (MTTR).
CTA #1 - Learn more about these new features. Watching the Cortex Innovation Keynote with Lee Klarich and Gonen Fink from Symphony 2023 on demand.
As your preferred cybersecurity partner, Palo Alto Networks Cortex products are here to serve you no matter what your organization needs. We are dedicated to bringing our customers the best solutions on the market, to not only solve your existing security problems, but to innovate and revolutionize how you work, so you can focus on the issues that matter most.
CTA #2 - Stay up to date on the latest innovations from Cortex. Sign up for our newsletter.