This blog originally posted on December 20, 2023.
Always Innovating in NetSec Series: Innovations across NG-CASB, IoT/OT, Adv URL & SWFW
Welcome to the Nov-Dec 2023 edition of Always Innovating in Network Security from Palo Alto Networks. We have had a busy couple of months and as we enter the holidays, we bring you a combined blog covering new innovations from both November and December. In this edition we cover a broad range of innovations - from NG-CASB for Prisma SASE, to IoT/OT Security, to Adv URL Filtering and finally to Software Firewalls. So, grab a hot chocolate and dive into these innovations.
- Innovations in NG-CASB for Prisma SASE - We recently released the following innovations for NG-CASB for Prisma SASE, and we covered them in the session titled “Cover Your SaaS With Next-Gen CASB and AI-Powered DLP” at SASE Converge 2023.
- Security for Interconnected SaaS - All-new security for interconnected SaaS protects your critical SaaS apps from risky or unintended third-party plugins and permissions with continuous scanning and audit of all connections, integrations and plugins to avert unwanted access and to protect sensitive data. We provide visibility into 3rd party plugin vendors, permission scopes, number of active users, installation date and other attributes that can be used to assess the risk of integrations and plugins. Access can be immediately revoked for problematic plugins to minimize risk to apps and data. For more details refer to this blog post.
- Shift-Left for Data Security - We are introducing a “shift left” approach to data security for SaaS by continuously monitoring data security posture, enabling data security administrators to take a proactive approach to securing data at risk. By taking a shift left approach for Data Security, organizations get end-to-end visibility into where data is most at risk with a unified Data Risk Explorer that enables users to drill down into sensitive data impact and breach likelihood across the organization based on location, data profiles, applications, instances and control points. In addition, we are making it even easier to accurately identify the sensitive data specific to your business with the power of AI and ML. Our DLP classifiers now feature over 100+ predefined document-type detectors and leverage the latest LLM technology to help further drive unparalleled accuracy. In addition to our new built-in ML-based document classifiers, administrators can now train custom ML models with their unique and proprietary documents to help ensure that our DLP is able to identify and protect their most sensitive data accurately. This capability can be used to discover and protect financial, legal, scientific and business documents such as pay stubs, employment contracts, legal intake forms and more that are unique to your organization. Customers can confidently rely on best-in-class data detection standards such as EDM, OCR, IDM, ML and Natural Language Processing classifiers to reduce the workload on security teams by alerting end users to data incidents in real time with user-led remediation. For more details refer to this blog post.
- Innovations in IoT/OT Security
- Integrated Device-ID and policy management: With PAN-OS 11.1 COSMOS, we introduced integrated IoT/OT device visibility and Device-ID based policy management within Strata Cloud Manager and Panorama. These enhancements bring IoT/OT security into the mainstream network security workflow by enabling firewall admins to get IoT device visibility, behavior insights, create policies and enforce them all within a single management UI.
- Quicker time to asset visibility: With this release, we provide a new capability which enables existing NGFWs to gain visibility into IoT/OT devices on the network without requiring complex network topology changes. SNMP Query (now available natively on PAN-OS) allows the NGFW to query the network infrastructure to gain the IoT device MAC and IP binding information making device discovery and identification simpler and faster. Read more here.
- Extending IoT/OT support across new deployment use cases with private 5G/4G cellular networks and CN-Series: We now extend IoT/ OT asset visibility, risk analysis, anomaly detection and policy recommendations to deployments with private 5G/4G cellular networks and containerized environments using CN-Series.
- IoT/OT Risk & Vulnerability framework updates: Vulnerabilities on IoT/ OT assets are ever increasing and patching is not always possible. Additionally, not all vulnerabilities have the same severity, threat likelihood or impact and therefore do not represent the same level of risk. This is where you need a multidimensional, risk-based vulnerability prioritization methodology. The new RiskVuln feature takes base vulnerability metrics (e.g., CVSS Score/ Severity, Vulnerability type, Attack vector), threat metrics (e.g., EPSS score, Exploit kit availability, APT usage), impact metrics (e.g., Asset criticality, Impact on Integrity or Confidentiality or Availability) and protection options (e.g., Threat Prevention Coverage, Patch availability) to provide a comprehensive, multidimensional prioritization that can be used to plan remediation actions effectively.
- Scanning Activity Innovation in Advanced URL Filtering - Attackers scan or probe the network using URLs with malicious parameters to discover vulnerabilities and/ or execute targeted attacks. Scanning-based attacks can lead to significant financial loss to the owners of the hosts generating the traffic. Vulnerabilities detected via scanning can lead to subsequent exploitation through credential theft, remote code execution or data exfiltration. The presence of malicious scanning traffic serves as an indicator of compromise. Advanced URL Filtering introduces a new detection to identify Scanning Attacks in real time. AURL offers continuous coverage for emerging URLs used for scanning attacks and helps customers identify and isolate infected hosts. For more details refer to this blog post.
- Innovations in Software Firewalls
- VM-Series Auto-scaling with Session Resiliency GCP/AWS - We are pleased to announce auto-scale support with Session Resiliency in VM-Series deployments in AWS/GCP. By using a Redis database to sync sessions, organizations can both auto-scale their firewalls to keep up with business demand while maintaining session continuity in case of a disaster event. To learn more, click here.
- CN-Series Support with IoT - We are pleased to announce the integration of the CN-Series with IoT/OT security subscriptions. This support enables customers to achieve comprehensive Layer-7 visibility and protection within their Kubernetes clusters, ensuring enhanced insight into their applications as they ingest and interact with IoT device data to carry out business-critical tasks. For more information, check out this link.
- OVN CNI Support with CN-Series - We are excited to announce CN-Series’ support of the Red Hat OpenShift OVN CNI. Customers can use the CN-Series NGFW in OpenShift environments for comprehensive Layer-7 inspection with security policies defined through Kubernetes labels. To learn more, check out this link.
And with that, we wrap up what has been a great year for us (and we hope it has been for you too). If you missed our recent Always Innovating blogs, here are links to the October, September, and August editions. Here’s wishing you a very Happy 2024!
