Palo Alto has launched the third generation of its Cortex XDR solution. This release expands Cortex to the cloud and targets cloud and identity-based threats. According to Palo Alto, Cortex 3.0 will: “give organizations the holistic analytics needed to protect against increasingly sophisticated cyberattacks.”
Tim Junio, senior vice president of products, Cortex at Palo Alto Networks, said: “Palo Alto Networks created the extended detection and response (XDR) category in 2019 — understanding that only by integrating data from across all security sources can we detect complex threats accurately, prevent attacks automatically, and investigate them much faster. We’ve been innovating against that mission ever since.
“With our third-generation XDR solution expanding to cloud and identity analytics, Cortex XDR 3.0 has taken a large step towards being the most comprehensive platform for the SOC to protect endpoints, entities, assets, workloads, and critical data.”
What is in Cortex 3.0?
Cortex 3.0 is aimed at SecOps teams, which is evident in the five key features that Palo Alto is calling out in this release. In brief, they are:
Cortex XDR for cloud allows SOC teams to extend detection, monitoring and investigation into cloud environments. XDR 3.0 integrates Prisma Cloud and third-party cloud security data with non-cloud endpoint and network data sources. It now spans both on-premises and multi-cloud environments.
Cortex XDR Identity Analytics enhances the user behavior analytics capabilities of XDR. It enables Cortex XDR to detect malicious activity and insider threats by collecting and analyzing an extensive set of identity data.
Cortex XDR Forensics module brings the Palo Alto Unit42 forensics tools to Cortex XDR customers. The XDR Forensics module provides the ability to gather historical evidence from compromised systems, an area that is often overlooked when dealing with an attack.
Cortex XDR Incident Management Interface provides security analysts with a comprehensive story of an incident in one place. All data is mapped to the MITRE ATT&CK framework.
Cortex XDR Third-Party Data Engine offers customers the ability to ingest, normalize, correlate, query and analyze data from virtually any source. Data can be correlated with threat activity and tagged with MITRE ATT&CK tactics, techniques and procedures. It will help security teams get a more detailed picture of adversarial movement.
Junio has written a blog providing more detail on some of these features. What is not clear is how some of the integration will be done. Palo Alto is releasing additional integrations with other tools in the market, but is this enough? Will SecOps teams have to resort to APIs and write their own automation to integrate and normalise data? None of this is clear from the product data that has been released at the moment.
Enterprise Times: What does this mean?
This latest version of Cortex XDR with support for cloud and identity-based threats is overdue. It is a surprise that it has taken Palo Alto this long to bring these elements together, and now that it has, will it deliver? Based on the success of previous versions, the answer is likely to be yes, but only time will tell.
Perhaps the most interesting part of this release is the addition of the Unit42 forensics module. Too many organisations focus on remediation and getting systems restored when an attack happens. What they forget is that forensics is a key part of any successful recovery.
It provides a better understanding of the root cause of the incident. It also ensures that lessons can be learned and defences strengthened. For law enforcement, it also provides critical links between attacks and attackers. Without this, it can be hard to provide the right evidence to secure any prosecution.