What’s Next in Cortex: New Innovations for Security Operations
Staying ahead of today’s threats requires SOC transformation fueled by AI and automation. The latest innovations for the AI-driven Cortex platform continue to deliver better, faster, and more efficient security operations designed to help analysts stop cyberattacks in real-time. Here’s what’s new:
- XSIAM 2.4: General availability of support for third-party EDRs to bring the power of XSIAM to traditional endpoint security tools, as well as more robust data access controls and support for MSSPs.
- XDR 3.12: Improved deployment efficiency, threat prevention, and endpoint hardening.
- Xpanse 2.7: New automations and active response enhancements.
- XSOAR 8.8: Simplified automation in security operations.
XSIAM 2.4: GA of Support for Third-Party EDR Tools to Modernize Traditional Endpoint Security
XSIAM 2.4 continues to push the envelope, offering new capabilities that deliver unrivaled flexibility and control for security operations. Key highlights include:
Third-Party EDR Support
Customers can transform their SOC with the platform’s advanced investigation and detection capabilities with their existing EDR tools, by ingesting raw event data from CrowdStrike, SentinelOne, and Microsoft Defender. Additionally, customers can adopt XSIAM without deploying Cortex XDR agents, easing the transition from costly, complex, and outdated SIEM and EDR tools as their legacy contracts expire.
Enhanced NGFW Integration
Teams can get full visibility across their entire infrastructure with an enhanced NGFW integration process for comprehensive analysis of network data. Now, customers can add Palo Alto Networks NGFWs from multiple Customer Support Portal (CSP) accounts as data sources to Cortex XSIAM.
Customers with multiple CSP accounts can connect all of their accounts into a single Cortex tenant ensuring the completeness of their data and also leverage the capabilities we offer through our native connector. This feature is also available in XDR 3.12
Role-Based Access Dataset Views
This new role-based access dataset view allows granular access control for data, ensuring least privileged access, even within a dataset. Using this new capability, administrators can now configure a dataset view to limit user access to a subset of a dataset, and grant access only to specific pre-applied filters. The same view then can be leveraged across the product – in dashboards, correlations and more.
Flexible Licensing Model for Multi-Tenant Enterprises and MSSPs
The new licensing model simplifies the on-boarding process for managed security service providers (MSSPs) and multi-tenant enterprises. Organizations can now purchase a pool of licenses and allocate them to child tenants on demand directly from the Cortex Gateway. This feature is designed to accelerate onboarding and streamline license management without needing to engage Palo Alto Networks. This feature is also available in XDR 3.12
XDR 3.12: Improved Deployment Efficiency, Threat Prevention, and Endpoint Hardening
Cortex XDR, a Leader in the 2023 Gartner Magic Quadrant for Endpoint Protection Platforms (EPP) revolutionized endpoint security by pioneering the Extended Detection and Response (XDR) category, with Cortex XDR the only offering to achieve 100% prevention and detection with NO configuration changes in the 2023 MITRE ATT&CK Evaluations.
Our latest Cortex XDR 3.12 and Cortex XDR Agent 8.6 continue to revolutionize the endpoint protection market with new advanced security capabilities, including improved deployment efficiency, threat prevention, and endpoint hardening. These new features are also available in XSIAM 2.4.
- Streamlined Linux Operation Mode: XDR 3.12 makes deploying on Linux systems smoother than ever. A new automated fallback to userspace mode ensures that XDR continues to operate even when kernel mode is unavailable, maintaining protection without disruptions.
- AI-powered PowerShell Examination: XDRallows security analysts to block, quarantine, or report on malicious PowerShell scripts using AI-based analysis.
- Bluetooth Device Control: XDR now offers granular control over Bluetooth devices, including both Bluetooth Classic and Bluetooth Low Energy. This new feature helps prevent unauthorized data transfer over Bluetooth channels, blocking potential attack vectors and limiting connections to only authorized devices.
Xpanse 2.7: New Automations and Active Response Enhancements
Cortex Xpanse, the leading Attack Surface Management (ASM) platform, takes visibility and control of your external attack surface to the next level with the Expander 2.7 release:
Scanning Enhancements
Traditional ASM tools often focus on a limited range of ports, missing potential exposures.. Cortex Xpanse now scans all 65,000 ports, as well as 50+ additional protocols for the entire global IPv4 address space. Once a service is found, Xpanse continues periodic scanning until it becomes inactive, ensuring ongoing visibility into your attack surface. This expanded scanning improves detection of insecure services running on non-standard ports, such as SSH, and helps uncover hidden risks running on unusual ports.
New Usability and Feature Improvements
In addition to the new scanning enhancements, Xpanse 2.7 will provide security teams with rich data and intuitive tools to prioritize and address risks effectively, such as:
- Expanded Protocol Detection: In addition to scanning all 65,000 ports, Xpanse is also adding support for 50+ new protocols. These include torrenting, IoT and OT protocols, cryptocurrency, and many vendor-proprietary protocols.
- Enhanced Services XQL Dataset: Leveraging Cortex’s powerful XQL query language, Xpanse and XSIAM customers are now able to access detailed CVE information, expanded geolocation data, and additional service classification details, providing unparalleled context for informed decision-making.
- Intuitive Alert Management: New widgets in the Alerts Overview Dashboard allow customers to track trends, filter alerts, and gain valuable insights with just a few clicks, streamlining workflows and facilitating rapid response to critical threats. You can also access up to a year of alert data for comprehensive historical analysis.
- Remediation Reporting: Stay informed with the latest threats automatically pulled from the Threat Response Center into the Remediation Report. This feature enables seamless sharing of new threat summaries with stakeholders, ensuring organization-wide alignment and collaboration in the fight against cyberthreats.
- New attack surface rules and tests: With over 860 attack surface rules, 220 attack surface tests, and ongoing enhancements to integrations and cloud support, Xpanse remains at the forefront of ASM technology, providing organizations with the tools and insights they need to secure their ever-changing attack surface.
XSOAR 8.8: Simplified Automation in Security Operations
Our latest release Cortex XSOAR 8.8 focuses on providing new features and automation to enhance your experience and simplify your journey toward automating security operations.
New Multilayer Indicator/Incident Relationship Canvas
The new visual tool provides SOCs with visibility and collaboration capabilities during incident investigations and threat hunting, eliminating the need for external tools. SOC analysts and threat intel analysts can now create and share dynamic attack diagrams, visualize key security incidents, link indicators of compromise, and maintain static snapshots to streamline and centralize threat intelligence and incident investigation.
Excluding Enrichment of Indicators
New indicator enrichment controls enable analysts to gain better control over IOCs and optimize system performance. Analysts can choose to enable or disable enrichment calls, allowing you to conserve system resources when dealing with known indicators.
New Guard Rails Page
The new Guard Rails page lists performance-related errors and warnings during incident ingestion, investigation, and response, helping analysts ensure a stable environment by detecting and preventing actions that can cause major performance degradation or instability. The Guard Pails page indicates when an incident or indicator size exceeds predefined service limits and may affect performance.
Cortex XSOAR Content Packs and Integrations
- CrowdStrike Falcon: The CrowdStrike Falcon integration now supports the CrowdStrike Raptor release.
- Prisma Cloud v2: The Prisma Cloud v2 now enables automated IAM key management via a new set of commands. Administrators can programmatically create, list, and delete access keys directly from XSOAR.
- Atlassian Jira Service Management: The new Atlassian Jira Service Management integration leverages the Jira Assets plugin to directly automate asset and inventory management through XSOAR.
- Check Point Harmony Endpoint: The new Check Point Harmony Endpoint integration introduces extensive command support for the platform’s endpoint detection and response capabilities. Administrators can now automate key tasks like retrieving IOCs, managing rules and remediation jobs, initiating scans and responses, collecting forensic data, and more directly from XSOAR.
- Thales CipherTrust Manager: The new Thales CipherTrust Manager integration allows automating key management and certificate tasks directly from the CipherTrust Data Security Platform. Users can now programmatically add users to key user groups, create and manage encryption keys and certificates, and integrate these operations into existing security workflows and responses.
- Sigma Indicator Type: Added a new indicator type, which is part of the Sigma content pack.
- Unit 42 Threat Brief – Fighting Ursa: This playbook handles Unit42 Threat Brief – Fighting Ursa. The playbook will:
- Collect, extract, and enrich indicators
- Perform indicator-based threat hunting
- Suggest relevant migration