What XDR Is and Isn’t
Kasey Cross, Palo Alto Networks
What You’ll Learn
● Why XDR?
● XDR Requirements
● The XDR Bandwagon
● How to Spot a Fake
● Q&A
© 2021 Palo Alto Networks, Inc. All rights reserved. Proprietary and confidential information.
Why XDR?
Too many siloed tools
4 | © 2020 Palo Alto Networks, Inc. All rights reserved.
Too many alerts and complex investigations
Traditional Approaches to Security Aren’t Working
● 51% of security professionals are not satisfied with their ability to detect attacks
● 78% of security analysts say each security alert takes 10+ minutes to investigate
● 207 days: mean time to identify (MTTI) a breach
Sources: "2021 State of SecOps Report," Forrester Consulting; "The Impact of Security Alert Overload," CriticalStart, 2021; "2020 Cost of a Data Breach Report," Ponemon Institute
And then came XDR
● Identity: Validate users using strong authentication
● Device/Workload: Verify users’ device integrity
● Access: Enforce least-privilege user access to data and applications
● Transaction: Scan all content for malicious activity and data theft
XDR Requirements
1. Cloud-Delivered Detection and Response Across All Data
[Diagram labels: All Data, Data Lake, XDR]
2. Behavioral Analytics Based on Profiling Behavior Over Time
[Diagram labels: HTTPS, SSH, FTP, SMTP, Exfiltration]
● Behavioral analytics across multiple types of data
● Profiling of 2 weeks+ data to baseline activity
● Crowdsourced analysis to improve accuracy
3. Automated Stitching of Data for Cross-Data Analytics & Insights
● Network data and endpoint data: two (or more) logs were generated from two different points of view.
● A user did one thing: accessed a website.
● XDR turns them into one unified and clear “story.”
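As an added example (not code from the slides or from Cortex XDR), the following Python script shows the stitching idea in miniature: a firewall log and an endpoint agent log that describe one action are joined on source IP, destination and a small time window, and each joined pair is narrated as a single story. The log layouts, field names, clock-skew window and sample events are all constructed for the illustration.

```python
"""Stitch a network-side log and an endpoint-side log of the same web access
into one story. Added example; the log formats, field names and sample events
are constructed for illustration and are not Cortex XDR's."""
from datetime import datetime, timedelta

# Constructed sample events: the same action seen from two points of view.
NETWORK_LOG = [  # what the firewall saw: a source IP reaching a destination
    {"ts": "2021-09-14T10:02:05Z", "src_ip": "10.1.2.3", "dst": "example.com", "action": "allow"},
    {"ts": "2021-09-14T10:02:07Z", "src_ip": "10.1.2.9", "dst": "intranet.local", "action": "allow"},
]
ENDPOINT_LOG = [  # what the agent saw: a user's browser opening a connection
    {"ts": "2021-09-14T10:02:04Z", "host": "WS01", "ip": "10.1.2.3", "user": "alice",
     "process": "chrome.exe", "dst": "example.com"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def stitch(network, endpoint, window=timedelta(seconds=5)):
    """Join each network event to the endpoint event that shares source IP and
    destination within `window`; unmatched network events keep only the
    network point of view. The window is a constructed clock-skew tolerance."""
    stories = []
    for net in network:
        net_time = parse_ts(net["ts"])
        match = next(
            (ep for ep in endpoint
             if ep["ip"] == net["src_ip"] and ep["dst"] == net["dst"]
             and abs(parse_ts(ep["ts"]) - net_time) <= window),
            None,
        )
        story = {"dst": net["dst"], "fw_action": net["action"], "sources": ["network"]}
        if match:
            story.update(ts=match["ts"], user=match["user"], host=match["host"],
                         process=match["process"], sources=["endpoint", "network"])
        else:
            story.update(ts=net["ts"], user=None, host=None, process=None)
        stories.append(story)
    return stories


def narrate(story):
    """One sentence per story: the 'a user did one thing' view."""
    if story["user"] is None:
        return (f"{story['ts']}: unknown process reached {story['dst']} "
                f"(firewall {story['fw_action']}; endpoint view missing)")
    return (f"{story['ts']}: {story['user']} on {story['host']} used {story['process']} "
            f"to access {story['dst']} (firewall {story['fw_action']})")


if __name__ == "__main__":
    for s in stitch(NETWORK_LOG, ENDPOINT_LOG):
        print(narrate(s))
```

The second network event has no endpoint counterpart (an unmanaged device, for instance), so its story carries only the firewall's point of view; that gap is exactly what the "all data" requirement above is meant to close.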
4. Deep Understanding of Endpoint Data for Root Cause Analysis
[Diagram: causality chain on host ENV21\Sauron, from root cause to XDR alert]
chrome.exe → 7zFM.exe → cmd.exe → powershell.exe → wscript.exe
● Clicks on URL in phishing email
● Downloads 7zip file
● 7zip runs *.pdf.bat file in zip
● *.pdf.bat file creates basic script
● Virtual script engine for Windows
● Attempts C2 connection
1. See the entire chain of events with one click
2. Instantly understand the root cause
3. Get full context including threat intel in one view
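Added example, not the product's code: given constructed process-creation events that mirror the chain on the slide, this script walks parent links from the alerting wscript.exe back to the user-driven process that started the chain and prints the chain in order. The event fields, the host, and the set of long-lived "launcher" processes at which the walk stops are assumptions made for the illustration.

```python
"""Walk endpoint process-creation events from an alerting process back to the
process that started the chain. Added example; the events and the 'launcher'
boundary are constructed assumptions, not Cortex XDR code."""

# Constructed process-creation events for one host, mirroring the chain on the
# slide: chrome.exe -> 7zFM.exe -> cmd.exe -> powershell.exe -> wscript.exe.
EVENTS = [
    {"pid": 4,   "ppid": 0,   "image": "explorer.exe",   "note": "user's desktop shell"},
    {"pid": 100, "ppid": 4,   "image": "chrome.exe",     "note": "clicks on URL in phishing email, downloads 7zip file"},
    {"pid": 200, "ppid": 100, "image": "7zFM.exe",       "note": "7zip runs *.pdf.bat file in zip"},
    {"pid": 300, "ppid": 200, "image": "cmd.exe",        "note": "*.pdf.bat file creates basic script"},
    {"pid": 400, "ppid": 300, "image": "powershell.exe", "note": "stages the script (constructed step)"},
    {"pid": 500, "ppid": 400, "image": "wscript.exe",    "note": "script engine attempts C2 connection (alert)"},
]

# Assumption: these long-lived system processes are where a causality chain is
# cut, so the root cause is the first user-driven process beneath them.
LAUNCHERS = {"explorer.exe", "services.exe", "svchost.exe", "winlogon.exe"}


def causality_chain(events, alert_pid):
    """Return the processes from the chain's root down to the alerting one."""
    by_pid = {e["pid"]: e for e in events}
    chain, pid, seen = [], alert_pid, set()
    while pid in by_pid and pid not in seen:   # `seen` guards against bad ppid data
        seen.add(pid)
        proc = by_pid[pid]
        if proc["image"].lower() in LAUNCHERS:
            break
        chain.append(proc)
        pid = proc["ppid"]
    chain.reverse()
    return chain


def root_cause(events, alert_pid):
    """Image name of the process that started the chain, or None if unknown."""
    chain = causality_chain(events, alert_pid)
    return chain[0]["image"] if chain else None


def chain_summary(events, alert_pid):
    return " -> ".join(p["image"] for p in causality_chain(events, alert_pid))


if __name__ == "__main__":
    for step, proc in enumerate(causality_chain(EVENTS, 500), 1):
        print(f"{step}. {proc['image']}: {proc['note']}")
    print("root cause:", root_cause(EVENTS, 500))
```

Stopping at the desktop shell rather than at the top of the process tree is what makes the answer "chrome.exe" instead of "explorer.exe"; without a boundary like that, every chain on a workstation would report the same uninformative root.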
4. Advanced Investigation, Hunting and Forensics Capabilities
[Diagram: Hunting & Investigation at the center, with six capabilities around it]
● Incident Management: Intelligent alert grouping, scoring, workflows and MITRE ATT&CK mapping
● Powerful Queries: Search for attack tactics with XQL Search
● Pre-defined and Fast IoC Searches: Hunt for IPs, hashes, domains, and files
● Custom Rules: 400+ rules for MITRE ATT&CK coverage
● Threat Intel: Verify attacks with malware verdicts
● Forensics: Gather rich evidence, even if no agent is installed during the incident
5. Flexible Response Options
[Diagram: Security Analyst responding to a Compromised Host]
● Isolate hosts, quarantine on endpoint
● Block network traffic through firewall integration
● Access endpoints with DirectTerminal
● Orchestrate with SOAR tools
● Directly connect to endpoints for granular custom actions & forensics
● Sweep across hosts in real time to find and delete files
● Execute scripts on one or more hosts
6. Prevention
LET’S GET ON THE XDR BANDWAGON!
[Slide: collage of article headlines and publication dates]
● "What the Heck Is Open XDR?" (June 8, 2021)
● "XDR vs. NDR/NTA – What do organizations truly need to stay safe?" (July 7, 2021)
● "SIEM vs. SOAR vs. XDR: Evaluate the differences" (September 14, 2021)
● "Extended detection and response (XDR): Which solution is best" (May 26, 2021)
● "XDR defined: Giving meaning to extended detection and response" (May 3, 2021)
● "The Differences Between Open XDR vs. Native XDR" (August 11, 2021)
● "XDR, SIEM, and the Future SOC" (April 27, 2021)
● "Why Arctic Wolf’s CTO Says XDR Is the Problem" (September 8, 2021)
How to Spot a Fake
1. What is the vendor proposing?
Disparate Point Solutions vs. A Strategic Approach
Spot a fake:
● Detection across a single data source – or no ability to protect unmanaged devices, cloud assets, SaaS applications
● Shallow out-of-the-box understanding of data, especially endpoint data (blocking out SIEMs)
● No ability to automatically stitch data together for analytics and insights
● No reduction in number of siloed tools (a loose integration of different detection and response tools is not XDR)
● No reduction in alerts through incident management
Our Approach to XDR
Holistic threat prevention, detection and response
● Block endpoint attacks with proven NGAV
● Detect stealthy threats by applying cross-data analytics to rich data
● Lower costs by improving SOC efficiency and avoiding siloed on-prem tools
Comprehensive Threat Prevention, Detection and Response
Endpoint Threat Prevention: Block endpoint attacks with a proven, lightweight next-gen antivirus agent
● NGAV
● Host firewall
● Disk encryption
● Device control
Full Visibility & AI-Driven Detection: Find stealthy threats with the solution that achieved the best combined MITRE ATT&CK detection & protection scores
● Machine learning and analytics
● Correlation, IOC & BIOC rules
● Rogue device discovery & asset management
● Vulnerability assessment
Accelerated Investigations: Quickly analyze attacks by grouping alerts into incidents and viewing rich investigative context
● Incident management
● Root cause analysis & cross-data insights
● Live Terminal for direct endpoint access
Advanced Threat Hunting: Uncover hidden threats with a powerful XQL querying language
● XQL query language
● Integrated threat intelligence
● Managed Threat Hunting
Coordinated Response: Swiftly contain fast-moving threats across key enforcement points
● Search and Destroy
● Script execution
● File block, quarantine, removal, device isolation
● XSOAR integration
Cortex
● XDR for cloud
● “Ingest, query, correlate anything” data engine
● Identity Analytics (UEBA)
● Forensics Module
● Redesigned Incident Workflow
Cortex XDR: Strong track record with third-party testing
● Highest combined prevention and detection in MITRE ATT&CK Round 3
● A Strategic Leader in the 2020 AV-Comparatives Endpoint Prevention & Response Report
● A Leader in The Forrester Wave: Endpoint Security SaaS, Q2/2021
Questions?
Thank you.
How Palo Alto Networks Makes Zero Trust Actionable
● Users
● Applications
● Infrastructure
Securing Applications With Zero Trust
● Identity: Validate developers, devops, and admins with strong authentication
● Device/Workload: Verify workload integrity
● Access: Enforce least-privilege access for workloads accessing other workloads
● Transaction: Scan all content for malicious activity and data theft
Palo Alto Networks for the Zero Trust Enterprise
[Table: rows Users / Applications / Infrastructure; columns Identity, Device/Workload, Access, Transaction]
● Zero Trust for Users: Identity: Enterprise IAM; Device/Workload: Cortex XDR; Access and Transaction: Network Security Platform (Prisma Access, NGFW, Cloud-Delivered Security Services)
● Zero Trust for Applications: Identity: Enterprise IAM; Device/Workload: Cortex XDR, Prisma Cloud; Access: Prisma Cloud & Software Firewalls; Transaction: Cloud-Delivered Security Services
● Zero Trust for Infrastructure: Identity: Enterprise IAM; Access and Transaction: Network Security Platform (Prisma Access, NGFW, Cloud-Delivered Security Services)
What is Zero Trust?
A strategic approach to cybersecurity that secures an organization by eliminating implicit trust and continuously validating every stage of a digital interaction.
Cortex XDR Agent Protection
Pre-Execution
● Reconnaissance Protection: Prevents vulnerability profiling used by exploit kits
● Technique-Based Exploit Prevention: Blocks exploit techniques used to manipulate good applications
● Kernel Protection: Protects against exploits targeting or originating from the kernel
● Threat Intelligence: Prevents known threats with intel gathered from WildFire
● AI-Driven Local Analysis: Prevents unknown threats
Cloud
● WildFire Malware Analysis: Detects advanced unknown threats
Post-Execution
● Malicious Process Protection: Stops script-based threats
● Ransomware Protection: Blocks ransomware
● Behavioral Threat Protection: Stops attacks by analyzing chains of endpoint events
Also: On and Offline Protection; Scheduled and On-Demand Scanning; Cross-Platform Protection
Automatically Detect Attacks with Machine Learning and Analytics
Attack Detection Algorithms: Malware, Command & Control, Lateral Movement, Exfiltration
Data sources: Endpoint, Network, Cloud, Identity, Palo Alto Networks & Third-Party Data
Profiling Engine: Profile behavior & detect anomalies indicative of an attack
● Current Behavior: User activity; Device activity
● Time Profile: Past user activity; Past device activity
● Peer Profile: Peer profile of user and device activity
● Entity Profile: Device Type (workstation, server, server type); User Type (admin, standard user)
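Added example illustrating the profiling-engine idea on this slide and the "2 weeks+ of data to baseline" requirement earlier in the deck; it is not Cortex XDR's algorithm. Each user's outbound volume for a day is scored against their own 14-day history (the time profile) and against the pooled history of users of the same type (peer profile keyed on the entity profile's user type), and is flagged only when it is extreme on both axes. The users, their types, the daily volumes, the z-score threshold and the standard-deviation floor are constructed assumptions.

```python
"""Baseline each entity against its own history and its peer group, then
score today's activity. Added example; the users, user types and daily
volumes are constructed, and the thresholds are assumptions, not Cortex XDR's."""
import statistics

BASELINE_DAYS = 14      # the slide profiles 2 weeks+ of data to baseline
Z_THRESHOLD = 3.0       # assumption: flag only beyond three standard deviations
MIN_STDEV_MB = 1.0      # assumption: floor so a flat history does not divide by ~0

# Constructed entity profiles: user type plus 14 days of outbound MB per day.
USERS = {
    "alice": {"type": "standard", "daily_mb": [12, 15, 11, 14, 13, 12, 16, 14, 13, 12, 15, 14, 13, 12]},
    "bob":   {"type": "standard", "daily_mb": [10, 9, 11, 10, 12, 9, 10, 11, 10, 9, 10, 11, 10, 10]},
    "carol": {"type": "admin",    "daily_mb": [80, 95, 70, 90, 85, 75, 100, 90, 85, 80, 95, 90, 85, 80]},
}


def baseline(values):
    """Mean and floored standard deviation of a history (the time profile)."""
    if len(values) < BASELINE_DAYS:
        raise ValueError(f"need at least {BASELINE_DAYS} days to baseline")
    return statistics.mean(values), max(statistics.stdev(values), MIN_STDEV_MB)


def peer_values(users, user_type):
    """Pool the histories of every entity of the same type (the peer profile)."""
    return [v for u in users.values() if u["type"] == user_type for v in u["daily_mb"]]


def score(user, today_mb, users):
    """Compare today's volume to the user's own past and to their peers.
    Anomalous only if extreme on both axes, so a volume that is normal for
    admins is not flagged just because it is large in absolute terms."""
    profile = users[user]
    self_mean, self_sd = baseline(profile["daily_mb"])
    peer_mean, peer_sd = baseline(peer_values(users, profile["type"]))
    z_self = (today_mb - self_mean) / self_sd
    z_peer = (today_mb - peer_mean) / peer_sd
    return {"user": user, "type": profile["type"],
            "z_self": round(z_self, 1), "z_peer": round(z_peer, 1),
            "anomalous": z_self > Z_THRESHOLD and z_peer > Z_THRESHOLD}


if __name__ == "__main__":
    for user, mb in (("alice", 14), ("alice", 95), ("carol", 95)):
        print(score(user, mb, USERS))
```

The same 95 MB day is anomalous for alice (far above both her own history and other standard users) and unremarkable for carol (within an admin's normal range), which is the reason the engine keeps peer and entity profiles alongside the per-user time profile rather than a single global threshold.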