Natively Integrated Security for Palo Alto Networks Ecosystems Cloud Delivered Security Services (CDSS)

February 13, 2023

As today’s cyber threats become more pervasive than ever, the “bad guys” are also growing more sophisticated than ever. We need to be constantly guarded against exploits and vulnerabilities—ready to defend against attacks—all while reducing risk. Enter CDSS, described by Palo Alto Networks as “All in one place and everywhere all at once.”

In this blog post, we will discuss the uses of Cloud Delivered Security Services (CDSS), how they work (including best practices) and what is new with these security subscriptions.

Palo Alto Networks CDSS licenses are available for purchase from Optiv Security based on individual customer need, à la carte. There are also cost-saving bundles that feature, for example, labs and HA pairs. Remember that each firewall in an HA needs to include identical licensing. Once purchased and applied to your firewall, you may verify that license is active under the device tab and the licenses node towards the bottom of the left side of the GUI (Graphical User Interface).

Image

Figure 1 - License Verification

How Palo Alto Networks’ CDSS Helps You

We will review the highlights of the recent changes to CDSS subscriptions so that you can better understand the value of these services and best practices for using them. Below is a comparative overview of the new CDSS offerings and an examination of how to leverage those services to protect your environments. You can utilize these services across the Palo Alto Networks ecosystem on various platforms, including Next-Gen Firewalls (NGFW), Prisma SASE (Secure Access Service Edge), Prisma Cloud, Cortex XDR and Cortex XSOAR.

Cloud Delivered Subscription Overview

Threat Prevention (TP and ADV TP) - minimum PAN-OS 10.2 for ADV TP

Threat Prevention (TP) has been part of the Palo Alto Networks Next Generation Firewall (NGFW) foundation from the beginning. This subscription is the essence of protecting your environment from commodity threats and APTs (Advanced Persistent Threats). Threat Prevention leverages signatures used by your NGFWs to protect against specific, known threats, including command and control (C2), malware and other exploits. A core principle of the NGFW is to combine Threat Prevention with App-ID and User-ID to create firewall policies that provide fine-grained protections for your network.

Advanced Threat Protection takes this to the next level, utilizing cloud services to provide inline machine learning for real-time protection from unknown threats. This is the most scalable solution to protect your environment, as you can stay up to date with new exploits not yet seen on the internet. The Advanced Threat Prevention subscription leverages all that is built into the standard Threat Prevention license. This allows your users to be protected without compromising the user experience.

DNS Security (DNS) - minimum PAN-OS 9.1 and Threat Prevention subscription

The Palo Alto DNS subscription is intended to be used at your internet gateway. With NGFWs, a DNS Security license provides inline protection for all DNS traffic in real time. Utilizing security policies on the NGFWs, you may customize your responses based on the DNS traffic type that fits your risk profile.

A DNS Security license provides cloud-based analytics that can predict and stop malicious domains instantly via your NGFWs. The machine learning engines can detect and stop new and unknown DNS threats, such as DNS tunneling and rebinding, as well as DGAs (Domain Generation Algorithms).

Known DNS threats are handled via the shared data in Palo Alto DNS Security cloud, utilizing data from Palo Alto’s own threat research and from all customers that deploy Cloud Delivered Security services, including WildFire, URL Filtering and additional third-party sources.

Advanced URL Filtering (ADV URL) - minimum PAN-OS 9.1 and 10.2 for real time web analytics

It is important to understand that the “Legacy” URL Filtering subscription is no longer available for purchase. Current subscription owners can continue to utilize URL Filtering as they have in the past until their license expires.

ADV URL utilizes the functionality of “Legacy” URL and includes real-time analysis when running PAN-OS 10.2 or later. This best-in-class web protection uses Palo Alto’s URL database of malicious URLs and the real-time, cloud-based, deep learning engine. This combination allows a NGFW to immediately detect and prevent new and targeted attacks.

ADV URL Filtering is intended to be at your Internet edge, as it protects you from malicious traffic requiring external connectivity, such as malware, phishing and C2.

WildFire (WF and ADV WF) - min PAN-OS 9.1 and a Threat Prevention subscription for WF, min PAN-OS 10.1 for ADV WF

WildFire was Palo Alto’s first cloud-based engine providing real-time, inline protection. This gave the ability to stop and prevent unknown, malicious traffic from entering an enterprise. The sandbox analysis provided by WildFire will help to prevent zero-day-attacks and APTs (Advance Persistent Threats), easing a business’ risk surface by providing prevention at scale.

Prevention is improved for all Palo Alto Networks customers, as the WildFire data is delivered within seconds to the NGFWs across the globe. This is all accomplished while utilizing cloud analysis and sharing with the inline machine learning modules on the NGFWs. Data shared with the WildFire cloud engine from your NGFWs, such as files and scripts, are all configurable.

Advanced WildFire absorbs all of what “legacy” WildFire utilized but goes deeper, including inline machine learning and automated protections. Updates include access to Intelligent Run-time Memory Analysis, which is a cloud-based advanced analysis engine. It complements existing engines already in use to detect and prevent evasive malware threats. Utilizing this cloud-based detection, highly evasive malware can be more easily targeted. Advanced WildFire also now includes integrations for management and reporting into AIOPs (Algorithmic IT Operations).

*Please note that prior to installing the new ADV WF license, you must first remove your expired WildFire license on the NGFW.

IoT Security (IoT) - min PAN-OS 9.1 (no device-ID and manual policy application), 10.1 for full support

Palo Alto Networks IoT subscription includes protections for Internet of Things (IoT), Internet of Medical Things (IoMT) and Operational Technology (OT) devices. IoT Security is meant to be deployed on the network segment where IoT devices exist, as well as on the Internet edge. These devices pose a large cybersecurity risk, as they are not trustworthy. But they are necessary for some enterprises to exist. These devices are rarely implemented or maintained by an organizational IT unit, let alone known and mitigated by security team—leaving a security gap that should be closed.

The IoT subscription uses machine learning to quickly identify IoT devices in real time. The IoT cloud engine then utilizes crowdsourced data to recognize anomalous activity for these previously unknown devices. This allows for a continuous IoT risk assessment that delivers trust-based policy recommendations to improve the organization’s security posture.

Now you can get visibility into devices that were once unknown and unprotected. The IoT subscription allows for best practice device segmentation to mitigate lateral movement to highly critical devices such as Domain Controllers.

SaaS Security Inline (SaaS) - min PAN-OS 10.1

Using SaaS Inline, you provide threat protection for your enterprise and users by blocking unsanctioned SaaS applications and risky user behavior via security policies. This SaaS visibility, along with policy recommendations and App-ID Cloud Engine (ACE), are the primary capabilities of SaaS Security Inline.

There are various flavors for SaaS Security Inline, from NGFWs only to Panorama Managed Prisma Access and, finally, Cloud Managed Prisma Access. These different scenarios provide multiple deployment and management options for you to choose from to meet your enterprise’s needs.

Enterprise DLP (DLP) - min PAN-OS 10.1 (or Prisma Access running ver 9.0.4)

Enterprise DLP is a new and improved integration of the Palo Alto Networks DLP service. Data is everywhere, and so are users who are at risk for data theft and compromise —which is why we needed a new way to think about enterprise data loss. Enterprise DLP is designed to be used with people, data and networks everywhere and anywhere. This comprehensive service covers:

Enterprise DLP allows for predefined and customizable data identification, which improve accuracy and reduce false positives. Leveraging machine learning in the cloud, sensitive data is automatically discovered using multiple detection methods. This continuous and consistent protection covers all points in your network, NGFW and SASE.

Final Thoughts

When reviewing the highlights to the new subscriptions, the major differentiator is that “Advanced” Threat Prevention and “Advanced” URL Filtering utilize inline Machine Learning (ML) via cloud analysis. The inline ML is a game changer, in that real-time traffic inspection occurs for protection against unknown threats in seconds.