Palo Alto Networks CPO On Debut Of Cortex Cloud: ‘A Game-Changer In Cloud Security’

The cybersecurity giant is ‘effectively merging two of our platforms’ to enable faster responses to threats and better outcomes for security teams, Palo Alto Networks’ Lee Klarich says in an interview with CRN.

Palo Alto Networks unveiled its new Cortex Cloud offering Thursday that unifies multiple cloud security tools across its portfolio, with the aim of simplifying security operations and dramatically improving response times to threats, Chief Product Officer Lee Klarich said in an interview with CRN.

Cortex Cloud is the successor to Palo Alto Networks’ Prisma Cloud offering, combining cloud detection and response from the vendor’s Cortex product line with cloud posture and application security capabilities from the Prisma CNAPP (cloud-native application protection platform), the company said.


In addition to “effectively merging two of our platforms” to reduce the effort needed to assess potential threats, Cortex Cloud also connects to third-party tools such as code scanners, Klarich said.

“Now we can be in a position to provide our customers with that comprehensive view of the cloud — both in the areas where we're providing those capabilities directly to them, and in cases where we integrate with other tools that [customers] already have — which is a game-changer in cloud security,” he said.

This is especially crucial because Security Operations Center (SOC) analysts typically must pivot between various tools just to understand the context necessary for determining if something is a real threat, Klarich said. “They just spent two hours getting the context necessary to [realize], ‘I have to do something really fast.’”

Palo Alto Networks has previously offered cloud detection and response (CDR) via its Cortex XSIAM for Cloud product, part of the vendor’s fast-growing XSIAM (extended security intelligence and automation management) platform.

A key benefit of Cortex Cloud — and of combining CDR with CNAPP capabilities — is that it provides SOC analysts with all of the necessary context “natively stitched and integrated together,” Klarich said.

As a result, when the SOC team sees an alert, “instead of it being a multi-hour investigation response, it becomes a couple-minute response,” Klarich said. “That's the difference between a breach and a non-event.”

Cortex Cloud will be available via Cortex XSIAM as well, according to Palo Alto Networks. The product will be available to customers later in Palo Alto Networks’ fiscal third quarter, which runs through the end of April, the company said.

For the company’s channel partners, meanwhile, Cortex Cloud enables new growth opportunities because it “puts our partners in a position where they can really emphasize their value-add — in system integration, consultative services, operationalization,” Klarich said.

Rather than requiring partners to deploy multiple separate products for customers, Cortex Cloud aims to enable the capabilities of all those products on a single platform, he said.

“As the partner, my value-add then is to make sure that's not just deployed — but actually is optimized and is fully operationalized,” Klarich said. “That up-levels the partnership aspects that we have in the community.”

What follows is an edited portion of CRN’s interview with Klarich.

What is different about Cortex Cloud, in comparison to how cloud security has typically been approached in the past?

Part of the importance is how this is architected [for] customer flexibility. For customers that want to adopt us around, say, cloud posture plus cloud runtime security — up until this launch, and really across the industry, those are really considered two separate product categories. What we've done is, by delivering these on the same platform, a customer who chooses to adopt those two capabilities can do so in a very tightly integrated fashion. We're basically using the Cortex platform as the foundation in order to break down these silos between different personas of security experts in an organization.

The other direction might be, they have us in a SOC with XSIAM, they want to use us for cloud runtime — but they're not yet ready on the other parts of cloud security. So again, we wanted that to be an integrated experience for them. I think too many times there's this restriction of, “If you want to use X and Y, they're two separate products.” This allows us to provide that flexibility to customers.

I think it also means that from a partner perspective, it puts our partners in a position where they can really emphasize their value-add — in system integration, consultative services, operationalization — which always has to be delivered jointly with product and technology. And so this puts them in a better position to be able to really provide the services and the integration capabilities that [are] less about, “I can deploy five products for you” — and it's more about, “I have a single platform, and I can enable those capabilities.” As the partner, my value-add then is to make sure that's not just deployed — but actually is optimized and is fully operationalized. That's the other piece that I'm very excited about with Cortex Cloud — how that up-levels the partnership aspects that we have in the community.

Traditionally, CNAPP may not have been something the SOC would be utilizing. Have these capabilities become more relevant to the SOC in the current threat landscape?

Every piece has become relevant to every other piece. If you want to do end-to-end cloud security, there's an AppSec portion of that. These are all your scanners — SAST and SCA and secrets scanning and infrastructure-as-code, CI/CD scanning, etc. These are all the things that generally are part of an AppSec program. Then you have everything that’s part of a cloud posture program — CSPM, CIEM, DSPM, AI-SPM, vulnerability management. These are all [focused on], did I configure everything correctly? What vulnerabilities do I have? What do I need to patch? Then you have cloud runtime. These are all the ways that you're going to protect against active attacks — malware, exploits, identity-based attacks. Then you have the SOC. And the SOC is trying to make sure that any attack is detected, investigated and responded to — in as close to real-time as possible.

These are the four things, end-to-end, that are required for cloud security to work. Every one of those — if they can leverage the context of the others — gets better. If you scan in the development stage and you find that there is a vulnerability, do you fix it or not? If you know whether that application [with the vulnerability] is a public, internet-facing application with critical customer data — yeah, you're going to fix it. You might even prevent it from ever making its way into production in the first place. But again, with the context that it's a dev application that is not publicly facing, and it doesn't have any interesting data etc. — you might have a more lax policy that says, “This is just a developer environment that I have a lower priority and a lower emphasis on.”

Could you share any further examples of how this might enable better outcomes on cloud security?

Let’s say I have an alert in the SOC that says there's a potential attack on my cloud workload. What does the SOC analyst do today? They pivot to a whole bunch of other screens that have more context. Some of that context is, what is that application? Some of the context is, how is that configured? Some of the context is, what vulnerabilities do I have that an attacker might be targeting? DSPM would tell it what data exists on that application. Today, the SOC has to pivot to all these other tools in the cloud to figure out the context, in order to go back to where they started and say, “Oh, this is a problem.” Well, they just spent two hours getting the context necessary to [realize], “I have to do something really fast.” If the SOC had all of that context natively stitched and integrated together — so that when they see the alert, they have all the context necessary, they have automated playbooks waiting to execute, to remediate and/or mitigate that issue — instead of it being a multi-hour investigation response, it becomes a couple-minute response. That's the difference between a breach and a non-event.
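The context-driven prioritization Klarich sketches in the two answers above (fix an exposed, data-rich workload; relax policy for a non-public dev box; stitch posture, vulnerability and data context onto a SOC alert) can be made concrete in a few lines. This is an added illustration, not Palo Alto Networks code or any Cortex API; the per-tool lookup tables, workload names and playbook names are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class WorkloadContext:
    """Context an analyst would otherwise gather by pivoting between tools."""
    workload: str
    internet_facing: bool   # from cloud posture (CSPM-style inventory)
    environment: str        # "prod" or "dev"
    data_sensitivity: str   # from DSPM-style classification: "critical", "internal", "none"
    exploitable_cves: int   # from vulnerability management / AppSec scanning

# Constructed sample records standing in for three separate tools (hypothetical data).
POSTURE = {"web-api": {"internet_facing": True, "environment": "prod"},
           "dev-sandbox": {"internet_facing": False, "environment": "dev"}}
DSPM = {"web-api": "critical", "dev-sandbox": "none"}
VULNS = {"web-api": 3, "dev-sandbox": 1}

def enrich(workload: str) -> WorkloadContext:
    """Stitch the per-tool records for one workload into a single context object."""
    posture = POSTURE[workload]
    return WorkloadContext(workload, posture["internet_facing"], posture["environment"],
                           DSPM.get(workload, "none"), VULNS.get(workload, 0))

def triage(ctx: WorkloadContext) -> tuple[str, str]:
    """Map context to (priority, playbook) following the policy from the interview."""
    if ctx.internet_facing and ctx.data_sensitivity == "critical" and ctx.exploitable_cves:
        return "critical", "isolate-and-patch"          # exposed + critical data: act now
    if ctx.environment == "dev" and not ctx.internet_facing and ctx.data_sensitivity == "none":
        return "low", "ticket-for-next-sprint"          # the "more lax" dev policy
    return "medium", "analyst-review"                   # everything else needs a human look

def ci_gate_allows_deploy(ctx: WorkloadContext) -> bool:
    """Shift-left check: block promotion to prod when the same context says 'critical'."""
    return triage(ctx)[0] != "critical"

def handle_alert(alert: dict) -> dict:
    """Enrich a runtime alert with posture/data/vuln context and choose a playbook."""
    ctx = enrich(alert["workload"])
    priority, playbook = triage(ctx)
    return {"alert": alert["id"], "workload": ctx.workload,
            "priority": priority, "playbook": playbook}

if __name__ == "__main__":
    for alert in ({"id": "a1", "workload": "web-api"}, {"id": "a2", "workload": "dev-sandbox"}):
        print(handle_alert(alert))
```

Swapping the constructed dictionaries for real inventory, classification and scan results is what the "natively stitched" integration amounts to; the decision logic stays the same.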

So what you're describing here is that you're unlocking a completely different set of outcomes through doing it this way?

That's right. We've had a lot of investment in cloud security over the last seven years — some of that through acquisitions and some of that organic investment. And we are leveraging all of that technology and the great people we have in that team. And all of that is fully leveraged, and now also fully integrated with this side of Cortex, where we can bring in the runtime and SOC capabilities and provide this in an end-to-end, seamless fashion.

We're leveraging the Cortex platform, which obviously has been designed for both first-party and third-party data integrations and automations for the cloud-only use case as well. For AppSec, this will allow us to integrate with third-party SAST scanners and even third-party SCA — where we have a capability, but not everyone uses ours. They might use someone else's [scanning tool]. By leveraging the Cortex platform, we can now ingest cloud security data from third parties and combine it with first-party [data]. And so now we can be in a position to provide our customers with that comprehensive view of the cloud — both in the areas where we're providing those capabilities directly to them, and in cases where we integrate with other tools that they already have — which is a game-changer in cloud security. Because everywhere that you have to pivot from one tool to another, that's context that is lost. It's an opportunity to automate that is lost, because now you're requiring a person to actually figure out what the relationship is between those different tools.

Ultimately then, you would say this isn't an approach that any competitors have taken with cloud security so far?

Agreed. And importantly, the different capabilities that I'm describing are all, in and of themselves, best-in-class and then integrated together. There have been attempts where companies that are really good at one thing, have tried to then integrate other pieces that are mediocre. And it just doesn't work. It doesn't work for an enterprise organization where they have business-critical applications running in the cloud. They have business-critical data that has to be protected. Every one of the individual capabilities needs to be best-in-class, and then integrated on the platform, or enabled by a platform.

I think what is particularly unique is, being able to be best-in-class at infrastructure-as-code and SCA on the AppSec side. Best-in-class on CSPM and CIEM and DSPM and ASPM on the posture side. Best-in-class on the runtime side — we just recently had results from MITRE validating our runtime protection capabilities. And obviously [best-in-class] in the SOC with XSIAM. What you're seeing in the market now are a lot of companies that are talking about platformization, and so there's a lot of noise. But when you go one level deep — and say, are all of the capabilities delivered from that platform best-in-class? — that is where you start to see significant differentiation. And then, are they best-in-class and integrated? Or is it just that they're co-located on a platform? So it's the best-in-class, integrated, [and] on a platform that makes us so unique.
