5 New Machine Learning Capabilities From Palo Alto Networks

Innovating At The Speed Of Machines

PAN-OS version 10.0 ushers in the world’s first machine learning-powered next-generation firewall to proactively assist in stopping threats, securing IOT devices and recommending security policies. The new operating system introduces a containerized form factor for the firewall and extends more visibility and security to unmanaged IoT devices without needing to deploy additional sensors, the company said.

The Internet of Things (IoT) market is expected to reach 1.1 trillion devices by 2026, and more than 70 percent of organizations are expecting to run containerized applications by 2023, said Karl Soderlund, senior vice president of worldwide channels. Customer demand is driving almost all partners to look at IoT security and container security, and the company wants to help with training and enablement.

Solution providers will need to qualify and discover these opportunities around IoT and container security, and might find they’re interacting with more of a DevOps buyer rather than a network security buyer, he said. The new offerings provide partners with a good opportunity to deliver managed services and professional services, particularly as it relates to implementation and pre-sales consulting, he said.

From the industry’s first next-gen firewall for Kubernetes to gaining visibility into never-before-seen devices, here are five new products and features in PAN-OS 10 that leverage machine learning to keep customers safer.

5. Clustering and Signature Updates

New high-availability clustering capabilities in PAN-OS 10.0 is a best-of-breed feature intended to maximize availability for customers and simplify management for partners, according to Soderlund. Availability is essential to providing partners and customers with strong and secure defense, Soderlund said.

Meanwhile, Palo Alto Networks is introducing zero-delay signature update protection, resulting in a 99.5 percent reduction in systems infected, according to the company. The company said it was already leading the industry in reducing the reaction time for threats from days to minutes.

4. New Decryption Features

Encryption is getting more complex every day, and Soderlund said partners and customers alike must have the ability to break that down and figure out how to best secure their environments. Decryption has been a major area of focus for Palo Alto Networks as a “table stakes” way of simplifying security for customers, according to Soderlund.

The new decryption capabilities in PAN-OS 10 are based on enhancements and extensions to the 12-year-old decryption technology found in the company’s next-generation firewalls, according to Palo Alto Networks. The new features enable more customers to fully deploy decryption and include support for the new TLS 1.3 standard, the company said.

3. In-Line Malware And Phishing Prevention

PAN-OS 10.0 leverages machine learning to make sure organizations are staying one step ahead of bad actors, according to Soderlund. As attackers use machines to automatically morph attacks, Palo Alto Networks said signatures become less valuable in preventing these attacks.

Network security products previously only used machine learning models for out-of-band detection, but Palo Alto Networks said its next-generation firewall now uses in-line machine learning models to help prevent previously unknown attacks.

The company’s new cloud-based system is used to train and tune machine learning models to detect both known and unknown variants of real-world attacks the company is seeing in the wild that affect customers, As a result, Palo Alto Networks said it has observed up to 95 percent of unknown malware that previously required cloud-based detection now being blocked inline without hurting performance.

2. Discover And Protect Unmanaged IoT Devices

Palo Alto Networks’ acquisition of Zingbox last fall enhanced its visibility into never-before-seen devices to help detect new anomalies and vulnerabilities, Soderlund said. The company’s new IoT security offering is delivered as a subscription off the company’s firewall and recommends security policies to organizations to ensure any identified anomalies or vulnerabilities are addressed, Soderlund said.

Zingbox has been integrated with Palo Alto Networks’ App-ID technology to detect unique IoT devices and provide guidance on how to protect them without requiring additional sensors or equipment, Soderlund said. The offering doesn’t require manual fingerprinting techniques, the counting of IoT devices for licensing or any other product for enforcement, according to Palo Alto Networks.

The offering will allow security teams to start reclaiming unmanaged IoT devices on PA-Series hardware appliances, VM-Series virtualized firewalls as well as the company’s Prisma Access network security service. The tool competes with siloed IoT security products by delivering unmanaged device discovery, protection and enforcement in places where there are no existing firewalls, Palo Alto Networks said.

1. Containerized Version Of Firewall For Kubernetes

Over the next three years, Soderlund said most organizations will be running multiple containerized apps in the production environment. The new CN-Series is a containerized version of the company’s firewall that helps network security teams ensure they’re compliant in container environments, and enables security at DevOps speed by speeding up the integration and provisioning process, he said.

Kubernetes is red hot right now, and Soderlund said Palo Alto Networks wanted a containerized form factor as part of their firewall to ensure both security and compliance. The CN-Series firewalls leverage deep container context to protect inbound, outbound and east-west traffic between container trust zones along with other components of enterprise IT environments, according to Palo Alto Networks.

The CN-Series can be used to protect critical applications against known vulnerabilities as well as both known and unknown malware until patches can be applied to secure the underlying compute resource. Applications are protected with the CN-Series in on-premise data centers like Kubernetes and RedHat OpenShift as well as the Kubernetes service from each of the big public cloud providers, the firm said.