Cybersecurity Innovation Starts Here

Captions
Please welcome President Amit Singh. [Music] LaVon Vinicius Pandya. Welcome everybody to Barcelona and Ignite 2019. Excited to see people here, friendly faces in the audience. It's been a year since I joined the company, exactly a year ago, and I thought what I'd do is share with you a few of my observations but also share with you the strategy, the investment strategy we have for Palo Alto Networks.

Let's start with the changing nature of threats. Every day, you know, you see it in the press. Yesterday the UK Labour Party got attacked with a big DDoS attack; last week a large Italian bank. Massive disruption to business, to elections, to physical security, to the electric grid, to academic institutions. It's everywhere, wherever data exists, and the stakes continue to rise. A recent attack on a bank in the United States caused a two billion dollar drop in market value for the company, two billion dollars in one day. Academic institutions: a few weeks ago there was a front-page article in The New York Times, massive loss of intellectual property because research is being stolen by threat actors. The new law that's going to pass in California, GDPR here in Europe, massive fines if you lose consumer data. And the hardest part about our jobs, your jobs in this industry, is the bad guys have to be right just once; we have to be right 100% of the time. Incredibly difficult and challenging.

I think the second part of what, you know, is a massive shift is that the journey to business transformation led by cloud computing is now mainstream. Everything is changing about how we build products, what we use, open source, how we deploy products using frameworks automatically, the kind of controls or lack of controls that we have in the deployment process. I was actually talking to a few CISOs, like we used to have code reviews and check-in processes and pretty rigorous, not to say that we don't have those anymore, but there's an agile methodology in place which actually puts tremendous pressure, tremendous pressure on DevOps and the security
infrastructure that's supporting the expansive nature of the surface we have to protect. People are using all sorts of different techniques, whether it's, you know, native lift and shift of products to the cloud or rebuilding it in containers or serverless technology to give them more leverage. The perimeter is shifting, where what used to be the edge, which you could control quite nicely within your data center, is out to mobile devices, branches and elsewhere. We have way too many solutions. I met this client a few weeks ago, I don't think they're in the audience and I actually won't say who they are: two hundred and twelve different vendors, no vendor left behind, that they had as part of the network. We joke about it, but the fact is it makes it very, very hard to operate that infrastructure. Every one of these products has alerts; you have to manage them, you have to patch them, you have to integrate them, you have to have skills around all these solutions. As an industry we actually have done a poor job bringing all of that together and providing insights to our clients, and that's something that makes your jobs, I think, a lot more challenging. And lastly, look, there's just not enough talent: 3 million jobs according to The New York Times by 2021. You know, this is a great industry for us to be in, but it's hard to recruit for, how to retain people, how to manage this infrastructure.

And so across all of these trends, you know, I think we need to rethink and reinvent cybersecurity, actually take it to the next level, and I thought I'd share with you just a few ideas and approaches that we are considering in the company to actually make your jobs a little bit easier. There's massive investment; we're in investment mode at Palo Alto Networks. Just to give you one statistic, over the last year our engineering capacity is up 50 percent, 5-0, 50 percent. Massive investment going on in the company, and a few themes that we're looking at, the lens through which we're looking as we make these
investments. First, trying to make our products more integrated, more integrated so you have to do less of the work, okay. Second, build automation as a core principle across the infrastructure that we provide you, to handle the complex environments and, frankly, the security posture you need to deploy. You're not going to be able to put human talent against an increasingly automated enemy, an enemy that's using machines; we need to figure out rule sets and optionality there that you can deploy through automation. And the last thing, intelligence, intelligence built into our products so it's self-healing, intelligence built into the capabilities released, so you use machine learning, you use data as your friend, so you can find patterns and identify unknown threats before you have one of those incidents that unfortunately puts you on the front pages of the local newspaper.

And we're doing this fundamentally in three categories; let me just spend a few minutes on each one. The first, securing the enterprise, the core business that the company was founded on: physical firewalls and integrated cloud-delivered subscriptions that keep you updated all the time against the threats that we identify. We have taken that capability and actually expanded it to virtual form factors with virtual firewalls, so you can have resiliency, can deploy them in your cloud infrastructure and deploy it at the edge, or deliver it as a service, deliver it as a service on the cloud in a new category that I'm very excited about, you'll hear later about it, called SASE, a new Magic Quadrant with our friends at Gartner that we are proud to be leading. This allows you just great capability to take all the investments you've made in rules and deploy them anywhere you want, in the form factor of your choice, for your mobile networks, for your branches, so you don't have to haul all that data back to the data center, yet you can manage and operate all of that from the same management console, giving you tremendous, tremendous flexibility. We're
excited that in this area, firewall as a platform, we want to continue to deploy additional subscriptions just like we did with WildFire, just like we did with many other capabilities, so you can deploy things like SD-WAN, DLP and many other creative capabilities in the future like IoT.

The second area that we are tremendously excited about is the investments we've been making in securing your journey to the cloud. As I mentioned, an expansive area, fast moving, lots of deployments going on, and we want to build the best-in-class suite irrespective of how you choose to deploy, whether it's native code, whether it's containers, whether it's serverless technology, whether it's one cloud, whether it's multi-cloud or hybrid cloud. We have the entire suite and we are actually the leading company in this area to help you in your journey for cloud transformation, and you'll hear later on today some exciting announcements of how we're bringing the latest technology between Twistlock and RedLock together.

The third area that we're excited about: securing your future, AI-driven autonomous security using data analytics and automation. We spend a lot of energy bringing our endpoint product Traps and firewalls, combining that into a single data model and being able to use machine learning against it to find those hard-to-find unknown threats, and that's why we won the MITRE evaluation; we're very proud of that fact. And now we're actually expanding this, you'll hear later on from Nir and Lee, into non-Palo Alto data sources. Very excited about that launch today. And then finally, how to automate so much of what we do using products like Demisto, so you can apply runbooks, you can apply best practices and create automation in your infrastructure, so you don't always have to bring human talent to an increasingly machine-driven fight. So those are the three investment areas for us: securing the enterprise, securing the cloud through the Prisma set of products, and securing the future with Cortex. And we're seeing tremendous
adoption, tremendous adoption across the industry. A large healthcare company deploying it across 30 countries, taking and consolidating a hundred and twenty different solutions down to a few, creating great value by actually taking their research assets, putting them behind these capabilities so they can protect them, automating the SOC using our API. Unfortunately, a large engineering consulting company that was hit by ransomware last year, you know, we actually landed a team, deployed the Traps agent, deployed the firewalls, integrated that data and actually showed them how they can prevent zero-day attacks; they're in a much better cybersecurity posture as a result of that. And lastly, in transportation and logistics, a large French multinational company basically taking the firewall capability that they already have deployed and extending it to the edge of the network, so you take all those mobile users, all that mobile traffic, the 3,000 locations that they have, and deploy the same capability that they had in the data center as they move out to the edge. And I'm actually excited that in this forum, in this community, many of these clients are here to share with you their journey as to what they went through as they're deploying these capabilities inside their own enterprises.

Thanks to many of you here, we're proud and humbled to be the number one cybersecurity company in the world by revenue, by customer base, across 65 countries. As you can see, 71 percent of the Global 2000 use our products every day, and we're very proud of the CSAT scores and all the J.D. Power awards we've won for exemplary service. So much of it is not just product anymore, since we are delivering these as software and cloud-delivered form factors. And right here in Europe we have over 20,000 customers and a part of over a thousand employees that are resident here to help support you every day. So we have a great event, you're going to have a lot of fun here, you're going to learn a lot, you'll connect, you'll share
best practices. We have 2,500 folks registered, thank you to all of you for showing up, eighty-four breakout sessions. This is what you've always asked for: give me more detail, take me, you know, inside the products. Lots of hands-on labs, and as you can see an incredible panel of speakers. We are proud to actually have these clients come in and tell you not just about the products, because they're just part of the story; it's about everything they have to do to make cybersecurity work for them. And all the partner speakers, and frankly thank you to many of our sponsors for making this event possible, see bakbox entity and all the folks that have made incredible investments in our partnership together. So I just want to say thank you, thank you for showing up, thank you for being part of this community, thank you for supporting Palo Alto Networks. We take this responsibility as a partner very seriously; we're just trying to make the world a little bit safer every day. And to tell you more about the technology underneath everything else, please welcome the CTO, founder, the third adjective I'd say is proxy killer, the fourth adjective I'd say is a connoisseur of incredible t-shirts, Nir Zuk. [Music] [Applause] [Music]

Okay, thank you Amit. Hello everyone. Okay, still sleeping? I'm the jet-lagged one and you're sleeping, come on. Hello. Okay, maybe some questions to make it interactive. First a simple question: who's here today? Anyone here today? About 10% of you, okay. Maybe another question: who has a CRM solution in their company? Only our CIO, come on, who has a CRM? Okay, this is not going to work. Okay, who has more than one or two CRM solutions? One of you, two of you, I don't know why, but okay. Who has more than one or two HR solutions? A few of you. Who is using more than, let's say, a handful of network infrastructure vendors? Phew. Who has more than 20 cybersecurity vendors? All of you, right? This is the way the industry looks: every time there is a problem there is another patch, another solution
coming out, and it just doesn't make sense. Amit said that, you know, we're the largest vendor in the industry. Last fiscal year we did almost three billion dollars in revenues; that's in a 100 billion dollar industry. You won't find any other industry where the leading vendor has three percent market share. It just doesn't happen, only in cybersecurity it happens, and this is the outcome, okay. The outcome is just something that doesn't make sense, unmanageable. And, you know, sometimes I go back and try to think how we got to this point, and, you know, maybe let's go back 25 years ago. So for those of you who remember, let's get a little bit geeky here. 25 years ago firewalls were ACLs, access lists embedded in routers. Anybody use them 25 years ago? Yeah, quite a few of you. But then they kind of didn't work, right, because you had to allow, and I'm getting really geeky here, okay, you had to allow all packets that didn't have a SYN on them, right; basically all established TCP connections had to be allowed. Not that secure. And then applications started to change, they became more dynamic, applications like FTP. Remember FTP, where all of you had to open everything coming from source port 21? Remember that? Yes, yes, very secure, right, because nobody can fake a telnet connection coming from port 21. And, you know, it didn't work and we needed a solution. So the first solution, the first go-to solution, at least of the network security industry, is a proxy. So we put up a proxy; the proxy would take some of these connections, break them, add a lot of latency, and very few applications would be supported, in this case FTP. But it kind of, kind of worked. But then more and more applications came out and it just didn't work really well. So what did I have to do? I had to step back and say, okay, first, two boxes in one network location doesn't make sense, let's try to do it in one; and second, there has to be a better solution than just breaking the TCP connection, and the better solution became known as stateful inspection, right, which
we created about 20-25 years ago. And then that was great, but then applications kept changing. Applications started developing vulnerabilities, because it wasn't just basic web browsing and SMTP that's been around forever and FTP and telnet; more and more applications, usually running on top of port 80, came out, became more and more vulnerable, and we needed something to deal with those vulnerabilities. So first came IDS. Of course IDS didn't work really well, because they only created more problems, because you had to deal with what they did. So I had to create the first IPS in the world, and that worked. And then more and more applications started running on port 80, and we had to do something with that, with port 80. So what do we do? Great, we put a proxy. And then that's what we do every time we have a problem that we can't figure out a solution for, because nobody's willing to step back and think about it. That's okay, but then more and more things have to be put on the network, like sandboxes, network-based anti-malware and, I don't know, behavior analytics probes, and more and more. So we had to step back and look at this and say, okay, how can we take all of that without putting just everything in one box and calling it a UTM? How can we just take a step back and find a fundamental fix for this? And the answer, of course, was let's create something that understands all applications and applies all these different security checks against all applications as a subscription service, and we called it the next-generation firewall. And the next-generation firewall came as hardware, then as software, then as a service delivered from the cloud, but that's what the next-generation firewall did. And as you can see, there is a constant fight between those who just want to add more and more and more and more solutions to solve or to plug another hole, and those, the few of us, that are willing to step back and invest, number one, CPU cycles in our heads and, number two, the money that it takes to
build the right solution. And today I want to talk about yet another situation that's brewing, where the industry is suggesting that we need to make things overcomplicated because there are different things that are happening and we need to plug holes, and suggest something that I think is much better. Okay, this time we're going to try to do it before everybody here buys the new solution and all the different solutions to plug the holes, and give you the opportunity to do the right thing from the get-go.

So what's happening yet again is the change in applications, okay. Remember, 25 years ago it was applications becoming dynamic; 15 years ago, or over the following 10 years until 15 years ago, it was applications becoming vulnerable and applications starting to run on the same port. And now the challenge is that, whereas in the past things looked like this, right, we had a data center, a corporate data center, either on-premise or co-located, and we had our network security stack in front of it and the internet, and then, because applications were sitting in the corporate data center, we used IP VPNs like MPLS VPNs or whatever in order to access those applications, and we had a few mobile users, so we deployed an on-premise remote access solution, maybe it was part of the firewall, maybe it was a separate one, to support our mobile users, and things were simple. Today the challenge is that applications are moving to the cloud. First they started moving to SaaS, then we started deploying corporate applications in the public cloud, and this just doesn't make sense anymore. It doesn't make sense that our branch office traffic will go through our corporate data center and then from there go out to the internet into our SaaS applications and into our public-cloud-deployed applications. It doesn't make sense that the mobile users will take the same path as well. We need something better. So the solution: let's plug the holes, right? So what we're starting to see the industry suggesting that we do is
first, let's take care of the mobile users, right. What do we do to solve the mobile user issue? What do we deploy? A proxy, right. So the first thing we do is we deploy a proxy for the mobile users; you know, there are different solutions for that. So, deploy a proxy for the mobile users. And then for the branch offices that we want to connect directly to the internet, we have the challenge of the internet not being reliable enough: we can't count on latency, we can't count on jitter, we can't count on packet drop and so on. So we'll use a technology called SD-WAN, right. So SD-WAN basically, instead of buying one internet connection, you buy two internet connections from two different vendors, and you do something to measure the different network parameters on both links, you can buy more by the way, and then you choose the best route or the best interface to put your packets on, and you just hope that this decision will be the right one throughout the entire way, which is never the case. So what happens with SD-WAN is, number one, once we do that we have a security challenge: our traffic doesn't go through our security stack in the data center anymore, which means that either we deploy our security stack in each branch office, which is usually very difficult to do, so what we do is we deploy a subset of it, or sometimes we deploy almost nothing and stick our head in the ground and just, you know, hope that the bad guys don't know that their branch offices are now connected directly to the internet, kind of like allowing port 21 as the source port to get into our network, right. But the other challenge that's there is that the performance is not reliable. I'll explain in a second why the performance of SD-WAN is not as reliable as you might think it is, and that leads to increased complexity. So the reason the performance is not reliable is because when you have two links and you start measuring the network parameters on them, that really works well in what we call the first mile, or the first
few hops, right, the first few routers, or I think here you say "Reuters", right. So that works okay, but then after a few hops things start going a little bit bad, because you don't really know which path the packets are going to take; the paths are changing all the time. And then lastly, if we're going to SaaS applications or cloud applications, the peering at the end, you just don't know where the peering is really going to go out from. So the performance of SD-WAN, for those of you who have tried it already, you know, is not that great, and can't really replace an IP VPN. So what ends up happening for those that go with SD-WAN is that you end up building your own IP VPN. Essentially what you do is you put hubs in different places around the world, usually there will be two to four in the United States, quite a few in Europe, and you'll put some in Asia, and if you have offices in Africa you'll put in Africa, and so on, and I mean some would be Antarctica I think, and Australia. But then you connect those different hubs with your own private links that you buy from different providers around the world depending on the region, and then you buy your own peering into the SaaS applications and the public clouds that you care about, and different branch offices will connect to different hubs based on where they are. And this becomes much more complicated and much more expensive than IP VPNs, okay, and we still haven't solved the security issue. So now you have to take your security stack and deploy it in all branch offices, or you take the security stack and you deploy it where you deployed your hubs, and the complexity is just unbelievable.

So rather than taking an existing situation and trying to change it so that it works, so you put a proxy for the mobile users and you use SD-WAN for your branch offices, what we think needs to happen is you take a step back, you look at the challenge that you have and you try to find the right solution, even if you
have to build it from scratch, which in this case we didn't have to, but that's what you do: you have to find the right solution for the right problem. And we think that the right solution for this is to build a private network, a worldwide private network, an IP VPN network, and then allow onboarding to that network using different methods: either IPsec or SD-WAN from the branch, using IPsec or SSL for remote users; you can even connect your partners to this through IPsec or SSL or clientless SSL, what's called SSL VPN. That network has to have the right peering into all the different SaaS applications and all the different cloud providers that anyone that is using that network might use. Of course it needs to have links back to your corporate data centers, where you still, and will probably for a very long time, have applications. And most importantly, the security stack has to be embedded inside that network, so both the security stack for securing your network traffic, what you have today in your data center, as well as CASB for securing access to SaaS applications, with all the different subscription services that you have in your on-premise security stack today. Okay, so that's it. It looks simple; it actually is simple once you deploy it. I'm not saying that it's simple to build it, but once you build that, you've built the right solution. You build a private network; if the private network has enough PoPs around the world, let's say a hundred or more than a hundred, such that no matter where you're trying to onboard the IP VPN, with a few hops you'll be there, and then from there of course things are guaranteed, then performance is going to be pretty much the same as the traditional MPLS-based IP VPN, only that here you have much better access to SaaS applications and cloud applications, and you've consolidated all your access needs, remote users, branch offices, partners, traditional data centers, cloud data centers and SaaS, into
one system with complete security built in. Okay, so that's the solution we are proposing. We're not the only ones proposing it; like Amit said, a couple of months ago Gartner published a paper titled SASE, that's how you pronounce this, SASE, secure access service edge, in which they talked about very, very similar concepts. What they talked about is the convergence of security and networking with all these different features, which, by the way, as you probably know as our customers, we provide all of them in our firewalls or in our CASB, and those that we don't, we might announce today, well, let's say, actually I think the press release is out already, so we announced, right, and we will talk about it later. And all of that converging to one system. So we believe in that, Gartner believes in it, and I think that it's more than this. You know, for the last 25 years, ever since I started my career in the cybersecurity industry when I was 5, I've been hearing this rumor that the networking vendors are going to kill the standalone cybersecurity vendors, because why would you want to buy standalone security solutions when you can buy it embedded in your routers, in your switches, in your networking and so on? And it hasn't happened. It hasn't happened because security turned out to be more important than networking, and nobody was willing to give up the level of security they were getting from the standalone security vendors for the convenience of running security inside the network. I actually think that the days where security and networking converge are coming; I just think that it's not going to be the security vendors that are going to get the short stick here, okay. I think the networking vendors are the ones that are going to suffer from this convergence, and the value of the networking vendors and the need for independent networking vendors would probably be reduced, especially for WAN, especially for branch offices, of course in the data
center as well because of the cloud. We'll see what remains of them when this happens, okay. So I have a simple job. My job is to draw things like this on whiteboards; when I draw it on a whiteboard it looks a bit more complicated than this, but I just draw it on a whiteboard and then someone else goes and builds that. It's great, it's a system: you convert whiteboards to solutions. It's very complicated, it takes hundreds of people and it takes many, many months, if not a year or more, and the person that's doing all of that is our chief product officer, Lee Klarich. So I would like to invite him to the stage now in order to tell you how we do this, okay. [Music]

Good afternoon, how's everyone doing? All right. Yes, Nir, Nir draws on the whiteboard, goes on vacation for a year, comes back, says hey, look at that, we built something. So yes, there's a lot of people behind what we build, though Nir did an excellent job in setting up the market need, the dynamics, the evolution, and even setting the stage for the vision for how to approach this, how do we solve this in the right way. And of course translating that into products: that is Prisma Access. Prisma Access is the industry's most comprehensive and capable secure access service edge, and today we're actually doing a lot of product announcements here at our Ignite show, and we're going to start with actually a whole series of announcements around how we're expanding Prisma Access to be even more capable around the networking side, the security side, as well as the management side. And it's really these three areas that make up Prisma Access and our SASE solution. And we're going to start on the network. The network is really important; the network is effectively that user experience, and having a really good network and network connection is very important for enabling the users to connect to the applications as quickly and as reliably as we possibly can, really trying to replace and even up-level what they used to get with
MPLS services. So I'm going to start with something that we actually rolled out a couple months ago, but it's really important to describing how we approach this with the best possible capabilities, and that is, at the end of July and early August we upgraded the network component of Prisma Access to include over a hundred locations around the world; over 70 countries are included in that list. This is important. This is, once we onboard the connection, can we do that as close to the user or the branch office as possible, and then from there can we leverage that global network in order to have the best possible transit to the ultimate destination, whether the destination's in the data center, in the cloud, SaaS applications, etc. So with Prisma Access we have over a hundred locations globally for onboarding and connecting across a private network for optimal transport.

Now Nir described, though, a really important requirement, which is how do we best get traffic onto this network? And so with that, the first new capability we're announcing here at Ignite, that has been hinted at a little bit, is SD-WAN. With Prisma Access we will now be able to extend to include a secure SD-WAN solution for that last, that first mile onboarding into Prisma Access. This is integrated; we'll be able to provide ease of onboarding, ease of configuration, we'll talk about the integrated management plane later, high performance. Now you may wonder, how is it that we were able to just do SD-WAN? Isn't this like a whole market? Aren't there whole companies that are formed to do this? The reality is, with PAN-OS we have had a lot of the core capabilities required to do SD-WAN for a very long time. These capabilities are the foundation of being really good at network security, but we did have to extend those capabilities, and that is how we're able to go from being the absolute best at network security to being the absolute best at secure SD-WAN, leveraging that foundation and adding the additional capabilities required
on the SD-WAN side for choosing the right link, monitoring the path, failing over as needed, tying that to our understanding of the applications, tying that to understanding of the network and everything else. So this is one side of how do we make sure that there is end-to-end network optimization. The other side of this is handing off from Prisma Access and our network to the applications that you're trying to get to, and to the best of my knowledge we are the first vendor to offer SLAs, service level agreements, for that connectivity to a number of SaaS applications. We're starting with some of the leading SaaS applications in the world; we'll extend this over time. We are actually putting our money where our mouth is, and we are offering an SLA because we're so confident in our ability to deliver fast handoff to the SaaS applications. All right, think about it, so if you combine these three things together: you take SD-WAN, which is optimizing the first mile onto the network; that middle mile, which is far longer than a mile, it's like thousands of miles, having a proprietary best-in-class network; plus SLAs for the last mile handoff to the SaaS applications, which are some of the most critical business applications users are trying to get to. That gives us that end-to-end network optimization delivered as part of the service.

Now, as Nir said, it's not just about the network, it's not just about providing connectivity; we have to secure it, and ideally we need to secure that with the absolute best enterprise-grade security. Now of course with our foundation this is very core to what we do, and Prisma Access has offered some of the best security capabilities since it was brought to market a couple years ago. I've been working on that, we've been extending it, and just this past weekend we upgraded Prisma Access for all existing customers and got it ready for any new customer coming on board with additional capabilities. We've added DNS Security. It is exciting, it's okay. We added DNS Security; this was
first rolled out on our hardware and virtual form factors earlier this year; now available in Prisma Access. I'll go into more detail on that later today, but this is really taking hold amongst our customers; it's a great security service. And for the first time we're offering DLP in an inline security form factor, natively built in to Prisma Access. And of course XDR, being able to collect the data from Prisma Access to perform analytics, detection and investigation, response workflows. So a very broad set, but also a very deep set, of enterprise-class security services built natively into Prisma Access.

So let me talk just a little bit on the DLP. This is new. So we've had this on Prisma SaaS, for the API-based SaaS security, for a couple of years now, and just a couple of months ago we upgraded that with a whole new set of patterns and analytics and DLP capabilities in order to make that even better. And what we rolled out this past weekend is the ability for that same engine to be applied to inline traffic with Prisma Access: consistent policy management, consistent visibility, consistent detection capabilities, now applied to both inline as well as API to the SaaS applications. That is obviously available now for Prisma SaaS, because it's been available for a couple of months; it's available in an evaluation mode in Prisma Access initially. We'll be rolling out and expanding that and making it production grade here in the coming months. So really excited about the expanding security services that go hand-in-hand with the expanding networking capabilities of Prisma Access.

One more area: management. As Amit described, having a single control plane across all form factors is incredibly valuable, and Panorama has been able to provide that. We use the plug-in architecture in order to make that possible, where we can have consistent security across all form factors: hardware, virtual, and Prisma Access as a service. But we also just rolled out, and are publicly announcing for the first time here today, the ability to have a
cloud-based management solution for Prisma Access. You think about this, and many of you have asked for it: Prisma Access is a cloud-based solution, and you would love to have a cloud-based management framework to go with that. This Prisma Access management plane is designed very much as a cloud service and is designed very specifically to model the workflows required for Prisma Access. So now you all have the option of either Panorama or going with the native cloud management solution for Prisma Access, built directly into the service. It's super cool, it's modern, and it's designed for the workflows of Prisma Access. And when you take all of that together, both what we had plus what we just announced, this is what it looks like. This is what the most comprehensive secure access service edge looks like: all of these security capabilities, all of these networking capabilities, an integrated control plane for management across all of that. Truly incredible capability.

All right, that's how we use the cloud to deliver this security. Let's talk about how we secure what runs in the cloud itself. Okay, more and more applications are being deployed in the cloud, deployed in public cloud, consumed from the cloud, etc. How do you secure that? It's not actually that easy unless you use the right solutions, but a lot of us, I think, hoped it would be really easy. A lot of us hoped that by running an application in the cloud it would just be inherently secure; they wouldn't have to do anything; just by running in the cloud it's somehow natively picked up, intrinsically, magically, whatever word you want to use, just magically picked up security. It doesn't work that way. There is a shared responsibility model: the cloud service providers provide security for their infrastructure, but everything you run in the cloud, you are responsible for, and it's a lot. And to make it even a little more challenging, when you think about what an application looks like when it's developed for the cloud, in many cases it's broken apart into
different microservices, and these different microservices are often deployed across different technical stacks, and so an application in the cloud actually has these different components running on different tech stacks. How do you secure that? Well, as a starting point, what security do you need to provide? There's a lot. You basically have to do all of the same things you do for an application running in your data center, but now you have to do it in the cloud. So the form factor changes, the approach changes, but what you have to do ultimately is actually very similar. But then you need to make sure you can apply it across all the different technical stacks: you need to apply it for portions running as virtual machines, and you apply it for portions running as containers, for serverless functions, for PaaS services. And so, in a similar way to what Nir was mentioning, history has a habit of repeating itself sometimes. So what has the security industry done to approach this? Well, somebody came along and said, well, I think I can do vulnerability management on VMs, and then someone came along and said, well, I think I can do that for containers, and someone else said, well, I think I can do workload security for VMs, and pretty soon we end up with this mess, and all that complexity, the 212 vendors that Amit mentioned, all of a sudden they all end up in the cloud providing point solutions for different aspects of this problem. I don't think we can let history repeat itself. I don't think this is going to work in the cloud. And for that we built Prisma Cloud, a cloud-native security platform designed for the cloud to protect applications in the cloud. It will provide all these different capabilities; it will provide these capabilities across all different technical stacks: virtual machines, containers, serverless, PaaS services, across the full CI/CD pipeline. It will then apply that across different cloud environments, public cloud, private cloud, hybrid cloud, multi-cloud, as consistently as possible, so that in one
place you can get a full cloud security suite that can understand your entire application and provide security for it, even in applications developed using these multiple tech stacks.

Now we've talked about this before, so what's new? Well, for those of you paying attention, back in July we acquired two companies. We acquired Twistlock, which was, from our perspective, the leading container security company out there. We acquired PureSec, which was the technology leader for serverless security. Now most of you have probably been thinking about container security; it's sort of front and center to a lot of folks. Many of you probably haven't started even thinking about serverless security, but this was our approach to get ahead of the next need that you're gonna have, because very few cloud-native applications are being developed these days without some amount of serverless capability as well. So we acquired these two companies in July and we told you we're going to integrate them into Prisma, and a lot of people said, well, gee, that's, it's gonna be a lot of work; how long is it gonna take; are you sure you can do it; integrations are hard; we've seen this before and sometimes things never get integrated. You're probably guessing where this is going, right? So in a couple of weeks we are going to have the Twistlock container security capabilities and the PureSec serverless security capabilities integrated together, and then integrated into Prisma Cloud. So five months after acquisition we will have both products integrated into Prisma Cloud as we continue to expand the capabilities of our cloud security. Now what are you looking at? On the left-hand side you see Prisma Cloud, you see the different capabilities, effectively the different tabs within Prisma Cloud and what it offers. What you're seeing is a new Prisma Cloud compute security tab, and with that it lands on what is called Radar. This is Twistlock's capability for how it visualizes connectivity between all the different nodes of applications, and
from that visibility you can start to see alerts, you can see how your policy is set, etc. So this, which you're seeing natively built into Prisma Cloud, is a new pane of glass for container and serverless security right there. Very cool.

Now one last piece of cloud security: VM-Series. Inline security is still very relevant in public cloud environments; it's also relevant in private cloud, hybrid cloud, multi-cloud. VM-Series runs on what at this point must be the most extensive set of hypervisors on the planet, and it continues to get better and better and better. We not only expanded the multi-cloud support, we've continued to expand the automation capabilities: bootstrapping, dynamic provisioning. Automation is super important in the cloud. VM-Series has a ton of different integrations for that, and again it keeps expanding. And earlier this year we announced a new plug-in architecture for VM-Series that allows us to more rapidly deliver new capabilities and adapt to changes in public cloud infrastructure, and this has also been super, super beneficial to our customers. It allows us to adapt to their needs much more quickly and not have to wait for the next major releases. We had our first, what we call XF, release a few months ago that added a bunch of capabilities outside of the normal cycle; it integrates with the next PAN-OS release. So a lot of really good stuff happening with VM-Series as well to help round out the capabilities of securing public cloud. Overall, though, what you are seeing from us, and what you will continue to see from us, is an execution on this strategy, which is being best-in-class at the core cloud security requirements that you have for how to secure an application running in the cloud, being best-in-class at these different capabilities, but importantly integrating them together into a single platform under Prisma Cloud to make it really easy to consume these capabilities across your full tech stack and CI/CD pipeline.

All right, now we're going to shift gears, and to shift gears I'm
going to invite Nir back up on stage. Is this, yes, there we go, Nir.

Oh, thank you, Lee. So I'm back here to talk a little bit about Cortex, right. We talked about Prisma, which is our journey to the cloud solutions, both access, because applications are moving to the cloud, and securing the cloud, because applications are moving to the cloud. Cortex is about securing the future, and what we mean by securing the future is mostly around the security operations center, which needs to go through a major change in order to be able to support even what's happening today, but certainly what's coming in the future. And it's the automated attacker, right: the attackers are becoming more and more automated, so we have to change the way things work in the security operations center. It's because data is becoming more and more important in our lives in many different areas, security as well, so this security operations center has to be more data-driven versus guesswork or whatever they do today. And it's also the move to the cloud that is driving a change in the security operations center, and that's because in the traditional data center, when new applications had to be deployed and they needed access to the outside, they needed access to different applications or to different components in the data center like databases and storage and so on, the developers of the applications always had to come to the security group, get down on their knees and beg you to open the right access, usually with the firewall, and that's something that usually the network team, if they like it, we do, right? I'm exaggerating, of course. In the cloud world, in the public cloud world, it doesn't work like that. There is no single control point where you can control everything that's happening in the cloud, and the mode is more trust and verify. You put guardrails; these are things that the cloud developers have to be within, but inside there there's a lot of freedom, and there is a set of rules that they need to follow. There isn't
really a way to enforce those rules, and the way it works is you trust them to follow the rules, but you need to verify. And when you trust and verify, it's not the network security team and it's not the security engineering team that's doing that; it all falls on the shoulders of the security operations team, of the SOC, because whenever something is not verified it's their job to go and deal with that. And all these things together are changing the way the security operations center works, whereas today the way they work is just not scalable. You know, we're talking about 175, this is an average that we're seeing across our customer base, 175,000 alerts per week, right. You don't have enough people to handle that, so today it's more of a guesswork of we should probably handle these alerts and not these alerts. These alerts come from more than 30 different products, right, up to 200 different products, and are very difficult, of course, to visualize and to get context, and that also leads to an average of about four days of time to investigate an attack. So even if there is a data breach and you know about it immediately, which usually you don't, it still takes four days to investigate it, figure out what happened, and start the recovery process. And you just cannot continue like that, and it's going to get worse and worse and worse with the things that I described just now.

So what's the issue? The issue is that today, at the core of the security operations center, we have something called a SIEM, security incident and event management, which is a technology that doesn't do any security incident and event management; you do that elsewhere, right. Anybody's doing incident and event management in their SIEM? No one, right. They just don't do that. They collect logs. They collect logs from network devices and network security devices, from endpoint agents, from servers, from applications, and whatever you want to push into the SIEM, it will take. Those logs don't have a lot of information for making
decisions. You do have some rules, you can have some rules, especially around the alerts that the SIEM collects, in order to decide which alerts to handle and which alerts not to handle, and these are usually not the best rules in the world; it's very hard to do that with rules. And there are some rules also to try to figure out about new attacks, and a lot of the work is just manual: something happens, you look at it, you send a security analyst, they investigate and they figure out how to deal with it, which really results in a reactive response and reactive investigation. A very long time passes between the time something happens until you can react to that. And if we double-click into it a little bit more, this is kind of the same architecture today, right. I'm not going to get into it; it's more or less like this. But more importantly, because the SIEM just collects logs, it doesn't collect any data, so it can't really do any meaningful analytics. What we're seeing, with what the industry really knows how to do well, is many vendors being created in different verticals and different silos to overcome that. So specifically, SIEMs don't collect data from endpoints; they collect logs from endpoints. If the endpoint found a virus, the SIEM will know about it, but the SIEM doesn't collect data in order to be able to detect things that the endpoint, or whatever is running on the endpoint, hasn't been able to detect. So since SIEMs don't do that, what are we going to do? We're going to create a new industry. We're going to call it the EDR, endpoint detection and response, industry. We're going to overfund it with hundreds of millions of dollars, create multiple companies that spend $2 to sell one, great, and they're going to collect data from the endpoints into a separate data lake, into their own data lake, and then they're going to use rules, maybe machine learning; in many cases they will offer also a managed service, a managed hunting service, where they put humans on the data. The humans
look for attacks on your behalf, and then if they find an attack, whether using rules, using AI, using humans, they're going to generate an alert, because the SIEM doesn't have enough alerts yet, and in some cases they're going to have the endpoint block the attack. That's not enough. We need to do something in the network. We need to put something in the network to collect data from the network, because firewalls don't really collect enough data, so a new industry called the NTA, the network traffic analysis, industry has been created. They ask you all to put sensors all across your network; they will collect deep data from the network into yet another data lake, process that data with rules, machine learning, humans, whatever; if they find something bad, right, they're going to send an alert to the SIEM, so you have a little bit more work to do, or more alerts to ignore, and rarely are they able to go back and make modifications to the network. And the same thing is happening with public cloud, and the same thing is happening with SaaS, and the same thing is happening with IoT. So you want to secure IoTs? No problem, there are multiple vendors out there that will be happy to sell you a set of sensors to deploy across your network, collect that data into yet another data lake, process that data, and if they find something they'll tell you about it, and in rare cases they'll be able to stop it. This cannot continue, okay. Now this is not the first time I show this slide; I actually showed this slide a year and a half ago, at Ignite of last year in the U.S.
in Anaheim, California, right next to Disneyland, and back then it was just after we bought a company called Secdo, which is an EDR company. I said EDR is dead. So why did you buy an EDR company? Well, I said EDR is dead because this doesn't make sense, and we bought an EDR company in order to integrate the EDR company with the NTA company that we acquired before, a company called LightCyber, and with cloud security companies that we acquired, like RedLock and Evident and others, and now we also acquired an IoT security company, and so on, and build what we think is the right solution, which is: collect all the data from all these different sources into one place, not necessarily one data lake but one place; process all that data together, not put the blinders on and just process endpoint separately from network and so on; the attacks happen across the entire infrastructure, so process the data from the entire infrastructure together; and if you find something bad, you respond back to the entire infrastructure. And back then we said we're going to call this XDR. Why XDR? Because it's anything, X, anything detection and response, not just endpoint detection and response or network detection and response and so on; it's anything detection and response. And we announced that we're going to build the XDR product, and we did, and we delivered XDR to the market, and guess what, with the help of some analysts, the copycats came, right, which is great. So an analyst from Forrester immediately agreed with us and said yeah, XDR is the way to go, EDR doesn't make any sense, and all of a sudden everybody has XDR, or almost everybody, which is great. It's validating that EDR doesn't make sense and NTA doesn't make sense and doing those things in silos doesn't make sense, and if everybody's saying that this is not the way to go, then it's probably not the way to go. And now, you know, there's the question of who does that best, and you know, you'll evaluate the products and
you'll figure that out. So it's great that the industry is now standing behind the concept of collecting all the data into one location, processing it together, and responding back to the entire infrastructure. Okay, so that's what Cortex XDR is about.

Now Cortex in general, and there are other things inside Cortex, is about, number one, not collecting logs but collecting what we call good data, meaning data that can be used for computer-based, software-based analytics. That's good data; it's not any data. I don't need to know that the file will drop something; if it will drop something, all the analytics in the world is not going to help you to drop it, because it's already dropped. You don't need to know that there's something bad; you don't need analytics to know that something bad happened, okay. So we don't need that, but we need good data; we need data that can be useful for analytics. Then, rather than using rules, we need to do machine learning-based analytics, and some human-based analytics as well, and whatever we come up with we need to automate. And that's what Cortex is about. The result of that is very quick response to incidents, which is fully automated, and we become proactive all of a sudden: something happens, very, very quickly thereafter the system figures out that it happened and responds to it automatically. Okay, so that's what Cortex is about. It has two parts to it today. The first part is Cortex XDR, which automates really three things: Cortex XDR automates hunting using analytics, it will hunt for attacks that traditionally humans would, so that the humans can hunt for attacks that machine analytics cannot hunt for; it automates investigation, or at least a big part of the investigative process; and it automates the consolidation of alerts, or alert reduction. It can take many different alerts and consolidate them into single incidents. So that's Cortex XDR, and there is also Demisto, which is part of Cortex, and that's the SOAR, security orchestration,
automation and response, system, which collects or takes this meaningful data and automates the process of enriching it, running playbooks against it, and making modifications to anything in the infrastructure that needs to be modified in order to deal with an attack. Again, these together create the XDR, sorry, the Cortex family of products, and here are the results so far. I'm proud of the results, but certainly I'm not going to sleep at night until we show much better results. So what we're seeing so far with Cortex XDR is a 50x reduction in the number of alerts, meaning on average we will take 50 alerts and convert them into an incident, and the second thing that we see is that investigations are eight times faster because of the automation of big parts of the investigative process. And then with Demisto we're seeing a 95% reduction in the number of alerts that humans have to touch, meaning 95% of the alerts are being handled automatically, which allows security operations centers to switch to a mode where all alerts are being handled, most of them automatically, some of them with humans, and those that need to be handled with a human involved are 90% faster. So you get 10x the capacity of your humans in the SOC to handle alerts, and they only need to handle 5% of the alerts versus today. These are amazing results, but by no means the end; this is just the beginning. We're going to get much, much better than this, okay. And to tell you a little bit more about how and what is it that we do, I'd like to call Lee back to the stage. Thank you.

All right, awesome. So we take what Nir said; I try to, I have to try to simplify things; in my own brain I simplified it down to what you see here. Step 1: prevent everything you can possibly prevent that is known to be bad. That's a good first step. It's not complete, because there'll still be stuff you have to detect, but prevent as much as you can. Then collect as much data, perform analytics to detect things that weren't prevented outright, facilitate an as-automated
as possible response to those. So prevent, detect, respond, automate. So to do that, one of the key components is XDR. Nir mentioned changing the industry and having the industry start to follow us. Today we are announcing XDR 2.0. So this has been an incredible release, a lot of effort behind making it possible. It'll be available in the early December timeframe. We want to take this opportunity to share with all of you the exciting work we've been doing. A lot of components to this; what I boil it down to is three pieces. The first is we rebuilt and extended the portion of XDR that connects with endpoint protection; I'll describe that in a second. Second is we delivered a completely reimagined, built-from-the-ground-up local analysis engine for preventing malware. And third, we have opened XDR up to third-party data. We'll describe each of these three in a little more detail because they are all very important enhancements to XDR.

So first, as many of you probably know, when we first launched XDR earlier this year we had this great data collection, analytics, investigation, response component, and one of the most important data sources for this was endpoint, and so we bundled Traps with XDR. Bundled Traps: Traps had TMS for managing it. This is a good solution, but the first component of this XDR 2.0 release is that endpoint protection is now fully integrated into XDR. There is now an XDR agent for endpoint protection, and the management of it is natively part of the XDR management UI and integration with XDR. Second, we delivered an endpoint protection module for device control. I heard from many of you that this is something that you would like to see natively built in to this new XDR 2.0 framework, the first of what I expect to be many additional endpoint modules that can simply be enabled and plugged into the XDR framework. And third, in the process of rebuilding the management UI, we took a look at the top 25 feature requests from all of you for TMS, and we said, you
know what, I think we can address those as well. So the vast majority of the top 25 feature requests that all of you had have also been addressed as part of rebuilding this management UI infrastructure into XDR. So that's the first piece.

Second piece: local analysis. So local analysis is really important. It takes place in the pre-execution phase: when a user clicks to open up an application, and before that application is executed, local analysis happens. Local analysis also has the unique benefit of being something that can run both when the endpoint is connected to the Internet as well as when the endpoint is completely offline. And we took this capability and we completely reimagined it from the ground up, achieving, based on our measurements, at least a 10x improvement in accuracy. That is just incredible, and based on our initial testing, best-in-class across the industry. So how do we do it? A lot of work went into it, but I'll summarize it in three pieces, starting at the bottom. It's all about having the right data. Leveraging in particular all of the data that WildFire collects, but then extending that with some third-party sources as well, we are able to build a fantastic and broad set of curated data about known bad and known good. This is the data that is used to train the local analysis engine, so the broader that data set is, the better the results are going to be. Second, we went through an extensive process of evaluating hundreds of thousands, if not millions, of different file attributes to figure out which are the most accurate in predicting whether a new file that has never been seen before is good or bad, and we selected from that the right set of file attributes that we would use. And then the third piece is we found a way to solve one of the challenges in local analysis, and that is the frequency of upgrading the training models. We can upgrade and update this training model basically as fast as we want to; we can easily do it every day if we needed to, do it every week. That is really important, as
we see changes in the attack landscape; it allows us to adapt very quickly to changes. So really it's a combination of all three of these that really allowed us to achieve the results that we're seeing with this new engine.

And third, and it might be the only time that you see me have a slide with some of these vendors on it, not sure we'll have more of these: look, in the effort to become the foundational platform of choice, it does mean that we will be integrating with other companies out there. Sometimes those companies will be partners of ours and sometimes they might be competitors of ours, but we recognize that many of you do have heterogeneous environments. Instead of simply saying it's okay to have blind spots, no, we're gonna take that data in, we're gonna use it to provide the best analytics and outcomes we possibly can. A week and a half ago we added the first of these vendors: Cortex XDR is now collecting Check Point alerts and logs and using those for analytics and investigation and response, and as part of the December release of XDR 2.0, the other vendors you see here will also become part of Cortex XDR. So in addition to our own great data sources, we're now collecting data from other sources, and we'll be extending that over time. You know, it's funny, when we acquired Demisto back earlier this year, one of the main questions I got from folks was, are you going to maintain the open connections with Demisto, are you going to maintain these third parties, even when those third parties might be competitors of yours? I said, oh, absolutely, we're gonna do it, and I've said it again and again. It was really important, as foundational to the value of the product, and I think everyone wasn't quite sure whether we were gonna really maintain that commitment. Instead, we're extending that commitment across other products, including XDR, and our customers are recognizing it too. XDR has really taken hold since we released it earlier this year.
This is a case where Cortex, as well as many of the other components and products from Palo Alto Networks, are protecting the entire state of North Dakota. It's not often you have the opportunity to protect an entire state, and this is a customer that's been very involved in our approach and the capabilities we're building out, and helping to drive the direction, and you can see the value that they're getting out of it.

Now there is a certain amount of automation that's built into XDR, but the real automation platform is of course with Demisto, and Demisto supports a wide range of automation use cases. Many of these are what would fall under the broad definition of SOAR; some of these even extend beyond that definition of SOAR, and we are seeing incredible traction across our customers that are adopting Demisto in order to achieve ever greater amounts of automation. The future of cybersecurity simply cannot rely on massive amounts of manual effort. There are not enough people in the world that could be hired, let alone trained, to do all of this. We have to complement the people effort with the automation effort, and Demisto is that platform for automating more and more and more of what the SOC needs to do. Just to set an example for this, a simple use case: how many of you receive IOC feeds from some external source? My guess is a hundred percent of you. Now you might not think of it as an IOC feed; maybe you see it as news. Maybe some of you have more built-up SOC operations where you're receiving multiple IOC feeds, indicators of compromise, for those of you wondering what the acronym is. And what do you do? In most cases you have some SOC analysts, and maybe multiples of them, whose job it is to review the IOC feeds and try to pick apart what is useful, do some manual matching, manual queries against your logs, and see if you have any matches. If you have matches, then you have to go investigate those and ultimately provide some report, some summary report, of what you did with that feed
that day, because many of these feeds are updated on a daily basis. That is crazy; that just can't be the way that this works. And so this is just one of hundreds of examples where Demisto can fully automate that process, end to end, with a playbook. Just one example of hundreds where we can automate highly manual work and achieve much, much, much better outcomes. And just a couple of months ago we updated Demisto, version 5.0, added a number of new capabilities, as you see here, and probably the most important one is actually not even listed here, which is the ability to collect telemetry data for how Demisto was being used: which playbooks are being used, which integrations are being used, what is the outcome, was the playbook able to run to completion fully automatically. Why would we want to know this? Because all of you want to know it. You want us to be able to tell you which playbooks are most valuable, which integrations work the best, and we're starting to get that telemetry data, and you'll start to see the benefits as customers of Demisto; we're able to give you more insights into how to get the most out of this platform.

Now we started off talking about the cloud, talked about the future. I want to come back, though, and talk about securing the enterprise, because there is, and continues to be, just amazing opportunities to continue to innovate and expand what we're able to do in the enterprise. Nir showed this slide at the very beginning: these multiple form factors for security, the hardware form factor where we started, expanding into virtual form factors and as a service. That is one area where we continue to put a lot of focus in securing the enterprise: giving you that flexibility to consume it in whatever way you want to, and in most cases a combination of these different form factors. And just as importantly, if not more importantly, enabling you to consume even more security services on top of those form factors consistently. This is something that we have always been very
focused on as a company started with threat prevention and URL filtering it extended with global protect it extended with wildfire most recently this year dns security and actually maybe most recently will be announced 40 minutes ago with SD wanne and it's going to continue to extend IOT security with the announced acquisition in actual actual actual acquisition of a company called Xing box two spoke with an IOT and we have ideas and we're starting to work toward probably five to ten more security services it can be delivered consistently across these different form factors this is to greatly simplify the consumption of security would also provide much greater integration of those capabilities as well so I want to talk about two of these in particular just to show what is possible with this approach so DNS security announced earlier this year incredibly simple yet incredibly powerful now the simple side of this is that with this new attache subscription that was just released about nine months ago we've gone from the first three months of collected of analysing about 500 million DNS requests three months after that we about quadrupled that and now we're at a point where about over six and a half billion DNS requests have been analyzed with the service that's in just the first nine months you can see the trajectory for how fast and easy and simple it is to consume this and take advantage of it now there's the easy part of DNS security then there's actually the hard part who can see the hidden animal who thinks it's the the ibex no those aren't the hidden ones it's the leopard so there's a simple side edea security but there's the powerful side of DNS security which is effectively trying to find the really well hidden stealthy attacks attackers are starting to understand the DNS is a great Avenue for both delivering attacks as well as exfiltrating data after they've successfully compromised a network or a host so yes we have to block known bad domains we even do 
analytics to be able to predict the next domains and block those we then identify the hosts etc we do all of these pieces this is what you would expect but we do something else that's really really important which is ability to detect and prevent tunneling over DNS and just about a month ago we wrote a blog it's very interesting reading we have timer unit 42 team did this on attack called X hunt this was detected and prevented using the dns security service now what was interesting about this attack it was very very clearly professional and/or nation state level it was specifically using DNS tunneling for both infection as well as data exfiltration we analyzed it the part of the attack was completely intermixed with valid DNS but when really analyzed it you could actually pick out the pattern of the DNS tunneling you see here five DNS queries spread across ten minutes of time that's the level of patience that attackers have at least advanced attackers have this was targeted this was targeted at specific companies and organizations with a new approach that hadn't been seen before Indiana security was able to detect and prevent that attack because of the approach that we take with DNS security how we analyze the data the machine learning models in the speed at which we can accurately detect tunneling over DNS allowed us to accomplish that we've analyzed this with other solutions as well our ability to do currently were about sub minute detection speed for Deanna's telling we've analyzed other solutions some of them don't even do this at all and some of them take days to detect tunneling we are sub minute in continuing to get faster the second security service I want to highlight for you today is around IOT the enterprise IOT I believe is becoming a massive problem from a security perspective IOT devices are showing up all over the place we often talk about this as consumer IOT my favorite example is connected cows it's a real example you can look it up later if you 
want but in the enterprise badge readers security cameras printers some of us handling the most sensitive data of the enterprise simply connected typically unpatched typically full connectivity and no one thinks anything of it that is starting to change because attackers are starting to think about this they are starting to say hey look there's all these devices on the network they're unpatched they have full connectivity it's a great target no one's know was paying attention to him I'm gonna use them to breach the network ina used them to spread laterally this is not a secret that I'm telling you right now something has to be done about this and it's for this reason we went out we scoured the market we took a look at what everyone was doing in this space and we identified a company called Xing box that we believed was taking the best approach to securing IOT they primarily use machine learning to both detect and analyze IOT devices this is important with the with the number of devices in the rate of change signatures just can't be relied upon to scale and be fast enough that detecting and understanding new devices they primarily use machine learning to do this both visibility as well as analyzing the behavior of these devices take that and build workflows that help you keep these devices up-to-date and patched but then also integrate with third-party systems in order to make the appropriate policy changes that need to take place and why bring this up in this section is because we're actively working toward making this more and more integrated into our different form factors for network security you can expect us to continue to focus on areas like this as well as others as we build out these security services as integrated components of network security and so with that we finished by talking about securing the enterprise new advancements that we've been making and will continue to make there where the two big announcements in cloud security prisoner access as the 
expanded Sasi solution and Prisma cloud expanding with the integration of twistlock and pure sec or container and serverless capabilities and we talked about cortex and secure in the future with xgr 2.0 and all of the great new capabilities that we're bringing in as part of this solution innovation is certainly alive and well at health networks and so with that I'd like to say thank you very much for being here with us this week I hope you learned a lot meet a lot of people have some fun in the process enjoy Barcelona and with that thank you [Applause]
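As an added example, not code from Palo Alto Networks or from the talk, here is a small Python detector for the low-rate DNS tunneling pattern the speaker describes: five queries over ten minutes are far too few for a volume-based alert, so it keys on the shape of the subdomain labels (distinct count, length, character entropy) per client and domain instead. The log format, the IP addresses, the placeholder domain and the thresholds are all constructed assumptions.

```python
import math
from collections import defaultdict
from datetime import datetime
# Constructed sample log, format "<ISO timestamp> <client IP> <queried name>".
# Client 10.0.0.5 mimics the pattern from the talk: five queries spread over ten
# minutes, each a long high-entropy label under one made-up placeholder domain.
SAMPLE_LOG = """\
2019-11-13T10:00:01 10.0.0.7 www.example.com
2019-11-13T10:00:03 10.0.0.7 cdn.example.com
2019-11-13T10:00:09 10.0.0.5 0123456789abcdef01234567.placeholder-c2.test
2019-11-13T10:01:30 10.0.0.7 mail.example.com
2019-11-13T10:02:41 10.0.0.5 fedcba9876543210fedcba98.placeholder-c2.test
2019-11-13T10:04:15 10.0.0.7 www.example.com
2019-11-13T10:05:07 10.0.0.5 13579bdf02468ace13579bdf.placeholder-c2.test
2019-11-13T10:07:52 10.0.0.5 a0b1c2d3e4f5061728394a5b.placeholder-c2.test
2019-11-13T10:10:02 10.0.0.5 ffeeddccbbaa998877665544.placeholder-c2.test
"""

def split_name(qname):
    """Naive split into (registered domain, subdomain labels); two-label suffix assumed."""
    parts = qname.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]), ".".join(parts[:-2])

def shannon_entropy(text):
    """Bits per character: encoded payloads score high, real hostnames score low."""
    n = len(text)
    return -sum(text.count(c) / n * math.log2(text.count(c) / n) for c in set(text))

def score_dns_log(lines, min_distinct=5, min_len=16, min_entropy=3.0):
    """Flag (client, domain) pairs whose distinct subdomains look like encoded data.
    Query rate is deliberately ignored: five queries in ten minutes would never trip
    a volume alert, but the label shape still gives the tunnel away."""
    groups = defaultdict(list)
    for line in lines:
        ts, client, qname = line.split()
        domain, sub = split_name(qname)
        groups[(client, domain)].append((datetime.fromisoformat(ts), sub))
    findings = []
    for (client, domain), rows in groups.items():
        subs = {s.replace(".", "") for _, s in rows if s}
        if len(subs) < min_distinct:  # repeated lookups of the same few hosts are normal
            continue
        entropy = sum(shannon_entropy(s) for s in subs) / len(subs)
        length = sum(len(s) for s in subs) / len(subs)
        if entropy >= min_entropy and length >= min_len:
            times = sorted(t for t, _ in rows)
            findings.append({"client": client, "domain": domain, "queries": len(rows),
                             "span_seconds": (times[-1] - times[0]).total_seconds(),
                             "mean_entropy": round(entropy, 2)})
    return findings  # in production, tune thresholds and allowlist CDNs with hashed labels
```

Running `score_dns_log(SAMPLE_LOG.splitlines())` flags only the 10.0.0.5 pair, with its five queries spanning 593 seconds, while the benign client's repeated lookups of three hosts are ignored.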
Info
Channel: Palo Alto Networks
Views: 12,390
Rating: 4.8938055 out of 5
Id: 4dU7dIfQ0Ic
Length: 89min 24sec (5364 seconds)
Published: Wed Nov 13 2019