Cyber threats continue to increase in volume and complexity with threat actors developing new ways to avoid detection — including highly evasive malware. To help organizations outpace these evolving threats, Palo Alto Networks, the global cybersecurity leader, has announced PAN-OS® 11.0 Nova, the latest version of its industry-leading PAN-OS software, unleashing 50+ product updates and innovations. Amongst them are the new Advanced WildFire® cloud-delivered security service that brings unprecedented protection against evasive malware and the Advanced Threat Prevention (ATP) service which now protects against zero-day injection attacks.
“We’ve observed a significant increase in unique malware samples over the last year along with an increasing level of malware sophistication. A new approach is required to detect this advanced malware,” said Anand Oswal, senior vice president, Network Security, Palo Alto Networks. “PAN-OS 11.0 Nova is a leap forward in network security. It stops 26% more zero-day malware than traditional sandboxes; detects 60% more injection attacks; simplifies security architecture; and helps organizations adopt cybersecurity best practices. The bottom line is that Nova helps keep organizations one step ahead of attackers.”
Security against zero-day threats
Advanced WildFire: Modern malware is highly evasive and sandbox-aware. To solve this problem, sandboxes need to continuously evolve to thwart analysis-resistant evasion techniques. The new Advanced WildFire service builds upon its custom hardened hypervisor to introduce radical new capabilities, such as intelligent run-time memory analysis combined with stealthy observation and automated unpacking to stay hidden from malware and defeat advanced evasions. These new capabilities enable Advanced WildFire to stop more highly evasive zero-day malware than traditional sandboxes.
Advanced Threat Prevention (ATP): The enhanced ATP service reimagines the intrusion prevention system (IPS) with industry-first inline capabilities for stopping zero-day injection attacks. Injection attacks — one of the top attacks on the OWASP “Top 10 Web Application Security Risks” list — attempt to push malicious code into a computing system by exploiting unpatched vulnerabilities in software. Such malicious code executes remote commands that lead to data loss or full system compromise.
To protect against such injection attacks, ATP deep-learning models have been built on high-fidelity telemetry data across tens of thousands of exploited vulnerabilities over the last decade. Internal testing has shown that the enhanced ATP service detects 60% more zero-day injection attacks than traditional solutions miss.
Nova not only sets up the foundation for modern-day network security by continuously protecting against zero day threats but also raises the bar for how organizations can proactively improve cyber hygiene and simplify security architectures. In addition to Advanced WildFire and Advanced Threat Prevention, notable innovations in the Nova release include:
Simplified and consistent security
Web Proxy Support: For customers who need to run explicit proxies in their network due to network architecture or compliance requirements, Nova introduces natively integrated proxy capabilities for Palo Alto Networks NGFWs helping to secure web as well as non-web traffic. Now Palo Alto Networks NGFWs and Prisma® Access support web proxy, allowing customers to deploy consistent network security across campus locations, branches, and mobile users, all managed centrally.
Integration of Next-Generation CASB: Palo Alto Networks Next-Generation Cloud Access Security Broker (CASB), natively integrated with Nova and Prisma SASE, now includes all-new SaaS Security Posture Management (SSPM) to help find and eliminate dangerous misconfigurations in 60+ enterprise SaaS apps. Next-Generation CASB now also has support for near-real-time data protection in modern collaboration apps and suspicious user behavior detection, which helps to protect sensitive data in modern SaaS apps from compromised accounts and insider threats.
Stronger cyber posture
AIOps: Palo Alto Networks AIOps helps reduce misconfigurations that can lead to security breaches. AIOps, launched earlier this year, now processes 29B metrics every month across 50,000 firewalls, and proactively shares 24,000 misconfigurations and other issues with customers for resolution every month. With Nova, AIOps is even more proactive. AIOps now guard against violations of best practices and enables remediation of inefficiencies in security policies before committing changes, helping organizations strengthen defenses against cyberattacks.
In addition to all the PAN-OS software updates, a new set of 4th generation ML-Powered NGFWs bring these new capabilities to branches, campus locations, and data centers at up to 5x higher performance compared to the previous generation. The new hardware firewalls also bring the flexibility of fiber and Power over Ethernet (PoE) to small branches.
PA-445 and PA-415 for small branches: The PA-445 and PA-415 bring the flexibility of fiber and PoE ports to distributed enterprises and small and medium businesses. PoE powers downstream devices such as access points, IP cameras, and IP phones without the need for additional electrical circuits. The PA-445 and PA-415 also bring improved resiliency with dual power supplies and fanless cooling.
PA-1400 Series for large branches: The new PA-1400 Series offers up to 5x performance and up to 7x the session capacity compared to the previous generation. The PA-1400 Series is ideal for protecting large branch locations and small enterprise campuses, with support for PoE fiber ports.
PA-5440 for large campus locations and data centers: We are launching the highest-performing fixed-form factor in 2RU, the PA-5440. This platform offers 2x the performance of the previous generation PA-5260 and is ideal for protecting large campus locations and data centers.
“Attackers continue to develop new ways to evade traditional defenses, while security teams struggle to defend organizations with point solutions that are complex to deploy and operate,” said John Grady, ESG senior analyst. “Palo Alto Networks PAN-OS 11.0 Nova addresses these critical challenges by stopping zero-day threats in real-time, simplifying security architectures, and improving cyber hygiene.”
PAN-OS 11.0 and most of the security services will be available in November. New ML-Powered NGFW platforms will be available in December, and SSPM will be available on the NGFW platforms in January. Most security services including Advanced WildFire will be compatible with previous versions of PAN-OS.