Unreliable, time-consuming scanning for high-impact vulnerabilities.
- High false positive rates made prioritization difficult.
- Manual asset inventory updates led to slow operations.
- Lack of context made resolving vulnerabilities a lengthy, manual process.
Building a new capability for Cortex Xpanse and Cortex XSIAM.
The Cortex team partnered with the Palo Alto Networks Security Operations Center (SOC) to design, build, and deploy a replacement for the inadequate legacy solution. To align with the SOC’s needs, the product had to offer 100% detection confidence, automatic daily testing of everything the Attack Surface Management module discovered, conclusive evidence of exploitability, full coverage of externally testable known exploitable vulnerabilities (KEVs), and quick response times for emerging vulnerabilities. The result was the new Attack Surface Testing capability—delivering above and beyond on every requirement.
A material reduction in business risk
By enabling Attack Surface Testing last year, the Palo Alto Networks SOC was able to discover and quickly remediate even more external services. “We’re constantly scanned by threat actors trying to exploit vulnerabilities on our massive cloud attack surface,” reports Matt Mellen, Senior Director of Security Operations. “Cortex Attack Surface Testing ensures that we’re staying ahead of them by taking the exact same approach.”
From false positives to trusted negatives
Because Attack Surface Testing actively attempts to exploit externally facing services, it has a much lower false positive rate than other technologies. “Attack Surface Testing has been invaluable for the identification of vulnerabilities that are challenging to confirm,” says Mellen. “Throughout our internal deployment, we have not found a single service incorrectly marked as vulnerable.” Similarly, because Attack Surface Testing runs benign versions of real exploits, results are almost 100% accurate and are supported with evidence of exploitation. In fact, negative results are now used to close out findings from other tools.
Faster investigations, earlier remediations
The high level of accuracy in Attack Surface Testing eliminates the need to investigate vulnerabilities or reach out to service owners. Instead, Attack Surface Testing gives the SOC the information it needs to unilaterally take decisive remedial action. As a result, the Palo Alto Networks SOC estimates that it’s saving three hours of investigation work for every vulnerability discovered by Attack Surface Testing. Time to remediation has been reduced from days to minutes.
Quick, decisive responses to emerging vulnerabilities
Cortex Attack Surface Testing routinely delivers high-confidence detections for emerging vulnerabilities before other tools. Because Attack Surface Testing runs benign versions of real exploits and backs each result with evidence, the Palo Alto Networks SOC can confidently take decisive action to quickly minimize the organization’s exposure to the most impactful emerging vulnerabilities.
A new day for attack surface management.
Attack Surface Testing, which runs automatically every day, has increased the cadence of scanning at Palo Alto Networks. For the SOC, checking for new Attack Surface Testing findings is the first part of the daily proactive security workflow. Ultimately, the Attack Surface Management module in XSIAM is helping the Palo Alto Networks SOC seamlessly integrate attack surface intelligence with the rest of its workflows to secure its constantly changing attack surface.
“Cortex Attack Surface Testing has become an invaluable part of our security practice, measurably improving our security posture and response to emerging vulnerabilities.”
Matt Mellen
Senior Director of Security Operations, Palo Alto Networks