Professional Documents
Culture Documents
Protection Overview
Cortex XDR™ provides best-in-class endpoint protection to block known and
unknown malware, exploits, and fileless attacks. Safeguard your endpoints
from never-before-seen attacks with a single cloud-delivered agent for
prevention, detection, and response.
Cortex by Palo Alto Networks | Cortex XDR Endpoint Protection Overview | White Paper 1
Adversary strategies have evolved from simple malware dis- WildFire Threat Intelligence
tribution to a broad set of automated, targeted, and sophisti- In addition to third-party feeds, Cortex XDR uses the intelli-
cated attacks that can bypass traditional endpoint protection. gence obtained from tens of thousands of subscribers to the
This has forced organizations to deploy multiple products Palo Alto Networks WildFire® malware prevention service to
from different vendors to protect against, detect, and respond continuously aggregate threat data and maintain the collec-
to these threats. Cortex XDR brings powerful endpoint pro- tive immunity of all users across endpoints, networks, and
tection together with endpoint detection and response (EDR) cloud applications:
in a single agent. You can replace all your traditional and
1. Before a file runs, the Cortex XDR agent queries Wild-
next-generation antivirus agents with one lightweight agent
Fire with the hash of any Windows®, macOS®, Linux,
that shields your endpoints from the most advanced adver-
Android®, or Chrome® OS executable file, as well as
saries by understanding and blocking all elements of attacks.
any DLL or Office/Microsoft 365™ macro, to assess its
Although attacks have become more sophisticated and com- standing within the global threat community. WildFire
plex, they still use basic building blocks to compromise returns a near-instantaneous verdict on whether a file
endpoints. The primary attack methods continue to exploit is malicious or benign.
known and unknown application vulnerabilities as well as
2. If a file is unknown, the Cortex XDR agent proceeds with
deploy malicious files, including ransomware. These can be
additional prevention techniques to determine whether it
used individually or in various combinations, but they are
is a threat that should be blocked.
fundamentally different in nature:
3. If a file is deemed malicious, the Cortex XDR agent auto-
• Exploits are the results of techniques used against a system
matically terminates the process and optionally quaran-
that are designed to gain access through vulnerabilities in
tines the file.
the code of an operating system or application.
• Malware is a file or code that infects, explores, steals, or Local Analysis via Machine Learning
conducts virtually any behavior an attacker wants. If a file remains unknown after the initial hash lookup, the
• Ransomware is a form of malware that holds valuable files, Cortex XDR agent uses local analysis via machine learning
data, or information for ransom, often by encrypting data, on the endpoint—trained by the rich threat intelligence from
with the attacker holding the decryption key. global sources including WildFire—to determine whether the
Due to the fundamental differences between malware and file can run. By examining thousands of file characteristics in
exploits, effective prevention must protect against both. The real time, local analysis can determine whether a file is likely
Cortex XDR agent combines multiple methods of prevention malicious or benign without relying on signatures, scanning,
at critical phases within the attack lifecycle to halt the execu- or behavioral analysis. The model is built on a unique agile
tion of malicious programs and stop the exploitation of legit- framework, enabling continuous updates to ensure the latest
imate applications, regardless of operating system, the end- local prevention is always available.
point’s online or offline status, and whether it is connected to
an organization’s network or roaming (see figure 1).
WildFire Inspection and Analysis
In addition to local analysis, Cortex XDR can send unknown
files to WildFire for discovery and deeper analysis to rapidly
Malicious Must prevent known and unknown
malware from infecting endpoints
detect potentially unknown malware. WildFire brings together
files
the benefits of independent detection techniques for high-
fidelity and evasion-resistant discovery that goes beyond
Online/ On-network/ legacy approaches. Among these techniques:
offline off-network
• Static analysis is a powerful form of analysis, based in the
Software cloud, that detects known threats by analyzing the charac-
vulnerability Must prevent known and unknown teristics of samples prior to execution.
exploits exploits, including zero-day exploits
• Dynamic analysis (sandboxing) detonates p reviously
unknown submissions in a custom-built, evasion-
Figure 1: Malicious files vs. exploits resistant virtual environment to determine real-world
effects and behavior.
Stop Malware and Ransomware • Bare metal analysis uses a hardware-based analysis
environment specifically designed for advanced threats
The Cortex XDR agent prevents the execution of malicious files that exhibit highly evasive characteristics and can detect
with an approach tailored to combating both traditional and virtual analysis.
modern attacks. Additionally, administrators can use periodic If WildFire determines a file to be a threat, it automatically
scanning to identify dormant threats, comply with regulatory creates and shares a new prevention control with the Cortex
requirements, and accelerate incident response with endpoint XDR agent and other Palo Alto Networks products in seconds
context. Known and unknown malware, including ransom- for most new threats, ensuring the threat is immediately
ware, is subject to multiple preventive technologies. classified as malicious and blocked if it is encountered again.
Cortex by Palo Alto Networks | Cortex XDR Endpoint Protection Overview | White Paper 2
Scanning for Dormant Malware Behavioral Threat Protection
The Cortex XDR agent performs scheduled or on-demand Endpoint attacks often comprise multiple events that occur in
scans for malicious Office/Microsoft 365 files with macros, the system. By itself, each event appears benign as attackers
executable files, and DLLs to remediate these without the use legitimate applications and operating system functions to
malicious files being opened. achieve their goals. Strung together, however, they may repre-
sent a malicious event flow. With Behavioral Threat Protection,
the Cortex XDR agent can detect and act on malicious chains of
Behavior-Based Protection events that target multiple operations on an endpoint, such as
network, process, file, and registry activity. When the Cortex
Sophisticated attacks that use multiple legitimate applications
XDR agent detects a match, it executes a policy-based action,
and processes for malicious operations have become more
such as block or alert. In addition, it reports the behavior of the
common, are hard to detect, and require deeper visibility to
entire event chain up to the console and identifies the actor that
correlate malicious behavior. For behavior-based protection
caused the activity chain. The Cortex XDR agent can also quar-
to be effective, including identification of malicious activity
antine files that were involved in malicious flows. Behavioral
occurring within legitimate processes, it’s critical to under-
Threat Protection is ideal for protecting against script-based
stand everything happening on the endpoint. The Cortex XDR
and fileless attacks.
agent enacts behavior-based protection in a few different ways.
Cortex by Palo Alto Networks | Cortex XDR Endpoint Protection Overview | White Paper 3
WildFire feeds known threat information back to the Cortex XDR agent
TR
WF
ROP
✖
Heap Heap
EXE
spray Utilize OS spray
functions
Cortex by Palo Alto Networks | Cortex XDR Endpoint Protection Overview | White Paper 4
Kernel Exploit Prevention insiders cannot misuse credentials or escalate privileges. For
The Cortex XDR agent prevents exploits that use vulnerabil- additional credential theft protection, Cortex XDR can c ollect
ities in the operating system kernel to create processes with endpoint events, profile behavior, and detect credential-based
escalated, system-level privileges. It also protects against new attacks to eliminate hard-to-find attacks.
exploit techniques used to execute malicious payloads, such
Cortex by Palo Alto Networks | Cortex XDR Endpoint Protection Overview | White Paper 5
Extending Prevention Beyond Windows console. When a security event occurs on your Linux server,
Environments it collects forensic information you can use to analyze the
Although native security has grown among major operating incident further. The Cortex XDR agent on Linux operates
system vendors, such security remains focused on its own OS, transparently in the background as a system process. When
creating fragmented protection, policies, enforcement, and you install it on a Linux server, it automatically protects any
visibility. Organizations need to be able to apply security rules new or existing containerized processes regardless of how the
across a mixed environment from a single screen as well as container is deployed and managed.
protect against a range of threats, from basic to advanced.
Through the Cortex XDR console, organizations can control
default and custom security policies across Windows, macOS,
Device Control for Secure USB
Linux, Android, and Chrome OS endpoints with confidence Access
that multiple methods of protection are keeping their systems
USB devices offer a variety of benefits, but they also introduce
safe from attack.
risk. When users unwittingly connect malware-laden flash
Cortex XDR for Mac drives to their computers or copy confidential data to backup
disk drives, they expose their organizations to attack and data
Cortex XDR secures macOS systems against malware and loss. Advanced attackers can even infect seemingly innocuous
exploits with more than just “checkbox” security. The Cortex USB devices such as keyboards and web cameras with malware.
XDR agent uses multiple methods, such as local analysis, The powerful device control module included with C ortex
WildFire inspection and analysis, Gatekeeper enhancements, XDR allows you to monitor and secure USB access without
trusted publisher identification, and administrator override needing to install another endpoint agent on all your hosts.
policies, to block malware. To prevent exploits, the agent You can assign policies based on Active D irectory® group and
blocks kernel privilege escalation and exploitation techniques, organizational unit, restrict usage by device type, and assign
including JIT and ROP as well as dylib hijacking. read-only or read/write policy exceptions by vendor, product,
The Cortex XDR agent prevents attackers from bypassing the and serial number. The device control module allows you to
macOS digital signature verification mechanism, Gatekeeper. easily manage USB access and gain peace of mind that you’ve
This mechanism allows or blocks the execution of applications mitigated USB-based threats.
based on their digital signatures, which are ranked in three sig-
nature levels: Apple System, Mac® App Store®, and D evelopers.
It extends Gatekeeper functionality to enable customers to Host Firewall and Disk Encryption
specify whether to block all child processes or allow only those
with signature levels that match or exceed those of their parent
to Protect Endpoint Data
processes. With integrated host firewall and disk encryption capabilities,
you can lower your security risks and address regulatory
Cortex XDR for Android and Chrome OS requirements. The Cortex XDR host firewall enables you to
The Cortex XDR agent prevents known malware and unknown control inbound and outbound communications on your
APK files from running on Android and Chrome OS endpoints. Windows endpoints. Additionally, you can apply BitLocker®
It enforces your organization’s security policy as defined in the encryption or decryption on your endpoints by creating
Cortex XDR console. The security policy determines whether disk encryption rules and policies. Cortex XDR provides full
to block known malware and unknown files, upload unknown visibility into Windows endpoints that were encrypted using
files for in-depth inspection and analysis, treat malware as BitLocker and lists all the encrypted drives. With host firewall
grayware, or perform local analysis to determine the likelihood and disk encryption, you can centrally manage your endpoint
that unknown files are malware. You can also allow trusted security policies from Cortex XDR.
signers to enable unknown, signed apps to run before the
Cortex XDR agent receives an official verdict for the app.
Simple Endpoint Security
Cortex XDR for Linux
Management
The Cortex XDR agent protects Linux servers by preventing
attackers from executing malicious ELF files or exploiting With an intuitive, web-based user interface, Cortex XDR helps
known or unknown Linux vulnerabilities to compromise end- your administrators quickly coordinate and protect your orga-
points. The agent also extends protection to processes that nization with out-of-the-box, day-one capabilities, without
run in Linux containers. The Cortex XDR agent e nforces your sacrificing your complex environment’s need for control and
organization’s security policy as defined in the Cortex XDR customization.
Cortex by Palo Alto Networks | Cortex XDR Endpoint Protection Overview | White Paper 6
Figure 6: Cortex XDR dashboard
Cortex by Palo Alto Networks | Cortex XDR Endpoint Protection Overview | White Paper 7
Cortex XDR
Cortex by Palo Alto Networks | Cortex XDR Endpoint Protection Overview | White Paper 8
Coordinated Enforcement Cortex XDR Endpoint Agent
The integrated suite of Palo Alto Networks products delivers The endpoint agent consists of various drivers and services,
greater security value than isolated components. Whenever but it requires only minimal memory and CPU usage—512
a Palo Alto Networks NGFW sees a new piece of malware, MB RAM and 200 MB disk space—to ensure a nondisruptive
or whenever an endpoint sees a new threat, protections are user experience. Once it’s deployed on your endpoints, your
made available in minutes to all other Palo Alto Networks administrators have complete control over all Cortex XDR
NGFWs as well as endpoints running the Cortex XDR agent, agents in your environment through the Cortex XDR console.
requiring no administrative effort, whether it happens at 1
a.m. or 3 p.m. Tight integration between your network, end- Cortex XDR Management Console
points, and clouds enables a continually improving security Cortex XDR is a cloud-based application designed to mini-
posture and provides coordinated enforcement to protect mize the operational challenges associated with protecting
you from zero-day attacks. your endpoints. From the web-based Cortex XDR console, you
can manage endpoint security policy, review security events
WF as they occur, identify threat information, and perform addi-
300M
New malware
samples detected by
WildFire monthly tional analysis of associated logs.
WILDFIRE ANALYSIS
WF
WildFire Malware Prevention Service
Of malware detected
45% by WildFire is never
seen by VirusTotal
Cortex XDR can send unknown malware to WildFire. Based
Static Machine learning Dynamic Bare metal
on the properties, behaviors, and activities a sample displays
THREAT INTELLIGENCE
during analysis and execution in the WildFire sandbox, Wild-
Threat intelligence
Fire determines a verdict for the sample: benign, grayware, or
shared across endpoint,
network, and cloud
malicious. WildFire then generates signatures and makes these
NETWORK ENDPOINT CLOUD globally available in seconds, allowing other Palo Alto Net-
works products to recognize the newly discovered malware.
Figure 9: Faster alert triage and
incident response with Cortex XDR
On-Premises Broker for Restricted
Centralized Logging Across the Platform Networks
To surface evasive threats and prevent attacks, your organi- The on-premises Broker Service extends C ortex
zation must be able to perform advanced analytics as well as XDR agents to devices that cannot directly
detection and response on all available data. Security appli- connect to the internet. Now, agents can use
cations that perform such analytics need access to scalable the Broker Service as a communication proxy to
storage capacity and processing power. the Cortex XDR management service, receive
Cortex Data Lake is a cloud-based storage offering for the the latest security console, and send content to
context-rich, enhanced network and endpoint logs Palo Alto Cortex™ Data Lake and WildFire without having
Networks security products generate, including those of to directly access the internet.
our NGFWs, Prisma Access, and the Cortex XDR agent. The
cloud-based nature of Cortex Data Lake allows you to collect
ever-expanding volumes of data without needing to plan for Cortex Data Lake
local compute and storage. Cortex Data Lake is a scalable, cloud-based log repository
Cortex XDR uses Cortex Data Lake to store all event and inci- that stores context-rich logs generated by Palo Alto N etworks
dent data it captures, ensuring a clean handoff to other Palo security products, including those of our NGFWs, Prisma
Alto Networks products and services, such as AutoFocus™ Access, and Cortex XDR agents. The cloud-based nature of
contextual threat intelligence, for further investigation and Cortex Data Lake allows you to collect ever-expanding volumes
incident response with endpoint context. of data without needing to plan for local compute and storage.
Cortex by Palo Alto Networks | Cortex XDR Endpoint Protection Overview | White Paper 9
System Requirements and employs various tamper-proofing methods to prevent users
Platform Support
and malicious code from disabling protection or manipulat-
ing agent configurations. The agent’s lightweight structure as
The Cortex XDR agent supports multiple endpoint types— well as incredibly low CPU utilization (less than 0.1%) and I/O
desktops, servers, industrial control systems, virtual desk- ensure minimal disruption, making it ideal for mobile work-
top infrastructure components, virtual machines, and cloud forces, critical infrastructures, virtual desktop infrastructure,
workloads—across Windows, macOS, Linux, Android, and and cloud environments.
Chrome OS operating systems. For a complete list of system
Eliminate Security Silos by Connecting End-
requirements and supported operating systems, please visit
points to a Security Platform
the Palo Alto Networks Compatibility Matrix webpage.
The integrated suite of Palo Alto Networks products delivers
greater security value than isolated components. Whenever
Cortex XDR Benefits for Endpoint a Palo Alto Networks NGFW sees a new piece of malware,
Protection
or whenever an endpoint sees a new threat, protections are
automatically made available in minutes to all other Palo Alto
There are many advantages of utilizing Cortex XDR to protect Networks NGFWs as well as endpoints running the Cortex
endpoints. Here is a summary of each key benefit. XDR agent. Tight integration between your network, end-
points, and clouds continually improves your security posture
Stop Real-World Threats with Proven and provides coordinated enforcement to protect you from
Validation zero-day attacks.
In multiple third-party tests, including the MITRE ATT&CK
Provide Rapid Detection and Response
framework, Cortex XDR had the broadest coverage among all
vendors evaluated. On its own or as part of the Palo Alto Net- The Cortex XDR agent sends all event and incident data it
works suite of products, Cortex XDR stops targeted, sophisti- captures to Cortex Data Lake, supporting detection, investi-
cated threats like ransomware without relying on prior threat gation, threat hunting, and response. Cortex XDR speeds alert
knowledge. By minimizing endpoint infections, security teams triage and incident response by providing a complete picture
can significantly reduce the time they spend analyzing poten- of an attack, including root cause, and stitching together the
tial infections and reimaging endpoints. sequence of events. Cortex XDR detects and contains threats
quickly and applies the knowledge gained to continually im-
Protect at Critical Phases of the Attack Lifecycle prove your security.
Cortex XDR offers the most completed endpoint protection
available, allowing you to replace all your traditional and
next-generation antivirus agents with one powerful, light-
Learn More About Cortex XDR
weight agent. Because the Cortex XDR agent does not depend Check Out Cortex XDR in an Investigation and Threat
on signatures, it can prevent zero-day malware and unknown Hunting Hands-On Workshop
exploits through a combination of prevention methods from
Ready to go deeper? Try out Cortex XDR yourself, from your
the kernel level on up, rather than trying to stop an attack by
office, without the risk of running malware in your environ-
focusing on specific threats. Proactive scanning lets you dis-
ment. During a three-hour virtual hands-on workshop, you’ll
cover and remove latent threats before they run. By prevent-
boost your skills and learn how to stop sophisticated attacks.
ing attacks early in the attack lifecycle, security teams reduce
Click here for our schedule and more information.
endpoint infections and minimize the likelihood of attacks
moving into the data center and throughout the organization. Chat with the Team
Take the discussion to the next level: Set up a meeting with
Reduce Infrastructure Costs and Operational your Palo Alto Networks account team or trusted reseller.
Complexity
Cortex XDR is a cloud-based application that provides s
ecurity
parameters for administrators on startup, protecting your
organization from day one by default. The Cortex XDR agent
3000 Tannery Way © 2020 Palo Alto Networks, Inc. Palo Alto Networks is a registered
Santa Clara, CA 95054 trademark of Palo Alto Networks. A list of our trademarks can be found at
https://www.paloaltonetworks.com/company/trademarks.html. All other
Main: +1.408.753.4000 marks mentioned herein may be trademarks of their respective companies.
Sales: +1.866.320.4788 cortex-xdr-endpoint-protection-overview-wp-062320
Support: +1.866.898.9087
www.paloaltonetworks.com