
Palo Alto Networks launches ASM for Remote Workers, a ready-to-use API integration of Cortex XDR and Cortex Xpanse. The introduction enables endpoint-based security monitoring of hybrid workers’ home networks.

ASM (Attack Surface Management) for Remote Workers is not a standalone tool, but a bridge between two of Palo Alto Networks' existing security solutions: Cortex XDR and Cortex Xpanse.

To understand the significance of the introduction of ASM for Remote Workers, a grasp of its building blocks is important. Thus, we start with a look at Cortex XDR and Cortex Xpanse, beginning with the latter.

Xpanse for outside-in

Cortex Xpanse enables the monitoring of all internet-facing assets in an organization's environment. This translates to a factual overview of which data, applications and devices are (or are not) visible or accessible from outside the business environment.

The solution uses this overview to scan for security threats. Remote access services, unsecured file-sharing services, legacy systems and vulnerable IT admin portals are the risk areas where Cortex Xpanse regularly finds and fixes threats.

XDR for inside-out

Cortex XDR is the second solution on which ASM for Remote Workers is built. The term, short for extended detection and response, is Palo Alto Networks’ answer to the demand for endpoint security. According to the organization, XDR stops advanced and fileless malware attacks with a comprehensive endpoint security stack. Through machine learning, the solution profiles the behaviour of current attackers and attack types, thereby pinpointing potential risks and providing complete visibility to an organization’s security professionals.

Different solutions, cohesive utility

XDR analyzes data and endpoints from inside the environment. The solution performs best when fed with the most sensitive device and network data. If XDR is configured flawlessly to consider all relevant information and maintain visibility of endpoints, it can perceive more detailed information than the aforementioned Xpanse. 'If' is the magic word. On the one hand, the flawlessness of security configurations regularly leaves something to be desired. On the other hand, endpoints are increasingly prone to moving between different networks, taking them out of sight of solutions such as XDR.

Suppose an organization relies exclusively on XDR for endpoint security. The watchdog loses track of the device from the moment the monitored endpoint moves outside the corporate environment, which can happen as soon as an employee works in a café or from home. Suddenly, XDR says much less about a device’s security and its applications, now functioning in an unknown network.

ASM for Remote Workers

The introduction of ASM for Remote Workers addresses this problem. The term describes a pre-built API integration of Xpanse and XDR. Using the integration, Xpanse can be applied to the remote environments where XDR-monitored endpoints reside.

The integration was made possible by a new feature in the release of Cortex XDR v3.0. Since that release, XDR can provide Xpanse with data about endpoints outside the enterprise environment. Two conditions must be met: XDR must have encountered the endpoint at least once in the last 48 hours, and the endpoint's IP address must be public.
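The two conditions above can be expressed as a simple selection rule: keep only endpoint sightings that are at most 48 hours old and whose address is globally routable, then group them by address so that a single home router with several company laptops behind it is assessed once. The following is an added illustration, not Palo Alto Networks code and not the Cortex XDR API; the record shape (`EndpointSighting`), its field names and the `select_public_exposures` helper are assumptions, and the sample sightings are constructed. It uses Python's `ipaddress` module, which treats RFC 1918, loopback, link-local, carrier-grade NAT (100.64.0.0/10) and documentation ranges as non-global, so a remote worker behind CGNAT is correctly excluded because nothing about that address is reachable from the outside.

```python
"""Select XDR-seen endpoints whose addresses qualify for outside-in assessment.

Added example, not Palo Alto Networks code. The record shape, the field names
and the helper names are assumptions; the two rules (seen within the last
48 hours, address must be public) are the ones the article describes.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import ipaddress

SEEN_WINDOW = timedelta(hours=48)


@dataclass(frozen=True)
class EndpointSighting:
    endpoint_id: str      # hypothetical agent identifier
    last_seen: datetime   # last time the endpoint agent reported in (UTC)
    observed_ip: str      # address the agent was seen from


def is_public_address(ip_text: str) -> bool:
    """True only for globally routable unicast addresses (IPv4 or IPv6).

    Private, loopback, link-local, CGNAT and documentation ranges return
    False, as do malformed strings, so nothing unroutable is handed on.
    """
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return addr.is_global and not addr.is_multicast


def is_recently_seen(sighting: EndpointSighting, now: datetime,
                     window: timedelta = SEEN_WINDOW) -> bool:
    """True when the sighting is between 0 and `window` old (future stamps rejected)."""
    age = now - sighting.last_seen
    return timedelta(0) <= age <= window


def select_public_exposures(sightings, now: datetime) -> dict:
    """Return {public_ip: sorted endpoint ids} for sightings meeting both rules."""
    targets: dict = {}
    for s in sightings:
        if not is_recently_seen(s, now):
            continue                      # rule 1: seen in the last 48 hours
        if not is_public_address(s.observed_ip):
            continue                      # rule 2: address must be public
        targets.setdefault(s.observed_ip, []).append(s.endpoint_id)
    return {ip: sorted(ids) for ip, ids in sorted(targets.items())}


# Constructed sample data with a fixed clock so the run is reproducible.
NOW = datetime(2021, 11, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_SIGHTINGS = [
    EndpointSighting("ep-001", NOW - timedelta(hours=5), "198.100.0.12"),   # public, fresh
    EndpointSighting("ep-002", NOW - timedelta(hours=30), "198.100.0.12"),  # second laptop, same router
    EndpointSighting("ep-003", NOW - timedelta(hours=72), "198.100.7.7"),   # public but stale
    EndpointSighting("ep-004", NOW - timedelta(hours=1), "10.20.30.40"),    # RFC 1918, not public
    EndpointSighting("ep-005", NOW - timedelta(hours=2), "100.64.5.6"),     # carrier-grade NAT
    EndpointSighting("ep-006", NOW - timedelta(hours=3), "not-an-ip"),      # malformed record
]


def demo() -> dict:
    """Apply both rules to the constructed sightings."""
    return select_public_exposures(SAMPLE_SIGHTINGS, NOW)


if __name__ == "__main__":
    for ip, ids in demo().items():
        print(f"{ip}: {', '.join(ids)}")
```

Only the first two sightings survive, grouped under one address; the stale, private, CGNAT and malformed records are dropped. The grouping step matters in practice: an external assessment sees the home router, not the individual laptop, so the result should be read as "which endpoints sit behind this exposed address", not as a per-device finding.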

In practice

Palo Alto Networks reports that a large U.S. financial services company has already deployed the newly available ASM for Remote Workers to monitor the home networks of hybrid employees.

Although the duration of the monitoring period is unclear, Palo Alto Networks states that ASM for Remote Workers succeeded in finding 56 open RDP (Remote Desktop Protocol) servers, 171 unencrypted Telnet servers and more than 1,000 unencrypted login pages.

The numbers are hard to interpret, given that neither the monitoring period nor the exact size of the organization is known. Nevertheless, the vulnerabilities found illustrate the types of risk that ASM for Remote Workers can reveal in home networks.
