Palo Alto Networks, Inc. (PANW) Earnings Call Transcript & Summary
August 31, 2023
Earnings Call Speaker Segments
Abhishek Anbazhagan (executive)
Hello, everyone. Thank you so much for taking the time to be with us today. My name is Abhi. I'm a Product Marketing Manager for Cortex Xpanse. And with me, I have Greg Heon, Senior Director of Product Management. And over the next 30 minutes or so, we're going to cover some of the incredible new capabilities in Cortex Xpanse. So if you have any questions as we go through these, feel free to put them in the Q&A box. We have a team of Xpanse experts waiting to answer them. In security, organizations are always able to figure out what happened after a major incident occurs. But why can't organizations figure this out before it happens? At Cortex, this is the question we're trying to answer. We do this by transforming the modern SOC from being reactive to proactive. One way organizations can be more proactive is to have a current, complete and accurate view of their entire attack surface. Now this helps them proactively shrink their attack surface and secure their organization. However, hybrid work and the move to the cloud have created significant challenges for organizations as it relates to their attack surface. Organizations today have limited attack surface visibility, which, in turn, makes them unable to quickly react to zero-days. And insufficient context and the sheer volume of alerts lead to poor prioritization of risk. And ultimately, this large volume of alerts makes it difficult for security teams to fix issues on their attack surface. But with Cortex Xpanse, your organization can comprehensively discover all of the different assets on an attack surface so that you can see and monitor all of your assets exposed to the Internet. And with this visibility, your security teams can now quickly react to discovered threats and vulnerabilities. And our risk-based prioritization capabilities help you proactively manage risks to focus on high-impact areas.
And on top of this, our automation-first remediation approach helps you actually shrink your attack surface with actionable context and automation. And we have been delivering all of this inside a solution that is safe and easy to deploy across any organization. And over the last 6 months, our team has been building up an incredible list of new capabilities across these key pillars of active attack surface management to help organizations like yours in your mission to shrink and secure your attack surface. And today, we want to share them with you. Where security is about both finding and fixing your exposures, both the known and the unknown, organizations can only understand their attack surface when they combine both best-in-class visibility and unify this across their entire environment. How are we helping them achieve this?
Gregory Heon (executive)
Yes, it's a good question. So Xpanse is Palo Alto Networks' attack surface management solution. And almost every CISO I talk to tells me that their attack surface has been growing in the last few years. We think, step 1, the foundation of it is inventory. And this is a problem we'd like to solve for our customers rather than giving them the tools to go solve it themselves. The first pillar we have in our product strategy tries to get at limited attack surface visibility. And we think the right approach here has got to be able to provide all of our customers with comprehensive attack surface discovery. If we do this well, their SecOps teams will be able to rely on Xpanse as a trusted source of truth for their Internet-facing exposures. And as your question hints at, Abhi, we think of kind of 2 different sides of this. The first is what we're able to bring to the table independently, how comprehensive can we be from the outside in, doing reconnaissance like a sophisticated nation-state attacker. And then the second is about breaking down silos within the organization by unifying asset visibility. So over the last 6 months, we've been hard at work on both of those directions. On the independent discovery side, I have 3 features we're excited to tell the world about today with Xpanse. The first is discovery evidence, where we're explaining to our customers how we found what we found, including confidence scores and tags that explain when and how a customer goes about it or if we discovered it independently. The second is discovery into IPv6. 38% of websites are either dual hosting in v6 or hosted solely in IPv6. It's a much harder technical problem to solve than scanning IPv4, but we think it's important to provide visibility into the v6 environment. We're excited to announce that we do that now in Xpanse. And then lastly, we've invested heavily in ICS and OT discovery recently. So these are devices that should almost never be Internet-connected.
When we find them, they're a really big deal for our customers, and we wanted to make sure we were current, complete and accurate in our discovery of those assets. On the other side, on unifying asset visibility, I'm excited to tell you all about unmanaged cloud. There's an integration with another Palo Alto Networks platform, Prisma Cloud, and the intent is to break down silos to show you what is and is not under Prisma Cloud management. So what we're doing here is we're integrating with Prisma Cloud, pulling in the asset inventory data that they have access to from the cloud that they're connected to. And we'll notice 2 things. The first is, if Xpanse is able to discover assets that are not onboarded to Prisma Cloud, then we'll call those unmanaged, and we'll make sure that you have the information you need to bring those cloud assets under management to onboard those cloud accounts into Prisma Cloud. The second is we are providing exposure data, the outside-in context on everything we're bringing out from Prisma Cloud. So using the unmanaged cloud integration, you can unify your asset visibility, seeing outside-in exposures across discoverable and undiscoverable cloud assets. Now let me show you what that looks like in a demo. So jumping into the console and trying to showcase some of what we do for attack surface discovery, some of the new things we built. I want to start with attribution evidence. Here, we have some dummy data from a Google tenant. And in this case, we have very high confidence in a specific tenant server being attributed for 2 reasons. One is that we see Google's name in the registration. But two, and I think importantly here, we've seen content on a service that relates to the IP range registration. So in this case, we'd be seeing Google content and Google registration, and the combination of those 2 gives us very high confidence.
This multimodal discovery, where we're looking at many different pieces of evidence, gives us granular confidence ratings, ranging from medium to high to very high, that are easily filterable in the UI. Second, I mentioned unmanaged cloud. So I want to show -- I'll show you all what it looks like at the top level at an overview dashboard. In this case, we call something managed if it's an asset that we are ingesting from Prisma Cloud and unmanaged if it's a cloud asset that we're not seeing from Prisma Cloud. So in the integration we have here, we see, for instance, that 4% of Google assets are not under management in this lab instance. So 96% of Google Cloud, from what Xpanse can discover, is under management, whereas AWS has a much larger gap. We find for most of our customers that they tend to start on the most critical alerts, and the managed ones are actually easiest for them to fix. And so they usually start there because they can go directly into Prisma Cloud with an asset identifier and go fix 100% of these really, really quickly. And we're pulling quite a bit of context in as well. So hopping over into a unified inventory view, you can see we're -- here, we're in Prisma Cloud, resources and our cloud inventory. And if we hop up here to a saved view of active services, we'll let that run, and it'll pop up. And you can see as we click into one of these, for instance, this query dev server here, that we have asset attribution evidence, Tier 2, right? So in this case, it's coming in through your Prisma Cloud integration, and this gives us confidence that it belongs to your organization as well as a whole bunch of identifiers that help you understand for this underlying instance: who owns this, how do I go fix it, what's vulnerable here. So that's just a bit of a quick demo of what we can do from a comprehensive attack surface discovery perspective.
Abhishek Anbazhagan (executive)
That's great, Greg. But comprehensive attack surface discovery is a good first step. However, when there's an Internet-wide emergency like in the recent case of MobileIron or the MOVEit vulnerability, the [indiscernible] had to act very quickly. How does Xpanse help with handling these large-scale Internet-wide emergencies on top of providing best-in-class visibility?
Gregory Heon (executive)
Yes, it's a good question. More and more, we see evidence that attackers are hitting our customers at machine speed, right? And we're trying to find ways to take the human defense and have that be machine-speed defense, right? So we've been hard at work. We're working our data pipelines, making sure we can stream data from our Internet-wide scanning into Expander and shorten that time to as quick as possible. And on top of that faster visibility, where it's even more current than ever before, we've been able to build a really exciting new workflow. So we call this the Threat Response Center. And the intent here is that for every stop-the-world Internet emergency, whether we're talking about PaperCut or the NetScaler ADC or MOVEit or the Barracuda Email Security Gateways, you name it, we're on it. We're going to have a dashboard that's dedicated just to that Internet emergency up in our product within hours. And that will have information about the threat itself, about the consequences of the exploit, the maturity of the exploit that we're seeing, any context we have on threat actors, but it will start to correlate it with your environment. So you'll understand whether Xpanse can detect any instances of this device or application on your attack surface. And then all the operational context you need to burn that down to 0, like who's working on it, how far are they in remediation, et cetera. So we view the response center as a per-Internet-emergency view. You come, log in. Your first priority should be anything that's exposed to attackers, and we're giving you the tools you need to burn it down to 0. I'll show you what it looks like. Here we are in Cortex Xpanse on the Threat Response Center. In the Threat Response Center, our customers are able to understand which Internet emergencies, that is zero-days and large critical vulnerabilities, are out there being used by threat actors and, I think most importantly, show up on their network.
So while we have many threat response events, as you can see here, many of which are active. You can also notice how quickly we published this for the Ivanti Endpoint Mobile Manager zero-day. It was published on July 25, the day that we learned of Norwegian authorities being hacked with the zero-day, and you can see that we continue to update them as we go. I'm going to click into active alerts and open the one that has real alerts today. This threat response event is for Microsoft Exchange from the Hafnium attack. This is an old Internet emergency, but we built this out backdated to make sure that our customers can understand the concept for the Threat Response Center. And in this case, we split the screen, which you can see is fully dedicated to the single Internet emergency, into 2 key parts. At the top, we have more of the operational details. How many alerts are active? Who is working on them? What's the status of each alert for the instance they are part of? Are they still active? And are there other problems we see related to those underlying assets? Everything you need to burn it down to 0. And then at the bottom, we have something that you probably could find elsewhere. But we think it's important context. It is the threat summary, the consequences of the exploit, everything going on with it in the wild, how to fix it, related CVEs and the like, and then an easy path to jump right into the incidents you want to go work on. So all this, in our mind, is the information that our customers need on the first day of knowing that this vulnerability, that this exploit, is being used in the wild, coming into our product to understand what is it, how much do I need to care and am I personally exposed, is my company exposed.
Abhishek Anbazhagan (executive)
The Threat Response Center is a really powerful feature, Greg. Thank you for showcasing that in a demo. It helps organizations quickly understand whether they are exposed and then what they need to do if they're exposed. However, most organizations at any given time are addressing several different exposures in their environment. In fact, our research indicates that a typical organization lacks visibility into roughly 30% to 40% of the different assets they have on their attack surface. And given that the attack surface is very dynamic, how can organizations better prioritize in this environment, Greg?
Gregory Heon (executive)
Yes. It's a good question. And we try and make it as easy for our customers as possible. We do find the average enterprise we work with has far too many exposures for them to remediate everything at once, right? And so prioritization always is an important first step. The first thing I get to tell you about is incident risk scoring. So whenever we see, whether it's the smallest hygiene problems or the most critical vulnerabilities, the first thing we look for is what asset is it on. And we like to group everything on the same asset together into what we call an incident. So we group many alerts into incidents. And then we apply a risk score that works out of the box, with no configuration necessary from the customer, on each incident. If you use it out of the box without customizing it or extending it in any way, it will focus your team on the assets that are most likely to be attacked. So that's information we're stitching in on the back end with exploit and threat intelligence, making it really easy for customers to understand, if they want to get ahead of attackers and prevent security incidents, those are the ones you want to start with, right, because this is the thing that's most likely to be attacked. We've also made it easy to add asset context that explains to your teams, and modifies the risk score, which assets are most critical. That focuses your team not just on the likely-to-be-attacked assets but the highest-consequence assets. So all of that comes as part of incident risk scoring and, we think, gives our customers a really easy way to focus their analysts on the most high-risk incidents. The second thing we launched in the last 6 months is what we call a security rating. This, I think, will be a familiar concept to security teams because there are a number of very large, successful vendors out there that sell these. But in our mind, we've got the highest quality data about your attack surface. We're extremely accurate in what we say is yours.
And we have launched our own security rating that helps you understand how you are comparing against your peers. So for security ratings, we'll provide you with an overall score between 0 and 100, how secure you are, as well as subscores for different subsets of your business. So for each business unit, you'll see a subscore, which cloud provider as well as each geography. We'll also give you the ability to benchmark against industry peers. So the purpose of the security rating is to make sure that at the programmatic level, you understand how much do I need to be prioritizing attack surface management versus some of the other requirements of my security organization. Now let's show you what that looks like in a demo. Welcome back to the Xpanse console, where we're going to look at the security rating dashboard and incident risk scoring. Here you can see the security rating in a single easy-to-understand place. For this specific customer, they're doing well. They've got a 59 out of 100. And the biggest risk for them show of [indiscernible] in Google and AWS. We also compare this company to their industry and are able to highlight where the biggest risks are for them geographically. In this case, Russia looks really insecure. And comparing that to the U.S. and China, that seems like a good place to start. Continuing down, you can see that we break all of our customers up by business unit, right? And so in this case, the top-level company that we call [ Bandolay Demo 3 ] is more secure than the underlying subsidiary that we call [ Acme Supply Chain ]. Lastly, we break up the security rating by hosting providers so our customers understand which clouds they have problems in, whether it's the long tail of clouds, the big 3 that we see most of our customers have a large percentage of their assets in, or whether it's on-prem. The security rating dashboard is intended to give you a sense of how you are doing compared to your peers.
Are you doing a good job overall managing your attack surface? But if we want to understand an individual risk, we can always click in. In this case, I'm bringing up an example for an insecure Microsoft Exchange server. You can see that we have grouped multiple alerts into the same -- at the same incident because they show up on the same asset. And if I click over into the Exchange server and then look at the risk, you start to understand why we think this deserves such a high risk score, 824 out of 1,000. In this case, we believe that we have high confidence in the vulnerability of what we're finding. So there are a number of CVEs that we think of as very critical, but that's not the only reason. We also look at EPSS score, the probability that this asset will be exploited. And then we're bringing in the intelligence. Like has it -- have we seen exploits for this specific vulnerability exploited in the wild? For those exploits, how mature is the exploit, right? Is it weaponized? Is there proof of concept? And then when was it most recently exploited? And you can see here, at the date of the recording, that it was very recent. So all that is to say, there's a lot of risk piled up here, but we also consider other factors like the asset itself, right? So while we do see misconfigurations that add something to the score, the fact that this is a critical system with potential data loss, because of the sensitivity of data that goes through a Microsoft Exchange server, also [ jumps ] up the score. All of this is stitched together into one incident risk score. And you can see, going back to our incidents view, that we sort by risk score. And so your analyst will always be working on those assets that are most important and most likely to be attacked.
Abhishek Anbazhagan (executive)
That's great, Greg. As we mentioned earlier, discovery and prioritization, while extremely important, are mainly just parts of the solution. To be secure, an organization needs to actively resolve issues. And 6 months ago, Xpanse addressed this problem with the Active Response module, which both finds and fixes exposures on the attack surface. How has this evolved in the last 6 months?
Gregory Heon (executive)
We're really excited about how it's been evolving. We've been hard at work making sure that we can provide not just an attack surface discovery solution, which is what I think most of the attack surface management market is, but actually the attack surface management, right? We're putting the management back into ASM. And so we have 4 things we're really excited to highlight over the last 6 months. The first is we spent a bunch of time trying to make sure our customers can find service centers. So when you get an attack surface management alert, usually, it's from the outside in, right? So instead of understanding what the underlying asset is and who owns it, you get to understand the network interface. So you have RDP exposed on some public-facing IP address 1.2.3.4. It's really hard to understand what is the underlying asset, who do I talk to, to go fix that, do I want to fix it at the networking level or at the asset level. Lots and lots of questions there. And so the step 1 in our mind is go figure out who owns it. And that's something that used to be manual, require a lot of context switching for our customers. So they sort of -- well, they care [ about ] one tool so for their [indiscernible] to another. With the Active Response module as part of Cortex Xpanse, our customers now get all that functionality brought into -- or all their context, rather, brought into Expander. So we'll go and talk to every tool you have, everything you've integrated with us. Everything you've integrated Xpanse with will try and pull service center information and then rank them to show you the most likely service owner, the person that can actually talk to you to go fix what we find. So super excited about that as a step 1 because we think that's the most manual, hardest part of ASM: tracking down who owns this unknown asset. Second thing we've built is we've made our scanners taskable. So after we go automatically fix something for you, we'll go scan it again.
We'll send a little request to our scanners and say, "Hey, make sure it's fixed. We think it's fixed now." And in doing so, we're able to verify remediation and close out the ticket quickly for you, right? So it's not just that you have a fix that you are sure fixes this. It's been verified. Third, automation path rules. So this is for the customers that are really starting to rely on the automation that Xpanse gives here. So if you find yourself always fixing automatically, pressing a single button in Xpanse, some subset of issues, this lets you set up Xpanse to just do that without you needing to click a button every time. So instead of saying, "Go fix this for me in AWS," or instead of saying, "Every time you see this, file a ServiceNow ticket," you can set up the rule that says, okay, in this scenario, I want you to file a ServiceNow ticket with this team or a Jira ticket with this team. So the intent here is that Xpanse is able to help you manage your attack surface when your analysts aren't in the console, right, to make sure you're getting defended while they sleep. And then lastly, we've dramatically expanded our use cases. So when we first launched, we had just a small number of use cases. We have over 6x the number of use cases that we launched with now. So well over a dozen different types of attack surface exposures that we can automatically fix for you. And we've extended coverage across all major cloud providers. So you can find it in AWS, GCP and Azure, all of which works out of the box with the Active Response module. Now if you -- I mean, let's show you what it looks like in a demo. Welcome back to the Cortex Xpanse console. Here, we're looking at the incidents view at a single RDP server incident. You can see here that we've actually grouped multiple RDP server alerts into the same incident, and that's because it's actually the exact same RDP server. So we saw it previously. When we stopped seeing it, it came offline, and then it showed up again.
And because we understand that this is still the same underlying asset, we've actually grouped it into the same incident so that you, as an analyst, have all that history. I'm going to show you what the automation looks like. So in this case, the automation has already been running. And as soon as we saw the alert created, we started running this playbook, and it typically pulls quite a bit in. So on top of understanding what RDP is and when we first observed it and how to fix it, we start running the playbook, and it thinks it's about 50% done. So when it started, it started looking in all the different places it could know something about RDP. And one of them was Google Cloud, where this RDP instance is hosted. And it was able to find a couple of different potential service centers. So you can see we have some e-mail addresses we pulled out from Palo Alto Networks employees, all of whom were a big part of setting up this instance that clearly is a violation of security policy. In this case, we set this one up in a lab intentionally to show in a demo, but this is exactly the sort of information that a security team could use to understand who do I need to go talk to, to get this thing taken down. Here, we also find service accounts, internal IP addresses, important tag information like this is a development environment, and it's nonproduction, so suddenly, it seems less risky to go fix this, and a whole bunch of system identifiers. You can see about the VPC, the firewalls, et cetera. So what can we do from here? Well, a whole bunch. We want to send a notification e-mail. We can send it to those people that we've discovered. If we want to file a ServiceNow or a Jira ticket, that's easy to do, just a single click. But I think the most compelling option here is automated remediation by restricting open ports.
This is an option that we only show our customers if this is a nonproduction environment, if we have found the owners and if we have the ability to actually take the asset offline. So in this case, because we're tied into GCP and we've been integrated into the customer stack, we're able to automatically change the firewall rules by applying network tags and, therefore, remove the RDP server from the public-facing Internet. I'm going to click out of this instead of fixing it and show you what it looks like to do a remediation path rule. So if you decided, for instance, that you always want to fix these things, that you should always automatically remediate them, or you should always file a ServiceNow ticket, or your job is relatively programmatic: when you see this, you do that. That's easy for us to encode, right? And so we've created this concept of a remediation path rule where we can say, okay, RDP, right? And in this case, we're going to say, every time you see RDP servers and it is a development environment. And we can add to this, too, if we want to say -- and maybe we want to say, service center identified is true. Then we can, for instance, say, automated remediation and click submit. And that's it. Now Xpanse will work for you and your team as you sleep. We'll just go fix it.
Abhishek Anbazhagan (executive)
Those are some really powerful features, Greg. But can you give us an example of how security teams are using the Active Response module and some of the outcomes that they have achieved?
Gregory Heon (executive)
Yes, absolutely. We see a spectrum across our customers. For some of our customers, they're using Active Response much more for augmenting an analyst, right? So they are still going to pass a specific incident off to an IT team. Will they remediate it? But they're using Active Response to understand the service center, right? I mean, it used to be highly manual for them. Now it's automated, and maybe filing the ticket is automated, right? But the actual remediation itself is still a manual effort by a team outside security. We do have some examples where we see Xpanse actually going and solving the problem in runtime for the customer. And so what I mean by that is today at Palo Alto Networks, if I were to go into a dev environment in GCP and open up RDP to the world, the Palo SOC policy says I should never be allowed to do that. And because it's in dev, they're not particularly worried that we are turning off the proverbial money pump for Palo Alto Networks, right? This is not a business-critical system. But it is something that opens the company up to cryptojacking or to ransomware. And so the SOC policy now is using Xpanse: as soon as Xpanse sees that RDP exposed, it's going to take action from the Xpanse console, running the automated remediation playbook, and actually change the networking rules in GCP to take that asset off the Internet. So it's a fully automated, essentially real-time way to fix and shrink your attack surface. So super exciting to see some of our customers using automation that extremely, defending at machine speed as attackers scale up, had they can do.
Abhishek Anbazhagan (executive)
Indeed, they're actually using the Active Response module to shrink their attack surface. Greg, to truly shrink the attack surface, one of the things we mentioned earlier is that any ASM solution must integrate seamlessly into the SOC's existing ecosystem of tools. Now Xpanse already has several integrations. What are some new ways in which organizations can integrate Xpanse into their current workflow?
Gregory Heon (executive)
Well, we see a lot. We've supported integrations with the cloud service providers and VM providers for a while. We just launched a new Splunk technical add-on that we're very excited about. We know a number of our customers use Splunk, and we're excited to support them as they do that. We did also refresh the Xpanse SDK. So anyone looking to create a custom integration with some sort of homegrown tool, it's easy for them to do that now. And then we've been expanding our list of supported integrations as well to make sure that whatever IT or security tools you're using, Xpanse fits right in. And you can get started on day 1 using Xpanse and being successful.
Abhishek Anbazhagan (executive)
Thank you so much, Greg, for taking the time and walking us through some of the new capabilities inside Cortex Xpanse. And for those of you listening to us, if you'd like to learn more about any of the new capabilities that we've covered in today's call, please go into the Resources tab at the bottom left corner of your screen, and you should be able to find data sheets, our announcement blogs and other materials. And all of your questions are being answered by a team of Xpanse experts in the Q&A section. So if you have any additional questions, please feel free to put them in. Thank you.