mhill
UK Editor

Palo Alto releases PAN-OS 11.0 Nova with new evasive malware, injection attack protection

News
Nov 16, 2022 | 4 mins
Anti Malware, Network Security

Web proxy support and SaaS security posture management (SSPM) are among new Nova security features designed to help businesses tackle zero-day threats.

Palo Alto Networks has announced PAN-OS 11.0 Nova, the latest version of its PAN-OS software, featuring new product updates and features. These include the Advanced WildFire cloud-delivered security service to help protect against evasive malware and the Advanced Threat Prevention (ATP) service, which protects against injection attacks. The cybersecurity vendor also revealed new web proxy support and enhanced cloud access security broker (CASB) integration with new SaaS security posture management (SSPM) capabilities.

In a press release, Anand Oswal, senior VP network security at Palo Alto Networks, said that the new version of Nova is now able to stop 26% more zero-day malware than traditional sandboxes and detect 60% more injection attacks. The updates are the latest in a series of security releases from Palo Alto in 2022.

Malware growing more evasive, injection attacks a top web app security risk

Malware has evolved to become highly evasive and increasingly sandbox-aware. In May, researchers at cybersecurity vendor Proofpoint analyzed a remote access Trojan (RAT) malware campaign (Nerbian RAT) that used several advanced evasion techniques to target global organizations. These included anti-analysis and anti-reversing capabilities. New sandboxing techniques are needed to help mitigate more sophisticated and evasive malware, Palo Alto stated. The new Advanced WildFire service has therefore been designed to introduce new capabilities such as intelligent run-time memory analysis combined with stealthy observation and automated unpacking to stay hidden from malware and defeat advanced evasions, according to the vendor.

Injection attacks that push malicious code into systems by exploiting unpatched vulnerabilities in software continue to pose significant threats to organizations. They remain one of the top attack threats on the OWASP Top 10 Web Application Security Risks list, whilst BreachLock’s Annual Penetration Testing Intelligence Report 2022 listed SQL injection and cross-site scripting errors (XSS) as the bane of security teams, accounting for more than a third of the critical risks found in web applications.

Palo Alto said its enhanced ATP service reimagines the intrusion prevention system (IPS) with inline capabilities for stopping zero-day injection attacks, using ATP deep-learning models built on high-fidelity telemetry data across tens of thousands of exploited vulnerabilities over the last decade.

Web proxy support, SSPM among new security features of PAN-OS 11.0 Nova

In addition, Palo Alto has introduced features designed to improve organizations’ cybersecurity and resilience. The first is new web proxy support for customers who need to run explicit proxies in their network due to architecture or compliance requirements. The latest Nova version can now use natively integrated proxy capabilities for Palo Alto Networks’ next-generation firewall to help secure web and non-web traffic, allowing customers to deploy and centrally manage consistent network security across locations, branches, and mobile users, Palo Alto stated.

Next are new SSPM capabilities to help find and eliminate misconfigurations in 60-plus enterprise SaaS apps via native Palo Alto Networks Next-Generation CASB integration with Nova and Prisma SASE. This delivers support for near-real-time data protection in modern collaboration apps and suspicious user behavior detection. This helps to protect sensitive data in modern SaaS apps from compromised accounts and insider threats, the vendor claimed.

Last are more proactive Palo Alto Networks AIOps features that help reduce misconfigurations that can lead to security breaches, Palo Alto stated. Launched earlier this year, AIOps now guards against violations of best practices and enables remediation of inefficiencies in security policies before committing changes, helping organizations strengthen defenses against cyberattacks, it added.

In a statement, John Grady, ESG senior analyst, said that as attackers continue to develop new ways to evade traditional defenses, security teams struggle to defend organizations with point solutions that are complex to deploy and operate. “Palo Alto Networks PAN-OS 11.0 Nova addresses these critical challenges by stopping zero-day threats in real-time, simplifying security architectures, and improving cyber hygiene.”

Palo Alto said PAN-OS 11.0 and most of the security services – which will be compatible with previous versions of PAN-OS – will be available in November.