Securing Your Digital Frontier: Navigating the Ever-Evolving Threat Landscape

Hello, and welcome to our webinar today. I'm John Tolbert, Director of Cybersecurity Research here at KuppingerCole. And I'm joined today by Paul Bertenshaw, System Engineer from Palo Alto Networks.

Hello, Paul. Hey, John, good to be here. Likewise.

Today, our topic is Securing Your Digital Frontier, Navigating the Ever-Evolving Threat Landscape. So a little bit of logistics info before we get going. We're in control of the audio. Everyone's muted centrally, so there's no need to mute or unmute yourself. We're gonna do a couple of polls throughout the webinar this morning, and we'll show the results and talk about them in the Q&A section at the end. And we'll have a Q&A section at the end. You can enter questions at any time in the Cvent control panel, and we will take those after the presentations.

And lastly, we have a recording list, so both the recording and the slides should be available for you to look at in just a couple of days. So with that, I'm gonna start off with an overview of attack surface management, and then I'll turn it over to Paul, and then we'll do the poll results and Q&A. So first up, what is attack surface management? How does it work? And what are some of the key features and trends that we see? We recently completed a leadership compass on attack surface management, so we have fresh research to talk about here. So what is it?

You know, it has a lot of different moving parts. It's a pretty fascinating area, I think, of cybersecurity, and it does a lot of different things. So I've tried to group them in four major top-level categories here. Number one is asset discovery and classification. As we often say in security, you can't protect something if you don't know it exists, so finding all of your assets is an important thing that ASM can do for you. And how does it do that?

It uses both passive listening, active probing, port scanning, network mapping, DNS enumeration, to find everything that's out there within your purview. And then they need to be classified. What kinds of instances are they? What kinds of machines are they? Are they IoT or OT devices? There's lots of different kinds of devices that every organization has, and many times they don't even know that they have them. The next big category is risk prioritization, and that's made up of several important parts too.

Once you know about your assets and kind of know what they are, you need to find out if they have vulnerabilities, check their configurations, and then probably most interesting here is being able to apply business context to the risk analysis. Yes, you may have a machine out there somewhere that's exposed, and it may have a vulnerability, but is it as critical as some of the other findings that you might see when running an ASM report? That's really what rolls up to be risk prioritization. Mitigation and remediation.

This is mostly about patch management, figuring out if the discovered devices are fully patched or not. Do they have all the OS and application updates? And then also configuration monitoring. Are they properly configured?

Lastly, from the administrative perspective, it's important to have dashboards and reports so that you can visualize what's going on and then have reports for different audiences. What an analyst needs to know might be different than what the executives need to know. And this can be a really good tool for executives so that they are aware of the cyber risks that are out there. So there are two major approaches to ASM, external ASM and cyber asset attack service management. External ASM is just what it sounds like, looking from the outside.

In many cases, to start one of these services, you go type in your domain name, and then it begins to go out and find and monitor all your subdomains, associated IP addresses, applications. It's even really good for certificate management. It can find certificates, understand the expiry dates, and help you keep on top of making sure they're renewed properly. Then there's also the vulnerability assessments I mentioned, and then application of business context for risk analysis.

Cyber asset ASM is kind of more of an, I know we don't use the word internal very much anymore, but it can be on-premise stuff. It can be things that are in private cloud, in your infrastructure as a service instances, SaaS. It can look for things that typically you would think of as part of your enterprise. And then you may already have a configuration management database, but you can import the information from there. It can further discover assets that you may have that you don't know about, but it can apply that additional layer of vulnerability analysis and risk prioritization.

So those are the two major types, but you know, ASM can do many, many other things. It can help with shadow IT discovery. It can help you find IoT devices that may not be in your CMDB. Organizations that are running operational technology or industrial controls may have a difficult time understanding what devices are on their shop or warehouse floors, for example. Cyberasset ASM can be good at helping to find that. Then there are things like dark web monitoring.

I'll get into a little bit more detail on some of these as we go through it, but dark web monitoring, brand protection, even things like threat modeling. Some of these solutions do breach and attack simulation. So that's sort of taking it to the next level, what the discovered vulnerability information is, and actually simulating an attack and getting you very concrete results about what your risks are and how to close them. And then lastly here, regulatory compliance.

Most of us have to comply with various regulations or align with security frameworks, and ASM can be really, really good at helping with that too. Since ASM is a security tool, you probably want it to be able to interoperate with other security tools that you already have. And I've listed some of the ones that I think are the most important.

ITSM, your ticketing system. Many ASMs come with some degree of case management built in, but sure is nice when you can have that piped into your ITSM system and tickets sent to the appropriate person and the appropriate person to do that. To the appropriate personnel to help remediate discovered issues. You may want to be able to integrate that with your SIM and even your SOAR. You may want to use third-party cyber threat intelligence. Most of these products come with their own threat intelligence feeds.

Some allow you to augment that and pipe in additional information from other cyber threat intel sources. You'd very likely want to be able to use your own IAM system to authenticate your admins and your analysts, or many of them allow identity federation so that you can log in from, your analysts can log in from your own domain and then go look at the ASM console. It's good to have information fed up from your UEM or mobile device management solutions. Many organizations have vulnerability management solutions in place today, and being able to connect that to ASM is very advantageous.

Same thing with things like PAM, Privileged Access Management, Cloud Infrastructure Entitlement Management, and even your Endpoint Security and XDR, it can be good to have that information be consumable by ASMs. So when we talk about vulnerabilities, there's a lot that comes under the category of vulnerability.

CVEs, the CVSS, that's pretty typical. Most ASMs support, you know, linking CVEs with discovered issues, but there's also, you know, Exploit Prediction Scoring System. There's the U.S. Census Known Exploited Vulnerabilities List, the National Vulnerability Database. Then there are other things like OWASP Top 10 issues that ASMs can look for. They can help you look for, like I said, missing patches or out-of-date, end-of-life software. Sometimes it's surprising.

When you do a first ASM run, you will find machines that have been out and exposed to the internet for years that everyone has forgotten about. So this will help you discover those and take them down if they're not being used or patched them at the very least. It can help identify missing controls. Maybe there's a machine that should be protected by firewall rules that isn't. And some can help you discover paths for unauthorized access or over-provisioned entitlements. And then misconfigurations. There can be things like services that are left on that shouldn't be.

So it can help you develop a list of what needs to be hardened. I mentioned dark web monitoring before. What do ASMs do here?

Well, this is one of the really interesting parts. They can help look for compromised credentials from your organization. If they're out there in the dark web, if user accounts have been exploited and are being sold, some of these services can alert you to that fact. Same thing with leaked or stolen intellectual property. That can be something you definitely wanna know about because obviously that means data is leaked. And then you need to go into incident response phase. It can look for leaked or stolen PII of your employees, your executives.

And some of these services look for passport info, passport photos, EIDs, driver's licenses. And it can be shocking to find out how much information about employees or especially executives can be found on the dark web. Some of the ASM solution providers will actually follow APT groups in their own communications channels, looking for what are they planning to do next. They do the same thing with cyber criminals. They look at cyber criminal forums, looking for the buzz on where cyber criminals are aiming to attack or maybe where they have.

This can give you really, really good intelligence about if you have a problem, how you can correct it even. And then lastly, they monitor malware and exploit trading forums. So they can help you know what specific malware kinds of threats, ransomware kinds of threats might be targeting your organization in the near future. Compliance, I won't read through all of these because there's a lot of different compliance frameworks and security frameworks.

But ASM can, in many cases, depending on the solution provider, can help you with specific compliance requirements around, let's say, the ISO series 27001 and 2, NIST Cybersecurity Framework 800-53 controls, and then even some more specific to technology domains or regional areas, things like HIPAA, healthcare in the US, PCI-DSS for credit cards globally, or things like USDOD-CMMC and FedRAMP. So let's pause for a moment and take a poll. Now that we've kind of given you a little bit of an overview about what ASM does, I'm curious how many of you already have an ASM solution in place?

So we've got three choices here. Yes, no, or not yet, but we are looking for ASM. So we'll pause for a moment, give you an opportunity to answer that. Okay. I'll assume it has popped up. So looking at what are some of the things that we discovered throughout our research cycle on ASM, well, it's still kind of an emerging field. It's still evolving. It is important, but I wouldn't say the feature set has been fully standardized. You'll find some solutions have pretty much everything that you might want in an ASM today already as part of their feature set.

Others are kind of building out additional functions. Some of the vendors don't provide all of this technology through in-house development. They're using OEM components, or many might rely on other products entirely. There may be like a case where a cyber asset ASM might rely on a third-party vulnerability management solution. That's just one example. Integrations with other security and IT tools are essential. It's important to be able to connect to systems, like I mentioned, ITSM, SIEM, for providing more comprehensive information through all of the systems that your SOC might utilize.

Some of these do dark web monitoring. Some don't. Some do brand protection. Some don't. Some of the vendors offer additional services on top of an ASM platform. They might do manual penetration testing or red teaming for an additional cost. And some do brand protection, and some do not just yet. What do we see in terms of trends in our predictions? I think EASM is very important today. And if it is not part of a web-facing organization, it's not as much of a part of a web-based security architecture than it should be.

And these feature sets, like I said, are growing, and I think they're eventually going to standardize on pretty much the full range of things that I've discussed. Brand protection, you'll sometimes see that referred to as digital risk protection by others. I think that will become increasingly important for EASM in particular. And where a vendor started off sort of can be an indicator of where their strengths are. Let's take an example of like maybe a CMDB that has moved into the cyber asset ASM realm.

They're probably going to be very strong with things like doing the asset discovery and classification. So just be aware of the history, and that also can help you understand where their particular strengths are. Eventually, I think EASM and CASM will probably merge because if I was a CISO or CIO, I'd probably want to buy one product rather than two, because some of the features are overlapping. It's just the approaches and some of the underlying technology that's different. So let's take another poll question. Which ASM seems most useful for your organization?

Is it the external ASM, which is focused on the outside in view of your organization, starting with a domain and then enumerating everything that can be found from there? Or is it cyber asset ASM where you're primarily considering your internal on-premise private cloud, that kind of assets? Or do you think both are important and you're looking forward to the union of EASM and CASM as well? So we'll pause for a moment there.

Okay, that's great, thank you. So as part of our leadership campus research, sort of expanding on these categories, these are the functional evaluation criteria that we looked at, asset discovery and classification, vulnerability monitoring and assessment, use of either their own vendor own or the ability to plug into third-party CTI. Digital risk, brand protection, remediation, and really remediation mostly at this point is identifying vulnerabilities, listing patches or changes to configurations that need to happen.

And in some cases providing really detailed guidance on how to do that, that's innovative and I'll get to that in a minute. And then overall attack vector coverage and the architecture and administration experience. So I'll quickly tell you about our leadership compass process. We identify a field, we find the vendors, we get briefings demo, talk to customers, give them a huge, huge technical questionnaire. And then we get that information back, we analyze it, we write up a draft, we send it out for fact check. And then once that's agreed upon, we publish it on our website.

We have nine major categories that we rate against for every product in the leadership compass. Security is about internal product security, not how much security it delivers to the end user, but is it using encryption? Does it have attribute-based access controls? Require strong authentication for administrators. Functionality, does it have all these things that we've been talking about? Integration, is it an integrated solution? Does it require multiple parts? How easy is it to deploy? Interoperability is about, does it support standards? Does it work well with other products?

Can you connect it to other things? Usability is about, in this case, what's it like for the administrator or the analyst to use? Then we look at things like innovation. Is it a leading edge product in the market or is it sort of playing catch up to everyone else? Market size, how many customers, how geographically distributed are they? Do they target all industries?

Ecosystem, how big is the support ecosystem? Does it cover all geographies? Do they have partners or consultants or system integrators that can help deploy it? And then lastly, financial strength. Is it a major public company? Is it a mid-stage startup? Is it an early-stage startup? These are things that many organizations need to know when they're going through an RFP process. So we have four categories of leadership, product, market, and innovation, and all that rolls up into overall leadership, and I'll show you the results right now.

Try to quickly walk through these, let you take a look at the graphics. You can see here the overall leaders are, in many cases, the big security stack vendors and very well-established ASM specialists. Product leaders.

Again, you'll see we're looking at things like the asset discovery classification, vulnerability assessment, CTI, brand protection, vulnerability and risk prioritization, remediation, attack vector coverage, and architecture. And you see we've got a good spread here across the quadrants. Market leaders.

Again, probably not too surprising. We have some of the large security vendors show up on top here, as well as some of the very well-established ASM specialists. There's a good range across all three sections here. I think this indicates this is a market that has a lot of room for growth. As I've said, technically, I think this solves a lot of problems, can help everyone from an analyst to an executive. So I think we're going to see a major uptake of ASM in the future. Innovation leadership. Just take a minute to call out the things that I found innovative this time around.

Those who do dark web monitoring, for example, those who provide full-service brand protection, those who have a very sophisticated use of AI for asset discovery and classification, and also risk prioritization. Being able to add that detailed business context can be facilitated by AI. The presence of advanced playbooks and other detailed remediation guidance. The number and quality of different kinds of connectors that are available to other tools in your IT and security infrastructure. Dedicated customer-centric threat intelligence. And then security certifications.

That can always be a good differentiator for a company that is mature. You know, if they've taken the time to get their ISO 27001, SOC 2, Type 2, and other pertinent certifications.

Lastly, I wanted to show you an example of one of our spider charts. This is where we rate those eight different categories. And here we're using Palo Alto as a representative. You can see they did very, very well in all categories. So I'm at the end of my time. I just wanted to remind you, if you have any questions, please feel free to submit them in the Cvent control panel. We will take them at the end. And with that, I would like to turn it over to Paul.

Thank you, John. So guys, my name is Paul Bertenshaw. I'm a Core Tech Systems Engineer Specialist here at Palo Alto Networks. For anybody who's less familiar with Palo Alto Networks and the way we departmentalize our products, Cortex is the brand associated with security operations tools.

Of course, of which one of them is Cortex Expanse, which is our attack surface management product. Today, I'm going to share, obviously, quite a lot of insight in terms of ASM generally. I am also going to share some details and information that I've picked up throughout my career, which now stems back 25 plus years in terms of IT security. So hopefully you'll find this interesting.

Again, as per what John's already highlighted, if you do have any questions, please do post them questions. I know there's some time at the end for Q&A, so we'll try to get to those at that point.

But now, let's get started. So this particular slide is something that resonates with me personally. I did mention that I was going to share some personal insights. For my SINs, I used to look after a large infrastructure for a gaming organization way back now. I'm dating back since I've left that organization around about 10 to 12 years ago. So appreciate that the landscape generally from a technical standpoint has changed quite considerably.

However, back then, things were beginning to change quite significantly at that point in history. But in general, the attack surface was relatively simple. And the reason for that is because everything was generally contained centrally within a data center. So what's changed?

Well, obviously, if we date back somewhere around 12, 15 years, that predates cloud generally. It predates remote working, or certainly large-scale remote working.

And then, of course, it predates a number of other sorts of IT and technical disciplines, IoT, for example, being one of the others. I said this resonated with me, and that wasn't just because of my age. It resonated with me because back then, looking after a large infrastructure, one of the many things that kept me awake at night was do I have my arms around everything that's happening on my attack surface? Do I know every single asset? At that point in history, we were just beginning to move things into the cloud. We were beginning to deploy SaaS applications.

We'd adopted agile development methodology. So, of course, what that meant was we had teams of developers all around the world developing in sprints, spinning up machines, and tearing down machines. And the simple reality is, is I was not confident that I had my arms fully around, and my team never had our arms around, everything that was happening from a perimeter edge perspective, or more rather an attack surface management perspective.

So, what does the attack surface look like now? Well, obviously, things have changed quite dramatically since the slide I showed you just previously, which obviously dates back maybe a decade in terms of how organizations organize their perimeter edge. And of course, there is no perimeter edge anymore. I guess the diagram that you see at the top of this particular slide was probably out of date at the point at which it was developed.

Obviously, there's probably a whole raft of other things that have been added since then. However, I think we can all agree that this particular slide or this particular diagram is a better representation of maybe what our attack surface looks like now.

Now, of course, heading into this presentation, like all technicians and network or security engineers, I obviously wanted to pull together some information, some statistical information. I'm very fortunate in the sense that I work for Palo Alto Networks. And of course, Palo Alto Networks does produce a wide and varied range of security research, and of course, publishes that research.

The piece of information that I wanted, whilst all three of the sets of information at the bottom of this slide are very relevant and very interesting, the one I would like to draw everyone's attention to and certainly caught my attention most was the one in the center. And that really kind of frightened me in the sense that, obviously, attackers utilize advanced capabilities. Attackers are becoming increasingly more sophisticated, which means that they're using increasingly more advanced tools.

And to have this printed in black and white in front of me based on active research, to say that we can confidently say that vulnerabilities are being scanned within minutes of them becoming vulnerabilities is really quite concerning generally. And it was quite startling, certainly for me, as part of the research I was doing. So we know the attack surface has changed quite dramatically from where it was to where it is now. We know attackers and threat actors are becoming increasingly more sophisticated.

We know that they're becoming increasingly more sophisticated, not only from a technology point of view, but they're becoming increasingly more organized with many being very much aligned to a nation state security apparatus. So what does this mean?

Well, obviously, it creates all sorts of challenges for defenders. And it kind of takes me back to the point in what I was making earlier, whereby some of the things that kept me awake at night and not having my arms fully around everything that was happening on my attack surface, so that, of course, what that did was it drove up the risk to our organization. And of course, it also created the more risk means less hair for me, ultimately. But ultimately, it means, from a threat actor point of view, it means that there's another vector for them to go on.

So we know there's limited attack surface visibility. There's just simply so much data involved.

Obviously, we've got a situation where security operation centers are already overwhelmed from an alert perspective. They're already overwhelmed from a data perspective. And of course, we've got alert fatigue in there as well.

Of course, what all that leads to is the prioritization of risk. It's very easy to overlook attack surface alerts in amongst a wide variety of other alerts.

And then, of course, those being deprioritized because maybe they're considered less important in some way. We're unable to react to zero days.

Now, that's obviously been a challenge for many years. And I think just about every organization has claimed or every vendor has claimed to have some sort of solution to that particular challenge and that particular problem. I don't believe there is a silver bullet out there, or certainly not one I'm aware of, of hopefully with the incarnation of AI and machine learning, perhaps things will change. But certainly, the best we can really hope for at this stage is defensive depth.

And of course, what we really want to do and what we're really trying to achieve at the moment is to, first of all, as soon as a zero-day event happens, is to detect it as quickly as possible and then remediate it as quickly as possible. And that's, of course, where Cortex Expanse, the product I'm talking about, comes into its own. And I will get into a little more detail on that.

And then, of course, it's difficult to act on security alerts. What I mean by that is, and what we mean by that, is even on occasion within organizations, once a vulnerability has been discovered, irrespective of whether that vulnerability has been exploited in the wild or not, it can take an awful long time for those vulnerabilities to be remediated. And that can be due to a whole number of reasons, bureaucracy reasons. It can be a wide variety of other things, change freezes, technology skillset limitations.

So we know that we've got a fairly significant challenge when it comes to our attack surface management. So how do we go about addressing this? How does Cortex Expanse address these challenges and address these issues? First of all, I think John articulated this perfectly in his slide deck. He set out exactly what an ASM is. From our perspective, we've naturally been part of Alto Networks and the innovative cybersecurity organization we are, and have always, always have been, and probably always will be.

What we've done is we've slightly recategorized the whole discipline of attack surface management. And what I mean by that is we have vendors out there, and I'm not gonna pick on any particular vendor or any particular product, and that's neither my style nor is it parallel to a network style. But of course, we have vendors who claim to do attack surface management in inverted commas, when in our interpretation of attack surface management, what they do is more attack surface visibility as opposed to attack surface management.

So we've kind of recategorized attack surface management into two broad categories or two broad buckets. And one is attack surface visibility, i.e. a product will go out and do some form of discovery to different degrees of success and attribute those assets to a given organization, again, to different levels of success. And of course, they will then perform some form of vulnerability scan on those assets and then present that information back to the customer. From our perspective, that's what an attack visibility tool is.

From our perspective, an active attack surface management product or tool will, in fact, go considerably further than that. Not only will we go through the process of doing the discovery and then successfully and very accurately attributing those assets to a given organization, we'll do that on a day-to-day basis. In addition to that, we will collate all of the information that we are sourcing.

And then, of course, what we will do is if, in fact, we do find vulnerabilities, we will introduce the ability to automate remediation of those visibilities through playbooks that we've introduced as part of Cortex Expanse. So from our perspective, it becomes much more of a cradle-to-grave process whereby not only do we do discovery of assets and find assets on a day-by-day basis, we will collate all of that information. We will use our own algorithms and machine learning to do all of that.

And then, of course, what we will do is we will overlay that with automation to remediate those vulnerabilities. And like I've said at the very bottom of the slide, we know the capabilities of attackers. We know the technologies and the tools available to attackers. From a defender perspective, we need to know more and have a better view of our attack surface than the attacker does. So how do we do that? We've talked a little bit already about attack surface visibility tools.

I've explained that I believe, or we believe, attack surface visibility is about finding assets and being able to attribute them to an organization, again, with different degrees of success. And then, of course, provide that information back to the customer with some vulnerability information and then kind of say, well, over to you, Mr. Customer. You now need to go ahead and address those. From our perspective, active attack surface management is all about remediation. It's all about going to the next stage. It's all about addressing those vulnerabilities through automation.

And, of course, as you can see at the bottom of this particular slide, we have, as part of our active response module, we have a number of capabilities introduced and a number of playbooks introduced as part of our attack surface management tool that'll help customers and enable customers to automate the process. So not only finding assets that an organization maybe didn't know about already, not only about collating all of that information accurately, but also doing something about it.

And, of course, ways in which we do that and enable people to do that really come from deep within our security portfolio, really. Ability to introduce playbooks is a direct reflection to one of our other products, Cortex XOR, if anybody's familiar with XOR.

And, of course, one of the real strengths of our automation capabilities is due to the maturity of the product and our ability to interact and integrate with third-party controls. So as an example, you can see here, we've made reference to AWS, Azure, and GCP. They're just three small examples of how we could maybe integrate with each of those technologies, reach into that technology, and automate processes from within that technology. So hopefully you can begin to see just how we're able to automate remediation processes.

As a very small example of what I mean, we've got an active ransomware prevention. We know that open RDP ports or open RDP servers remains a huge challenge. Our own unit 42 team have included it as one of the main vectors of attack for attackers deploying ransomware. So we've taken this and we provided an example of quite how, from an RDP perspective, we can address this particular issue using Cortex Expanse. So if you look on the far left-hand side, you can see we've found an asset. We've discovered an asset with an open RDP port.

And, of course, we've created an alert with an expander, which, of course, is Expanse. Now, the dotted red line indicates that this broadly is where an attack surface visibility tool would kind of end, and we'd be providing that information to the end user or the customer at that point, and then kind of walking away with our job done. From a Cortex Expanse point of view, we don't do that. We've got a playbook associated with RDP. And as you can see, the process then begins. That playbook is automated, it's executing, and then it's doing all sorts of different things.

So, for example, it's integrating into whatever IT tool and system is in use at the time. That could be Splunk, it could be ServiceNow. It's performing all sorts of AI abilities.

And then, of course, we're going through the process of request and permission to perform a remediation. And then, of course, we are closing the port by whichever means. That could be, you know, was reaching into one of them, three main CSPs. It could be something more simple. It could be as simple as updating a dynamic firewall rule list on a Palo Alto networked firewall, as an example. We're then confirming that that particular port has been closed, and we're validating that it's not responsive.

And then we're generating a summary report and pushing that out as part of the closure of that particular ticket. So that's an example, really, of one small example of how Cortex Expanse can address such a challenge.

Now, looking at what that means from a metrics point of view, from a metrics point of view, first of all, from an analyst's time to investigate, please bear in mind, I mentioned earlier in the conversation, or earlier in the presentation, I should say, we are very innovative as an organization from a Cortex point of view. We are very, very focused on saving analyst's time. Our view is if we save an analyst's time, security analyst's time, what that means is we're driving down the mean time to detection and mean time to resolution.

And of course, we're freeing up our security analysts to be able to do the things that realistically they could and should be doing. In this particular example I've given here, we've gone from over five hours or five hours to go through the investigation down to three minutes, which of course is a significant step up on five hours.

Now, in terms of the overall MCTR, in terms of resolution or remediation even, it can take over three weeks. And this comes about, these timings are taken using our own SOC, for example. And so we obviously use Cortex Expanse, and of course we're continuing to collect data. But this is an example of how a very large organization can get themselves into a tangle when it comes to performing remediation tasks.

Obviously, now that we've bypassed that process and we've made that particular automation process digital, then of course what we're able to do is reduce that down to five minutes, which again is a huge step forward, both in terms of protecting our infrastructure and our attack surface, but also the impact it has on our security analysts. Just a little bit, as we come towards the end of my presentation, just a little bit in terms of where Cortex Expanse is being used and what the noise that's being generated about Cortex Expanse is all about.

One of the key organizations or one of the key contracts that we've signed very recently is our work that we're doing with the US Department of Defense. Obviously, we work with a whole raft of top organizations. More and more organizations are obviously now seeing huge value in being able to reduce the risk to their organizations by eliminating as many or all of the vulnerabilities associated with their attack surface.

We're no longer making it easy for attackers and we are very quickly closing down those avenues or those vectors that threat actors have traditionally used as a way of finding their way into organizations. A little bit more about our DoD contract there. As you can see, the US DoD has a percent of the entire global internet from a naming point of view or number perspective. And as you can see, obviously, Cortex Expanse is looking after each and every one of those.

And then, finally, what we're just a very quickly, I should say, just a little bit more in terms of validation of the product. Very proud of our position within GigaOM. As you can see from the GigaOM radar reports, attack surface management, obviously, it was a very detailed review and, of course, not only did we come out as a leader, but more importantly, we also came out as an outperformer. So the product itself is performing extremely well. We're seeing record numbers of organizations adopt the product and the reason for that is as follows, ultimately, and this will be my last slide.

But really, Cortex Expanse at a see-saw's glance, this is really, again, dating back to some of my history, really. Some of the things I really disliked about security projects was the amount of time it took to gain any value from whatever product that might be. I've spent a lot of maybe the past decade working with scene-based technologies and I'm not picking on scene-based technologies or any given particular vendor, but unfortunately, they do have a bit of a reputation when it comes to being multi-month projects, if not multi-year projects, before full value is derived.

One of the things I really like about Cortex Expanse, and if I was obviously back in my position that I was in many years ago, I'd be very attracted to Expanse for all of the reasons that's displayed on the screen. And what they are is, there is no requirement for any hardware, there's no requirement for any software, there's no requirement for any firewall rule changes or deployment of agents. Cortex Expanse is a SaaS application. It sees what an attacker sees. It uses open source intelligence.

And then of course, using our own machine learning algorithms, our own AI, we are able to not only discover assets on a day-by-day basis, but we're able to attribute them accurately to organizations. And then of course, we are able to evaluate that information and then perform remediation actions on whatever vulnerabilities are found. And therefore, what we are doing is, we are closing down that risk window. We are closing down the area of opportunity for attackers. And of course, what that enables us to do is focus our efforts in other areas that perhaps need further assistance.

So now I'm going to hand back to John. Thanks, Paul.

Well, let's take a look at our poll results. Here's the first one. Does your organization have an attack surface management solution? More than half say yes. That's a good thing. Like I said, I think this is important technology that pretty much every organization needs as really a first line of defense in many cases. So half say yes, a quarter say no, and about 20% say not yet, but we're looking for it. Does this sort of match what your expectation would be, Paul? I think generally, John, yes.

I mean, that generally follows the same patterns we're seeing in terms of the conversations we're having with our customers. I think initially, we like our actions in security. And of course, ASM is a relatively new arrival. And obviously what that means is it normally takes organizations a little bit of time to fully buy into the benefits of whatever that is. And ASM was just really one of them. But now we're really beginning to see traction in the market. And we're hopefully going to see that 53% further increase.

Yeah, I expect it will. And like you were pointing out about the relatively short time to value on a solution like this, I mean, I think that's why it can be quickly adopted, especially the EASM kinds of products where they all are SAS delivered. And as a customer, you go out and type in your domain name and press enter, and it starts gathering information for you. So it can be much easier to adopt than like you were saying, something like SIM, which can be a multi-month, multi-year project. And there are other cybersecurity solutions that can take a long time too.

Whereas ASM, I think you can engage it and start getting results quickly, actionable results. So let's take a look at our next one. Which ASM approach is most useful for your organization?

Okay, that's a bit surprising. I guess everyone agrees that this is something you need both halves of it to really be maxable value. Any thoughts on this one, Paul?

No, I wasn't quite expecting it to be 100%, but yeah, I mean, I was expecting the lion's share of participants to say both. I think it really depends on the organization. What we're finding is lots of organizations have a vulnerability management approach already. So they have a vulnerability management system in place. Usually that'll be tied to some form of certification, whether that's ISO 27001, or whatever. And those organizations tend to want to keep it that way. And they see ASM as something completely separate.

And then of course you have the organizations who are quite keen to reduce down and consolidate their security tool stack and therefore want to merge those technologies together. It's certainly an interesting one. I don't think anybody in the marketplace has quite mastered it just yet.

Obviously, you've got a combination of traditional ASM vendors or EASM vendors trying to perform vulnerability actions. And you've now got the more traditional vulnerability vendors or vulnerability scanning vendors now trying to do EASM. So it's going to be interesting to see how it goes. Let's look and see if we've got any questions out there. ASM sounds like a complex set of services. Is it mostly for large businesses? I would say no.

I mean, yeah, large businesses should have it. But any organization that has a web presence, and I think that's almost everybody, can certainly benefit from that, especially just from the EASM perspective. Knowing what the risks are that your organization is facing. So I think it's great for mid-market and even SMBs. And like we've said before, it's pretty easy to engage it. So I think it's definitely appropriate for a wide range of company sizes as well as company types. Any thoughts on that one, Paul?

Yeah, I mean, I think first of all, we need, from an ASM point of view, look at the various teams internally who would get value from the ASM. And those extend far beyond the vulnerability management team.

In fact, when I present Cortex Expanse and when I present ASM generally, I try to move away from talking about vulnerabilities because it becomes just a conversation about vulnerabilities. The truth is, we have organizations that use Cortex Expanse for many different use cases. We've not really mentioned Shadow IT within this presentation. Shadow IT is a really big one that organizations can use attack surface management tools for. In addition to that, compliance, just maintaining compliance, maintaining corporate standards. We've got organizations who use it.

Going back to that Shadow IT one, I presented to a customer and they were very keen to take the product. Not even quite understand their use case when they were sort of describing it. And it turns out they're an organization that went through a huge amount of mergers and acquisitions. And what that meant was, the chances are there was Shadow IT happening within the organization. And they were able to spot that through the information that was being provided to them via Expanse. Things such as certificate issuers, things such as domain registrars.

If they had a corporate standard in terms of which certificate issuer they use and which domain registrar they use, and then suddenly they were seeing a significant increase and then suddenly they were seeing a spike in other areas and other vendors for those things. And of course, what that meant was, it was quite clear that they had Shadow IT operations happening and they were able to stop that.

So yeah, I don't think it's for just large organizations. If you have an internet-facing presence, then I think ASM is for you. We've got time, we'll take one more. This is interesting. It might apply to a lot of folks out there. Is having ASM now a prerequisite for getting cyber insurance? I can't say that I know for certain, but I think it would definitely be very helpful if you're looking to get cyber insurance because then you can have very up-to-date reports. You can show your insurer. Do you have any insights on this one, Paul?

Yeah, I think, I mean, from our perspective, what we've seen is from territory to territory, geography to geography, the requirement will be different. The one thing that we have seen right across the board is organizations from a central government perspective, the United States, the United Kingdom, for example, the information that they're providing, the recommendations and guidance, like, for example, here in the UK, we have the National Cyber Security Center who issues cybersecurity advice and guidance to the whole of the UK.

And one of the things that they've stipulated at the very top following the invasion of Ukraine, and of course, there was an uptake in threats in and around that period, they issued new guidance, and right at the very top or within the top five of the guidance was monitoring your internet footprint, knowing and understanding your internet footprint. And if I'm not mistaken, the US government has done something similar, and I'm sure right across the board, the same guidance will happen.

So whilst it may not be mandated wholly from a cyber insurance perspective, if you've got central national governments making and giving that recommendation and advice, it's certainly not gonna hinder your cyber insurance requirements. Yeah, that's a great way to state it.

Well, thanks everyone for joining us today. We're up at the top of the hour. Thanks to Palo Alto and Paul.

And again, these slides will be available in a couple of days. If you have any questions, feel free to reach out to us.

Thanks, Paul. Thanks, guys. Good to be here today. Have a good day.