Palo Alto Cortex XDR vs. Microsoft XDR

eXtended Detection and Response (XDR) is becoming the standard for unified security management, combining data from multiple tiers of the IT environment and enabling detection, investigation and response in one convenient interface. All major security vendors have announced XDR offerings, but it can sometimes be unclear what each solution provides, and whether they are “real” XDR solutions or just an integration of existing technologies. 

Two vendors that undoubtedly offer a robust, technologically mature XDR platform are Palo Alto and Microsoft. In this article, I’ll briefly review each of these solutions and its architecture, to help you understand which is a better fit for your organization.

What is Palo Alto Cortex XDR?

Palo Alto’s Cortex XDR solution offers cloud-based and on-premises endpoint security capabilities, including incident tracking, records management, root cause analysis, and malware protection. The platform provides comprehensive visibility by aggregating data from various sources, including endpoints, networks, and cloud environments.

Cortex XDR analyzes the data, looking for attack techniques and behaviors. It can block malicious executable files, malicious software (malware), ransomware, and exploits. The platform can also help determine the root cause of threats to optimize triage and incident response. This capability enables responders to adapt defenses in real-time.

The platform can integrate with SIEM systems and many other security applications. It provides a management service console that displays security events and helps teams analyze associated logs.

Cortex XDR provides APIs that enable integration with third-party services or apps. Once the APIs are configured, Cortex XDR can ingest alerts and perform alert stitching and investigation. It lets you manage incidents in an automation or ticketing system, editing and reviewing the incident’s status, assignee, and various details. You can also use APIs to retrieve endpoints’ information, perform responses directly on endpoints, and create installation packages.
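As an added example (not Palo Alto's code) of the incident-management workflow described above: pull new incidents, pick the unassigned high-severity ones, and build the update calls that set their status and assignee. The header names, API paths and request/reply shapes are assumed from the public Cortex XDR API reference; confirm them against your tenant's documentation before use.

```python
"""Cortex XDR incident triage via its public API (added example, not Palo Alto's code).
Assumed from the public Cortex XDR API reference: the standard-key headers
(x-xdr-auth-id + Authorization), the get_incidents / update_incident paths and the
request_data / reply shapes; confirm against your tenant's documentation."""
import json
import urllib.request

ESCALATE = {"high", "critical"}

def cortex_headers(api_key_id: int, api_key: str) -> dict:
    """Standard API key headers (the advanced-key nonce/hash scheme is not shown)."""
    return {"x-xdr-auth-id": str(api_key_id), "Authorization": api_key,
            "Content-Type": "application/json"}

def build_get_incidents(statuses=("new",), search_from=0, search_to=100) -> dict:
    """Body for POST /public_api/v1/incidents/get_incidents/: filter by status, newest first."""
    return {"request_data": {
        "filters": [{"field": "status", "operator": "in", "value": list(statuses)}],
        "search_from": search_from, "search_to": search_to,
        "sort": {"field": "creation_time", "keyword": "desc"}}}

def build_update_incident(incident_id: str, status: str, assignee: str) -> dict:
    """Body for POST /public_api/v1/incidents/update_incident/ (new status and assignee)."""
    return {"request_data": {"incident_id": incident_id,
                             "update_data": {"status": status, "assigned_user_mail": assignee}}}

def incidents_to_escalate(reply: dict) -> list:
    """Ids of unassigned high/critical incidents in a get_incidents reply."""
    return [i["incident_id"] for i in reply["reply"]["incidents"]
            if i.get("severity") in ESCALATE and not i.get("assigned_user_mail")]

def post(fqdn: str, path: str, headers: dict, body: dict) -> dict:
    """One API call; fqdn is the tenant's api-<name>.xdr.<region>.paloaltonetworks.com host."""
    req = urllib.request.Request(f"https://{fqdn}{path}", data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

# Constructed sample reply (not real tenant data) so the triage logic runs offline.
SAMPLE_REPLY = {"reply": {"total_count": 3, "result_count": 3, "incidents": [
    {"incident_id": "101", "severity": "high", "status": "new", "assigned_user_mail": None},
    {"incident_id": "102", "severity": "low", "status": "new", "assigned_user_mail": None},
    {"incident_id": "103", "severity": "critical", "status": "new", "assigned_user_mail": "a@b"}]}}

if __name__ == "__main__":  # offline demo: print the update bodies that would be sent
    for inc_id in incidents_to_escalate(SAMPLE_REPLY):
        print(json.dumps(build_update_incident(inc_id, "under_investigation", "soc@example.com")))
```

In a live run, `post(fqdn, "/public_api/v1/incidents/get_incidents/", cortex_headers(...), build_get_incidents())` replaces `SAMPLE_REPLY`, and each update body is sent to `/public_api/v1/incidents/update_incident/` the same way.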

Cortex XDR Architecture

The architecture of Cortex XDR places a data layer between Cortex XDR and data sources such as endpoints and clouds. The data layer includes Cortex Data Lake, a cloud logging service that aggregates and correlates logs from the different sensors and derives timelines and event causality. Cortex XDR consumes data from this data lake.

Image Source: Paloaltonetworks

A Cortex XDR deployment may use all or some of the sensors. Here are all the components included when using the full set of sensors:

  • Cortex XDR—this solution provides visibility into all data residing in the Cortex Data Lake. Cortex XDR includes a single interface that provides various capabilities, including alert investigation and triaging, remediation, and defining policies.
  • Cortex Data Lake—this cloud-based logging service centralizes the collection and storage of logs across various data sources.
  • Analytics engine—this security service uses network data to detect and report on post-intrusion threats automatically. The engine identifies normal behavior on the network and uses it as a baseline to detect anomalous behavior.
  • Next-generation firewalls—these on-premises and virtual firewalls help enforce network security policies in various locations, including campuses, cloud data centers, and branch offices.
  • Prisma Access (formerly GlobalProtect)—this service helps extend firewall security policies to remote networks and mobile users. It can forward traffic logs to Cortex Data Lake for analysis by the analytics engine, which can push alerts on abnormal behavior.
  • External firewalls and alerts—this functionality enables Cortex XDR to ingest traffic logs from external firewalls by other vendors like CheckPoint. Once the data is ingested, the analytics engine can raise alerts on abnormal behavior. Cortex XDR can also ingest alerts from external sources for additional context into incidents.

What is Microsoft 365 Defender (XDR)

Microsoft 365 Defender is an enterprise suite that provides pre-breach and post-breach capabilities. It centralizes and coordinates threat prevention, detection, investigation, and response across multiple components, including emails, identities, applications, and various endpoints.

Security experts can use this suite to correlate threat signals across sources, determine the full impact and scope of a threat, and identify the point of entry and affected components. In addition to providing these insights, Microsoft 365 Defender can perform automatic actions to block an attack and self-heal affected endpoints, user identities, and mailboxes. Several vendors provide a Microsoft SOC that offers managed security services based on Microsoft 365 Defender.

Here are key features of Microsoft 365 Defender:

  • Microsoft Defender for Office 365 – provides threat prevention, detection, investigation, and hunting capabilities for protecting Office 365 resources like email accounts.
  • Microsoft Defender for Endpoint – offers endpoint protection consisting of post-breach detection and automated investigation and response.
  • Microsoft 365 Defender – automatically analyzes threat data across various domains and displays a picture of the attack on a single dashboard view.
  • Microsoft Defender for Cloud Apps – a cross-SaaS and PaaS solution that offers visibility, data controls, and threat protection for cloud apps.

Microsoft 365 Defender APIs can automate security workflows using the advanced hunting tables and a shared incident queue. Here is how it works:

  • Combined incidents queue – helps you group together the full attack scope and impacted assets under the incident API to focus on the critical information. 
  • Cross-product threat hunting – lets you create custom queries to analyze raw data collected across multiple security tools. You can use this feature to leverage all knowledge across the organization to find signs of compromise.
  • Event streaming API – enables you to ship real-time alerts and events in a single data stream while they occur.
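An added example (not Microsoft's code) of the cross-product hunting described above: a KQL query that joins email-attachment hashes with file events on managed devices, run through the advanced hunting API, with the results grouped per hash. The endpoint, request and reply shapes, and the `EmailAttachmentInfo` / `DeviceFileEvents` columns are assumed from the Microsoft 365 Defender API reference; verify them against the current documentation.

```python
"""Cross-product hunting via the Microsoft 365 Defender advanced hunting API.
Added example, not Microsoft's code. Assumed: the /api/advancedhunting/run endpoint,
a {"Query": ...} body, a {"Schema": [...], "Results": [...]} reply, and the
EmailAttachmentInfo / DeviceFileEvents columns used in the query below."""
import json
import urllib.request

# Correlates attachment hashes from the email domain with file writes on endpoints:
# a hit means a mail attachment was later written to disk on a managed device.
ATTACHMENT_ON_DEVICE_KQL = """
EmailAttachmentInfo
| where Timestamp > ago(7d) and isnotempty(SHA256)
| project NetworkMessageId, RecipientEmailAddress, AttachmentSHA256 = SHA256
| join kind=inner (
    DeviceFileEvents
    | where Timestamp > ago(7d)
    | project DeviceName, FileName, SHA256, FileTimestamp = Timestamp
) on $left.AttachmentSHA256 == $right.SHA256
| project RecipientEmailAddress, DeviceName, FileName, AttachmentSHA256, FileTimestamp
"""

def run_hunting_query(token: str, kql: str) -> dict:
    """POST the query with an Azure AD bearer token; returns the parsed JSON reply."""
    req = urllib.request.Request(
        "https://api.security.microsoft.com/api/advancedhunting/run",
        data=json.dumps({"Query": kql}).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)

def devices_per_hash(reply: dict) -> dict:
    """Group result rows by attachment hash -> sorted list of affected device names."""
    out = {}
    for row in reply.get("Results", []):
        out.setdefault(row["AttachmentSHA256"], set()).add(row["DeviceName"])
    return {h: sorted(d) for h, d in out.items()}

# Constructed sample reply (placeholder hashes, not real indicators) so parsing runs offline.
SAMPLE_REPLY = {"Schema": [{"Name": "AttachmentSHA256", "Type": "String"}], "Results": [
    {"RecipientEmailAddress": "alice@example.com", "DeviceName": "ws-01", "FileName": "invoice.xlsm", "AttachmentSHA256": "HASH_A", "FileTimestamp": "2024-01-01T10:00:00Z"},
    {"RecipientEmailAddress": "bob@example.com", "DeviceName": "ws-02", "FileName": "invoice.xlsm", "AttachmentSHA256": "HASH_A", "FileTimestamp": "2024-01-01T11:00:00Z"},
    {"RecipientEmailAddress": "carol@example.com", "DeviceName": "ws-01", "FileName": "notes.pdf", "AttachmentSHA256": "HASH_B", "FileTimestamp": "2024-01-02T09:00:00Z"}]}

if __name__ == "__main__":  # offline demo; live use: devices_per_hash(run_hunting_query(token, ATTACHMENT_ON_DEVICE_KQL))
    print(json.dumps(devices_per_hash(SAMPLE_REPLY), indent=2))
```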

Microsoft 365 Defender Architecture

This diagram illustrates the high-level architecture of Microsoft 365 Defender. 

Image Source: Microsoft

The diagram above illustrates:

  • XDR—provides capabilities including a unified incident queue, automated response to stop attacks, self-healing of compromised devices, user identities, and mailboxes, cross-product threat hunting, and threat analytics.
  • Microsoft Defender for Office 365—secures your organization against malicious threats posed by email messages, malicious links, and collaboration tools. It collects signals from these activities to protect incoming emails and attachments end-to-end, with Exchange Online Protection (EOP) included.
  • Microsoft Defender for Identity—collects signals from servers running Active Directory Federated Service (AD FS) and on-premises Active Directory Domain Services (AD DS). These signals protect your hybrid identity environment, preventing threat actors from using compromised accounts and moving laterally across the environment.
  • Microsoft Defender for Endpoint—collects signals from endpoints and protects your organization’s devices. 
  • Microsoft Defender for Cloud Apps—collects signals from your organization’s cloud apps, identifies sanctioned and unsanctioned cloud apps, and protects your environment’s data flows.
  • Azure AD Identity Protection—evaluates risk data based on a dataset of billions of sign-in attempts to Microsoft services. Identity Protection evaluates the risk of each sign-in to your environment and evaluates Conditional Access policies to determine whether to grant or deny account access.

Palo Alto Cortex XDR vs. Microsoft XDR

Palo Alto Cortex XDR and Microsoft 365 Defender are two leading XDR solutions by highly respected vendors. Both have a similar architecture—Cortex has a set of connectors to Palo Alto security solutions such as Prisma Access and Palo Alto EDR, while 365 Defender integrates with the set of Microsoft security solutions, including Microsoft Defender for Endpoint and Microsoft Defender for Identity.

The key difference is that Palo Alto brings its considerable experience with firewalls. It provides a robust NGFW offering that integrates smoothly with its XDR. Microsoft does provide NGFW capabilities as part of Azure Firewall Premium, but it does not have a comparable on-premises solution, and cannot match the depth and maturity of the Palo Alto offering. Because network monitoring is a crucial part of the data for XDR, Palo Alto provides a more robust ecosystem to support XDR security.

I hope this will be useful as you evaluate the best solution to support your next-generation SOC.