Next-Generation Cyber Risk Management - OMNIA Partners

Transcription

Next-Generation Cyber Risk Management
Palo Alto Networks Support for the NIST Cybersecurity Framework

The national and economic security of the United States increasingly depends on the reliable function of cyber-dependent critical infrastructure. In 2013, the president issued Executive Order 13636, directing the US National Institute of Standards and Technology (NIST) to develop a voluntary Cybersecurity Framework (CSF) based on existing standards, guidelines, and practices for reducing cyber risk to critical infrastructure. Since the release of CSF 1.0 in February 2014, organizations worldwide have implemented the framework to help them better understand and manage cyber risk. To stay current with evolving threats and risk mitigation strategies, an updated framework, CSF version 1.1, was released in April 2018. This update provides additional guidance on authentication and identity, self-assessing cybersecurity risk, managing cybersecurity within the supply chain, and addressing vulnerability disclosure.

Palo Alto Networks Next-Generation Cyber Risk Management Brief

Why Use the Cybersecurity Framework?

The CSF can be applied to businesses of all sizes, across regions and industries, and is being incorporated into national risk frameworks around the globe. Given its proven ability to aid in risk management and reduction, some industries have even begun to mandate its implementation. The White House issued an executive order in May 2017 requiring all federal agencies to immediately begin using the CSF to assess and manage cyber risk to protect critical infrastructure in their enterprises.

Designed to foster positive and productive risk and cybersecurity management dialogue among internal and external business stakeholders, the CSF provides a common language for all appropriate teams, spanning IT, operations, security, finance, the C-suite, and boards of directors. Based on this open dialogue, organizations can more effectively quantify risk and prioritize investments to mitigate it.

How Palo Alto Networks Supports the CSF

Palo Alto Networks aligns with the CSF’s primary directive of enabling critical infrastructure operations to effectively identify, manage, and reduce cyber risk. Rooted in prevention, the Palo Alto Networks product portfolio is natively integrated to counter cyberattacks before they manifest in an organization’s environment. With full visibility into traffic across their networks, endpoints, and clouds, organizations can prevent cyberattacks based on how or where applications and data reside or are being used. This allows critical infrastructure organizations to identify the most serious ongoing threats to key operations and reduce overall cybersecurity risk.

Reducing cyber risk requires having integrated, automated, and effective controls in place to detect and prevent threats, both known and unknown, at every stage of the attack lifecycle. Palo Alto Networks provides key capabilities to enable the prevention of successful cyberattacks while empowering enterprises with best-in-class detection, investigation, automation, and response capabilities, as indicated in figure 1. Platform components offer core functionalities that support the five pillars of the CSF: Identify, Protect, Detect, Respond, and Recover. The Palo Alto Networks product portfolio maps to 19 of the 23 CSF version 1.1 categories.

Figure 1: Pillars of the Security Operating Platform

Palo Alto Networks Mapping to the NIST Cybersecurity Framework

Table 1: Identify (ID)

| Category | Subcategory | Palo Alto Networks | Products and Subscriptions |
|---|---|---|---|
| Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy. | ID.AM-2: Software platforms and applications within the organization are inventoried | Palo Alto Networks can support this requirement with our native App-ID technology. Multiple identification techniques are used to determine the exact identity of applications traversing your network. Applications using encryption or that attempt to masquerade as legitimate traffic are also correctly identified, assisting with the inventory process. In addition, Prisma SaaS is a multi-mode cloud access security broker (CASB) service that allows you to govern sanctioned SaaS application usage across all users in your organization and prevent the risk from breaches and … | … Prisma Access, Prisma SaaS |
| | ID.AM-3: Organizational communication and data flows are mapped | Palo Alto Networks App-ID enables visibility into the applications on the network, so you can learn how they work and understand their behavioral characteristics and their relative risk. This application knowledge allows you to create and enforce security policy rules to enable, inspect, and shape desired applications and block unwanted applications. When you define policy rules to allow traffic, App-ID begins to classify traffic without any additional configuration. This mapping is key to creating Zero Trust networks. | Next-Generation Firewall, VM-Series, Prisma Access |
| Business Environment (ID.BE): The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions. | ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations) | Palo Alto Networks provides a redundant and highly available architecture to maintain continuous security for your organization’s services and infrastructure. Physical and virtualized firewalls can be purchased and configured with redundant components and configurations. When Prisma Access deploys corporate access nodes or security processing nodes in a location, the nodes operate by default in a high availability active/passive design. You can configure both service connections and remote network connections to use a secondary WAN IPsec tunnel, and a second internet connection on your on-premises device to use the secondary WAN. If the primary WAN IPsec tunnel fails, the secondary WAN IPsec tunnel takes over as the active tunnel. This design uses an active/passive method. | Next-Generation Firewall, VM-Series, Prisma and Cortex cloud-delivered applications and services |
| Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk. | ID.GV-4: Governance and risk management processes address cybersecurity risks | Palo Alto Networks offers Prisma Cloud, a cloud native security platform that provides comprehensive visibility, threat prevention, compliance assurance, and data protection in a consistent manner across multi-cloud environments. Prisma SaaS also provides governance for SaaS application data and usage regardless of whether the owner is an internal or an external user, or whether they use an organization’s managed endpoints, a personal device, or an endpoint managed by another organization. Because it connects directly to your sanctioned SaaS applications through the application’s API, Prisma SaaS even provides governance to data stored in the application before the deployment of the service. | Prisma Cloud, Prisma SaaS |

Table 1: Identify (ID) (continued)

| Category | Subcategory | Palo Alto Networks | Products and Subscriptions |
|---|---|---|---|
| Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals. | ID.RA-1: Asset vulnerabilities are identified and documented | Vulnerability Protection Profiles are used to stop attempts to exploit system flaws or gain unauthorized access to systems. All attempts to exploit a vulnerability are documented. | Prisma Cloud, Prisma Access, Threat Prevention, WildFire, Cortex XDR Pro, Next-Generation Firewall |
| | ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources | Cortex XSOAR threat intelligence platform allows the aggregation of intelligence between trusted organizations to simplify the collection and correlation of intelligence data. In addition, the AutoFocus service enables you to easily identify critical attacks so that you can triage effectively and take action without requiring additional security resources. AutoFocus correlates threat data from your network, industry, and global intelligence feeds, and surfaces what’s most important. Our FedRAMP-authorized, cloud-delivered malware service, WildFire, enables automated sharing of threat signatures so all stakeholders can benefit from threats discovered across all organizations and globally. | WildFire, AutoFocus |
| | ID.RA-3: Threats, both internal and external, are identified and documented | Features of our offering identify and prevent threats across the full attack lifecycle. Threat prevention is accomplished via the capabilities of our Next-Generation Firewall, including IPS, malware protection, and URL Filtering, to block known command-and-control traffic. WildFire malware prevention service identifies zero-day exploits and unknown malware utilizing our dynamic sandbox analysis environment. | Cortex XDR, Cortex Data Lake, Prisma Access, URL Filtering, Threat Prevention, WildFire, Prisma SaaS, DNS Security, AutoFocus |
| Supply Chain Risk Management (ID.SC): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks. | ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders | On February 4, 2020, the NIST published its case study on Palo Alto Networks supply chain best practices. See NIST Cyber Supply Chain Risk Management (C-SCRM) Publication here. | |

Table 2: Protect (PR)

| Category | Subcategory | Palo Alto Networks | Products and Subscriptions |
|---|---|---|---|
| Identity Management, Authentication and Access Control (PR.AC): Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions. | PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes | Palo Alto Networks supports this requirement with User-ID on our Next-Generation Firewalls and Prisma Access, which can restrict access to devices for only authorized users and further restrict access to specific applications on those authorized devices. In addition, credential phishing prevention works by scanning username and password submissions to websites and comparing those submissions against valid corporate credentials. | Next-Generation Firewall, Prisma Access, VM-Series |
| | PR.AC-3: Remote access is managed | Palo Alto Networks allows remote access to authorized users and to authorized destinations via the use of Prisma Access or GlobalProtect network security for endpoints. The Prisma Access service helps you deliver consistent security to your remote networks and mobile users. GlobalProtect extends the protection of our Next-Generation Firewalls to your mobile workforce. Security policies and full threat prevention are enforced consistently for remote access with no gap in coverage. | Prisma Access, GlobalProtect |
| | PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties | Palo Alto Networks supports management-access segmentation to enforce separation by functional or regional areas, as well as administrator-based commits in change control and the ability to revert individual changes as necessary. | Panorama, Prisma Access, Next-Generation Firewall |
| | PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation) | In addition to securing Trusted Internet Connections (TIC) and data centers, Palo Alto Networks is addressing the increasingly pervasive nature of lateral attacks and data exfiltration techniques. Through network segmentation via our Next-Generation Firewalls, we can further reduce the attack surface with a zone-based Zero Trust approach to protecting sensitive information. | Next-Generation Firewall, VM-Series |
| | PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions | User identity, as opposed to an IP address, is an integral component of an effective security infrastructure. Knowing who is using each of the applications on your network, and who may have transmitted a threat or is transferring files, can strengthen security policies and reduce incident response times. User-ID technology, a standard feature on Palo Alto Networks firewalls, enables you to leverage user information stored in a wide range of repositories. | Next-Generation Firewall, VM-Series |
| | PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks) | Palo Alto Networks provides support for MFA vendors through application content updates. MFA vendor API integrations are supported for end-user authentication through Authentication Policy. For remote user authentication to GlobalProtect Portals or Gateways, or for administrator authentication to the PAN-OS or Panorama network security management web interface, you can use MFA vendors supported through RADIUS or SAML. Administrators authenticate to access the web interface, CLI, or XML API of the firewall and Panorama. End users authenticate through Captive Portal or GlobalProtect to access various services and applications. You can choose from several authentication services to protect your network and accommodate your existing security infrastructure while ensuring a smooth user experience. If you have a public key infrastructure, you can deploy certificates to enable authentication without users having to manually respond to login challenges (see Certificate Management). Alternatively, or in addition to certificates, you can implement interactive authentication, which requires users to authenticate using one or more methods. | Next-Generation Firewall, VM-Series, Prisma Access |

Table 2: Protect (PR) (continued)

| Category | Subcategory | Palo Alto Networks | Products and Subscriptions |
|---|---|---|---|
| Awareness and Training (PR.AT): The organization’s personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity-related duties and responsibilities consistent with related policies, procedures, and agreements. | PR.AT-2: Privileged users understand their roles and responsibilities | Palo Alto Networks WildFire: U.S. Government cloud is a high-security malware analysis platform that is Federal Risk and Authorization Management Program (FedRAMP) authorized. This WildFire cloud environment is intended for use only by US federal agencies that require a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. WildFire meets NIST 800-53 rev4 Moderate requirements. Prisma Cloud, Cortex XDR, and Cortex Data Lake have reached FedRAMP In Process status. | WildFire, Cortex XDR, Cortex Data Lake |
| | PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities | The Palo Alto Networks WildFire: U.S. Government cloud is a high-security malware analysis platform that is Federal Risk and Authorization Management Program (FedRAMP) authorized. This WildFire cloud environment is intended for use only by US federal agencies that require a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. WildFire meets NIST 800-53 rev4 Moderate requirements. Prisma Cloud, Cortex XDR, and Cortex Data Lake have reached FedRAMP In Process status. | WildFire, Cortex XDR, Cortex Data Lake |
| Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information. | PR.DS-1: Data-at-rest is protected | Palo Alto Networks can support the protection of data at rest using a Zero Trust approach to restricting access using the App-ID and User-ID technology features of our Next-Generation Firewalls. Prevention of unauthorized access to data is a primary function of our platform. Additionally, to ensure that snapshots and other data at rest are safe, Prisma Cloud uses AWS Key Management Service (KMS) to encrypt and decrypt the data. Prisma SaaS provides visibility into stored data and historical activities so you can explore and investigate them on demand. Because visibility also extends into the access logs, you can see who accessed your data and when, even if the users were external. | Next-Generation Firewall, Prisma Cloud, Prisma SaaS |
| | PR.DS-2: Data-in-transit is protected | Palo Alto Networks protects data in transit as it traverses either the Trusted Internet Connection (TIC)/Gateways, data center, or network segments protected with our Next-Generation Firewall using IPsec tunnels, User-ID, App-ID, Content-ID, and zone-based methods. Using our Prisma Cloud technology, data in transit is also protected using a TLS connection at the Elastic Load Balancer (ELB) and secured between components within the data center using an internal certificate until it is terminated at the application node. This ensures that data in transit is encrypted using SSL. | Next-Generation Firewall, VM-Series, Prisma Cloud |
| | PR.DS-4: Adequate capacity to ensure availability is maintained | Palo Alto Networks products may scale elastically in virtual environments and cloud infrastructure based upon actual workload demands. | Prisma Cloud, Prisma Access, Prisma SaaS, Cortex XDR, Cortex Data Lake, WildFire, AutoFocus, VM-Series |
| | PR.DS-5: Protections against data leaks are implemented | Palo Alto Networks employs a number of techniques across each stage of the attack lifecycle to help prevent data from being exfiltrated from your protected network. In addition to blocking known malware and command-and-control destinations by DNS or URL, we also inspect and can stop traffic that violates data and regulatory compliance policies, credential theft due to phishing attempts, or attempts to hide threats using encryption. | Prisma Access, Prisma SaaS, DNS Security, URL … |

Table 2: Protect (PR) (continued)

| Category | Subcategory | Palo Alto Networks | Products and Subscriptions |
|---|---|---|---|
| Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information. | PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity | Palo Alto Networks provides checksum values (both MD5 and SHA-256) for all software downloads, including dynamic updates, so that file integrity can be confirmed. | Next-Generation Firewall, Prisma Cloud, Prisma SaaS |
| | PR.DS-7: The development and testing environment(s) are separate from the production environment | Palo Alto Networks supports the requirements to keep development and testing environments separate using our Next-Generation Firewall to segment traffic between zones in order to restrict or completely deny traffic as required. | Next-Generation Firewall, VM-Series |
| | PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity | Palo Alto Networks products have been validated against FIPS 140-2. Palo Alto Networks provides hardware FIPS kits that include tamper-evident seals and opacity shields installed as indicated in the NIST Security Policy. The multi-chip standalone modules are production-quality and contain standard passivation. Chip components are protected by an opaque enclosure. Tamper-evident seals are applied to modules by the Crypto Officer to prevent removal of the opaque enclosure without evidence. | See Palo Alto Networks Technical Certifications |
| Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets. | PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality) | Zingbox IoT Guardian automates the IoT lifecycle through device onboarding, provisioning, security, management, and safe device removal. The Panorama management server provides centralized monitoring and management of multiple Palo Alto Networks Next-Generation Firewalls, providing a single solution from which you can oversee all IT/OT applications and devices. | Next-Generation Firewall, VM-Series, Zingbox, Panorama |
| | PR.IP-2: A System Development Life Cycle to manage systems is implemented | DevOps teams are challenged to deliver solutions as fast as possible, without compromising on security, compliance, and quality of code. Prisma Cloud’s powerful CI/CD capabilities allow developers to see vulnerability status every time they run a build, without having to run a separate tool. Security teams can set policies that act as quality control gates. DevSecOps introduces a security-focused mindset and best practices into traditional DevOps processes. Security decisions become an integral part of the workflow without sacrificing speed or slowing down development. | Prisma Cloud |
| | PR.IP-3: Configuration change control processes are in place | Palo Alto Networks supports the implementation of a robust change control process. Granular role-based administrator-level control and the ability to document and revert individual changes allow precise control and restriction of administrator capabilities as necessary to comply with change control processes. | Next-Generation Firewall, Panorama, Prisma Cloud, Prisma Access |
| | PR.IP-4: Backups of information are conducted, maintained, and tested | Panorama network security management supports the ability to schedule or manually export up to 100 versions for each firewall. Configurations can also have scheduled exports to FTP or SCP servers to ensure backup integrity. Restores can easily be tested and reverted as needed to comply with policy. | Panorama |

Table 2: Protect (PR) (continued)

| Category | Subcategory | Palo Alto Networks | Products and Subscriptions |
|---|---|---|---|
| Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets. | PR.IP-7: Protection processes are improved | Palo Alto Networks threat intelligence products and services work with technology partners and customers to automate identification of known threats for all. Protections against all previously unknown advanced persistent threats and zero-day attacks are automatically distributed to all customers in as few as five minutes, ensuring that our platform is always learning and improving. Cortex XDR and XSOAR simplify deployment and reduce infrastructure and operational overhead by leveraging AI-based continuous security operations. | WildFire, Cortex XDR, AutoFocus, DNS Security, Threat Prevention, Cortex XSOAR |
| | PR.IP-8: Effectiveness of protection technologies is shared | AutoFocus provides instant access to the massive repository of Palo Alto Networks threat intelligence crowd-sourced from the largest footprint of network, endpoint, and cloud intel sources. The combination of Cortex Data Lake and Panorama management delivers an economical, cloud-based logging solution for Palo Alto Networks Next-Generation Firewalls. Also, WildFire (FedRAMP) automatically stops the latest threats targeting government agencies with real-time data from the industry’s largest threat sharing community. | Cortex XDR, Cortex Data Lake, AutoFocus, Panorama, WildFire |
| | PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening) | Palo Alto Networks supports the automation of HR activities using built-in features such as User-ID, which leverages account information stored in a range of enterprise directories. By taking advantage of security policies based on individual user or account groups, we can automatically restrict access to network resources based on account and during HR deprovisioning. | Next-Generation Firewall, VM-Series |
| | PR.IP-12: A vulnerability management plan is developed and implemented | As part of a comprehensive vulnerability management plan, Palo Alto Networks can automatically prevent threats using the latest threat intelligence. Cortex XDR provides full protection regardless of vulnerabilities by focusing on the exploit techniques today’s attackers use, as opposed to relying on static virus definitions that are ineffective against today’s dynamic attacks. As a core element of our cloud-delivered malware prevention service, WildFire is a large distributed sensor system that identifies and prevents unknown threats, with tens of thousands of subscribers contributing to the collective community. With a combination of our NGFW and threat prevention subscription, you’ll be able to defend your network against both commodity threats—which are pervasive but not sophisticated—and targeted, advanced threats perpetrated by organized cyber adversaries. | Next-Generation Firewall, Threat Prevention, WildFire, Cortex XDR |

Table 2: Protect (PR) (continued)

| Category | Subcategory | Palo Alto Networks | Products and Subscriptions |
|---|---|---|---|
| Maintenance (PR.MA): Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures. | PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access | The Panorama management server provides centralized monitoring and management of multiple Palo Alto Networks Next-Generation Firewalls and of WildFire appliances and appliance clusters. It provides a single location from which you can oversee all applications, users, and content traversing your network, so you can use this knowledge to create application enablement policies that protect and control the network. Using Panorama for centralized policy and firewall management increases operational efficiency in managing and maintaining a distributed network of firewalls. Panorama implements Role-Based Access Control (RBAC) to enable you to specify the privileges and responsibilities of administrators. The service supports Local Authentication that the firewall provides or External Authentication Services. The authentication also defines options such as Kerberos single sign-on (SSO), multi-factor authentication and SAML 2.0. | Panorama, GlobalProtect, Prisma Access |
| Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements. | PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy | Cortex XDR is the industry’s only prevention, detection, and response platform that runs on fully integrated endpoint, network, and cloud data. The combination of Cortex Data Lake and Panorama delivers an economical, cloud-based logging solution for Palo Alto Networks Next-Generation Firewalls. The Log Forwarding app enables you to share your data with third-party tools like security information and event management (SIEM) systems to power use cases such as data archiving and log retention for compliance. | |
| | PR.PT-2: Removable media is protected and its use restricted according to policy | Cortex XDR Pro can protect against removable media by restricting execution of files from such devices. | Cortex XDR Pro |
| | PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities | Palo Alto Networks supports this requirement with the Next-Generation Firewall, using zone-based controls to provide network segmentation. By establishing Zero Trust boundaries that effectively compartmentalize different segments of the network, you can protect critical intellectual property from unauthorized applications or users, reduce the exposure of vulnerable systems, and prevent the lateral movement of malware throughout your network. | Prisma Access, Next-Generation Firewall, VM-Series |
| | PR.PT-4: Communications and control networks are protected | Palo Alto Networks can support the protection of communications and control networks by taking a Zero Trust approach to restricting access, using App-ID and User-ID on our Next-Generation Firewall. Prevention of unauthorized access to data and network segmentation are primary functions of our platform that allow protection and isolation between networks. | Next-Generation Firewall, VM-Series, Prisma Access |
| | PR.PT-5: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations | Palo Alto Networks firewalls and Panorama are capable of operating in both active/active and active/passive high availability modes of operation. In either mode, constant synchronization ensures both systems share the same configuration and state in order to seamlessly continue operation in the event of a system, link, or network failure. In active/active, both firewalls in the pair remai | |
