Palo Alto Networks has released next-generation firewall (NGFW) software that integrates machine learning to help protect enterprise traffic to and from hybrid clouds, IoT devices and the growing numbers of remote workers.

The machine learning is built into the latest version of Palo Alto's firewall operating system, PAN 10.0, to prevent signatureless attacks in real time and to quickly identify new devices, in particular IoT products, with behavior-based identification.

NGFWs include traditional firewall protections like stateful packet inspection but add advanced security judgments based on application, user and content.

"Security attacks are continually morphing at a rapid pace and traditional signature-based security approaches cannot keep up with the millions of new devices, running a variety of operating systems and software stacks, coming on the network," said Anand Oswal, senior vice president and GM at Palo Alto. "IoT devices, which are growing exponentially, exacerbated that issue because they have so many of their own different agents, patches and OSes that it's impossible to set security policies around them."

Oswal said the ML in the new NGFW uses inline machine-learning models to identify variants of known attacks as well as many unknown cyberthreats, preventing up to 95% of zero-day malware in real time.

As it collects telemetry information from the network and combines it with existing Palo Alto data, the firewall can learn behaviors, recognize trends and recommend appropriate security policies, Oswal said.

In addition, PAN 10.0 includes over 70 new features, including the ability to more fully deploy decryption, prevent DNS attacks and support Transport Layer Security (TLS) 1.3.

Supporting ML is key to staying ahead of the threat curve, experts said.

"It is very important for us to apply ML when you start collecting huge amounts of data about your network," said Sreeni Kancharla, vice president and CISO of Cadence Design Systems, an electronic design-automation software and engineering-services company, speaking at the Palo Alto PAN 10 introduction. It's important to get a faster response time to threats without making the security environment more complex, Kancharla said.

Support for IoT security

On the IoT front, PAN 10.0 supports a subscription service that targets IoT systems.

"IoT devices present unique challenges for security teams. They are connected to an enterprise's central network, yet they are generally unmanaged," Oswal said. "For the most part, they are also unregulated, shipped with unknown or unpatched vulnerabilities, and often their useful life exceeds their supported life."

Oswal noted a recent Palo Alto Unit 42 IoT threat report that said 57% of IoT devices are vulnerable to medium- or high-severity attacks, and 98% of all IoT-device traffic is unencrypted. Unit 42 is the vendor's threat-research arm.

The IoT service is based on cloud-based IoT discovery, identity and security technology Palo Alto bought with Zingbox last year for $75 million.

"We have enhanced Zingbox's technology with Palo Alto Networks App-ID technology [which identifies applications traversing the firewalls], letting it automatically discover new IoT devices, assess risks and convert the learnings into policies that secure IoT," Oswal said.

Protecting Kubernetes

PAN 10.0 also homes in on protecting another hot enterprise technology: Kubernetes containers. A containerized version of the NGFW, called the CN-Series, is aimed at protecting container-based resources.

According to Palo Alto, the package includes container-protection technologies acquired from Twistlock and microsegmentation capabilities from Aporeto. The CN-Series offers Layer 7 visibility into container traffic and vulnerability protection for inbound, east-west and outbound traffic. In addition, URL filtering can be used to prevent cloud-native applications from connecting to potentially malicious websites or code repositories.

CN-Series can deliver NGFW protection no matter where apps are hosted. In an on-prem data center, this can be Kubernetes or Red Hat OpenShift. In a public cloud, protection covers Kubernetes and Red Hat OpenShift, but also Google Kubernetes Engine (GKE), Azure Kubernetes Service (AKS) and Amazon's Elastic Kubernetes Service (EKS), according to Palo Alto.

PAN-OS version 10.0 is expected to be available in mid-July and can be delivered as software, an appliance or a cloud service. It is also part of Palo Alto's overarching cloud-based security package, Prisma, which includes access control, advanced threat protection, user behavior monitoring and other services that promise to protect enterprise applications and resources.