Palo Alto Networks Reimagines the Modern SOC With Intelligent Automation

Palo Alto Networks provided more details on Nov. 2 about its new integrated Security Operations Center (SOC) platform that the company said “harnesses machine intelligence and automation to radically improve security outcomes and transform the manual SecOps model.”

In February, the company said Cortex Extended Security Intelligence & Automation Management (XSIAM) turns widespread infrastructure telemetry into an intelligent data foundation to fuel best-in-class artificial intelligence (AI) and dramatically accelerate threat response. Built from the ground up as an autonomous security platform, XSIAM will disrupt the multibillion dollar SIEM category by offering a modern alternative that can stay ahead of today’s threat landscape, the company said at the time.

Noting that the company previously “teased it a little bit in February with a pre-announcement,” Lee Klarich, chief product officer at Palo Alto Networks, said during “The Modern SOC, Reimagined,” a virtual launch event Nov. 2 for Cortex XSIAM: “That kicked off a design partner program that’s been running for the last several months.”

“Today we’re here to formally and fully launch XSIAM to all of you, and I could not be more excited about what XSIAM means to the industry, means to cybersecurity, and means to how we’re going to revolutionize security operations,” he said.

Taking a step back to put this in context, he said: “The easiest way that I know to do this is to ask you a question. Have you ever wondered why it is that every time there’s a data breach, we as an industry are always able to figure out how it happened? Now that might not make complete sense, so let me add one more piece to this. Isn’t it odd that given we’re able to do that, that we’re not able to use that data in real time to detect and prevent these attacks from ever happening?”

That, he told attendees, is “the question that I think we, the industry, need to solve. Now, to solve a problem, we have to understand the problem. So why is it that that challenge exists? I believe it can be summarized very simply. While there is a ton of data that is accessible after the fact, that data never actually comes together. It is collected and put into silos, and those silos do not come together in a way that allows the SOC analyst, the SOC in general, even machines and machine learning models, to be able to make sense of it.”

As a result, he said, “what you see here is basically the typical SOC being overrun by alerts, by time to investigate, by dwell time of the attack and all of this leads to a general outcome which is not very good. And it’s not the SOC’s fault. You’ve never been given the tools that can appropriately solve this problem.”

Therefore, he explained: “I believe it’s time to reimagine the SOC and specifically to reimagine the SIEM as something completely different and better: Just like we’ve done in network security, just like we’ve done in infrastructure and data centers moving to cloud, just as we’ve done with traditional endpoints moving to EDR and XDR, it is time to revolutionize the SIEM as well.”

It’s ‘Complicated’

Noting that he has been in this sector for several years, with multiple companies, Bruce Schneier, security technologist and guru, recalled: “Again and again, we found that the whole notion of a SOC, the notion of response, is complicated. A lot of companies can’t do it. When they can do it, they’re never doing it right. There’s technologies, it’s training, it’s crisis. This is really freaking hard. And no matter how much we try to help, it’s still really hard.”

Klarich agreed with him, adding: “There’s been a lot of work done over the last several years to try to bring automation to the SOC and multiple different companies and different approaches and I feel like … this is still an area that is challenging to get right and very few companies are truly getting it right.”

The problem Schneier said he keeps running into with attack detection is false alarms. “This is tough for a SOC analyst if you get alert after alert and they’ve been false alarms for the past four months. Every last one. The next one that’s real you’re not going to notice it. And so how do I use automation to limit what the analyst sees so they only see the things that their computer truly doesn’t understand?”

The computer, after all, “can’t tell if this is a real attack or you’re doing a software build…. But you probably do, or at least you know who to call,” added Schneier.

Today, AI “requires a lot of data” that Klarich said is “machine readable data, not necessarily human readable data.”

The product that in nearly “every SOC serves as the foundation is the SIEM but the SIEM was built 15-20 years ago,” Klarich pointed out, adding it was “built around this notion of how do we take human readable alerts and present them to a SOC analyst to look at, which is a completely different architecture and different construct than bringing in machine data for AI to process.”

At this point, he asked, “is it even worth trying to just incrementally patch something built and architected 20 years ago or are we in for a revolutionary approach to this?”

“My guess is revolutionary,” responded Schneier. Back in 1997, the “big problem was you get all that data and you have to filter it down in multiple steps, filter it down from the network to the SOC, from the SOC to the human, and … if you’re doing some kind of machine analysis, you want all the data to get to the AI, to the machine learning system.”

It is important to keep in mind that AI systems “don’t think like people do,” Schneier pointed out. “AIs would rather have all the raw data,” he said, adding that it “sounds like it’s an easier job [to], instead of multiple levels of filtering, just ship it all.” But he predicted there was going to be a “rethinking on what is shipped and what’s important.”

We now “have a lot of data on what attacks look like,” Schneier noted, adding: “If you have a SIEM company or [are] running any kind of instant response platform, you have data on the stuff that happened and whether it was an attack or not, what they did, whether it worked. There’s a lot there. I mean, it’s kind of sloppy, but remember, machine learning doesn’t mind sloppy.”

Therefore, he added: “I think we need to rethink the system, to give maximal data to the machine learning systems rather than minimal data to the human systems.”

Now there is “automation as a tool to help with that,” said Klarich, adding: “I suspect AI potentially can play a role in that as well.”

In response, Schneier said he was “quite optimistic on how AI can affect the attack-defense balance.”

Schneier went on to say that, with the current technology, “we’re expecting a lot: We’re expecting SOC analysts to be on constant alert, which is impossible; to respond in real time, which is impossible; to understand what’s going on immediately, which is impossible.”

Today, with the cloud and the size of networks, “the amount of data is going to change everything” also, said Schneier, adding: “We want to give humans the trickle and then give computers the fire hose, and it’s that interface between humans and computers that’s the one we need to get right.”

The way in which the industry thinks about incidents and incident response had already changed between the early 2000s and 2014, Schneier noted.

“Here we are in 2022 … and, again, we’re going to have to rethink this,” according to Schneier. “Fundamentally that computer human linkage changes because the computers are changing and the same stuff that worked [a few years ago] doesn’t work well today,” he added.

Klarich called that a “fantastic summary of the challenge that the SOC is facing [and] the industry is facing in trying to address these challenges.”

The Solution

“Now it’s time to roll up the sleeves [and] talk about how we actually solve these monumental challenges,” Klarich went on to say. “I’ll tell you the good news up front. They are solvable but they’re only solvable if we take a truly new and different and innovative approach.”

“And that’s exactly what XSIAM has done,” he said, noting Cortex XSIAM goes a long way towards addressing the challenges.

It was important, he said, to turn “the entire approach on its head,” adding: “If you think about how the SIEM and in general, most tools in the SOC have been designed in the past, they [were] designed for the analyst to be the intake … and [focused] on human readable alerts. Well, that’s a tiny amount of the data that comes in. But when the analyst is the front end of this process, that’s all they can take in. And so the detection, the investigation, the analytics, the automation, all of that is built on this small amount of alerts coming in that have been pre-processed and pre-filtered and pre-prioritized for the analyst to look at.”

And that, he said, was “not sufficient,” explaining: “We have to flip this on its head, and we have to think of machines and automation and machine learning and AI being the front end of this process in feeding it massive amounts of data. And, based on that, then running our detection engines, running our investigation capabilities, running our response capabilities on top of those analytics and automation. And then the analyst is there to supervise this. They’re there to make the hard decisions. They’re there to look at the data that doesn’t make any sense. And so, in that model, you have to build a completely different foundation for a platform that approaches it this way. And so with XSIAM that’s exactly what we did.”

Palo Alto Networks “started with an assumption that we would have to collect huge amounts of data, intelligent data, useful data – not just alerts, not just logs, but going beyond that and pulling data from endpoints, data from the network, data from identity systems, data from the cloud,” he said.

“Using that as the foundation for analytics and as the foundation for analytics, it means we actually have to normalize it, understand it, stitch it together so that when our machine learning models and our AI models are processing it, they’re not processing it independently,” he said.

He added: “They’re processing it with [the] understanding of how it all relates to each other. Imagine how much more intelligent we can be if we can stitch events of a user connecting to an application and authenticating to a system, and then responding to a push notification and then changing their behavior with the application and downloading a file, connecting to a website, and connecting all of that together such that when we see a command indication of command and control, we have the full context to drive the detection, the investigation, and the response capabilities.”
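The normalize-then-stitch idea Klarich describes, as an added illustration that is not Palo Alto Networks' code and says nothing about how XSIAM is actually built: records from three sources with different field names are mapped to one schema, grouped into per-user sessions, and only a session that contains a command-and-control indicator is surfaced, carrying its full context chain. The sample records, source names and field names are constructed for the example.

```python
from collections import defaultdict

# Constructed raw telemetry from three sources, each with its own field names
# (made-up sample data, not output of any real product).
RAW = [
    {"src": "identity", "ts": 1, "principal": "alice", "event": "auth_ok", "info": "vpn login"},
    {"src": "identity", "ts": 2, "principal": "alice", "event": "mfa_push", "info": "approved"},
    {"src": "endpoint", "ts": 3, "host_user": "alice", "op": "file_write", "path": "invoice.xlsm"},
    {"src": "endpoint", "ts": 4, "host_user": "alice", "op": "proc_start", "path": "excel.exe -> powershell.exe"},
    {"src": "network", "ts": 5, "uid": "alice", "kind": "dns", "dst": "cdn-update.example.test"},
    {"src": "network", "ts": 6, "uid": "alice", "kind": "c2_indicator", "dst": "cdn-update.example.test"},
    {"src": "identity", "ts": 7, "principal": "bob", "event": "auth_ok", "info": "vpn login"},
    {"src": "network", "ts": 8, "uid": "bob", "kind": "dns", "dst": "mail.example.test"},
]

# Per-source field map: which raw fields hold the user, the action and the detail.
SCHEMA = {
    "identity": ("principal", "event", "info"),
    "endpoint": ("host_user", "op", "path"),
    "network": ("uid", "kind", "dst"),
}


def normalize(raw):
    """Map every source into one schema so later stages need no per-source logic."""
    out = []
    for r in raw:
        user_f, action_f, detail_f = SCHEMA[r["src"]]
        out.append({"ts": r["ts"], "src": r["src"], "user": r[user_f],
                    "action": r[action_f], "detail": r[detail_f]})
    return sorted(out, key=lambda e: e["ts"])


def stitch(events, window=10):
    """Group normalized events into per-user sessions; a gap larger than window starts a new one."""
    sessions = defaultdict(list)
    for e in events:
        chains = sessions[e["user"]]
        if not chains or e["ts"] - chains[-1][-1]["ts"] > window:
            chains.append([])
        chains[-1].append(e)
    return sessions


def incidents(raw, window=10):
    """Surface only sessions that contain a C2 indicator, each with its full stitched context."""
    found = []
    for user, chains in stitch(normalize(raw), window).items():
        for chain in chains:
            if any(e["action"] == "c2_indicator" for e in chain):
                found.append({"user": user, "context": chain})
    return found
```

Bob's login and DNS lookup never reach the analyst; Alice's C2 beacon does, but arrives with the login, MFA approval, macro-enabled download and child process that preceded it rather than as an isolated alert.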

At the same time, “across all of this, we have to think about automation [and] an automation-first mindset,” he pointed out. “And what this means is everywhere that something is happening manually, can we reimagine it to either be automated or use automation to assist a human function?”

We also must “think about this in a much more proactive way,” he said. “I think if you were to ask 10 SOC analysts my guess is nine out of 10, if not 10 out of 10, would basically describe their job as responding. They are responding to stuff – something bad happened [and] they’re trying to figure it out.”

He conceded “obviously that has to happen.” But he asked: “Can we do a good enough job with the analytics and the automation to actually free the SOC up to be more proactive, to actually start doing more threat hunting to make that actually a bigger part of the SOC analyst job even than the reactive work to start looking [at] attack surfaces proactively and thinking about how to patch things before an attacker even realizes that they might have an opportunity to take advantage of something that’s misconfigured, open, whatever it happens to be”?

Palo Alto Networks had to “make the proactive side of the SOC actually start to outweigh the reactive side of the SOC,” he said, concluding: “Only this way do we really get ahead of attacks. [Only] this way do we really start to have the SOC be a prevention capability, not just a respond to bad stuff capability.”