Our blog and video series, “This is How We Do It,” offers a behind-the-scenes, candid exposé of how Palo Alto Networks protects its security operations center (SOC) using its own solutions. This series provides insights into a non-traditional SOC structure vs. a conventional four-tier model. It emphasizes adaptability, cross-training and automation, with a shift toward a consolidated and integrated approach culminating in Cortex XSIAM, Palo Alto Networks' AI-driven SecOps platform.
Hosted by Peter Havens, Cortex product marketing, these frank interviews detail specific use cases and challenges seen in security teams of any size:
Episode 1 features an interview with Devin Johnstone, SOC operations specialist, where he explains managing challenges, such as how the SOC handles a massive volume of daily security alerts, ingesting 56 terabytes of raw log data with over half originating from the cloud. He also shares how the company's philosophy involves cross-training its SOC team in various domains, with significant annual training budgets, and maintaining a nimble and engaged team that leverages technology for efficient coverage.
Through a combination of machine learning and human expertise, Devin and his team reduce the number of critical alerts that require attention. Every alert that enters the SOC undergoes some level of automation, with a goal to automate as many as possible, allowing the team to focus on proactive threat hunting. Devin emphasizes that automation complements their work and doesn't pose a threat to human analysts – their expertise lies in understanding the context of situations and thinking like attackers.
The second episode of "This Is How We Do It" dives into the inner workings of the SOC, again with Devin Johnstone. He and Peter discuss the evolution of the Palo Alto Networks SOC, which started with just two managers and three analysts and has grown to 22 full-time employees today, emphasizing the importance of separating IT and security as organizations mature.
This episode also highlights the unique approach of Palo Alto Networks employing a red team for penetration testing and their collaboration with the SOC to improve defenses. It touches on the significance of artificial intelligence in cybersecurity and the ongoing concern of adversarial attacks. Additionally, Johnstone notes the rise of supply chain attacks and the company's commitment to protecting both itself and its customers from becoming gateways to widespread attacks, mentioning their Unit 42 Threat Intelligence team's role in monitoring threat activity.
In the third episode of "This Is How We Do It," Peter delves into artificial intelligence (AI) and machine learning (ML) with Billy Hewlett, the leader of the Palo Alto Networks AI research team, to explore how Billy and his team are pioneering the development of ML models to combat cyberthreats. Billy's journey in AI security began with his early experiences programming AI systems to protect gamers from trolls in popular video games, ultimately leading to his current focus on using machine learning to identify and thwart malicious activities, including malware and phishing.
The interview points out the exponential growth of malware, which has skyrocketed from around 85 million unique samples in 2012 to over a billion today, necessitating innovative approaches for detection and mitigation. Billy emphasizes the critical role of machine learning in analyzing web page content, images, URLs and other characteristics to identify phishing attempts and other threats at a massive scale that is beyond human capabilities. With the need to assess millions of potential threats daily, the interview underscores the indispensability of machine learning as a tool for effective security, where human experts alone would be impractical.
Furthermore, Peter and Billy discuss how Palo Alto Networks is optimizing machine learning for real-time threat detection in firewalls, minimizing memory usage and enhancing performance. By deploying lightweight models at the edge, the firewall can identify and block malicious activity swiftly without the need for extensive file analysis.
In the fourth episode, Peter interviews Kyle Kennedy, a senior staff security engineer, to examine the pivotal role of automation in the company's security operations. Kyle, who spearheads the automation program, recounts the challenges faced by security analysts before the advent of automation, where a flood of low-fidelity alerts lacking context would lead to laborious, manual work and alert fatigue. Automation emerges as a game-changer, streamlining incident resolution and delivering personalized insights, without seeking to replace human intelligence but rather to enhance analysts' capabilities and data quality. By enriching data and expanding data points, automation empowers analysts to make swift, informed decisions, accelerates incident resolution, and reduces the monotony of repetitive tasks.
The conversation also addresses the transition from complex code-heavy playbooks to a near-no-code automation framework, emphasizing the move from independent playbooks to modularized workflows. This shift enhances clarity, simplifies maintenance and fosters scalability, leading to more efficient automation and sustainable growth. Furthermore, they highlight the extensive integration capabilities and automation packs offered by Cortex XSOAR, along with a free Community Edition to assist users in starting their automation journey.
In the fifth episode of "This Is How We Do It," Peter interviews Isaac Krzywanowski, a staff security engineer, to discuss the intricacies of data pipelining and operational assurance within the company's SOC. Data emerges as the unsung “hero” of cybersecurity, with Isaac responsible for data pipelining and ensuring the SOC has access to timely and relevant information to identify potential threats.
The process of data ingestion takes center stage, encompassing the complex orchestration of collecting data from diverse sources, assessing its relevance, and mapping it onto the Cortex Data Model (XDM) to create a unified framework for effortless analysis. The discussion emphasizes the diverse array of data sources at Palo Alto Networks, ranging from firewall and endpoint detection data to cloud platform information and even unconventional sources like source code repositories.
The role of the Cortex XSIAM platform is pivotal, facilitating the collection of an astounding 50 to 75 terabytes of data daily in various formats from different vendors and partners. Isaac covers the significance of selecting key data sources and the critical practice of operational assurance, ensuring data reliability and rapid response to any potential data issues through real-time alerts and collaboration via the Slack platform. This comprehensive overview sheds light on the fundamental importance of data in cybersecurity and the meticulous processes that safeguard against digital threats.
In Episode 6, Peter sits down with Yoni Allon, VP Research, to explore the pivotal role of artificial intelligence (AI) in enhancing cybersecurity within the company's SOC and beyond. Yoni provides insights into how AI is leveraged to fortify security, addressing contemporary threats and transforming traditional approaches. Yoni begins by defining AI in the context of cybersecurity, emphasizing its capacity to adapt to new data and efficiently handle complex datasets, and distinguishing it from machine learning (ML). AI is highlighted as a powerful tool for analyzing and detecting potential threats that may otherwise go unnoticed. It's emphasized that AI operates not as a standalone solution but as a collaborative effort, combining the expertise of security professionals, data scientists and technology to create a balanced defense.
The interview further explores AI in action, focusing on anomaly detection and risk prioritization within the Cortex suite. Yoni explains that Palo Alto Networks employs supervised learning to improve anomaly detection precision, ensuring a more effective mechanism for identifying malicious activities. Risk prioritization with AI streamlines the investigative process, allowing security analysts to allocate their time more efficiently. The blog also emphasizes the importance of building trust in AI-driven decision making, with each AI model undergoing scrutiny from security experts and data scientists. The Cortex platform provides transparency into the reasoning behind AI-generated scores, enabling analysts to understand and validate the decisions made by AI.
Finally, the conversation includes the evolving landscape of large language models (LLMs) and their potential impact on cybersecurity. While LLMs offer promise in improving aspects like data loss prevention and phishing detection, they also raise concerns, as they can empower attackers to create sophisticated malware.
In the final episode of Season One of "This is How We Do It," Peter interviews Leeroy Perera, a staff security engineer, to talk about the practice of threat hunting and its crucial role in the organization's SecOps. Threat hunting, Leeroy emphasizes, goes beyond generic threat detection and response, focusing on crafting hunts that align with the unique requirements of Palo Alto Networks and safeguarding the company against threats specifically relevant to its environment.
Leeroy clarifies that threat hunting is a hypothesis-driven approach, starting with an idea about potentially malicious activity within the company's environment, which is then transformed into a query using the XQL query language within Cortex XSIAM. This query consolidates various data sets, including endpoint, network and identity data logs, refining the results into a manageable dataset rich with potential threats. This refined dataset is then passed on to security analysts who further investigate and identify potential threats. This collaborative process between threat hunters and analysts is crucial for effective threat hunting and also leads to the creation of custom detection and correlation rules to enhance threat detection capabilities.
Leeroy provides real-world examples of threat hunts, such as focusing on unsigned dynamic-link libraries (DLLs) communicating with new domains, a combination that is highly suspicious. He also considers the behaviors surrounding code access and source code downloading, given Palo Alto Networks' involvement in software development. Cybersecurity practitioners can draw inspiration from this methodology to tailor their strategies to the unique needs of their organizations and ensure a proactive defense against evolving threats.
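To make the hypothesis-driven hunt above concrete, here is an added example (not code from the series or from Palo Alto Networks) that joins constructed endpoint module-load events with network events, the same kind of consolidation Leeroy describes doing in XQL: processes that loaded an unsigned DLL and then contacted a domain absent from a prior baseline are surfaced for analyst review. The record fields, hostnames and domains are all hypothetical.

```python
from collections import defaultdict

# Constructed sample telemetry (hypothetical records, not real Cortex data).
# Endpoint events: which module each process loaded and whether it was signed.
MODULE_LOADS = [
    {"host": "ws01", "pid": 4120, "module": "C:\\Temp\\update.dll", "signed": False},
    {"host": "ws01", "pid": 4120, "module": "C:\\Windows\\System32\\ws2_32.dll", "signed": True},
    {"host": "ws02", "pid": 880, "module": "C:\\Program Files\\App\\core.dll", "signed": True},
    {"host": "ws03", "pid": 2210, "module": "C:\\Users\\j\\helper.dll", "signed": False},
]
# Network events: outbound DNS/HTTP destinations attributed to the same processes.
NETWORK = [
    {"host": "ws01", "pid": 4120, "domain": "cdn-update-check.example", "ts": 100},
    {"host": "ws02", "pid": 880, "domain": "api.vendor.example", "ts": 101},
    {"host": "ws03", "pid": 2210, "domain": "api.vendor.example", "ts": 102},
]
# Baseline of domains seen over an earlier window (constructed); anything
# outside it counts as "new" for the purpose of the hunt.
KNOWN_DOMAINS = {"api.vendor.example", "sso.corp.example"}


def hunt_unsigned_dll_new_domain(module_loads, network, known_domains):
    """Hypothesis: a process that loaded an unsigned DLL and then talked to a
    never-before-seen domain deserves analyst attention.

    Returns one finding per (host, pid, domain) hit, carrying the unsigned
    modules so the analyst has context without re-querying."""
    unsigned = defaultdict(set)
    for ev in module_loads:
        if not ev["signed"]:
            unsigned[(ev["host"], ev["pid"])].add(ev["module"])

    hits = []
    for ev in network:
        key = (ev["host"], ev["pid"])
        if key in unsigned and ev["domain"] not in known_domains:
            hits.append({
                "host": ev["host"],
                "pid": ev["pid"],
                "domain": ev["domain"],
                "unsigned_modules": sorted(unsigned[key]),
            })
    return hits


if __name__ == "__main__":
    for hit in hunt_unsigned_dll_new_domain(MODULE_LOADS, NETWORK, KNOWN_DOMAINS):
        print(hit)
```

In this constructed data only ws01 matches: ws02 loaded nothing unsigned, and ws03 loaded an unsigned DLL but only contacted a baselined domain, which is exactly the kind of noise the join removes before results reach analysts.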
Thanks for watching and reading. Stay tuned for Season 2!