Join experts from Kuppinger Cole Analysts and Palo Alto Networks as they discuss why automating as much as possible and providing information to enable analysts to make timely decisions should be a priority for SOC management. They will also explore the benefits of Security Orchestration, Automation & Response (SOAR) technologies.
Paul Simmonds, Fellow Analyst at KuppingerCole, will address the requirements of modern SOCs, highlighting the importance of automation and integration. He will focus on SOAR, discuss the top use cases and requirements of SOAR, and explain how it relates to other security technologies for a modern SOC such as SIEM and XDR.
Amitabh Singh, Field CTO EMEA at Palo Alto Networks, will provide insights into Palo Alto Networks' XSOAR (eXtended SOAR) approach, its key capabilities, and its relevance to modern, highly automated SOCs. He will describe how XSOAR solutions can be used to augment existing SOCs or be used as a foundation for new SOCs, and how XSOAR relates to ASM, XDR, and XSIAM.
So, good afternoon. My name is Paul Simmonds. I'm a Fellow Analyst at KuppingerCole and it's my pleasure to introduce to you this afternoon Amitabh Singh, who's the Field CTO EMEA from Palo Alto Networks. And we're gonna be talking this afternoon about cyber resilience through SOC automation. So without further ado, let's kick off. I'm going to do a short introduction.
So, if I can get my overview of what's going on this afternoon up: you are centrally muted. We are controlling all the features, so there's no need to mute or unmute yourself. We've got a couple of polls coming up, so be prepared to contribute to those. It will make our job a lot easier because we'll have a good idea of who's on the call and listening. And of course there is going to be a Q&A session at the end of this webinar. You can enter your questions at any time. You should have a control panel on the GoToWebinar system.
You can enter your questions there and we will do our best at the end to answer them. And finally, we are recording this, and the recording and presentation will be made available for you to download in the next couple of days. So this is the agenda for today. You've got me for the first little bit with an overview of understanding the modern SOC's requirements. And then you've got Amitabh talking about the path to an autonomous SOC and the potential SOAR has to deliver value for your business, which is what it's all about at the end of the day.
So, as I promised, the first poll. The question is quite simple, just to give us an idea of who's on the call: whose business is running a SOC? And your answers are pretty simple.
One: yes, you run it in-house, 24 by 365. Two: yes, you have some other form of SOC arrangement.
There are, you know, you can partially or fully outsource, you can be doing it elsewhere with partners. Or three: no, the business thinks it costs too much, there's no perceived ROI and ultimately no business case. So the poll is open. I'm watching the numbers come in at the moment. We're running about a third, a third, a third at the moment, which is quite interesting.
Oh, now, yeah, we've got about half of you voted so far. Keep pushing those vote buttons, please. We'll give you another sort of 20-odd seconds to get your poll in, please. Thank you very much.
Okay, so the results are in, looking at my screen here. The winner, believe it or not, is number three: no, it costs too much, no perceived ROI and no business case. So that's probably about as I would've expected. And a third of you say yes, we run it 24 by 7 in-house, with 22% selecting number two. So thank you very much for that. It certainly helps us in how we talk about and how we tailor this presentation for you. So let's kick off. This actually comes from an original presentation by my colleague John Tolbert: the definition of and the need for SOAR.
So hopefully people are dealing somehow, whether you have a SOC or not, with security incidents. But the aim very much here of moving to SOAR, and what we're talking about this afternoon, is how we mitigate better. So the problem is, as you probably know from all the industry statistics, and you'll hear this from everybody, the vendors and us, et cetera, et cetera, is that the typical mean time to detect a security incident is six months. In other words, the bad guys have been inside your systems for typically about six months, which is quite concerning.
And once you discover them, it takes on average about two months to actually start to mitigate, to resolve that security incident. And if you crunch the numbers on a decent-sized security breach, then you're looking at a total cost of about four to nine million. And that's before you take into account the fact that you've lost lots of business confidence. Partners may have gone elsewhere, customers may have gone elsewhere, because your stock, your perceived value, you're not a secure company, so why do we want to do business with you?
So there is a real need out there to do what we do as security faster and hopefully, from a business point of view, quicker and cheaper. And we think SOAR has a place to play in that picture, and ultimately SOAR has these three functions. So can we orchestrate, can we automate, can we respond? And we'll be talking a lot more about this. So why SOAR? SOAR is there to bring technology convergence. At the end of the day it's about workflow automation, it's about management and best practice. It's about utilizing best practice plays, what we call playbooks.
If you are not operating a SOC, then a playbook is basically the instructions, the standard operating procedure if you like, by which we respond to various alerts, incidents or whatever occurs, and normally carried out at a basic level by level one analysts and then level two analysts and then level three analysts within your particular SOC. And if you don't have a SOC, that's going to be various teams within your business, whether it's the security team, whether it's the IT team, or actually your incident response team, which could include your management.
When it all goes horribly wrong, most people will have some form of security incident platform, a SIEM or a SIM depending on how you refer to it, which includes your vulnerability management platforms, your ticketing systems. And that might be, as I said, if you don't have a SOC, that might well be your existing ticketing system in use by the IT department, the XDR systems, knowledge systems, alerts, reporting, et cetera, et cetera. And then finally, threat intelligence.
And threat intelligence is incredibly important, because you need to understand what's hitting your business, not only from the point of view of your particular business. I used to be the CISO at AstraZeneca and one of our biggest threats was the animal activists. So we had intelligence coming in on what they specifically were doing and targeting within the pharmaceutical world, but also the general incidents that are going on. So let's have a look at some of the challenges that we have within our particular businesses.
So the first one is this one, and this is why it came as no surprise that people answered number three; 44% of you answered three in the poll. The cost of operating a SOC: staffing costs, recruiting good SOC personnel, they are incredibly expensive.
Once you've recruited them, and that's hard enough, then you've got to retain and also retrain your staff, because obviously they need to keep their skills up to date with the latest threats, but they also need to be perceived as being loved so that they don't go to a competitor, because it is a very, very competitive world out there. And the other thing is staff numbers.
If you look at what it takes to run a 24 by 365 operation, typically one head running 24 by 365 takes about four to five full-time heads to make that work.
So just having a level one, level two, level three and a SOC manager plus support staff, you could be looking at 25 to 30 full-time heads. And it's interesting, I don't know why we're automatically advancing, but 25 to 30 staff, and you go to your board and say look, we want to run a SOC and actually we need 25, potentially 30, full-time heads, and your board typically will have a large intake of breath if nothing else. The next one is how you derive value from a SOC. Because ultimately playbooks take time to develop and refine.
They are very immature in most SOCs when people put them in. You have information overload within a SOC. Therefore actually trying to spot the, the English term is the needle in the haystack. I don't know how much that gels with an international audience, but the British call it finding the needle within the haystack. And a lot of the time that's what we're trying to do as security people and SOC analysts.
They're trying to spot the real incident, the real incident of a bad guy trying to get into your system, or code trying to attack your system, rather than just your staff doing something stupid. And obviously everyone's business out there has hundreds of products. So the time it takes to integrate all those products, such that you get a full panoply of information, really takes time. And so you can be a year, possibly two years, in on a standard SOC and you still haven't got the value that you promised the board when you went to them in step one.
The next one obviously is inefficient processes. So the problem is that if you are going to escalate to your level three SOC analysts, such that you can take real action, there is a process in an existing SOC today that you need to go through, escalating from level one to level two to level three. And the problem is, if the level one analysts miss it, guess what? It never gets escalated to level two, let alone level three. And that's quite often why, even though companies are running a SOC, they are still getting hit by the bad guys.
Again, reduce time to escalation. So how do you get that escalation faster, quicker, cheaper? And immature playbooks: if your playbooks are still immature, again that escalation process is not gonna happen. So ultimately what we're looking for, the challenge, is number four, which is how we minimize incidents, how we reduce the mean time to detect and the mean time to resolve.
And those should be some of your key performance indicators that you are using within your SOC, or if you don't have a SOC, because it's great information actually to go to your board with and say, actually these are my current MTTD and MTTR figures and a SOC will help us bring those down. And then you can actually put a cost on that. And ultimately your aim should be to automate responses wherever possible, because that is ultimately how you are going to minimize incidents and also, as I said, start hopefully spotting that needle in the haystack. So what does your SOAR deployment look like?
So this is where we think SOAR is starting to go. Originally, if you'd have seen these slides 18 months ago, you would've probably had a SIEM or SIM in the middle of this picture. And a lot of organizations out there are starting to say no, actually the SIEM is just part of it. Ultimately what we want at the heart of our SOC is a SOAR implementation.
So you take your inputs from the security logs, you get API integration into SOAR from your SIEM, you get informed by your intelligence systems, you integrate your subscriptions to your intelligence feeds, and ultimately you have a SOAR console, and that can either be on-premise or in the cloud; there are various ways of implementing it. But as I said, if you looked at this 18 months ago, the SIEM would've been at the center. Now a lot of people are starting to put SOAR at the center of this, and we'll hear about that in a second. So the solution: automate where possible, feed everything.
It should feed everything you have into SOAR. So the more information feeds you can get into SOAR, the better it can make decisions. And as I said, the aim is very much to get autonomous decisions. Leverage best-in-class playbooks, because actually 95% of what you are going to be doing in your SOC is going to be exactly the same as everybody else. Most exploits out there are what we sort of refer to as spray and pray. In other words, it's not targeted at your business.
The bad guys are spraying it out across multiple sources in the hope that that zero-day or recent exploit they're using hasn't been mitigated in your organization. So let's get it out quickly to as many businesses as possible, see how many hits we can get.
So again, leverage best-in-class playbooks, let SOAR automatically respond. It's all about minimizing the blast radius by minimizing your response times, and ultimately, at the point that you need to escalate it, the key thing here is your level three analysts, the ones who are gonna make the decisions that this really is something that you need to react to and respond to, that we necessarily haven't seen before.
You give them as much information as possible to make really, really fast decisions, because by the time you get it to your level three analysts, it's already probably affecting your business. So what we're talking about today is based on this. This was a white paper that we published back in January, Automating the SOC. You can go and download it obviously from the website. We will give these links to you at the end as well, and obviously the slides are going to be available. It's based on this: the original Leadership Compass we did was in October 2020 with John Tolbert.
Obviously things are moving very fast in the SOAR marketplace. So this January, the end of January, literally hot off the press almost, our colleague Alejandro did an update to John's original work. So we have issued an update document, and again the link is there; you can go and download it with your KuppingerCole subscription. I'll just give you one slide from Alejandro's document.
This is what we regard as the overall leader slide, the headline slide if you like, within that document. And as you can see, our friends at Palo Alto are right up at the top of that.
So it's really nice to have them here today to talk about how they see SOAR within environments that they are working with and give you, hopefully, some real-world experience. So with that I'm just about to hand over to Amitabh, but before that we are going to run a quick second poll. So here is your second poll, if you are running a SOC. And if you're not running a SOC, I suspect your answer by definition is number one. But the question is: how automated is your SOC? So one: very manual, lots of feeds requiring level one analyst interpretation and escalation.
And number two: we are partially automated. Playbooks help escalate to level two and level three, but could be faster. And three: we are automated. And of course the caveat here is yes, we could always do better, but we think it's fairly slick. So the poll is open, we will give you about 50 seconds to have your vote and I will watch the numbers come up. So currently the majority of you are sitting at number one?
Yeah, it's still remaining as the majority at number one. Yeah, we're running about 70/30 at the moment with number one. No one is voting for number three, interestingly. Mind you, I guess that's why you are all here. So hopefully you're gonna get an awful lot out of this if no one is voting for number three. So the poll is closed, so the results are in: 63% number one, very manual; 38% of you are partially automated with playbooks escalating to level two and level three. And actually, not too surprisingly, no one voted for number three.
And again, I guess that's why hopefully you're all here today. So without further ado, Amitabh, welcome.
Good afternoon. Thank you, Paul, for the introduction, and in fact thank you everyone for the poll questions and the poll answers, because that makes my life a lot simpler, and as Paul did say, it is something that is to be expected. And I'm here actually to talk about how we should change some of the things. So I don't wanna talk about some of the things that were there. So I wouldn't talk about the standard slides.
I would talk about what exactly is the reality of the current operations, and the reason why most of us actually voted for option one and option two in the last poll that Paul did was precisely that: because the existing approach to security operations is indeed a mess. We are reactive, and it's not that we are not smart people, it's just that whatever information we are getting, it's highly filtered. It's a single source.
There are too many complexities in terms of how it works. So if I'm actually to define the whole of security operations in a slide, it would actually be more like this. It would show that there are too many alerts, there are too many tools, too little staff, too many silos. And I think some of those things are emblematic of the fact that things haven't changed for quite some time. So, for instance, phishing alerts are as much of a problem today as they were 10 years back.
And I think it's because, while the attackers can leverage automation to launch high-quantity phishing attacks with the click of a button, we still are actually trying to work on the alerts one by one, and I think security teams are just not able to follow the right set processes while responding to these kinds of alerts. So in a way they need to coordinate response across email boxes, threat intel, firewalls, ticketing and other tools.
And each one of those tools has different consoles, data conventions, contexts, which really makes it difficult for security teams to fill in the gaps while minimizing errors. So if that's the case, what is it that we should be doing in terms of managing it?
And I think SOAR solutions, as Paul said, were designed to address these challenges. The first component of SOAR is actually orchestration, and this involves controlling and activating the security product stack from a central location, and the operative word out there is a central location and not multiple locations, that's one, and through a single pane of glass. And this is actually done through playbooks, which are task-based workflows that are coordinated across people, processes and technology.
Now some people have asked me how the playbooks work. I would say, first of all, a lot of the playbooks should be out of the box, and then of course they should be customizable. But it's not just how you are supposed to investigate an issue or an incident that's important in this case, or whether, if certain things have happened, you call up someone else to perform the remediation.
In certain cases, like if you really find a major alert, your playbook should be able to dictate that you should be able to isolate a single user, or maybe even a VLAN in the case of a major issue. And the second component that defines that is automation, which is a subset of orchestration. So within SOAR, automation involves finding those repeatable tasks and executing them at machine speed, something that we know exactly is a big challenge. Those automation scripts and accessible product integrations really are needed to accomplish automation.
The final component, response, involves maintaining incident oversight as it gets through the lifecycle. Now within SOAR products this includes case management, collaboration during investigation, analysis, and reporting after incident closure.
So I'm trying to actually differentiate the fact that when a security incident has happened, managing it has to be at machine speed. It should not be that you are opening a ticket which is sent to an IT person who actually tries to respond to it. When business ops happen, it's actually something that happens right then and there, because your playbooks dictate that if there is a VLAN that needs to be isolated and it's an approved playbook, then it's not a question of getting an approval; that does happen.
And then the final response is in terms of trying to understand what happened, getting into the forensics part of it and doing it properly. So the next part that I would actually say is that we talked about the fact that you need to have integrations, and that's something that I've always said when it comes to all of that, your XSOAR, and something that Paul also alluded to, is that XSOAR, or SOAR tools, are now the center of the universe as far as SOCs are concerned.
So the 700-plus third-party tools that are integrated with XSOAR will really help us to do that, because if you are not integrated with the third-party tools, it gets really challenging to manage the whole environment. And one of the things that we also talked about is that it's still a very manual way, that feeds have to be done manually.
And I think I would actually argue that if your feeds are directly coming into the SOAR platform and it's ingesting those feeds automatically instead of manually, that takes care of that, so your tool should be able to ingest the feeds in an automatic fashion. So just how does SOAR lead to an autonomous SOC?
So that's what I want to actually talk about in my next slide. So what needs to happen is that, in this case, with multiple integrations for the products and security actions, you have automation and orchestration there, you have real-time collaboration, because your investigative capabilities ensure that you have a virtual war room that you're managing incidents in, the case management is through standardized processes, and your threat intel management dictates the repetitive tasks and actually makes sure that what needs to happen happens clearly.
So that is something that I think is actually the mantra of managing that. So how do we actually differentiate some of those things around this? I think the first thing I'd already talked about is that through multiple integrations, or, as we actually said, 700-plus integrations, that ensures that users can use one console for alert ingestion, for enrichment and for response, by collecting data across all the tools. We've got to be deploying visual playbooks.
So either out of the box, or, once you've gone to the next level of managing SOAR, custom-built playbooks that coordinate actions across people, products and infrastructures, and having those thousand-plus automation actions across security tools really helps to execute those repetitive tasks at machine speed, so that you as analysts have more time to make decisions and investigate. Since we have talked about playbooks, it would also be good to talk about some of the playbooks that exist, and I'd like to talk about some of the playbooks that run in our own SOC.
So these are many of the SOAR playbooks that are automating repetitive tasks in the Palo Alto Networks SOC today. So if you haven't seen an XSOAR playbook, they look like a flow chart. You can drag and drop these action bubbles to create if-and statements and kick off actions in other applications. And the visual interface is intended to allow everyone to build XSOAR playbooks without having to write code. And that for me is important. So you can also have business analysts, and people who understand the business context for the organization, also be SOC analysts.
So it's not that you are not allowed to write code; developers can choose to use Python or Java if they have those skills, but that's not essential. So you have the right mix and balance of analysts, and typically then the SOC clearly has more level three analysts, which is where we need SOC analysts to be focusing, as against the standard life cycle of level one analysts, who for the first six months to one year of their job are doing logging and plugging tickets. So in the first column we have the top-level playbook for each technology or request source.
Now this sets up the flow for the response playbooks, and most of the analysis in the second column happens automatically. So, for instance, we want to calculate the severity of the ticket based on information like who is the user or what is the host. We pull out the host context from various sources, including ServiceNow, where our IT teams maintain our CMDB, and if we want to know whether it's an end-user endpoint or a critical application server, or who's the contact for it, we get to know that. And then we also want to know if this is a privileged account or an exec.
And then all the indicators are run through the threat intel sources from the previous slides and the results are added, and we can even reach out to Cortex XDR and some of the other tools for logs for specific cases. So one use case that we get a lot of value out of is sending users an email asking for information about an alert. Now whenever I have a user's name involved in a security alert, I'm usually going to reach out to them and ask them if they were aware of the activity, do they recognize any of the files, what were they doing at that time?
Because the email is sent instantly, the user usually has valuable feedback, and they can reply to the email, which comes back to the ticket. So this is a departure from the past for many SOC teams, where the ticket might not have been worked right away, and by the time you're speaking to the user too much time has passed and they don't remember all the details about what they encountered. That's an important part that we have kind of changed out here. Now, once the analysis is done, one of two things will happen.
If there is enough information to confirm that containment or remediation actions are required, the playbook can proceed to those steps; or, if there is not enough information, the playbook itself would prompt the analyst for a decision on what to do next. And these breaks are completely customizable, so you decide where the playbook should take action or break. And then we have built containment actions to be reversible. So in the event we accidentally do something unintended, it's easy to back out.
Like if you block an Active Directory user, you can stop that, or you can unblock that. But at that point in time, because your playbook says so, it's important that you block the user. So having this foundation of playbooks in place, with the kind of automation we are able to take, takes a lot of the repetitive tasks out. And I think that's possibly the most important part, in terms of having that flexibility of having the playbooks in place. So let me show in the next slide what the results have been of implementing some of those things.
So this slide better shows how some of the benefits of automation and machine learning translate in terms of time savings. So one of the first automation use cases that we had to build was responding to phishing alerts. We know that's a standard use case in most SOCs. Now, we used to be an Office 365 customer for email, which of course we no longer are, because obviously it is a big problem and is possibly one of the biggest challenges for security and compliance searches.
But if you are, you can actually take the time out, which would take about half an hour or more to gather all of those emails and get those things out, and reduce that to two seconds. Now the way it happens is that when the playbook receives an alert from Microsoft, Proofpoint, or one of the users, the playbook would actually request Office 365 to begin searching all the related emails. And then we went on to automate the rest of the steps in the phishing response.
So everything from sending an email to the user to notify them if they've fallen victim to a phishing email; if they've given away their credentials, we need to reset those credentials. That's an important part, because you can't wait too long. We might need to block the email sender, and if there's an attachment then we might need to submit that to WildFire, or to a sandbox, to determine if it's malicious, and then we wanna block any malicious links in that email. So this one use case initially saved a lot of work.
I mean, I can estimate that by implementing this use case we're talking about 18 to 20 business days of work that's been taken out. The other one that I wanna talk about is the investigation of command-and-control alerts from next-generation firewalls. Now this was something that was clearly a big issue for us, where we are feeding our network, endpoint and cloud logs into it and the machine learning is applying context and stitching those alerts together.
So in this case, once we get alerts from network and endpoint and cloud, we stitch those alerts together, and then it goes as far as drawing the visualization of the attack chain and all the hosts that are involved, allowing the SOC to spend less time doing analysis and focus more on the containment and remediation. And I think that's the whole part about it. Can you focus more on containment and remediation?
So again, the big part is we are saving on an issue which would've taken probably the better part of an hour or so, I mean three quarters of an hour. We are now able to do that in a few seconds, and I think that's the part that we need to start doing. It's not that it's just a cost-saving thing; it's also something that really has an impact on efficiency and effectiveness, and also how fast we are able to get the work done.
Some of the things that we know that we have talked about earlier in terms of how benefit beneficial it is from an ROI perspective, although these are the kind of use cases that determine the ROI of of OR or products. So that, that's another thing that brings me to the next part. All of us, almost every one of us have seen the left hand side of this chart. Anyone who's operating a stock or has an outsource shot will see this chart every month. X billion events coming out with X millionaire alerts, with some real alerts and finally certain incidents and how many major managed.
But as Paul said, it's not the left hand side that's important, it's a right hand side. How fast are you detecting those real incidents? How fast are you responding to the high analytics and how fast are you remediating that If you're detecting in seconds, responding in minutes and remediating in hours, that's, that's actually what your sock should be doing. And if you have that, you are showing the real efficiency of the so and effectiveness of the SOC to the principles and the right roi.
So in our case we are looking at close about 16 fts of automation savings every year and I think that's, that's the part that we need to be looking at from a value perspective of the value that's generated for us. And I believe that this is what we should be looking at in an overall basis on managing the overall effectiveness of the SOC in terms of doing it, managing it in a better fashion.
So how, what exactly is the cordex XO value? Well one is you gotta standardize and scale processes. So our playbooks really help you to co and enforce a process that's common across your security. These playbooks can be fully automated, fully manual or a combination of two with each scenario having its advantages with increased efficiencies. So you decide whether you wanna fully automate or fully keep it fully manual or a combination of two. This action alone reduced our weekly alerts from about 10,000 to less than 500. And I think that's, that's a huge change that you are able to do that.
So that's one value. I would recommend everyone to look at your SOCs in terms of how many alerts you are fielding right now and whether you are able to automate those alerts. And I don't think that without having the SOAR platform anyone can manage those alerts, and as Paul said, increasingly organizations are now making SOAR the center of the universe for the SOC.
So without automation it's going to be almost impossible, unless you have an army of analysts, which is not possible because you can't keep having people with that kind of expertise; you have to go for automation and reduce the alerts from being fielded manually to being managed automatically. And then the next advantage is the response times.
So even if you have a manual SOC, there is going to be a certain amount of time lag before a person can respond, because that analysis has to happen. Now with XSOAR you can automate thousands of actions across your security products and hand back time to your analysts for investigations and decision making. So these automations can be, for example, alert ingestion, data gathering, response actions, updating information back to the point products; all of those things would be almost impossible to do manually.
And I think this is where it gets really helpful for organizations to deal with things that are not possible otherwise. The last part that I want to talk about is possibly the most important part in the return on investment for SOAR: it coordinates actions across security products, so you have a process-centric view on how to respond to a particular incident which is not tied to one product. So the playbooks give you an abstracted view of a process, which makes it easier to replace one product with another when you need to.
So there's another upside there. If you are able to coordinate actions across security products, that's the only way you can actually manage zero-day CVEs, because CVEs are such that they are unknown to the environment. But then there are certain actions that are abnormal in nature, and you find them by coordinating actions across security products and getting information across multiple sources in the right fashion.
Like network alerts that are coming in, endpoint alerts that are coming in, or the cloud alerts that are coming in: you should be able to get a picture that something is not right, and this is what we actually saw with the SolarWinds attack in our own SOC, that we could see that something is not right and we were able to transfer that knowledge and insight into the SOC and stop that from spreading further.
And I think this is something that we have even been working on with some of the more advanced spyware products like Pegasus. Having those kinds of spyware products around will actually keep on increasing more in future. Right now these are available only to governments; we believe that technology will change so much that they will easily be available off the shelf for anyone to use, because the genie's already out of the bottle.
And the only way to understand those actions would be to coordinate actions across security products: knowing what kind of alerts are coming in from firewalls, knowing how your endpoints are behaving and being able to analyze your traffic in the right fashion, and XSOAR coordinating what kind of alerts are coming in from analytics.
So that is, I think, an important part: you are not just trying to manage existing kinds of alerts with your SOC investments, you also have to be proactive, because your alerts will increasingly become a lot more complex, and if you do not have this kind of technology it's going to be really hard for you to manage SOCs in future. But I think that's all I wanted to share for this. So I would like to hand it over to you, Paul, to see if we are there now. Wonderfully insightful as always.
So the first question is from Dario, who says: if you want to start, sorry, I'm peering at my screen because I've got a big 4K screen and my eyesight is going, if you want to staff a SOC with level one, level two, level three, 24 by 365, you still need significant staffing. So what is the minimum you can scale down to using SOAR? In other words, what are you seeing out there for yourselves as Palo Alto?
Obviously you are using your own product, but also the customers that you are working with, are they able to start scaling back, particularly level one and level two, and getting a return on investment that way? Good question, Paul. So in our case we of course have an added advantage that we have two SOCs, one in Tel Aviv and one in California, so that is kind of 12 hours away from each other.
So we do have the follow-the-sun approach, but what we have also seen is that we don't need a 24 by seven SOC. We are able to manage through automation all our alerts easily without any challenges coming up. And that's what most of our customers are also seeing, increasingly, if they're not large corporations which are working around the globe; like in your case when you were working with AstraZeneca, they would definitely be working all around.
So they need to manage a SOC, in which case they can actually have analysts in the local countries and then manage the local business hours. What we are seeing is that with the kind of tool sets that we are talking about, you do not need to have the SOC in one specific center.
So the days of having a huge room with those LED screens and seeing those alerts, the kind of monitoring that you normally see even now in Hollywood, because you know that most of the movies still have a lag in that they would want to see a cyber attack on a big screen coming up: that is no longer a must. A simple laptop is good enough for an analyst to work, in which case you can pretty much hire the analyst wherever you want.
But if you're talking about 24 by seven SOC analysts, I don't think we need to have that with the kind of automation that's built into the models, because if you are, for instance, a location-based entity, then your playbooks do take care of your off-hours challenges. Because at the end of it, if they stop the business at some certain point of time and quarantine a specific user even at one in the night, then that's the case. And someone actually asked me, what happens if they actually quarantine the CEO of the company at 1:00 AM in the night?
Then you could ask: what kind of playbooks have you set up on that? Because if you have set up the playbook like that, where if there is a security issue you quarantine a user even though that user is the CEO of the company, then I would actually argue that's how you have defined your security playbook based on the risk analysis that you have done.
So defining playbooks is not, I would say, divorced from the risk analysis that you would be doing when setting them up. But in the end you do not need to have a 24 by seven SOC, in which case you would need about eight or ten people to staff them on a 24 by seven basis and have night shifts in place. That's not the case anymore. That's good.
I mean, that's interesting feedback, certainly I think for the people on this call, in that it does change the dynamic and the ROI calculation that you're going to go to the board with, hopefully for the third of people who answered three to the first poll we did, who said, you know, we don't have a SOC at the moment. So maybe that's your answer: go straight to a SOAR solution.
So I suppose that brings us onto the next one, you know, for all of those people who did answer number three to the first poll, which is we don't have a SOC because we can't justify it. If you are starting to think as security people, we really should have a SOC, should I go straight to a SOAR-based solution and just base my entire architecture and my pitch to the board around implementing SOAR from day one? My answer to that is that you need to have a couple of tools before you just have a SOAR in place.
So in the past, for instance, let's use the same information that you gave in your slides, Paul: in the past you talked about the fact that SIEM would be the center of the universe, and even smaller organizations were implementing SIEM, which is why you saw the response in your first poll that we don't see any ROI, simply because of the fact that implementing SIEM is a multi-year project with very far less return on investment as far as cybersecurity is concerned.
Yeah. If you were to implement it, I would say the first and the most important part for a SOC would be to have an XDR feature in place, because that's a starting point. The next part is then you actually implement an XSOAR on that.
What we are actually trying to talk about, and that's possibly out of the scope of this call, but we should be talking about it afterwards, and please feel free to connect with me after the webinar: we have introduced a product specifically for organizations like this who are thinking about not implementing SOAR, but having a product which manages the whole environment on an end-to-end basis, and we call it XSIAM, which is extended security incident automation management. What it does is it has out-of-the-box playbooks and it actually gets alerts from endpoints and network and gives you the holistic picture without having to implement the SOAR solution on your own.
And now I would say organizations that are looking at having fewer than 25,000 employees should definitely look at that as an option instead of trying to have a dedicated XSOAR-first solution. Okay. And so I suppose the next question I've got on my screen here, building I suppose on that, is in terms of what you do with your SOCs, how much time has moved from doing tactical versus strategic SOC work, like proactive threat hunting? In our case, we are now doing only about 33% of the time as tactical work.
So that's something that we have done. So we are doing a third of the time on the tactical part, a third of the time in terms of building new playbooks, and a third of the time in threat hunting.
Okay, yeah, interesting. Whereas before most of the time you'd be sifting through those haystacks trying to find that needle. Correct.
Okay, so one very dear to my heart, as I alluded to earlier, is that we used to have all sorts of fun and games with animal rights activists. How does a SOC perform manual repetitive tasks like checking intelligence feeds, and where do those factor into this?
Well, we have made the product in such a way that our product ingests the feeds directly. So threat intel feeds are not something that we would actually be giving to the analyst, or that they have to manually put in; XSOAR automatically ingests those feeds. So a simple example would be that if you're seeing in the environment a specific kind of malware, we all know that they all have to connect back to a specific IP address. If that's blacklisted, then that's restricted. That information is already fed into XSOAR.
So in case any of those IPs within your organization start trying to communicate with any of those restricted IPs, then an alert is automatically raised in the SOAR, so you don't have to actually do that manually or structure that out manually. And that becomes an important part of the SOAR. A simple thing that I've always tried to explain to clients, and I was talking to one of the largest automotive companies in Europe about this, is that they wanted to understand how it works.
And I said, if you look at it, at any given point of time there are 15 billion indicators of compromise that exist out there, and they keep on expanding by a factor of about 10% every month or so. So there is no way you can actually build that in, in terms of chasing that. So you keep on building, some old ones retire, so it's like churn.
So the only way you can do that is if your XSOAR gets those kinds of alerts directly from an external party, because you can't just have that threat hunting done manually, because there's no analyst in the world who can handle that volume on an independent basis; that would just overwhelm the analyst today. So we actually have that capability. Those threat feeds are fed in, and it's not just that those threat feeds have to be from us. We also feed in threat feeds from VirusTotal, for that matter.
That is a Google company. We get feeds from Mandiant and from multiple services, and those all get into the SOAR platform, which makes life a lot easier for the analyst. Yeah, and it's probably worth pointing out to people that there are industry-specific feeds as well.
I mean, I know the banking industry, certainly in the UK: if you hit one bank with a rogue IP, about 10 milliseconds later all the other banks have blocked it, and there are multiple feeds out there like that, whether they're industry-specific or whether they're actually being rolled up as a service. I think that's a good point, Paul, that you're talking about, because those industry-specific feeds plus coordination with NCSC, the respective NCSC within the countries, is becoming really good.
Now in Europe we are actually seeing collaboration with ENISA, the European agency for security. So they are actually able to feed in all of those feeds to all the countries. Luckily that has also had no impact on the UK, so the UK is still part of that. So there is a very strong collaboration, from a Europe-wide perspective, in terms of sharing those feeds between NCSCs and giving each other more and more insight.
And that's actually becoming even more relevant because there is a huge amount of challenges for critical infrastructure or companies that are in critical infrastructure industries. So those threat feeds are really important to be shared, and they have to get automatically into the SOC.
Yeah, and I know the federal government in the US is talking about mandating some of this threat intel sharing. And there are big debates going around about the format that they're going to be shared in and anonymization and all of that. But we see these initiatives coming up time and time again from regional governments, Europe, obviously the US federal government, et cetera.
But there are big pushes to actually get those feeds out to people such that, yeah, we can automate better, because I think, as you've learned from your presentation particularly, automation is the key to this. Good.
Okay, I'm just looking at my questions. If you want to nip a quick question in, you've got a couple of seconds left. We talked about what we need to have in place.
Yeah, yes, we have one question: if you missed the beginning slides from both presenters, and the recording. This is being recorded. So if you missed the beginning, and particularly when we told you that slides were going to be available:
Yes, they will be, and the recording will be available. So if you missed any of it, you can go back and watch it. And normally that takes a couple of days to get out, with the background people at KuppingerCole to sort that out and get it on the website, but it will be available to you.
I'm just going to wrap up with what we'd call in the UK parish notes, but any final thoughts before we leave you? For me, I would say that for the folks who haven't actually implemented a SOC or haven't actually seen the value of an existing SOC, an XSOAR tool is really important for making sure that you are managing threats proactively. For most of our customers that we have seen, it's not a question of if but when security challenges will be there; there is a huge amount of new kinds of challenges that are coming in.
I mentioned threats like Pegasus in the presentation. These are no longer threats that people thought can happen to others and not to us. I have seen a lot of those things, specifically at the critical persons and execs who are also facing those kinds of spyware activities now.
So it's important that we have to be vigilant, we have to implement SOAR tools. Like all technologies, it takes a bit of time before you are mature enough to do that. So if you start managing with out-of-the-box playbooks right now, in the next six months you would actually be advanced enough to create dedicated, specific playbooks for your company and for your industry. But the important thing is to make sure that your SOC is up and ready and doing it.
And if you don't have a SOC, you do have to invest in having MDR services that actually provide you with those kinds of capabilities. The benefit of MDR services, and that's really important in this case, and that's the cyber side, is once you have alerts coming in and you need to manage a security incident, the only way you can do that is to have the right kind of forensic capability.
And some organizations do not have that. So again, your SOAR tools really help you to bridge a lot of the gaps in an automatic fashion and also tell you what tools or what skills you need from an external perspective.
So again, it's an important thing for you to see how to manage security on an end-to-end basis. Yeah, and it's a great point to finish with, because it's not part of this particular webinar, but there is the bit beyond it, because ultimately, at the point that you do get breached, there is a whole raft that you have to have in place before it happens to you, because it's no good doing it after the event. So you have to have your senior management briefed on what happens in the event of an incident.
You have to have your PR in place, you have to have your contracts in place with those third-party companies. As I said, not part of this webinar, it's a whole topic in itself, but just to say, you know, at the end of the day, as great as all these tools are, they're there to minimize the impact of you getting breached. The bad guys are out there, and if the bad guys ultimately want to get in, chances are that they will; your job is to ultimately minimize and mitigate as fast as you possibly can, and SOAR is a great way to do it.
So thank you very much. We've got about two minutes left. I'm just going to do the parish notes, as they say. So the first one is this: KC Open Select, please go and use it. I'm sure you all know about this. So, said with time to go, the one I really want to talk about, he says, is this: if you have not been to EIC, I would thoroughly recommend it. It was obviously run during COVID as an online event, and it has stayed as a hybrid event. I think KC has got hybrid down to a really fine art. So if you can't make it in person, then for the hybrid event please attend online.
But if you can, I would thoroughly recommend getting to Berlin. Great event, lots of fantastic talks and vendors; it's all the offline discussions that go on at those kinds of events. So absolutely, topics this year: securing identities, identity for Web3 and the metaverse, that should be really interesting, decentralized identity, one very close to my heart, and a lot more besides.
So please, please, please register for that. Get along in person if you possibly can. I said I'd do it at the end: here's a wrap-up of all the related research that's out there. As I said, these slides are available, so the links will be available to you. So there's the automating SOC white paper, the Leadership Compass update, the Buyer's Compass and also the original paper going back to 2020.
So those are your pointers, and obviously I'm sure you know what we do as an organization, but if this is your first webinar, then obviously research, advisory and events and webinars are what we specialize in, and it's very nice to have you as customers. So thank you very much. And with that, he says, it just leaves for me to say thank you very much for attending. I hope you enjoyed it, I hope you got lots of useful information out of it, and good luck with implementing your SOC.