Processing security alerts, identifying the real risks among them, and remediating them consume an ever larger share of the time and resources of Security Operations Centers (SOC). Cortex XSOAR – Palo Alto’s platform for Security Orchestration, Automation, and Response – reduces the volume of incidents that the SOC must investigate by 75% and increases the speed of response to threats by 90%. The specific ways in which companies can achieve these results with Cortex XSOAR were detailed in a webinar recently organized by Datanet Systems, Palo Alto’s strategic partner in Romania.
- Fast detection of real security incidents,
- Prioritization of alerts according to their level of severity,
- Triggering automatic remedial measures,
are three major goals in any industry, and they are difficult to achieve for organizations that still process incidents manually and respond to threats with isolated security solutions. The ways to remove these limitations using the Cortex XSOAR platform were presented and demonstrated during Datanet’s webinar “Effective management of security incidents using the Palo Alto SOAR system”.
The complete recording of the Datanet Systems webinar is available below.
XSOAR’s competitive advantages
Tudor Cristea, Regional Sales Manager Cortex Eastern Europe Palo Alto Networks, presented the competitive advantages of the XSOAR platform and how its components increase the speed and efficiency of threat response measures:
- Orchestration through playbooks – XSOAR allows SOC teams to respond to incidents quickly and at scale, so that their work is not affected by the volume of events to be processed. The platform’s orchestration engine uses hundreds of integrations with third-party security products and an extensive range of playbooks, i.e. logically organized action plans. XSOAR comes with hundreds of predefined playbooks covering the most common work scenarios worldwide. “We have thousands of customers in all industries – both in the public and private sectors – and the accumulated experience helped us to continuously develop and expand the number of playbooks that can be used out-of-the-box or very easily customized, without the need to write code, in order to meet specific requirements”, explained the Palo Alto representative.
- Automation of remedial measures – Cortex XSOAR integrates a workflow automation engine, which ensures a fast and scalable response to incidents. The platform allows script automation and integration through Open APIs of the entire cybersecurity infrastructure, including network components (routers and switches).
- Coordinated response to incidents – the integrated Case Management module is responsible for analysis and reporting. The module includes customizable dashboards and reporting tools, useful especially in the context of new regulations (GDPR, NIS, etc.), a real-time communication engine (based on Slack), as well as “War Room” functionality, a virtual space where NOC members and SOC teams can collaborate, coordinating their actions to be fast and efficient in responding to attacks. All SOC Team Playbooks and actions are automatically documented – an immediate advantage when reporting is required.
- Threat Intelligence feed integration – “A fourth key component of the platform, which makes Palo Alto’s SOAR platform become «Extended SOAR», i.e. XSOAR, is responsible for the integration and full control of the feeds of all Threat Intelligence information used by an organization. All these feeds are unified, automated, and efficiently managed from a single interface, the same as the SOAR platform. Palo Alto was the first company in the market to introduce the Threat Intel Management component in the same interface”, Tudor Cristea added. XSOAR integrates Palo Alto’s own Threat Intelligence feed, AutoFocus, but can also include other information feeds, free or with a paid subscription.
What justifies the investment in the Palo Alto platform
Cortex XSOAR provides companies with a quick return on investment by addressing repetitive processes, defining them through playbooks, and automating them. Standardization of processes allows the elimination of manual work, and with the help of playbooks – predefined or customized – the incident response execution becomes modular and easy to run.
Another important benefit is that the platform allows automation to be built for the entire IT infrastructure. For example, if a vulnerability management solution identifies a vulnerability, the remediation of that risk can be automated end-to-end through an XSOAR playbook: the platform executes every step, from opening a ticket in the Case Management module and automatically issuing an email alert to executing the predefined response measures, without human intervention.
Such an approach unifies processes and workflows in the SOC and increases the efficiency and responsiveness of operational teams, eliminating manual labor and stopping threats before they achieve their goal.
Also, through its large number of possible integrations – the Palo Alto ecosystem is one of the most advanced in the IT industry – and the various ways of automating response processes through playbooks, XSOAR improves the return on existing investments in security infrastructure, as well as raising the level of protection across the entire organization.
Practical results and demonstrations
To show the benefits of the XSOAR platform, the results of Palo Alto’s own SOC team, operated by 8 specialists, were presented:
- Out of 1.5 trillion events analyzed over 90 days, 1.5 billion were automatically prevented;
- Of the remaining 1.49 trillion events, only 6,000 were identified as legitimate incidents and raised alerts;
- Of the 6,000 legitimate alerts, 5,200 were remedied automatically, without requiring the intervention of a specialist;
- The remaining 800 events were blocked and completely resolved, with no major security events being recorded.
In addition, Teodor Iacob, Systems Engineer at Palo Alto Networks, presented how to achieve effective management of security incidents, underlining the added value generated by integrating the platform with other security solutions: “Currently XSOAR benefits from over 600 integrations that facilitate the interaction with third-party solutions in the existing security infrastructure. These integrations are used as two-way communications, such as with SIEM systems, to act on third-party systems, through Playbooks and automation, in order to respond to incidents or to send notifications and reports.”
The Palo Alto specialist performed a practical demonstration, showing how a dedicated playbook can be assigned and customized for detecting and remedying a phishing attack, one of the most common types of security incidents.
This demo can be viewed by accessing the full recording of the webinar “Efficient management of security incidents using the Palo Alto SOAR system”.