Palo Alto SOAR, four common working scenarios

Companies are finding it increasingly difficult to cope with the exponential growth in the volume of security alerts that need to be investigated. Manual processing is time-consuming and consumes a large share of the specialized departments’ activity. Palo Alto SOAR (Security Orchestration, Automation, and Response) addresses this shortcoming by correlating indicators of compromise with contextual information and automating remedial measures. Datanet Systems is an authorized Palo Alto partner and can provide all the services needed to implement a SOAR system.

Over 90% of security teams are currently focusing their efforts on improving incident response by developing orchestration and automation capabilities. (1) The reasons are obvious: the 125% increase in the volume of attacks (2) generates an explosion in the number of alerts to be processed by the Security Operations Center (SOC). Manually managing such a volume – which exceeds 11,000 alerts per day at some large companies (3) – is difficult because of limited human resources and non-integrated security solutions; having to consult isolated sources of information complicates the situation further.

SOAR, a versatile acronym

SOAR systems (Security Orchestration, Automation, and Response) can be, in this context, the answer that SOC teams need, as such solutions are specifically designed to provide rapid, effective responses to security events through:

  • Orchestration – SOAR connects the functionalities of several security systems, aggregates and correlates the information they provide, and delivers notifications, detailed analyses, alerts, and actionable information to SOC teams.
  • Automation – SOAR eliminates repetitive activities and manual operations, automatically managing certain aspects of security incidents and several routine operations of the company’s IT security team. Through predefined response scenarios, the SOAR system applies action sequences (Playbooks) specific to certain risk categories, increasing the efficiency and speed of application of remedial measures.
  • Reporting and visualization – using SOAR systems, SOC benefits from an intuitive and efficient way to identify, correlate, sort, and document the way security incidents take place, as well as the stages of response processes and their results.

Palo Alto SOAR, recommended by Datanet

Cortex XSOAR, the system delivered by Palo Alto and recommended by Datanet specialists, stands out as the first SOAR platform in the industry that unifies security incident management, automation of response measures, and management of threat information sources.

This is an important differentiator, as in most cases SOC teams rely only on isolated sources of information to gain visibility into threats and to detect potential risks. Standard SOAR platforms aggregate multiple data sources, but without delivering the contextual information and automation needed to act quickly.

To overcome these limitations, Cortex XSOAR natively integrates its own Threat Intelligence Management technology, which unifies the aggregation of threat information with scoring systems – to assess and prioritize the criticality of incidents – and with methods to automate response and remediation by automatically applying predefined action sequences (playbooks).

Thus, Palo Alto’s SOAR system quickly detects critical threats by adding contextual information about internal incidents to aggregated threat data from external sources. In turn, the automation achieved through playbooks increases the speed and efficiency of correlating, verifying, deduplicating, analyzing, and managing the millions of indicators of compromise (IOCs) collected.


Usual working scenarios with Cortex XSOAR

Palo Alto SOAR facilitates the detection of security incidents, the prioritization of alerts, and the automatic application of appropriate measures. Here are some of the most used applications:

  • Phishing attacks – Cortex XSOAR identifies potentially risky emails and launches a playbook that automates repetitive tasks such as triaging and isolating affected end users, extracting and checking indicators of compromise, and identifying false-positive alerts.
  • End-user malware infections – the SOAR system extracts data from endpoints, enriches it with information from external sources, analyzes it by cross-referencing files and hashes, notifies the SOC team, and automatically launches the playbook for preset measures such as blocking access, quarantine, and restoration.
  • Failed login attempts – after a predefined number of failed login attempts, Cortex XSOAR automatically launches a playbook that assesses whether the authentication attempts are legitimate, queries the users, analyzes their responses, and verifies password integrity, then allows or blocks access.
  • Vulnerability management – the SOAR system automatically collects information about vulnerabilities, enriches it by consulting external sources such as CVE (Common Vulnerabilities and Exposures) and aggregating contextual information, calculates the criticality level of each vulnerability, and reports it to the SOC team for investigation and remediation.
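To make the phishing scenario above and the IOC pipeline described earlier (extraction, deduplication, enrichment, scoring, remediation) concrete, here is an added illustration in plain Python. It is not Cortex XSOAR code and uses none of its APIs; the threat feed, the sample email, the reputation thresholds and the action names are all constructed for the example. The only real value is the MD5 of the EICAR test file, a public and harmless hash used in place of a real malware sample.

```python
"""Toy SOAR-style phishing playbook: extract, deduplicate, enrich, score, act.

Added example, not Cortex XSOAR code. Feed, email, thresholds and action names are constructed.
"""
import re
from urllib.parse import urlparse

# Constructed reputation feed standing in for the threat-intelligence sources a
# real platform would query. Score: 0 = unknown/benign, 100 = known malicious.
THREAT_FEED = {
    "198.51.100.23": 90,                           # constructed, RFC 5737 documentation range
    "login-portal.example": 85,                    # constructed domain
    "44d88612fea8a8f36de82e1278abb02f": 100,       # EICAR test-file MD5 (public, harmless)
}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[a-fA-F0-9]{32}\b")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

MALICIOUS, SUSPICIOUS = 80, 40   # constructed verdict thresholds on the top indicator score

# Constructed phishing report; note the same attachment hash appears in two spellings.
SAMPLE_EMAIL = """From: it-support@login-portal.example
Subject: Urgent: password expiry
Your password expires today. Verify at http://login-portal.example/verify?u=123
Mirror: http://198.51.100.23/verify
Attachment hash: 44d88612fea8a8f36de82e1278abb02f
Attachment hash (again): 44D88612FEA8A8F36DE82E1278ABB02F
"""


def extract_iocs(text: str) -> dict[str, set[str]]:
    """Steps 1-2: pull candidate indicators out of free text and deduplicate them.

    Sets give deduplication for free; lower-casing hashes and hostnames is what
    makes two spellings of the same indicator collapse into one.
    """
    iocs: dict[str, set[str]] = {"ip": set(), "domain": set(), "url": set(), "md5": set()}
    for url in URL_RE.findall(text):
        iocs["url"].add(url)
        host = urlparse(url).hostname or ""
        if IP_RE.fullmatch(host):
            iocs["ip"].add(host)
        elif host:
            iocs["domain"].add(host.lower())
    iocs["ip"].update(IP_RE.findall(text))
    iocs["md5"].update(h.lower() for h in MD5_RE.findall(text))
    return iocs


def enrich(iocs: dict[str, set[str]]) -> dict[str, int]:
    """Step 3: look each unique indicator up in the feed; unknown indicators score 0."""
    return {value: THREAT_FEED.get(value, 0) for values in iocs.values() for value in values}


def verdict(scores: dict[str, int]) -> str:
    """Step 4: the incident is as bad as its worst indicator."""
    top = max(scores.values(), default=0)
    if top >= MALICIOUS:
        return "malicious"
    if top >= SUSPICIOUS:
        return "suspicious"
    return "benign"


def triage_email(raw: str) -> dict:
    """Run the playbook end to end and return the incident record an analyst would see."""
    iocs = extract_iocs(raw)
    scores = enrich(iocs)
    result = verdict(scores)
    actions: list[str] = []
    if result == "malicious":
        # Step 5: remediation. Only indicators that cleared the threshold are blocked,
        # so a benign URL that merely appeared in the same mail is not collateral damage.
        actions.append("quarantine_message")
        actions += [f"block:{ioc}" for ioc, s in sorted(scores.items()) if s >= MALICIOUS]
        actions.append("notify_soc")
    elif result == "suspicious":
        actions.append("escalate_to_analyst")
    else:
        actions.append("close_as_false_positive")
    return {
        "verdict": result,
        "iocs": {kind: sorted(values) for kind, values in iocs.items()},
        "scores": scores,
        "actions": actions,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage_email(SAMPLE_EMAIL), indent=2))
```

The deduplication step is deliberately shown before enrichment: every lookup against an external feed costs time and, usually, API quota, so normalizing and collapsing indicators first is what lets a playbook keep up with the alert volumes quoted above. The verdict thresholds and the action names are placeholders for whatever scoring scheme and integrations a real deployment exposes.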

Added value by collaborating with Datanet

Using work scenarios such as the above, companies can increase the speed of remedial action by up to 90% and reduce the number of incidents investigated by 75%. The scenarios presented, however, are only a small part of those provided by Cortex XSOAR. The SOAR system from Palo Alto comes with over 680 automated playbooks, which local companies can adapt to their own requirements with the help of Datanet services.

Our specialists can ensure the integration of Cortex XSOAR with more than 700 applications and products from other hardware and software manufacturers. The services delivered by Datanet allow the customization of playbooks as well as dashboards and reports, to simplify investigation processes, increase visibility, and improve the decision-making support provided to SOC teams.

For further technical and commercial information about Cortex XSOAR as well as the services delivered by Datanet Systems, please contact us at sales@datanets.ro.

______________________

1 – The State of SOAR Report

2 – Triple digit increase in cyberattacks: What next?

3 – How SOAR Is Transforming Threat Intelligence