
SOC Transformation

XSOAR & Cortex XDR

Jacobo Resnikov
Cortex Manager LATAM
Reasons for transformation?
• Board Directive for Risk Transformation
• Data Breach
• New CISO, CIO, CEO
• MSSP insourcing/outsourcing
• Cloud transformation initiative
• Budget/technology refresh cycle
• Created by you!
• Platform play:
    • EPP > EDR > SOAR
    • SOAR > Better EDR
How SecOps must transform to reduce risk

Axes: EFFICIENCY; MTTR/MTTD & RISK; Maturity from Low (Reactive) through Medium to High (Proactive)

                Low (Reactive)      Medium                    High (Proactive)
Detection       RULE-BASED          CORRELATED RULE-BASED     ANALYTICS-BASED
Context         LOG AGGREGATION     SILOED DATA COLLECTION    INTEGRATED RICH DATA
Automation      NONE                PARTIAL                   FULL

3 | © 2019 Palo Alto Networks. All Rights Reserved.


Today's current operating model

ALERTS IN       1000's
TIER 1          100's     >8m         (SIEM applicability)
TIER 2          10's      >2h-2w      (D&R tool applicability)
TIER 3          1's       >2h



NEW OPERATING MODEL

ALERTS IN                                     1000's
KNOWN   → AUTOMATED / T0                      100's    >0-2m    (SOAR applicability)
UNKNOWN → TRIAGE 33% / HUNT 33% / ADAPT 33%   10's              (XDR tool applicability)



Reinventing SecOps with Cortex

• Prevent everything you can prevent
• Everything you can't prevent, detect and investigate fast
• Automate response and get smarter with each incident



Cortex XDR, XSOAR and AutoFocus

Threat Intelligence (spanning the whole pipeline)

Prevent and Investigate                 Respond
• Good Data                             • Standardize Processes
• Analytics                             • Manage Cases
• Alert Aggregation                     • Collaborate and Learn
                                        • Automate Response

Pipeline: Data → Analytics → Alert Agg. → Inc. Mgmt → Auto/Orch → Response



Customer personas and goals

Budget Holder (CISO, VP InfoSec)
● Prevent data breach & reduce risk
● Cut operating cost
● Modernize SOC technology stack

Technical Decision Maker (SecOps Dir.)
● Simplify and speed detection, inv. & response
● Reduce alert fatigue and triage time
● Reduce time spent on repetitive, manual tasks
● Reduce attrition, improve efficiency and knowledge

User/Influencer (SOC analyst, Infrastructure Engineer, Architect)
● Simplicity and ease-of-use
● Leverage the products they already use
● Automate and orchestrate across any product
Cortex pitch

Budget Holder (CISO, VP InfoSec)
● Prevent costly data breaches
● Adopt a comprehensive product suite with cutting-edge technology
● Enable a proactive SOC that constantly improves

Technical Decision Maker (SecOps Dir.)
● Unify detection, prevention, investigation, automation, and response
● Convert alerts to incidents with automation and analytics, reducing load across all analysts by 50x
● Automate & orchestrate manual, repetitive tasks

User/Influencer (SOC analyst, Infrastructure Engineer, Architect)
● Cut investigation time by 8x
● Reduce alerts requiring human review by 95%
Key competitive differentiators

Integrated solution for SecOps: Create efficiency with a comprehensive product suite for prevention, detection, response, and automation
Complete context for all use cases: Gain context across known and unknown to speed validation, enrichment and resolution
Boost ROI of existing investments: Handle more alerts, faster, with more clarity across all existing tools



Value proposition

Reduce Mean Time to Detect and Respond: Reduce workload by 50X by maximizing prevention, detection, response & automation
Automate Manual Tasks and Known Use Cases: Improve operational efficiency across SecOps by 90%
Become a Proactive SOC: Reduce security risk and cost, free analysts to work on the unknown and apply learnings forward
KNOWN VS UNKNOWN

Known use case
spoof@uhealth.com → User click → Traps / Next-Generation Firewall → Incident created
• Playbook orchestration across products
• End-to-end incident management
• Real-time collaboration

Unknown use case
• Detect across network, endpoint and cloud
• Simplify investigations to reveal root cause
• Hunt for threats and adapt defenses


Objection Handling

Q. Are you trying to be a SIEM?
R. Do you like SIEMs for Triage, Investigation and Response?
A. No. We shift all triage, investigation and response use-cases away from the SIEM. We give you the answers to all the questions generated: Demisto takes those alerts and drives them to action across your product stack.

Q. Do I need Demisto, Cortex XDR, more agents, and NGFW?
S. How much do you want to transform your SOC?
B. You can start with either Demisto or Cortex XDR for EDR. Without our good data, you fall into the SIEM trap.

Q. I'm going to spend a lot of time creating playbooks.
S. Do you really want to keep doing repetitive manual work?
B. Playbooks require no or low coding, and are visual and modular. The time you put in means you will never have to do that task again.
SALES PLAYBOOK
Training Presentation
XSOAR for SOC



MARKET OPPORTUNITY

Security Orchestration, Automation, and Response (SOAR)
Market Size in 2024*: $1.791B, 15.6% CAGR

• Market/Category Description
    • Enable security teams to manage, investigate, and respond to alerts in a standardized and scalable manner across their product stack.
• Focus Areas
    • Phishing, user access, incident response, IOC enrichment, case management
• Market Convergence/Longevity
    • Convergence of SAO, SIRP, and TIP.
    • Market growth driven by breadth of use cases.
    • Future expansion driven by both product and content.
    • Flexible product that enables user-created content.
    • OOTB content packs for specific use cases.

* Link: https://www.marketsandmarkets.com/Market-Reports/security-orchestration-automation-response-market-176584778.html



WHO'S THE BUYER

Budget Holder (CISO, CIO)
● Long response times lead to increased risk.
● Looking for quantifiable returns on investment.
● Struggle with high turnover, overworked employees.

Technical Decision Maker (SecOps team / SOC team)
● High alert volumes not compatible with human review.
● Spend too much time switching between products and UIs during incident response.
● Perform repetitive, manual tasks that take time away from investigation and hunting.

User/Influencer (IT/Network team)
● Product and team silos lead to fragmented processes and roadblocks.
● Security is often at odds with connectivity/uptime.



WHO'S THE BUYER – KEY MESSAGES

Budget Holder (CISO, CIO)
● Automation and orchestration reduces MTTR.
● Remote execution of commands across products gets more value from existing investments.
● Reduce risk by handing time back to teams for investigation.

Technical Decision Maker (SecOps team)
● Playbook-driven triage resolves false positives, reduces alerts that require human review.
● Playbooks and War Room minimize console switching.
● Automation takes care of repetitive tasks and leaves deeper investigations, hunting for the security team.

User/Influencer (IT/Network team)
● Playbooks automate data collection across teams to avoid roadblocks.
● Demisto integrates with tools that are common across teams, automating information transfer so that all teams are on the same page.



BEFORE SCENARIO

Alert sources: SIEM, Ticketing, Email
People: Security Analyst, Firewall Admin, IT Team, DevOps
Tools: EDR, Threat Intel
Data and Action arrows link each person and tool individually.

• Disparate alert sources
• Lack of defined process
• Repetitive and manual actions
• Lack of product interconnectivity



VALUE PROPOSITION

Deploy repeatable, automated processes for any security use case
• Reduced MTTR
• Reduced alert volume requiring human review

Gain SOC visibility with case mgmt. that can adapt to any security alert
• SLA confidence
• Improved capturing of metrics

Coordinate actions across your product stack and teams
• Increased ROI
• Enhanced productivity
• Time for proactive ops



LEADING QUESTIONS AND ACTIONS

Leading questions
• Do you have a dedicated SOC?
• How many SecOps people?
• Are your processes defined today?
• How do you respond to alerts today?
• Are you able to measure and report on SOC performance?

Expected answer: No defined SOC / less mature SOC
• Not enough people
• Difficulty in collecting and analyzing data across tools
• Ad-hoc tasks and processes
• No time/ability to capture metrics
How to respond: Push the case management pedal. Demisto can be your central security ticketing system, codify processes (even if manual at first) and pave the way for eventual automation to accelerate your SOC's maturity.

Expected answer: More mature SOC (either has ticketing already or wants to change)
How to respond: Push the SOAR pedal. Value of automation integrated with case mgmt, enabling you to manage and respond to alerts from one console.

Leading questions
• Have you already heard of SOAR?
• Have you deployed SOAR?

Expected answer: Haven't heard of SOAR. / Know about SOAR but don't have it.
How to respond: Standard Demisto value prop.

Expected answer: I have SOAR but am looking to change.
How to respond: Focus on Demisto differentiators rather than overall value of SOAR.



AFTER SCENARIO

Alert Sources: SIEM, Vuln. Mgmt., Email, Cloud Alerts
→ Ingest → Security Analyst + Playbook Orchestration → Point Products, Other Teams

• All alerts flowing into one console
• Standardized, enforceable processes
• Automated high-quantity actions
• Cross-product coordination



METRICS

01 Reduced weekly alerts requiring human review by 95% (from 10,000 to 500) by deploying a playbook that automatically resolved false positives.

02 Reduced MTTR for phishing incidents from ~3 days to 25 minutes.

03 Automated ~30% of all incidents and saved time equivalent to 1 FTE.

04 (MSSP) Saved ~53 hours per month using the Demisto phishing playbook and machine learning. This time is now being spent on proactive activities and decision-making.



KEY COMPETITIVE DIFFERENTIATORS

Unified SOAR platform: Tightly integrated case management, orchestration and automation, collaboration.
Unstructured investigation support: Use War Room (both chat and CLI), leverage machine learning insights to conduct real-time investigation.
Open, extensible, customizable: Integrations, incident types and layouts, playbooks, dashboards can all be customized.



IN THE WEEDS BUT IMPORTANT

Demisto 'Work Plan'
• No other SOAR tool provides a live task-by-task visualization of playbooks
• Simplifies task management and troubleshooting



IN THE WEEDS BUT IMPORTANT

Demisto mobile application
• First SOAR tool to have a mobile application
• On-the-go case management
    ● Task/incident assignment
    ● Dashboards
    ● Basic incident actions



OBJECTION HANDLING

Objection: We are not a Palo Alto Networks shop.
Response:
• XSOAR is vendor-neutral by nature.
• Open, extensible integration network with 350+ products (more being added), including Palo Alto Networks competitors.
• SDK to create custom integrations.

Objection: Isn't this what my SIEM already does?
Response:
• XSOAR both complements and supplements the SIEM.
• Complements: While the SIEM aggregates raw data into alerts, Demisto ingests alerts and drives them to response across your product stack.
• Supplements: SIEMs are just one of the many alert sources for XSOAR. XSOAR playbooks can also respond to phishing alerts, vulnerabilities, cloud alerts, etc.

Objection: No time to create and maintain playbooks.
Response:
• XSOAR has an OOTB collection with 100+ playbooks, and more are added twice a month.
• XSOAR playbooks are easy to create with a visual editor, UI-driven data manipulation and nesting.
• We also provide PS support if needed.



BEFORE: Journey of an IOC

Alert sources: Email, SIEM, News/Blog, External threat intel feeds, Threat intel platform
Trigger: "Threat actors use 1.1.1.1 to attack!" → Bad IP 1.1.1.1

Questions the security analyst has to answer:
• How bad is it?
• Are we impacted?
• Who is using this IP address?
• Which policy is blocking this IP address?
• Who is behind it?

People and tools consulted, each step a manual response:
• IT admin (Assets, End users)
• Endpoint Detection and Response
• Malware Analysis, Internet access, Spreadsheet, Ticketing system
• SIEM, Firewall admin (Firewall, Network topology, Tools)
• Threat intel analyst (Threat Research, Reports)
• CSO, Industry peers



AFTER: Journey of an IOC with Cortex XSOAR

Alert sources (External threat intel feeds → Bad IP 1.1.1.1)
→ XSOAR: Orchestration & Automation, Automated playbooks, 350+ Integrations
→ Security analyst | Threat analyst | Ticketing System | IT Admin | Firewall Admin | CSO

• Unify threat feeds with incident alerts
• Enrich every tool and process
• Take automated action with confidence
Real-time collaboration | Case management
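The enrich-then-act loop on this slide, together with the false-positive-closing playbook credited in the METRICS slide, as an added example that is not Cortex XSOAR's own code or playbook format: a small Python triage routine over constructed threat-feed verdicts and constructed firewall/SIEM alerts. Feed names, the action labels and the two-feed confidence threshold are assumptions; 1.1.1.1 is the sample IP from the slide.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import List

# Constructed threat-intel verdicts: indicator -> list of (feed name, flagged malicious?).
# Feed names are hypothetical; 1.1.1.1 is the sample IP used on the slide.
FEEDS = {"1.1.1.1": [("feed_a", True), ("feed_b", True), ("feed_c", False)],
         "8.8.8.8": [("feed_a", False)]}

# Constructed internal alerts (firewall + SIEM) that answer "Are we impacted?".
INTERNAL_ALERTS = [
    {"source": "firewall", "src": "10.0.0.5", "dst": "1.1.1.1", "action": "allow"},
    {"source": "siem", "src": "10.0.0.9", "dst": "1.1.1.1", "action": "alert"},
    {"source": "firewall", "src": "10.0.0.7", "dst": "8.8.8.8", "action": "allow"},
]

@dataclass
class Incident:
    indicator: str
    feed_hits: int = 0                       # enrichment: how many feeds flag it
    impacted_hosts: List[str] = field(default_factory=list)
    actions: List[str] = field(default_factory=list)

def enrich(ip: str) -> int:
    """Unify threat feeds: count feeds that flag the IP malicious (0 if unknown)."""
    return sum(1 for _, malicious in FEEDS.get(ip, []) if malicious)

def impacted_hosts(ip: str) -> List[str]:
    """Check internal alerts for any host that talked to the indicator."""
    return sorted({a["src"] for a in INTERNAL_ALERTS if a["dst"] == ip})

def run_playbook(ip: str, min_feeds: int = 2) -> Incident:
    """Enrich, decide, act. Action labels are hypothetical integration calls."""
    ip_address(ip)  # validate the indicator before it reaches any downstream tool
    inc = Incident(ip, enrich(ip), impacted_hosts(ip))
    if inc.feed_hits < min_feeds:
        # Below the confidence threshold: close without human review.
        inc.actions.append("close:false_positive")
        return inc
    inc.actions.append("firewall:block")
    if inc.impacted_hosts:  # confirmed internal contact: contain and escalate
        inc.actions += ["edr:isolate_hosts", "ticket:open_p1"]
    else:
        inc.actions.append("ticket:open_p3")
    return inc
```

Raising `min_feeds` or adding feeds changes only the enrichment step; the containment and ticketing branches stay the same, which is the point of keeping the decision logic in one playbook.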



Cortex XSOAR Threat Intel Management use cases

• Indicator Prioritization
• Whitelist Administration
• Incident Enrichment
• Automated Threat Hunting
• AutoFocus Integration

Cortex XSOAR Threat Intel Management key takeaways

• Take full control of your threat intel data
• Unify external threat intel data with internal incident alerts
• Make smarter decisions with enrichment and prioritization
• Act fast and with precision via automated playbooks



Thank you

Jacobo Resnikov
jresnikov@paloaltonetworks.com

