Cortex SOC Transformation
Jacobo Resnikov
Cortex Manager LATAM
Reasons for transformation?
• Board Directive for Risk Transformation
• Data Breach
• New CISO, CIO, CEO
• MSSP insourcing/outsourcing
• Cloud transformation initiative
• Budget/technology refresh cycle
• Created by you!
• Platform play:
  • EPP > EDR > SOAR
  • SOAR > Better EDR
How SecOps must transform to reduce risk
[Chart: SOC maturity (Low/Reactive, Medium, High/Proactive) plotted against efficiency (MTTR/MTTD) and risk. Column labels as shown on the slide:]
• Low maturity, rule-based detection: SIEM; alerts in 1000's, 100's to Tier 1 (>8m), 1's to Tier 3 (>2h); D&R tool applicability
• Medium maturity, correlated rule-based detection: SOAR; alerts in 1000's, 100's known and handled automated / T0 (0-2m)
• High maturity, analytics-based detection: XDR tool; unknown in 10's; analyst time split Triage 33% / Hunt 33% / Adapt 33%
[Diagram: Prevent → Investigate → Respond; pipeline Data → Analytics → Alert Aggregation → Incident Management → Automation/Orchestration → Response; components: Threat Intelligence, Manage Cases, Analytics, Incident, Alert Aggregation, Automate Response]
• Create efficiency with a comprehensive product suite for prevention, detection, response, and automation: Reduce Mean Time to Detect and Respond
• Gain context across known and unknown to speed validation, enrichment and resolution: Automate Manual Tasks and Known Use Cases
• Handle more alerts, faster, with more clarity across all existing tools: Become a Proactive SOC
[Diagram: Next-Generation Firewall → User click → Incident created → Hunt for threats and adapt defenses]
Security Orchestration, Automation, and Response (SOAR)
Market Size in 2024*: $1.791B, 15.6% CAGR
• Focus Areas
  • Phishing, user access, incident response, IOC enrichment, case management
• Market Convergence/Longevity
  • Convergence of SAO, SIRP, and TIP.
  • Market growth driven by breadth of use cases.
  • Future expansion driven by both product and content.
  • Flexible product that enables user-created content.
  • OOTB content packs for specific use cases.
* Link: https://www.marketsandmarkets.com/Market-Reports/security-orchestration-automation-response-market-176584778.html
[Diagram: SOC tools and teams around a Data / Ingest / Action loop. Tools: Ticketing, Email, EDR, Threat Intel, Firewall. People: Security Analyst, Admin, IT Team, DevOps.]
Challenges:
• Lack of defined process
• Repetitive and manual actions
• Lack of product interconnectivity
• Cross-product coordination
01 Reduced weekly alerts requiring human review by 95% (from 10,000 to 500) by deploying a playbook that automatically resolved false positives.
04 (MSSP) Saved ~53 hours per month using the Demisto phishing playbook and machine learning. This time is now spent on proactive activities and decision-making.
• Tightly integrated case management, orchestration and automation, collaboration.
• Use War Room (both chat and CLI), leverage machine learning insights to conduct real-time investigation.
• Integrations, incident types and layouts, playbooks, dashboards can all be customized.
BEFORE
[Diagram: alert sources Email, Endpoint Detection and Response, Malware Analysis, Internet access, Spreadsheet, Ticketing system, Threat intel platform, Research, Firewall, Reports each trigger a manual response by the security analyst.]
Questions answered by hand: Who is using this IP address? Are we impacted by IP 1.1.1.1? Which policy is blocking this IP address? Who is behind it?
Stakeholders: CSO, Threat intel analyst
AFTER
[Diagram: Bad IP 1.1.1.1 → XSOAR (Orchestration & Automation) → Automated playbooks]
© 2020 Palo Alto Networks, Inc. All Rights Reserved.
© 2019 Palo Alto Networks. All rights reserved.
Cortex XSOAR Threat Intel Management key takeaways
• Take full control of your threat intel data
• Unify external threat intel data with internal incident alerts
• Make smarter decisions with enrichment and prioritization
• Act fast and with precision via automated playbooks
Jacobo Resnikov
jresnikov@paloaltonetworks.com