{"id":172222,"date":"2022-10-12T05:00:56","date_gmt":"2022-10-12T12:00:56","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=172222"},"modified":"2022-10-12T08:05:00","modified_gmt":"2022-10-12T15:05:00","slug":"xsiam-to-revolutionize-the-soc","status":"publish","type":"post","link":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/2022\/10\/xsiam-to-revolutionize-the-soc\/","title":{"rendered":"XSIAM Has Arrived to Revolutionize the SOC"},"content":{"rendered":"<p>As a leader in the network, endpoint and cloud security markets, we collect an incredible amount of data that can be ingested and integrated to feed machine learning, analytics and automation that could provide immense value and revolutionize the Security Operations Center (SOC). But it\u2019s largely discarded by SIEMs because they aren\u2019t designed to use this data.<\/p>\n<p>How do we know the data we collect can work wonders in the SOC? Because we do it in our own SOC:<\/p>\n<ul>\n<li>The Palo Alto Networks SOC ingests over 1 trillion events per month, nearly 40 billion per day, and intelligently groups and analyzes alerts, resulting in only eight incidents a day on average in need of investigation.<\/li>\n<li>Our mean time to detect is ten seconds, and our mean time to respond to high-priority alerts is one minute, all with a relatively small global team working regular hours.<\/li>\n<li>Our analysts do the kind of interesting and valuable security work they joined the industry to do, without burnout or heroics, because we\u2019ve built our SOC on a platform designed from the ground up for the modern threat landscape.<\/li>\n<\/ul>\n<p>And your SOC can, too, with XSIAM \u2013 the autonomous platform powering the modern SOC, which, I am excited to share, is now generally available.<\/p>\n<p>Before we detail exactly how XSIAM can revolutionize the SOC, let\u2019s explore the issues security operations is currently facing.<\/p>\n<h2><a id=\"post-172222-_encmg68gpb1m\"><\/a>The SIEM Just Isn\u2019t Working<\/h2>\n<p>What\u2019s become increasingly clear is that the SIEM just isn\u2019t working for many customers: they complain it\u2019s too expensive, too hard to manage, too hard to operate, and it fails at the most important task \u2013 helping stop threats and keep organizations safe.<\/p>\n<h4 style=\"padding-left: 40px;\"><a id=\"post-172222-_5xhycxmxxm3y\"><\/a>Be a Defender, Not Just a Detective<\/h4>\n<p style=\"padding-left: 40px;\">It\u2019s not difficult to see that there\u2019s a problem. Whenever an organization suffers an attack, it is always able to figure out what happened afterwards. It can reconstruct methods, know which systems were affected and which information was taken. But if the data is available to understand what happened afterward, why couldn\u2019t it have been used to stop the attack in the first place? The answer, sadly, is that too many alerts and too many silos ultimately lead to too little insight.<\/p>\n<p style=\"padding-left: 40px;\">The problem is that SIEMs are built to digest and prioritize alerts, then present them to analysts for triage and investigation. But the number of alerts keeps growing, so the analysts simply can\u2019t keep up. Of course, today there is so much more data than just alerts and logs. Without the ability to handle that larger data set, and more importantly, to make sense of it for early detection and response, a huge opportunity is lost. Further, the modern SOC processes EDR, NDR, cloud, identity, threat intelligence and other types of data, but all in silos and almost never as part of the SIEM.<\/p>\n<h4 style=\"padding-left: 40px;\"><a id=\"post-172222-_kqinv54215zk\"><\/a>Not a Cost Problem, but a Value Problem<\/h4>\n<p style=\"padding-left: 40px;\">Contrary to what some vendors say, this isn\u2019t a <strong><em>cost<\/em><\/strong> problem. It\u2019s a <strong><em>value<\/em><\/strong> problem. 
However, we believe it\u2019s possible to address both: dramatically improved value <em>and<\/em> lower cost. If your SOC could ingest ALL relevant data, apply machine learning to detect in real time, and apply automation to free up humans to do what only humans can do, it would dramatically improve the ability to detect attacks in real time and respond fast enough to prevent successful breaches. That\u2019s the promise of SIEM, but it\u2019s a promise that hasn\u2019t been fulfilled.<\/p>\n<p style=\"padding-left: 40px;\">Our customers asked us if we could build something better. So we did. Since February, we\u2019ve worked with design partners to tune XSIAM, and the feedback has been strong:<\/p>\n<p style=\"padding-left: 40px;\">\u201cXSIAM is already helping us to resolve and address threats way more quickly and efficiently, reduce risk and track metrics,\u201d said Paul Alexander, director of IT operations at Imagination Technologies Group, an international leader in the creation and licensing of semiconductor System-on-Chip Intellectual Property.<\/p>\n<p style=\"padding-left: 40px;\">\u201cFrom our first demo of XSIAM as part of the early access program, we were shocked and impressed with the maturity of the platform,\u201d said Randy Watkins, chief technology officer at Critical Start. \u201cThis was not a beta product, but a solution that customers would immediately be able to build their entire security operations program around. The data models within XSIAM are some of the best approaches we\u2019ve seen to solving the lack of consistency with log management.\u201d<\/p>\n<h2><a id=\"post-172222-_sf3ursw9hy2d\"><\/a>Revolutionize the SOC with XSIAM<\/h2>\n<p>We believe that the only way a SOC platform can operate at today\u2019s scale is to completely rebuild from the ground up. 
So we\u2019ve done exactly that with XSIAM, the autonomous security operations platform designed to enable all customers to achieve the outcomes Palo Alto Networks achieves in its own SOC. How? It all comes down to data that drives analytics, automation and proactivity.<\/p>\n<h4 style=\"padding-left: 40px;\"><a id=\"post-172222-_pe4ucr184yzg\"><\/a>Data and Analytics: Much More Detail, Much More Insight<\/h4>\n<p style=\"padding-left: 40px;\">When designing XSIAM, we started with an assumption that it would have to collect massive amounts of data (more than just alerts and logs) to implement our vision for analytics. XSIAM would need to pull data from endpoints, the network, identity systems, the cloud, and data about the environment itself (such as attack surface data). To use this data as the foundation for analytics, XSIAM must normalize it, understand it, and integrate it (i.e., stitch it together), so our machine learning doesn\u2019t process it as unrelated subsets, but with an understanding of how the data elements relate to each other.<\/p>\n<p style=\"padding-left: 40px;\">Imagine how much more intelligent a system can be if it analyzes every event from the perspective of the endpoint, the network, the identity systems and the cloud, all at the same time. 
It can then use that context to drive the detection, investigation and response capabilities.<\/p>\n<p><div style=\"max-width:100%\" data-width=\"3552\"><span class=\"ar-custom\" style=\"padding-bottom:63.06%;\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-172347 size-full lozad\" data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2022\/10\/XSIAM-Incident-Dashboard.png\" alt=\"XSIAM incident dashboard\" width=\"3552\" height=\"2240\" \/><\/span><\/div><\/p>\n<h4 style=\"padding-left: 40px;\"><a id=\"post-172222-_1rajy2ilgaib\"><\/a>Automation: More Than Workflow<\/h4>\n<p style=\"padding-left: 40px;\">When we talk about automation, we don\u2019t just mean <em>workflow automation<\/em> (i.e., automating what a human analyst does with an alert). We also mean <em>native automation<\/em> embedded into the product to normalize and stitch events together into an \u201cattack story,\u201d to create new detectors to dispatch alerts, etc. With XSIAM we have built this native automation in addition to workflow automation. In some areas, we\u2019ve combined the two. For example, XSIAM can recommend new playbooks or response actions based on machine learning, thereby making workflow automation (SOAR) more powerful.<\/p>\n<h4 style=\"padding-left: 40px;\"><a id=\"post-172222-_892prcwaz0pf\"><\/a>Proactivity: Actually Getting Ahead of Attacks<\/h4>\n<p style=\"padding-left: 40px;\">If you were to talk to SOC analysts, many would describe their job as reactive. But defending against attacks is a lot easier if they never happen, so we decided to provide capabilities for the SOC to get ahead of attackers. An excellent way to do that is to start proactively looking at the attack surface and which systems are vulnerable before an attacker discovers an opportunity to exploit something that\u2019s misconfigured, open or otherwise at risk. 
Embedding attack surface discovery and response into XSIAM frees the analyst from the cycle of responding to never-ending alerts.<\/p>\n<p style=\"padding-left: 40px;\">What can a \u201cliberated\u201d SOC actually accomplish? Analysts can hunt threats. They can look at the attack surface and take action to secure it <em>before<\/em> a vulnerability becomes an attack. In our own SOC, we\u2019ve seen the benefits of proactive security combined with greatly improved response. It\u2019s turning 36 billion daily events into zero major incidents through effective analytics, automated response and a continuous reduction in the attack surface.<\/p>\n<h2><a id=\"post-172222-_ahfwbfwo0k05\"><\/a>Check It Out for Yourself<\/h2>\n<p>At Palo Alto Networks, we\u2019ve been here before. Sixteen years ago, the IT world was struggling with traditional firewalls, trying to surround them with IPS, URL, sandbox and proxy systems to fix all their gaps. We saw that the only way to solve the problem was to start over and design something from the ground up \u2013 the next-generation firewall. For the SOC, it\u2019s time to stop surrounding the SIEM in hopes you can hide the flaws; it\u2019s time to fix it from the ground up with data, analytics and automation. All of that is to say we understand what it takes to revolutionize a market, and we know this is going to be a journey \u2013 one we\u2019re excited to begin with XSIAM.<\/p>\n<p>Today, I am happy to share that it\u2019s generally available, and we are excited to tell you even more. You can read more on the <a href=\"https:\/\/www.paloaltonetworks.com\/cortex\/cortex-xsiam\">website<\/a> and download our <a href=\"https:\/\/www.paloaltonetworks.com\/resources\/techbriefs\/cortex-xsiam\">solution brief<\/a>. 
In addition, on November 2 we\u2019ll hold an online launch event including a demonstration, and we\u2019d love to have you <a href=\"https:\/\/start.paloaltonetworks.com\/the-modern-soc-reimagined#Register\">join us<\/a>.<\/p>\n<p>XSIAM is ready, and the future of the SOC is here.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Palo Alto Networks understands what it takes to revolutionize the SOC, and we know this is going to be a journey \u2013 one we\u2019re excited to begin with XSIAM. <\/p>\n","protected":false},"author":208,"featured_media":172274,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[308,6717],"tags":[760,635,8373],"coauthors":[2224],"class_list":["post-172222","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-announcement","category-products-and-services","tag-siem","tag-soc","tag-xsiam","sec_ops_category-must-read-articles","sec_ops_category-news-and-events","sec_ops_category-product-features"],"jetpack_featured_media_url":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2022\/10\/cortex-xsiam-launch-blog_400x300.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/172222","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/208"}],"replies":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=172222"}],"version-history":[{"count":7,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/172222\/revisions"}],"predecessor-version":[{"id":172366,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/172222\/revisions\/172366"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media\/172274"}],"wp:attachment":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=172222"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=172222"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=172222"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=172222"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}