
Cortex XDR: The self-funded tool to maximise SOC efficiencies

Nicolai Solling, Chief Technology Officer, Help AG, and Jad Hamade, Regional Sales Manager, Cortex Middle East, Palo Alto Networks, discuss how Cortex XDR helps organizations simplify SecOps with one platform for detection and response across all data, and at lower costs by consolidating tools and improving Security Operations Centre (SOC) efficiency.

Security teams face too many alerts, too many tools, and too many missed attacks, and today’s siloed security solutions cannot keep up with evolving threats. According to the Palo Alto Networks Unit 42 Incident Response Report, ransomware and business email compromise (BEC) were the top incident types, accounting for approximately 70% of incident response cases. Today’s cybercriminals are increasingly professional and stage their attacks through multiple vectors, which broadens the attack surface and makes investigation and response harder. Previously, security teams directed their focus at endpoint security, because that was where most security issues occurred. Given the current threat landscape and the global shortage of security talent, however, relying on traditional Endpoint Detection and Response (EDR) alone to respond to cybersecurity incidents is no longer adequate.

Extending rapid detection and response beyond the endpoint to the whole enterprise, spanning the network and cloud environments as well, and using all three areas both as sensors and as enforcement points, allows events and intelligence to be correlated across them. Customers then benefit from an end-to-end detection and response capability rather than three separate views.

“The issue is that today, many internal systems and the majority of detection strategies rely on the security department having a relatively static understanding of what is harmless or harmful – a model followed by traditional antivirus engines. However, even though this is a highly efficient way to monitor activities and incurs relatively low costs from a CPU perspective, the issue is that as soon as there’s an activity which you don’t know is harmless or harmful, you can end up in a situation where you are unable to prevent malicious activity”, states Nicolai Solling, CTO at Help AG.

“Knowing whether an activity is malicious or not requires the additional capability of behavior analysis and understanding intent. Additionally, being able to record events and states to understand behaviors and subsequently being able to analyse them as part of incident response has become vital,” Solling says. Once you have access to all that information, you can identify whether an activity is malicious and ensure that other users and endpoints are prevented from becoming further targets.

Arriving in line with the evolution of the threat landscape, Palo Alto Networks’ unified Cortex XDR (Extended Detection and Response) platform enables security professionals to fully understand the endpoint, cloud, and network environments, to prevent as many attacks as possible and to detect what cannot be prevented. Taking a prevention-first approach helps security operations evolve from a reactive to a proactive posture, providing broad visibility and simplified security operations.

“It has become crucial to coordinate detection mechanisms, machine learning, and artificial intelligence to create a unified view of the attack chain,” according to Jad Hamade, Regional Sales Manager, Cortex Middle East at Palo Alto Networks. “Cortex XDR’s approach depends on automation and AI/ML ensuring improved response times to attacks, which is important as limited human resources in the cybersecurity industry present the biggest challenge for security departments around the world.”

Solling further adds, “the XDR approach is all about creating a single pane view of what’s happening in your organisational environment from a security perspective. Additionally, you can do more with less – from the perspective of analysts’ capabilities and the volume of threats we deal with today, automation is an absolute must to be able to keep up with these timelines.”

“While data directed to the SOC has grown by more than 30 times in the last decade, and with human capabilities remaining almost the same, it has created a load on security analysts. The current solution in most SOCs today is ‘let the analysts figure it out’. The approach of response as human first and automation last must change. An analyst, our most important SOC asset, should be at the end of the process looking only at the 3% to 5% of incidents that would actually need human intervention; the rest should be done through automation, assisted by AI/ML to filter and address repeatable and defined tasks,” Hamade says.

“At Palo Alto Networks, we are addressing all those challenges with Cortex XDR being the foundation of our SOC solutions, and that is evolving into our next-generation Autonomous SOC, XSIAM; a solution that consolidates capabilities distributed among unrelated technologies, across endpoints, networks, cloud, attack surface, and identity data, through a single user experience across integrated workflows and makes it easy to be productive,” Hamade continues.

Solling explains that an XDR integrated approach enables security teams to do more with greater efficiency. That means teams can focus on what’s important – delivering efficient and effective security for the organisation.

“From a technological perspective, XDR and its evolution is a transformation of what customers have today,” says Hamade. “This consolidation will not only help security teams in their daily operations but will leave a big mark on the financial aspect. Due to its direct effect on freeing analyst hours and relieving the footprint of other SOC technologies, the right XDR strategy should be able to at least fund itself, if not bring savings to the operational cost of a SOC.”