{"id":294911,"date":"2023-05-25T06:00:23","date_gmt":"2023-05-25T13:00:23","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=294911"},"modified":"2023-09-27T12:15:43","modified_gmt":"2023-09-27T19:15:43","slug":"automating-the-automation","status":"publish","type":"post","link":"https:\/\/www2.paloaltonetworks.com\/blog\/2023\/05\/automating-the-automation\/","title":{"rendered":"Hasta La Vista Human Powers \u2014 Automating the Automation"},"content":{"rendered":"<p>\u201c<em>This is How We Do It: The True Story of How Palo Alto Networks Runs Security Operations<\/em>\u201d is a new video and <a href=\"https:\/\/www.paloaltonetworks.com\/blog\/tag\/this-is-how-we-do-it\/\">blog series<\/a> that features interviews with various members of our SOC team. We discuss how we run our own SOC and apply our own products while openly sharing our practices.<\/p>\n<p>At Palo Alto Networks, our SOC is highly optimized because we actively choose to break away from the traditional four-tier SOC approach. This ranges from tier 1 analysts who monitor, prioritize and investigate SIEM alerts, to tier 4 SOC managers responsible for recruitment, security strategy and reporting to management. 
Taking more of a hybrid approach, the Palo Alto Networks SOC team follows a general philosophy:<\/p>\n<ul>\n<li>50% of the SOC staff has previous SOC experience while others are skilled in various technical areas.<\/li>\n<li>Cross-train the SOC team in all domains, including alert triage, incident response, threat hunting and others.<\/li>\n<li>Provide a well-funded annual training budget for all analysts.<\/li>\n<\/ul>\n<p>Our Rationale:<\/p>\n<ul>\n<li>Maintain a nimble team, able to pivot between responsibilities.<\/li>\n<li>Support business continuity.<\/li>\n<li>Provide a more engaging atmosphere and reduce staff burnout.<\/li>\n<li>Promote an environment of continuous learning.<\/li>\n<li>Provide greater coverage with less staff by relying on the right technology to get the job done.<\/li>\n<\/ul>\n<h3><a id=\"post-294911-_yfoautxebzcr\"><\/a>Episode 1: \u201c<em>Hasta la Vista Human Powers-Automating the Automation<\/em>\u201d \u2013 An Interview with Devin Johnstone, SOC Operations Specialist at Palo Alto Networks<\/h3>\n<p>Devin Johnstone shares how the SOC team handles the large volume of security alerts that they receive every day. Devin reveals that the Palo Alto SOC ingests nearly 56 terabytes of raw log data per day, and more than half of that comes from the cloud. Devin and his team take this raw data and filter it down to a manageable number of alerts. They achieve this by using machine learning in their products, as well as their own knowledge to reduce the number of important alerts that require a ticket.<\/p>\n<p><div class=\"styleIt\" style=\"width:358px;height:636px;\"><lite-youtube videoid=\"dmcwjlWFBkg\" ><\/lite-youtube><\/div><\/p>\n<p>Palo Alto Networks has tens of thousands of companies where we help protect millions of people from cyberthreats and data compromise. 
Devin believes our company's responsibility is to protect the infrastructure behind the services we offer:<\/p>\n<p style=\"padding-left: 80px;\">\u201cAs much as we are working for Palo Alto Networks specifically, our<br \/>\nresponsibility is protecting all of the infrastructure behind the services that we<br \/>\noffer. Our SOC is really focused on making sure everything behind the scenes<br \/>\nis safe, as well as our employees, and monitoring what they do on a<br \/>\nday-to-day basis.\"<\/p>\n<p>Devin says that every single alert that comes into the SOC is automated in some way. The goal is to fully automate as many alerts as possible, so the team can focus on more important tasks, such as threat hunting. They use <a href=\"https:\/\/www.paloaltonetworks.com\/cortex\/cortex-xsoar\">Cortex XSOAR<\/a> to automate the investigation and response to security alerts.<\/p>\n<p>Devin explains further:<\/p>\n<p style=\"padding-left: 80px;\">\u201cOnce those 130-ish alerts get into Cortex XSOAR, which is both our ticketing<br \/>\nsystem and running the XSOAR playbooks to help us with the SOC response,<br \/>\nthere's a portion of them (about 15%) that are fully automated end-to-end.<br \/>\nSo the playbook picks it up, does all of the background research it needs to do<br \/>\nand then closes.<\/p>\n<p style=\"padding-left: 80px;\">That is marked as something the SOC handled, but we didn't put any hands<br \/>\non it. Every single other one of those alerts has some automation to help it<br \/>\nalong\u2026which will run proactively, start the investigation, and response in the<br \/>\nSOC will finish it, or vice versa. Sometimes we'll start an investigation and<br \/>\nthen we'll reach a decision path where we can hand it over to XSOAR and say,<br \/>\n\u2018close this off for me.\u2019\u201d<\/p>\n<p>Even with this workflow, Devin believes there will always be a need for human analysts to understand the context of a situation. 
Overall, the SOC's approach is to <em>embrace<\/em> automation to help them handle the large volume of alerts they receive every day.<\/p>\n<p style=\"padding-left: 80px;\">\u201cI get asked often: Is this automation ever going to take your job? And my<br \/>\nanswer is, I hope not. I think there's still going to be an aspect where we need<br \/>\nto be focused on threat hunting, because that's where we provide value as<br \/>\nhumans \u2014 understanding the context of a situation, thinking like the attacker<br \/>\nand giving the repetitive stuff to the automation. I think our jobs are safe, but<br \/>\nthey're going to get even more interesting, because we're going to be able to<br \/>\nfocus on more important stuff rather than just looking at the same tickets<br \/>\nevery single day.\u201d<\/p>\n<p>With the sheer volume of alerts and events coming into the SOC each day, it's essential to have a system in place that handles as much of the low-level work as possible. That leaves the analysts free to focus on the more complex and nuanced threats, such as the SolarWinds attack:<\/p>\n<p style=\"padding-left: 80px;\">\u201cWhen the SolarWinds attack happened, we had already been using<br \/>\nSolarWinds for some time. There was a signed, trusted update that was<br \/>\npushed down and it started trying to call out to a command &amp; control. There<br \/>\nwere multiple analytics-based detections\u2026 without us having to configure<br \/>\nthose detections in advance.<\/p>\n<p style=\"padding-left: 80px;\">This is one of the areas where we excel because now it's not up to the SOC to<br \/>\nimagine all of these potential scenarios and try to predict the future. 
We have<br \/>\nmachine learning today that can do that type of behavioral detection and<br \/>\nprevention for things we have never seen before.\u201d<\/p>\n<p>One thing that's clear from speaking with Devin \u2013 automation isn't seen as a threat to his team's jobs, but rather as a tool to enhance their capabilities. By leveraging the power of machine learning and AI, they're able to analyze vast amounts of data and identify potential threats faster than ever before. By automating many of the repetitive tasks, they can free up time for their analysts to focus on what they do best \u2013 using their knowledge and expertise to outsmart attackers.<\/p>\n<p>As the threat landscape continues to evolve and cybercriminals become more sophisticated and aggressive, it's clear that the role of the SOC is more critical than ever. By embracing automation and applying the latest technologies, teams like Devin's can stay one step ahead of the attackers and protect their organizations from even the most advanced threats.<\/p>\n<p style=\"text-align: left;\"><strong>Watch the <a href=\"https:\/\/www.youtube.com\/watch?v=oAQz_BTFkbU&amp;ab_channel=CortexbyPaloAltoNetworks\" rel=\"nofollow,noopener\">full interview<\/a> on the Cortex YouTube Channel.<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Devin Johnstone shares how the Palo Alto Networks SOC team handles the large volume of security alerts that they receive every day \u2013 nearly 56 
terabytes.<\/p>\n","protected":false},"author":714,"featured_media":305319,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[6719,6724,6717],"tags":[9320,635,8532,9411],"coauthors":[7544],"class_list":["post-294911","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-company-culture","category-points-of-view","category-products-and-services","tag-interview","tag-soc","tag-soc-automation","tag-this-is-how-we-do-it","sec_ops_category-must-read-articles","sec_ops_category-product-features"],"jetpack_featured_media_url":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2023\/05\/cortex_how-we-do-it_ep-1_blog_4_3.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/294911","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/714"}],"replies":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=294911"}],"version-history":[{"count":10,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/294911\/revisions"}],"predecessor-version":[{"id":295331,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/294911\/revisions\/295331"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media\/305319"}],"wp:attachment":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=294911"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/w
p-json\/wp\/v2\/categories?post=294911"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=294911"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=294911"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}