{"id":295207,"date":"2023-06-01T09:30:38","date_gmt":"2023-06-01T16:30:38","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=295207"},"modified":"2023-09-27T12:13:08","modified_gmt":"2023-09-27T19:13:08","slug":"cracking-the-code-how-machine-learning-supercharges-threat-detection","status":"publish","type":"post","link":"https:\/\/www2.paloaltonetworks.com\/blog\/2023\/06\/cracking-the-code-how-machine-learning-supercharges-threat-detection\/","title":{"rendered":"Cracking the Code \u2014 How Machine Learning Supercharges Threat Detection"},"content":{"rendered":"<p>In the second episode of the <a href=\"https:\/\/www.paloaltonetworks.com\/blog\/tag\/this-is-how-we-do-it\/\">\"<em>This Is How We Do It<\/em>\"<\/a> series, we dive further into the dynamics of security operations centers (SOCs) with Devin Johnstone, a senior staff security engineer (SOC Ops Specialist) at Palo Alto Networks. David Szabo, sales enablement consultant, conducts the interview, discussing the structure of SOC teams and their essential players. Johnstone shares his experience working in SOC teams of various sizes and explains how to build a new SOC from scratch.<\/p>\n<p>The needs of a security team may vary depending on the organization, according to Johnstone. At Palo Alto Networks, the SOC started with just two managers and three analysts six years ago, but a lot has changed:<\/p>\n<p style=\"padding-left: 80px;\">\u201cAs companies grow and mature, it does usually happen that IT and security will<br \/>\nseparate. That happened for us around that 2017 timeframe and now we've grown<br \/>\nto the 22 full-time employees that we have here in the SOC today. And of those 22,<br \/>\n10 are in the traditional analyst role where they're actually looking at alerts coming<br \/>\noff the technology and doing threat hunting. 
And then the rest of us on the team<br \/>\nsupport those analysts by enabling tooling, logging \u2014 giving them the alert data<br \/>\nand the insights they need in order to be successful.\u201d<\/p>\n<p>Palo Alto Networks employs a red team, a group of full-time employees dedicated to attacking the company's systems, also known as \u201cpenetration testing.\u201d They operate quarterly exercises where they select a target and attempt to breach it without the SOC's knowledge. If the SOC identifies a potential attack during the exercise, they consult with the red team to avoid wasting resources on internal investigations. The red team provides valuable feedback and insights to help the SOC improve their defenses.<\/p>\n<p style=\"padding-left: 80px;\">\u201cOur red team are full-time employees whose job is to test our defenses. They'll<br \/>\npick a target. It's always new, so they're not repeating something that's going to be<br \/>\neasy and something that the SOC is going to find fast. They first get approval for it<br \/>\nbecause they want to make sure that leadership is going to be okay with them<br \/>\npotentially attacking an internal system, and they go pretty far.<\/p>\n<p style=\"padding-left: 80px;\">They're that good sometimes that we are even reaching that point and questioning,<br \/>\n\u2018Is this them or not?\u2019 And they'll go about their attack in secret as long as they can<br \/>\nfor three months. 
If we find something in the SOC, on the blue team side of the<br \/>\nhouse, and determine it might be the red team, we check with them to confirm, so<br \/>\nwe don't spend too much time chasing down our own internal team and then either<br \/>\nstop the exercise or finish.<\/p>\n<p style=\"padding-left: 80px;\">At the end of the exercise, we do a debrief where they report on everything that<br \/>\nthey did, which gives us in the SOC a literal checklist where we can go back and say,<br \/>\n\u2018We saw this, we didn't see this, we need to build a new alert here. We need to<br \/>\nbuild new automation here.\u2019 And we get that feedback.\u201d<\/p>\n<p><span style=\"font-weight: 400;\">In addition to automation capabilities in cybersecurity, the advancement of artificial intelligence (AI) has sparked both excitement and concern. ChatGPT, a language-based machine learning model, is not exempt from this discussion. While ChatGPT presents promising opportunities in cybersecurity, it also raises ethical considerations. Adversarial attacks, where malicious actors manipulate AI systems to deceive or exploit them, are a real concern.<\/span> <span style=\"font-weight: 400;\">Devin explains more in this short video clip:<\/span><\/p>\n<p><div class=\"styleIt\" style=\"width:350px;height:622px;\"><lite-youtube videoid=\"ojM2gx6sw90\" ><\/lite-youtube><\/div><\/p>\n<p>Johnstone also highlights the rise of supply chain attacks, such as the SolarWinds incident, where attackers target organizations connected to the true victims. Palo Alto Networks aims to protect not only itself, but also its customers by preventing the company from becoming a gateway to widespread attacks.<\/p>\n<p>When it comes to threat actors, the Palo Alto Networks Unit 42 Threat Intelligence team is monitoring the evolving landscape. 
Johnstone says:<\/p>\n<p style=\"padding-left: 80px;\">\u201cOur Unit 42 team publishes regular reports on the type of threat activity that<br \/>\nthey're seeing out in the wild, and it is ever-changing. There are certain groups<br \/>\nthat trend year over year. I won't name any in particular, but there is an ever-<br \/>\nchanging pool of those groups, and we have Unit 42 to help us keep tabs on them<br \/>\nand even track activity that doesn't affect us. We want to know what they are doing<br \/>\nin other parts of the world, so we can be aware and then also share that with all of<br \/>\nour customers.<\/p>\n<p style=\"padding-left: 80px;\">Part of the work we do at Palo Alto Networks is showing our customers the<br \/>\ninformation that is important to them to help them make decisions. And in those<br \/>\ncases where we come across threat intelligence or actions of specific groups or<br \/>\nnations or individuals that might be valuable to us or our customers, we want to<br \/>\nshare that as proudly as possible.\u201d<\/p>\n<p>Palo Alto Networks uses its own products extensively within its SOC, acting as its own first customer. The SOC team also collaborates closely with product teams, providing feedback and shaping roadmap decisions. The SOC relies on Cortex XSOAR as the central platform for incident management and threat intelligence. Additionally, the team uses a range of sensors and enforcement points, such as next-generation firewalls and Cortex XDR, to monitor network activity and endpoints. The Prisma suite of products helps secure cloud services, while Cortex Xpanse provides visibility into external exposures and potential vulnerabilities:<\/p>\n<p style=\"padding-left: 80px;\">\u201cAnd then we've also got Cortex Xpanse which gives us the outside-in view. So,<br \/>\nwe've got a lot of sensors inside, showing us what we already know about. 
But<br \/>\nbecause we've grown by acquisition, there's always the chance that we've got<br \/>\nenvironments still lingering out on somebody else's cloud account or shadow. It is<br \/>\na big concern. The stuff that we don't know about we can't protect. Cortex Xpanse<br \/>\nis going out into the cloud and finding all of those exposures that we may not have<br \/>\nknown were out there and allowing us to get control of them before they become a<br \/>\nproblem.\u201d<\/p>\n<p>Before acquiring Cortex Xpanse, Palo Alto Networks had gaps in asset discovery and monitoring. With Xpanse, the company has gained the ability to identify traffic and track potential attacks, even when Palo Alto Networks was not the direct target. This proved invaluable during incidents like the <a href=\"https:\/\/start.paloaltonetworks.com\/five-steps-against-next-big-cyberattack\">SolarWinds attack<\/a>, where Palo Alto Networks could proactively assist compromised customers.<\/p>\n<p><strong>Want to dig in more? <a href=\"https:\/\/youtu.be\/sQ3MBxBndj0?utm_source=blog2-GTM-global-cortex&amp;utm_medium=social\" rel=\"nofollow,noopener\" >Watch the full interview<\/a>. 
<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Read about building SOCs, leveraging red teams for pen testing, monitoring threat landscapes and using products like Cortex XSOAR and Cortex Xpanse.<\/p>\n","protected":false},"author":714,"featured_media":305306,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[6719,6724,6717],"tags":[9320,4321,637,9411,3037,422],"coauthors":[7544],"class_list":["post-295207","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-company-culture","category-points-of-view","category-products-and-services","tag-interview","tag-machine-learning","tag-soc-analyst","tag-this-is-how-we-do-it","tag-threat-analysis","tag-threat-detection","sec_ops_category-must-read-articles","sec_ops_category-product-features"],"jetpack_featured_media_url":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2023\/06\/cortex_how-we-do-it_ep-2_blog_4_3.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/295207","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/714"}],"replies":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=295207"}],"version-history":[{"count":8,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/295207\/revisions"}],"predecessor-version":[{"id":295329,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/295207\/revisions\/295329"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www2.paloaltone
tworks.com\/blog\/wp-json\/wp\/v2\/media\/305306"}],"wp:attachment":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=295207"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=295207"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=295207"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=295207"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}