The Respond Analyst App for Cortex by Palo Alto Networks Available Now

Recently, Respond Software announced the Respond Analyst app for Cortex by Palo Alto Networks. Cortex is the industry’s only open and integrated AI-based continuous security platform. It delivers radical simplicity and significantly improves security outcomes through automation and unprecedented accuracy.

In other words, Cortex allows Palo Alto Networks customers to aggregate and normalize massive amounts of data from various sources including their next-generation firewalls (NGFW) and Traps (endpoint data) into a single data lake in the cloud. Once the data is collected, customers are able to analyze it, as well as to apply artificial intelligence and machine learning to find threats and orchestrate responses quickly. The Respond Analyst app on Cortex, using Robotic Decision Automation (RDA), is one of the first apps to deliver automated monitoring and triage for the entire Cortex Data Lake dataset.

The Challenge

Under normal operating conditions, firewalls and endpoints collect a massive amount of security event data. The Cortex platform breaks down the silos between the event data collected from these sources, but security teams still need to be selective about which data they use. To make the data more manageable, organizations often filter it or apply tuning rules in their security infrastructure to reduce the event volume to be analyzed. Tuning systems down raises the probability that an attack goes unnoticed, since not all of the data is exposed to the security team. Even so, a vast number of false positives still surface, frustrating security teams as they weed through them looking for real incidents.

The Respond Analyst App

The Respond Analyst app for Cortex addresses this problem head-on. The Respond Analyst app is trained to perform consistent, thorough security analysis at scale — without having to tune down firewall or endpoint data collection. The Respond Analyst eliminates the need for security teams to spend their days, nights and weekends manually analyzing alerts to determine if they are true positives that require actionable responses.  Instead, security teams are empowered to do what they like best – hunt for real events that threaten their business.

Like a frontline security analyst, the Respond Analyst app escalates triaged and scoped incidents based on data collected by Cortex, including but not limited to alerts on malware beaconing, malware outbreaks, lateral movement through exploitation, and unauthorized scanning and reconnaissance.

The Respond Analyst app for Cortex optimizes total cost of ownership for Palo Alto Networks next-generation firewall and Traps customers by removing the human analyst’s task of reviewing and analyzing alerts, and by automating analyst decision-making.

Respond Software at Ignite’19

Does the Respond Analyst app seem too good to be true?  Join us at the Palo Alto Networks Ignite event in Austin, TX from June 3rd to 6th in the Innovation Sandbox where you will be able to sign up for the Respond Analyst app right from the show floor! See for yourself how companies from different industries are using the Respond Analyst to reduce the time it takes to weed through mountains of false positives, while vastly reducing their security risk.

If you are not able to make it to Ignite, you can download the app from the Palo Alto Networks app page.

Press Release


Jumping to a New Curve

In the business classic “The Innovator’s Dilemma”, author Clayton Christensen shows how jumping to a new productivity curve is difficult for incumbent leaders but valuable for new innovators. I think a lot about this concept for cybersecurity. The world has changed dramatically these last 5-10 years and the curve most enterprises are on results in lots of siloed detectors, rudimentary processing, people-centric processes, and high costs to maintain platforms. The solutions for these problems had great promise in the beginning but still can’t provide the level of productivity necessary to keep up with advances by the adversary. Workflow automation helps, but not enough to address the “orders of magnitude” problem that exists. The scale is definitely tipped in favor of the attackers. So how do we think out of the box to help companies jump to that new productivity curve?

Helping Customers Jump to a New Curve of Productivity

Three years ago, we started on a mission to help security operations teams right the balance between attackers and defenders. We are on the front-lines to change the status quo and to bring in a new way of thinking to defend the enterprise.

At Respond Software, we strive to unlock the true potential of Man + Machine — without bankrupting security teams. We aim to elevate the human analysts/incident responders to do what they do best (be curious, think outside the box, proactively take action) and let the machines do what machines do best (consistently analyze huge amounts of data thoroughly and accurately based on hundreds of dimensions). In short, security teams can use modern processing and computing techniques to help jump to a new curve and better defend their enterprise.

Today, our product, the Respond Analyst, is fulfilling that mission for customers around the globe. In fact, over the last 30 days, our Robotic Decision Automation product actively monitored billions of live events, vetted those into tens of thousands of cases, and escalated (only!) hundreds of incidents to our customers’ incident responders. What’s more, our security operations software customers were able to give the Respond Analyst feedback on what they liked, what they didn’t like and how to improve the results.  They now have an analyst on their team that can plow through the alerts and invoke expert judgement to group and prioritize them into incidents. This eliminates a huge amount of time wasted chasing false positives while freeing analysts to focus on threat hunting, deeper investigations, and proactive security measures.  What a change for those teams!

New $20 Million Investment = More Status Quo Busting

To continue these efforts and to expand to meet increasing demand, we are pleased to announce our $20M Series B round of financing.  The round was led by new investor ClearSky Security, with additional investment from our existing investors, CRV and Foundation Capital.

We are extremely pleased to add ClearSky Security to our team. ClearSky’s depth of cybersecurity knowledge and experience—both personally amongst the partners and from backing successful companies such as Demisto and Cylance—will be extremely helpful as we look to establish our innovative robotic decision automation software in more security operations teams. On top of it, we get Jay Leek, current ClearSky Managing Director and former CISO at Blackstone, to be on our Board.  See our press release (and the accompanying video) for more details and his perspective.

I’d also like to thank the entire group of Responders for the hard work and dedication that got us to where we are today. As I recently told the security operations software team, I’m certainly psyched to get the endorsement and funding from three world-class investors. Even more so, I look forward to using the funds to work with ClearSky to further innovate, provide service to customers, and expand our reach to help more security operations teams take the fight to the adversaries…and save money while they do it. It’s time for security operations to bust through the status quo and jump to a new curve of productivity, capability and job satisfaction.

It’s time for the next phase of Respond Software.

Watch and Read More:

Video:  Jay Leek shares his reasons for investing in Respond Software (on the way to the airport in an Uber)!

Press Release:  Respond Software Raises $20 Million to Meet Growing Demand for Robotic Decision Automation in Security Operations


Why we’re supporting the next generation of cybersecurity professionals with (ISC)²

The RSA security conference halls at Moscone Center were abuzz last week with conversations ranging from nation-state attacks to speculation about which household brand will be breached next.

But one conversation stood out like an ominous black cloud on the horizon—the cybersecurity skills gap.

At Respond Software we believe the talent shortage has gone far beyond something people alone have the capacity to tackle. The solution of the future is one that augments human capabilities with Robotic Decision Automation (RDA), which complements the security analyst’s skillsets and expands their ability to do more. Raising the bar for security expertise is our aim and we understand that the need for higher-skilled cybersecurity experts is more critical than ever before.

This year at RSA we decided to take a slightly different approach by giving back to help expand our cybersecurity community. Starting at RSA and events throughout 2019, in lieu of giving away hundreds of coffee mugs, pens, or other swag that ends up in landfills, Respond Software will instead route a portion of our promotional budget to (ISC)² Cybersecurity Scholarships programs. Attendees at several hand-picked Respond Software events throughout the year will have the option to add their name to our donation roster.

To kick this off, last week 90% of the attendees at our sponsored RSA ISE VIP Luncheon agreed to support this effort! Today we will send our first donation check, in the amount of $2,000, to (ISC)². We are aiming to donate upwards of $10,000 throughout the course of 2019 to support the valuable work the scholarship program does and to give back to our industry.

About the (ISC)² Cybersecurity Scholarship

Each year, (ISC)², the world’s leading cybersecurity and IT security professional organization, and the Center for Cyber Safety and Education, partner to offer scholarships to students around the world.

The Respond Analyst

Last year, the Respond Analyst, our flagship product pre-built with decision-making skills, was able to expand the capacity of security teams by adding the equivalent of 14 ‘human’ analysts to every team, which shines a light on how quickly automation can help close the skills gap.

New Paradigm for SecOps Atones for the Sins of my Past

I’m an advocate for SIEMs, and have been a staunch believer in correlation rules for the past 15 years. So why did I decide to take the leap and join the Respond Software team?

The simplest explanation is that I joined to atone for the sins of my past. In the words of the great philosopher, Inigo Montoya, “Let me explain…No, there is too much. Let me sum up.”

Coming to terms with the reality of SIEMs

For 15 years I’ve been shouting from the rooftops, “SIEMs will solve all your Security Operations challenges!”  But all my proclamations came into question as soon as I learned about the capabilities of the Respond Analyst.

I’ve held a few different roles during this time, including Sales Engineer, Solutions Architect, and Security Operations Specialist. All of these were pre-sales roles, all bound together by one thing—SIEM expertise. I’ve worked with SIEM since it began and I’ve seen it evolve over the years, even working as part of a team that built a Risk Correlation Engine at OpenService/LogMatrix. Make no mistake about it, I’m still a big fan of SIEM and what it can do for an organization. It doesn’t matter whether you are using a commercial or open source solution, or even built your own, SIEMs still provide a lot of value. For years I helped customers gain visibility into their logs and events, worked with them to meet compliance requirements, and pass their audits with ease. I developed use cases, wrote correlation rules, and firmly believed that every time a correlation rule fired, it would be a true incident worthy of escalation and remediation.

Funny thing about that correlation part: it never really worked out. It became a vicious cycle of tuning and tweaking, filtering and excluding to reduce the number of firings. No matter the approach or the technique, the cycle never ended, and it still goes on today. Organizations used to have one or two people responsible for the SIEM, but it wasn’t usually their full-time job. Now we have analysts, administrators, incident responders, and content teams, and the SIEM is just one of the tools these folks use within the SOC. In order to solve the challenges of SIEM, we have added bodies and layered other solutions on top of it, which is truly unsustainable for all but the largest of enterprises.

In the back of my mind, I knew there had to be a better way to find the needle in a pile of needles. Eventually, I learned about this company called Respond Software, founded by people like me, who have seen the same challenges, committed the same sins, and who eventually found a better way. I hit their website, read every blog, watched numerous videos, and clicked every available link, learning as much as I could about the company and their solution.

The daily grind of a security analyst: Consoles, false positives, data collection—repeat

I think one of the most interesting things I read on our website was the 2017 Cyentia Institute’s Voice of the Analyst Survey. I can’t say I was surprised, but it turns out that analysts spend most of their time monitoring, staring at a console and waiting for something to happen. It’s no surprise that they ranked it as one of their least favorite activities. It reminded me of one of my customers, who had a small SOC, with a single analyst for each shift. The analyst assigned to the morning shift found it mind-numbing to stare at a console for most of the day. In order to make it a little more exciting, the day would start by clearing every alert, every day, without fail. When I asked why, he said the alerts were always deemed as false positives by the IR team, and no matter how much tuning was done, they were all false positives. At least they were actually using their SIEM for monitoring. I’ve seen multiple companies use their SIEM as an expensive (financially and operationally) log collector, using it only to search logs when an incident was detected through other channels.

My Atonement: Filling the SIEM gaps and helping overworked security analysts

Everything I’ve seen over the years combined with what I learned about our mission here, made the decision to join Respond Software an easy one. Imagine a world where you don’t have to write rules or stare at consoles all day long. No more guessing what is actionable or ruling out hundreds of false positives. Respond Software has broken that cycle with software that takes the best of human judgment at scale and consistent analysis, building upon facts to make sound decisions. The Respond Analyst works 24×7, and never takes a coffee break, never goes on vacation and allows your security team to do what they do best—respond to incidents and not chase false positives.

I’ve seen firsthand the limitations of the traditional methods of detecting incidents, and the impact it has on security operations and the business as a whole. I’ve also seen how the Respond Analyst brings real value to overwhelmed teams, ending the constant struggle of trying to find the one true incident in a sea of alerts.

If you would like to talk to our team of experts and learn more about how you can integrate Robotic Decision Automation into your security infrastructure, contact us:

3 Top Cybersecurity Trends for Channel Partners to Watch

We all know the next big IT shift towards AI and intelligent automation is on the horizon. Over the last few years, vendors and press have focused on the human-to-machine automation transformation. Many vendors promise solutions—but often those solutions are complex and not optimized for the channel.

The good news is that cybersecurity is primed and ready for automation now. But the question for Partners remains: How can VARs, Integrators, and MSSPs find the right solution that provides true human-to-machine technology to simplify life for their customers?

Here are 3 cybersecurity trends driving the industry towards automation and 1 simple recommendation that Channel Partners can leverage to get ahead of the game immediately:

Trend 1: Traditional console monitoring is ineffective

Security teams are spending too much time monitoring alerts that provide little value for their efforts. Sifting through endless alerts with a high percentage of false positives is ineffective at best. It burns out analysts and puts us in a continuous cycle of hiring and training new ones. The analysts interviewed for the Voice of the Analyst (VOA) Survey help to inform us on where analyst time is better spent and which activities we should automate first. Automating workflow to increase analyst efficiency is important, but automating level 1 alert monitoring itself? That’s downright disruptive.

Cyentia Institute: Voice of the Analyst Survey, October 2017

Figure 1: We asked analysts to score their daily activities on a number of dimensions. One key finding is that analysts spend the most time monitoring, but it provides low value in finding malicious and actionable security threats. (Download VOA Survey here)

Trend 2: People shortage

Most security teams don’t complain about a lack of tools. They complain about a lack of people. Whether the budget won’t allow or skilled resources are in too high a demand to find (or retain), we’ve reached a point where supply has been outstripped by demand. What choice do we have? Leverage the power of machines to augment our security teams. This is finally possible with the advent of decision-automation tools that can off-load the task of console monitoring.

Bitdefender: CISOs’ Toughest Dilemma: Prevention Is Faulty, yet Investigation Is a Burden, April 2018

Figure 2. People shortage is a significant trend in our industry, forcing us to re-think how we’ll actively monitor our environments.

Trend 3: Too many tools

“Too many tools” is a regular complaint in organizations. Did you know most large organizations have on average 75+ security tools? Small organizations are not far behind. It’s all we can do to deploy these necessary security tools and maintain them, let alone review the endless alerts that they generate. What’s even more challenging is that we’ve seen an industry trend toward platform-based tools (e.g. SIEM or SOAR) that require engineering resources with the expertise to build and maintain platform content such as correlation rules and playbooks. Many organizations are overwhelmed by this task. In contrast, tools with expertise built in, intelligent applications if you will, are what’s needed, and they will change the way we think about platforms going forward.

Momentum Cyber February 2017 CYBERscape

Figure 3. Most organizations have dozens of tools to deploy and maintain.

An industry transformation is underway: Automation will disrupt the way cybersecurity is performed

We think 2019 will be the year of automation for cybersecurity. Customers will require automation to address the top 3 trends. They need to scale with the growing number of alerts and the increased complexity of monitoring today’s hybrid environments. Adding more people is not the answer. Finding ways to automate to off-load cumbersome tasks typically performed by humans is the answer.

This presents exciting new revenue opportunities for Channel Partners and also explains why we are experiencing increased momentum with VARs, Integrators, and even MSSPs. Respond Software is at the forefront of the industry transformation—applying machines to roles traditionally executed by humans.

One simple recommendation to gain a competitive advantage: the Respond Analyst

The Respond Analyst software is a scalable, plug-and-play “virtual analyst” that perfectly complements any security detection tool sale: Channel partners can increase revenue by providing both the tools and the Respond Analyst to monitor them.

This provides a unique selling opportunity for our Partners. Partnering with Respond Software gives customers—especially the mid-size enterprise ($50M-$1B revenue)—simple solutions with fast results. Partners can also take advantage of recurring revenue, fast installations, and the potential to increase opportunities to sell more sensors.

To all of our potential partners: Please reach out if you’re interested in learning more about our solution and our partner program by registering at our partner page. Here’s an opportunity to bring new value to your customers and join us on our journey to bring automated security monitoring to the world.

For more information, read the Global Channel Partner Program Press Release

Keeping NCAA football fans safe from cyber threats on game day

Did you happen to catch the Clemson vs Alabama NCAA Championship game Monday night? While the Clemson upset was thrilling to watch, I bet most fans had no idea there was another team behind the scenes, hard at work, keeping attendees and the stadium safe from cyber threats.

Yep, our diligent Respond Analyst™ was working away in a state-of-the-art Security Situation Room live during the entire game day experience. We had the privilege to partner with students from Norwich University in this onsite cyber-offensive in one of the newer football stadiums.

Cybersecurity is becoming more critical than ever before at these big events. Close to 100,000 fans streaming video, social streams playing on the jumbotrons, and communication on the field have turned sporting events into a serious technical infrastructure. The potential for malware attacks or other security breaches during these live events keeps IT leaders on edge the entire time they are online.

Really, every event should be monitored and analyzed for security implications during live events to help ease the risk. The problem is there are never enough people to handle it. That is until now…

For the first time in my 18-year career, I witnessed 243,000 events analyzed, 431 events diagnosed as malicious, and 13 scoped incidents escalated—without one false positive through the entire event! The Respond Analyst’s Decision Automation technology performed without any disagreements from the onsite security team. Bottom line, the Respond Analyst learned its environment in less than a few hours!

To put that into perspective, a traditional security team would need more than 125 trained analysts to cover this volume in the same timeframe. The Respond Analyst covered all of this, freeing up the 6 onsite Norwich students to focus on threat hunting and more strategic security concerns.

This was a humbling experience for all of us at Respond Software who work so hard to deliver solid results for our customers. For those who know my style, I’m not one to brag or fluff the numbers just to give marketing a win, and this time, even I had to sit back and feel good about our capability and results.

One of the best parts was how fast everything was up and running. We built a server loaded with the Respond Analyst and sent it into the Norwich University students to set up. Everything was handled remotely by the Respond Software team and the Respond Analyst was operational within 6-7 hours from start to finish. Immediately after the first escalation, the students realized the event was a real threat (not junk data)—right away it generated more interest with the students and security personnel.

This is why I love helping customers. Knowing that the Norwich team could go to bed confident that their networks were safe. They could identify and address cyber threats quickly, and covering more with a smaller security team meant they could focus on higher priority tasks. I look forward to working on more events like this in the future.

For more information, check out the Respond Software and Norwich University Press Releases.

The Power of Humans Working With Machines

In a recent article from BBN Times, AI/IoT/blockchain expert Ahmed Banafa reflects on the cybersecurity issues and threats that plague organizations today.

It’s no secret that cybersecurity has been and continues to be a major issue for most companies. Most noteworthy is the fact that 2017 saw a number of high-profile security incidents, and more than a year later we are no better prepared. This stems from a number of reasons, the main one being that security threats have evolved, and continue to evolve, in a manner which makes it difficult for human intervention alone to keep up with or even address the issue.

“Another great benefit of AI systems in cybersecurity is that they will free up an enormous amount of time for tech employees. Another way AI systems can help is by categorizing attacks based on threat level. While there’s still a fair amount of work to be done here, when machine learning principles are incorporated into your systems, they can actually adapt over time, giving you a dynamic edge over cyber criminals.”

But can AI alone solve the problem? According to Banafa, no, and most industry veterans would agree.

“Unfortunately, there will always be limits of AI, and human-machine teams will be the key to solving increasingly complex cybersecurity challenges.”

Combining human reasoning and judgement with the power of AI/ML is the secret ingredient to defending your network environment from malicious activity.

Watch this webinar to learn how you can add more capacity and efficiency to your team.

Respond Software Named Top 25 CyberSecurity Innovators

As the new Product Marketing Manager at Respond Software, I knew when joining the team they were doing some outstanding work. Simplifying the complexity of network security monitoring and triage and giving hope to small security teams working to defend their business.

The hard work and dedication from the team has been paying off!

We are proud to announce Respond Software has been selected as one of the Top 25 CyberSecurity innovators by Accenture Innovation Awards! The 25 leading innovations consist of a diverse batch of cutting-edge concepts, developed by pioneers in our eight global themes. These innovations are reshaping our world and unlocking new value and benefits for all parties.

I tip my hat to the amazing product and engineering teams that have developed Respond Analyst to tackle some of the complexity in security operations.

Thank you, Accenture Innovation Awards for recognizing Respond Software as a top CyberSecurity innovator! We are excited to be a part of such an amazing and forward-thinking group!

Autonomous network security monitoring; analyzing the ‘breadcrumbs’ that are hiding in your Palo Alto Networks IPS/IDS logs

Detecting an intruder at the point of entry can have the greatest impact on reducing system compromise. That is why Network Intrusion Detection and Prevention Systems (IDS and IPS), such as Palo Alto Networks, are essential tools for any security organization, whether they are protecting the data of a large financial services company or the sensitive research and valuable intellectual property of a university.

The downside is that these systems generate such a high-volume of data that even large, mature security teams do not have the capacity to analyze all the data collected.

A common strategy for dealing with this volume of data is to apply rules to filter data, such as, ‘only show me an IPS detection alert if it appears to be high priority’. The result is that a great deal of relevant security data is disregarded, limiting visibility into relevant clues and context which would save time in identifying and responding to actual threats.

Imagine being able to increase the visibility and depth of analysis by leveraging every IPS detection alert from your Palo Alto Networks’ devices.

An autonomous network security monitoring tool should integrate seamlessly into existing PAN IPS/IDS implementations and immediately begin providing value by taking over the monitoring, analysis and decision-making required to turn IDS/IPS data into vetted, actionable security incidents that are ready for human analyst response.

By the way, out of the box the Respond Analyst’s accuracy rate is between 83% and 92%; after a month on the job, accuracy rates push higher, with many customers reporting nearly 100% accuracy after 60-90 days.
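The two ideas above, aggregating and normalizing events from firewall and endpoint sources into one schema (as described for Cortex earlier on this page) and the cost of a severity-only filter that throws away the low-priority "breadcrumbs", are easy to see side by side in code. The script below is an added example written for this page; it is not Respond Software's, Palo Alto Networks' or Cortex's code. The CSV field order, the endpoint JSON layout, the alert-name-to-stage mapping and the escalation threshold are all constructed assumptions (the real PAN-OS THREAT log and Traps alert formats differ). It compares the "only show me high priority" rule with per-host triage that keeps every alert and escalates a host whose alerts span several attack stages:

```python
"""Added example (not Respond Software's or Palo Alto Networks' code).

Normalizes two constructed event sources (a simplified firewall IPS CSV and an
endpoint alert JSON) into one schema, then compares a severity-only filter with
per-host triage that keeps every alert and scores the chain of activity.
Field layouts, category names and thresholds are assumptions for illustration.
"""
import csv
import io
import json
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: simplified IPS log (NOT the real PAN-OS THREAT field order).
# Fields: timestamp, source IP, destination IP, alert name, severity.
FIREWALL_CSV = """\
2019-01-07T19:02:11,10.20.5.7,198.51.100.9,port-scan,low
2019-01-07T19:04:40,10.20.5.7,198.51.100.9,web-exploit-attempt,medium
2019-01-07T19:09:02,10.20.5.7,203.0.113.44,beacon-like-http,low
2019-01-07T19:10:30,10.20.7.3,198.51.100.9,port-scan,low
2019-01-07T19:12:00,10.20.9.9,192.0.2.15,known-malware-signature,high
"""

# Constructed sample: endpoint alert (arbitrary JSON layout, not the Traps schema).
ENDPOINT_JSON = json.dumps([
    {"ts": "2019-01-07T19:05:05", "host_ip": "10.20.5.7",
     "detail": "suspicious child process of web server", "level": 2},
])

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# Assumed mapping from alert name to a coarse attack stage.
STAGE_OF = {
    "port-scan": "recon",
    "web-exploit-attempt": "exploit",
    "suspicious child process of web server": "exploit",
    "beacon-like-http": "c2",
    "known-malware-signature": "malware",
}


@dataclass
class Event:
    ts: str
    src: str
    dst: str
    name: str
    severity: int  # 1=low, 2=medium, 3=high
    source: str    # "firewall" or "endpoint"


def normalize_firewall(text):
    """Parse the constructed IPS CSV into the common Event schema."""
    rows = csv.reader(io.StringIO(text))
    return [Event(ts, src, dst, name, SEVERITY_RANK[sev], "firewall")
            for ts, src, dst, name, sev in rows]


def normalize_endpoint(text):
    """Parse the constructed endpoint JSON into Events (dst is the host itself)."""
    return [Event(a["ts"], a["host_ip"], a["host_ip"], a["detail"], a["level"], "endpoint")
            for a in json.loads(text)]


def severity_filter(events, minimum=3):
    """The 'only show me an alert if it is high priority' rule from the text."""
    return [e for e in events if e.severity >= minimum]


def triage_by_host(events, escalate_at=3):
    """Keep every event, group by source host, and escalate hosts whose
    alerts span at least `escalate_at` distinct attack stages."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e.src].append(e)
    incidents = {}
    for host, evs in by_host.items():
        stages = {STAGE_OF.get(e.name, "other") for e in evs}
        if len(stages) >= escalate_at:
            incidents[host] = {
                "stages": sorted(stages),
                "events": sorted(evs, key=lambda e: e.ts),
                "sources": sorted({e.source for e in evs}),
            }
    return incidents


def run_comparison():
    """Run both approaches over the combined, normalized event set."""
    events = normalize_firewall(FIREWALL_CSV) + normalize_endpoint(ENDPOINT_JSON)
    high_only = severity_filter(events)
    incidents = triage_by_host(events)
    return {
        "total_events": len(events),
        "severity_filter_hosts": sorted({e.src for e in high_only}),
        "escalated_hosts": sorted(incidents),
        "escalated_stages": {h: i["stages"] for h, i in incidents.items()},
    }


if __name__ == "__main__":
    print(json.dumps(run_comparison(), indent=2))
```

On this constructed data the severity filter surfaces only the host with the single high-severity signature match, while the host that produced nothing but low- and medium-severity alerts (a scan, an exploit attempt, an endpoint process alert and a beacon-like connection) is the one whose activity chains into an incident; it is only visible because every alert, from both sources, was kept and normalized into one view.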

Join our growing community! Subscribe to our newsletter, the "First Responder Notebook," delivered straight to your inbox.