PAN Ignite 2019 Cybersecurity Conference Recap
Time flies when you’re having fun building software! I can’t believe it’s almost been a month since Palo Alto Network’s Ignite 2019 cybersecurity conference in Austin. Between the packed booths and the fast pace of the Respond Software development cycles, I’m just now getting a chance to share my reflections.
It’s clear that Palo Alto Networks has not only built great products but also has a strong community of users who believe in their vision:
“Secure the enterprise.”
“Secure the future.”
At Respond Software, we're committed to helping Palo Alto customers realize each of these initiatives.
Secure the Enterprise with Automation
Securing the enterprise centered around PAN’s legacy next-generation firewall and newer endpoint protection solutions, like TRAPs. These products provide some of the basic and foundational security controls needed by large and small organizations alike.
How does our security operations software help secure the enterprise? Security controls that prevent threats are not enough, otherwise we wouldn’t see initiatives like zero trust or even bother with security monitoring (a ~$17B market!).
So what is the value of security monitoring? In short, reducing attacker dwell time – or the average duration between the initial compromise and its detection. In the recent ‘Cost of a Databreach Study’ conducted by the Ponemon Institute, they reported the mean time to identify (MTTI) a data breach was 197 days. That is 197 days too long!
However, security monitoring in its current state is extremely challenging and prohibitively expensive, likely resulting from the perfect storm of problems:
- the exponential growth and increased complexity of data
- the dramatic shortage of skilled security analysts needed to triage the data
- a more sophisticated attacker, resulting either from the rise in nation-state activity or incentives from the successful monetization of cyber intrusions (e.g. Ransomware and anonymized cryptocurrency payments)
The Respond Analyst automates security monitoring with robotic decision automation by evaluating ALL of the security data generated by Palo Alto NGFW and TRAPs within the context of your organization. It’s just like receiving a team of virtual security analysts, but without the HR headache of running and managing a SOC. Additionally, our security operations software is cost-effective, about 1/3 the price of a traditional MSSP.
Automating security operations not only reduces the operational cost of hiring and staffing but also reduces the financial impact of breaches. Ponemon estimates the average cost of a breach for organizations that fully deploy security automation is $2.88 million. Without automation, the estimated cost is $4.43 million, a $1.55 million net cost difference.
Secure the Future – Augment your Cortex Data Lake with RDA
With the Cortex Data Lake, organizations can collect, integrate and normalize their enterprise’s data in the cloud. This helps jump one hurdle to security monitoring, the CAPEX and OPEX investments required to build and maintain on-premise log collection and SIEM. This challenge is offloaded to Palo Alto Networks for Cortex customers. In addition, Cortex Data Lake is an open app ecosystem that encourages the integration of security applications, so you can get more from your data without having to replicate it for each and every use case or partner.
Respond Software is one of the select partners chosen to work with Palo Alto Networks and help launch the Cortex Hub. With the click of a button, the Respond Analyst comes alive and starts monitoring and triaging intrusions within your environment. The Respond Analyst is a virtual security analyst that automates the analysis and triage of security data, at machine speed, with a level of depth & consistency unmatched by human analysis. Its proprietary intelligent decision engine provides built-in reasoning and judgement to make better decisions, faster.
I found myself repeatedly explaining the differences between the Respond Analyst and Cortex XDR app provided by Palo Alto. There are similarities in messaging, as both the Respond Analyst and Cortex XDR seek to reduce attacker dwell time, eliminate alert fatigue, and remove blind spots by stitching together endpoint and network silos.
However, our approach and outputs are fundamentally different. Cortex XDR is built on top of previous acquisitions of a UEBA solution LightCyber and an EDR solution SecDo. Cortex XDR, like other UEBA and EDR solutions, helps detect attackers by finding behavioral anomalies indicative of attacks, ships with over 100 predefined rules, and provides analysts or security engineers the ability to build custom rules. Naturally, because of its tenure in EDR, XDR takes an endpoint first focus and only secondarily looks at the network data after an endpoint alert has been triggered. Afterward, a human analyst is still required to triages these alerts. When the XDR alert queue fills up, the alerts turn over, so if your analyst is not able to get to them in time, you have lost visibility into your environment.
The Respond Analyst, like a human analyst, does not just focus on the endpoint but takes a holistic view by sitting on top of both endpoint and network alerting telemetries. Security alerts are just an indication of suspicious activity, so an analyst is required to evaluate the entire situation and all other indicators in the context of your environment. What is the likelihood the attack was successful and relevant to my organization? What type of attack is this? How important are the infected systems and how many are involved?
Given the open framework of the Cortex partner ecosystem, customers are encouraged to try both apps as they complement each other. Additionally, Cortex customers can try the Respond Analyst for free for a limited time.