How Palo Alto Networks modernized its security management with AI
The SIEM, or security information and event management console, has been a staple for security teams for more than a decade. It's the single pane of glass that shows events, alerts, logs, and other information that can be used to find a breach. Despite its near ubiquity, I've long been a SIEM critic and believe the tool is long past its prime. This is certainly not the consensus; I've been criticized in the past for taking this stance.
Legacy SIEMs are outdated
The proof point I offer is the fact that whenever a breach occurs, the SIEM vendor claims to have seen it, yet the breach happened anyway. That was the case with many big-name businesses that suffered a newsworthy cyberattack. Target, Sony, and many others all echoed the same. The SIEM saw it, but the security team missed it. If SIEMs are so powerful, why does this continue to happen?
The answer is that SIEMs can no longer keep up with the massive volumes of data that come into them and need to be correlated, sorted, and viewed in a way that helps security operations prioritize events. This can help separate an actual breach from a false positive. Many security pros have told me their SIEM shows so much info now that they ignore much of it. In a sense, too much information is as useful as no information.
Palo Alto introduces an AI-powered operations tool
This week, Palo Alto Networks introduced its Cortex XSIAM (eXtended Security Intelligence and Automation Management), which can be viewed as a modernized SIEM with an infusion of artificial intelligence. The concept of the XSIAM is that it uses AI to separate the threats from the noise in the immense amounts of telemetry data generated by infrastructure today. If done correctly, this would accelerate threat identification, which in turn, speeds up threat response.
The infusion of AI into security is something that has been badly needed for some time. There are still some people opposed to it, and the thought of taking the analytic process out of people's hands and trusting machines, in reality, can be scary.
The truth is the bad guys are using AI. Using people to fight threat actors armed with machine learning is akin to bringing a knife to a gunfight. It's time to fight fire with fire, and that means accepting that AI needs to be a key part of cybersecurity moving forward.
CXO
One of the major differences between a traditional SIEM and Cortex XSIAM is that the latter collects granular telemetry information, not just logs and alerts. This is where AI can add value as it can drive natively autonomous response actions, such as cross-correlation of alerts and data, detection of sophisticated emerging threats, and automated remediation based on threat intelligence and attack surface data.
Security platforms are the way forward
The release of Cortex XSIAM is a direct result of the security platform that Palo Alto Networks has built. Historically, security pros have used best-of-breed point products to secure specific points in the environment. This is why, according to ZK Research, the average enterprise has 32 security vendors, with some reporting more than 100. One of the three-letter U.S. government agencies told me it has more than 200.
CISOs are now starting to understand that this strategy does not work. One CISO stated that best of breed everywhere does not lead to best-in-class threat protection. In fact, it creates suboptimal protection because it becomes impossible to manage security policies across the various vendors.
I do not believe we can ever have one vendor to handle everything, but businesses do need to pick a single open-platform vendor that has a strong foundation in networking, cloud, and endpoint, and then augment that with technologies that interoperate with that platform. This has been the vision on which Palo Alto has been working.
The first proof point for validating the value of the platform was the release of Palo Alto's XDR solution. In 2018, I authored this post, proclaiming XDR to be the evolution of EDR. My thesis at the time was that looking at endpoint data in isolation wasn't enough; XDR rolls up data from across the infrastructure to see things EDR can't.
The release of Cortex XSIAM follows the same thought process. SIEMs use limited data, and manual analytics and are no longer a viable way of finding threats. This model has not worked, is not working, and won't ever work. Security teams need an operations tool that uses AI-based analytics, which pulls granular data from across the platform to combat today's highly advanced threat actors.