M+E Daily

Palo Alto Networks Takes a Deep Dive Into Its Security Operation Center

As workforces become more dispersed, attackers have been taking advantage of the expanded attack surface and redoubling their efforts to compromise even the most secure organizations, according to Palo Alto Networks.

During the Sept. 29 webinar “Uncompromising Virtual SOC Tour, September 2021,” the company gave a rare view of how it built and operates its own security operations center (SOC), offering a deep dive into its security stack and processes.

Although the SOC is what Palo Alto Networks uses to “protect ourselves… many of these strategies and tools that I’m going to share with you today can be applied to security — whatever that may look like — for” your company also, Devin Johnstone, senior staff security operations engineer at the company, told viewers.

During the webinar, he explained how the firm designed the SOC to be resilient in the face of changing workforce models and new technologies and how it uses prevention-focused technology, automation and machine learning to optimize operations and increase staff productivity.

The first SOC facility that Palo Alto Networks built is located at the company’s headquarters, in Santa Clara, California.

“Our SOC is not” a managed security service provider (MSSP) and “we are not looking at customer data,” Johnstone explained. Instead, “we are responsible for protecting our own employees and infrastructure,” he said, adding: “At a high level, it’s responsible for threat monitoring, threat hunting and incident response.”

The SOC Team

The company’s SOC team is made up of 17 full-time employees split between two office locations, one in North America and the other in the Europe and Middle East region, he said.

“Ten of those team members are responsible for the traditional SOC analyst work, including incident response, and the other seven are in roles supporting the SOC,” he explained.

Those seven include one team member responsible for proactive attack or disruption, two team members responsible for log management, three team members who build and maintain automation for the company’s Cortex XSOAR (security orchestration, automation and response) platform, and “I’m responsible for our data loss prevention program,” he pointed out.

SOC team members currently have the choice to work on site or remotely because of the ongoing COVID-19 pandemic, he noted, adding that they do not work around the clock but only their respective local business hours.

“We rely on the automation in [the] Palo Alto Networks platform to give us 24/7 visibility by alerting us after hours if there is an urgent enough incident that we need to wake up and respond to,” he said.

The SOC team is part of the company’s InfoSec department and, within InfoSec, there are “a couple of other teams we partner closely with, including security engineering, who works with and advises our IT network team in building security into our internal network,” he said.

There is also the InfoSec security architecture team, which works with the company’s product teams to “build security into the products that you are using as a customer; and we have the governance, risk and compliance team, which is responsible for policy and also our vulnerability management program,” he told viewers.

“We are responsible for protecting our 10,000 employees all around the world,” along with “50,000 endpoints, including users’ laptops, desktops, servers and compute instances,” he noted.

“We have 13 data centers, which include on-prem and in the cloud, and we have approximately 82,000 customers like yourselves, who are consuming our services,” he added.

The SOC Journey

“Our SOC journey began in the spring of 2017,” Johnstone told viewers.

At the start, members of the SOC team “identified some of the challenges we had faced in… previous SOC environments because we wanted to build the Palo Alto SOC a little differently,” he explained.

“A security operation center today has to deal with an ever-increasing list of alerts and there is usually a subset of those alerts that are low-fidelity or not providing much value,” he said.

SOC investigations “can also become time-consuming for us when we’re dealing with users in other time zones who may not be working the same business hours,” he noted, adding: “We wanted to give ourselves enough data to be able to handle these incidents quickly, without necessarily having to be up 24/7 to do it.”

There is also “a lot of repetition involved” because as the “alert list starts to grow, the SOC usually has to do some of the same activities over and over again in order to analyze and respond to those alerts,” he explained.

And that is “why we started investing a lot more time into automation and machine learning — to take some of that repetition off of the SOC’s plate,” he said.
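The three operational pain points Johnstone lists above, low-fidelity alerts, repeated handling of recurring alerts, and the need to be woken only for urgent incidents outside local business hours, are exactly what a SOC's alert-routing automation has to encode. The following Python is added here as an illustration of that logic and is not Palo Alto Networks' or Cortex XSOAR's code; the two-region shift schedule, its time zones, the severity scale, the paging threshold, the one-hour dedup window and the sample alerts are all assumptions.

```python
"""Alert routing for a SOC that staffs local business hours in two regions
and relies on automation to page after hours only for urgent incidents.

Illustrative code added to this article; it is not Palo Alto Networks'
tooling. Region time zones, shift hours, severity scale, page threshold,
dedup window and every sample alert are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed staffing: one team on US Pacific time, one on Central European
# time, each working 09:00-18:00 local, Monday to Friday.
try:
    from zoneinfo import ZoneInfo
    SHIFTS = {"NA": ZoneInfo("America/Los_Angeles"), "EMEA": ZoneInfo("Europe/Amsterdam")}
except Exception:  # no tzdata on this host: fixed PDT/CEST offsets, valid for the sample dates
    SHIFTS = {"NA": timezone(timedelta(hours=-7)), "EMEA": timezone(timedelta(hours=2))}
BUSINESS_START, BUSINESS_END = 9, 18

# Assumed severity scale; only high/critical is worth waking someone for.
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}
PAGE_THRESHOLD = SEVERITY["high"]


@dataclass(frozen=True)
class Alert:
    rule: str        # name of the detection rule that fired
    severity: str
    host: str
    ts: datetime     # timezone-aware timestamp


def regions_on_shift(when: datetime) -> list:
    """Regions whose analysts are inside local business hours at `when`."""
    on_shift = []
    for region, tz in SHIFTS.items():
        local = when.astimezone(tz)
        if local.weekday() < 5 and BUSINESS_START <= local.hour < BUSINESS_END:
            on_shift.append(region)
    return on_shift


class Router:
    """Suppress known low-fidelity rules, collapse repeats, then route."""

    def __init__(self, suppressed_rules, dedup_window=timedelta(hours=1)):
        self.suppressed = set(suppressed_rules)
        self.window = dedup_window
        self.last_routed = {}  # (rule, host) -> timestamp of the last alert that was routed

    def route(self, alert: Alert) -> str:
        # 1. Rules tuned out as low-fidelity never reach an analyst.
        if alert.rule in self.suppressed:
            return "suppress"
        # 2. The same rule on the same host inside the window is a repeat:
        #    attach it to the earlier alert instead of opening new work.
        key = (alert.rule, alert.host)
        prev = self.last_routed.get(key)
        if prev is not None and alert.ts - prev < self.window:
            return "dedup"
        self.last_routed[key] = alert.ts
        # 3. Whoever is on shift takes it; otherwise only urgent alerts page.
        on_shift = regions_on_shift(alert.ts)
        if on_shift:
            return "queue:" + on_shift[0]
        if SEVERITY[alert.severity] >= PAGE_THRESHOLD:
            return "page:oncall"
        return "queue:next-shift"


def demo() -> list:
    """Run a constructed (not real) alert sequence through the router."""
    utc = timezone.utc
    alerts = [  # Tue 2021-09-28 and Sun 2021-10-03, all timestamps UTC
        Alert("suspicious-powershell", "high", "host-e", datetime(2021, 9, 28, 8, 0, tzinfo=utc)),
        Alert("noisy-dns-lookup", "low", "host-a", datetime(2021, 9, 28, 16, 0, tzinfo=utc)),
        Alert("suspicious-powershell", "high", "host-b", datetime(2021, 9, 28, 16, 0, tzinfo=utc)),
        Alert("suspicious-powershell", "high", "host-b", datetime(2021, 9, 28, 16, 30, tzinfo=utc)),
        Alert("suspicious-powershell", "high", "host-b", datetime(2021, 9, 28, 18, 0, tzinfo=utc)),
        Alert("credential-dump", "critical", "host-c", datetime(2021, 10, 3, 4, 0, tzinfo=utc)),
        Alert("port-scan", "medium", "host-d", datetime(2021, 10, 3, 4, 0, tzinfo=utc)),
    ]
    router = Router(suppressed_rules=["noisy-dns-lookup"])
    return [router.route(a) for a in alerts]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Running `demo()` walks the sequence: the 08:00 UTC alert lands in the EMEA queue because Amsterdam is at 10:00 while Los Angeles is asleep; the DNS rule is suppressed outright; the first PowerShell alert on host-b is queued to NA at 09:00 Pacific, its 30-minute repeat is deduplicated, and the 18:00 UTC recurrence is routed again because the one-hour window has expired; on Sunday morning UTC nobody is on shift, so the critical alert pages on-call and the medium one waits for the next shift. The dedup key deliberately excludes severity so that a rule re-firing at a different level is still folded into the open alert; widen or narrow that key to match how the detection content actually repeats.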

What often happens is that a SOC’s management will feel the need to hire more people as alerts grow, he pointed out. But Palo Alto Networks decided to invest more in technology to help it “handle all of that data but remain a lean and efficient team,” he explained.