Have you ever felt like you’re getting fatigued from too many solutions designed to “help” you out? We joke all the time about how the next vendor to come down the pike is going to tell us that their solution is the one that is truly a single pane of glass (SPoG). This will be the end to all of our woes! Except it often becomes just another pane of glass that we must pay attention to in order to do our jobs.
The Security Operations Center (SOC) is quickly becoming a wall of monitors that represent the silos where data lives. We can look at all of the pretty lights we want and tell ourselves that everything is fine, but the odds are good that the next attack in your environment won’t even trip one of those glowing sensors. That’s because more and more attackers have figured out how to stay under the thresholds that monitoring solutions alert on. Instead of causing a lot of ruckus to steal data or create zombie machines, they test their limits slowly, trying to creep in and own things a little bit at a time. That way they can take what they want and make it out without ever having been seen. And you only find out about it when someone is selling your customer data somewhere nefarious.
Full Frontal Cortex
In order to stop this problem with security silos, you have to have a tool with the visibility to see past the barriers we create. One such tool was shown off by Palo Alto Networks during Security Field Day 2. Cortex is one of their newest solutions, designed to avoid the problems that come with siloed data.
Cortex can ingest a variety of data generated by your systems, from just about any firewall, IPS, or sensor. But unlike the solutions that just aggregate the data and hand you a slightly remixed picture for your SPoG, Cortex does more. It uses cloud-based machine learning to look deeper and find patterns across that data. Even the best intruder eventually has to do ordinary things to expand their footprint or perform reconnaissance in the network, like scanning for hosts and services, and those steps leave traces across many sensors even when no single sensor sees enough to complain. Cortex can sniff out these patterns and help you understand how to fight them.
Cortex is also smart about when to alert you. Anyone who has ever had their email inbox explode after an outage or an incident knows the feeling of alert fatigue. After a while most people stop caring; they just want the lights to go green and the emails to stop. Cortex assembles alerts from related events that meet specific criteria and reports them with enough detail to make them worth your while. So instead of chasing every threshold that trips, you can have high confidence that when Cortex tells you something, it really is important.
But even as Cortex is telling you something is up, it’s digging deeper into the problem. Cortex constantly looks for root cause to help you get to the bottom of an incident. It’s not enough to catch someone scanning your network for vulnerable hosts. You have to know where they are attacking from and how long they’ve been there, and you have to plug the holes that let them in. Cortex can display all of this and more.
And once you know what’s going on, Cortex can even help you fix it. Because Palo Alto Networks knows that alerts are useless without action, Cortex integrates with enforcement software so you can start containing the damage right away. So instead of just getting an email alert telling you something is going wrong, Cortex gives you suggested actions and lets you implement them immediately. That may be enough to stop the bleeding so you and your SOC team can dig in, with Cortex’s help, and figure out how to stop this bad actor for good.
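The difference between a per-event threshold and pattern correlation is easier to see in code than in marketing slides. What follows is an added example written for this post; it is not Palo Alto Networks code and it is not a description of how Cortex is implemented. It reads constructed firewall deny lines in a hypothetical CSV export (timestamp, source, destination, port, action), shows a classic “more than five denies per minute” rule missing a scanner that probes one new host every 45 minutes, and then assembles one alert per source with the context a responder actually needs: where the probes came from, how long they have been going on, and which hosts and ports were touched. The field layout, the sample addresses, and every threshold are assumptions made for the illustration.

```python
"""Threshold alerting versus pattern correlation over sensor logs.

Added example for this post, not Palo Alto Networks code and not how Cortex works
internally. The CSV layout (timestamp,src,dst,dport,action), the sample addresses
and every threshold below are assumptions made for the illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines standing in for a firewall/IPS export:
#   10.8.4.21 probes one new host roughly every 45 minutes (low and slow),
#   10.8.4.50 fails three times against one printer port (benign noise),
#   10.8.4.99 probes ten hosts in under 30 seconds (classic noisy scanner).
_LINES = [
    "2019-12-16T01:02:11Z,10.8.4.21,10.0.0.5,22,deny",
    "2019-12-16T01:47:30Z,10.8.4.21,10.0.0.6,22,deny",
    "2019-12-16T02:10:00Z,10.8.4.50,10.0.0.20,9100,deny",
    "2019-12-16T02:10:15Z,10.8.4.50,10.0.0.20,9100,deny",
    "2019-12-16T02:10:30Z,10.8.4.50,10.0.0.20,9100,deny",
    "2019-12-16T02:33:05Z,10.8.4.21,10.0.0.7,445,deny",
    "2019-12-16T03:19:44Z,10.8.4.21,10.0.0.8,445,deny",
    "2019-12-16T04:05:12Z,10.8.4.21,10.0.0.9,3389,deny",
    "2019-12-16T04:51:58Z,10.8.4.21,10.0.0.10,3389,deny",
    "2019-12-16T05:38:21Z,10.8.4.21,10.0.0.11,22,deny",
    "2019-12-16T06:24:03Z,10.8.4.21,10.0.0.12,445,deny",
    "2019-12-16T06:30:00Z,10.8.4.50,10.0.0.21,443,allow",
] + [f"2019-12-16T03:00:{3 * i:02d}Z,10.8.4.99,10.0.0.{30 + i},80,deny" for i in range(10)]
SAMPLE_LOG = "\n".join(_LINES)


def parse_log(text):
    """Parse the hypothetical CSV export into dict events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, action = line.strip().split(",")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": when, "src": src, "dst": dst, "dport": int(dport), "action": action})
    return sorted(events, key=lambda e: e["ts"])


def threshold_alerts(events, max_denies=5, window=timedelta(minutes=1)):
    """Classic rate rule: flag a source with more than max_denies denies in one window.

    Sliding window per source. Anything paced slower than the window never trips it,
    which is exactly what a patient attacker counts on.
    """
    by_src = defaultdict(list)
    for e in events:
        if e["action"] == "deny":
            by_src[e["src"]].append(e["ts"])
    flagged = set()
    for src, times in by_src.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > max_denies:
                flagged.add(src)
                break
    return sorted(flagged)


def correlate_recon(events, min_hosts=4, slow_span=timedelta(hours=1)):
    """Flag reconnaissance by breadth rather than rate, one assembled alert per source.

    A source denied against min_hosts or more distinct hosts is scanning no matter how
    slowly it goes. The alert carries first/last seen, duration, hosts and ports.
    """
    by_src = defaultdict(list)
    for e in events:
        if e["action"] == "deny":
            by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        hosts = sorted({e["dst"] for e in evs})
        if len(hosts) < min_hosts:
            continue  # a few failures against one box is noise, not recon
        span = evs[-1]["ts"] - evs[0]["ts"]
        alerts.append({
            "src": src,
            "first_seen": evs[0]["ts"].isoformat(),
            "last_seen": evs[-1]["ts"].isoformat(),
            "duration": span,
            "hosts": hosts,
            "ports": sorted({e["dport"] for e in evs}),
            "probes": len(evs),
            # spread over more than slow_span means it was paced to dodge rate rules
            "profile": "low-and-slow" if span >= slow_span else "noisy",
        })
    return sorted(alerts, key=lambda a: a["first_seen"])


def missed_by_threshold(events):
    """Sources the correlator reports that the rate threshold never fired on."""
    noisy = set(threshold_alerts(events))
    return [a["src"] for a in correlate_recon(events) if a["src"] not in noisy]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("rate threshold fired on:", threshold_alerts(evs))
    for a in correlate_recon(evs):
        print(f"{a['profile']}: {a['src']} hit {len(a['hosts'])} hosts on ports "
              f"{a['ports']} over {a['duration']} starting {a['first_seen']}")
    print("missed by the threshold rule:", missed_by_threshold(evs))
```

Run as a script, the rate rule fires only on 10.8.4.99, while the correlator reports both scanners and tags 10.8.4.21 as low-and-slow with a span of a little over five hours across eight hosts and three ports. The benign printer failures from 10.8.4.50 never produce an alert from either rule, which is the other half of fighting alert fatigue: the criteria have to reject noise as well as catch patience.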
The above video has some great examples of Cortex finding malicious software payloads and quarantining them before they can cause issues. There are also walkthroughs of the UI so you can see how easy it is to drill down into a problem without alert fatigue.
Bringing It All Together
Security is hard enough without getting blinded by the tools that are trying to help you. Rather than just giving us another dashboard with lights and email alerts, companies need to step up and give us things that multiply our ability to fix issues. Tools should help us get work done. They shouldn’t be crutches that keep us from doing our jobs. Thankfully, Palo Alto Networks has a great tool in Cortex that should help us tear down the security silos and get back to keeping our networks safe.