Security Information & Event Management (SIEM) , Security Operations
Palo Alto CEO: 'SIEM Needs to Be Eliminated and Replaced'Arora Tells Conference Attendees XSIAM Can Replace Alert Triage Attempts From SIEMs
Palo Alto Networks CEO Nikesh Arora urged attendees at the company's annual conference in Las Vegas this week to move away for the alert triage model popularized by SIEM and embrace a different approach.
See Also: What is MDR? And Why is it Critical to your Security Strategy?
Arora says SIEM tools have for decades told SOC analysts the most important alerts to focus on, which has resulted in all the other alerts getting ignored since there isn't enough manpower to address everything. But today, threat actors can rent resources from Amazon Web Services that allow them to scan a potential victim's entire infrastructure in just 45 minutes and attack whatever holes they find.
"I feel very strongly that the category of SIEM needs to be eliminated and replaced," Arora says. "There are a bunch of SIEM tools created to minimize some noise, create a prioritization, and just go with the punches and ignore the rest. Or you hire 200 SOC analysts to go through everything as much as you can. That's fundamentally the wrong way to do it - because it's a computing problem, not a human problem."
Arora and Chief Product Officer Lee Klarich touted the company's new Extended Security Intelligence and Automation Management - XSIAM - tool as a modern alternative to SIEM due to its use of AI to respond to attacks in real time. Arora and Klarich delivered keynote addresses to more than 2,500 cybersecurity professionals and answered press questions in Las Vegas on Tuesday during Palo Alto Networks' Ignite '22 (see: Nikesh Arora on the Palo Alto Networks Growth Strategy).
Where SIEM Falls Short
Instead of simply prioritizing alerts through a SIEM, Arora says security operations centers should adopt technology that eliminates noise, isolates the signal and solves the signal. Eliminating noise can be done via vendor consolidation since that simplifies the cross-correlation of alerts across network and endpoint security products as well as automating redundant alerts from something such as a phishing attack, he says.
"Fundamentally, security is a data problem," Arora says during his keynote address. "If you want real-time security today, you need to have all the data coming in and out of your enterprise and be able to analyze it to understand what's anomalous behavior and what's not."
From there, Arora urged companies to run automation scripts and stitching scripts against the remaining alerts to get down to a far more manageable volume of security alerts that actually need to be tracked. At Palo Alto Networks, eliminating the noise and isolating the signal have allowed the company to cull the roughly 67,000 alerts it receives weekly to between 130 and 140 that should be tracked, he says.
"You have no choice but to block every hole," Arora says. "You can't leave noise because the noise is possibly an entry vector for threat actors. We've come to a point where today, everything is connected. Even all devices are being connected. Everything is an open threat vector. You've got to figure out how to shut it down."
Arora says Palo Alto Networks' new XSIAM product - which was announced in February and made generally available to customers in October - can reduce mean time to remediate by 75%. This is the first time Palo Alto Networks has committed to delivering a measurable outcome through the use of its technology, according to Arora (see: Palo Alto CEO: Vendor Consolidation Is Fueling Our Growth).
How XSIAM Goes Beyond XDR
The XDR tools offered by Palo Alto Networks and others are intended to augment rather than replace existing SIEM deployments by adding analytics as well as superior detection, investigation and response capabilities, Klarich says. XDR therefore ingests specific data sets that are known to be good sources of information such as endpoint data, identity data and cloud data and offers analytics around it, he says.
But XSIAM is intended to fully replace SIEM tools, meaning that Palo Alto Networks uses the good data that's been ingested to normalize and decontaminate less accurate data the company also has access to. Like SIEM, Klarich says, XSIAM must ingest and store all data sources regardless of their veracity so that the data is available to customers in case they need it down the road.
Similar to XDR, Klarich says, XSIAM also relies on high-quality data sources to drive analytics, detection, investigation and response activities. But XSIAM goes beyond XDR by using known good data to validate the quality of the remaining data and to allow customers to incorporate other aspects of SOC tools that have traditionally been deployed on a stand-alone basis, according to Klarich.
Palo Alto Networks' XSIAM collects telemetry from customers' network, identity and cloud-based tools to properly understand the relationships between all the data and drive analytics, Klarich says. From there, XSIAM applies not only workflow automation but also native automation that's build into the cloud, he adds.
The XSIAM technology has allowed Palo Alto Networks to go from ingesting 36 billion events daily to having just 130 possible incidents that need to be looked at, according to Klarich. Then, he adds, further automation is applied to bring the number of incidents down to just a handful that actually need to be manually investigated and understood by the company's SOC analysts.
"This is going to invert the model from humans leading the investigation response with machines helping them to machines leading it with humans overseeing it," Klarich says during his keynote address. "That is the only way to change cybersecurity outcomes."