Palo Alto Networks Cortex and IBM Enhance Modern Incident Response

Feb 07, 2023

Every day, IBM Security X-Force works with organizations to prevent, detect, respond and recover from cyberattacks. Choosing the right security tools is critical to keeping team members focused, productive and ready to respond when ransomware, data breaches and other cyberthreats put clients at risk. X-Force has partnered with Palo Alto Networks to complement its existing, industry-leading capabilities with the Cortex product portfolio. This will allow customers to get a complete, accurate and actionable view of today's fast-moving and increasingly data-rich IR environments.

Together, Palo Alto Networks and X-Force offer an important advantage in terms of where and how to direct IR resources — minimizing time to actionable findings, which accelerates the time to contain and remediate an incident. Cortex will enable X-Force analysts to verify and investigate threats more quickly, as well as formulate more effective responses to cyberattacks on customers.

By pairing best-in-breed technology with one of the industry's most elite incident response teams, X-Force allows customers to stay ahead of today's increasingly sophisticated and persistent cybersecurity threats.

Ransomware Gets Real and Businesses Pay the Price

Incident response has always been a core capability for the X-Force team. But today, ransomware attacks and other threats are increasingly likely to impact real-world business operations by disrupting supply chains, throwing distribution and transportation networks into chaos, and damaging a company's brand image and customer relationships.

These types of real-world impacts mean that IR has become a business-critical discipline that leaves little to no room for error. Responders are under pressure to move quickly, cut through the chaos and complexity surrounding a typical attack, and make critical decisions about where and how to focus their efforts.

Endpoint detection and response (EDR) solutions have long been a critical part of the software stack that X-Force and other IR teams use to identify, assess and respond to ransomware and other types of cyberattacks. Unfortunately, IR teams are also dealing with more situations where they can't get what they need from traditional EDR tools. A new approach to IR is required so that enterprises can achieve a level of incident preparedness that keeps pace with the rapidly changing threat landscape.

3 Reasons Legacy EDR Is Falling Behind

There are three areas where previous approaches to using EDR were problematic:

  1. A Focus on Forward-Looking Data Sources – Traditional EDR tools are designed primarily to capture real-time security telemetry and to make the data available to IR teams. They are less useful for integrating historical telemetry generated before the tool was installed, even though this backward-looking data can be critical to understanding the scope and impact of an attack, as well as understanding where current security weaknesses lie.
  2. An Inability to Look Beyond the Endpoint – While endpoint telemetry is an essential IR resource, it's often just as important to look at external data sources — cloud logs, firewall data and authentication data. Most EDR tools lack the ability to integrate or assess this valuable contextual data.
  3. Creating Unnecessary Complexity – IR teams often attempt to fill these analytical blind spots with a patchwork of solutions, including EDR tools, custom scripts and log aggregators. This approach can make an IR team's job far more complicated than needed, leading to avoidable mistakes.

Cortex: Built with Incident Response in Mind

X-Force needed a simple and sustainable way to address these challenges and elevate its IR capabilities. The Cortex platform offered an ideal solution based on a number of key capabilities:

Extending and Adapting to a Wide Range of Data Sources: Cortex excels at gathering and integrating security data from any source (from the endpoint to the data center, as well as telemetry from the cloud). It also allows IR teams to gather critical security data from before the platform was integrated into the technology stack. It gives X-Force analysts a more complete picture of the landscape. Cortex XDR is beyond EDR; it is extensible, incorporating network, cloud, endpoint and third-party data.

Enabling a Simpler, Streamlined IR Process: X-Force analysts are leveraging Cortex to collect and analyze data that previously forced them to work with various tools, integrating and presenting data-driven insights within a single pane of glass.

Enabling Analysts to Focus on the Things That Matter: In our words, Cortex supports "tactical automation," handling a variety of routine data collection and aggregation tasks. This frees up analysts to focus on high-value assessment and analysis activities.

Cutting Through Complexity and Inefficiency: By allowing X-Force analysts to do more of their work within a single tool, Cortex enables a simpler and more reliable IR workflow. This gives analysts fewer opportunities to make avoidable errors.

Measuring Success: How Cortex Creates Value for IBM X-Force

By enabling simpler and faster IR operations, Cortex is poised to improve two key X-Force cybersecurity metrics: mean time to discovery (MTTD) and mean time to recovery (MTTR). But the X-Force team also looks at two additional metrics, both of which offer insights essential to understanding and responding to attacks and help X-Force target IR efforts where they can do the greatest good for clients.

First, X-Force tracks the ability to identify the most valuable data sources for understanding and responding to an attack. Cortex aims to cut through the noise, allowing IR teams to focus on the most important data with a high likelihood of malicious activity.

In addition, X-Force measures the ability to minimize business impacts in the wake of an attack. This metric is critical to being a proactive resource for clients: the aim is to prevent damage from a cyberattack rather than simply clean up the aftermath.

X-Force Secures Its Future with Cortex

Palo Alto Networks and IBM Security X-Force know that it’s impossible to eradicate threats and prevent breaches. By adopting Cortex, however, the deep experience and expert incident responders at X-Force can leverage a unique and powerful technology toolset that raises the bar on best-in-class cybersecurity performance and allows customers to stay ahead of emerging security threats.

As one of the industry's most capable cybersecurity organizations, the X-Force team includes hackers, responders, researchers and analysts, all of whom are top experts in their respective fields. These experts understand how threat actors think and act, and their experience gives X-Force a strategic edge in incident preparedness, detection and response, as well as crisis management solutions.

Palo Alto Networks Cortex is already proving its value in helping IBM Security X-Force to achieve all of these goals by creating a measurable advantage in the team's IR performance. Looking ahead, we're excited to see how this partnership will keep X-Force armed with the right technology, for whatever the future holds for its incident response teams.

Learn more if you are interested in partnering with Cortex for service delivery. If you have questions and want a deeper discussion about prevention, detection and response techniques, or want to learn how IBM X-Force can help you with incident response, threat intelligence or offensive security services, schedule a follow-up meeting with the IBM X-Force Scheduler.

If you are experiencing cybersecurity issues or an incident, contact X-Force to help: US hotline 1-888-241-9812; Global hotline (+001) 312-212-8034.
