Cracking the Code — How Machine Learning Supercharges Threat Detection

In the second episode of the "This Is How We Do It" series, we dive further into the dynamics of security operations centers (SOCs) with Devin Johnstone, a senior staff security engineer (SOC Ops Specialist) at Palo Alto Networks. David Szabo, sales enablement consultant, conducts the interview, discussing the structure of SOC teams and their essential players. Johnstone shares his experience working in SOC teams of various sizes and explains how to build a new SOC from scratch.

The needs of a security team may vary depending on the organization, according to Johnstone. At Palo Alto Networks, the SOC started with just two managers and three analysts six years ago, but a lot has changed:

“As companies grow and mature, it does usually happen that IT and security will
separate. That happened for us around that 2017 timeframe and now we've grown
to the 22 full-time employees that we have here in the SOC today. And of those 22,
10 are in the traditional analyst role where they're actually looking at alerts coming
off the technology and doing threat hunting. And then the rest of us on the team
support those analysts by enabling tooling, logging — giving them the alert data
and the insights they need in order to be successful.”

Palo Alto Networks employs a red team, a group of full-time employees dedicated to attacking the company's systems, also known as “penetration testing.” They operate quarterly exercises where they select a target and attempt to breach it without the SOC's knowledge. If the SOC identifies a potential attack during the exercise, they consult with the red team to avoid wasting resources on internal investigations. The red team provides valuable feedback and insights to help the SOC improve their defenses.

“Our red team are full-time employees whose job is to test our defenses. They'll
pick a target. It's always new, so they're not repeating something that's going to be
easy and something that the SOC is going to find fast. They first get approval for it
because they want to make sure that leadership is going to be okay with them
potentially attacking an internal system, and they go pretty far.

They're that good sometimes that we are even reaching that point and questioning,
‘Is this them or not?’ And they'll go about their attack in secret as long as they can
for three months. If we find something in the SOC, on the blue team side of the
house, and determine it might be the red team, we check with them to confirm, so
we don't spend too much time chasing down our own internal team and then either
stop the exercise or finish.

At the end of the exercise, we do a debrief where they report on everything that
they did, which gives us in the SOC a literal checklist where we can go back and say,
‘We saw this, we didn't see this, we need to build a new alert here. We need to
build new automation here.’ And we get that feedback.”

In addition to automation capabilities in cybersecurity, the advancement of artificial intelligence (AI) has sparked both excitement and concern. ChatGPT, a language-based machine learning model, is not exempt from this discussion. While ChatGPT presents promising opportunities in cybersecurity, it also raises ethical considerations. Adversarial attacks, where malicious actors manipulate AI systems to deceive or exploit them, are a real concern. Devin explains more in this short video clip:

Johnstone also highlights the rise of supply chain attacks, such as the SolarWinds incident, where attackers target organizations connected to the true victims. Palo Alto Networks aims to protect not only itself, but also its customers by preventing the company from becoming a gateway to widespread attacks.

When it comes to threat actors, the Palo Alto Networks Unit 42 Threat Intelligence team is monitoring the evolving landscape. Johnstone says:

“Our Unit 42 team publishes regular reports on the type of threat activity that
they're seeing out in the wild, and it is ever-changing. There are certain groups
that trend year over year. I won't name any in particular, but there is an ever-
changing pool of those groups, and we have Unit 42 to help us keep tabs on them
and even track activity that doesn't affect us. We want to know what they are doing
in other parts of the world, so we can be aware and then also share that with all of
our customers.

Part of the work we do at Palo Alto Networks is showing our customers the
information that is important to them to help them make decisions. And in those
cases where we come across threat intelligence or actions of specific groups or
nations or individuals that might be valuable to us or our customers, we want to
share that as proudly as possible.”

Palo Alto Networks uses its own products extensively within their SOC, acting as the first customer. They also collaborate closely with product teams, providing feedback and shaping roadmap decisions. The SOC relies on Cortex XSOAR as the central platform for incident management and threat intelligence. Additionally, they use a range of sensors and enforcement points, such as next-generation firewalls and Cortex XDR to monitor network activity and endpoints. The Prisma suite of products helps secure cloud services, while Cortex Xpanse provides visibility into external exposures and potential vulnerabilities:

“And then we've also got Cortex Xpanse which gives us the outside-in view. So,
we've got a lot of sensors inside, showing us what we already know about. But
because we've grown by acquisition, there's always the chance that we've got
environments still lingering out on somebody else's cloud account or shadow. It is
a big concern. The stuff that we don't know about we can't protect. Cortex Xpanse
is going out into the cloud and finding all of those exposures that we may not have
known were out there and allowing us to get control of them before they become a
problem.”

Before acquiring Cortex Xpanse, Palo Alto Networks had gaps in asset discovery and monitoring. With Xpanse, we have gained the ability to identify traffic and track potential attacks, even if they weren't directly targeted. This proved invaluable during incidents like the SolarWinds attack, where Palo Alto Networks could proactively assist compromised customers.

Want to dig in more? Watch the full interview.