Palo Alto Networks releases Cortex XSIAM to automate the SOC

Working in a security operations center (SOC) isn’t easy. In fact, the high volume of manual alert processing and triaging takes a huge mental toll on the analysts securing the environment. Research shows that 70% of SOC teams report feeling emotionally overwhelmed by the volume of alerts. 

As a result, automation is critical for ensuring that security teams aren’t bogged down managing false positive alerts, but have the flexibility to tackle legitimate security incidents. 

In an attempt to bring its vision for the automated SOC to life, today, Palo Alto Networks announced the general availability of Cortex XSIAM, an automated security operations platform designed to automate the SOC. Palo Alto Networks claims the solution can deliver an 80% reduction in alerts that SOC teams need to analyze. 

For enterprises, this solution could provide an answer to analyst fatigue in the SOC, and act as a false multiplier so that human users can process security incidents faster. 

Cortex XSIAM makes the SOC more efficient 

The announcement comes after Palo Alto Networks made Cortex XSIAM available to a handful of design partners as part of the XSIAM Design Partner Program earlier this year. It’s a solution based around the idea of making the SOC more efficient through the use of automation. 

“The underlying problem is that, as new security technologies developed, they have generated more and more data. That data is stored in different systems, and the task of sifting through thousands of alerts every day, then triaging each alert, is left to human analysts, who are overwhelmed. As a result, threats get missed and breaches keep happening,” said Rick Caccia, SVP and CMO of Cortex and Unit 42 at Palo Alto Networks. 

Caccia explains that Cortex XSIAM addresses these challenges through the use of automation. XSIAM handles the bulk of automated SOC work, tackling all the alerts it can, while passing incidents to analysts that are too complicated to be automated. This gives analysts the opportunity to manage “interesting and unusual” incidents. 

Palo Alto Networks is revamping the SIEM market 

As a solution, Cortex XSIAM is most directly competing against security information and event management (SIEM) solutions. The SIEM market itself continues to grow, with researchers valuing the market at $2.8 billion in 2019 and anticipating it will reach a value of $6.2 billion by 2027 as organizations attempt to automate security operations. 

Today, Google Cloud is one of the main competitors in this space, following the launch of Chronicle Security Operations and Chronicle SIEM yesterday, and the rebrand of Siemplify. Chronicle SIEM promises to leverage Google’s threat intelligence to enhance an organization’s detection, investigation and response capabilities. 

Earlier this year Google Cloud announced it has surpassed $6 billion in cloud revenue.

Another key competitor in the market is Splunk with Splunk Enterprise. Splunk Enterprise collects and ingests data from thousands of sources throughout an organization’s environment, while using machine learning and artificial intelligence (AI) to identify security issues and reduce manual admin for human users. Splunk recently announced raising $2.7 billion in revenue. 

Caccia argues that currently, the key differentiator between Cortex XSIAM and existing technologies is that the level of automation requires much less input from human analysts. 

“These technologies have been in use for two decades, and were built to present alerts to humans, forcing analysts to figure out what was a real threat. XSIAM flips this model on its head, assuming that automation comes first, that the XSIAM software will process much more data than a human can, and will handle the bulk of the tedious work,” Caccia said.