Hello, everyone. Welcome to the webinar today. Our webinar today is "Are you ready for security automation?" I'm John Tolbert, lead analyst here at KuppingerCole. And today for this webinar, I'm joined by Amitabh Singh, CTO in EMEA for Palo Alto Networks.
Hello, Amitabh.
Hi, good evening. And good morning, everyone. Glad to be here.
Yes, welcome. So a little bit before we begin on some of our upcoming virtual and hybrid events. We have two virtual events in the next couple of months. The first one is "Becoming a Better Privileged Access Manager", which will be on February 16th, followed by another one, again on Zero Trust, on March 23rd. And then our big event of the year is always the European Identity and Cloud Conference, which will be hybrid again this year, both in Berlin and online, and that is May 10th to the 13th. So we hope you can join us for some of these events. Some logistics: we're in control of the audio.
There's no need to mute or unmute yourself. We are recording the webinar, and both the recording and the slides should be available within a day or two afterward. And there is a Q&A box in the GoToWebinar control panel. You can enter any questions that you may have at any time during the presentation, and we will discuss those at the end of our session.
So once again, I'm John Tolbert. I'm going to talk about the SOAR market today, and then look at the requirements, use cases, and then results from a Leadership Compass, our comparative report on SOAR products.
And then I'll turn it over to Amitabh. So first up, Security Orchestration, Automation and Response. It's always good to start with a definition.
In the case of SOAR, even though it's a long acronym, it's all right there: orchestration, automation and response. Orchestration is about taking information and capabilities within multiple security tools and having them work together more efficiently. Automation, in this sense, is about being able to really automate some of the very repetitive tasks that security analysts have to do. An example might be looking through logs and finding IP addresses, and then submitting those to various cyber threat intelligence sites to try to find out more information about them.
Automation can help a lot there, not only in reducing the amount of time it takes to do analyst work, but also in making it more accurate, because then you don't have copy-and-paste or data entry errors and things like that. So there are lots of ways that automation within security improves the environment. And then lastly, response. That's an important piece. Sometimes, as we'll see, the security orchestration and automation tools have a lot of capabilities in those first couple of areas, but not as much on the automated response side.
So that's important because security incidents these days are posing increasing risks and increasing costs to companies. As we see here, the average cost of a breach, depending on what source you look at, can be between four and nine million dollars to remediate. And many organizations are still finding that it can take upwards of six months just to detect that a security incident has happened in their environment.
And then a further two months on average to do something to resolve it. So there's a big need for orchestration, automation and response. I think that's why we continue to see the SOAR market evolving and growing.
So, prerequisites for SOAR. Well, first of all, you need the infrastructure, and that means either someplace on-site or within the cloud, or, if you're going to use a managed security service provider, they'll handle that for you, but it should be available.
And high-availability configs. You need the people that do the work, the expertise. SOAR is really designed to help forensic investigators, threat hunters, and the people that run your security operations center. So if you have a security operations center, SOAR is probably a tool that you'll want to help expedite investigations and remediation. If you are a midsize or larger enterprise, and for some reason you don't have a security operations center, then this is probably a case where you'd want to look for a managed security service provider to do this for you.
And then incident response. You need to have processes in place, everything from how you do business continuity to communications, both internal and external. There are people that need to be informed about the progress in resolving a security incident, both on the technical and management side. And in many cases, you need to be able to tell people on the outside what's going on as well. So being able to convert your incident response processes into something that a SOAR can help you with is a good goal.
On the security side, SOAR is really designed to work with a lot of different kinds of tools. First and foremost, a SIEM, security incident and event management.
This is where, hopefully, all the logs and log files from your various servers and network devices and endpoints are going into the SIEM. SOAR uses that as a data source. Then we have various other data sources and areas of control that this can help with: endpoint security, endpoint protection, endpoint detection and response, preventing and discovering malware, discovering cases where malware has compromised endpoints.
That's both a source of data and a control. Same thing on the network side: we've got network detection and response, next-gen firewalls, intrusion detection systems. At the application level, there are web application firewalls and API gateways. Most security tools, really all security tools these days, need to expose some management functions via API. So you've got things at the application layer that need to be protected and need to be plugged into a SOAR solution.
Many, if not most, organizations are using the cloud. So you need infrastructure-as-a-service monitoring agents for performance, configuration and security. Email and web gateways: phishing is a common case for how incidents start, and the same thing with users landing on malicious web pages.
Again, these are sources of information and things that a SOAR platform can command changes into, to improve your security posture. Then vulnerability management and asset management or unified endpoint management: knowing what your organization has in terms of overall patch levels, and then being able to connect the two, finding out that you've got vulnerabilities because there are unpatched endpoints or applications, then using the asset management system and UEM system to get those patched.
So where does SOAR live?
SOAR can either be on-premise or in the cloud, but logically it sort of needs to sit on top of the SIEM, the SIEM as the place where all the information gets collected from around your infrastructure and your security tools. It all lands there. SOAR can operate on the data that's found there, but it also needs to be able to go out and get real-time informational updates from cyber threat intelligence sources about threats that may be in the environment. So information flows up to the SIEM.
The SOAR can operate on that, and it also looks at incoming information and queries cyber threat intelligence. And then it can also command changes, in real time, to some of these downstream systems, say, for example, making changes on a next-gen firewall to block certain IPs or domains. So in that case, we see the SOAR console can either be in the cloud or on-premise. CTI, cyber threat intel, is an important piece of SOAR overall, and that's one of the many use cases we'll look at here in just a second.
In fact, it's the first one. There are many possible sources for cyber threat intelligence: lots of open source, curated sources that vendors provide. One thing that SOAR can help you do is manage all of that: aggregate the sources, de-duplicate (and there's lots of duplication amongst all the different sources that are out there), normalize it, rank it, to show you what's important in your environment. Phishing triage.
I think this is one of the more important things, given the amount of phishing that goes on. It can help you with collecting samples, extracting indicators of compromise, doing analysis, and then, probably most importantly, to help prevent additional incidents, automatically delete malicious emails that shouldn't be sitting in users' inboxes. If one user has been sent a malicious email, a phishing email, it should disappear across the enterprise. Rapid ransomware response: being able to detect, shut down both endpoint and network access,
so that ransomware doesn't propagate around an organization, quarantine, and alert the proper people. It can help with APT investigations, looking for those IOCs, indicators of compromise, looking for signs of lateral movement.
It's a great place to do threat hunting, for APT, for insider threat. It can help you put together all sorts of different signals from across an environment, whether it be lateral movement, unusual credential usage, unusual communications of any kind, maybe a user trying to access files that they're not really supposed to. All this information can be determined through threat hunting. Then there's indicator of compromise and query customization.
Maybe you find some interesting cyber threat intel, and you notice something that looks similar on one of the machines in your environment. So you decide to create a custom query. SOAR can help you do that across your enterprise.
Then DDoS. DDoS is still a major problem in many areas around the world: identify the source of malicious traffic, shut it down. Vulnerability tracking:
if you discover that there are vulnerabilities, being able to link with your asset management or UEM system to automatically get those patched. Finding a sample of code you think might be malicious, dispatching it to a sandbox for detonation. And then lastly, case management and collaboration. Ideally, you wouldn't have to manage two separate cases in your IT service management
plus your SOAR platform. SOAR should be able to work with ITSM-managed cases, with either one sort of being primary for it, but being able to create, update, allow analysts to annotate cases, and then manage those between shifts is helpful, especially in a SOC environment.
So last year we did a Leadership Compass, our comparative report on SOAR products. In our Leadership Compasses, we rate products based on nine major categories. The first is security.
This is internal product security, and this includes things like multi-factor authentication and role-based access control for admins and analysts. Functionality: does it have all the features that we think a SOAR product, in this case, should have? How well does it integrate? Is it part of an overall solution that a vendor provides, or is it sort of a standalone package? And then how easy is it to deploy? Interoperability: for SOAR, interoperability really is key.
It's all about the connections: the more connections that you have to different upstream sources and downstream security tools, the more valuable it will be in an environment. Usability: we're really only considering what it looks like for admins and analysts, because those are the people that use this kind of tool. Innovation:
this is pretty straightforward. If a solution has all the features that you think it should have, then how are they differentiating themselves in the environment?
Are they delivering new features that customers need, maybe before they know they need them? Is it a leading-edge product? Are they still trying to play catch-up and build in basic functionality?
The next three: market.
How many customers, how big are the customers, are there specific industries that each vendor targets? And very important in each of these three categories is how globally distributed they are: do they have customers around the world? Ecosystem is about partners, tech support, resellers. Do they have good support, again, in various places around the world? And then lastly here, financial strength. This is a market where you have startups, well-established, well-funded startups, all the way up to very large public companies.
So this is sort of a comparison in that regard.
So the key evaluation criteria we used for this Leadership Compass, you'll see, are very similar to what we've been talking about here. Functionality: can it take in telemetry from the SIEM and then maybe other sources? Enrichment: this is where being able to aggregate cyber threat intelligence and then apply it to the specific cases in an environment comes in. Case management: again, working with ITSMs or providing good facilities within the SOAR platform to do that.
And then the rest are really about connectors: integration for IAM, identity and access management; cloud, infrastructure-as-a-service platforms especially; email and web gateway integration; endpoint, EPDR or endpoint protection, detection and response, integration; and then integration at the network layer with various tools like NDR, next-gen firewalls and intrusion detection.
So in the Leadership Compass, we produce graphics that show relative positions of the different vendor products based on our analysis. The first one is usually product leadership.
Again, this is about how complete the product is in terms of the vision that we have, the vision that they have, and the needs that the market has for a SOAR product in this case. Market leadership: number of customers, how geographically distributed they are, and this also includes the partner and support ecosystem. Innovation leadership: is the vendor out in front, anticipating users' and customers' needs and building those useful features in before the competition? And then lastly, overall leadership is a combination of these first three.
So here are the vendors that we rated last time. We will be updating this report in just a couple of months. And to show you how dynamic a field this is, DFLabs, I think, was bought by Sumo Logic, and Siemplify was bought by Google. So there have already been acquisitions in the field just since the last iteration of this report, and I would certainly imagine that there will be more to come. So let me give you a look at the overall leaders in this Leadership Compass for SOAR. Here you can see Palo Alto up front, followed by IBM T3 XV service.
Now, the overall leaders are kind of a mix of big security companies, big IT companies and some specialized startups.
And then there's a good distribution across the challenger section in the middle as well. Product leaders: here we see again a good distribution of larger companies with various specialists. Product leadership, again, is about how functionally strong a product is: how well does it help customers in tasks like doing threat hunting, lots of integrations with other tools, how usable is the analyst console, and how much automation is available. Innovation leadership: sometimes you see startups, or the more well-established startups that have had time to build in innovative features, sometimes wind up getting acquired.
I think that's been the case in this market as well. Really, innovation is also tied to the number and kind of integrations.
Companies are taking kind of a marketplace approach by building different kinds of integration kits for other security tools, and then making it easy for their customers to come and get them and, hopefully, snap them into place without a whole lot of coding, maybe just some configuration changes to make them work with other tools in their environment.
So that improves usability, but it's still sort of a distinguishing innovative feature too, at this point. Here we see the market leaders, and there are more spread out across the challenger section.
I think this is because there's certainly a lot of room for growth in the SOAR market. Not only at managed security service providers, but there are many enterprises of different kinds that have yet to adopt SOAR. But I think that is on the near-term roadmap for many organizations that are out there, just because, with all the emphasis that we see on security incidents that are happening today and their severity, there's a need for SOAR amongst these enterprises.
And I think that recognition has been made now. Some of the positive things that we see in the market: again, connectors. Connectors are sort of the lifeblood of what makes SOAR work, and there are enough connectors out there with the various products that we looked at to make this useful in many environments.
So definitely, if you don't have SOAR and you fit a lot of the criteria that we looked at earlier, I would say it's time to kick off an exercise to find a SOAR product that can help you achieve greater efficiency in remediating security incidents.
If you don't have a SOC, managed security service providers and SOC-as-a-service providers are out there; this is something that you can definitely look into. SOAR, I think, is a foundational tool that SOC-as-a-service providers and MSSPs have to have in 2022. These tools do help increase efficiency. They can reduce the mean time to detect and mean time to respond, and with the additional focus on the automation piece, which I think we will see over the next couple of years, both from vendors
and, I think, increasingly accepted by customers, certain kinds of responses will have to be automated.
So here, in summary: there are lots of good, strong products out there in the SOAR market today. They have a good mix of product features as well as innovation.
Each vendor you would need to investigate on their own merits, based on how well they fit into your environment. Like I said, SOAR has only been around for about 10 years or so, but it's becoming a very important, recognized piece of a security architecture. Small and medium-sized businesses can get advantages from an MSSP if they don't have SOCs that they run themselves. If you are running a SOC, like I said, it's probably a good time to be looking at it. The market will continue to grow.
And then integration really is key: having connectors available for the other tools in your environment, so you don't have to retool your environment just to use a SOAR platform. Look for the SOAR product that works with the other products that you have within your environment today. So with that, I'd like to turn it over to Amitabh.
Thank you, John.
You covered exactly the right thing from my perspective: great information about what SOAR is. And I'd like to add to the details of that from a practitioner's perspective. As a practitioner, I have run SOCs. I have operated SOCs in the past. And as a CISO, I have also seen first-hand what the challenges are when it comes to SOAR. The SOAR platform pretty much works in the respond part of the whole chain for the SOC. So that's the area that we will be focusing on.
And I will expand more on what John has talked about: why this part becomes so critical, and why this is really the most important element for the SOC in 2022. We are starting to call this the real hub for SOCs going forward.
So this is something that those of us who are running SOCs and managing SOCs believe is the reality of current security operations centers. We have too many tools. We have too many alerts.
And obviously there are never enough people, never enough analysts. You'd be really lucky to say that you are fully staffed with the right kind of skills in the SOC. I haven't heard any CISO saying that or claiming that. And the challenge also is that we still have too many silos. So you have a separate net ops team. In most companies, you have a SIEM that's doing something over there, and there's an endpoint team that works on something else. And IT operations is trying to put everything into, still, old ideas and tools.
And I think that leads to some of the basic issues that we are still facing.
So for instance, one of the top use cases that John was talking about was phishing. When we were preparing for this webinar, John and I were joking about phishing: that it should be next to extinct right now. It's not; it's as much a problem today as it was decades ago. And I think the challenge there is that attackers can leverage automation to launch very high-quality phishing attacks with the click of a button.
Spear-phishing attacks are becoming more sophisticated and sometimes completely indistinguishable from real emails, which results in a lot of compromise from human error. And this is where SOAR platforms come into the picture. Security teams aren't able to follow the same processes while responding to phishing alerts. They must move across email inboxes, threat intelligence, firewalls, ticketing and other tools. And because each would have a separate data convention and context, it's completely impossible for security teams to fill the gaps and minimize errors.
So that, in a nutshell, is why, as John was referring to in those use cases, phishing still is one of the top use cases that we are talking about, just because the tools still have that whole set of issues. And SOAR platforms clearly can fill in the gap for most companies to manage that, because it's really impossible for us to go to a company and say, guys, throw all your infrastructure out and buy completely new.
So I would say SOAR, as a short-term measure and also as a medium-term measure, is the right thing for the SOCs you have in place. The other thing that I have started to see is that, if I look at this whole picture, defense really remains inadequate, even when we are talking about pen testing. And I think one of the biggest issues about pen testing, and this is what we've been trying to talk about for a while for a variety of reasons, is that pen testing is about a specific part of the environment.
So you should know the environment, and then you say these are the specific IPs, this is the specific part of the environment, and you should then do pen testing on that. And we know that there are blind spots in a lot of companies.
So for me, even with all kinds of environments, with vulnerability management, with pen testing, with all the other things, we still have a fair amount of challenge as far as defense is concerned in our environment. And this becomes the mantra: I don't know what I don't know. And that's increasingly why SOAR platforms tend to fill in a major void, because of the automation, because of the playbooks, something that I will try and talk more about in this presentation.
So when it comes to that, in terms of how do we actually reduce risk and increase efficiency?
I think one of the basic topics that we need to cover when it comes to managing that is clearly the five layers that we talk about, which cover the broad spectrum of typical organizations. Some of us may not have industrial robots. Some of us may not have R&D. But definitely, if you look at it, all of us still have most of these elements, and you would see it's hard for most organizations to miss them.
So from an endpoint perspective, you would definitely have basically three or four elements: Windows, mobile, macOS, Linux, and Office 365, G Suite or legacy IT systems for some of those who are really working on the manufacturing side. And integrating the exotic ones becomes a bigger challenge. We still have shadow IT, we still have cloud storage issues.
We also have private clouds, and also we have shadow cloud assets. Now the bigger issue is, once you're moving, you don't know how many instances of cloud are being managed overall.
So when it comes to all of that, the biggest thing that we're trying to see is: how does it happen that you're continuously discovering public assets and services? How do you prevent specific issues from happening? How do you manage threat detection and hunting?
And then the part that I'd like to talk about is: how do you go through all of them, and how do you automate that without having too many loose links, where people are still trying to find out what it is that they should do, should they encounter a phishing attack or a specific incident that they need to manage? Do they need to contact the IT team, or do they need to shut down the infrastructure?
Do they need to do sandboxing of phishing emails?
I think those are the kinds of questions that we need to not struggle with, but rather have very precise playbooks around. And finally, to manage the risk efficiently, we need to have zero trust across your applications and infrastructure. So with that, having introduced this topic, I would try and talk about a day in the SOC.
As I said, I will focus only on the response part of it, which is where the topic of this webinar is today. What we are seeing clearly, from an automation perspective, is that the volume of attacks is increasing. And unfortunately, and this is the experience that we have, as the volume of attacks grows, from a risk perspective we don't see that kind of label out there. We don't see that there is a clear issue over there.
We don't see how we are managing that.
We see that there's a clear problem in terms of how those business risks and attacks are dovetailing into each other. Ideally speaking, the higher the business risk, the more ability to respond is needed, and therefore more automation is required for critical attacks. So businesses need to clearly define the kind of playbooks that they should be deploying in the areas and use cases that John was talking about. I would highly recommend that you delve deep into that and see which of those use cases are relevant to your environment, and then look at doing that.
That's the part that we should be focusing on very clearly. And based on that, you should try and see how you're managing the environment.
So again, it's the question of managing this.
It's a question of how many attacks you have seen in the past, what your critical infrastructure is, whether you are managing your crown jewels, the specific applications, properly. So those become clear elements of managing things. And where I would like to talk more from that perspective is the platform to support the attack life cycle.
So if you look at this standard picture out here, the part that I would like to focus on is beyond the detection, which provides context, and beyond the investigation, which helps us to take the right decisions in terms of criticality, risk and prioritization, which we just talked about on the last slide. The response part of it, when it comes to automation and when it comes to business continuity, becomes the most important element out here.
Because even if you have found out that there's an issue, you have detected it and investigated it, your response is clearly the right thing.
And I feel that organizations are unable to do that in the right timeframe. So if you have detected a specific issue, and then it takes you more than two or three weeks to manage that, I think that's where they still have an issue. So really we need to automate the processes and make sure that the playbooks are very clearly aligned to your processes.
You need to have the right kind of trained and skilled analysts who are able to understand and follow the playbooks, and not just the playbooks to decide who needs to do it and manage that. So the analysis through the investigation part, and the threat incidents and threat hunting, need to be integrated into the SOAR platform.
It's interesting that sometimes I've found that people, or organizations, are saying we should have a separate hunting team.
Yes. But if you have found a specific incident, you need to be able to take action on that. That playbook should be coming directly from the SOAR. And automation actually helps you.
So if you have certain restricted IPs that you get to know about, then your SOAR should be opening tickets and trying to manage that, so that if some parts of your organization are communicating with those restricted IPs, then something is wrong, and that incident should actually be raised on a real-time basis. So that part, I believe, is something that we need to focus on intensively now, and that's the most important element for our conversation to manage this.
And then when it comes to understanding the predict part of this, I think we still have not been able to restore the entire portfolio of our assets.
And as cloud becomes more ubiquitous, we are seeing a lot of challenges: organizations find it hard to understand the extent of their assets, how many cloud assets they have in their environment, and how they are managing that from a shadow IT perspective. Because I think with cloud assets, once companies are going to the cloud, business units are just moving to the cloud because it's easy to move there.
And at some point in time, typical IT and IT security departments just have no visibility into what cloud assets are there. And that's also true for software-as-a-service products. Discovering them, finding out the potential hopping points before they get used, and monitoring them on a 24x7 basis is something that should be integrated with the response platform. So what I'm talking about in terms of platforming is that the prediction part should also be moved into the response path.
If you are finding that some issues with attack surface management or configuration are in one of the cloud instances that's hosted for your organization, then that response also depends upon your having found that out, and then a ticket has to be raised to the SOC and actions need to be taken on an instantaneous basis. So with that, I'd like to talk a little bit about our own SOC, because I think that's a critical element to define where we are. We have done quite a lot of changes in terms of our own SOC.
And I'll be taking some product names out there, because that showcases how fast we have been trying to manage our SOC and how quickly we have tried to reorganize it. One of the things that I'd like to say is that in 2019, we replaced Phantom to move to the XSOAR product, which we called Demisto, because that is what we required, but we have actually made it, as was being discussed by John earlier,
now the leading product in this market space. Then ServiceNow in September 2019.
And then we took out Splunk in October 2019. You can see that every month we have been changing things. In 2019, by November, we started to include XDR, Cortex XDR, deployed across all our endpoints, which is ingesting all network security data, and which is able to give us really quick management, a capability to manage and prevent attacks that are not really something that's been there in the media, so not just the standard ones. So for instance, we were able to prevent the SolarWinds attack pretty quickly, as early as August 2021 last year.
So that was really fast and quick. And finally, if you look at it from some of those areas, by 2020 we were able to decommission Tanium from the endpoint.
So, so I'm trying to say that in this case, we were able to manage huge amount of changes. And the reason why we could actually we needed to do that is because we could do almost everything through automation and obviously everything to do, managers from a comprehensive, automated, comprehensive automation out here to the orchestration tool could make sure that through 90% automation, we have 47 playbooks that are running 350 times a day.
We are, we are pretty positive about how we have done that. And we run our software that roughly about 10, 11 analysts. We have roughly 13,000 people worldwide, and 10 analysts are doing that report on a 24 by seven basis. I think that's, that's the kind of power that I would say that we are able to bring to the table. And even if it would go and double the number, we are not looking at doubling the size of the SOC.
So I think that's a part of automation.
That means you start seeing how important it is for us to look at managing the SOC on a lower basis and to get the right elements. So this is where I am also trying to ask organizations that you cannot always look at protecting the investment. You need to actually define what kind of roadmaps you have, where your company is from a managing-your-critical-assets perspective and, at the same time, understand where the industry is moving forward.
And once you've done that, you should be able to clearly realize that in some cases, SIEMs are not necessarily the right area for managing, because I have seen that SIEMs take far too long to detect and manage that. But this is a point that John was also talking about in terms of efficiency, in terms of how quickly you are able to manage that, which is what I'm going to talk about in this slide.
So what we're talking about from the SOC perspective, and again we are using our own example right now, is that we detect within 10 seconds.
That's the mean time to detect for us, and we respond within one minute for all high priority alerts. So I think that's the kind of context we are talking about. What we have started to see is that a good SOC for large organizations should be able to manage security incidents, and I'm not saying respond, in less than 30 minutes. The current metric, when I've been talking to a lot of companies, so far ranges anywhere from months to six months, depending upon how large the organization is. And I think that becomes a huge challenge.
And that's pretty much why SOAR becomes the hub of SOCs. Even if you have detected it, you need to be able to manage that.
So you need to detect and manage really quickly. That's the whole part about managing proper security. It's about speed. It's about managing it through automation. And that's why all of us who are in the security industry really urge everyone that you need to embrace automation and you need to embrace SOAR, so that you're able to detect and respond on a near real-time basis. When it comes to the security operations maturity center,
this is where I'll walk through how the life cycle of the SOC has been and what is going to be the next solution site. When we started the first time around, I would say a decade back, because that's what John said, SOAR, a lot of SOAR platforms, and the endpoint protection, the EDRs, were the starting point. That was the foundation level. But now what we have started to move to for the last two years is having XDR in the picture, because you are building in a proactive way of managing it.
% of the alerts we believe are from endpoints, and the remaining are driven from the network side. So you are able to combine that into one area and add analytics and user and entity behavior analytics to that. So that makes it really proactive and a very powerful way of managing it, from the proactive part, where you get to detect information, managing it in an automated fashion, which is the part that we're talking about: why it's important to have automated playbooks, to have a complete way of managing it for enterprise-wide responses.
You shouldn't be leaving that unprotected in terms of which parts of the organization you should touch. So if there is an element which involves not just IT, but non-IT associates, legal, HR, compliance, then this playbook should be clearly built across that as well.
So you should be able to manage that in a proper way.
And finally, the trusted, which is the predictive part, which is what I was saying, that you should be able to predict and analyze, and that needs to get back into the automated part, keep it ongoing, creating a virtuous cycle in terms of finding out how threat intelligence gets into the SOAR platform.
So this is where the security operations maturity division comes from, from what we have been seeing so far. And this is where we believe most of the organizations are moving towards now. And I believe this is what you're seeing, at least in the Americas and Europe, that most of the organizations have been able to move to the autonomous level. Or we have seen that the traditional and autonomous levels have been quite strengthened right now.
And if they have not moved in, they have shown a huge amount of interest in terms of structuring that. So this is the part that we believe is hugely changing in the last year, the past one to two years now.
So from a perspective of what it is that we will be talking about, that would be a clear way of defining the parts of a normal SOAR. So when it comes to this, this is also the definition that John was talking about, but the SOAR solutions were designed to address the following challenges. The first component of SOAR is orchestration.
So that involves controlling and activating the security product stack from a central location. They do this through playbooks, which are task-based workflows that coordinate across people, process and technology. And the second component of that is automation, which is a subset of orchestration. So within SOAR platforms, automation involves finding the repeatable tasks and executing them at machine-level speed, by machine. That will speed up to near real-time speed. And this is also what I showed that we are doing ourselves.
The SOAR products have to have automation scripts and the right kind of product integrations to accomplish this. Again, referring to what John said, you need to be able to integrate with a lot of products. If you're not doing that, you would not be able to understand what's happening in the environment. And the final component, response, involves maintaining incident oversight as it goes through the life cycle. So you just can't say that an incident has been managed, open case management is there, and then someone would take care of it. It has to be managed throughout the life cycle.
So for some products, this includes case management, collaboration during investigation, analyzing and reporting after the incident close, and closure or lessons learned. So all of that has to be integrated into one area. And I think that's the only way we can manage security in a clear fashion from a SOC perspective. When it comes to driving the automation, the everything part, I think this is the part that we need to focus on clearly: that from a SOC automation perspective, intelligence needs to be enriched, which means you need to know what's happening in the environment.
Unfortunately, phishing response still remains one of the key elements, and I keep on pulling whatever is left of my hair
when I read about phishing. Then on SIEM enrichment: now SIEM enrichment is something that's there typically for the application layer. For those organizations which are focusing on the back end, where they need to have application logs onboarded, this becomes an important factor. But for those organizations that are still focusing primarily on the network and endpoints and the cloud elements to be moved onto SIEM,
I would say there are better options for that, because I still believe that SIEMs have reached a level where they're mostly used for compliance purposes rather than from an actual security management perspective. So to that extent they have outlived their efficiency. And as far as I'm concerned right now, from an extended security and automation perspective, one thing that is very clear is vulnerability management: what's happening inside the environment.
You need to be able to clearly understand what specific vulnerabilities are being detected. So that's external as well as internal.
So you need to have a very clear way of understanding what kind of vulnerability scanners you have inside the environment. What I normally have started to see is that most companies are really deploying CASBs and CSPMs from a cloud perspective internally. And from an external perspective, we are talking about a product like Expanse, which with attack surface management gives you a complete overall picture of vulnerability management.
And through that, you're also able to manage your cloud security, because the CSPM and the CASBs are actively managing your software as a service as well as your cloud assets, and then they directly communicate to SOAR. So the important part of what I'm trying to say here is that when you are looking at getting a SOAR product, make sure that it's integrated.
If you're trying to put everything together yourself, either you should have a very strong engineering team or a lot of money. But if you think that you need to, because most of the time, and that's actually an issue, you should strive to buy best-of-breed security products, which may be a good strategy for some, my own thought process is that the best security is one which is really integrated and secure, so you're able to clearly respond quickly and properly.
And I think that's a point that I would highly recommend, specifically when it comes to enterprise security automation: the network security, the compliance level, all of the use cases and the asset management possible need to be managed through automation. The point that comes into this, where I'm increasingly talking about, is that all of those third-party tools need to be integrated.
So at least from our perspective, we are integrating with 700 plus third-party tools for Cortex XSOAR, or we integrate with SIEMs.
We have very clear tooling, which is a single pane of glass that gives an understanding of everything. It's fairly easy for people to manage that. We have API integrations to as many as thousands of products there, so it is never a challenge for us to manage that. And I think we're able to clearly give an overall perspective from an automation, real-time collaboration, case management and intelligence management standpoint for everything that's there in the environment. So within one area, you're able to clearly manage that.
Plus we have a very strong community which helps us to manage and make the product much more relevant, much more robust as time goes by. So that is why, as you were seeing in the slides before this presentation, KuppingerCole has told us that we are the leader in the segment. Now, moving on to this, I would like to showcase some real-life examples in terms of what happens when we are actually showcasing some of our environment out here. So from a workflow perspective, Cortex XSOAR tackles security challenges in three levels of focus. The first is workflow automation.
The second is ticketing and the third is collaboration. So let me then first take a deeper dive into workflow automation. So from that perspective, Cortex XSOAR makes workflow automation possible through extensible integration with a network of hundreds of security and non-security products. And these integrations are powered by thousands of actions that can be remotely executed within the products from XSOAR. So excuse me a minute.
So the point I'm trying to make out here is that all of those integrations can be remotely executed either as automated playbook tasks or in real time by analysts. You don't have to manage them or think about them when a specific issue happens. So for instance, you can automate looking up a URL's reputation. You can quarantine an endpoint, you can detonate a file in a sandbox. You can send an email to define what needs to be done in those cases.
All of those tasks can be orchestrated using a drag-and-drop visual playbook editor that allows for playbook reuse, nesting and a combination of automated and manual tasks. So the Cortex XSOAR workflow automation really helps you to respond to incidents with speed and scale. And I think that's the important part for most organizations: Can you respond to my incidents? Yes.
And then for larger organizations: we have too many incidents, can you manage this, because we have too many of them? Yes.
So if you're able to answer those two questions, I think that pretty much takes care of the bigger challenges for most of the companies. Having said that, I'd like to move on to the next layer, which is the third focus, on real-time collaboration and investigation. Because it's the part where we need to improve investigation quality. So how do you manage real-time collaboration and investigation? To accomplish this, each incident has a war room view, which is a shared workspace where security analysts can chat with one another and conduct joint investigations.
And that's a very powerful feature. You can't investigate on your own. There's hardly anyone who would just know everything by themselves. The war room also enables third-party product actions to be executed in real time with a command line interface, which means that you take advantage of your security product stack with minimal screen switching and dead time.
So you don't have to wait for things; you know what needs to be done.
You are able to talk to people who are managing it along with you, and when you need to do certain things, you don't have to switch screens and then say, okay, I need to do that now. None of that time, no thinking time. You are able to manage that properly, and all actions and commands are automatically documented in the war room. So the documentation part, which is such a huge challenge, and which in most of those IT service management tools completely goes out, that prevents the need for manual post-incident documentation, but important information can be pulled back.
So you don't want to have to write up or type up, after the incident happened, what happened, which as we all know is never proper. Now, the war room that XSOAR has really helped to improve investigation quality. And it really works the way we are supposed to work as humans together, making sure it's effective and gives you the right perspective at all times. And I think that's the power of what the tool has been able to clearly bring to the table. Something that I cannot stress enough is how important it is when you're facing a crisis situation.
Now, I'm going to talk about something that is the ticketing system, because that's the focus area for case management and ticketing, because we talked about that as well. Cortex XSOAR can ingest data across a range of sources, which include SIEMs, network security tools, email inboxes, vulnerability management and cloud security solutions. The best part about this is that these alerts can then be searched and queried according to the biggest parameters, which can help to slice and dice the data at your disposal. So you can assign custom severities.
You can say what's the importance level of that. You can identify, okay, for a specific issue, you do need to respond within a specific X number of time, seconds, and link them to your playbook execution. What it does is it creates an accurate measurement of your KPIs. You define your KPIs based on your organization's risk parameters.
XSOAR also has a flexible dashboard and a reporting suite that is powered by a widget library. So you create your own dashboards.
You create your own reports according to incident types, personnel indicators, data across any of the parameters you design. The case management really helps you to standardize products and processes and teams. And it also gives you the flexibility that you need to adapt to those emerging offenses. So with that, what I'd like to talk about finally on this is that it is the largest SOAR ecosystem. It fulfills all the things that were being talked about by John.
Does it have the number of integrations, how important it is for MSSPs to provide SOC as a service, and how fast, how efficient it is in terms of responding: what is the mean time to detect, mean time to respond? So it fulfills all of those three things. And that is why it's rated as the leader in this category by KuppingerCole. Thank you so much. It was really nice to be here, and I hope there are some questions for us to answer.
Yeah. We've got a couple of questions here. So we'll move right on into the Q and A. First question: Splunk is not covered in the Leadership Compass as well?
You know, good observation. There are different companies for different reasons. Sometimes they don't have the time to participate.
The process is kind of lengthy. We ask a lot of questions and we need to see demos and talk to customers and things like that. So not every edition has every vendor in it, but we are rerunning this report starting in a couple of months, and I expect there'll be a larger field than there was in this first edition of the report.
So, next question: Why are SOAR platforms becoming the hub of SOCs?
Well, I would say, you know, for years we've heard about a single pane of glass, and now we have SOCs that are full of many, many single panes of glass. And really, I think something like SOAR is finally a way where you can sort of get all those things under control, you know, and get, at a snapshot level, on the SOAR dashboard, a good look at what's going on in the enterprise, and then be able to drill down from there into the individual tools.
I mean, Amitabh, any thoughts on that?
I think I already like the way you describe it, many, many single panes of glass. That was the challenge. And I think with SOAR, we are able to really simplify that, because what normally happens in SOCs is that you've got to look at it from a SOC analyst perspective. And specifically, if you're a level two or level three analyst, you are managing, and then at that point of time, you need to understand what's happening on the network side. So you log into the network consoles to understand what's happening on the firewall console.
Then you log into an endpoint console, then you try and understand what's happening from the SIEM console, because for some of the SIEM logs, you don't go directly over there. And then you try and understand what's happening at the application layer. There are too many confusing aspects. And then you always have consoles on Active Directory.
And identity and access management. And I think that is where SOAR platforms really become important. Exactly what John was talking about: efficiency. How do you reduce your mean time to detect and how do you improve your mean time to respond? That can only be there if you have a single pane of glass, not when analysts are trying to search for the specific console they need to use when there is a crisis.
Well, we've reached the top of the hour. We will have the recording and the slides available very shortly. So I want to thank Amitabh and Palo Alto, and then thank everyone who's attended today.
And any final words?
Anyway, it was a pleasure. Thank you for having me on this. I really enjoyed this. And if there are any further questions, or anyone who wants to contact us, please contact KuppingerCole or directly contact us; we would love to speak with you about this, because it's a topic that's really close to my heart.
Yep. Thank you. Same thing here. If anybody has any questions afterwards, feel free to contact us, and with that, hope you have a good rest of your day. Thank you.
Thank you. Bye-bye.