KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Unlock the power of industry-leading insights and expertise. Gain access to our extensive knowledge base, vibrant community, and tailored analyst sessions—all designed to keep you at the forefront of identity security.
Get instant access to our complete research library.
Access essential knowledge at your fingertips with KuppingerCole's extensive resources. From in-depth reports to concise one-pagers, leverage our complete security library to inform strategy and drive innovation.
Get instant access to our complete research library.
Gain access to comprehensive resources, personalized analyst consultations, and exclusive events – all designed to enhance your decision-making capabilities and industry connections.
Get instant access to our complete research library.
Gain a true partner to drive transformative initiatives. Access comprehensive resources, tailored expert guidance, and networking opportunities.
Get instant access to our complete research library.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
Security Orchestration, Automation & Response (SOAR) tools are the latest in the evolution of automated cyber defenses and are set to become the foundation of modern Security Operations Centers (SOCs). But SOAR is not only for large enterprises. The benefits for smaller organizations should not be overlooked.
Security Orchestration, Automation & Response (SOAR) tools are the latest in the evolution of automated cyber defenses and are set to become the foundation of modern Security Operations Centers (SOCs). But SOAR is not only for large enterprises. The benefits for smaller organizations should not be overlooked.
Welcome. I'm John Tolbert, a lead analyst here at KuppingerCole and today's webinar's topic is: are you ready for security automation? And I'm joined by Dan Sarel, the vice president of product management at Palo Alto Networks. Hi Dan. Okay. Before we begin, we have some other upcoming events, KC live events we wanted to tell you about briefly on May 11th, we'll have modern IGA capabilities for identity centric security followed by enabling the future of identity and access management on May 27th, and then managing digital workflows with service now on June 23rd.
And we hope you can join us for those events as well. So some logistics about the webinar and we control the audio. There's no need to mute or unmute yourself. We are recording the webinar and both the recording and the slides will be available in the next day or so. And at the end, we'll have a Q and a session, and you'll notice on the go-to webinar control panel, there's a place to enter questions and you can do that in any time during the webinar and we'll take them at the end.
So again, I'm John Tolbert, I'll start off talking about the background on the soar market, what the business drivers are, what the requirements are. And then we'll take a look at some of the results from the leadership compass on soar that I did last year, and then I'll turn it over to Dan and we'll take Q and a at the end. So let's look at soar. It stands for security, orchestration, automation, and response, and the need for soar is really driven by the increase in the number of, and severity of security incidents.
And we're all aware, you know, the news has been full of these for the last, you know, months. There is definitely a need for companies and organizations of all kinds to be able to better respond to security incidents. And that's really driven by the fact that if you looked at a couple of key metrics, like meantime to detect and meantime to resolve the meantime to detect most security incidents is still somewhere around six months in the meantime to resolve as in the neighborhood of two months. And that's, you know, that's born out by the, the recent solar winds incident.
And in case in that case, there are companies that are still dealing with the aftermath of that and the average cost of doing remediation on an event, depending on what source you look at. And there's a number of different studies that show this can range between four and $9 million per incident.
So that's, that's a significant cost. So solar again, stands for security, orchestration, automation and response. And we're going to focus on what each one of those means in slides ahead, but before you have a sore or want to look for us, or you probably have other things in place in your infrastructure security infrastructure that you need to be able to integrate with and connect.
So infrastructure for one, you know, having the on premises hardware or, you know, being able to deploy the soar console and the cloud, putting it in a high availability configuration, you need the expertise, forensic investigators, threat hunters, SOC analysts, SOC managers, soar will require some dedicated resources in order to operate and get value from, and then a SOC a security operations center or a managed security service provider sores are really, you know, becoming the foundation for a security operation centers is a single console to be able to, you know, administer and get status on all the different security tools and an environment.
And that's especially true for MSPs and SOC as a service vendors. And then incident response process is once you identify a security incident, you need to have both the technical means to deal with it. But also the process side, you know, all the way up to business continuity planning and the communications. How do you communicate, you know, information about an ongoing security incident to internal staff, as well as what would you say externally? And some of the advanced store platforms can help you with that by even helping to automate functions within the say communications. Yes.
So some of them security and prerequisites that you should have in place before soar first off is a SIM security incident and event management. This is the collection point for all your security telemetry, all your internal servers and, you know, different systems that you see listed below here should be able to send their log information to a SIM solution, which then soar interacts with EPP and EDR endpoint protection, end point detection and response. These are common security tools that most everyone has. If you don't have them, you need them.
And all of these will be, you know, both sources of data for the soar to use as well as controls through which soar can command actions. So we've got an end point covered. There's also network. So network detection and response next gen firewalls intrusion detection systems. You need to be able to have visibility at the network level of what's going on over and above, just what's going on with your end points, servers, web servers, location, firewalls, and API gateways.
API is, are becoming the, the main way applications communicate both internally business to business business. Consumer applications require that. So hopefully your secure API gateways and laughs send information to SIM, which then can be integrated with social, okay.
Infrastructure as a service, many organizations are using cloud today, and you need to be able to get telemetry from the cloud and then also be able to hopefully pipe that in and do controls back to cloud instances and the capabilities depend on not only the soar platform, but what the underlying systems support as well via their API APIs, email and web gateway is email is, you know, a very common vector for things like phishing and business, email compromise, which can lead to other kinds of attacks and data breaches, as well as web gateways.
These are things that should be in place and integrated into your source solution. And then vulnerability management.
You know, many of the security incidents that we've seen over the last few years are exploiting vulnerabilities. So being able to assess those, get information about, you know, where your environment is in terms of overall security posture, which machines might need to be patched managing that. And then integrating that with asset management and unified endpoint management to push out automated patching when necessary. So these are some of the background capabilities that you'd want in place before sore and that you need to integrate with.
So, okay. So with that in mind, just a quick graphical look at how it all fits together. You see soar over here on the right it's operating on information in the SIM, which collects information from all the other parts of your environment, but then it can also act upon those other parts of the environment through API APIs and the capabilities again are, are both dependent on what the soar platform allows and then what the downstream security tool can expose through its API.
And then you see the up to CTI that cyber threat intelligence that's, you know, there are many sources of cyber threat intelligence and the soar platform can pull that in for you and, and make it pick out the relevant things to enter into cases. Lastly, I'll say, you know, soar console can be either on premises or in the cloud. Most vendors offer in the cloud options as well. So top 10 use cases for sore talking about threatened till management they're open sources. There are curated third party subscriptions that are available. A lot of this information has a limited lifespan.
There can be lots of duplicates. So, so our platform can help normalize that D duplicate it and prioritize that information per per incident. Phishing triage fishing is, is still a significant problem. So being able to pull indicators of compromise out of that do lookups, and then even in the case where you may, your organism, but organization may have been spammed in mass, delete all copies of a malicious email across the enterprise.
All at once is a useful thing that soar platforms can do rapid ransomware response to detect it, and then isolate an effected node to stop it from spreading across the network, or being able to encrypt files on the network. That's a useful in time, time saving thing that soar platforms can help initiate apt investigations, advanced persistent threat. This involves, you know, doing IOC searches across an enterprise, looking for signs of lateral movement. Once an attacker gets in and compromises one machine, they want to look around the environment and see, what else do you have?
A sore can look at all the different underlying data sources like EDR and NDR put that together to figure out if there unusual communications going on, maybe between compromised machines in your environment and command and control infrastructure, insider threat investigations, looking at unusual credential usage, internally, maybe users that are logging in at unusual times or attempting to access files that they really don't have permission to.
So this soar can, again, synchronize all this information from different sources across the environment, then an indicator there's of compromise and query customization, being able to take maybe standard IFCs that you find in threat intelligence and then modify them, and then execute those threat hunts across your advice indeed and malicious traffic mitigation.
There are many ways to deal with DNS, and there are services that you can engage to do that, but then also soar platforms can help with some of that by identifying the source of the DDoSs, blocking that at the blocking, the IPS or URLs or domains on the firewall, making changes to DNS, alerting ISP and management vulnerability tracking. As I was mentioning, getting information from vulnerability management systems, using that to push out changes through, say UEM or other configuration management industry structure submitted code samples that are found to sandboxes.
Let's say you've got a sample from an endpoint protection program. You can submit that to either the vendor or third party sandboxes for analysis and determination, whether or not it's malware. And then lastly here, case management and collaboration, being able to create update have analysts, you know, add notes to the cases as they go along route those to the appropriate analysts, collaborate, you know, between shifts between security operation centers and tie that into your it service management. If in fact, you are using ITSs as sort of a master for case management.
So with that in mind, let's take a look at the leadership compass cited on soar last year. So for our leadership campuses, there are comparative reports. We look at, you know, all the relevant products in a particular product space or a service. We have nine major categories of information that we consider, you know, that are invariant on the different subjects. And so we'll look at these real quickly here. Security does the product meet the security standards that, that we see is essential for the field today. So that's internal products, security functionality. Is that feature complete?
Does it have all the features that we would expect a product in this space to have? Is it integrated? Is it integrated within itself is a part of a suite how easy to deploy is it interoperability? And this is really key for soar because these connectors from soar to all your other security tools are really what makes it a extremely valuable in your environment. So interoperability is how well does it work with other services? It doesn't support all the relevant standards, usability, you know, this case soar is mostly used by SOCs, SOC management, threat hunters, security analysts.
So it may have a more limited user base, but still we like to look at how easy is it for an analyst to use, how useful is it for as a primary tool for sock management, innovation, you know, where do the products fit in the overall market? Are they, are they leading edge or are they kind of playing catch up? Do they have all the features that we would expect?
And then some, are they listening to their customers and putting, you know, the features in that they need, or are they even looking at the market itself or security field itself and saying, you know, here are opportunities to deliver some features that anticipating the needs of the market. That's what we mean by innovation for a market. How many have deployed each given vendors product? Are they targeting specific industries?
And then how geographically distributed are they, are they limited to north America or do they also have operations in Europe, APAC, other regions of the world ecosystem measures, how many partners do they have of different sorts like ISBNs and VARs or support, you know, within the, the vendor organization itself across the world, which will help you understand if they're, if they're global and can support you where you and your business exists and operate financial strength. You know, this is a, there can be a wide spectrum.
There, there are startups that are fairly new, but they may be innovative. They're late stage startups, they're public companies.
You know, how profitable are they, are they are, they have, they got a sufficient amount of funding. This is what we rate in the financial strength category. So you'll see that the key evaluation criteria, very similar to what we just talked about with regard to use cases and functionality a number also, I'll just kind of quickly go over this again, telemetry collection, the able to pull in all your information from your environment into a SIM enrichment.
This is where cyber threat intelligence comes into play case management, the ability to collaborate and integrate with your it service management systems. I am integration being able to connect to your IBM systems, your authoritative user repositories, cloud integration, both infrastructures of service and, and SAS applications as well, email and web gateway integration, EPP, and EDR integration, and then network integration.
And these for the leadership compass evaluation, I'm looking at, you know, not only the numbers of connectors, but whether or not the connectors and integrations that are available cover the most popular tools in the market. And then again, you know, the quality of the API integration are these packaged nicely. So it's easy for a customer organization to take one of these integrations, put in into place and start getting value out of it.
There are cases where there are third party built integrations for different security tools into soar that may or may not have support from the people that created it. So, you know, the quality of the API integration, as well as you know, which, which connectors are actually available for the tools that you may want to run are important things to consider when you're doing an RFP, okay, then we roll all this together and have four major leadership categories.
First off, product leadership, this looking at the overall functionality, is it a complete product market leadership? This is an amalgamation of that number of customers, geographic distribution, size of the ecosystem and financial strength, innovation leadership really drills down into how innovative is the company and the product compared to all the others in the market and where we think they should be. And then those three combined give an overall leadership score. So let's take a look for this leadership compass. I won't read these off to you, but you'll see.
These are the companies that are individually rated over here on the left. And then there are also companies that are in the vendors to watch will be rerunning, the soar leadership compass, I think later this year. So here's a look at the overall leader graphic to the right is the higher score.
And again, overall leader is, you know, product plus market plus innovation. And you can see a good distribution here, Palo Alto out front here. Then we'll look at the product leaders and again, product leaders are the ones that have the most complete and functional products, you know, in this market. I think some of the key features are those integrations and being able to facilitate threat hunts, and then, you know, how usable is the analyst console, and then how much can actually be automated. These are what I'm scoring in the product leadership graphic here.
Again, you'll see a good distribution across the, from the leaders through the challengers here, innovation leaders, you know, in, in soar innovation really is tied to usability of the console. It's also tied to the number of quality of integrations. How well can Analyst use it for doing the threat HODs? How customizable is it? What about the playbooks?
You know, does it ship with a lot of playbooks that then can be customized as needed by individual organizations? You know, if you look at trends, there are some innovative startups here and there also some large security stack vendors. In some cases they've absorbed some of the most advanced startups already and then market leadership.
Again, this is about overall size of the company and profitability or how much funding they have, if they're a startup, what their revenue levels are. And then, you know, how many customers do they have, how widely distributed they are. And you'll see, you know, the larger companies are, tend to perform better here. Okay. So sort of wrapping up on this side, the positive things that we see, there are enough vendors with products that have a sufficient number of connectors to make soar a really useful security solution today.
And again, it's, it's gotta be able to integrate into your environment and, and draw information from and command orchestration and automated responses in the tools that you have MSSP is and SOC as a service, you know, I think soar is going to be the foundation for these going forward. I think that, you know, in a situation where you've got multiple clients that you're running the security operations for the soar platform is an excellent way of being able to get all the information that a SOC analyst needs to see at once.
And then being able to give them the tools to make positive changes in the environment based on security conditions and then overall increasing efficiency. So our platforms can help reduce the meantime to detect and meantime to resolve. I think it's really important to remember that attackers are using automation today against you, and we have to use automation to help repel these attacks without it, you know, it's a very asymmetric situation where attackers have an advantage. So a soar is a way to help bring that automation and, and, you know, gain some, a leg up on the competition.
And then in summary, you know, there are lots of great products out there in the space, as you've seen in the leadership compass results. You know, the overall leaders have a good mix of functionality innovation, and they're rewarded with that with good market share, but each vendor has their own strengths and challenges.
And you need to look at not only a leadership compass, but thinking about your own specific security requirements and look at those in detail during RFPs, soar is a growing market, and it's only been around for about a decade, but it's really taken off again because defenders need automation. They need good quality information to be able to make their analysts more efficient and soar can do that. It was more, mostly an enterprise thing a few years ago, but there's increasing interest on the part of SMBs and, you know, managed service providers and SOC as a service.
I think we're going to see a big increase in those kinds of services being used by a variety of organizations and soar will be the platform that they choose to use to integrate the, and I can't really emphasize it enough, but integration is key or is about orchestration and trying to automate a lot of those time consuming tasks, especially around investigations and then making like one click or even totally automated responses where appropriate. So, you know, the best value you can get from sower is picking one that, you know, supports the things that you have in environment.
Plus, you know, where you may be going. If you've got things on your own security roadmap, make sure you consider not only your two as is architecture, but you know, where you want to be in the future with that. So with that, I will turn it over to Dan. Thanks again, John, for, for the presentation and the, for the recognition for XR, the Palo Alto networks source solution. I'm going to, my name is Dan and I'm responsible for the source solution here at Palo Alto networks.
And I'm going today to, to tell you a little bit about the vision behind the product and, and why, at least I think it got a high up on, on the leadership, I guess the, the leadership part of, of the product that, that John spoke about.
So I want to repeat much of what John said, but I don't want to our perspective of what soar is and what is the more importantly, what is our efficient, and more importantly from here, please, we want to be in this situation, the thing in a few years time, almost every attack that comes into your, so get an automatic response and, and, and maybe most of the attacks, most of the security incidents will get resolved automatically. That's why we want to go. We realize that we're not there. We realize that nobody's there.
We realize that you're not there, that you don't necessarily have all the tools to get there between one, to get you as, as close as possible to, to such a situation and, and basically make you a lot more efficient.
So the story really started from John said exactly from automation, orchestration and response, and a few words about what we mean for each of these functions, just so that we all speak the same language automation to us means the ability to connect to another product and to run commands to, for example, to make the other product, do what I want it to, to bring the information from the product that I need to get in order to continue my investigation to understand what happened, et cetera. So, so if you will, an automation is kind of the building block, a four source solution.
It's really the, they built it to, to create scripts, for example, that do do this thing exactly the tasks that say, bring me this part of information from, from this product or change the policy in another product. That's, that's an automation orchestration built on top of automation. At least this is how kind of we think about orchestration. And once you have the building blocks of, of automation means that for example, you can connect to the same as John said, and bringing, bringing information from the scene.
And if you have the ability also to send emails in the organization organization, and you have the capability of, of sending the firewall information that will allow the firewall, for example, to block new IFCs that the two now know about that's where orchestration begins. Think about this, think about us as the source, as the source solution. The thing is like the, the terms, your, your security tools into an orchestra and not to solo tools that, that each place, their own tune we actually orchestrate.
And we make sure that, for example, when you have a phishing campaign that is hitting your organization, that we orchestrate everything, your email, your active directory, or SIM your endpoint solutions, et cetera, we orchestrate all these parts to, to respond and to make sure that you work as an orchestra to, to respond to the phishing campaign, for example, same goes for any security incidents. So we, we don't really all, we don't only deal with phishing and malware, which are the kind of the every day security incidents that you have.
But, but there are lots of other incidents that, that many times customers don't think about a security incident. So for example, a, one of your employees, laptop is stolen or lost. That's also a security incident that you have to deal with and that you need to orchestra because there are lots and lots of things you need to do to make sure that that you're secure, be it changing passwords all over the place.
So, so whoever has control of the laptop can not do much in, in your network, but also an investigation that looks to see if, if anything has been already exploited using the laptop that was a lost or stolen Response Is the last pillar of, of the original source solutions. And here, this is where we can help organizations a lot. And this is where organizations really, really suffer. That's the response part because many times it's very, very painful.
So do some to do something that John had mentioned to delete an email that appears in, in many people's inbox is not a necessarily a trivial thing. And to change a, an, a role in the firewall. For example, it's not a three book thing often requires a lot of people's permissions. It requires you to, to do some change control, to understand what happens once a you you're going to change your role, et cetera.
And in, in essence, the response part of a, of a soar is based on, on the ability to take the workflow and automated to the extent possible, and when not possible also to reduce the time as much as possible. So if, for example, today, someone in the soft would be stuck for a long, long time because they don't know if they got permission or did not get permission from the relevant folks in, in networking. For example, all of these workflows get automated to the extent possible.
So, so this is kind of the basic store, but what we've created is a lot more than that. And, and we've been working diligently in the last few years to really expand the idea of soar and to make it a lot more of a platform that, that really helps him get to the next stage. And I will call the next stage, like once that once then behind the ultimate goal, which is again, to automate a hundred percent of, of anything, any security operation that you need to, that you need to do.
So if we start from automation and orchestration here on the left hand side and, and edit to it, the case management capability, again, as John mentioned, some customers will have a case management or a ticketing system that they will connect with at soar. And that's a perfectly fine. And our soar actually connects to the surface now that you may have, or your JIRA solution or whatever solution that you have. We support dozens of, of ticketing systems, but we also bring our own case management system, which was really designed from the ground up for security operation centers.
I'll come back to this in a second, but this was the first thing we've done. When, when we released the product was really to connect the two worlds of automation orchestration and case management, another pillar, which was third pillar that we had was a real time collaboration.
And, and this starts from the collaboration within the stock. So the ability, for example, for two analysts who are working on the same incident to work together, to show each other what they're doing to, to seek help from each other. So if I'm a windows expert and the next Analyst is a Linux expert, and, and during the investigation, I really need someone with linens internals knowledge to help.
Yeah, I can actually show this person online, what's going on no matter where the other person is and, and, and share the information that, that, that requires their feedback. So real time collaboration was really key, started again from the internal SOC collaboration, which we found was missing in, in many, many for many customers, but also the collaboration within other teams inside the organization with the it, with the firewall admins and so on and so forth. We wanted to give all the possible tools to collaborate efficiently within the product or within the platform that manages the SOC.
We added to this the fourth pillar on the right hand side, which is the threat Intel management. And again, John mentioned this, you can always connect to it to an external threat intelligence platform to whatever feeds the that you have.
Again, we connect today with many dozens of threat intelligence platforms and many, many feeds, but we felt we need to do a lot more than that, and really take upon ourselves to do what the threat intelligence platforms have not done really, really well, which is to bake in the entire phrase, intelligence, intelligence management into the store, beginning with the topic there, tactical tactical part of, of threat intelligence, meaning the ability to take, take in feeds. First of all, make sure that, that we clean up all the feeds that we get, that we did the duplicate, et cetera.
And then the tactical part is, is really deploying information, the organization. So for example, the firewalls, no, which I assume is to look for an to block that your IPS is, are up to date with, with such information that your endpoint security is aware. For example, of all the files that are currently files the, that you're monitoring and making sure that they're not appearing in any of your endpoints.
So this is the tactical part and, and the strategic part, which we are now investing in, developing a lot more is the ability to take the intelligence, make sure that you know, which intelligence is really relevant to you of all the intelligence out there that, that you consume and create the reports. For example, for your executive management, maybe for your board as well, about what you're looking at, what is the current risk, a scenario who are the main actors that you need to look out for, et cetera.
So this, this is part now of the XR solution, which is why we changed the name from soar to XR to extend that soar where we believe the threat intelligence management should be part of the same solution. So, so this, this is a, this is a part of what we've done. The next thing we've done, we took the idea of collaboration and we, and we agreed.
We, we, we, we advanced it to the next level. What do I mean by that? We've we found out that many of our kids customers, when we start working together at us, what are other customers actually doing with, with the product? Can I see playbooks that other customers are using, for example, to handle phishing or to handle malware outbreaks or to handle a lost and stolen laptops scenario.
And, and we realized that that the world really needs more collaboration and we created the market exactly for that. And the marketplace is a place inside of, or products where customers sharing information with other vendors, sharing information with our customers.
And, and this has become, even though we, I think less than a year ago, I think it was June of last year. It's, it's become the most popular part of our product with, to date with above, I think 50,000 downloads from, from the marketplace of, of material that is collaborated.
So, so people collaborate really on, on solving issues on automate automations, scripts, automation, scripts, layouts of screens inside the product. And we have information from one too, into XR and so on and so forth, lots of data there in the marketplace that makes our product really lot more valuable for our customers than, than, than even it was before. So going back to, to the basics, just to manage it and, and to give you an idea what, what sort of looks like and what it does for you.
So, first of all, it's, it's really a workflow automation engine on the left-hand side here, you can see what a playbook in our environment looks like really, really easy to, to create those. And, and, and again, the marketplace already comes with hundreds of playbooks that our customers can can adopt, can also tailor to their own environment. And these are really easy to create kind of dragon dragon drop tasks that become, become playbooks or playbooks are very sophisticated. As you can see, they can, they can be at first linear, then they can split into multiple, multiple sections.
They can have conditional tasks. So, so that when something is something that, that we see happens, then then we go to the left hand side, if not to the right insight and, and, or split three ways or four ways or 10 ways. They're also sometimes fully automated. The yellow sign here shows that these tasks are completely automated, but that's not us can be manual and can wait for a user to, to do something for an analyst to do something we can even send as part of the playbook request for an employee to, to answer a question or to fill a form.
And this will automatically get back to, to the product in order to, to continue the automation. So, so this is the first part of soar.
It's a, as I said before, it's also a collaboration platforms. So here, for example, you can see that you can not only collaborate with other people. You can also collaborate with our bot, which, which does a lot of the actions. And one of the really nice things that we've added in, in the first release, which made us very popular is the ability since, since the SOC is already connected through our product to many, many product, many other products, the SOC analyst can actually run many of the commands directly from here.
So for example, if you need to expire password active directory, you don't have to log into the active directory. It looks for the user for the user screen, then scroll down or find the user that you're looking for, and then find a command to expire. The password here. All you need to do is, is basically run a command within the source solution within, or that says expired password, a user equals then@paloaltonetworks.com and, and that's, it you've you've expired the, the password.
As I said, we have a full fledged case management system, which means also that customers can create their own dashboards for the incident, for the indicators, for everything that they do inside the, inside the product. And as, as with everything in the product, everything is completely customizable. One customers therefore look very different from another customers. And not only that one user within the SOC can see completely different dashboards, then the next analytics based on what they're doing based on what they're looking for.
And, and again, depending on how centralized your, your sock is, you can either force all the analyst to see the same thing and to get the same incidents, according to, for example, the, the critical fee, or you can do a lot more sophisticated stuff such as, for example, allow our machine learning to decide based on, on the analyst that you have at this moment in the SOC, you can allow the system to actually assign to them the, the incidents that they need to work on based for example, on our learning of what they've done in the past and how good they are in solving particular incidents.
So again, lost in lots of richness hearing in, in the product. And I spoke about the threat, the income management. So a full if, if want a full threat intelligence platform within your store, that is intimately connected also with, with your sore, which, which really means that I think for the first time in history, we've made threat intelligence actionable inside of Sox.
And, and, and again, this is something that, that is above a year old in, in our product and the very popular, most new customers by the product already with the, with the incident, with the sorry, the threat intelligence management module, and, and many of our existing customers are also either planning or have already started to use our threat intelligence management inside the, their source solution. Because basically it makes a lot of sense marketplace I spoke about.
So, so this is what it looks like within the product also, if you wish to do so, you can go into the Palo Alto networks website and look for the marketplace, and you can view an online view of what's available in the marketplace. Many hundreds of playbooks, hundreds of more than a thousand techs, I think of, of automation, scripts, screen layouts, and, and use cases, including use cases that we create for the latest issues that that show up.
So, so for example, within I think 24 hours, we had a playbook that does a lot of things that you need to do when solar storm happened. So the, the solar winds hack, we did the same for exchange for the half moon attack.
So we, we create in, in the, in the marketplace immediately paths that allowed customers to immediately respond to major breaches. And we continuously do this all the time in, in, in, in collaboration with other parts of our organization, such as the unit 42, that does the research that allows us to know exactly how to combat these, these hacks. I'm going to, for the sake of time, I'm going to skip this slide.
This slide speaks about some of the use cases that we do and mentioned one last thing before we open this up for questions, we do not stop at, at, at the traditional soar, as you've already seen, we continuously think about how do we make you more efficient? And this is a great example of a, of a feature we added, I think about 18 months ago, give or take, which is a, maybe the history of this we've we've done for the last four years. Give or take we've done for a customer is based on, on data that they given us about their fishing investigations.
We've had a model that was trained and deployed for many of our customers so that they can have a machine inside of their store. That besides automatically whether a suspicious email is malicious or not in this. So very quickly at the same accuracy level as a, as a human analyst.
And, and what we found out also is that if we train the same model for the customer using the customer's own emails and only their own emails, then we get to an even better accuracy. So, so taking months ago, we released a, the module that, that you see here that the customers of X or get for free, which allows them to actually train a model inside their organization, do it the way that the exact thing that they wanted. So they can, for example, decide on three possible verdicts for emails.
One would be, for example, malicious another would be a benign and or legit, and another would be spam. And, and we start learning in within the organization automatically. And pretty soon the customers can actually use the model after it learned for a few, for a few weeks, what's going on inside the organization, it will start predicting on its own, whether an email suspicious email is actually a malicious or not. So these are the kinds of advanced features that we continuously add to, to the product in order to make our customers more efficient.
Finally, slide of, of some of the products that we, that we support. It's, it's a very small fraction of the product that we support. We support today over 650 different products, mostly in the security domain, but also in, in it in general. So messaging ticketing, email and so on, and that's, that's about it. So maybe I'll, I'll pause here. We have 10 more minutes to go, so we can answer a few of your questions.
Well, thank you, Dan. And the Greg content.
So yeah, we do have some questions here. We'll, let's take a look at the first one marketplace sounds like it could be susceptible to a solar wind style attack. How do you protect it and how do you know it already? Hasn't been attacked. Really good question. So I I'll say a few things, first of all, nothing gets to the marketplace before we actually review this. We have engineers, the third train security engineers that, that look at each and every contribution that we receive, nothing gets published before we actually reveal this.
And, and so we definitely hope that that, that nothing slips through, through our systems or through our, our, you know, strict review, this is one thing, the second thing, which is maybe more important to say is that we are, you know, we, our security folks, all, all of the folks that, that actually designed the product, and we made a few, quite a few design design, w w we, we designed the product in, in such a way that, that even if someone found a way to explore, for example, one of the integrations that we have, that the impact on, on, on the entire system will be as minimal as possible.
I'll give you an example, one of many, because these are the sorts of things we do day in and day out. We, we think about, and, and we enter the product, but, but just one example that is unique to us every, each and every integration that we have is completely isolated from the operating system where our server is running. So basically we use a Docker for every integration that isolates the integration from the other integrations and from, and from our server.
So that, again, even if some exploit manages to do some harm to one of the integrations we made, we made sure it's to the extent possible that, that it is completely isolated, same goes with, by the way, for MSSP, John spoke a lot about them as a species. And, and many of our customers are actually MSPs. We have over 80 of the largest MSPs in the world using us in, in the SOC and there too, we made sure that, that the strict there's a strict division between the tenants between the, the customers of, of these MSSP.
So that even if for whatever reason, one customer is customer is breached, there's no way that they can get to the MSSP itself or to another customer, et cetera. So these are definitely things in our design that, that we continuously think about and, and protect our, our product from. And of course there are lots and lots of other security mechanisms to make sure that, that the wrong hand stone good get into
You know, I think that was a really good question. I mean, especially because we've been talking about, you know, the cybersecurity supply chain, so making sure that all the, the tools that companies use are secure and have proper access controls of, and I know the marketplace's a really strong feature and, you know, you have a lot of integrations and so protecting each one of those, you know, with authentic, strong, authentication, and authorization, to be able to place those there and then configuration control on that, that, that makes a lot of sense. That was really good question.
So next question. Do you recommend deploying soar on-prem or use it from the cloud? I'll just start off with, you know, I think the cloud is, is the future, as we'd been saying in the recent past, but, you know, even more so now we see more and more organizations that are undertaking projects with a cloud first strategy, you know, soar will have on-premise components in terms of the overall security architecture.
There may be, you know, you're going to be running tools on printing tools on your end point, but, you know, the console itself, I think, is something that if adequately practice protected, there would be a lot of value in using a cloud hosted service, just because, you know, with any security tool, maintaining a console means you not only have to maintain the application software, but also the underlying operating systems and, you know, the network space, data center space. I think there's, it's easier to consume it as a service from the vendor generally. What are your thoughts, Dan?
Yeah, so my cutter almost the same, but I will say two things. One that I, as the product manager for this product, I took the easy way out, which is a great of the product that, that can be consumed from the cloud as well as on-prem. So didn't want to make, make the decision for all of my customers, but I do prepare for customers to, to actually consume the product as, as a hosted solution that we host.
And for the reasons that you have mentioned, because our experts are really good at making sure that the operating system is patched and, and that the product is continuously updated and upgraded. So it takes a, it takes off a lot of the burden that the customers actually have to deal with when, when they install on prem. But having said that we are familiar with many markets that the choose the choose to be on prem for, for a good reason, certain geographies in the world or work cloud is, is not there yet in, in, in many, many respects.
So, so for these customers, we, we definitely have a solution as well, but yes, the visuals for us and for our customers, we, we prefer to give them the hosted solution that, that we take care, we take care of. And, and, and they can basically use this almost as assess solution to, to solve their, their sock management issues. Great. Next question, who actually creates play in books, can we create our own, do we need coding capabilities?
Let's say, look at the field, many of these products ship with playbooks, you know, a varying number and yes, to most degrees they're customizable, but it really does vary between the products. Dan, can you speak to the power position?
Yeah, absolutely. So I think I, I wouldn't even, I, I would use this question to, to actually answer something else, which is how do you as a customer, if you haven't started your journey of, of soar, how do you, how do you need to prepare?
And so, so first of all, you know, to answer the question, the product itself comes with a marketplace that as I said, has hundreds of playbooks that most customers can simply adopt and maybe change a little creating playbooks. We've, we've made it really, really easy to do no coding whatsoever. It's required all the components of their, or the scripts are there that, that you can even dream up.
So, so you can take the components and basically create your own playbooks really easy to do, but believe important part really what I see customers struggling with is actually understanding what they need to do. It's, it's not actually the authorizing the, the playbook.
It's, it's understanding what is the right work for, for, for my organization to deal with the fishing campaign or to deal with a mower outbreak or to deal with, with a lost laptop, et cetera. And, and this is why I actually recommend to all new customers, to have someone who's dedicated in, in the SOC that understand things are processed, that understands the, the, the organization that can actually create your work flowing in mind or on, on, on a white board.
First, that that is the right way for the, for the particular stock to, to do things. And then from the white board to, to create a later a playbook in inside our product, that's a, that's a very easy transition.
Now, I find that it's, it's harder for the organizations not to create the, the playbook, but to, to actually understand what they need to do. And, and for that, most organizations have this person already in the soft, they just need to realize this and, and they need to, to assign to this person, the, the job of, of being the SOC architect of thinking about the architecture of the workflow and how to design the whole sock to work very efficiently, the rest is easy. So are the top of the hour, but we do have one final question that should be a really quick answer.
And that is what percentage of your customers choose to deploy it on-prem versus cloud. So it used to be up until two years ago, it was, it used to be about 10% on cloud. And I can present on prem. I think we're at 25% now in, in the cloud, but, but we're actually pushing more and more for customers to go on cloud. This is our cloud, right?
So many, many customers of course, deploy on their own, right, or on AWS, on, on GCP, et cetera. So I'm not counting those.
So, so many of the, like other customers who work for us, quote unquote, or on prem don't necessarily install on prem. They might install actually on, on their own cloud or, or on eight cloud.
And, and so the numbers are probably bigger than that. Great.
Well, thanks, Dan. And thanks to everyone who participated good questions, and we did record and we will make the recording and slides available in a couple of days. So thanks again, Dan, and thanks everyone for attending. And this concludes our webinar for today.
