Hello, welcome to the webinar, The Evolution of SOAR, Trends, Leaders, and the Path Forward. My name is Alejandro Leal, I'm a Senior Analyst at KuppingerCole. And today with me, I have Jane Goh, she's a Principal Lead and Product Marketing at Palo Alto.
Hi, Jane, how are you? Hello, nice to be here. Thanks. Jane is joining us from the West Coast, it's very early for her. So thank you so much for being with us today. Before I start, I'd like to say that I'm a bit sick today, I tested for COVID. So if I sound a little bit rusty, just be patient with me. And without further ado, let's start the webinar. All of you are muted centrally. So there's no need to mute or unmute yourself. Here's just some information before we proceed with the topic. During the presentation, we'll be conducting a few poll questions.
So I encourage you all to participate on those. And at the end of the session, for the last 20 minutes, we'll be having Q&A. So you can enter any question at any time using the Livestream control panel.
And yes, we will be recording the webinar. So the recording and the presentation slide decks will be available for download in the next few days. So here's the agenda for today. From my side, first, I'll provide a brief introduction of SOAR. Then I will go on and talk about some of the trends and innovations that I see in the market. Then I will talk a little bit about the evaluation criteria that we used at KuppingerCole to create our latest report on SOAR that was published late last year. And then at the end, we'll be showing the results of that report. So here is the first question.
What are your primary goals when considering the implementation of a SOAR solution? A, reducing response times.
B, streamlining alert management and reducing false positives. Improving coordination among different tools. Or enhancing security. I will give you guys about 10 seconds and then we'll proceed. So here's the quote of today. SOAR platforms stand at the forefront of security operations, delivering advanced automation and orchestration capabilities that improve the efficiency and effectiveness of SOC teams.
Of course, we'll go more into detail, but I think first it's important to explore a little bit the origins of SOAR. So as we know, first came SIEMs, which primarily focused on log collection to support different use cases such as compliance, data storage, and analysis. And back in the days, many vendors were sort of saying that SIEMs were sort of like the ultimate solution for security that organizations needed to implement. But as threats became more sophisticated, traditional SIEMs became a bit outdated.
And that's when SOAR comes in, because SOAR solutions incorporate other features such as orchestration, automation, and response capabilities that SIEMs do not have. So SOAR solutions can be extremely valuable if they're used in conjunction with SIEMs. You can kind of understand this as an assistant to SIEMs.
And today, over the past few years, and I'm sure Jane is going to talk more about this, we see the trend of XDR solutions coming into the market. And back then, some vendors were saying that XDR solutions would replace SIEMs and SOARs. But in reality, it's not, let's say, a substitute for either because, you're right, XDR, among other things, focuses a lot on threat detection, but there are some use cases that both SOAR and SIEM address that XDR solutions cannot do.
So generally, you could say that incorporating these three solutions could provide a lot of benefits for many organizations, depending on your needs, of course. So in a way, that's the evolution of SIEMs to present day. So what's the definition of SOAR? SOAR stands for security, orchestration, automation, and response. If we look at the two main areas to determine how an organization should address security, one needs to look at the mean time to detect, MTTD, and the mean time to respond, MTTR.
On average, based on recent studies and research, it takes around six months for an organization to detect a security incident, and it takes around two months, on average, to respond to such incident. And the cost of an incident or a data breach is around $4 to $9 million. So some analysts say that XDR solutions are great for the detection part, and then SOAR comes in and addresses very well the response part.
But also, maybe you can understand this in a different way, and I will talk about it later on. You can use automation to detect a security incident, and then the human analyst can be extremely good at responding to such incidents, because with automation, now the SOC analyst can spend more time thinking more strategically, can think more about threat hunting, and more sophisticated tasks that otherwise an analyst wouldn't be able to perform if it wasn't for SOAR solutions.
So if we look at how organizations deal with security, I think it's important that from the very beginning, the mindset is important. So one needs to take for granted that one will get attacked. It's important to know that. It's not a matter of how, but when, and the goal should be to create a strategy in order to come up with a solution on how to respond to such attacks. And I think that will make it easier for organizations in any industry to be better prepared for the threats that we see in the market today. So what challenges do SOC teams face?
Well, there's many of them, but here I have a list of a few that I believe are important. The volume of alerts, so the number of false positives, analysts can be overwhelmed by such a high number of alerts, and that can lead to alert fatigue and can impact the productivity of the analysts. Also we see the complexity of threats. Things are becoming more complicated, not only if we look at the geopolitical landscape, but we see many cyber criminals engaging in different sort of threats. We're using commercially available tools, such as generative AI, to launch more sophisticated attacks.
The speed of response, as I mentioned earlier, when it comes to the mean time to detect and the mean time to respond, those two things are crucial when it comes to dealing with these issues. And the integration of tools. So cybersecurity, as we know, can be a bit complex. There are many tools addressing different areas of cybersecurity. So having the ability to integrate all of these tools to create a more streamlined way and automation workflows, et cetera, that can be extremely beneficial for SOC teams. And compliance, that's something that is constantly changing and evolving.
So it's important for SOC teams to be up to date and to know how regulations are changing depending on the geographical region that they are dealing with. So a new approach is needed. I think we've known this for a long time, but since things are changing fast, it's important to always be up to date and to think about what things need to change, what things we need to work on. And if I look, for example, at the report on SOAR that I published last year, which I will go more into detail later, I see that there's more need for SOAR solutions in different regions.
So one region that stood out in the report was North Africa and the Middle East, because if we pay attention to what many of these governments are doing over the past few months, they've been launching initiatives on digital transformation in the public sector. And that, as a consequence, has the effect of bringing private actors into the country to understand how these initiatives are going to be working across the country, across different organizations, industries, use cases, you name it. So there is growth for these solutions in these regions.
And of course, the adoption is mostly in the U.S. and in Europe, but as I said, it's increasing in other regions as well. So many people talk about how AI and automation will... Some people say they will take over the human analyst, the role of the human analyst, but in reality, it's going to be more of a complement, it's going to be more of a tool for the analyst to work better, to focus on different tasks that are not routine and that are more sophisticated. So as I said here in this slide, there's the need for a shift to human-machine collaboration.
And many SOC teams, they do not have the time or the budget, let's say, to deal with these issues. So yes, a new approach is needed, and I'm sure that Jane will talk more about what the market is responding and the market is delivering. So here's an analysis of where SOAR excels and where it has challenges. So one of the strengths is the automation of repetitive tasks, orchestration, the consolidation of workflows, collaboration, the decreased mean time to detect and mean time to respond. But there are some challenges. So many organizations don't know how to begin.
They believe that it's very complex to implement, and I'm sure, again, that Jane will talk more about it in her presentation. There's also scalability challenges and initial setup costs that intimidate some organizations. But I think the opportunities outweigh the challenges. We see growth of MSSPs. We see vendor services and third-party development of additional integrations. And we know that the threats are just becoming more and more complex as we speak. So now I have the second poll question here.
So what metrics or KPIs do you consider most critical to measure the effectiveness of your security operations? Mean time to detect and mean time to respond, the number of incidents handled per analyst, the accuracy of threat detection and false positive rate, or compliance with industry standards and regulations? I will give you a few seconds, and then we'll move on. Okay. I'm aware of the time, so I'm going to try to go a little bit faster. So based on our research, we predict that the compound annual growth rate of the SOAR market is around 14.9, 15 percent.
It's a well-established market, but it continues to experience growth, driven by the complexity of threats and the need for more efficient security operations, as well as the digital transformation of many countries and organizations. Customers in the SOAR market, they tend to be, in general, mid-sized businesses, enterprises and government agencies, but any organization of any size can adopt a SOAR solution. SMBs and some enterprises are, some of them, outsourcing IT functions, so that's why we see the growth of MSSPs. And as I've said before, the market is valid globally.
The greatest uptick is in North America and Europe, but we see the expansion of SOAR solutions in other regions. So what are some of the trends that we see?
Well, it's not surprising to see that many people are talking about generative AI. But based on my research, I encountered some vendors that were a bit more cautious when it came to integrating generative AI solutions. Some of them are coming up with their own proprietary tools. Some of them are integrating it with open AI. But I think what's important is that many vendors remain cautious because they want to see how the market evolves, and they want to meet the expectations of their customers.
So instead of having a lot of marketing around gen AI, they wanted to talk to their customers, see how things change, how things evolve, and then come up with some tool that could meet those expectations. But there are things to consider, right? There's a risk that AI models may develop biases based on the data they are trained on, which can lead to inaccurate or unfair outcomes. So the use of LLMs must be accompanied by quality control on the part of the vendor to ensure that information provided is going to be useful and accurate to the end user.
And as I briefly mentioned earlier, back then it used to take a long time to understand what happened when an incident occurred. But time is of the essence when these things happen. Organizations need to be prepared. They need to have a strategy. They need to have an idea of what to do when the incident occurs. So thankfully automation can do that and make it much more easier. So what are some of the positive things, let's say, of gen AI? It can help with the creation of playbooks. It can create reports. It can also, of course, automate responses.
There are also some negative aspects, such as the lack of transparency on the part of the vendor, the dependency on data, and the potential for adversarial attacks. So as we see in the quote below, the models are trained with data, therefore the algorithms depend on new inputs to generate new content. And moving on, we'll go to the report. But before that, the last poll question. So how many of you currently use automation in your security operations? Just give you a few seconds and then we'll be moving on. Okay. So just briefly, I will explain to you how we create these reports.
So we gather first a list of vendors per topic, and then we reach out to them asking them if they would like to participate. If they agree, then we send them a technical questionnaire with hundreds of questions. And we also schedule a briefing with them so they can talk to us about the product and they show us a demo. And then based on the questionnaire and the demo, we evaluate information and then we create a chapter, so a draft, analyzing the product and highlighting some of the strengths and challenges of each product.
Then we send that back to the vendor for fact check, and then we publish the report. It usually takes, depends on the topic, depends on how many vendors participate, but around three to four months from beginning to end. Then we have different categories of leadership. So we have product leadership, which is mostly focusing on the functionality of the product vision. We look at the market. So the number of customers and the geographic distribution, how many partners and ecosystem. Then we look at innovation. So are there any features that stand out that some of the competition doesn't do?
And then based on all of these three categories, then we have the overall leadership. So in the next slide, I will show the required capabilities that we require some of these vendors to have. Since I'm running a little bit out of time, I'm just going to skip this. And then we have in each chapter, we also have a spider graph where we, I guess, assess each vendor's product based on these criteria. So how much API support they have, how they do responses, automation, compliance, et cetera. And in the next slide, I will show the results for the 2024 SOAR report. This is the overall leadership.
And as we see, Palo Alto Networks takes a lead in the report, followed by Fortinet, ServiceNow, Splunk, and Swimlane. Then we see other vendors that are perhaps a bit smaller in size and they focus on unique regions and use cases. But I'd say that the market is competitive. Many of these vendors are very passionate about what they're doing. They're all coming up with new solutions and new capabilities. So as I said earlier, the market keeps evolving and it's changing. We have also related research on this. We have webinars. We have other types of reports and blog posts as well.
And just a reminder for all of you, if you're interested in attending our events, we'll be having our European Identity and Cloud Conference in May of this year in Berlin. And if you're interested in our membership, just feel free to reach out to us and visit our website for more information. And here's more information on our services. But I think it's time for Jane to step in. So thank you so much and I'll see you soon.
Thank you, Alejandro. So my name is Jane Goh and I am the lead product marketing manager here at Palo Alto Networks for the Cortex security automation, primarily Cortex XSOAR, but our automation capabilities are also available in our other products, primarily in Cortex XSIAM, which is the uber platform, if you will, that's AI driven. And as Alejandro had alluded to, it combines now XDR capabilities, right? SIEM capabilities, SOAR capabilities, tech service management, and even SIEM.
So it is, if you will, the next generation of SIEM, but without further ado, we obviously have all of these different capabilities available as standalone offerings as well. So I won't belabor the point, but some of these are the challenges, as Alejandro had told you earlier, the challenges that we see with our customers, when we speak to them, thousands of our customers, it is probably what you're facing as well today, lots and lots of alerts, things are manual, it takes a long time to resolve incidents, they have a small team, right?
So automation is seen as an assistant, if you will, right? It's not necessarily, well, we're not going to replace humans, right, but automation can serve as a very helpful tool to help you eliminate some of the very manual and repetitive tasks that your analysts have to do now and shouldn't be doing, they're very highly skilled professionals. They should be focused on proactive threat hunting, building better control, security control postures in your organization, and just doing, like I said, more of the complex tasks and complex incidents and threat hunting activities.
So these are some of the places, and I won't belabor this, as Alejandro has also mentioned this, obviously, what automation can do is help you reduce the number of alerts that your team has to actually humanly touch, speed, right, incident investigation, so reduce MTTD, MTTR, I mentioned automate tasks, manage and act on threat intel, I'll talk a little bit about how you would be, you should be incorporating your threat intelligence into your incident response process and automating that as well, and then orchestrating response across all of your security tools.
This is just a marketer, if you will, of like what Cortex XSOAR, the platform, the key components of the platform, if you will, and I just want to also mention that we have been a great partner with KuppingerCole as they've done assessment of our product and our offering for all the years that they have published their wonderful report, and that we have consistently placed as a leader in all of these assessments.
So you can see the four main components that you should be looking at when you're looking, considering a SOAR solution, obviously, automation, right, the automation, the playbooks that automate your use cases and your workflows, but you should also look at a platform that offers you real-time collaboration, the investigation component, so your analysts still have to come in, you may not want to automate, you know, a workflow end-to-end, there may be a decision process or there might be more investigation that needs to happen before you actually perform any kind of remediation actions, so you want to have that ability in the same platform to be able to chat with each other, to assign incidents, to investigate incidents, and that's where the case management, obviously, collaboration, be able to chat, like I said, with each other across teams and so forth, and then integrate threat intel feeds, right, as well.
And we have a marketplace for all of the automations that we build out of the box, we have a very robust community, we have been in the market and have been a leader in the SOAR market for many years now, so we have a very, very rich community of technology partners, integrations out of the box, you know, as well as customers who have contributed to this marketplace with all the different use cases for how you can automate tasks and workflows in your SOC. And you can see here, we integrate across the board with all the different types of security tools that you would use in your SOC.
Now let's go in a little bit, I'll show you a little bit of some screenshots of the UI. The automation piece, right, as you can see here, it's just a screenshot of an out of the box playbook. We have 1000s of these pre-built integrations and automation packs. What does that mean, really? That means that you saved a lot of time in deployment stage, you don't have to figure out how to configure an integration, an API integration with an existing tool, we probably have it out of the box.
And also, you know, you can easily clone these kind of what we call best practices, if you will, automated workflows and make it your own. And there's a visual editor that allows you to build them from scratch or to leverage a lot of the automation scripts and tasks or an existing workflow that you can start from and just modify it to suit your needs, simplify it, make it more, you know, your own. And the real time collaboration, so every incident comes with a virtual room in Cortex XSOAR.
So this is the room where your analysts will go in and all the information that they need is at their fingertips to be able to resolve that case or that incident. I talked about the chat ops, there's a command line interface, so they can basically execute or perform any kind of command that is exposed through the API integration. And it kind of augments what the playbook already does, you know, if they want to do anything on the fly. Every action that a human or a playbook or an automation performs on an incident is automatically documented. Why?
Well, it's really useful for post investigation roll up reports, you don't have to go in and find out what happened and collect all the data from different teams, anyone who's worked on the incident and done any kind of action on it, it's automatically documented. Obviously, for auditing and compliance reporting, that's very helpful as well.
But also, you know, for knowledge sharing. So we have customers that actually have demo tenants that kind of mirror their production tenants. And they use that to train incoming and junior analysts. So they actually put the analyst, junior analysts in training in the demo environment, and they work through these incidents, or they shadow a more senior analyst. And they don't put them into production until they, they show that they are capable or they are able to effectively, you know, perform their job that's required within that team.
And obviously, because everything is auto documented, everything is easily tracked. So it can be a great training tool as well.
Obviously, we have machine learning built in. So as the system learns about the actions that you use and what you do, it will start recommending either analysts to assign some tasks to, who might be the expert in that particular type of incident, or actions that you potentially want to take. The threat intel piece is the threat intel management module that we have. It's fully integrated into XSOAR. So I'm sure all of you who are in incident response also do subscribe to free as well as maybe some paid, you know, incident threat, I'm sorry, threat intel feeds, right?
VirusTotal is an example, Feodo is a free one. We basically allow you to integrate these automatically into, so we have over 200 out of the box threat intel feed integrations, right, all the main ones. And what that means is you can actually automatically map any external threats. So all the indicators that are coming in, if we see them in the incidents that are coming into your network, it will be automatically mapped.
And then your your analysts will see this in the window and they can easily click on that link, let's say to VirusTotal and find out more context about what this threat actor is all about. The other thing that's really useful for automation here in this context is you can also have workflows that automatically push indicators, critical indicators, right, that come in that you want to update your EDLs, your firewall EDLs, right, the allow and deny lists. Some of it can be also allow lists.
So we do have threat, not necessarily threat feeds, but feeds, right, from Microsoft and some of these SaaS services where you don't actually, or Zoom feeds where you don't actually want to lock out inadvertently any kind of IPs, right, that your employees in your organization use. So data enrichment as an automation use case is kind of a basic use case that all of our customers and users of XSOAR obviously take advantage of.
So like I mentioned, we have thousands of these integrations over time, we have been in the industry, and we have been a leader in the SOAR industry for a long time now. And these come from, obviously, requests, right, directly from all of our customers. We also build them proactively as well. We have hundreds of researchers that are in the, that are, you know, looking in the space. So they explore different new vendors and new technologies that come on the market, and they'll proactively research and build these best practices, automation packs, and integrations for our community.
Okay, these packs basically are available as a single click. So it can be basically just an integration, multiple playbooks, one playbook. There's also important thing is we also a lot of times provide a customized incident layout window. Why? Because different types of incidents, you look at different data, right? Phishing data, your analyst is looking at different things than, you know, potential suspicious login, right, incident. So we basically customize these fields for you out of the box.
So you have these fields preset, obviously, you can customize them yourself from scratch if you want to do so as well. So that's just a snapshot of the thousands of integrations that we have. We do have this available on the web, if you're interested, you don't have to download and commit to, you know, our product, you can just go in and everything is pretty open for everyone in terms of the types of integrations that we, you know, provide out of the box.
As you can see, it's not just security tools, obviously, it's messaging tools, it is also ticketing tools, pretty much any tool that your SOC would, you know, use, all your security operations team, incident responders would encounter and would, you know, potentially use in a workflow. What kind of use cases do we offer?
Obviously, the common ones that most of our users use are phishing, right? Phishing is the poster child for still very, very prevalent, but it's about 10 or 12 steps, right, in resolving a phishing incident. And a lot of these steps are repetitive. And I am sorry, hang on a second.
Okay, can you guys still see my screen? Okay. Alejandro? Okay. All right. Hold on a second. Let me just go through that. Yes. So then the next level though, then you have malware breach, right, investigation, data enrichment is a basic use case. The next level obviously is you want to incorporate cloud security, vulnerability management. And then as you go, as you get more, I guess what you call a little bit more mature in your operations or automation operations, as some of our customers have done, you're thinking about literally transformation, digital transformation.
So you can go out of the SOC and automate all kinds of different workflows, right? Can be in network security, you know, be it like upgrading the operating versions, can be upgrading that, it can be also compliance, you know, use cases, fraud use cases. If you're in FSI, it could be employee onboarding and offboarding. Needless to say, we use and leverage our own products. So our HR department leverages XSOAR on the backend to onboard, offboard employees. And they have links into like 80 or so HR applications as well. So deployment options, we offer a cloud native version as well as an on-prem.
So depending on your needs, we obviously have customers that either have to be air gapped for compliance reasons that need or security posture reasons need an on-prem. So we support that. We also have the cloud native, which obviously has a lot of the benefits, right? You don't have to worry about maintenance or infrastructure, high availability. And we obviously have FedRAMP, which is an American, you know, government requirement for those of you who are here from the U.S. And then SOC 2 compliance as well. This is obviously a host in multiple locations worldwide.
Please, next. I just want to go talk about some of the use cases, customer case studies, because I think that's kind of interesting for you to understand how our customers are using automation to really drive efficiencies. This is a French manufacturer of automotive parts, and they have a global presence. They're in 30 countries, 250 industrial sites. They have over 1,000 employees.
Next, please. So they were basically getting a lot of alerts. Just one solution, detection tool was generating about 20,000 alerts. But with XSOAR and automation, they were able to reduce it down to 200 alerts that were handled manually. So that is a 99% reduction in manual workload, right? And it gave them an immediate return on investment. They actually have a pretty small team. You'd be surprised at how small some of these SOC teams are that we have.
Palo Alto, you think, well, the security company, how many people do we have? Well, under 20 that are managing our SOC, and they get a billion incidents a day between obviously being attacked and also just supporting a whole network worldwide. But they automate the heck out of the operations. So anyways, so they have six people managing 80,000 alerts. So this is a 70% increase in team productivity. So these are real numbers. It's not just talking out of the box here. These are what we've seen talking to our own users.
Next, please. This is a financial services customer in Argentina, a bank. They have 350 offices, 5,000 employees, 3 million customers.
Now, obviously, if you're in FSI, you know that these are one of the key entities that really do get a lot of hits, right? Next, please.
So again, here is basically speed, right? They're able to implement and manage the alerts automatically, so that they took it down from several minutes to being able to manage and resolve and close in seconds. So obviously, a lot of automation is involved in the back end. But some of the use cases that they've done to automate are IOCs, data enrichment, right?
Phishing, DLP, privilege escalation, right? So these are just some of the workflows that they have been able to automate.
Next, please. This one is a smaller company. I just want to show you its size really doesn't matter when it comes to automation. It depends on how much volume you're getting. This is a gaming company. They have 5,000 employees. But they have very, very active data going through the network, 34 million active users. And they have to process 9 terabytes of data on a daily basis.
Next, please. So they leverage automation to be able to reduce the MTTR from an average of three and a half hours, right, to completely resolve an incident, to 45 minutes.
So this, again, was able to help them reduce their user complaints, improve customer satisfaction. And customers can be internal users as well, from 200 to less than 10 in terms of their complaints that they've been getting.
Okay, next, please. So for those of you who are from the US, coming back here, state of North Dakota. So we have, like I said, all kinds of verticals. They manage basically the security infrastructure for the whole state down to the local state government offices. So they were looking and they actually have been with us for quite a while. So they're pretty sophisticated in their automation operations. They have hundreds of playbooks running in the back end, which is why you kind of see this type of returns, right? So 99.6% decrease in open alerts from 16,000. And they use Cortex XDR.
You see that they use a lot of Palo Alto products. 60% of the total incidents are resolved automatically with Cortex XSOAR. And it is minutes to find a true positive. And this is using our research team help as well.
Next, next, please. Colgate-Palmolive is a global company. So consolidation of tools is another thing as well.
So, you know, everything can be ingested into the XSOAR platform, all of the alerts. So not just, you know, your traditional alerts, your network security alerts, your cloud alerts, right?
IAM, SASE, whatever you want to ingest that you are having to deal with. So it's all in one place. So they're able to consolidate multiple tools under one console with Cortex XSOAR. They're primarily a firewall customer, but they use the automation piece to automate their processes.
Obviously, we integrate very deeply with all of our Palo Alto products. So if you use other Palo Alto products, there's definitely an out-of-box integration for you. There.
Next one, please. I'm going to go quickly. Asante is a health organization. Like I said, 99% of incidents are handled without manual intervention. They cover all the health services for Oregon and California. They use XDR and XSOAR in the Cortex portfolio. The important thing here, I actually went there and interviewed and talked to the CISO. And these are the things he told me: that with automation, they've been able to save 20 hours of manual work per analyst. So now it's not that they got rid of any analysts. Now the analysts are a lot happier, have more work-life balance.
And also now can focus on the threat detection. They have a threat model investigation team and so forth. So being able to do that is really great. We had another customer that was a very small team. They didn't have any people to deal with managing their threat feeds. So they use virtual automation to tee up a threat intelligence management program.
Go ahead, please. Next. Let me know if I'm running out of time as well, please. So these are just some assets. So this one is from SANS. SANS actually did kick the tires, if you will, of Cortex XSOAR. And here's just a, if you want, you can take a screenshot or you can look at this later, but you can check out an independent review of our product.
Next one, please. KuppingerCole, of course, the report, if you want to read that in detail. We also have it available on our website.
Next one, please. And then there's a virtual tour. So you don't have to download anything. Don't have to, you know, don't have to sign up, just go to our website and you can see how XSOAR is used in a scenario of a zero-day breach being detected. And then you can see all the different steps of how an analyst would potentially be using XSOAR to resolve the incident.
Next, please. This is obviously, if you're more interested in talking to a human, and we welcome you to, you know, call, fill in a form and request a demo. We'd be happy to kind of walk you through that in more detail and to talk to you about your particular needs. I think we're at the end of this, so. All right. I am pretty much done. I know it was a bit of a whirlwind, but I wanted to save some time for our next speaker. But I wanted to save some time for questions at the end. So back to you, Alejandro.
Thank you, Jane. That was a really good presentation, especially with the use cases and the examples that you provide, because these are real world examples. So it's always good to present these. We have some questions, but maybe just briefly, I'll just go over the poll results. So the first poll question asked, what are your primary goals when considering the implementation of a SOAR solution? And the number one result was to enhance overall security, followed by the reduction of time to security incidents and improving coordination among security tools. So I guess no surprises there.
It's all about security. The second one was, how many of you currently use automation in your security operations? And most people answered that they are in the process of implementing automation. Are you surprised by that result, Jane? No. A few years back, we had to explain what SOAR meant. Now there is no need. I think it's a given. I think the barrier to entry is how to do it, right? Like you were talking, Alejandro, earlier. Yeah. Yeah. And the last question is, what metrics or KPIs do you consider most critical to measure the effectiveness of your security operations?
And as we said in both of our presentations, it's the mean time to detect and mean time to response. So now let's go and check the questions. We have a few questions on the chat. One of them is asking, and I think this is for you, Jane, what are some emerging trends in SOAR that Palo Alto Networks is excited about?
Yes, obviously AI, right? Agentic AI coming on here. And we are exploring ways to leverage that to really kind of simplify and make it easier for our users to be able to either build automations, but also communicate, interact with the automation. So there'll be exciting things coming out in the roadmap that you guys will probably hear about if you keep up with what we are doing here at Palo Alto Networks in this coming year. We recognize that sometimes it can be pretty hard to, you know, with the resources you have, right, to tee up automation projects.
So we're also looking to simplify and make it easier also within our interface for people to be able to either do their jobs or build the automations that they need to build. And I just want to note, too, that we have partnered with a lot of MSSPs. So we are also very, very involved in that space. So if you don't have resources, there are lots of MSSPs that you might want to consider that do offer this service. Do you think that automation and the use of AI will be what will determine whether a SOAR vendor will succeed in the coming years? Do you think it's like an important element?
I think it is. Why?
Because, well, the other side, right, is leveraging AI. The hackers and all that are leveraging AI and the agents that potentially anyone can build at some point. Not right now, obviously. I know most of it is just marketing speak, as we all know, but I think that technology is coming. The other thing, too, your company is also leveraging AI for the business, right? Everyone's looking at, you know, how do you include AI to make things, you know, better, customer service and so forth and internally as well. We obviously leverage AI internally at Palo Alto for our own employees, right?
AI can be like LLMs, right? Like natural language searching of assets, of tools, of answering questions and all that, or even just eliminating kind of internal tech support, right, or other things. So as your business and organization is leveraging this, obviously, there's more risk that is going to be exposed. So you definitely want also to be able to protect against them. So not just, obviously, AI-driven automation, but AI-driven, obviously, security tools.
And I think it behooves a SOC team or SOC teams to keep pace, right, with what's going on within your organization, but obviously, what the attackers are doing, are building, right? So I think the only way to keep up is to leverage the same tools and technology to your advantage. Yes. The next question is, many organizations treat cybersecurity as a technical issue rather than a business risk. What's the best way to shift cybersecurity discussions from IT teams to the boardroom?
If I can say something about it first, I think that something that we at KuppingerCole say over and over and over again is that it's important to emphasize that cybersecurity is also about the health of the business. It's about, in a way, profit. And something that we mention often is that many people, or I guess it's a stereotype, but in technical teams, people tend to maybe not be very good at communication.
So I think that having a clear message from the part of the vendor when introducing a cybersecurity tool is going to help the IT team from your customer, from an organization, to clearly communicate the opportunities that a solution can bring to the organization in terms of profit to the people making the business decisions on top. So I think that the messaging needs to be very clear. I would like to hear your thoughts on that.
So, yeah. So I think we work with a lot of our users. And I'm not just talking extra customers, right? But Palo Alto customers, we do work with them and the CISOs to help them present the value and the benefit, right? That the cost, it's a cost center in a way, right? So I think having the ability to, like Alejandro was saying, be able to present to the executive level, but also having solid metrics and data on how you are improving productivity and securing the employees as well, right, against attacks.
And the company, you know, in terms of breaches, it's pretty catastrophic, right, if something does happen to, you know, to your company. So I think it's a necessity, but it's also, you know, it's important. Our own SOC team does a lot of internal promotion as well. Of how they are providing value in terms of how fast they're resolving incidents, also like how they're leveraging the set automation to increase productivity. Yes.
Yeah, that makes sense. Another question, for organizations considering SOAR, what key factors should they evaluate before implementation? Want me to go in?
Yeah, go ahead. Okay, take that one.
Okay, so I would say look and see, you know, try out if you can, get a demo, take a look at the comparison of what the solution allows you to do. Again, make sure that it's a solution that will grow with you, right? Make sure that it's scalable. You can start small. There's really no need to boil the ocean. Sometimes one or two quick wins, and we've seen that with our own users and customers, get the couple of wins.
That way, it's a change management process within your organization, right? To convince both the teams to use it, just focus on a few use cases that you can kind of have some quick wins on, and then build from there. And one of the things that you do want to consider down the road is once you've had a couple of good wins, and you have like maybe three or four automation use cases done, you might want to think about resourcing at some point. There is going to be some champion on your team, probably somebody who is very interested in this space.
I would, you know, have them focus and be dedicated in really looking at where you want to automate, right? You want to maybe reach out to other teams as well, and see if you can shadow their processes and see if you can help them with the automation, you know, as well. Yeah. Absolutely. That's the criteria. Scalability can grow with you. It has all the functionality that, you know, I mentioned earlier, right? Not just automation, but integrated case management, threat intel, intelligence feeds, and so forth. Yeah.
Yes, yes. As you said, scalability.
Also, maybe they should look at integration capabilities, customization, and also into to the analyst to understand what they need, what are their preferences. The user experience, the communication with the team is important. Yes. User experience is a very important one, I think, to get buy-in and also to get people to keep using it, because you're actually asking people to change their actual work practices and habits. Yeah. And perhaps the last question before we wrap it up. What would you say are the most common misconceptions about SOAR, and how would you address them? Yes.
I think the misconception is that it is completely, like, you know, easy. Well, I shouldn't say easy. I think we are all working as vendors to make it as easy as possible. Like I said, one of the important things that AI can bring to the table is to facilitate that process, right? To be able to just allow you to use natural language, right? To be able to say, hey, I need to build, I need to automate X, Y, Z, and have the system be able to recommend to you. So obviously, we're working on those areas as well.
So I think in terms of, like, the barriers to entry, just be aware that some of the things that it does take a while, right? I think the automation piece is probably the shortest thing in your project lifecycle, to be honest. You need to make sure that you talk to your teams and map out what are the use cases that would be important, right?
Obviously, you have to make sure that you have access to the systems. Sometimes that takes a while to get access to the system if your team doesn't have. So these are some of the barriers and the misconceptions that it's just all automation only. But it's a whole process that you have to consider, right? So I think, you know, this is where a vendor that partners with you to kind of go through these different stages is pretty critical.
And obviously, we have customer success teams that will lead you through to kind of map out what are the most important critical use cases and then work with your teams to kind of get them up to speed. Yeah. All right. Yep. Okay. On that positive note, I think we can end it here. Thank you so much, Jane, for joining us today. I think it was a very nice discussion. And if you have any questions, feel free to reach out to Jane directly. Or if you have any questions for KuppingerCole, just reach out to us. And thank you so much for your time.
Thank you, Jane. Yes.
Thank you, everyone, for your time. Thank you. Bye-bye.