Hello, everyone. Hi, Andre. Welcome to Cyberevolution. It's good to have you here. I'd like to begin the conversation by asking a little bit about your work at Unit 42. What do you do? And maybe you can also tell us what are some of the threats that you see emerging for the next year, in 2025, considering the role of state actors in the geopolitical climate that we see.
Yes. Thanks for having me. So first of all, Unit 42 is a group of consultants in Palo Alto Networks that is serving clients globally. It consists of a large team of threat researchers that are investigating cybercrime, state actors and hacktivists and what they are up to. And it's also represented by consultants that help clients during incident responses. But we also collect our information and our intelligence on different threat actors. Plus, we help clients to prevent these kinds of attacks, giving them early warnings or helping them to put themselves in a position where they can detect and prevent those kinds of attacks. Looking into the evolution of this threat landscape, what we see since last year is basically a trend that consists of three different evolutions. First of all, we see that the level of sophistication of attacks is rising. So from the sophistication level it's pretty much hard to tell the state actor from a cybercrime group, because the cybercrime groups have improved to a big extent, using different kinds of social engineering and technical features. We see that the speed of attacks is increasing. So we talk about hours of dwell time. So between the click and something happening, like encryption, like data exfiltration, it's just a few hours, and two years ago it would have been weeks and months. This is different for state actors, which are usually up to pre-positioning and persistence. So they want to stay in as long as they want and don't want to be seen. But we also see that the scale of attacks is increasing. So with all the publications of different vulnerabilities, threat actors have put themselves into a position where they are capable of identifying hundreds of thousands of exposed devices globally within less than 15 minutes, and they also have the capacity to exploit them to a large extent. So these are trends that we see increasing. We see that the exploitation of vulnerabilities that are internet facing is rising.
And it's more prominent than phishing, which is still an important factor of entrance. But we see that the exploitation of those vulnerabilities has become more than a trend. In regards of developments on the state actor side, coming from 2024, which has been a super election year, so 60% of the global population has had elections during the year, there have been a lot of campaigns and trends. We have seen Chinese threat actors acting in the United States. We have seen a lot of Russian influence. We have seen Chinese actors in Southeast Asia. So there is a lot of activity ongoing. Also influence campaigns in the conflict in Gaza and around Israel. So there is a lot of noise and a lot of activity from these actors.
Based on your experience and all of these threats that you talked about, what are some, let's say, advanced defense strategies that you would recommend for federal agencies, critical infrastructure and private organizations to follow?
Yes. So thank you for the question. There are a lot of technical improvements that we have seen in regards of detection, in regards of leveraging machine learning, in regards of automation, because just based on the trends of the speed that actors are bringing to that game, you need to put more work into automation, into machine learning. So, quote unquote, an “AI technology” that is leveraging and helping and resolving much faster than human beings can. It's also important that information sharing and partnering is prominent. There has been a lot of activity already ongoing in the last years in the industry, and the different agencies are working together. This needs to be put on a broader basis, needs to also be done more, because if you see something happening there, basically having the fast and broad exchange in the community is helping everybody to react to new trends. And investing in the organizational side, because, yes, technology helps to become faster, but in the end, tools need to be operated by people that are sophisticated, that are trained, that know how these things are working, to prevent, identify and detect them.
And as we see the European Union, let's say, pushing for greater technological sovereignty, and then we see a potentially isolationist US power in this increasingly fragmented international system, how can the EU leverage this situation to increase our cyber resilience?
Yeah. So there have been some legal trends, just mentioning NIS2, DORA, the CRA, which are, let's say, a good intention. We need to see that these actually end in the right implementation of processes and technology and don't just become some compliance operation that is taking care of a lot of documents and audits. So it needs to become practice, and best practice, practicing cybersecurity in this regard. I am kind of shy to say that we will have sovereignty when it comes to technology and products in the European Union, because chips are usually manufactured in Taiwan. Most of the software development is done in Israel or in the United States. And we don't actually have a big hyperscaler that is coming from Europe. So that's, I would say, we will rely on the United States, however much we want to have this independence. Because it's basically just choosing between different states or nations to support us on our journey to secure ourselves.
But moving forward, do you think that this has been a sort of wake-up call for the EU to start launching different initiatives to, let's say, not achieve this sovereignty, but maybe gain some independence and more resilience on its own?
Yeah. So I've been a long time in this industry and have been in a lot of conversations and discussions on this topic of sovereignty and waking up. And we had Snowden. We had different attacks from Russia. We have seen different influence operations by the Chinese. It has become a constant conversation for more than ten years now. I have not really seen something that goes beyond some legislative acts. So real big investments, funding, alliances and cooperation, that France and Germany are sitting together and working something out that can work. In the European Union, I have not seen the big reach to the Eastern European countries being involved. We have a lot of sophisticated workforce when it comes to software development. There's a lot of possibility on the production side as well. So I have not seen this leverage. So it has been for the best part of ten years on the conversational level. And it's giving me a hard time to consider that this is going to change in the next 2 or 3 years.
Absolutely. And well, the company you represent, Palo Alto, is an American company that has a strong presence in Europe. Could you maybe tell us a little bit about, in terms of solutions, any technology in particular that comes to your mind that could be relevant for this conversation?
Yes. Of course. So, Palo Alto Networks is driving the concept of platformization. So, coming from best of breed, it's basically going towards platformization, where you have the platform for the business. So we provide basically, coming from our history as being the first company that invented and brought to market the next generation firewall, and have increased our portfolio to cover cloud security in different ways, offering sourcing services and secure access for different locations on a global scale. And we also provide a platform for security operations. So we have, according to the MITRE test, the best XDR product for endpoint security. We have developed XSIAM, which is basically an automated and sophisticated platform for security operations. So if you will, it's kind of a next gen SIEM where we have put a lot of experience into, and also all the machine learning technology that we have included for ten years into a product that is leveraging and helping security operations, bringing it from pure log ingestion and alert evaluation to the next level, which basically, as explained, the timings and sophistication require. Put into that also that we have a workforce shortage when it comes to security analysts, to security operators. So we need to put more technology in place that can cover those gaps that we have there. And also covering this kind of operations on a 24/7 basis.
One of the things that I do at KuppingerCole is research on XSOAR, and I recently published a report where Palo Alto scored quite high in this area. And if I compare this report to the one I did two years ago, I saw most vendors were talking to me about genAI. It was something that they really wanted to share with me. How do you envision the role of the human analyst in the future of SOC operations? Do you think that this technology is something that could potentially transform the human analysts?
Yeah. There are basically two things. When we talk about genAI, this is hugely helping: translating machine logs, IP data, ingested data into something that I can read in a human way, that's kind of the translator function. And also that I can ask questions, that I can have kind of a conversation with the system. So this is kind of the copilot system that a lot of vendors are providing. What makes us kind of unique is something that we have named this year Precision AI, which is basically the topic for all our machine learning technologies that we have invented and built in the last ten years. And this is helping in a way to, to give you kind of a use case: we have kind of a bore-out situation for SOC operators, because imagine one use case, you receive hundreds of phishing mail requests from the different employees. So everybody is getting a phishing mail and is taking it. You need to look into it. You have to evaluate it. You have to generate the rule. And you do this 500 times. This is filling up, let's say, 90% of whatever the SOC operator is doing. And exactly this use case, getting the mail, making the detonation of the content and tagging it as malicious or benign, and setting up a general rule so that you can handle 500 in the background, is something that the machine takes over. So it's taking off the load so the operator can concentrate on the relevant alerts, can concentrate on the relevant incidents. So reducing the time where I have to do a lot of boring repetitive stuff, going right to the meat, taking the analytics and doing the right measures, and becoming much faster and making the job more fun again, so that you concentrate on what you actually want as an analyst, as an operator. You want to dig deep. You want to identify what is happening in the attack. You want to help the company to prevent and mitigate those. But this in the past has not worked out because there was a lot of different stuff.
And if I put more into playbooks, into automation and support of machine learning for tasks and resolution of tasks, this is changing the game. And this is something that we have put, with the experience of different clients of ours and our own SOC operation, into the XSIAM platform. And this is a game changer from our point of view.
What I can get from this conversation is that we see that cyber threats are moving fast. We see, let's say, a delicate geopolitical climate, but we also have new technological developments that are attempting to address some of these challenges. And companies like Palo Alto are doing this. Maybe my last question would be, moving forward into 2025, is there anything you would like to share with the audience, anything to keep in mind for next year?
Yeah. So next year is kind of the compelling event for a lot of organizations in Europe when it comes to critical infrastructure, in NIS2 implementation. We will see what happens in Germany due to the break of the coalition. So we'll just move into the future. And how will this become effective? So this is a big milestone for a lot of our clients. The other thing is DORA, which is basically for the financial sector, also the regulation in regards of taking measures to put more resilience into the cyber landscape. So this is just to cover a lot. But we see a lot of political events moving forward. And this always comes also with kind of a hybrid scenario. So we see a lot of pre-positioning. We see a lot of influence operations that are growing over the different regions. So there will be more, or there will be higher trends from Russia for sure, when it comes to the effectiveness of NATO, when it comes to investment, when it comes to forming a new government in Germany in the next year; the same might be for France, the government currently breaks there also. So there will be a lot of things that put noise into cyber space. There will be an acceleration of data. And we need to prepare ourselves for this, and looking forward we see stricter conflict in China and also in Israel, looking at our supply chains. There needs to be awareness and there needs to be preparedness. And there needs to be a good investment in security to put more resilience into our business, into the industry, into the state and the operations.
Exciting times...
It is.
We're no longer living in this end of history of the 1990s; things are moving fast and changing. Well, that's all for today. Andre, thank you so much for your time and for sharing all these insights. And for the audience, just make sure to check out KuppingerCole, our website, or head out to Palo Alto, and we cover many of these topics that were discussed today. So thank you so much.
It's been a pleasure. Thanks a lot.