Multiplying Force with Automation — Reducing the Soul Crushing Work

Aug 08, 2023
4 minutes
... views

In our fourth episode of "This Is How We Do It," Peter Havens from Cortex product marketing, and Kyle Kennedy, Palo Alto Networks senior staff security engineer, sit down and take a deep dive into how we use automation. They discuss the critical role automation plays in our security operations.

Kyle, who leads the automation program within our engineering team, recalls the pre-automation era challenges that bogged down SOC analysts, including a deluge of low-fidelity alerts lacking in context. That absence of context in alerts often led to arduous, manual tasks and alert fatigue, which he refers to as "soul crushing work." Thankfully, automation has emerged as a much-welcomed solution, streamlining incident remediation and delivering tailored insights: "We would meticulously craft these alerts, yet they lacked crucial context," he states.

The core of their dialogue focuses on the transformative value of automation, including the “why” and “how” Palo Alto Networks uses automation. It's not about replacing human intellect, but instead enhancing analysts' capabilities and improving data quality. "We take action on relevant findings. Even if we identify something that isn't directly relevant to our security posture, we take action" Kyle explains.

By enriching data and expanding data points, automation empowers analysts to make swift, informed decisions accelerating incident resolution while circumventing redundant tasks. As Peter states, “We're trying to reduce the monotony, and really make the work more engaging and have them applying their skills to what really matters.”

The discussion delves a little more into the "soul crushing work," a term familiar to analysts grappling with manual investigations and seemingly endless alert triage. Automation, Kyle emphasizes, alleviates this by bypassing repetitive, low-level tasks: "Even if it's not a true-positive security incident, we often still uncover noncompliance or suboptimal configurations." This adaptability highlights automation's prowess and promise.

Kyle reveals the mechanics of automation implementation, outlining an automation and bug reporting pipeline – interconnected components that epitomize the Palo Alto Networks holistic approach, culminated and realized in Cortex XSIAM, our autonomous security platform. Using both XSIAM and Cortex XSOAR playbooks enables Kyle and his team to proactively identify and address gaps by harnessing the power of XSIAM's data capabilities. Automating the alerting and resolution of these gaps safeguards the seamless operation of the SOC, ensuring analysts only work alerts that require human intervention.

Kyle notes that the transition from independent playbooks to modularized workflows signifies a transition from playbooks that heavily leverage code, to a nearly no-code automation framework. Where independent playbooks performed unique tasks in a highly specific way, modular playbooks consolidate the logic and maintenance for core tasks to a single point. The objective is to enhance clarity, streamline maintenance, and foster scalability.

The advent of modularization not only bolsters the efficiency of automation but also paves the way for sustainable growth and continuous innovation. Palo Alto Networks XSOAR currently has over 900 integrations and automation packs for common use cases in the XSOAR Marketplace, as well as a free Community Edition to assist in getting you started in your automation journey.

Part way through the interview, Peter simply asks Kyle “What is automation?” Kyle explains in depth:

It's a very hard thing to answer. I mean, obviously it's taking care of something automatically – but [it doesn’t] live in any one place. And that's what makes it hard to answer. So, a lot of people think about, you know, the alert pipeline or the IR process as a very linear stage of steps, right? Automation plays a role in that, in multiple places ... And then we're also automating processes in and around the SOC itself, so that certain procedures are being handled behind the scenes and don't need to be handled by our SOC analysts. That can be governance or audit related, notifications and alerts of, you know, program or platform health. Automation to us generally is in service of expediting the time to resolve and increasing the clarity and confidence we have in the conclusions that we reach.

In exploring automation in SecOps, Peter and Kyle's conversation highlights the possibilities with Cortex XSIAM and XSOAR as next generation solutions powering the modern SOC.

Watch their full interview on our Cortex YouTube channel.


Subscribe to the Blog!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.