My Cortex XSIAM journey, from skepticism to deep conviction and admiration

By John Murray, Director, Product Management

When Palo Alto Networks announced XSIAM back in February, I’ll admit that my first emotion was excitement followed by a wave of skepticism. For longer than I’ve been in security (somehow now over 13 years), SIEM has been omnipresent in almost every conversation that I’ve had even though I’ve never built, implemented or personally sold SIEM. Promises of an easier and better SIEM have existed since essentially its inception with most “next gen” SIEM solutions simply shifting the burden to different challenges.

What resonated from Nir’s introductory video was that incremental steps to fix the traditional SIEM are never going to get us to the real-time threat detection needed to shorten the time to detect bad things,  so a different approach was needed. I was humbled when Palo Alto Networks invited Critical Start to participate in their early access Cortex XSIAM design program. We’ve always had a deep relationship with them, with insight into their product roadmaps and platform releases over the years as a valued partner. The XSIAM early access design program was more comprehensive than any vendor beta program I’ve previously seen or been a part of. In addition to having our own environment for testing, we met with over a dozen members of the Cortex engineering team, from product managers to engineers to threat researchers, to learn not just what they were planning to build but discuss the problems with traditional SIEMs that they were looking to eliminate with XSIAM.

Being part of the Palo Alto Networks early access design program included access to a few of their first Cortex XSIAM design partners, a two-day onsite workshop with the design partners and their global architects and SME, weekly implementation and progress update calls and a two-day onsite meeting at our Plano, Texas office with members from their Tel Aviv based team.

While there are a lot of great new features and elements of XSIAM that are going to simplify the lives of security engineers and SOC analysts, I am most excited about the approach Palo Alto Networks is attempting with Data Models. I purposely say attempting, because this is a massively ambitious effort, but one that I think is fully achievable with the engineering resources that they are dedicating to it. 

With traditional SIEMs individual parsers for each log source are had and then individual security content is built to try to detect threats out of each log source. With Data Models, XSIAM is normalizing these log sources out of the box. Key artifacts will automatically be tagged and can be matched against generalized content. This also makes the grouping of incidents within XSIAM that much more intelligent, so that the entire scope of an attack is exposed to an analyst during an investigation making it less likely for a small amount of noise to be dismissed as a false positive. At Critical Start, we’ve been utilizing key artifacts capabilities to form stories within XQL, particularly around authentication that can be used to query events across a variety of log sources. Data Models within Cortex XSIAM is putting XQL stories on steroids.

Today we announced our new service offering for Cortex XSIAM for Endpoint. We are currently developing additional offerings around the analytics and data lake capabilities of both Cortex XDR and XSIAM. We will continue our work with the Cortex product management team to ensure that we are on the leading edge of all of the features and functionality being built into their products. Most importantly with our MDR release, we are emphasizing our continued partnership with Palo Alto Networks and our commitment to Cortex customers.