Palo Alto Ignite Takeaways: Attackers Never Rest, Retailers Can’t Either

It felt great to be back at Palo Alto Networks Ignite in Las Vegas, connecting with friends old and new. Besides hanging out with awesome people, I like to check out expert speakers and hear about the big topics each year. We recently rolled out our own 2023 Cyber Predictions featuring ransomware and extortion being here to stay, and discussing how organizations can focus on posture management and leverage risk-based frameworks to guide security initiatives. With that in mind, it was no surprise that frameworks and operations were popular topics this past week.

This year, Palo Alto focused on three main themes:

• Secure Access Service Edge (SASE)
• A Re-emphasis on Zero Trust
• and Security Operations

SASE and Zero Trust playhand in hand, with controls from SASE enabling security regardless of user location and following both the device and identity all the way to the destination resource – be it SaaS, Cloud or on-prem. The re-emphasis on Zero Trust was also driven from enhanced capabilities stemming from the Cortex and SASE enabled end-to-end visibility.

However, XSIAM was the “Belle of the Ball” for security operations, touting a singular backend data-plane coupled with automation pulled from its XSOAR platform. With automation tied directly to the backend, investigations rely less on summarized alerts and can pull context directly from the raw data.

While XSIAM is a major leap forward for security operations, there’s still human interaction required for full resolution of alerts where automation requires human input, decision, or action be taken.

Through integrated security products and our Zero Trust Analytics Platform™ (ZTAP™), the Critical Start SOC team delivers Managed Detection and Response (MDR) services that give you access to 24x7x365 resources who investigate every security event ingested into ZTAP. This includes triage of security events, response actions, and security guidance to continue strengthening your infrastructure.

Our SOC does things a little differently, guaranteeing one-hour SLAs for Time to Detection (TTD) and Median Time to Resolution (MTTR) on every alert. That’s a one-hour time to detect and a one-hour time to respond. So, it’s a promise – not an objective.

At Palo Alto, I got to speak about our MDR services in action.

Critical Start Presents: Attackers Never Rest, Retailers Can’t Either

During the conference, I partnered with the CSOC lead from a large retailer to chat about the importance of leveraging Managed Detection and Response (MDR) providers to get 24×7 coverage. Critical Start has been providing MDR services since before “MDR” existed. We’re a leading provider of MDR services for Palo Alto Networks supplying end-to-end capabilities – including incident response.

This retailer was facing challenges, with over 950 locations open 24 hours, 7 days a week, that require SOC monitoring. With difficulty hiring, training, and retaining employees, their 24×7 security operation turned into an on-call escalation program for only select alerts. This large operational burden involving tuning alerts and false positives from internally developed applications which inevitably resulted in a creation of false negatives. While the company leverages XSOAR, human interaction is still required for investigation and response.

Enter Critical Start. The retail company tapped us to monitor XDR, including 24×7 investigation, and response capabilities. MDR was deployed with EDR, where we built and monitored custom rules, like creating a detection for Teams Token Reuse, and added an integration with XSOAR.

We were also able to implement a custom escalation process, where alerts requiring escalation during business hours go directly to the CSOC, while alerts requiring escalation after-hours go to the service center, activating a playbook to alert the on-call analyst. The company also uses our industry changing MobileSOC to make response fast and convenient for analysts, lowering attacker dwell time.

We’re happy to help you achieve the same outcomes, and you don’t need to wait until the next Ignite Conference to get started. Contact an expert today to learn how we can alleviate large operational burdens and false negatives to help you prevent breaches and stop business disruptions in the new year.