Threat Hunting With Cortex XDR: Jani Haapio Channel SE
Jani Haapio
jhaapio@paloaltonetworks.com
Channel SE
85 of the Fortune 100 rely on Palo Alto Networks
#1 in enterprise security
60,000+ customers in 150+ countries
Revenue trend: 40% CAGR, FY14 - FY18
Endpoint
SECURE THE FUTURE
Detection & response
Automation & orchestration
Network traffic behavioral analytics
Threat intelligence
99%+ of attacks can be prevented with the right tools across layers
<1% require analysis over time & with machine learning
Manually searching for threats rather than waiting for technology to alert you
IoC-based: search for known malicious file hashes, IP addresses and other IoCs
TTP-based: look for attacker tactics, techniques and procedures based on news
Hypothesis-driven: driven from a basic understanding or a lead from new information
[Slide: timeline of major breaches; only the record counts survived extraction, the victim names did not: 2B, 2M, 145M, 200M, 500M guest, 110M, 2.9M, 77M, 1.6M and 600M records stolen, 134M credit cards stolen; 925M+ new malicious programs registered]
Legacy tools generate too many alerts
Manual tasks across siloed tools take too long
It takes days to investigate threats
[Slide: maturity chart. Vertical axis: MTTR/MTTD & risk, from high down to low. Horizontal axis: maturity, from low (Reactive) through medium to high (Proactive). Detection approach at each stage: rule-based, then correlated rule-based, then analytics-based]
Legacy EPPs can't keep up with advanced threats and burden local systems
Current approaches do not share protections between different parts of the enterprise
EDR is locked to the endpoint and lacks a solution for unmanaged devices
High-fidelity local detection trained by WildFire
Block exploits based on techniques
Behavioral Threat Protection analyzes multiple behaviors together to flag complex attacks
Sophisticated attacks & insider abuse can bypass controls
Teams waste time and miss threats chasing low-context false positive alerts
Detecting anomalies requires analyzing a comprehensive data set
[Slide: architecture diagram. Left: siloed data and detection per source (endpoint, network, cloud), each with its own data store and detection. Right: integrated data from endpoint, network and cloud feeding one detection layer (ML-based, custom rules, behavior analytics, human correlation) that produces high-signal alerts]
Analysts have to review each alert individually
Teams must manually piece together data from siloed tools & data sources
By the time you find root cause, the attack has progressed
[Slide: a phishing alert surrounded by related alerts from EPP, NTA, TI, NGFW and UEBA]
Related alerts grouped into Incidents
Causality chain shown on the slide, one step per process:
User clicks on URL in phishing email
Default browser is opened
Browser downloads 7zip file
7zip runs *.pdf.bat file in zip
*.pdf.bat file creates Visual Basic script for Windows script engine
Script attempts C2 connection
Causality Group Owner (CGO): the process that initiated the chain of events
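The two ideas the deck leaves at slide level are (a) the three hunting styles (IoC, TTP, hypothesis) and (b) grouping alerts by the process chain that produced them, rooted at the Causality Group Owner. The following is an added example, not Palo Alto Networks code and not Cortex XDR's data model: it builds parent/child chains over constructed process-start telemetry, finds the CGO by walking ppid links until it hits an OS bootstrap process, groups alerts from several "sensors" into one incident per CGO, and runs an IoC hunt (destination IP) and a TTP hunt (double-extension file run under an archive tool that then spawns a script host). Field names (pid, ppid, image, cmdline, dst_ip), the BOOTSTRAP set and all events and alerts are assumptions made for the example.

```python
"""Causality-chain grouping and simple hunts over constructed process telemetry.

Added example. The records below are constructed; the field names and the
BOOTSTRAP / ARCHIVERS / SCRIPT_HOSTS sets are assumptions, not product settings.
"""
import re
from collections import defaultdict

# Constructed process-start events modelled on the slide's phishing chain,
# plus one unrelated benign process under the same desktop session.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "outlook.exe",  "cmdline": "outlook.exe"},
    {"pid": 300, "ppid": 200, "image": "chrome.exe",   "cmdline": "chrome.exe https://example.invalid/invoice.zip"},
    {"pid": 400, "ppid": 300, "image": "7zFM.exe",     "cmdline": "7zFM.exe invoice.zip"},
    {"pid": 500, "ppid": 400, "image": "cmd.exe",      "cmdline": 'cmd.exe /c "invoice.pdf.bat"'},
    {"pid": 600, "ppid": 500, "image": "wscript.exe",  "cmdline": "wscript.exe stage2.vbs"},
    {"pid": 700, "ppid": 100, "image": "winword.exe",  "cmdline": "winword.exe report.docx"},
]
# Constructed network event: the script host reaching out (the slide's "attempts C2").
NETWORK = [{"pid": 600, "dst_ip": "203.0.113.10", "dst_port": 443}]
# Constructed alerts from different sensors, each tied to the pid it fired on.
ALERTS = [
    {"source": "EPP",  "pid": 500, "name": "Suspicious double-extension script"},
    {"source": "NGFW", "pid": 600, "name": "Connection to known C2 IP"},
    {"source": "UEBA", "pid": 700, "name": "Unusual document open time"},
]
# Processes the OS starts for every session; a chain is never attributed to them.
BOOTSTRAP = {"explorer.exe", "services.exe", "wininit.exe"}


def index_processes(events):
    """Map pid -> process record so parent lookups are constant time."""
    return {e["pid"]: e for e in events}


def causality_chain(pid, procs):
    """Walk ppid links from pid upward, stopping at a bootstrap or unknown parent.
    Returns records ordered CGO first, the queried pid last. The seen-set guards
    against pid reuse producing a cycle in the telemetry."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        proc = procs[pid]
        if proc["image"].lower() in BOOTSTRAP:
            break
        seen.add(pid)
        chain.append(proc)
        pid = proc["ppid"]
    chain.reverse()
    return chain


def causality_group_owner(pid, procs):
    """The CGO is the first non-bootstrap process in the chain (None if unknown)."""
    chain = causality_chain(pid, procs)
    return chain[0]["pid"] if chain else None


def group_alerts_into_incidents(alerts, procs):
    """One incident per CGO: alerts from any sensor on any process in the same
    chain land together, which is the grouping the slide describes."""
    incidents = defaultdict(list)
    for alert in alerts:
        incidents[causality_group_owner(alert["pid"], procs)].append(alert)
    return dict(incidents)


def hunt_ioc(network_events, bad_ips):
    """IoC-based hunt: pids that contacted a known-bad destination IP."""
    return {n["pid"] for n in network_events if n["dst_ip"] in bad_ips}


# TTP-based hunt: a document-looking file with a script/executable extension,
# launched under an archive tool, whose process then starts a script host.
DOUBLE_EXT = re.compile(r"\.(pdf|doc|docx|xls|xlsx|jpg)\.(bat|cmd|vbs|js|exe)\b", re.I)
ARCHIVERS = {"7zfm.exe", "7z.exe", "winrar.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}


def hunt_ttp(procs):
    """Return pids of processes matching the double-extension-from-archive pattern."""
    children = defaultdict(list)
    for p in procs.values():
        children[p["ppid"]].append(p)
    hits = []
    for p in procs.values():
        if not DOUBLE_EXT.search(p["cmdline"]):
            continue
        ancestors = {a["image"].lower() for a in causality_chain(p["pid"], procs)[:-1]}
        if not ancestors & ARCHIVERS:
            continue
        if any(c["image"].lower() in SCRIPT_HOSTS for c in children[p["pid"]]):
            hits.append(p["pid"])
    return hits


if __name__ == "__main__":
    procs = index_processes(EVENTS)
    for cgo, alerts in group_alerts_into_incidents(ALERTS, procs).items():
        print(f"Incident rooted at CGO pid {cgo} ({procs[cgo]['image']}):")
        for a in alerts:
            print(f"  [{a['source']}] pid {a['pid']}: {a['name']}")
    print("IoC hits:", hunt_ioc(NETWORK, {"203.0.113.10"}))
    print("TTP hits:", hunt_ttp(procs))
```

Run as a script it prints two incidents: the EPP and NGFW alerts collapse into one rooted at outlook.exe (the CGO of the phishing chain), while the UEBA alert on winword.exe stays separate. The TTP hunt finds cmd.exe running invoice.pdf.bat without any IoC, which is the point of hunting by technique: it would still fire if the C2 address and the file hash changed.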
© 2019 Palo Alto Networks. All Rights Reserved.
Integrated response via live terminal
Eliminate blind spots across network, endpoint, and cloud
Detect the most attack techniques according to MITRE ATT&CK evaluations
Find hidden threats with machine learning running across all data
Cortex XDR