
Palo Alto Networks’ CTO on why machine learning is revolutionizing SOC performance

Credit: VentureBeat using DALL-E



VentureBeat recently sat down (virtually) with Nir Zuk, founder and chief technology officer (CTO) of Palo Alto Networks. Zuk is considered one of the leading technologists defining the current and future cybersecurity landscape. Our interview focused on how machine learning is helping improve Security Operations Center (SOC) performance and on its essential role in the company's Cortex XSIAM architecture.

Before founding Palo Alto Networks in 2005, Zuk was CTO at NetScreen Technologies, which was acquired by Juniper Networks in 2004. Prior to NetScreen, he served as co-founder and CTO at OneSecure, an early pioneer in intrusion prevention and detection appliances. He was also a principal engineer at Check Point Software Technologies and one of the developers of stateful inspection technology.

For the fiscal second quarter of 2024, which ended on January 31, 2024, Palo Alto Networks reported a 19% increase in revenue, reaching $2 billion, up from $1.7 billion in the same quarter of the previous year. The company’s GAAP net income for the quarter rose to $1.7 billion compared to $0.1 billion in the fiscal second quarter of 2023. Palo Alto Networks serves over 85,000 customers worldwide, including a majority of the Global 2000.

VentureBeat: Why is machine learning (ML) essential for improving Security Operations Center (SOC) performance? 


Zuk: Why machine learning is essential is because we want to move from a mode where you only investigate the attacks that you know about, that you find, which are few in the SOC, to investigating each event that happens anywhere in the infrastructure as if it was an attack and then dealing with it. We're moving away from investigating an attack once every few hours or once every few days to investigating tens of millions or hundreds of millions of potential attacks every second. Humans can't do that; we need machine learning.

VB: You’ve talked a lot about how machine learning is reducing detection and response times, including a session at your recent Symphony 2024 event. How is machine learning revolutionizing security operations and helping deliver key SOC metrics?  

Zuk: We look at security in two ways. The first part of cybersecurity is trying to keep the adversaries out. And that's really been the focus of the industry for many years. And I think we've come to the realization that since we're not going to be correct 100% of the time, and they will try a million times, if we miss them once they're inside. We should also invest more in "let's assume that they're inside. Now let's go find them."

So, when it comes to data center security, you have to do both. You have to keep them out. And that’s the role of traditional cybersecurity. So network security, including, of course, the security between the data center and Ethernet, internal security for segmentation. It includes endpoint security for making sure that vulnerabilities aren’t being exploited and malware isn’t running. It includes identity and access management. Or even privileged access management (PAM), which we don’t do. We don’t do identity access or PAM. It includes many different things. This is about keeping them out or not letting them walk inside laterally. 

And then the second part of it, which goes to your question, is now let's assume they are inside and all defenses have failed. It's the role of the SOC to look for them. We call it hunting, the hunting function in the SOC. How do we do that? You need machine learning, not large language models (LLMs) or GPT, but real, traditional machine learning, to do both: to keep them out and also to find them if they're already inside. So we can talk about both, and how we use machine learning here and how we use machine learning there.

VB: Are you seeing your customers proliferating the number of cloud platforms they’re using? And are they coming to you saying they want to span the differences between the multiplicity of cloud platforms and data centers they’re on to better handle cloud detection and response?

Zuk: Yes, I would even take it further. I think that security operations teams are struggling with the cloud. Meaning they are used to more traditional enterprises with traditional data centers, and the cloud is very, very complicated. Definitely. So they're struggling with the cloud. And certainly the Security Operations Center (SOC) needs tools to help them with the cloud.

You probably remember there was a period several years ago where one of the buzzwords was DevSecOps. The idea was, well, the SOC cannot deal with the cloud, so we’re going to build a security operations team inside DevOps, and we’re going to deal with the cloud there. It turns out that that was not the right approach, because they have the same challenges. So XSIAM is kind of a solution that helps security operation centers, whether they’re dedicated to the cloud or general, which is usually the case, to deal with the complexities of the cloud.

VB: What role does machine learning have in the Cortex XSIAM architecture?

Zuk: In the case of XSIAM, it’s a machine learning-based system. And because it’s a machine learning-based system, it needs machine learning models to model different attacks. Part of that is how we use machine learning to find attacks. So, we have specifically developed these machine learning models and today, we have about 1,400. They are developed by cybersecurity experts, and specifically, they’re developed by researchers with attack experience. And more specifically, we use ex-military and intelligence cyber attackers to take their cyber attack knowledge and translate it into these machine learning models. 

VB: As you're training these 1,400 models, are you looking at aggregating and anonymizing attack data and using attack data to train those models that you've captured from a variety of your customers' interactions, not customer data, but attack data?

Zuk: So this machine learning is different than what you hear about in the market when it comes to LLMs. There are no machine learning models that are trained on the customer's data. So, these are all machine learning models that train on the customer data and then use that training to find the attacks in the customer data. So, you train for some time to understand what's normal for a customer's infrastructure. Then, you use that training to find normal anomalies and where things deviate. You have to make sure that the attackers don't gaslight you. Models are trained and are being run on customers' data, on each customer's data separately.

VB: What are you seeing with your customers’ adoption and use of SOC metrics?

Zuk: Yeah, so first, I would say that we are on a mission here to convince our customers to start measuring the mean time to detect and the mean time to respond. For the mean time to detect, you find that something happened, an incident; when you discover an incident, you go back in time to see when the penetration happened. And that's the mean time, that's the time to detect them. You average that over time. That's the mean time to detect, and some research shows that it's in months. I don't believe that. I think it's in weeks, but you know, even days to detect looks bad. And the same is true for the mean time to recover. It's measured in at least hours and probably more than that. So, we first are on a mission to convince customers to start measuring those. The vast majority of our customers and our prospective customers don't measure these numbers.

VB: How are you handling pricing and upgrades?

Zuk: The pricing of XSIAM is based on the amount of data that needs to be analyzed. We try to make it in the same order as the pricing of the existing SOC solutions, even though we collect at least ten times more, probably a hundred times more data than a typical customer's current security information and event management (SIEM). We don't want the SOC to have to increase their price and their budget to 10x or 100x.
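Zuk's answer on per-customer training touches two points a SOC engineer would want to see concretely: a model that learns what is normal for one tenant's infrastructure and alerts on deviations, and the requirement that attackers not be able to "gaslight" it, meaning they should not be able to turn their own activity into the baseline by repeating it. The example below is added here and is not Palo Alto Networks or Cortex XSIAM code. It assumes a constructed hourly metric (connections from one workstation to never-before-seen external hosts, per tenant) and compares a naive mean-plus-stdev baseline that learns from every observation against a median/MAD baseline that refuses to learn from hours it has already flagged. The stream, thresholds and class names are all illustrative assumptions.

```python
"""Per-tenant baseline anomaly detection, with and without a poisoning-resistant
update rule. Added example, not Palo Alto Networks / XSIAM code.

Metric modelled (constructed): connections per hour from one workstation to
never-before-seen external hosts. Each tenant gets its own model instance; no
data crosses tenants.
"""
from statistics import mean, median, pstdev


class NaiveBaseline:
    """mean + k*stdev, re-estimated from every observation, anomalies included.

    Because flagged hours are folded back into the history, a sustained
    attacker level drags the threshold up until the attack looks normal.
    """

    def __init__(self, warmup=24, k=3.0, window=168):
        self.warmup, self.k, self.window = warmup, k, window
        self.hist = []

    def observe(self, value):
        flagged = False
        if len(self.hist) >= self.warmup:
            mu = mean(self.hist)
            sd = max(pstdev(self.hist), 1.0)   # floor so a flat baseline can still alert
            flagged = value > mu + self.k * sd
        self.hist.append(value)                 # learns from the anomaly too
        self.hist = self.hist[-self.window:]
        return flagged


class RobustBaseline:
    """median + k*MAD, updated only from observations judged clean.

    An hour that scores as anomalous is alerted on and discarded, so repeating
    the attack does not teach the model that the attack is normal.
    """

    def __init__(self, warmup=24, k=5.0, window=168):
        self.warmup, self.k, self.window = warmup, k, window
        self.clean = []

    def observe(self, value):
        if len(self.clean) < self.warmup:       # training phase: learn what is normal
            self.clean.append(value)
            return False
        med = median(self.clean)
        mad = max(median(abs(x - med) for x in self.clean), 1.0)
        if (value - med) / mad > self.k:
            return True                         # alert, and do NOT learn from it
        self.clean.append(value)
        self.clean = self.clean[-self.window:]
        return False


def run(detector, stream):
    """Feed one tenant's hourly stream; return the hour indexes that alerted."""
    return [h for h, v in enumerate(stream) if detector.observe(v)]


# Constructed stream for one tenant: 24 quiet hours with a mild daily rhythm
# around 5, then 48 hours of steady exfiltration-like activity at 12 new hosts/hour.
WARMUP_HOURS = 24
STREAM = [4, 5, 6, 5] * 6 + [12] * 48
INTRUSION_START = WARMUP_HOURS   # hour index at which the attacker appears


def compare():
    """Alerts per detector, first alert hour, and attack hours that raised no alert."""
    results = {}
    attack_hours = len(STREAM) - INTRUSION_START
    for name, det in (("naive", NaiveBaseline()), ("robust", RobustBaseline())):
        alerts = run(det, STREAM)
        results[name] = {
            "alerts": len(alerts),
            "first_alert_hour": alerts[0] if alerts else None,
            "silent_attack_hours": attack_hours - sum(1 for a in alerts if a >= INTRUSION_START),
        }
    return results


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:6s} alerts={r['alerts']:2d} first_alert_hour={r['first_alert_hour']} "
              f"silent_attack_hours={r['silent_attack_hours']}")
```

Both detectors catch the first attack hour, but the naive one stops alerting after three hours because the attacker's own traffic has pulled its mean and standard deviation up; the robust one keeps alerting for all 48 hours because flagged observations never enter its history. The residual caveat is that a low-and-slow attacker who stays under k·MAD still gets appended as "clean" and will move the median once his level dominates the window, which is why warm-up length and window size are tuning decisions rather than constants.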
