Palo Alto Networks’ CTO Reveals How Machine Learning is Transforming SOC Performance

A media outlet recently conducted a virtual interview with Nir Zuk, founder and Chief Technology Officer (CTO) of Palo Alto Networks, a leader shaping the future of cybersecurity. The discussion centered on the crucial role of machine learning in enhancing Security Operations Center (SOC) performance and its integration within the Cortex XSIAM architecture.

Before establishing Palo Alto Networks in 2005, Zuk served as CTO at NetScreen Technologies, which Juniper Networks acquired in 2004. He co-founded OneSecure, an early innovator in intrusion prevention systems, and was a principal engineer at Check Point Software Technologies, where he contributed to the development of stateful inspection technology.

For the fiscal second quarter of 2024, which ended January 31, Palo Alto Networks reported a 19% revenue increase, reaching $2 billion compared to $1.7 billion in the same quarter of the previous year. The company's GAAP net income surged to $1.7 billion from $0.1 billion in Q2 2023. Currently, Palo Alto Networks serves over 85,000 customers globally, including a majority of the Global 2000.

VB: Why is machine learning (ML) essential for improving SOC performance?

Zuk: Machine learning is crucial because it shifts our approach from investigating known attacks, which are infrequent, to assessing every event across the infrastructure as a potential threat. This transition allows us to evaluate millions of possible attacks every second—something that’s impossible for humans to manage alone.

VB: How is machine learning transforming security operations and optimizing key SOC metrics?

Zuk: We approach cybersecurity in two ways. The first is preventative, focused on keeping adversaries out—traditional network security, endpoint security, and access management. However, we must also address the reality that breaches can occur. Thus, if an intruder gains access, the SOC's role is to actively hunt for them, which is where machine learning plays a pivotal role—enabling detection and response whether threats are outside or already inside.

VB: Are you observing an increase in the number of cloud platforms your customers are using? Are they seeking to navigate the complexities of cloud detection and response?

Zuk: Absolutely. Security operations teams are often overwhelmed by the complexity of cloud environments compared to traditional data centers. This complexity requires effective tools for SOCs to manage cloud security. The previous concept of integrating security operations into DevOps hasn’t proven effective, as both still face similar challenges. XSIAM addresses these complexities, providing a solution for SOCs—whether cloud-focused or general.

VB: What is the role of machine learning in the Cortex XSIAM architecture?

Zuk: Cortex XSIAM is inherently a machine learning system that utilizes bespoke models to detect various types of attacks. We currently have around 1,400 specialized models developed by cybersecurity experts, including former military and intelligence cyber operatives, who translate their experience into effective models for threat detection.

VB: Are you anonymizing attack data to train your models from various customer interactions?

Zuk: Our machine learning approach is distinct from common market trends. We do not train models on customer data, but rather on attack data collected from various sources. This enables us to establish what is normal for a customer’s infrastructure and to identify anomalies without compromising data privacy.

VB: How are your customers approaching SOC metrics?

Zuk: We are actively encouraging customers to measure key metrics like the mean time to detect (MTTD) and mean time to respond (MTTR). Current research suggests MTTD averages in months, but I believe we can improve this to weeks and even days. The same applies to MTTR, which is often quantified in hours. Most of our customers and prospects are not currently measuring these important metrics.

VB: How do you handle pricing and upgrades?

Zuk: XSIAM pricing is based on the volume of data analyzed. We aim to align our pricing with existing SOC solutions, even though we process significantly more data—often 10 to 100 times greater than typical security information and event management (SIEM) systems. Our goal is to prevent SOCs from experiencing a drastic increase in their budgets.
