Cortex Copilot - Another Step Forward in SOC Transformation

Oct 15, 2024


When Incidents Pile Up, You Need A Way Out

Security operations is hard. End-to-end attacks—from compromise to impact—happen in a matter of hours. This requires security analysts to quickly identify and remediate threats before significant impact can happen. However, the time it takes to respond highly depends on an analyst's skills and experience with the tools they use. Even for experienced analysts, the need to collect various artifacts and navigate different capabilities across a security tool can eat away precious time.

When analysts are on their own, figuring out where to start and which actions to take can significantly slow incident response times. Incidents pile up and analysts get stuck in a reactive vortex that is hard to escape. This vortex is the reality for the majority of security teams, leaving no time for proactive activities that help stay ahead of new threats.

In security operations, analysts need every advantage they can get to remain one step ahead of the attacker. This is why we created Cortex Copilot.

Cortex Copilot – Another Step Forward in SOC Transformation

Back on May 7, Palo Alto Networks announced a wave of new security solutions powered by Precision AI™. These solutions help solve various security challenges for organizations, including how SOCs respond to cyberthreats. To support this, we previously announced the private beta of Cortex Copilot, an advanced security operations AI assistant.

Over the last five months, we have partnered with mature security teams in different industries to test it in real-world scenarios and learn from their experiences. Numerous users at these organizations leveraged Cortex Copilot to investigate incidents, harden defenses, and hunt for threats in their environment. Along the way, they have provided feedback, which we use to enhance capabilities and overall user experience. One theme that immediately became clear is that Cortex Copilot helped streamline security operations for our customers.

Today, we are excited to announce the general availability (GA) of Cortex Copilot to all our customers. This is a key step in transforming how the SOC drives improved security outcomes. With this GA release, Cortex Copilot will be available to all Cortex XSIAM customers, accessible from anywhere in the product. Customers will be notified in-product once this capability has been activated, free of charge.

Empowering the SOC Analyst

Cortex Copilot is an advanced security operations assistant designed to change how analysts work in security tools. This powerful tool empowers security analysts to reenvision threat detection and response by providing context and step-by-step guidance throughout their day-to-day work. And that, in turn, enables them to move faster, resolve incidents sooner, and proactively hunt for threats.

“According to ESG Research, 45% report that Security Operations are more difficult today than two years ago. Despite the many automated security tools in use, the SecOps process is fraught with tedious, time-consuming tasks, as analysts race with the adversary to identify and stop attacks before objectives can be carried out. GenAI-assisted tools, such as Palo Alto Networks’ Cortex Copilot, can automate many of these manual activities, accelerating response while helping to guide the investigation and response process for both junior and senior security analysts.” - Dave Gruber, Principal Cybersecurity Analyst at Enterprise Strategy Group

With Cortex Copilot, SOC teams can accomplish three primary objectives:

1. Speed Up Investigations

Analysts can utilize Cortex Copilot within Cortex XSIAM to examine new incidents, explore impacted systems and users, and pinpoint signs of compromise without toggling between screens. Incident details, such as indicators of compromise, are automatically enriched with threat intelligence.

Additionally, Cortex Copilot will suggest investigation and response actions such as running queries or isolating systems. For example, when an analyst asks a question like “What processes are running on client-02?”, Cortex Copilot will automatically provide the recommended appropriate query, saving the analyst valuable time.

Image 1: Cortex Copilot automatically recommends queries based on the question.

Image 2: Cortex Copilot automatically recommends the necessary XQL query and prepopulates required parameters, saving the analyst time.

2. Optimize Analyst Workflow

Cortex Copilot enables analysts to stay more productive by suggesting in-context actions, helping them get the most out of XSIAM's capabilities. When an analyst provides a prompt, such as asking a question about a system or user name, Cortex Copilot automatically recognizes it and populates relevant details. Additionally, Cortex Copilot will recommend context-appropriate actions based on the prompt. For example, if the question includes a system name, response actions like isolating the system or initiating a live terminal will be presented.

Image 3: Cortex Copilot recommends appropriate response actions based on the system name prompt.

Copilot also helps analysts with support issues or product-related questions. Instead of searching through product documentation for answers, analysts can ask Cortex Copilot for summarized information about a topic, reducing the overall learning curve and enabling new analysts to contribute immediately.

Image 4: Cortex Copilot answers a support question and links to relevant documentation from the Cortex Help Center.

3. Democratize Threat Hunting

Cortex Copilot empowers analysts of diverse skill levels to conduct comprehensive threat detection by simplifying searches across data sources and guiding them through hunting actions. It suggests potential next steps, such as executing advanced queries, examining attack chains, and enhancing security protections. This empowers analysts to uncover advanced threats and proactively improve overall security effectiveness.

Analysts can proactively search for suspicious activity throughout the environment. For example, an analyst may ask Cortex Copilot to “Show rare new services created in the last 24 hours.” With this analyst prompt, Cortex Copilot will suggest relevant queries that can be executed.

Image 5: Cortex Copilot helps with threat hunting by writing complex queries for the analyst.

If the analyst finds something suspicious, such as a malicious file, they can immediately take action in Cortex Copilot. This proactively strengthens an organization’s security posture every day.

Image 6: Cortex Copilot enables analysts to add a malicious hash to a block list.

Cortex Copilot is transforming the way security analysts work in the SOC by changing how they interact with Cortex XSIAM, and helping them to make decisions even faster.

Cortex Copilot Results in the Real World

During the private beta of Cortex Copilot, we spent five months working with over 100 security analysts. These analysts work for security teams facing the most sophisticated security challenges and represent organizations from high technology, healthcare, and financial services. We asked them to test Cortex Copilot by using it in real-world scenarios, from asking product questions, to getting support, investigating incidents, and crafting complex hunting queries.

We’re excited to see that Cortex Copilot is already delivering on its promise of transforming the way analysts work by allowing them to take security actions in one place.

Cortex Copilot is a great one-stop-shop to quickly investigate and take action on incident artifacts.

- Zachary Ivins, Principal Security Analyst, HealthPartners


Cortex Copilot simplifies analyst investigations:

Adopting Cortex Copilot within security operations centers has proven to be a significant step forward in SOC transformation. During the private beta phase, 60% of users used Cortex Copilot to simplify and accelerate security actions, like running advanced queries.

Cortex Copilot accelerates tasks:

Nearly half of the beta users trusted their Copilot to take security actions on their behalf. The data further demonstrated the value of adding Cortex Copilot to the normal workflow, with nearly 70% of users continuing to leverage it week-over-week during the private beta period.

What’s Next for Cortex Copilot?

In the fast-paced world of security operations, early results show that Cortex Copilot is emerging as a true partner for the SOC analyst. Designed to empower security analysts and transform threat detection and response, this advanced AI assistant streamlines investigations, optimizes workflow, and democratizes threat hunting. By providing context, step-by-step guidance, and automating certain actions, Cortex Copilot enables analysts to stay one step ahead of threats and quickly respond to incidents. This further enhances an organization’s security posture in today's cybersecurity landscape.

As we move forward, Cortex Copilot will continue to integrate into more SOC workflows. The possibilities for future capabilities and use cases are endless - faster response, improved actions with automation, and more. While available in XSIAM today, Cortex Copilot will extend across the Cortex platform, enabling more workflows for endpoint security, automation, attack surface management, and more.

To learn more about Cortex Copilot visit the Cortex XSIAM page, download the Cortex Copilot Datasheet, or speak to your account manager. If you missed it, check out our Prepare for a Brand-New Fight virtual event, where Nikesh Arora, CEO of Palo Alto Networks, details how security professionals should prepare for cybersecurity’s AI inflection point.
