XSOAR - for an environment of 26 Palo Alto Firewalls + 4 PANORAMA, is it worth it?
Hello, good evening to the community, thank you for your time and collaboration.
I have some questions about a few points that a certain partner raised; they are looking to cover roughly the following with Palo Alto, using some tool:
- Automation of processes in their firewalls.
- UEBA (user behavior analytics).
- Automation with machine learning.
- Unified, centralized automatic security policies based on traffic flows and traffic behavior.
Now, looking at it from the angle of automating a platform: considering costs, investment, effort, specialization, results, added value, operation and the time needed to get value from the tool, is it really worth looking for an XSOAR-type product for an environment of 26 firewalls?
Aren't we trying to cover with a Ferrari something that a Mazda can do?
What are your comments, details and suggestions regarding the above? I can't give much more specific detail, but that is more or less what the technology partner is looking for.
What do you think? Is it worth it? Are there other alternatives?
I look forward to your comments.
"Is it worth it" is an extremely broad conversation to have without knowing anything about the company or environment that would be looking to implement XSOAR or any other SOAR product. For a SOAR product to be really useful, you are going to need someone that can build out the workflows and remediation playbooks to make the investment make sense. No SOAR product can just be dropped into an environment and asked to run properly, but with XSOAR PAN is trying to get it closer to that sort of product. I personally don't think it's near that level of simplicity.
If you have someone that can actually build out workflows and build the playbooks, then you have to ask yourself if they have anyone working beneath them and how skilled they themselves are. If the security team is Bob/Karren, and Bob/Karren is amazing at scripting and building things out themselves, Bob/Karren might not get any benefit from a SOAR product. The benefit then is that if the team expands and Bob/Karren is forced to switch over to an actual XSOAR product, it's easier to train new personnel and get them running if the security response is wrapped up a bit nicer than a whole lot of scripts sitting in a repository. The business might see benefit in that, and they may not.
When you have an environment where you have an actual security team, that's going to be where you'll likely see the most benefit of a SOAR product. Having the ability to build out workflows and playbooks empowers your analysts to handle detections at a level they likely couldn't previously. It grants the SOC architects/engineers the ability to set up guardrails on what they want done within a workflow, while still giving more power to the individual analyst.
There are some workflows where you might unlock the ability for an analyst to quarantine and isolate an endpoint through the workflow, but you aren't giving them the ability to do that globally across all of your endpoints. Maybe under certain workflows you're giving them the ability to isolate an entire network segment, but they otherwise wouldn't ever have that capability. SOAR products give you the ability to do that sort of thing.
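As an added illustration of the scoped-capability point in the reply above (example code, not code from this thread or from XSOAR itself), here is a small Python model of a playbook guardrail: a playbook grants an analyst "isolate one endpoint" without granting "isolate everything", and every request is audited whether it is allowed or not. The `Playbook`, `ActionRequest` and `evaluate` names, the playbook definitions and the segment names are all constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed model: a playbook defines which actions an analyst may trigger
# through it, how many hosts one run may touch, and which segments it may act on.
# Names are hypothetical and do not correspond to any XSOAR API.

@dataclass(frozen=True)
class Playbook:
    name: str
    allowed_actions: FrozenSet[str]      # e.g. {"isolate_endpoint"}
    max_targets: int                     # hosts one run may touch
    allowed_segments: FrozenSet[str] = frozenset()  # segments this playbook may isolate

@dataclass
class ActionRequest:
    analyst: str
    playbook: str
    action: str
    targets: Tuple[str, ...]             # host identifiers (constructed)
    segment: Optional[str] = None        # set only for segment-wide actions

PLAYBOOKS = {
    "phishing-triage": Playbook("phishing-triage", frozenset({"isolate_endpoint"}), max_targets=1),
    "ransomware-containment": Playbook("ransomware-containment",
                                       frozenset({"isolate_endpoint", "isolate_segment"}),
                                       max_targets=25, allowed_segments=frozenset({"vlan-finance"})),
}

def evaluate(req: ActionRequest, audit: List[dict]) -> bool:
    """Return True if the request stays inside the playbook's guardrails; always record it."""
    pb = PLAYBOOKS.get(req.playbook)
    verdict, reason = False, "unknown playbook"
    if pb is not None:
        if req.action not in pb.allowed_actions:
            reason = f"action {req.action!r} not granted by {pb.name}"
        elif len(req.targets) > pb.max_targets:
            reason = f"{len(req.targets)} targets exceeds cap of {pb.max_targets}"
        elif req.action == "isolate_segment" and req.segment not in pb.allowed_segments:
            reason = f"segment {req.segment!r} outside playbook scope"
        else:
            verdict, reason = True, "within guardrails"
    # Denied requests are audited too: a blocked attempt is itself a signal for the SOC.
    audit.append({"analyst": req.analyst, "playbook": req.playbook, "action": req.action,
                  "targets": list(req.targets), "segment": req.segment,
                  "allowed": verdict, "reason": reason})
    return verdict
```

The cap on targets and the segment allow-list are what keep a single playbook from becoming a global isolation switch, which is the distinction the reply draws.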