UPDATED 14:38 EDT / FEBRUARY 24 2020

Palo Alto Networks turns $560M Demisto buy into new XSOAR security platform

Palo Alto Networks Inc. is making its presence felt at the RSA Conference in San Francisco today with the introduction of Cortex XSOAR, a new security automation platform that builds on its $560 million acquisition of Demisto Inc. last year.

Demisto is one of the half-dozen security startups that Palo Alto Networks has bought since the start of 2019 to boost its product portfolio. It combined several of those startups’ solutions into a new offering dubbed Prisma Cloud that debuted last November.

Demisto’s namesake security orchestration, automation and response (SOAR) platform, in turn, forms the basis of Cortex XSOAR. SOAR platforms provide collaboration features that help administrators share information with one another when they’re investigating a breach. Products in this category also automatically perform certain security tasks, such as quarantining a machine when it’s found to contain malware.

According to Palo Alto Networks, XSOAR’s big edge over the competition is threat intelligence.

Enterprise security teams subscribe to threat intelligence feeds that provide them with information on cybercriminals’ activities and emerging hacking campaigns. But putting this information to use can be technically challenging. According to Palo Alto Networks, XSOAR attempts to address the issue by providing a centralized interface where administrators can see threat intelligence side-by-side with data from their internal security systems. 

“Cortex XSOAR accomplishes this by layering third-party threat intel with internal incidents to prioritize alerts and make smarter response decisions,” Scott Simkin, the marketing head for the Cortex product line, detailed in a blog post. “Teams can gain confidence in their actions by enriching any detection, monitoring or response tool with context from curated threat intelligence.”

XSOAR allows savvier users to take the concept a step further by using threat intelligence to automate security operations. It provides so-called playbooks, brought over from the original Demisto platform, that trigger threat response actions when a security issue is detected. Security teams can configure these playbooks to trigger in response to information from a threat intelligence feed.

“Both SOAR and threat intelligence management have developed over recent years as tools to help them [security professionals], but existing product silos have led to even more manual work,” said Palo Alto Networks Chief Product Officer Lee Klarich. “It makes no sense to have SOAR without native threat intel.”

Palo Alto Networks plans to make XSOAR generally available next month. 
