MI-One Issue #13 - Equinox Edition


Hello there and Happy Pi (π) Day.

Quite a community we have here, don’t you think? It might be hard to believe, but it’s already been one year since the launch of MI-One.

Yes indeed, this π Day marks MI-One’s first anniversary, with many more to come. (And for the first time, MI-One is now available to be delivered directly to your inbox -> Subscribe)

Over the past year, we've shared deep dives, updates, and hot takes into the evolving landscape of security and technology. From our inaugural edition to the most recent "Columba Edition," we've circled the core of modern cybersecurity.

A few things we have covered over these 12 issues include:

  • A close examination of cutting-edge trends: From Federated Security Operations to Generative AI in security, and the rise of Data Security Platforms.
  • Thoughts and updates on technical innovations: Including Autonomous SOCs, hyperautomation integrations, and the critical role of DSPM in cloud security.
  • Insights into practical applications and use cases: Whether it be OCSF, XDR, SOAR, security data lakes, or other concrete platform integrations, we’ve had a few things to say about them this past year.
  • Thoughts and observations about DevSecOps and Platform Consolidation: Notably, how this relates to the changing landscape of security operations.

Now, as we step into our second year, let’s take a look at what’s currently been going on:

  • While February saw a strong focus on GenAI within SOC environments, March has witnessed its integration into a broader range of security functions, including training, compliance automation, and attack surface management. Notably, Google's Security Operations platform has further enhanced its Vertex AI integration, introducing capabilities for automated compliance reporting and regulatory gap analysis.
  • Gartner published its widely followed Top Trends in Cybersecurity for 2025. Three key trends caught our eye, since they fall within the areas we support and our areas of expertise:


Source: Gartner

GenAI Driving Data Security Programs. Preference for Synthetic Over Obfuscated Data in GenAI Training: synthetic data is increasingly favored because it enhances privacy, mitigates data scarcity, and enables diverse scenario generation. Metron has been building Mock Servers to help generate synthetic data to train GenAI models. In addition, Metron continues to expand its services in Data Annotation and Data Labelling, focusing on cybersecurity applications and platforms.

IAM Strategies to Address the Rise of Machine Identities. Managing nonhuman identities for machines and workloads is increasingly critical as AI drives the widespread use of machine accounts and credentials. With identity security a top priority for CISOs, there is a growing focus on integrating IAMs and related tools. One example is CrowdStrike's announcement of Falcon Identity Protection for Microsoft Entra ID. This integration helps secure machine accounts by continuously monitoring and enforcing identity-first security policies. It detects unauthorized access attempts, strengthens authentication, and ensures compliance, addressing the growing challenge of managing nonhuman identities across devices and workloads.

Cybersecurity Technology Optimization. Gartner reports that the average organization uses 43 cybersecurity tools, highlighting the need for an optimized security stack. Cybersecurity mesh architecture serves as a guide for balancing platforms and point solutions, and Metron supports companies by building and maintaining integrations between these security tools.


Under the Lens — Palo Alto Networks

Ever feel like you're drowning in security point solutions that don't talk to each other? You're not alone. The struggle to build a unified security strategy that delivers the overall security posture of your organization is real.

Enter Palo Alto Networks: the big player security ecosystem that's redefining what integrated protection looks like in 2025.

In this month's deep dive, we aim to explore how Palo Alto's product suite can tackle these challenges. This guide will help you understand how these tools fit into your existing architecture, to help you against threats and also deal with them.

Let's explore the various tools and solutions Palo Alto Networks offers below:

Next-Generation Firewall (NGFW) Solutions:

  • Palo Alto Networks NGFWs deliver advanced threat prevention, application visibility, and precise control in a single platform, connecting network and security teams for comprehensive protection.
  • PAN-OS is the operating system that powers all Palo Alto Networks NGFWs, providing consistent protection across physical, virtual, and cloud environments.
  • DNS Security protects against DNS-based threats using machine learning and real-time analysis.

Secure Access Service Edge (SASE) Platform:

  • Prisma Access ensures consistent protection for remote users and networks globally. It consolidates security functions, delivering Zero Trust access and an optimized user experience with strong SLAs. It delivers a Secure Access Service Edge (SASE) solution, combining networking and security.
  • Prisma SD-WAN is a next-generation SD-WAN solution that replaces traditional WANs with cost-effective internet connectivity. It optimizes application performance through intelligent routing and simplifies network operations with automation and machine learning.

Cloud Security:

  • Prisma Cloud forms the backbone of cloud security, providing visibility, compliance, and protection across multi-cloud and hybrid environments.

Security Operations:

  • Cortex XDR enables detection, investigation, and response across endpoints, networks, and cloud, with AI-powered analytics for automated threat hunting.
  • Cortex XSOAR (Security Orchestration, Automation and Response) orchestrates the entire incident response lifecycle, automating playbooks and facilitating collaboration across security tools.
  • Cortex XSIAM (Security Information and Asset Management) consolidates security data across your entire infrastructure for comprehensive visibility and analytics.
  • Cortex Xpanse helps organizations manage their attack surface by scanning the internet, identifying risks, and recommending how to reduce them.

Platform Integration:

  • Panorama provides centralized management for all Palo Alto Networks products, enabling consistent policy deployment and visibility.

Threat Intelligence and Consulting:

  • Unit 42 offers threat intelligence and security consulting services, including incident response and risk assessment.
  • WildFire allows organizations to detect and prevent advanced threats.
  • AutoFocus, a threat intelligence platform, offers deep insights into emerging cyber threats.

AI and Analytics:

  • Precision AI powers Palo Alto's security platforms with AI-driven threat detection and remediation capabilities.

Cloud Manager:

  • Strata Cloud Manager offers a centralized, cloud-based platform for managing Palo Alto Networks' network security, simplifying operations for NGFWs and SASE. Strata Copilot enhances this with natural language capabilities, enabling faster threat analysis and response.


Palo Alto Networks offers a range of integration-ready products that provide a unified security view. Our expertise includes building both inbound and outbound integrations:

Inbound Integrations:

  • NGFW + OT Security platform: This integration between PAN’s NGFW and an OT Security platform synchronises OT asset details and access control list (ACL) rules from the OT Security platform to the NGFW. With this integration, you leverage OT security rules but can still manage them from a single Palo Alto NGFW.
  • Cortex XSOAR + EDR: The integration transmits detection logs from the EDR to XSOAR, creating an incident for each detection. The XSOAR incidents can trigger playbooks to remediate the security incidents. The playbook can use actions not just from the current integration, but from any integration available in your XSOAR tenant.
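The EDR-to-XSOAR pattern described above, as an added illustration that is not Metron's or Palo Alto Networks' code: a fetch-incidents style function that turns EDR detections into XSOAR incident dicts, keeps a last-run cursor so re-polls never create duplicate incidents, and maps EDR severities onto XSOAR's 0-4 scale. The EDR detection shape and the sample detections are constructed for the example; a real integration would obtain them from the EDR API and hand the returned list to XSOAR's incident-creation call.

```python
import json

# Constructed sample EDR detections (not real product output).
SAMPLE_DETECTIONS = [
    {"id": "det-1001", "host": "ws-042", "severity": "high",
     "title": "Credential dumping attempt", "timestamp": "2025-03-10T08:15:00Z"},
    {"id": "det-1002", "host": "srv-db-01", "severity": "medium",
     "title": "Suspicious scheduled task", "timestamp": "2025-03-10T09:40:00Z"},
    {"id": "det-1003", "host": "ws-017", "severity": "informational",
     "title": "New USB device", "timestamp": "2025-03-10T09:40:00Z"},
]

# XSOAR incident severity scale: 0 unknown, 1 low, 2 medium, 3 high, 4 critical.
SEVERITY_MAP = {"informational": 1, "low": 1, "medium": 2, "high": 3, "critical": 4}


def to_xsoar_incident(detection):
    """Map one EDR detection (assumed shape) to an XSOAR incident dict."""
    return {
        "name": f"EDR: {detection['title']} on {detection['host']}",
        "occurred": detection["timestamp"],
        "severity": SEVERITY_MAP.get(detection.get("severity", ""), 0),
        "dbotMirrorId": detection["id"],      # stable key for dedup / mirroring
        "rawJSON": json.dumps(detection),     # full payload for playbooks to use
    }


def fetch_incidents(detections, last_run):
    """Return (new_incidents, next_run).

    last_run = {"last_fetch": ISO-8601 UTC timestamp, "seen_ids": [...]}.
    Detections older than last_fetch are skipped; detections at exactly
    last_fetch are deduplicated by id, so polling the same data twice is safe.
    Timestamps share one fixed format, so string comparison orders them.
    """
    last_fetch = last_run.get("last_fetch", "1970-01-01T00:00:00Z")
    seen = set(last_run.get("seen_ids", []))
    incidents, newest, newest_ids = [], last_fetch, set(seen)
    for det in sorted(detections, key=lambda d: d["timestamp"]):
        ts = det["timestamp"]
        if ts < last_fetch or (ts == last_fetch and det["id"] in seen):
            continue
        incidents.append(to_xsoar_incident(det))
        if ts > newest:
            newest, newest_ids = ts, {det["id"]}   # new high-water mark
        else:
            newest_ids.add(det["id"])              # same second as the mark
    return incidents, {"last_fetch": newest, "seen_ids": sorted(newest_ids)}
```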

Outbound Integrations:

  • Cortex XPanse + SIEM: While leveraging the unified platform, some SOC teams might still want to analyze the data within their own SIEM platform. The team at Metron has experience building outbound integrations for several PAN products. XPanse attack surface data is made available on SIEM platforms so that the issues can be investigated there.


Security Application and Version Updates

In case you’ve missed them, there have been significant developments across various platforms, from security enhancements to new feature releases.

Here's a rundown of the most notable platform updates, highlighting their recent improvements and fixes.

ServiceNow has rolled out the Yokohama release, featuring notable enhancements to the Vulnerability Response application. Key updates include:

  • Streamlined Remediation: Users can now manually generate host remediation tasks directly within the Vulnerability Manager and IT Remediation Workspaces, offering greater control over the remediation process.
  • Enhanced Vulnerability Assessment: A new publisher-based assessment allows for vulnerability exposure tracking by vendor, enabling focused remediation efforts.
  • Improved Visibility and Tracking: Risk score changes are now trackable within work notes when a system property is enabled.
  • Validation and Testing: Quick Start Tests have been added to validate the functionality of Vulnerability Response after upgrades or deployments.

Palo Alto Networks - Cortex XDR 3.13, made available in March 2025, introduces enhancements to threat investigation capabilities, strengthening defenses against advanced threats. Key updates include:

  • Streamlined Incident Response: Cortex XDR 3.13 now combines MITRE ATT&CK TTPs, URL verdicts, and WildFire reports to provide actionable insights into security alerts. Together, these features will help respond to incidents more efficiently, reducing detection and remediation times.
  • Integrating System Data with Causality Cards: Key incident data, including OS system details, memory and runtime information, and application-specific logs, can now be integrated into causality cards. This will provide a detailed overview of security incidents, enabling teams to quickly identify attack patterns, trace root causes, and take targeted response actions.
  • Protection Against Security Bypass Techniques: Enhanced protection for Windows-based endpoints safeguards against malicious actors attempting to bypass built-in Windows security controls.
  • Extended File Type Coverage for Windows: Cortex XDR now analyzes ASP and ASPX files on Windows servers, detecting and preventing malicious files to strengthen defenses.
  • The release notes include more details.

Palo Alto Networks - Cortex XSIAM 2.5, released in March 2025, is now more robust, unifying real-time and historical data and enabling rapid legacy SIEM upgrades. Let’s scroll through a few of its features:

  • Accelerated Legacy SIEM Upgrades with Bulk Data Import: Historical data can now be imported into cold storage, simplifying migration while ensuring secure, long-term storage for analysis and compliance.
  • Analytics Alert Response Playbooks: New playbooks allow endpoint agents to request assistance and receive decisions based on a comprehensive incident view, enhancing endpoint security effectiveness.

Palo Alto Networks - Cortex Xpanse has also received attack surface management updates. Let’s scroll through a few of its features:

  • Simplified Self-Service Asset Management: New bulk asset management features enable proactive addition and removal of assets, such as IP address ranges, paid-level domains, and subdomains.
  • Expanded Coverage for Automated Exposure Remediation: Support for Kubernetes Control Plane Component, LDAP Server, NetBIOS Name Server, NFS Rpcbind Server, Rpcbind Server, and SMB Server reduces manual work across attack surface exposures.
  • You can find more details in their release notes.


Insights: From Our Integration Factory

ServiceNow Service Graph Connectors + IoT: The integration between an IoT platform and Service Graph Connectors aims to enhance visibility and security for IoT devices within an organization's network. Integrating your IoT platform with Service Graph Connectors will provide you with:

  • Enhanced IoT Visibility: The IoT platform provides detailed information about IoT devices, including their type, vendor, behavior, and vulnerabilities. ServiceNow Service Graph Connectors help create a comprehensive map of your IT infrastructure and services. The integration allows the IoT data to populate the Service Graph, providing a unified view of both IT and IoT assets.
  • Improved Security Posture: By integrating IoT device information into the Service Graph, you get a better understanding of the potential impact of IoT vulnerabilities on critical services. This integration enables automated workflows for incident response, vulnerability management, and change management related to IoT devices.
  • Streamlined Asset Management: The integration automates the process of discovering and classifying IoT devices, reducing manual effort and improving asset accuracy. It enables organizations to track the lifecycle of IoT devices and ensure that they are properly managed and secured.

Microsoft Defender XDR + IoT: The integration of Microsoft Defender XDR with IoT security solutions strengthens an organization's overall security posture by extending threat detection and response capabilities to IoT devices. This is how:

  • This integration aims to provide a unified security experience, allowing security teams to monitor and manage both traditional IT endpoints and IoT devices within a single platform (Microsoft Defender XDR).
  • It bridges the gap between IT and operational technology (OT) security, offering a more comprehensive view of the organization's security landscape.

Palo Alto Networks - Cortex XDR + CNAPP: Integrating Palo Alto Networks' Cortex XDR with CNAPP capabilities creates a unified security framework that addresses the challenges of protecting complex cloud environments from sophisticated threats, combining extended detection and response capabilities with cloud-native application security.

Key Data Streams:

  • Security Telemetry and Alerts: Captures security events and alerts generated by cloud security tools, such as intrusion detection systems, firewalls, and endpoint protection platforms. This data stream is crucial for real-time threat detection and response across cloud environments.
  • Cloud Configuration and Entitlement Data: Imports information about cloud assets, including configurations and entitlements, to identify misconfigurations and excessive permissions that could lead to security vulnerabilities. This data helps maintain a strong security posture by ensuring compliance with security best practices.
  • Vulnerability and Threat Intelligence: Ingests vulnerability data specific to cloud-native applications and infrastructure, along with threat intelligence feeds, to enhance threat detection and risk management. This integration enables proactive defense against emerging threats by providing context on potential security risks.

Palo Alto Networks - Cortex XSOAR + ITOps: This integration combines Palo Alto Networks' Cortex XSOAR with an IT Operations tool to enhance security and overall operational workflows. By connecting Cortex XSOAR with IT management systems, organizations create a unified approach to incident management across security and IT domains, enabling automated coordination between security and IT teams, standardized response procedures, and faster resolution of security incidents impacting the IT infrastructure.

Key Data Streams:

  • Incident and Alert Data: Captures security incidents and alerts from various sources, enabling centralized management and automated response workflows across security and IT operations. This includes fetching incidents from SIEM systems and creating tickets in IT service management platforms.
  • IT Service Management Information: Imports ticket data, change requests, and configuration items from IT service management platforms, allowing correlation with security events for comprehensive incident handling.
  • Automation Playbooks and Workflows: Leverages pre-built and customized automation playbooks that coordinate actions across both security tools and IT operations systems, enhancing incident response efficiency.


Before you go…

We'd love to connect if you're planning to be at any of these industry events:

  1. Black Hat Asia, April 1 — April 4, 2025, Singapore
  2. RSAC, April 28 — May 1, 2025, San Francisco


P.S. Feel free to connect with us at [email protected], and we’ll be sure to assist you.

