The Israeli woman who spearheads Palo Alto Networks' Managed Threat Hunting unit

“With unemployment numbers around the world dramatically growing, some people will inevitably turn to cybercrime,” said Liat Hayun

James Spiro 10:1724.07.20
Liat Hayun has had an exciting year. After returning to work following maternity leave, she was thrown into the deep end when she was called on to create the first ever "Managed Threat Hunting" service at the cyber giant Palo Alto Networks.


"This last year hasn't been a normal year for anyone. We had our global launch of the service during Covid-19 – which, as you can imagine, we did not expect.” said Hayun in an interview with CTech.

Liat Hayun,  VP of Product Management. Photo: Palo Alto Networks
Liat Hayun, VP of Product Management. Photo: Palo Alto Networks


"But the pandemic also made our service even more meaningful for our customers. As more and more people switch to working in remote mode, cybersecurity becomes more of an issue. Our clients are exposed to more threats and are able to respond to them differently – making our Threat Hunting service extremely beneficial and even crucial."


"Covid-19 also had an impact on us as a team – we had to build much of the team remotely, hire new team members without ever meeting them and figure out how to create this entire new service while, at the same time, having to completely change how we work and operate", she says.


Palo Alto Networks officially launched the service a couple of weeks ago, completely modeled and developed in Israel, and now operates around the world. The Managed Threat Hunting service is another "layer" in the company's Cortex XDR product. By continuously monitoring customer data, it helps identify hidden attacks and could prevent a wide scale attack by foreign adversaries who could aggravate world leaders to cause the next World War or crash the markets.


Why was the product developed out of Israel? What does this country bring that others don’t?

With the rich cybersecurity ecosystem that Israel has, it is really not surprising to see how much of the talent and expertise is found here. As you probably know, in recent years Palo Alto Networks made several acquisitions in Israel, making it's Israeli site the company's largest R&D center outside of California. Building the Managed Threat Hunting team here made sense for two reasons: it allows us to work very closely with the product team which is located here, and it allows us to leverage the knowledge and cyber-security experience that Israel has to offer.


Who are threat hunters and what are the ways they provide more "peace of mind"?

The threat hunters are the people actually reviewing our customers' data, making sure no threats will go missed or unnoticed by the customer. They do so by performing manual threat hunting, as well as running sophisticated algorithms allowing them to sift through the vast amounts of data. In addition to proactively notifying the customer about such threats, customers can reach out to them for further assistance and rely on their expertise when they need to respond to critical threats.


In today’s world, what are some of the biggest threats online?

Covid-19 expedited the "digital transformation" process and the amount of time people are now online has skyrocketed – making us all much more exposed to attacks whenever we click a link or open a document. Palo Alto Networks' research team, Unit 42, recently released a report predicting that we will see a spike in cybercrime as economies go into recessions. With unemployment numbers around the world dramatically growing, some people will inevitably turn to cybercrime, as typically happens in economic downturns. The report also anticipates an increase in attackers targeting home routers and other Internet of Things (IoT) devices to compromise home networks, as more people will be working from home.


Additionally, even if you don't "get attacked" personally, much of your assets are now online - whether it's your bank, email or even twitter accounts, your identity is defined by virtual components, and if those are attacked, your actual identity can be compromised. When we think about the impact that this has on organizations such as our customers, and not just to specific people, the results of an attack can be disastrous.


Twitter’s recent hack saw financial markets change due to a few tweets. What are the types of warfare that don’t include conventional viruses or hacks?

A cyber-attack can have direct and indirect results that can be devastating. A direct attack can be used to cut off water supplies or mess with the traffic light system and cause massive congestion on the road, it can be used to shut down cellular networks and wipe out millions of dollars. But even indirect attacks can cause significant harm. Would you continue trusting our financial systems if all banks were attacked? Would you trust your government if your personal information got leaked? Something like that can ruin the economy of an entire country.


What are some of the ways that Cortex XDR Managed Threat Hunting is making the world a better place?

The attacks we mentioned don't happen instantaneously - hackers need to find a way in and then propagate within the organization until they find the "Holy Grail," the specific database or access that they can leverage to cause harm. This means we have time to identify the attack before its mission is completed. As long as we continue doing this successfully, we can provide that peace of mind, not only to our customers, but to our clients' clients.

We are shaping the future with technology that is transforming the way people and organizations operate. Our mission is to be the cybersecurity partner of choice, protecting our digital way of life. We help address the world's greatest security challenges with continuous innovation that seizes the latest breakthroughs in artificial intelligence, analytics, automation, and orchestration. By delivering an integrated platform and empowering a growing ecosystem of partners, we are at the forefront of protecting tens of thousands of organizations across clouds, networks, and mobile devices – helping to make each day more safe and secure than the one before.


Tell us as much as you can about the takedown of an insider threat.

We started working with a tech company based in Europe, employing approx. 5000 people. Within days of joining the service, our team found a threat. An employee of the company used legitimate applications to gain permissions to resources that should not have been available to him. By using these legitimate applications, he was able to "fly under the radar" and collect sensitive information. Preventing such threats is extremely difficult since there is no way to prevent employees from using these completely legitimate applications, but detecting this type of activity and investigating it whenever it occurs is a key element in making sure that no one will have access to information they should be able to collect. You can imagine how sensitive this issue is and if it wasn’t for us – the attempt would have probably succeeded.


What has the Corona outbreak and work from home done to the cybersecurity sphere?

It changed two significant things - the first is that many more employees are working remotely and require access to internal systems from outside the organization, which exposes these organizations to attacks on critical assets. Secondly, the security teams monitoring the environment and responding to threats that were found are no longer working the same way they used to, and need to collaborate differently, adjust their methodologies, and leverage new capabilities to increase their efficiency.


I'll give you an example. Traditionally, security operation centers (SOCs) have been physical environments that serve as the frontline of defense for organizations. However, that model has changed with the Covid-19 pandemic, as organizations move to a remote workforce. Palo Alto Networks’ internal security platform combined with Cortex XSOAR enabled the company to roll out a remote SOC – and so back in April, SOC analysts have adjusted their daily communication cadence by holding regular standups throughout the day and relying on Cortex XSOAR’s virtual War Room for real-time incident response and collaboration. The team’s security alerts have remained flat since moving its SOC from onsite at HQ in Santa Clara to remote.