Auto Trader Group plc is the largest digital automotive marketplace in the UK and Ireland. Established in 1977 as a local classified magazine, Auto Trader has evolved over 40-plus years to be a 100% digital business with a comprehensive ecosystem for buying and selling vehicles online. The Auto Trader marketplace hosts the largest pool of vehicle sellers (listing more than 470,000 cars each day) through its partnership with more than 13,300 retailers. With a focus on continually evolving the ecosystem to provide a better experience for consumers, retailers, and manufacturers, Auto Trader attracts more than 50 million cross-platform visits per month. Auto Trader is listed on the London Stock Exchange, and is a constituent of the FTSE 100 Index.
As a 100 percent digital business, Auto Trader is keenly focused on securing customer data and preventing cyberthreats from disrupting its online services. With the greatest risk coming from the potential spread of malware across endpoints and the internal network, Auto Trader needed a way to catch potentially malicious east-west network traffic and risky user behavior on the endpoints. However, its legacy firewalls and traditional endpoint protection lacked the necessary intelligence. By replacing its previous security infrastructure with Palo Alto Networks Strata™ network security platform and Cortex XDR™ extended detection and response platform, Auto Trader gained a holistic solution for securing its network and endpoints, with the intelligence to instantly identify anomalous activity, determine its risk level, and facilitate a rapid response. This enables Auto Trader to improve the efficiency of its security and infrastructure teams in handling security incidents, with remediation time reduced from up to 3 hours to less than 10 minutes, minimizing the impact on user productivity while strengthening protection of vital customer and business data.
Adapting to a Changing Threat Landscape
For more than 40 years, Auto Trader has been the go-to resource across the UK for people interested in buying and selling vehicles. In fact, the company prides itself on being the most trusted automotive marketplace in the nation. As a 100 percent digital business, earning and keeping that trust requires great care in the way Auto Trader manages and secures customer information, and protects its business infrastructure from cyberthreats that could disrupt online services.
Like most enterprises, Auto Trader historically relied heavily on perimeter firewalls to keep out malware, along with traditional antivirus software, to protect its endpoints. However, as the threat landscape has changed in recent years, and its reliance on cloud services and SaaS applications has grown, the company needed to take a fresh look at its security strategy.
Simon Taylor, security squad lead with Auto Trader, says, “The number one risk for us today is our own people clicking on malicious links. You can have security tools all across your landscape, but ultimately you have to be able to look holistically at behavior patterns and other signals to catch the threats. That’s quite difficult to do with disparate systems.”
Michael Braid, Auto Trader’s infrastructure manager, underscores this point: “Five or ten years ago, we had very few phishing attacks. Now they are through the roof. We have a more mobile workforce, using a variety of SaaS applications, and they’re not on our network all the time. That brings inherent risk. You have to adapt your security posture to these changes.”
Wanted: A Cohesive Security Strategy
While Auto Trader’s perimeter firewalls could protect against inbound threats, they didn’t prevent the spread of threats internally across the network. Observing east-west traffic required more intelligence and automation. Similarly, the company’s endpoint protection solution lacked the intelligence to analyze the actions executed if someone clicked on a phishing link, meaning the only recourse was to wipe the machine.
With Auto Trader’s reputation at stake, the infrastructure and security teams began evaluating new solutions that could address these issues. Following intensive research, they considered several options, including upgrading the firewalls and deploying network traffic analytics (NTA). While NTA technology produces network intelligence, it stops at the endpoint. Therefore, they’d need another solution for the endpoints.
Then the problem would be how to manage all the disparate systems and enable a cohesive response across security and IT.
After local partner Orange Cyberdefense UK introduced Auto Trader to Palo Alto Networks, the team also took a close look at Cortex XDR™ from Palo Alto Networks. Braid notes, “Cortex XDR gave us the ability to take in data feeds from both the firewalls and the endpoints and get truly actionable intelligence. That’s what we wanted. It’s a cohesive strategy. I don’t think there was anyone else in the market at the time even close to having that kind of one-vendor solution. Palo Alto Networks had the vision, and what they promised is where we ended up.”
New Levels of Efficiency for Incident Detection and Response
With deployment assistance from Orange Cyberdefense UK, Auto Trader has replaced its legacy firewalls with the Palo Alto Networks Strata™ network security platform, including Next-Generation Firewalls, Threat Prevention, URL Filtering, and the WildFire® malware prevention service. The company also deployed Cortex XDR for unified prevention, detection, investigation, and response across endpoint and network data, eliminating the need for separate antivirus software.
This comprehensive solution has been especially helpful during the COVID-19 pandemic as most Auto Trader employees are working remotely. Despite this change, Cortex XDR continues to apply behavioral analytics on traffic, and the security squad is still capturing all the logs, enabling the team to observe details of end-user activity on and off the network. This has proven highly beneficial from an incident investigation perspective.
Simon Smith, a cybersecurity specialist with Auto Trader, remarks, “In the past we might have an IP address but no easy way to trace that back to a particular machine. Now, with Cortex XDR, we can instantly know the machine, the user—we can see everything on one screen. If all we had was an IP address with everyone at home, that wouldn’t be useful to us. It feels like we’ve moved to a new generation of security, covering so many bases for looking into incidents. It makes everyone much more efficient.”
Taylor agrees, “Cortex XDR has brought the security and infrastructure teams closer together. When we have to respond to a security incident, we’re all using the same tool and the same data to combat the issue.”
A recent incident put Cortex XDR to the test. To support a new cloud telephony system, the infrastructure team pushed out an application to change the default browsers on all the endpoints, doing so in an unsigned format. Cortex XDR instantly detected this abnormal activity and alerted the security squad, which enabled immediate isolation of the machines from within the same Cortex XDR console. Despite everyone working from home, the security and infrastructure teams were both able to view the incident in Cortex XDR and, within 10 minutes, had the situation figured out.
Braid recalls, “It turned out to be a false positive, but that application could easily have been a piece of malware. It just shows how quickly Cortex XDR was able to bring us all together. We opened the forensics logs, which showed it was one of our engineers changing the default browsers. Without that forensic data, I don’t think we could have put two and two together like that. The actionable intelligence coming from Cortex XDR is absolutely key.”
Smith adds, “Cortex XDR provides a lot of valuable functionality for investigations. The ability to scroll back and forth on the timeline of events for a particular machine—from a forensic point of view—that’s as good as it gets. If there’s been a bad process, you can see if anything went out onto the network. You can tie information together in a way we couldn’t do before without looking across multiple systems. Cortex XDR makes everything much quicker and more efficient.”
Improves Service to the Business and Customers
Another key benefit Cortex XDR brings to Auto Trader is the ability to surface the most critical alerts for immediate attention, while reducing the noise of low-risk or benign activity. Smith points out, “The way Cortex XDR breaks down alerts based on risk is really useful. We’re able to clear off those incidents that we aren’t worried about and focus on the high and medium alerts as a priority.”
In addition, Cortex XDR provides the security team with a wealth of information about each alert. It incorporates threat intelligence coming in from WildFire®, the AI-based behavioral analytics to understand the context of anomalous activity, as well as the granular logs from the endpoints and firewalls. Smith notes, “There’s a lot of efficiency built into the product to help us make decisions. It saves time, which is important for a small security team like ours.”
Cortex XDR is also helping Auto Trader’s engineers be more efficient. In the past, the only way to know with confidence that an infected machine was safe to use was to wipe it. That process could take one or two hours of an engineer’s time, and then another hour to reimage the machine. Meanwhile, the user cannot work.
“That’s not efficient,” says Braid. “It’s stressful and disruptive. We see about 10 malware detections a month—some heuristic, dodgy stuff—and with Cortex XDR, we now have a complete picture of what we need to do. We can take precise actions based on data, not guesswork. So instead of wiping the whole machine, we can remediate particular elements and be confident nothing has spilled out into the network. We can have a user back up and running in less than 10 minutes. It takes a lot of pressure off everyone, and allows our engineers to spend more time on the user experience, which is the main objective of my team. We’ve taken surveys of users from a customer service point of view, and it’s improved significantly.”
At the end of the day, the value of improving the speed and effectiveness of incident detection and response extends beyond the security squad and engineering team at Auto Trader. The company is in business to help people buy and sell vehicles, and that only works if customers have trust in the online marketplace.
Taylor concludes, “Our digital business is built on reputation. People who come to our site put their trust in us to buy a vehicle. They have to be confident we’re protecting their personal information. Any loss in that confidence would be harmful to our reputation. That’s why it’s so important for us to have a holistic approach to security with Cortex XDR and the whole Palo Alto Networks platform. It protects our technology infrastructure, and most important, our data, which is the heart of the business.”