Moving from alert responders to pure threat hunters
With Cortex XDR, the majority of requests for security actions—previously handled manually—are being dealt with automatically, allowing the SOC team to become “pure threat hunters.” “Perhaps the human will click a button,” the senior VP of cybersecurity explained, “but the workflow is almost entirely automated.” For example, automated response to certain phishing emails has reduced mean time to respond (MTTR) by as much as 95% in some cases. The SOC team is then freed up to search for more complex APTs, validate custom applications, and identify flaws in procured applications or in the highly complicated interactions between applications—whether internally developed or purchased.
They also get complete visibility into their network with Cortex XDR. The senior VP of cybersecurity adds, “Having the XDR telemetry reporting into Cortex XSOAR, it can automatically pursue any credible threats. XDR helps me find patient zero in an infection, and XSOAR provides the automation to track it all to the root cause with the data collected and provided by Cortex XDR.” They currently have 15 XSOAR playbooks in production, with eight more in the pipeline. They also have three playbooks related to XDR in production, which they estimate have already reduced the SOC’s manual operations by as much as 30%.
Realistically, anything that XSOAR and XDR can automate together provides the enrichment needed to allow a SOC analyst to make a “go/no-go” decision on a particular event almost immediately. “We’re aiming for a 75% automation rate,” the VP of cybersecurity says. “And my team has been ecstatic about the automation features because frankly, they have been overworked and overtaxed.”