Case Study

Automating to secure an entertainment empire


A world-class entertainment and hospitality leader maximizes the time and capabilities of its security operations team with help from Cortex XDR® and XSOAR.


In brief

Customer

A world-class entertainment company

Industry

Gaming, food and beverage, hotel and hospitality, retail, and conventions

Country

United States

Organization Size

50 properties


Challenges

Elevate the efficiency and effectiveness of its security operations center (SOC), securing this customer’s complex and growing enterprise.

Requirements
  • Streamline security operations.
  • Gain visibility into endpoint activity to accelerate detection and response.
  • Automate routine security tasks.

Solution

Use Cortex XDR and XSOAR to garner greater visibility and control to help their SOC team defend against sophisticated threats.


High-stakes security

When it comes to securing an enterprise as large and complex as this hotel and entertainment company, with more than 50 properties and tens of thousands of devices on a highly distributed network, the stakes are always high. That’s especially true today, as entertainment enterprises are increasingly frequent targets of sophisticated cybercriminals because of the rich store of customer and corporate data they hold.

“Not a day goes by that we don’t see a spear phishing attack that’s particularly aimed at one of our executives or a finance or procurement person,” says their senior vice president of cybersecurity. As a result, the Security Operations Center (SOC) team stays vigilant with threat hunting and current on applying software updates and patches. “We receive notifications from CISA (the U.S. Cybersecurity and Infrastructure Security Agency), Homeland Security, and the FBI that they are seeing specific attacks against our industry.” In addition to a continual stream of threats, the attacks are becoming more sophisticated and well-researched.

“My team has to identify these threats before they reach the targeted users—and before those users have a chance to click on links or expose the enterprise to financial attacks. These are very real, very serious threats,” the senior vice president adds.

Defending the attack surface of an enterprise this size is like protecting a municipality or small city. The company comprises numerous discrete business areas, such as gaming, food and beverage, hotel and hospitality, retail, and conventions, which underlines the scale and complexity of deploying the right security solution at the right time.

With initiatives in place to eventually build out a Zero Trust architecture and define “privacy-as-a-service,” the senior VP knew they needed to partner with a company that not only shared their vision but was also aligned in a commitment to offering security solutions that could scale to help the team achieve their longer-term goals.

Additionally, a security solution that could ease the burden of adhering to multiple compliance mandates across different jurisdictions and geographies was a selling point for Cortex XDR. That includes the ability to meet and exceed PCI DSS provisions through automated security controls for endpoint protection.



Our main considerations were to ensure that we can comply with all of the legal and regulatory codes while we are providing the minimum amount of friction to new innovation and new revenue opportunities.

Senior Vice President of Cybersecurity

CHALLENGE

Stay ahead of threats to advance security and business innovation

They were already a vast multinational corporation before being acquired by and merged with another large entertainment organization; with that transaction, they became one of the world’s largest entertainment companies. The cybersecurity team, however, has not grown in step with the number of properties it now protects: after the merger it oversees 50% more properties than its competitors, which is why the team needs a security provider that can scale efficiently while providing the best solutions and coverage on the market.

The merger also broadened the attack surface, an impetus to modernize and bolster the security stack quickly to account for the additional oversight and orchestration required across the expanded set of properties. By proactively aligning with industry best practices and deploying best-in-class security solutions from Palo Alto Networks, the team is now better equipped to withstand and prevent today’s sophisticated attacks.

The senior vice president of cybersecurity is able to boost productivity and coverage by deploying security tools like Cortex XDR and Cortex XSOAR that help automate formerly manual processes, letting his team focus on more critical responsibilities.

Before taking a platform approach to security with the Palo Alto Networks portfolio, the team ran 17 different core cybersecurity products, including intrusion detection, malware protection, firewalls, and endpoint protection, a sprawl that is common among enterprises protecting environments of similar size. “It was challenging at best to manage multiple tools,” recalled the senior VP. “There was little consistency. And our people were working much longer hours to keep up with the constant cyberattacks.”

Teams had to understand and manually configure different streams of information in order to verify and respond to threats. With even more properties to protect after the merger, they knew they had to streamline security operations without compromising productivity.

REQUIREMENTS

Streamline operations with a platform approach

Realizing each standalone tool required hands-on management that ate up valuable employee time, the decision was made to streamline operations and partner with Palo Alto Networks. The senior vice president of cybersecurity says they “did the math” and found that if they sent each person in the department to one class per year for each of the 17 products they were using, he would lose approximately 40% of employee productivity for the year. That’s one of the reasons they sought out a comprehensive security platform with a consistent user interface across all components.

Gain visibility to accelerate detection and response

They needed to reduce remediation times by cutting false positives and ensuring they could quickly validate and correlate threats across different third-party sources. Visibility into the telemetry from each of these sources would enable faster and more accurate triage, improve investigations, and speed decision-making.

Automate as much as possible

“I don’t think that you can be successful in the cloud without automation,” says the senior VP. “There’s simply no other way to have a meaningful, secure cloud presence without automation allowing scale up and down and the seamless upkeep management of all cloud components.” The issue is maximizing the valuable time for security analysts, especially when it comes to spotting genuine threats. “I want my security team exploring real, unique, and emerging threats. With XDR and XSOAR’s automation capabilities, our analysts can spend more time on proactive threat hunting as opposed to weeding through low-fidelity alerts cluttering up their dashboards.”


XDR helps me find patient zero in an infection, and XSOAR provides the automation to track it all to the root cause with the data collected and provided by Cortex XDR.

Senior Vice President of Cybersecurity

SOLUTION

Raising the game with Cortex’s advanced security operations platform

After researching a broad range of vendors and asking about their future product plans, they selected the Palo Alto Networks Cortex platform, with a particular focus on using the Cortex XDR (extended detection and response) and Cortex XSOAR (security orchestration, automation, and response) solutions.

Cortex XDR® provides a single-platform approach that uses AI-powered detection to protect endpoints and gives SOC teams the data they need to accelerate detection and response. It shortens investigation times by stitching security telemetry and alerts from multiple endpoints and additional data sources into a single incident that reveals the root cause. Cloud-based analytics across those data sources reduce blind spots and improve detection accuracy by surfacing sophisticated attacks and adding the context that simplifies investigations. By consolidating data, it also reduces the number of disparate solutions the team has to manage.

Cortex XSOAR allows them to standardize and automate processes and response actions. It manages the end-to-end incident lifecycle, boosts SOC efficiency, and facilitates cross-team engagement with real-time collaboration. XSOAR also serves as a central repository for internal and external threat intelligence, enabling automated correlation between indicators, incidents, and intel, so analysts and incident responders get enriched strategic intelligence for added insight into threat actors and attack techniques.

BENEFITS

Less time training means more time with eyes on screens

This company chose Palo Alto Networks in part because of the tight integration of the Cortex platform. Because the products interoperate and share a common interface, staff can be trained once on the platform as a whole rather than separately on each product. Less time in training means more time on the job, watching for breaches and other risks. According to the senior VP of cybersecurity, “We needed a platform solution that was both integrated and automated, with a common user interface and common user metaphors, so we didn’t have to train our engineers on a bunch of different vendors’ interface philosophies.”

As a result, the team is now much more productive and efficient. They have also seen cost savings from the single-platform approach, since buying the components separately would have cost considerably more. “Although the people and process side of it are more important, I don’t have to worry about whether they understand the user interface metaphor for a particular product, and they can focus on tracking events to the ground.”


Moving from alert responders to pure threat hunters

With Cortex XDR, the majority of requests for security actions, previously handled manually, are now dealt with automatically, allowing the SOC team to become “pure threat hunters.” “Perhaps the human will click a button,” the senior VP of cybersecurity explained, “but the workflow is almost entirely automated.” For example, automated response to certain phishing emails has reduced mean time to respond (MTTR) by as much as 95% in some cases. The SOC team is then freed up to hunt for more complex APTs, validate custom applications, and identify flaws in procured applications or in the highly complicated interactions between applications, whether internally developed or purchased.

Cortex XDR also gives them visibility across their network. The senior VP of cybersecurity adds, “Having the XDR telemetry reporting into Cortex XSOAR, it can automatically pursue any credible threats. XDR helps me find patient zero in an infection, and XSOAR provides the automation to track it all to the root cause with the data collected and provided by Cortex XDR.” They currently have 15 XSOAR playbooks in production, with eight more in the pipeline, plus three playbooks tied to XDR in production, which they estimate have already reduced the SOC’s manual operations by as much as 30%.

Realistically, anything that XSOAR and XDR can automate together provides the enrichment a SOC analyst needs to make a “go/no-go” decision on a particular event almost immediately. “We’re aiming for a 75% automation rate,” the VP of cybersecurity says. “And my team has been ecstatic about the automation features because frankly, they have been overworked and overtaxed.”
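The workflow the senior VP describes above, stitching alerts from several endpoints into one incident, identifying patient zero, enriching the incident’s indicators against threat intelligence, and arriving at a go/no-go decision, can be sketched in a few dozen lines. The following is an added illustration written for this page; it is not Cortex XDR or Cortex XSOAR code and uses none of their APIs. Every alert, host name, indicator value and threat-intel entry is constructed, and the containment threshold of 80 is an assumed policy setting.

```python
"""Illustrative alert stitching, enrichment and go/no-go triage.

Added example for this page: NOT Cortex XDR or Cortex XSOAR code, and it uses
none of their APIs. Every alert, host name, indicator and threat-intel entry
below is constructed for the demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Alert:
    alert_id: str
    host: str
    ts: datetime
    indicators: frozenset  # IOCs observed in the alert: hashes, domains, IPs


# Constructed threat-intel table standing in for an indicator repository.
# Values are (verdict, confidence 0-100); anything not listed is "unknown".
THREAT_INTEL = {
    "evil.example": ("malicious", 90),
    "sha256:deadbeef0001": ("malicious", 95),
    "updates.example": ("benign", 100),
}

# Assumed policy threshold: malicious indicators at or above this confidence
# trigger automated containment without waiting for an analyst.
AUTO_CONTAIN_CONFIDENCE = 80


def sample_alerts():
    """Constructed endpoint alerts: three hosts touched by one campaign,
    one benign software update, and one unknown tool."""
    def t(h, m):
        return datetime(2024, 1, 15, h, m)
    return [
        Alert("A1", "ws-01", t(9, 0), frozenset({"evil.example", "sha256:deadbeef0001"})),
        Alert("A2", "ws-02", t(9, 5), frozenset({"sha256:deadbeef0001"})),
        Alert("A3", "ws-03", t(9, 7), frozenset({"evil.example", "10.0.0.5"})),
        Alert("A4", "srv-01", t(10, 0), frozenset({"updates.example"})),
        Alert("A5", "ws-09", t(10, 30), frozenset({"sha256:cafef00d0002"})),
    ]


def stitch_alerts(alerts):
    """Group alerts that share at least one indicator into incidents.

    Union-find over alert ids: two alerts are linked if any IOC appears in
    both, so A1-A2 (shared hash) and A1-A3 (shared domain) become one
    incident even though A2 and A3 share nothing directly.
    Each incident is returned sorted by timestamp, earliest alert first.
    """
    parent = {a.alert_id: a.alert_id for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_alert_with = {}
    for a in alerts:
        for ioc in a.indicators:
            if ioc in first_alert_with:
                parent[find(a.alert_id)] = find(first_alert_with[ioc])
            else:
                first_alert_with[ioc] = a.alert_id

    groups = defaultdict(list)
    for a in alerts:
        groups[find(a.alert_id)].append(a)
    return [sorted(g, key=lambda a: a.ts) for g in groups.values()]


def enrich(incident):
    """Look up every indicator in the incident; unknown IOCs get ("unknown", 0)."""
    iocs = set().union(*(a.indicators for a in incident))
    return {ioc: THREAT_INTEL.get(ioc, ("unknown", 0)) for ioc in sorted(iocs)}


def triage(incident):
    """Return patient zero, affected hosts, enrichment and a go/no-go decision."""
    verdicts = enrich(incident)
    worst = max((c for v, c in verdicts.values() if v == "malicious"), default=0)
    if worst >= AUTO_CONTAIN_CONFIDENCE:
        decision = "go"       # high-confidence malicious: automated containment
    elif all(v == "benign" for v, _ in verdicts.values()):
        decision = "close"    # low-fidelity, known-good: auto-close, no analyst time spent
    else:
        decision = "no-go"    # unknown or low-confidence: keep a human in the loop
    return {
        "patient_zero": incident[0].host,   # earliest alert in the stitched incident
        "first_seen": incident[0].ts,
        "hosts": sorted({a.host for a in incident}),
        "alerts": [a.alert_id for a in incident],
        "indicators": verdicts,
        "decision": decision,
    }


def run(alerts):
    """Stitch, enrich and triage; incidents ordered by when they began."""
    return sorted((triage(i) for i in stitch_alerts(alerts)), key=lambda r: r["first_seen"])


if __name__ == "__main__":
    for r in run(sample_alerts()):
        print(f"{r['decision']:5} patient zero {r['patient_zero']}  "
              f"hosts {r['hosts']}  alerts {r['alerts']}")
```

On the constructed input, the three campaign alerts collapse into one incident with ws-01 as patient zero and a “go” verdict, the software-update alert is closed without analyst time, and the unknown tool on ws-09 is routed to a human. In a SOAR playbook the “go” branch would be the automated containment task (isolating the endpoint, blocking the indicators) and the “no-go” branch is where the analyst’s go/no-go click happens; the point of the enrichment is that the analyst sees the whole stitched incident, not five separate alerts.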


The Palo Alto Networks platform gives us more time with eyes on screen and hands on keyboard actually protecting our customer data and the enterprise.

Senior Vice President of Cybersecurity

Today, visibility and efficiency drive SOC team productivity

With Palo Alto Networks, this world-class entertainment company has dramatically increased visibility into its environment and the efficiency of its processes without increasing cybersecurity staffing. Adds the senior VP of cybersecurity, “The efficiency comes with synergies between the security solutions on the platform. And with the increased visibility, we’re exacting increased control. It’s all good.”

For more information about the Palo Alto Networks security platform, visit the Cortex XDR and Cortex XSOAR webpages.