How The Pokémon Company International uses Cortex XSOAR automation and orchestration to catch ’em all

Despite a tremendous workload, the security and IT teams at The Pokémon Company International needed to work efficiently and remain lean and agile. John Visneski, director of information security, said, “The security team needs to move quickly to keep up with the business. To do that, we automate everything that does not require a human to do. We want to improve our ability to observe, orient, decide, and act. By tightening that process, we can respond better to incidents and keep pace with the business and our developers in a way that security teams in the past could not do.”

To achieve that objective, Visneski and his team deployed Cortex XSOAR by Palo Alto Networks. With it, the team can automate operational processes in response to alerts on-premises and in the cloud. This solution frees up more time for Pokémon’s security operations analysts to focus on correlating data to better understand the overall threat landscape and how to defend against bad actors.

As one of two analysts on the security operations team at The Pokémon Company International, Sean Hastings feels the value of Cortex XSOAR firsthand. “We don’t have time to personally respond to every phishing attempt or incident of compromised credentials that SOC teams generally deal with on a daily basis,” Hastings says. “A single phishing email could take an average of 15 to 20 minutes per email, and at one point, we received four to five of them daily.” Addressing each incident manually was time-consuming, involving numerous steps to determine if there was malicious activity and, if so, to investigate and remediate the issue. However, the actions required were always the same. By automating incident response with Cortex XSOAR, every step is now automatically run as part of a playbook, which resolves the incident, keeps a detailed log of everything that occurred, and notifies the end user. Hastings notes, “The value we have seen from Cortex XSOAR is we get stronger overall security because the response is instantaneous. We can provide better customer service for whoever reported the incident because they get a message confirming the action was taken. And, ultimately, it gives me more time to focus on higher-level tasks.” He adds, “What a phishing incident looks like now is we check a dashboard in Cortex XSOAR and verify that it’s been resolved. That’s it.”

In addition to simplifying incident response for security operations, Cortex XSOAR also allows the information security team to play a more integral role in supporting DevOps. Visneski explains, “We look at what our DevOps teams are trying to achieve and how we can leverage tools like Cortex XSOAR to help them meet their goals more efficiently, effectively, and securely. That positions InfoSec as an integrative agent to solve problems, using our tools and insights to enable the business.” Since Pokémon’s initial “lift and shift’’ to AWS, the company has pushed toward cloud-native application development. One example is a situation where an engineer’s account is compromised. The time it takes to detect the problem, assess its severity, and resolve it is critical to productivity. Historically, the security team would only learn of a compromised account when an engineer reported being locked out or seeing suspicious behavior. If the incident involved AWS credentials, the team also had to determine if any suspicious and/or malicious activity carried over to the local environment. Bridging that gap is another place where Cortex XSOAR now plays a pivotal role.

Hastings points out, “The automation and orchestration of Cortex XSOAR have really made our job a lot easier. It allows us to compile the AWS security health data with our Active Directory or SaaS logs and on-prem resources like our Palo Alto Networks firewalls or our SIEM. All that data is in one centralized location. If an account is compromised, the incident is created in Cortex XSOAR, which automatically runs a playbook to contain and remediate the incident instantaneously both in the cloud and in the local environment.” He adds, “A human trying to coordinate everything manually would always be several steps behind an attacker. But with automation, the incident is essentially over before it begins.”

The implementation of Cortex XSOAR at The Pokémon Company International is a prime example of how automation and orchestration can give security operations teams an edge over attackers. It provides teams with a system that acts intelligently in real time to prevent successful attacks, rather than putting teams in a reactive position like traditional detection and response solutions. Hastings concludes, “We have a small InfoSec team and a growing company, which means we constantly need to do much more with less. Using Cortex XSOAR, we can allow automation to do the repetitive, predictable tasks, which frees up more time for us to put toward projects that contribute value to the business.”

Cortex^® XSOAR^™ supercharges incident response across your SOC. Reduce time spent on incidents by 90%,* eliminate busy work, speed investigations, and orchestrate across your SOC. Cortex XSOAR enriches data, improves alert triage, and automates repetitive tasks to reduce investigation time from hours to minutes.

Learn more at https://www.paloaltonetworks.com/cortex/cortex-xsoar.