Story Summary
For nearly a quarter century, The Pokémon Company International has been delighting people young and old with imaginative animated characters that come to life in the form of games and entertainment—from trading cards and television to home entertainment and online media. The company supports hundreds of millions of customers who connect through its games and apps hosted on the Amazon Web Services (AWS®) cloud platform, whether to engage with Pokémon GO, play the digital trading card game, or take part in other organized online events. That alone would be a full-time job for the information security team—but the team is also responsible for securing the entire corporate IT infrastructure and connections with numerous third-party developers who contribute to the Pokémon® portfolio.
It’s a complex ecosystem that is continually growing. To keep pace, the security team needs to work efficiently, staying lean and agile. John Visneski, director of Information Security, says, “The security team needs to move very fast to keep up with the business. To do that, we automate everything that does not require a human to do. We want to speed up our ability to observe, orient, decide, and act. By tightening up that process, we can not only respond better to incidents, but also be able to keep pace with the business and our developers in a way that security teams in the past were not able to do.”
To achieve that objective, Visneski and his team deployed Cortex™ XSOAR by Palo Alto Networks. With it, the team can automate operational processes in response to alerts on-premises and in the cloud. This frees up more time for Pokémon’s security operations analysts to focus on correlating data to better understand the overall threat landscape and how to defend against bad actors.
As one of two analysts on the security operations team at The Pokémon Company International, Sean Hastings feels the value of Cortex XSOAR firsthand. “We don’t have time to personally respond to every phishing attempt or incident of compromised credentials that SOC teams generally deal with on a daily basis,” Hastings says. “A single phishing email could take an average of 15 to 20 minutes per email, and at one point, we were receiving four to five of them a day.”
Addressing each incident manually was time-consuming, involving numerous steps to first determine if there was malicious activity, and then if so, to investigate and remediate the issue. However, the actions required were always the same. By automating incident response with Cortex XSOAR, every step is now automatically run as part of a playbook, which resolves the incident, keeps a detailed log of everything that occurred, and notifies the end user.
Hastings notes, “The value we have seen from Cortex XSOAR is we get stronger overall security because the response is instantaneous. We can provide better customer service for whomever reported the incident because they’re actually getting a message back confirming the action that was taken. And, ultimately, it gives me more time to focus on higher-level tasks.” He adds, “What a phishing incident looks like now is we check a dashboard in Cortex XSOAR and verify that it’s been resolved. That’s it.”
In addition to simplifying incident response for security operations, Cortex XSOAR also allows the Information Security team to play a more integral role in supporting DevOps.
Visneski explains, “We look at what our DevOps teams are trying to achieve and how we can leverage tools like Cortex XSOAR to help them meet their goals more efficiently, effectively, and securely. That positions InfoSec as an integrative agent to solve problems, using our tools and insights to enable the business.”
Since Pokémon’s initial “lift and shift” to AWS, the company has pushed toward cloud native application development. One example is a situation where an engineer’s account has been compromised. The amount of time it takes to detect the problem, assess its severity, and then resolve it is critical to productivity. Historically, the security team would only learn of a compromised account when an engineer reported being locked out or seeing suspicious behavior. If the incident involved AWS credentials, the team also had to determine whether any suspicious or malicious activity carried over to the local environment. Bridging that gap is another place where Cortex XSOAR now plays a pivotal role.
Hastings points out, “The automation and orchestration of Cortex XSOAR has really made our job a lot easier. It allows us to compile the AWS security health data with our Active Directory or SaaS logs, as well as on-prem resources like our Palo Alto Networks firewalls or our SIEM. All that data is in one centralized location, so if an account is compromised, the incident is created in Cortex XSOAR, which automatically runs a playbook to contain and remediate the incident instantaneously both in the cloud and in the local environment.”
He adds, “A human trying to coordinate everything manually would always be several steps behind an attacker. But with automation, the incident is essentially over before it begins.”
The implementation of Cortex XSOAR at The Pokémon Company International is a prime example of how automation and orchestration can give security operations teams an edge over attackers. It provides teams with a system that acts intelligently in real time to prevent successful attacks, rather than putting teams in a reactive position like traditional detection and response solutions.
Hastings concludes, “We have a small InfoSec team and a growing company, which means we constantly need to do a lot more with less. Using Cortex XSOAR, we can allow automation to do the repetitive, predictable tasks, which frees up more time for us to put toward projects that contribute value to the business.”