Because of the customer’s broad range of services, security was—and is—a multi-team effort. It had long been challenging to coordinate between security, development, and production teams for regular security operations and incident response. The lack of a defined security operations center (SOC) team exacerbated this, resulting in a high volume of daily alerts (around 100) and dead time during incident handoffs.
The customer’s security teams also had multiple ingestion and detection sources to deal with. While they had a security information and event management (SIEM) system in place to aggregate logs and machine data into alerts, some incidents also flowed in via mailboxes, where employees forwarded suspected phishing emails. As a result, there was no single console from which to view alerts and execute incident response at scale.
The customer solved these challenges by deploying Cortex™ XSOAR alongside the existing SIEM, threat intelligence, email, and behavioral analysis solutions. Now, the security teams can take advantage of:
- Ingestion across sources: With Cortex XSOAR orchestration allowing for ingestion of alerts across sources, the customer can direct alerts from its SIEM and mailboxes into the Cortex XSOAR console for single-window visibility, triage, and response.
- Malware enrichment and response playbook: A custom playbook coordinates a range of products for automated malware enrichment and response. It runs threat intelligence actions on SIEM alerts to establish reputation for indicators of compromise (IOCs). Then, it retrieves endpoint details through integration with relevant tools, runs behavioral analytics using one of the customer’s custom tools, and deploys the dissolvable Cortex XSOAR agent on infected endpoints. Once extracted, Cortex XSOAR presents this wealth of data, such as file details and memory dumps, for the security team’s perusal.
- Team coordination: To address team coordination, the customer uses the Cortex XSOAR War Room to great effect. The War Room provides a platform through which cross-functional teams can view playbook task results, collaborate on plans of action, and run security commands in real time.
No SOC Team, No Problem
Playbooks—such as for malware enrichment—help automate previously time-consuming tasks and free up analyst time by providing rich information for problem-solving. Codifying a sequence of steps helps the entire team stick to a response quality benchmark and quickly onboard use cases.
Using the War Room for incident investigations improves team coordination and productivity, preventing the need to maintain disparate threads of communication across emails, tickets, and so on. Moreover, since participants can work in a common window, it’s easy to impart visibility and assign accountability when required.
Cortex XSOAR provides a central console, where incidents from multiple sources can be ingested. Multiple attacks belonging to common campaigns can be identified as related incidents within Cortex XSOAR, further sanitizing and enriching the alert queue so that security teams can respond to incidents more quickly.