Case Study

Enabling state-of-the-art cybersecurity at a comprehensive cancer and research center

A leading cancer hospital and research center established a model cybersecurity practice and next-gen security operations center (SOC) using advanced technologies from Palo Alto Networks, featuring Cortex® XSOAR, Cortex XDR®, and GlobalProtect™.

In brief



Organization SIze

28 inpatient, outpatient, and teaching campuses with 27,000+ endpoints


United States


Headquartered in California


Advance this medical center’s security and response capabilities while building a world-class cybersecurity function and next-gen SOC—all while enabling and securing a remote workforce to perform without interruption during COVID-19 WFH protocols.

  • A SOAR with next-gen capabilities and playbooks that automate responses and repeatable actions
  • Cloud-based capabilities
  • Complete network and endpoint visibility
  • Secure remote access to business networks and resources

Leverage Palo Alto Networks Cortex XSOAR and Cortex XDR products as foundations for its new Cyber Defense Operations Center (CDOC), and GlobalProtect to secure its remote workforce.

Download PDF Share

Leading the way to secure vital research and care

This world-class comprehensive medical center has grown into a leader for advancing cancer research and treatment protocols and is consistently ranked among the nation’s “Best Hospitals” in cancer care by U.S. News & World Report. It is designated a comprehensive cancer center by the National Cancer Institute and is a founding member of the National Comprehensive Cancer Network. Their work to combat cancer and diabetes there is life-changing.

Achieving the outcomes that they are known for requires not only expert staff and treatment modalities but also advanced cybersecurity to ensure all of their data, including PII (personally identifiable information), and communications are secure. In today’s complex and active threat landscape, a medical institution’s cybersecurity practices must be as innovative and transformative as the work they protect.

Their chief technology officer understands this critical need well, affirming, “If you look at innovation in healthcare, you’re hard-pressed to see something that’s not technology enabled,” so there were plenty of technology solutions that they were called on to deploy. To ensure success, their CTO looked to what they considered to be the pillars of successful tech deployment: “It’s cost effective, it meets business outcomes. It delivers a good user experience. And then we always end with, ‘Can we secure it?’ And we want to say that in every case,” they added.

On top of that, they specified the challenge of managing the veritable explosion of data taking place in healthcare—and the requirement to adhere to compliance and security mandates. As a result, their IT team has to think about protecting data in all of its forms, from clinical trials and the research their institution leads to the data within its core systems from ERP to financial accounting.


When we look at things like precision medicine, it’s really about the full 360° of a patient. But we don’t necessarily own all that data. So, the democratization of data—where it’s secure, but it can be shared across a wider audience—needed to happen.

Chief Technology Officer
They acknowledged that security in healthcare used to be about protecting the network perimeter and not letting people in. But today, “trust, but verify” is their Zero Trust mantra. They seek to understand where threats are coming from in order to stay ahead of them and eliminate them.

In 2019, all of these factors led the CTO to call upon their then security and infrastructure engineering director to lead their cybersecurity strategy. Both leaders were focused on continuing to advance their technology, infrastructure, and security practices to ensure they could protect the groundbreaking work happening across their organization.

The security and infrastructure engineering director took on the role of acting director of cybersecurity with the prime directive to aggregate and formalize their current security operations practices and team and build, from the ground up, a next-gen SOC. He sought to deliver something for them that could stand as a model for other healthcare organizations—leveraging automation and the latest AI to manage and eradicate threats.


Standing up a next-gen SOC is step one

To advance their cybersecurity maturity to the next level and lay the groundwork for building a modern SOC, the first line item was updating or replacing their existing security orchestration capabilities. The security and infrastructure engineering director also sought to expand endpoint security beyond antivirus to a full-featured, next-gen EDR (endpoint detection and response). “To maximize our security and investment dollars, I knew we had to be strategic about how we were defining our design and looking at our existing infrastructure,” the director said.

Little did the director know at the time, but their group would soon also be responsible for scaling their security and response to protect a remote, home-based workforce due to COVID-19. Even with this added challenge, the center was able to successfully stand up their new Cyber Defense Operations Center (CDOC), their preferred name, over the more traditional SOC nomenclature. However, there were many decisions and needs to be addressed on the way to that significant milestone.


Advancing security while reducing cost and complexity

When embarking on his journey, the security and infrastructure engineering director already had three requirements:
  • The SOC must be based on next-gen SOAR (security orchestration, automation, and response).
  • It should be a cloud-based solution.
  • It should serve to upgrade their endpoint protection—integrating with their SOAR to automate many of the functions that SOC analysts in their industry and others often spend too much time on.

  • Specifically, they wanted SOAR and endpoint tools working together for full SOC capability. The SOAR they chose would need to orchestrate detection and response on the network and endpoints, with automated capabilities and playbooks that enable security staff to focus on higher-level security and risk management tasks.

    Along with orchestration, the center needed full visibility into all endpoints and next-gen endpoint protections to supplement and orchestrate under their SOAR-based SOC. They also needed this level of integration to easily and quickly identify and classify all assets in the enterprise, manage their vulnerabilities, and automate responses. Most importantly, they needed it to detect unknown threats to ensure that no devices would infect the network.

    While assessing and inventorying their existing security products, the security and infrastructure engineering director was determined to consolidate systems while also reducing costs and complexity. “We needed to understand what we knew, which meant getting an inventory, and then we needed to understand what we didn’t know and protect against it,” they explained. “I knew a SOAR was going to be the core of our SOC. So, the first thing I did was look into the endpoint and SOAR solutions we already had in-house.”


    Palo Alto’s XSOAR was a SOAR on steroids.

    Director, Security and Infrastructure Engineering


    Discovering the capabilities of Cortex XSOAR and Cortex XDR

    The center’s original orchestration and endpoint solutions came up for renewal during the planning process, and the orchestration system, in particular, had a hefty price tag for renewing. So, before moving ahead, the security and infrastructure engineering director and CTO asked for a new demo of their current product.

    During that demo, the leaders noted that the main benefit of their current orchestration system was its ticketing system. However, it lacked the level of automation they really needed to support a next-gen SOC. This led them to request a live demo of Palo Alto Networks Cortex XSOAR. Seeing the tool in action made them confident they’d found the perfect solution.

    “Palo Alto’s XSOAR was a SOAR on steroids. Once I found out what Palo Alto had and how it integrated into our stack, and because we were already working on vendor consolidation, Palo Alto became our primary vendor to support the four pillars of the SOC, which also meant we would utilize them for securing our endpoints,” the director added

    Once installed, they then focused on the endpoints, installing XDR with XSOAR to identify their gaps and applications of value (such as its critical SAP servers), to learn behaviors, and to prioritize security updates.

    In the midst of all of this transformation, COVID-19 protocols and new work-from-home mandates led them to move much of their workforce to home offices in March 2020. Fortunately, they were able to pivot easily by installing Palo Alto Networks GlobalProtect for firewall and VPN-layered access protections on the network, which integrated with their new Cortex XSOAR for SOC orchestration.


    Setting the bar for next-gen protection

    By upgrading to Cortex XSOAR orchestration and Cortex XDR for endpoint protections, the medical center’s security and infrastructure engineering director built the CDOC and accomplished the top three goals for the team: integrative orchestration and response; expanded visibility and automation; and vendor consolidation. Achieving these things has elevated their security posture and even shifted the focus of the team in positive ways.

    Cortex XSOAR orchestration significantly reduces alerts

    When the CDOC went live in October, the team initially fielded 1,500 alerts and resolved all of them within a month by utilizing their playbooks. They could have pulled the trigger to automatically resolve all the alerts overnight, but they chose to slow down the process and use the alerts to learn and understand their new playbooks and capabilities. Now alerts are down to a manageable 40 per day, most of which are automatically resolved based on playbooks and automated analysis.

    “For us to have been able to do that work,” stated their security and infrastructure engineering director, “I think about seven FTEs we would’ve needed … And so, from a resourcing perspective, I saved a lot of money to be able to manage this amount of work with the four analysts that I have in the SOC.”

    Cortex XSOAR playbooks automate investigation and response

    XSOAR provides playbooks that, once set, automate many of the detection, investigation, and response actions—such as log analysis, device, access and application behavior analysis, and whois lookups—that analysts usually do manually. “What I really love are the playbooks that allow us to document our investigation and response processes and model our security practices. We worked with Palo Alto extensively to set policies for dozens of playbooks and sub-playbooks to automate responses,” added the director.

    As an example, the playbook performs automated blocking of malicious IP addresses. Cortex XDR uses behavioral analytics to identify a malicious IP address and then processes it using the following steps:
    1. IP Enrichment
      • Checks several threat intelligence sources.
      • Generates an automated scoring calculation.
      • Automatically determines if the IP address should be blocked based on threat analytics.
    2. Queries Palo Alto Networks Panorama™ or firewall to determine if the IP address already exists as part of the Static Block Group.
    3. Adds IP address to the Static Block Group.
    The playbook automatically blocks malicious IP addresses
    The playbook automatically blocks malicious IP addresses


    Threat actors do not wait till the afternoon; they will process malicious IPs at 3 a.m. on a Saturday. With the XSOAR automation, we are guaranteed we have IPs dropped almost in real time, 24 hours a day, 365 days a year.

    Director, Security and Infrastructure Engineering

    SOC analysts can be deployed in new ways

    Those playbooks force the exact same processes to occur under the playback scenarios for classified incidents and protected endpoints. That means that new staff members are easily trained, and the playbooks also remove a lot of the redundant work of trying to discern and identify real alerts from network noise.

    “Because XSOAR automates our playbooks’ steps and processes, it frees up our analysts’ time, and it allows me to involve them in other facets of security that keep their interest. This frees up our team members to learn new things, which keeps them interested in sticking around,” the director notes. “We’re also focusing on red and blue teams (for security and vulnerability testing), holding brown-bag lunches, and hosting tabletop exercises.”

    Cortex XDR and its data lake offer unparalleled visibility and gap analysis

    With the implementation of Cortex XDR on endpoints, the new CDOC has achieved near-full coverage, even with the added stress of securing remote teams during the pandemic. As a result of this coverage, visibility into endpoint states and threats has improved dramatically. They attribute this in part to the Cortex XDR-generated data lake, which pulls alerts, logs, and behavioral activity from their 14,000+ endpoints into a cloud-based data lake for analysis and correlation.

    The director affirms, “We have 98, 97% coverage of XDR in our environment, which is really great because not only do we have XDR, but we have the [Cortex] Data Lake, which takes the alerts from all of those endpoints and puts them into that Data Lake cloud, which gives us more visibility ... I really liked the Palo Alto frameworks. The visibility is critical.”

    GlobalProtect enables a simpler, more enjoyable remote experience

    When the world changed in March 2020 due to COVID-19, suddenly, nearly everyone needed to work from home. Organizations had to pivot quickly to figure out how to secure people working remotely and give them access to the appropriate resources. Fortunately, the center was in the midst of a proof of concept (PoC) for Palo Alto Networks GlobalProtect. When COVID-19 happened, they were able to jump in and leverage GlobalProtect to get nearly 3,000 staff working from home in a matter of weeks to securely connect to their network.

    For the security and infrastructure engineering director, one of the best parts about deploying GlobalProtect was its single sign-on (SSO) ease of use. “If you sit there and you visualize you as that person at home working, you see how much better it is to be able to just open up your laptop, log in and work, as opposed to going through hoops.”

    Palo Alto Networks technology detected SolarStorm andother unknown threats

    “XDR orchestrated through XSOAR uses threat intelligence, AI, and behavioral analysis to determine that if it walks like a duck and quacks like a duck, it’s a duck. In the same vein, if it takes actions like a threat, it’s a threat; the need for signatures is not necessary. It determines incidents by their actions and behaviors,” the director continues.

    For example, in December 2020, Palo Alto Networks detected and remediated the trojanized backdoor malware, SolarStorm, part of the SolarWinds SUNBURST supply chain attack. This was before the SUNBURST attack had been made public. The trojan attempts were detected based solely on the behaviors of the malware trying to install itself, and response actions were executed through the playbooks.


    Palo Alto stopped SolarStorm before it was known to the public. Those are the kinds of things that make me very comfortable with our Cortex XDR Data Lake and our Cortex XSOAR implementation.

    Director, Security and Infrastructure Engineering
    Together, the integrative approach with XSOAR and endpoint protections helped the center develop its world-class CDOC with the playbooks and feedback loops to continuously improve its security posture. “Palo Alto has a powerful set of tools that integrate seamlessly for orchestration and response to known and unknown threats,” the director concluded.