Case Study

Freight company reduces incident resolution to ~1 hour with Cortex XSIAM


The security team at a North American freight company was using a series of point solutions that bogged down investigations with a high degree of manual labor. Thousands of incidents were going unresolved, and their median time to resolution stretched into days if not weeks. The company adopted Palo Alto Networks Cortex XSIAM to streamline investigations and reduce median time to resolution.


In brief

Industry

Transportation

Country

United States and Canada


Challenges

With a series of tools in their SOC, the security team had to jump from one console to another every time an alert came in. So much manual labor was required for each investigation that the team could get to only a small percentage of incidents, and the vast majority remained open.

Solution

The client was looking to close more incidents and reduce their median time to resolution. They chose a tool that would ingest and analyze data from more sources, plus bring telemetry together to reduce console-switching.

• Cortex XSIAM®
• Enable the team to quickly and easily set up and run automations

Results

After adopting Cortex XSIAM, the company:

• Improved its incident close rate from 10–20% to 100%.
• Decreased its median time to resolution from days or weeks to ~1 hour.
• Achieved a higher SOC maturity level across seven key pillars, including log collection, automation, alerting, and analytics.

CHALLENGE

Struggling with backlogs and unresolved incidents

The backlog of security alerts was overwhelming for a leading North American transporter of industrial, commercial, and retail goods. Because so much manual labor was required to resolve any given incident—including checking up to five separate consoles to establish a causality chain—over 6,000 unresolved alerts had piled up. As new alerts rolled in, only 10–20% were being closed.

Part of the issue was the lack of automation. Existing tools required a series of intricate steps to automate workflows: pulling data through the company’s cloud automation platform, learning how the APIs worked, making a request, testing the API, educating the team, and granting permission. The lone automation engineer didn’t have the capacity to do it.

Visibility was also limited, particularly in the cloud. The company was pulling only some of its data sources into its existing SIEM and security orchestration, automation, and response (SOAR) solutions, and those tools weren’t sufficiently communicating with each other to provide a digestible view of the environment.


SOLUTION

Seeking a smarter, sleeker approach

It was time to make a change. The freight company’s lean security team set out to adopt a single, more powerful solution to:

  • Bring telemetry together to reduce (or even eliminate) console-switching.
  • Enable the team to easily set up and run automations.
  • Ingest and analyze data from more sources, especially the cloud.
  • Free up the team’s time so they could take a more proactive approach to security.

In the process, the company wanted to mature its SOC, harden its posture, and increase protection.

The company selected Cortex XSIAM for its comprehensive capabilities, especially data ingestion, normalization, and automation. Very quickly, the outlook for the SOC began to change.


RESULTS

Streamlining tools and reducing labor

Almost immediately, the client was able to retire several of their existing tools, moving both their SIEM and SOAR functionality into XSIAM. Now when an alert comes in, the team almost always has all the information needed to resolve it within a single console. Gone are the 6,000 unresolved incidents. Instead, the team is closing 100% of their 9–10 daily alerts escalated from their Tier 1 SOC partner within 24 hours.

Automation changes everything

Before XSIAM, setting up automations was too labor-intensive for the team to accomplish. However, after adopting XSIAM, the client was able to quickly implement several playbooks and close alerts more quickly. In addition to robust out-of-the-box protections, they were able to build custom policies and rules specific to their environment. The time they saved from responding to incidents was redirected at improving their overall security posture.

For example, in one automation, indicators of compromise (IOCs) from a number of firewalls are ingested into XSIAM, and whenever a suspicious or malicious classification pops up, XSIAM automatically blocks those IP addresses, domains, and file hashes. That single automation has reduced a significant number of alerts.
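The following is an added illustration of the ingest-and-block automation described above. It is not Cortex XSIAM code and not the freight company's playbook (the case study does not show that logic); it is a stand-alone Python sketch of the same idea: take IOC records as several firewalls might deliver them, keep only those classified suspicious or malicious, validate the indicator format, refuse to block the company's own address space, deduplicate across firewalls, and group the result by type. The record field names, the classification values, the internal network list, and the sample indicators are all constructed assumptions.

```python
# Added example, not Cortex XSIAM or customer code. Field names ("indicator",
# "classification", "source"), classification labels, internal networks and
# sample IOCs below are constructed assumptions for illustration.
import ipaddress
import re
from collections import defaultdict

# Classifications that should trigger a block (assumed labels).
BLOCK_CLASSIFICATIONS = {"suspicious", "malicious"}

# Address space that must never be auto-blocked, so a mislabelled internal
# host cannot take down the company's own systems (assumed ranges).
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]

DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:(?!-)[a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def classify_indicator(value):
    """Return 'ip', 'domain', 'sha256', or None for an indicator string."""
    v = value.strip().lower()
    try:
        ipaddress.ip_address(v)
        return "ip"
    except ValueError:
        pass
    if SHA256_RE.match(v):
        return "sha256"
    if DOMAIN_RE.match(v):
        return "domain"
    return None


def is_internal(ip_text):
    """True if the address falls inside a network we refuse to block."""
    addr = ipaddress.ip_address(ip_text)
    return any(addr in net for net in INTERNAL_NETWORKS)


def build_block_list(records):
    """Turn raw IOC records into a deduplicated block list grouped by type.

    Returns (blocks, skipped): blocks maps type -> sorted unique values;
    skipped lists (value, reason) for records that were not actionable.
    """
    blocks = defaultdict(set)
    skipped = []
    for rec in records:
        value = str(rec.get("indicator", "")).strip().lower()
        cls = str(rec.get("classification", "")).strip().lower()
        if cls not in BLOCK_CLASSIFICATIONS:
            skipped.append((value, f"classification '{cls}' is not blockable"))
            continue
        kind = classify_indicator(value)
        if kind is None:
            skipped.append((value, "unrecognised indicator format"))
            continue
        if kind == "ip" and is_internal(value):
            skipped.append((value, "internal address, blocking refused"))
            continue
        blocks[kind].add(value)  # set membership deduplicates across firewalls
    return {k: sorted(v) for k, v in blocks.items()}, skipped


# Constructed sample feed: the same malicious IP reported by two firewalls,
# a suspicious IP, a domain, a hash, an internal host, a benign entry, junk.
SAMPLE_IOCS = [
    {"indicator": "203.0.113.7", "classification": "malicious", "source": "fw-edge-1"},
    {"indicator": "203.0.113.7", "classification": "malicious", "source": "fw-edge-2"},
    {"indicator": "198.51.100.22", "classification": "suspicious", "source": "fw-edge-1"},
    {"indicator": "Bad-Updates.Example.net", "classification": "malicious", "source": "fw-edge-3"},
    {"indicator": "a" * 64, "classification": "malicious", "source": "fw-edge-1"},
    {"indicator": "192.168.10.5", "classification": "malicious", "source": "fw-edge-2"},
    {"indicator": "203.0.113.99", "classification": "benign", "source": "fw-edge-1"},
    {"indicator": "not an indicator", "classification": "malicious", "source": "fw-edge-3"},
]

if __name__ == "__main__":
    blocks, skipped = build_block_list(SAMPLE_IOCS)
    for kind, values in blocks.items():
        print(f"block {kind}: {', '.join(values)}")
    for value, reason in skipped:
        print(f"skip  {value!r}: {reason}")
```

The internal-network guard and the format validation are the two checks worth carrying into any real version of this automation: an auto-block rule that trusts every "malicious" label without them will eventually block an internal server or push a malformed entry into a firewall rule.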



We increased the number of policies and rules by probably 200%, on top of the out-of-the-box rules that are there for Cortex.

–Senior Information Security Engineer

Another example: Playbooks in XSIAM are providing visibility into phishing. If an attachment defense alert comes in, the playbook reports whether it’s a computer, a server, or something else—for example, a Citrix console—automating what used to be a manual multi-console investigation.

The freight company’s Tier 1 SOC partner noticed the change. The senior information security engineer reports: “Our partner said, ‘It’s impressive that you can keep up with the alerts that we are escalating to you.’”


Clearing the view into the cloud

Adopting XSIAM enabled the freight company to more than double the amount of data it could ingest and analyze, going from 500 gigabytes in its previous tools to 1.2 terabytes on XSIAM. Most of that new data was from the cloud, including Azure and AWS.

Additionally, because they were using other Palo Alto Networks tools, the team was able to leverage and correlate much more data—from their firewalls (including threat prevention data and data from Prisma Cloud), their network, and their endpoints. The senior information security engineer notes: “XSIAM has virtually eliminated false positives. Our security posture has improved significantly now that we are addressing all incidents.”


Running a tight ship

Thanks to XSIAM, the freight company’s lean security crew is now able to do much more with fewer dedicated resources. They’re managing the load, closing all incidents, and keeping median time to resolution much lower than it was using the old tools.

“I’m proud to be part of this product,” the senior information security engineer says. “I like working with it.”

Learn more about Cortex XSIAM on our website