
Keeping the SOC Lights On

Keeping the SOC Lights On in Energy

Industry

Energy/Electric Utilities

Integrations

  • SIEM
  • Forensics and malware analysis
  • Ticketing
  • Data analytics

Challenges

  • High volume of alerts
  • Detection of duplicates and related incidents
  • Time-consuming case management/ticketing

Solution

This electric utility company used Cortex XSOAR to:

  • Automate duplicate alert detection and consolidation
  • Orchestrate workflows across products on one platform
  • Correlate threat intel from multiple sources, including open source tools
  • Detect similarities between cases for better insights and training opportunities
  • Accelerate case management reporting 

Results

Cortex XSOAR enabled the company to:

  • Reduce case volume by 30%, seeing time savings of approximately one full-time analyst
  • Deploy aggressive detection without negatively impacting analyst workload
  • Speed up monthly risk audit reporting with case management information in one place

The Customer

This customer is one of the largest electric utility companies providing energy-related services in the US, and aggressive detection was a priority for its security operations center (SOC) team. The team also wanted to ensure its security analysts were not spending inordinate amounts of time investigating duplicate alerts.

The Problem

The SOC team had a mix of ingestion and detection sources to deal with, ranging from security vendor products and open source platforms to in-house tools and proprietary solutions. While the team had a security information and event management (SIEM) solution to aggregate logs, the analysts spent a great deal of time investigating duplicate alerts instead of hunting threats.  

Case management was also bogged down with the need to pivot between multiple screens, often resulting in the analysts cutting and pasting information manually. In addition, there was a need to chase down analysts at the end of each month to get details for case management reports. These low-level tasks prevented analysts from focusing on data interpretation and problem solving, which ultimately led to longer resolution times and lower productivity.

The Solution

The SOC team first deployed Cortex™ XSOAR playbooks to identify and remove duplicate alerts generated by its cybersecurity tools. The team also leveraged Cortex XSOAR to automate case metrics tracking and reporting. With the expanded visibility across cases, the team was able to derive similarities and surface trends that weren’t visible before. As analysts tracked their actions within Cortex XSOAR, monthly risk audit reporting became easier, since case data and analyst actions were now archived and easily retrievable from one location. This common knowledge repository enabled a smoother transfer of knowledge between analyst shift changes and served as a training resource for lower-level analysts.

The case management lifecycle managed within Cortex XSOAR includes ticketing. By automating and integrating the ticketing process, the SOC managers were able to free up analysts from doing tedious tasks, such as manually copying information from one system to another, so they could focus on threat hunting and decision-making.

As the SOC team is very focused on metric data-driven decisions, there are plans to integrate Cortex XSOAR with in-house visualization platforms for advanced reporting and insights.

The Results

Cortex XSOAR enabled the SOC team to be as aggressive as necessary in alert settings without worrying about impacting analyst workload. As a result of automating deduplication efforts, the SOC team was able to reduce alert volume by 30% within the first month of operation. This netted out to time savings approximately equal to a full-time analyst.

An added benefit was in the area of metrics. As SIEM users know, the process of extracting metrics from a SIEM to identify similarities across cases can be onerous. The SOC team was able to leverage Cortex XSOAR playbooks to automate some of these tasks, producing previously undetected insights into problem areas related to people, processes, and technology.

For example, the team discovered multiple malware cases associated with specific machines or user accounts. This was an unexpected benefit with the expanded visibility into case-related metrics. As the SOC team builds out its automation efforts, the goal is to map alerts and threat behavior to the MITRE ATT&CK™ framework to better understand security risk against adversarial threat behavior as well as aid in planning better defenses and verifying the effectiveness of existing defenses. 
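The two automation outcomes described above, deduplicating alerts from several products into consolidated cases and then surfacing hosts or users that keep reappearing across cases, as an added example that is not Palo Alto Networks or Cortex XSOAR code. The alert records, field names, and 15-minute window are constructed assumptions for illustration; a real playbook would read incidents from the platform instead of an inline list.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (hypothetical data, not from the case study).
# Several products report the same malware event on the same host/user.
ALERTS = [
    {"id": 1, "source": "edr",  "rule": "malware.detected", "host": "ws-042",  "user": "jdoe",   "ts": "2020-11-01T08:00:00"},
    {"id": 2, "source": "siem", "rule": "malware.detected", "host": "ws-042",  "user": "jdoe",   "ts": "2020-11-01T08:03:00"},
    {"id": 3, "source": "edr",  "rule": "malware.detected", "host": "ws-042",  "user": "jdoe",   "ts": "2020-11-01T08:04:00"},
    {"id": 4, "source": "av",   "rule": "malware.detected", "host": "ws-017",  "user": "asmith", "ts": "2020-11-01T09:30:00"},
    {"id": 5, "source": "edr",  "rule": "malware.detected", "host": "ws-042",  "user": "jdoe",   "ts": "2020-11-03T14:10:00"},
    {"id": 6, "source": "siem", "rule": "bruteforce.ssh",   "host": "srv-db1", "user": "root",   "ts": "2020-11-03T14:12:00"},
]

DEDUP_WINDOW = timedelta(minutes=15)  # assumed window for "same incident"


def fingerprint(alert):
    """Key under which alerts from different products are the same incident."""
    return (alert["rule"], alert["host"], alert["user"])


def consolidate(alerts, window=DEDUP_WINDOW):
    """Fold alerts sharing a fingerprint within `window` into one case.
    A later alert with the same key outside the window opens a new case,
    so a host that is re-infected days later is not silently merged."""
    cases, open_cases = [], {}  # open_cases: fingerprint -> index in cases
    for a in sorted(alerts, key=lambda x: x["ts"]):  # ISO timestamps sort lexically
        key, ts = fingerprint(a), datetime.fromisoformat(a["ts"])
        idx = open_cases.get(key)
        if idx is not None and ts - cases[idx]["last_seen"] <= window:
            cases[idx]["alert_ids"].append(a["id"])
            cases[idx]["sources"].add(a["source"])
            cases[idx]["last_seen"] = ts
        else:
            cases.append({"rule": a["rule"], "host": a["host"], "user": a["user"],
                          "alert_ids": [a["id"]], "sources": {a["source"]},
                          "first_seen": ts, "last_seen": ts})
            open_cases[key] = len(cases) - 1
    return cases


def reduction_pct(alerts, cases):
    """Share of raw alerts that no longer need separate handling."""
    return round(100 * (1 - len(cases) / len(alerts)))


def repeat_offenders(cases, field="host", min_cases=2):
    """Hosts or users that reappear across consolidated cases."""
    counts = defaultdict(int)
    for c in cases:
        counts[c[field]] += 1
    return {k: v for k, v in counts.items() if v >= min_cases}
```

Running `consolidate(ALERTS)` folds the six constructed alerts into four cases, and `repeat_offenders` flags the host and user that appear in two of them, the kind of case-level insight the text describes.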

Nov 17, 2020 at 12:40 AM
