As one of the largest electric utility companies providing energy-related services in the US, aggressive detection was a priority for this customer’s security operations center (SOC) team. The team also wanted to ensure its security analysts were not spending inordinate amounts of time investigating duplicate alerts.
The SOC team had a mix of ingestion and detection sources to deal with, ranging from security vendor products and open source platforms to in-house tools and proprietary solutions. While the team had a security information and event management (SIEM) solution to aggregate logs, the analysts spent a great deal of time investigating duplicate alerts instead of hunting threats.
Case management was also bogged down with the need to pivot between multiple screens, often resulting in the analysts cutting and pasting information manually. In addition, there was a need to chase down analysts at the end of each month to get details for case management reports. These low-level tasks prevented analysts from focusing on data interpretation and problem solving, which ultimately led to longer resolution times and lower productivity.
The SOC team first deployed Cortex™ XSOAR playbooks to identify and remove duplicate alerts generated by its cybersecurity tools. The team also leveraged Cortex XSOAR to automate case metrics tracking and reporting. With the expanded visibility across cases, the team was able to derive similarities and surface trends that weren’t visible before. Because analysts tracked their actions within Cortex XSOAR, monthly risk audit reporting became easier: case data and analyst actions were now archived and easily retrievable from one location. This common knowledge repository enabled a smoother handover of knowledge between analyst shift changes and served as a training resource for lower-level analysts.
The case management lifecycle managed within Cortex XSOAR includes ticketing. By automating and integrating the ticketing process, the SOC managers were able to free up analysts from doing tedious tasks, such as manually copying information from one system to another, so they could focus on threat hunting and decision-making.
As the SOC team is strongly focused on metrics-driven decisions, there are plans to integrate Cortex XSOAR with in-house visualization platforms for advanced reporting and insights.
Cortex XSOAR enabled the SOC team to be as aggressive as necessary in alert settings without worrying about impacting analyst workload. As a result of automating deduplication efforts, the SOC team was able to reduce alert volume by 30% within the first month of operation. This netted out to time savings approximately equal to a full-time analyst.
An added benefit was in the area of metrics. As SIEM users know, the process of extracting metrics from a SIEM to identify similarities across cases can be onerous. The SOC team was able to leverage Cortex XSOAR playbooks to automate some of these tasks, producing previously undetected insights into problem areas related to people, processes, and technology.
For example, the team discovered multiple malware cases associated with specific machines or user accounts. This was an unexpected benefit with the expanded visibility into case-related metrics. As the SOC team builds out its automation efforts, the goal is to map alerts and threat behavior to the MITRE ATT&CK™ framework to better understand security risk against adversarial threat behavior as well as aid in planning better defenses and verifying the effectiveness of existing defenses.
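The two automations described above, deduplicating alerts that several tools raise for one event and aggregating case metrics to surface hosts and accounts with repeated malware cases, are illustrated here with an added Python example. This is not Cortex XSOAR playbook code or anything from the customer; the alert and case field names, the 30-minute duplicate window, the repeat threshold and all sample records are constructed assumptions.

```python
"""Illustrative alert deduplication and case-metric aggregation (added example).
Field names, the duplicate window and the sample data are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts from three sources. One malware detection on
# HOST-7 reaches the SOC from the SIEM, the EDR and an in-house tool within
# minutes, formatted differently each time, so three alerts describe one event.
ALERTS = [
    {"id": "a1", "source": "siem", "host": "HOST-7.corp.example", "user": "JDoe",
     "sha256": "ABC123", "time": "2024-03-01T09:00:00"},
    {"id": "a2", "source": "edr", "host": "host-7", "user": "jdoe",
     "sha256": "abc123", "time": "2024-03-01T09:03:00"},
    {"id": "a3", "source": "inhouse", "host": "HOST-7", "user": "jdoe",
     "sha256": "abc123", "time": "2024-03-01T09:10:00"},
    # Same host, user and hash the next day: a new event, not a duplicate.
    {"id": "a4", "source": "edr", "host": "host-7", "user": "jdoe",
     "sha256": "abc123", "time": "2024-03-02T14:00:00"},
    {"id": "a5", "source": "siem", "host": "host-12", "user": "asmith",
     "sha256": "def456", "time": "2024-03-01T09:05:00"},
]

# Constructed closed cases of the kind a case-metrics report would read.
CASES = [
    {"case": 101, "type": "malware", "host": "host-7", "user": "jdoe"},
    {"case": 102, "type": "malware", "host": "host-7", "user": "jdoe"},
    {"case": 103, "type": "phishing", "host": "host-12", "user": "asmith"},
    {"case": 104, "type": "malware", "host": "host-3", "user": "jdoe"},
    {"case": 105, "type": "malware", "host": "host-12", "user": "asmith"},
]


def normalize_key(alert):
    """Key on the short, lowercased host name, lowercased user and lowercased
    file hash so that differently formatted alerts about one event collide."""
    host = alert["host"].split(".")[0].lower()
    return (host, alert["user"].lower(), alert["sha256"].lower())


def deduplicate(alerts, window=timedelta(minutes=30)):
    """Collapse alerts that share a key and fall within `window` of the first
    alert in their group. Returns the surviving alerts, each recording the
    sources and alert ids merged into it so nothing is silently discarded."""
    survivors = []
    open_groups = {}  # key -> the survivor currently absorbing duplicates
    for alert in sorted(alerts, key=lambda a: a["time"]):  # ISO times sort lexically
        key = normalize_key(alert)
        ts = datetime.fromisoformat(alert["time"])
        group = open_groups.get(key)
        if group is not None and ts - group["first_seen"] <= window:
            group["sources"].add(alert["source"])
            group["merged_ids"].append(alert["id"])
            continue
        # Outside the window (or a new key): start a fresh group for this event.
        group = {"id": alert["id"], "key": key, "first_seen": ts,
                 "sources": {alert["source"]}, "merged_ids": []}
        open_groups[key] = group
        survivors.append(group)
    return survivors


def reduction_percent(before, after):
    """Alert-volume reduction as a percentage, rounded to one decimal."""
    return round(100 * (before - after) / before, 1) if before else 0.0


def repeat_malware(cases, field, threshold=2):
    """Count malware cases per `field` ('host' or 'user') and return those at
    or above `threshold`: the repeat-offender pattern hidden in case metrics."""
    counts = defaultdict(int)
    for case in cases:
        if case["type"] == "malware":
            counts[case[field]] += 1
    return {k: v for k, v in counts.items() if v >= threshold}


if __name__ == "__main__":
    unique = deduplicate(ALERTS)
    for group in unique:
        print(group["id"], sorted(group["sources"]), "merged:", group["merged_ids"])
    print("reduction:", reduction_percent(len(ALERTS), len(unique)), "%")
    print("hosts with repeat malware cases:", repeat_malware(CASES, "host"))
    print("users with repeat malware cases:", repeat_malware(CASES, "user"))
```

The merged ids and source set are kept on each surviving alert on purpose: deduplication should reduce what an analyst opens, not what the audit trail retains, and the source set is what lets a later report show which tools agree on an event. The time window matters for the same reason, since the next-day detection on the same host is evidence of reinfection and must survive as its own alert.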