Case Study

Multinational organization enhances defenses by stress testing its cybersecurity program


In brief

Client

Large multinational organization

Products and services
    • Unit 42 Security Program Design
    • Unit 42 Purple Team Exercises
Country

Multinational


Challenge
    • Assess and improve security operations
    • Conduct tests of technical security operations controls design and effectiveness
Solutions
    • Assessed client’s policies and processes using NIST CSF framework
    • Simulated security events to test and measure security operations center team communications, capabilities, and tools
Results
    • Improved communication and coordination among security teams and key stakeholders
    • Strengthened cybersecurity program controls and compliance
    • Increased board of directors’ visibility into security program strengths and improvements

Leveraging the security program design expertise of Palo Alto Networks Unit 42, improvements were made in readiness, processes, communications, and compliance.


A multinational corporation with tens of thousands of employees and operations in dozens of countries has an enterprise security team that manages a widely distributed network with hundreds of different applications under complex compliance requirements.

The organization chose Palo Alto Networks Unit 42 to assess and test the effectiveness of its security operations.


CHALLENGE

Finding the right partner to strengthen security

The client was looking for a partner with the business and technical expertise to help improve its security posture, including uncovering inefficiencies across its people, processes, and technology. The partner needed to move rapidly and adapt to the client’s particular requirements.

The scope of the project called for providing an assessment of the organization’s security program design, including effectiveness of SecOps controls, security team processes, and communication. The client wanted to learn about its strengths and opportunities for improvement, with actionable recommendations to improve its ability to defend and protect the organization.

With business locations around the world, the client faced a complex regulatory environment and stringent compliance requirements. The client’s security team had to manage a widely distributed network with hundreds of applications. This level of complexity had to be accounted for in its security program. Additionally, the client had a large investment in existing security infrastructure that it wanted to leverage, rather than installing net-new solutions.


SOLUTION

A comprehensive approach to identifying improvements

The client engaged Palo Alto Networks Unit 42 because of its deep knowledge of the threat landscape and ability to rapidly provide an approach uniquely tailored to the client’s needs, environment, and specific security concerns. Unit 42 quickly developed a detailed plan to assess the client’s security posture and effectiveness in responding to security threats. Unit 42 has a comprehensive process to help clients assess their security program by looking at existing tools, processes, and controls. Unit 42 also uses structured simulations to see how teams react to security threats in real time.

Using the Cybersecurity Framework (CSF) from the National Institute of Standards and Technology (NIST) and other proprietary controls, Unit 42 assessed the client’s capabilities in threat intelligence, threat hunting, threat detection, and threat response, as well as its security monitoring and reporting controls. This exercise revealed gaps in essential security operations controls, especially in the areas of threat hunting, detection, and response.

The assessment helped the client identify security strengths that already existed within the team and some opportunities for improvement. The assessment also provided actionable guidance for fixing problem areas and improving the overall security program maturity. This helped the client develop a roadmap for strengthening its security program design.

Simulating a cyberthreat in real time

After performing the Security Program Design assessment, Unit 42 ran a purple team attack simulation in the client’s environment to evaluate how the security team would react to a threat in real time. The simulation involved detecting, analyzing, and resolving a security ticket. It helped Unit 42 determine the effectiveness of the client’s response and communications between its Security and IT teams.

The simulation enabled Unit 42 to examine how and where the detection events were escalated to the team in the client’s security operations center (SOC), as well as assess the adequacy of existing incident response and investigation practices.

The threat simulation exercise gave the client insight into the lifecycle of an incident and how it was handled by its security teams. The exercise created opportunities for collaboration between teams by identifying processes that could be streamlined and improved. For example, the simulation revealed that the ticketing system created multiple tickets for the same event. By identifying such inefficiencies, the exercise allowed the client to take corrective action.

Unit 42 found numerous areas for improvement through the Security Program Design assessment and Purple Team Exercises. Unit 42 also highlighted areas that the client’s security teams were managing effectively. Unit 42 delivered an in-depth technical report to the security team, and helped to formulate an executive summary for the board of directors, including analysis of the security team’s strengths and documentation of specific improvements that could be beneficial to further maturing security operations capabilities.


BENEFIT

Better security and improved teamwork

Unit 42 enabled the client to understand the state of its security posture, and map a path to making improvements that would further harden its cybersecurity defenses. In brief, Unit 42 empowered the client to maximize its security investments in the following key areas:

  • People: Unit 42 prioritized building rapport with the client’s security team to enable collaborative processes within the team to improve efficiency of coordinated operations. The result was increased communication and coordination. The engagement with Unit 42 reinforced the client’s need to design and build a security control environment in which its team members could thrive. Unit 42 also helped the security team formulate a briefing to the board of directors, which was received well and helped establish trust between the client’s security teams and its governance board.
  • SecOps processes and technologies: Unit 42 helped the client optimize its processes around existing tools to ensure that operations were running efficiently. This involved identifying areas for improvement, including communication within the various security teams and efficiency of its incident handling processes. Unit 42 also helped the client improve its overall compliance by validating the various legal and regulatory requirements, including data protection and retention, and breach notification requirements.

The client was extremely pleased with the results of the engagement, stating they’d never had such a positive experience with a third-party assessment before their engagement with Unit 42.

Like most large organizations, the client had made significant investments in securing its environment. Working with Unit 42 enabled it to fine-tune existing capabilities and maximize the value of those investments. It was also able to strengthen coordination and efficiency across its security organization, and demonstrate the value of its security operations to executive- and board-level leadership.


About Unit 42

Palo Alto Networks Unit 42™ brings together world-renowned threat researchers, elite incident responders, and expert security consultants to create an intelligence-driven, response-ready organization that’s passionate about helping you proactively manage cyber risk. Together, our team serves as your trusted advisor to help assess and test your security controls against real-world threats, transform your security strategy with a threat-informed approach, and respond to incidents in record time so that you get back to business faster.

Visit paloaltonetworks.com/unit42.


Under attack?

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team at start.paloaltonetworks.com/contact-unit42.html or call North America Toll-Free: 866.486.4842 (866.4.UNIT42), EMEA: +31.20.299.3130, UK: +44.20.3743.3660, APAC: +65.6983.8730, or Japan: +81.50.1790.0200.