The Customer
Esri is a global organization that helps more than 350,000 customers around the world solve tough problems through advanced geospatial technology. With more than 75% of Fortune 500 companies deploying its solutions to meet business goals, it was critical for Esri to maintain a security posture that would protect its diverse digital assets and those of its customers.
The Situation
Esri’s vast customer base and digital nature led to multiple security challenges. Alerts in excess of 10,000 each week caused significant fatigue among the team of five security operations analysts. Detecting false positives and duplicate incidents amid a countless host of attacks was a specific concern that wasn’t being addressed. Esri was also looking to streamline threat indicator management processes, which were distributed, complex, and not conducive to lean threat hunting exercises.
Suboptimal responses to these issues were increasing Esri’s business risk, wasting resources, and making the security operations center (SOC) more difficult to manage.
The Solution
To meet its challenges head on, Esri deployed Cortex™ XSOAR for security orchestration, automation, and response in addition to its existing security information and event management (SIEM) and network monitoring solutions. To speed up incident triage and response, the team took advantage of custom playbooks that interweaved automated and manual tasks. These playbooks also codified analyst knowledge, facilitating a standardized response to specific attacks.
For false positive and duplicate detection, Esri used historical cross-correlation capabilities in Cortex XSOAR. By quickly highlighting common artifacts and indicators across incidents, Esri analysts could spot and close duplicate attacks without spending too much time on redundant investigations.
To enhance analyst productivity and learning, Esri used the Cortex XSOAR War Room to conduct joint investigations and help cross-pollinate its analysts’ skill sets. Now able to work on complex incidents together, pull in security actions from other tools, and document results in the same window, Esri’s analysts could restructure their task loads to focus on the cerebral over the trivial.
The Results
Esri’s application of orchestration, automation, and collaboration led to both objective and subjective improvements. Alerts went from 10,000 per week to roughly 500— a staggering 95% reduction stemming largely from swift resolution of false positives and duplicate incidents, thanks to automated playbooks and historical cross-correlation.
Moreover, Esri used Cortex XSOAR as the central hub to ingest all alerts, obviating the need for analysts to visit multiple systems to find relevant information. Including ticket management in the team’s incident response platform alongside automation and orchestration meant no alert could slip through the cracks at Esri to cause potential business risk.
Automation freed up the analysts’ time, letting them focus on strategic tasks and continuous process improvements rather than being mired in day-to-day firefighting. Playbooks allowed them to scale their efforts effectively, enabling Esri to more effectively leverage the toughest resource to find and retain: skilled analysts.
The Cortex XSOAR War Room led to increased analyst satisfaction. By automatically documenting all analyst actions, allowing them to improve each other’s skill sets, and giving machine learning-powered insights, the War Room lets analysts do more of what they do best—solve difficult problems—without drowning in documentation and menial tasks.
