
How Esri Reduced Its Alert Barrage with Cortex XSOAR

Industry
Software/Geographic Information Systems

Integrations

  • Cortex XSOAR on-premises platform
  • SIEM
  • Network monitoring


Challenges

  • Alert fatigue (more than 10,000 per week)
  • Shortage of skilled SOC analysts (only five)
  • Detection of duplicates and related incidents
  • Complex and distributed threat indicator management


Solution
Esri used Cortex XSOAR to:

  • Get faster closure and false positive detection with automated playbooks
  • Leverage historical cross-correlation for duplicate detection
  • Combine analyst knowledge with a collaboration window for joint investigations


Results
Cortex XSOAR enabled Esri to:

  • Cut weekly alert volume by 95%
  • Increase analyst productivity
  • Reduce organizational risk

The Customer

Esri is a global organization that helps more than 350,000 customers around the world solve tough problems through advanced geospatial technology. With more than 75% of Fortune 500 companies deploying its solutions to meet business goals, it was critical for Esri to maintain a security posture that would protect its diverse digital assets and those of its customers.

The Situation

Esri’s vast customer base and digital nature led to multiple security challenges. Alerts in excess of 10,000 each week caused significant fatigue among the team of five security operations analysts. Detecting false positives and duplicate incidents amid a constant stream of attacks was a specific concern that was not being addressed. Esri was also looking to streamline its threat indicator management processes, which were distributed, complex, and not conducive to lean threat hunting exercises.

Suboptimal responses to these issues were increasing Esri’s business risk, wasting resources, and making the security operations center (SOC) more difficult to manage.

The Solution

To meet its challenges head on, Esri deployed Cortex™ XSOAR for security orchestration, automation, and response alongside its existing security information and event management (SIEM) and network monitoring solutions. To speed up incident triage and response, the team built custom playbooks that interwove automated and manual tasks. These playbooks also codified analyst knowledge, giving the team a standardized response to specific attack types.

For false positive and duplicate detection, Esri used historical cross-correlation capabilities in Cortex XSOAR. By quickly highlighting common artifacts and indicators across incidents, Esri analysts could spot and close duplicate attacks without spending too much time on redundant investigations.
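The two mechanisms described above, automated closure of known false positives and historical cross-correlation of indicators to detect duplicate and related incidents, can be illustrated with a small model. The block below is an added example written for this page; it is not Cortex XSOAR code and does not reproduce how XSOAR implements correlation. It assumes a hypothetical allowlist of benign indicators, a seven-day look-back window, Jaccard overlap of indicator sets as the similarity score, and thresholds of 0.8 for "duplicate" and 0.2 for "related". The alert stream is constructed and uses only RFC 5737 addresses and reserved example names.

```python
"""Added illustrative example (not Cortex XSOAR code): correlate each new
alert against recent incidents by shared indicators, auto-close duplicates
and known false positives, and link related incidents. Data is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Constructed allowlist (assumption): an internal vulnerability scanner
# (RFC 5737 address) that trips IDS signatures on every run. Alerts whose
# indicators are all benign are closed as false positives without correlation.
KNOWN_BENIGN: Set[str] = {"192.0.2.10"}


@dataclass
class Incident:
    id: str
    created: datetime
    indicators: Set[str]
    status: str = "open"             # open | closed-duplicate | closed-false-positive
    relation: Optional[str] = None   # duplicate | related | None
    linked_to: Optional[str] = None  # root incident this one was matched to
    score: float = 0.0               # best Jaccard overlap found inside the window


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Share of indicators common to both sets (0.0 when both are empty)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


class Correlator:
    def __init__(self, window: timedelta = timedelta(days=7),
                 dup_threshold: float = 0.8, related_threshold: float = 0.2):
        self.window = window
        self.dup_threshold = dup_threshold
        self.related_threshold = related_threshold
        self.by_id: Dict[str, Incident] = {}
        self.by_indicator: Dict[str, List[Incident]] = {}  # inverted index: IoC -> incidents

    def _root(self, inc: Incident) -> Incident:
        """Follow duplicate links so new matches attach to the open original."""
        while inc.relation == "duplicate" and inc.linked_to:
            inc = self.by_id[inc.linked_to]
        return inc

    def best_match(self, new: Incident):
        """Highest-overlap historical incident inside the time window.
        Only incidents sharing at least one indicator are scored (via the index)."""
        best, best_score, seen = None, 0.0, set()
        for ioc in new.indicators:
            for inc in self.by_indicator.get(ioc, []):
                if inc.id in seen:
                    continue
                seen.add(inc.id)
                if new.created - inc.created > self.window:
                    continue  # stale: an old campaign should not absorb a new alert
                score = jaccard(new.indicators, inc.indicators)
                if score > best_score:
                    best, best_score = inc, score
        return best, best_score

    def ingest(self, new: Incident) -> Incident:
        """Playbook-style triage: benign-only alerts close immediately, otherwise
        correlate against history and close duplicates or link related incidents."""
        if new.indicators and new.indicators <= KNOWN_BENIGN:
            new.status = "closed-false-positive"
        else:
            match, score = self.best_match(new)
            new.score = score
            if match is not None and score >= self.dup_threshold:
                new.status, new.relation = "closed-duplicate", "duplicate"
                new.linked_to = self._root(match).id
            elif match is not None and score >= self.related_threshold:
                new.relation, new.linked_to = "related", self._root(match).id
        self.by_id[new.id] = new
        for ioc in new.indicators:
            self.by_indicator.setdefault(ioc, []).append(new)
        return new


def build_sample_alerts() -> List[Incident]:
    """Constructed alert stream (RFC 5737 address, reserved example names)."""
    t0 = datetime(2020, 11, 1, tzinfo=timezone.utc)
    campaign = {"198.51.100.7", "evil.example", "sha256:0f0f"}
    return [
        Incident("INC-1", t0, set(campaign)),
        Incident("INC-2", t0 + timedelta(hours=1), set(campaign)),                      # exact repeat
        Incident("INC-3", t0 + timedelta(hours=2), {"198.51.100.7", "other.example"}),  # shares one IoC
        Incident("INC-4", t0 + timedelta(days=10), set(campaign)),                      # repeat, outside window
        Incident("INC-5", t0 + timedelta(days=10, hours=1), {"192.0.2.10"}),            # scanner noise
    ]


def run_demo() -> List[Incident]:
    corr = Correlator()
    return [corr.ingest(alert) for alert in build_sample_alerts()]


if __name__ == "__main__":
    for inc in run_demo():
        print(f"{inc.id}: {inc.status:22} relation={inc.relation} "
              f"linked_to={inc.linked_to} score={inc.score:.2f}")
```

Of the five constructed alerts, only three reach an analyst: INC-2 closes as a duplicate of INC-1, INC-5 closes as a false positive, and INC-3 stays open but is linked to INC-1 as related. INC-4 repeats INC-1 but falls outside the look-back window, so it opens as a fresh incident; the window, the thresholds, and the benign allowlist are the knobs that decide how aggressive auto-closure is, and a high-frequency indicator shared by unrelated alerts (a CDN address, an internal DNS resolver) would over-link incidents unless it is excluded from scoring.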

To enhance analyst productivity and learning, Esri used the Cortex XSOAR War Room to conduct joint investigations and help cross-pollinate its analysts’ skill sets. Now able to work on complex incidents together, pull in security actions from other tools, and document results in the same window, Esri’s analysts could restructure their task loads to focus on the cerebral over the trivial.

The Results

Esri’s application of orchestration, automation, and collaboration led to both objective and subjective improvements. Alerts went from 10,000 per week to roughly 500, a 95% reduction stemming largely from the swift resolution of false positives and duplicate incidents through automated playbooks and historical cross-correlation.

Moreover, Esri used Cortex XSOAR as the central hub to ingest all alerts, obviating the need for analysts to visit multiple systems to find relevant information. Including ticket management in the team’s incident response platform alongside automation and orchestration meant no alert could slip through the cracks at Esri to cause potential business risk.

Automation freed up the analysts’ time, letting them focus on strategic tasks and continuous process improvement rather than being mired in day-to-day firefighting. Playbooks allowed them to scale their efforts, enabling Esri to make the most of the toughest resource to find and retain: skilled analysts.

The Cortex XSOAR War Room led to increased analyst satisfaction. By automatically documenting all analyst actions, allowing them to improve each other’s skill sets, and giving machine learning-powered insights, the War Room lets analysts do more of what they do best—solve difficult problems—without drowning in documentation and menial tasks.

Nov 17, 2020 at 12:40 AM
