Sabre’s cybersecurity defenses take off, fueled by Unit 42

SUMMARY

Sabre Corporation is a leading technology company that empowers airlines, hoteliers, agencies, and other partners to retail, distribute, and fulfill travel worldwide.

Given Sabre’s complex and global ecosystem, robust cybersecurity is paramount. To protect customer data and maintain operational integrity, Sabre uses a broad suite of Palo Alto Networks® products, from firewalls and network security to cloud protection and endpoint detection and response. More recently, Sabre engaged Unit 42 experts to assess and pressure-test its cybersecurity defenses.

RESULTS

  • 100% of vulnerabilities exploited during testing remediated
  • <1 hour to remediate high-risk vulnerability identified during Unit 42 exercise
  • 5 minutes for Cortex XDR to identify compromise and automatically block access during Unit 42 exercise

CHALLENGES

Testing—and demonstrating—readiness against attacks.

As a global travel organization with a vast technology footprint, Sabre is in a constant state of security evolution and has to ensure robust security as its approach matures.

  • Sabre lacked a way to measure the effectiveness of its evolving security solutions and needed a solution for testing its posture.
  • To meet contractual demands, the company had to demonstrate readiness against advanced attacks via third-party validations.
  • The company’s previous incident response (IR) provider wasn’t aligned on Sabre’s tools and couldn’t offer immediate containment in the case of an incident.

“We wanted to eliminate risks, especially in the higher-level part of our environment. I wanted the Red Team to go in there and see what they could shake loose so we could harden it. Because to me, when you’re in there, you’ve bypassed all our security. You’re in the inner courtyard. And that’s the hardest to fix.”

Rudi Peck

Senior Principal, Cyber Threat Management, Sabre

SOLUTIONS

Evolving security with proven protection.

To mature its cybersecurity program, strengthen protection, and increase efficiency, the company elected to platformize its approach with Palo Alto Networks. From there, Sabre’s security team set out to address two needs: first, partnering with the Palo Alto Networks Unit 42 elite team of incident response experts to ensure rapid containment in the event of an incident; and second, proactively assessing Sabre’s enhanced defenses for vulnerabilities and gaps.

“A pinky promise doesn’t work. We have to have strong proof that the degree of protection our leadership and customers have agreed to is established by the controls we’ve put into place.”

Matthew Bissell

Senior Director, Cloud Security and Response, Sabre

  • Turning on a dime when attackers strike

    Sabre’s previous incident response provider required that resource-heavy agents be deployed across the server fleet, adding a burden that would slow down containment efforts. Additionally, because the vendor only supported its own tool set, it didn’t use Cortex XDR, and a learning curve would delay response times. “We wanted an IR partner that is both recognized and aligned around our technology,” explains Matthew Bissell, Senior Director of Cloud Security and Response. “The Unit 42 Retainer gives us immediate access to IR experts who understand our technology, layering in the global threat and attack vector perspective. That enables us to act very quickly when we need to contain threats and minimize disruptions.”

  • On the hunt for indicators of compromise

    Increasingly, Sabre’s customers have been requesting—even requiring—third-party cybersecurity program validations to meet regulatory and insurance demands. One customer required that a new environment be confirmed as secure ahead of production implementation (and annually after that). To comply, Sabre enlisted Unit 42 to run a compromise assessment, which assured the customer that the environment was protected as intended. “As we build agreements with a customer that might require these assessments,” Bissell explains, “we work with them to understand what assurances are most important to them and focus on scoping the assessment appropriately.”

  • Inviting attacks—the safe way

    For several years, Sabre’s internal team had been performing tabletop and limited red team exercises. In 2024, the organization expanded to third-party testing, using its Unit 42 Retainer credits for proactive services. Bissell explains: “This was about shifting from doing an intellectual exercise that involves talking something through to simulating a real-world advanced persistent threat attack—done in a safe space that the team wasn’t aware of.”

    The results were affirming. During Unit 42 Red Team Exercises, the team gained a temporary foothold into Sabre’s perimeter network, but within minutes, Cortex XDR identified the intrusion, alerted the team, and automatically blocked the attack. “They found an exploit in a web application—there was an input-type exploitation,” reports Peck. “But the tools went above and beyond. XDR took care of business.”

    Unit 42 discovered 10 vulnerabilities in the exercise. One high-risk item was remediated within an hour after identification by Unit 42, reducing Sabre’s attack surface. All told, 90% of vulnerabilities were remediated during or after the test; during the retest, 100% of the previously exploited vulnerabilities were no longer exploitable.

  • Mean time to contain shaved to hours

    For Sabre, one of the benefits of working with Palo Alto Networks technology has been a precipitous decrease in the mean time to contain (MTTC). “We used to have a target of seven days for low-priority incidents and three for high-priority ones,” reflects Bissell. “Since we’ve changed our tooling and moved to Cortex XDR, we’ve been able to get that rate down to hours for all incidents.”

Hand in hand with a trusted partner.

Sabre’s engagements with Unit 42 have succeeded in increasing customer and board-level confidence. The Unit 42 team validated system configuration and alerting capabilities, including some attack vectors not previously explored. Finally, the team assessed team members’ real-time reactions, helping to improve their skills.

“Unit 42 is absolutely a trusted partner,” reports Bissell. “They fill some of the gaps we have in our skillsets while allowing us to get work done where we may be limited in resources.” Sabre will continue working with Unit 42, both for incident response and proactive services, as it evolves its environment.

“We’ve found the Unit 42 team to be highly engaged, super knowledgeable, and great at communicating. They say what they’re going to do and then do what they’ve said. That builds respect and much-needed trust.”

Matthew Bissell

Senior Director, Cloud Security and Response, Sabre
