Case Study

Samaritan Ministries International keeps financial information private and secure with endpoint protection

With Cortex XDR, SMI now has near-real-time detection and response capabilities, enabling the security team to quickly block malicious activity while enabling staff to maintain high productivity without false positives

In brief


Samaritan Ministries International




United States


Improve the efficiency and effectiveness of security operations in detecting potentially malicious activity on endpoints. Accelerate the response to alerts with greater intelligence to block or allow activity.

    • Protect personal and financial information of members.
    • Complete visibility across all endpoints.
    • Enable employees to work from home.
    • Prevent known and unknown attacks.

Cortex XDR Pro, WildFire, Threat Prevention, URL Filtering

Download PDF Share


Samaritan Ministries International (SMI) is a member-driven healthcare cost-sharing organization. A 501(c)(3) nonprofit charity established in 1994, SMI provides its members with a personalized, affordable noninsurance option to cover their costs for healthcare, with members paying a monthly share directly to other members in need.

Samaritan Ministries International manages healthcare cost-sharing for more than 80,000 members, handling private, personal, and financial information. Therefore, securing its network and endpoints against cyberthreats is critical.


Ensuring the privacy of personal information

For many people, healthcare costs can be among their greatest expenses. In some cases, added financial strain on top of coping with an illness or injury can also be psychologically debilitating. Traditional insurance policies may help relieve some of the financial burden, but they rarely bring much personal comfort.

Samaritan Ministries International has an answer for that disparity. SMI offers people of the Christian faith an alternative approach to paying for healthcare: direct cost-sharing through a close-knit community that provides both financial assistance and spiritual support.

With SMI’s direct cost-sharing model, each member household receives a monthly “share slip” that provides the name and address of another member needing financial assistance for healthcare expenses, along with the amount of money to send that person. Members pay other members directly, with each member’s share based on various options, such as shareable percentage and family size.

Personal messages of support are also encouraged. Everyone follows a detailed set of guidelines on what types of healthcare needs are eligible for cost-sharing, the process for submitting requests for healthcare needs, limits on how much can be shared per need, etc.

While SMI is not a healthcare organization or a financial institution, it adheres to many of the same standards to ensure the privacy of members’ personal and financial information. This is especially important as monthly assigned shares are distributed through a newsletter mailing and eShare notifications.

The responsibility for ensuring that information is shared only with whomever is permitted to see it—and no one else— falls squarely on SMI’s security team, of which Keith Merriman is a part. “We strive to act above reproach,” Merriman says, “to work above compliance standards even though we are not technically held to them.”


Comprehensive cybersecurity from network to endpoints

To support its high standards for protecting private information, SMI relies on an advanced cybersecurity infrastructure built on the Palo Alto Networks network security platform and Cortex XDR extended detection and response platform. This provides SMI with strong security in its core network with Palo Alto Networks NGFWs, configured with Threat Prevention, URL Filtering, and the WildFire malware prevention service.

By installing the Cortex XDR agent on all its physical and virtual desktops and servers, SMI also provides a protective shield against cyberthreats across its endpoints. In addition to endpoint data, the Cloud Log Collection Service (CLCS) collects insights from network solutions, which Cortex XDR uses for behavioral analytics and to enable forensics.

SMI is a long-time Palo Alto Networks firewall customer but historically used another vendor solution for endpoint detection and response (EDR). Merriman points out that the legacy product was effective, but it required a great amount of time to manage and tune. When attending the Palo Alto Networks Ignite Security Conference in 2019, Merriman discovered there was a better way to handle EDR.

“I went to a demo of Cortex XDR and dug into everything it could do,” Merriman recalls. “Cortex XDR provides visibility and correlation with a lot more information than we had previously. It provides detailed tracing of an event chain, and I don’t have to spend all my time to get it. That was the lightbulb moment.”

Another key factor was that Cortex XDR is a cloud-based solution. Merriman saw the inherent risk of running security on the same infrastructure being monitored, which a cloud solution avoids. Moreover, with log forwarding to SMI’s on-premises security information and event management (SIEM) system, Cortex XDR ensures the company has a copy of the same log data that is housed in the cloud.

For endpoint protection, Merriman initially deployed the Cortex XDR agent on approximately 700 endpoints. This included physical and virtual desktops—delivered in a virtual desktop infrastructure (VDI)—for SMI’s 400 employees as well as several hundred virtual machines and physical servers running business applications.

Compared to the endpoint protection of SMI’s previous EDR solution, Merriman says, “We’ve received comments from end users reporting a performance improvement since moving to Cortex XDR; none had any negative impact.”

When the global pandemic hit, Merriman and his team faced a new challenge: enable the vast majority of SMI employees to work from home, and do so securely. Merriman notes, “In about one-and-a-half weeks, we transitioned from approximately 8% of employees working from home to 80%, and Cortex XDR was a big part of making that happen.”

A large number of the end users going remote had been on virtual desktops and were moving to laptops, many of them personal devices. To address the potential security vulnerabilities of this arrangement, the SMI team configured a Citrix gateway to connect staff from their homes to the VDI environment so no business information would end up on their personal devices. He also installed the Cortex XDR agent on the employees’ personal devices.

“All of a sudden, we went to a BYOD deployment, which could have left us with a security gap, but Cortex XDR filled that gap beautifully. I don’t believe we could have done it without Cortex XDR and Citrix.” Merriman adds, “There were other healthcare cost-sharing organizations that had to shut down their call centers and reduce business. We didn’t. We were able to maintain business continuity and keep our call center operating to support our members.”


Near-real-time detection and response

With Cortex XDR, Merriman and his team are now able to spot risky user behavior or anomalous system activity and quickly address the issues to prevent SMI’s endpoints from being compromised. This applies to potentially malicious files or links from outside cyberthreats, such as phishing attacks, as well as internal vulnerabilities that the company’s application development team may inadvertently introduce.

“We focus a lot of our effort on monitoring user behavior and developer activity,” Merriman says. “If we see users doing risky things, we try to educate them about the risk and explain safer practices.”

Sometimes, a user’s actions require a more urgent and definitive response.


We had an incident where a user clicked a link they should not have, and an alert came up immediately on the Cortex XDR console. One click and I was able to isolate the endpoint—it couldn’t touch anything. That’s how fast we can respond with Cortex XDR.

–Keith Merriman, Samaritan Ministries International

Merriman and his team also carefully monitor developer activity to spot any vulnerabilities that could compromise endpoints and potentially open paths to the rest of the network. This effort requires a careful balance between stopping risky human or machine behavior and supporting ongoing productivity.

This is another place where the detection speed and depth of information Cortex XDR provides are key. Merriman explains that his mean time to detection (MTTD) with Cortex XDR enables him to determine the true nature of an activity quickly enough following an alert to either block a legitimate threat or allow the activity to continue, and then work with the developer on modifying behavior to avoid setting off alarms in the future.

“With Cortex XDR, we are able to provide a security service for developers and respond to them in a time frame that doesn’t slow progress,” Merriman says. “It returns information fast enough so we can enable DevOps to refine their processes and help them be more secure while staying productive.”


Improving security operations productivity and efficiency

Cortex XDR also helps the security team improve its productivity and efficiency. SMI’s previous EDR product required extensive administration, which took valuable time that could have been better spent on analysis.

Merriman notes, “One of the biggest changes in our day-to-day is the amount of time we now have to focus on productive work, analyzing activity, and better understanding what’s happening on our endpoints and network. The difference is in how much time we spend managing the tool versus using it. We’ve flipped that from 80/20 with the old tool to more like 40/60 with Cortex XDR.”

He concludes, “In the past, security was a black hole of spending, where resources go in but not much comes out. Now, with Palo Alto Networks, we’re able to return real value to the business from our security investments, and Cortex XDR has been a foundational piece of that turnaround.”

Learn more about Cortex, the Palo Alto Networks endpoint protection platform.