Automation-first managed detection and response centre helps Saudi Information Technology Company provide best-in-class services

Saudi Information Technology Company (SITE) provide secure-by-design digital services and cybersecurity solutions – delivered by Saudi professionals – that protect the Kingdom’s critical digital assets. These products and services have made SITE a critical partner for major government organisations, private sector, and national entities.

SITE provide innovative, reliable digital and cybersecurity services and solutions – and develop future technologies – to address needs, aspirations, and threats while fostering an entrepreneurship ecosystem and developing a highly talented pool of Saudi human capital.

Saudi Arabia has a knowledge-hungry economy. Digital transformation is disrupting traditional processes, bringing agility, innovation, and rapid change to commercial and government services. SITE are adapting to this new era, boldly reimagining the way they support central and local entities with modern, trusted cybersecurity solutions.

SITE’s Managed Detection and Response (MDR) centre is the heartbeat of this strategy, providing more than 150 clients across the Kingdom with modern, 24x7, remotely delivered security operations centre (SOC) services. MDR is a turnkey, rapidly provisioned, threat-centric SOC that improves the security postures of subscribers from day one. With a diversified technology stack of five main platforms deployed at clients’ sites, covering host, network, applications, and analytics, and a cohesive matrix of more than 20 supporting cybersecurity-focused technologies, MDR is supercharged with a rich, well-designed ecosystem focused on sophisticated delivery.

Security orchestration, automation, and response (SOAR) was engraved into the MDR service manifesto right from the start. Until the ideal solution was found, SITE MDR started developing in-house tools and standalone script as short-term fixes to provide the automation necessary to keep up with the MDR service’s rapid growth.

SITE needed a trusted partner to support their best-in-class MDR service. They identified that a solution would be required to:

• Automate repetitive tasks.
• Triage security incidents faster with automated investigation and response.
• Increase productivity, efficiency, and accuracy.
• Strengthen defences by connecting complex workflows across the team and tools.
• Achieve parallelism by carrying out multiple tasks simultaneously with less resources.
• Standardise the investigation approach to reduce human errors.

A Palo Alto Networks Cortex XSOAR trial convinced the Lead Automation Engineer and her team that the platform offered the multitenancy, flexibility, and mature functionality to meet SITE MDR’s needs. “XSOAR is a security design masterstroke,” she says. “The integrations are fast and simple, and the workflow to build playbooks is incredibly intuitive – not to mention the high flexibility it provides. We simply create an object and link it to a use case. A malware analysis playbook, for example, can be reused for another use case with minimal configuration.”

SITE MDR is staffed with highly skilled analysts and engineers, distributed across Tier 1 to Tier 3 in the monitoring team and other dedicated teams – automation, threat hunting, content creation, and administration.

The Lead Automation Engineer is rightly proud of SITE MDR’s XSOAR deployment.

On a typical day, SITE MDR will receive up to 1,200 alerts, raised by the SIEM, in any of the 150+ clients’ environments or by SITE MDR’s internal threat hunting. XSOAR ingests aggregated alerts and indicators of compromise (IoCs) from internal sources, and the technologies deployed client-side provide complete visibility across different log types, network traffic, and endpoints. The majority of SOC alerts are mapped to playbooks based on a sophisticated detection catalogue developed to detect advanced tactics, techniques, and procedures (TTPs). Strategies from the playbooks are then executed in response to these incidents.

SOC security automation is upending operations and service delivery to enable SITE MDR to:

• Deliver consistently secure, high-quality client experience: SITE MDR has significantly improved SLA without jeopardising quality by using XSOAR. For example, alerts processed using the playbooks are investigated 30% faster than those processed manually. Their Lead Automation Engineer comments, “For alerts managed entirely by XSOAR, we are meeting 100% of SLAs.”

  Moreover, SITE MDR has the flexibility to automate prioritisation of alerts, ensuring nothing is overlooked. XSOAR is also integrated with SITE MDR’s custom-built Client Portal, so clients can automatically perform massive security scans, without having to wait for human interaction. This extends the SITE MDR service catalogue and increases client satisfaction.

• Reduce false positive alerts: XSOAR automatically closes known false positives without human intervention using playbooks designed to assess alerts for false positive detection. XSOAR also assists the team responsible for building use cases by suggesting tuning cases to reduce the number of false positive alerts a rule may trigger. This has led to a reduction in false positive rates for automated alerts and gave analysts more time for strategic, value-add tasks.

• Optimise SOC operations: XSOAR saves time, streamlines operations, and increases SOC productivity. Analysts no longer need to be booked for a day or more to perform exhausting manual tasks – instead, XSOAR automation makes the team highly efficient.

• Automate across SITE’s security stack: Alerts are ingested across sources and 150+ client environments, executing automated workflows/playbooks to speed up incident response and provide standard investigations.