In brief
Transportation
United States and Canada
With a series of tools in their SOC, the security team had to jump from one console to another every time an alert came in. Because so much manual labor was required for each investigation, the team could get to only a small percentage of incidents, and the vast majority remained open.
The client was looking to close more incidents and reduce their median time to resolution. They chose a tool that would ingest and analyze data from more sources, plus bring telemetry together to reduce console-switching.
After adopting Cortex XSIAM, the company:
CHALLENGE
The backlog of security alerts was overwhelming for a leading North American transporter of industrial, commercial, and retail goods. Because so much manual labor was required to resolve any given incident—including checking up to five separate consoles to establish a causality chain—over 6,000 unresolved alerts had piled up. As new alerts rolled in, only 10–20% were being closed.
Part of the issue was the lack of automation. Existing tools required a series of intricate steps to automate workflows: pulling data through the company’s cloud automation platform, learning how the APIs worked, making a request, testing the API, educating the team, and granting permission. The lone automation engineer didn’t have the capacity to do it.
Visibility was also limited, particularly in the cloud. The company was pulling only some of its data sources into its existing SIEM and security orchestration, automation, and response (SOAR) solutions, and those tools weren’t sufficiently communicating with each other to provide a digestible view of the environment.
SOLUTION
It was time to make a change. The freight company’s lean security team set out to adopt a single, more powerful solution to:
In the process, the company wanted to mature its SOC, harden its posture, and increase protection.
The company selected Cortex XSIAM for its comprehensive capabilities, especially data ingestion, normalization, and automation. Very quickly, the outlook for the SOC began to change.
RESULTS
Before XSIAM, setting up automations was too labor-intensive for the team to accomplish. After adopting XSIAM, however, the client was able to quickly implement several playbooks and close alerts faster. In addition to robust out-of-the-box protections, they were able to build custom policies and rules specific to their environment. The time saved on incident response was redirected toward improving their overall security posture.
For example, in one automation, indicators of compromise (IOCs) from a number of firewalls are ingested into XSIAM, and whenever an indicator is classified as suspicious or malicious, XSIAM automatically blocks the associated IP addresses, domains, and file hashes. That single automation has eliminated a significant number of alerts.
Another example: Playbooks in XSIAM are providing visibility into phishing. If an attachment defense alert comes in, the playbook reports whether it’s a computer, a server, or something else—for example, a Citrix console—automating what used to be a manual multi-console investigation.
The freight company’s Tier 1 SOC partner noticed the change. The senior information security engineer reports: “Our partner said, ‘It’s impressive that you can keep up with the alerts that we are escalating to you.’”
Adopting XSIAM enabled the freight company to more than double the amount of data it could ingest and analyze, going from 500 gigabytes in its previous tools to 1.2 terabytes on XSIAM. Most of that new data was from the cloud, including Azure and AWS.
Additionally, because they were using other Palo Alto Networks tools, the team was able to leverage and correlate much more data—from their firewalls (including threat prevention data and data from Prisma Cloud), their network, and their endpoints. The senior information security engineer notes: “XSIAM has virtually eliminated false positives. Our security posture has improved significantly now that we are addressing all incidents.”
Thanks to XSIAM, the freight company’s lean security crew is now able to do much more with fewer dedicated resources. They’re managing the load, closing all incidents, and keeping median time to resolution much lower than it was using the old tools.
“I’m proud to be part of this product,” the senior information security engineer says. “I like working with it.”