Turkcell Cyber Defence Center SOARs with Palo Alto Networks

Turkcell is a converged telecommunication and technology services provider headquartered in Turkey. It serves more than 39 million customers with voice, data, TV, and value-added consumer and enterprise services on mobile and fixed networks.

In response to advanced cybersecurity threats and data privacy regulations such as the Turkish KVKK personal data law, Turkcell launched the Cyber Defence Center (CDC). Established seven years ago, the CDC comprises a team of 28 people tasked with planning, analysis, and incident response. Besides securing Turkcell’s internal operations, the CDC supports more than 100 enterprise customers on a fully managed or co-managed MSSP basis.

With more than 550 data sources, the CDC processes eight billion data logs every day. These are filtered down to three billion and then aggregated into 1.8 billion logs. These eight billion logs are filtered, aggregated, and correlated down to 400 million logs, which can result in up to 300 daily alerts requiring action.

Faced with a growing number of MSSP clients and endpoints to manage, the Turkcell CDC needed to automate monitoring. The specific requirements were to:

• Respond even faster to incidents, take action, and keep customers protected.
• Free CDC team from workflow complexity to focus on strategic tasks.
• Scale CDC to support a growing number of customers and endpoints.
• Monitor efficiency with metrics and dashboards.

Turkcell deployed Palo Alto Networks Cortex XSOAR in the CDC to deliver modern, agile security orchestration, automation, and response. The platform unifies alerts and incidents from almost any customer source on a single system for lightning-quick search, query, and investigation.

The initial deployment of Cortex XSOAR took approximately one week.

“The speed of the system is remarkable,” says Cihan Yuceer, Cyber Defence Center Associate Director, Turkcell. “We can automate multiple incident tasks in just a few clicks, such as blocking URLs on a proxy or blocking IPs on a firewall. Using the Cortex XSOAR search tool, our analysts can notify customers immediately and accelerate the investigation process.”

The multitenancy support is also vital in this MSSP scenario. “Customer data is separated into individual hosts and tenants, although we have a single view of every tenant. We can manage alerts whatever the source, take action on threat intelligence, and automate response for any type of customer situation,” says Yuceer. Security information and event management (SIEM) data from MSSP customers is integrated directly into Cortex XSOAR. Yuceer continues, “XSOAR complements SIEM for incident response. Connecting the two supports the selection of the best workflow to respond to the incident. XSOAR automates the execution of the workflows that respond to the incident, significantly reducing our response time.”

Playbook automation is also helping to standardise processes and reduce the mean time to repair (MTTR). “For all incidents, we use one custom playbook,” says Yuceer. “It orchestrates the most critical tasks such as formatting incidents or customer email notifications. We have XSOAR incident reminders and incident closure playbooks as part of the security operations service. Using these playbooks, we are closing the incident handling process without any analyst intervention.”

Cortex XSOAR is transforming the way the Turkcell MSSP service manages customer security. The benefits include:

• Reduced MTTR: Pre-built and customer playbooks enable the team to standardise actions and reduce MTTR, enforcing processes across use cases and between teams with ease.
• Valuable MSSP selling proposition: The platform is a valuable differentiator during MSSP sales negotiations. Tatli explains, “The multitenancy, data separation, and ready-to-use integration features are real differentiators for the MSSP service. Bundling our bespoke ‘Dbot’ threat intelligence service with Cortex XSOAR creates a real advantage against our competitors.”
• Complete automation: A broad range of Cortex XSOR integrations and content packs across different security use cases make it easier for Turkcell to orchestrate and automate incident response workflows and processes across the MSSP environment.
• Scalable security automation: The Turkcell MSSP service currently supports 100+ customers and is growing fast. Cortex XSOAR enables the team to create playbooks and enforce policy at both the controller and tenant levels, allowing the CDC to quickly onboard new customers, offer different levels of service, and expand into additional management options. Moreover, threat intelligence can be tied to incidents in real time and distribution automated to enforcement points at scale.