Cortex XSOAR Energy Utility Case Study


Keeping the SOC Lights On

Cortex XSOAR in an Electric Utility Company

Industry
Energy/Electric Utilities

Integrations

  • SIEM
  • Forensics and malware analysis
  • Ticketing
  • Data analytics

Challenges

  • High volume of alerts
  • Detection of duplicates and related incidents
  • Time-consuming case management/ticketing

Solution
This electric utility company used Cortex XSOAR to:

  • Automate duplicate alert detection and consolidation
  • Orchestrate workflows across products on one platform
  • Correlate threat intel from multiple sources, including open source tools
  • Detect similarities between cases for better insights and training opportunities
  • Accelerate case management reporting

Results
Cortex XSOAR enabled the company to:

  • Reduce case volume by 30%, seeing time savings of approximately one full-time analyst
  • Deploy aggressive detection without negatively impacting analyst workload
  • Speed up monthly risk audit reporting with case management information in one place

The Customer

For this customer, one of the largest electric utility companies providing energy-related services in the US, aggressive detection was a priority for its security operations center (SOC) team. The team also wanted to ensure its security analysts were not spending inordinate amounts of time investigating duplicate alerts.

The Problem

The SOC team had a mix of ingestion and detection sources to deal with, ranging from security vendor products and open source platforms to in-house tools and proprietary solutions. While the team had a security information and event management (SIEM) solution to aggregate logs, the analysts spent a great deal of time investigating duplicate alerts instead of hunting threats. Case management was also bogged down with the need to pivot between multiple screens, often resulting in the analysts cutting and pasting information manually.

In addition, analysts had to be chased down at the end of each month for the details needed in case management reports. These low-level tasks prevented analysts from focusing on data interpretation and problem solving, which ultimately led to longer resolution times and lower productivity.

The Solution

The SOC team first deployed Cortex™ XSOAR playbooks to identify and remove duplicate alerts generated by its cybersecurity tools. The team also leveraged Cortex XSOAR to automate case metrics tracking and reporting. With the expanded visibility across cases, the team was able to derive similarities and surface trends that weren’t visible before.

Because analysts tracked their actions within Cortex XSOAR, monthly risk audit reporting became easier: case data and analyst actions were now archived and easily retrievable from one location. This common knowledge repository enabled a smoother handover between analyst shift changes and served as a training resource for lower-level analysts.

The case management lifecycle managed within Cortex XSOAR includes ticketing. By automating and integrating the ticketing process, the SOC managers were able to free up analysts from doing tedious tasks, such as manually copying information from one system to another, so they could focus on threat hunting and decision-making. 

Because the SOC team relies heavily on metrics-driven decisions, there are plans to integrate Cortex XSOAR with in-house visualization platforms for advanced reporting and insights.

[Figure: Outcomes with Cortex XSOAR]

The Results

Cortex XSOAR enabled the SOC team to be as aggressive as necessary in alert settings without worrying about impacting analyst workload. As a result of automating deduplication efforts, the SOC team was able to reduce alert volume by 30% within the first month of operation. This netted out to time savings approximately equal to a full-time analyst.

An added benefit was in the area of metrics. As SIEM users know, extracting metrics from a SIEM to identify similarities across cases can be onerous. The SOC team was able to leverage Cortex XSOAR playbooks to automate some of these tasks, producing previously undetected insights into problem areas related to people, processes, and technology. For example, the team discovered multiple malware cases associated with specific machines or user accounts. This was an unexpected benefit of the expanded visibility into case-related metrics.
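The two automation steps the case study describes, consolidating duplicate alerts into a single case and then surfacing hosts or accounts that keep appearing across cases, are shown below as an added Python illustration. This is not Cortex XSOAR playbook code or the utility's own logic; the alert records, their field names, the case-folded deduplication key and the 30-minute grouping window are all constructed assumptions chosen to make the mechanics visible.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample alerts (not from the case study). The fields are the kind a SIEM
# typically forwards; a1/a2 and a4/a5 are the "same finding" reported more than once.
SAMPLE_ALERTS = [
    {"id": "a1", "source": "EDR", "rule": "Malware Detected", "host": "WS-0042", "user": "jdoe", "ts": "2020-05-01T08:00:00"},
    {"id": "a2", "source": "EDR", "rule": "Malware Detected", "host": "WS-0042", "user": "jdoe", "ts": "2020-05-01T08:04:00"},
    {"id": "a3", "source": "Proxy", "rule": "C2 Beacon", "host": "WS-0042", "user": "jdoe", "ts": "2020-05-01T08:10:00"},
    {"id": "a4", "source": "EDR", "rule": "Malware Detected", "host": "WS-0042", "user": "jdoe", "ts": "2020-05-01T11:00:00"},
    {"id": "a5", "source": "EDR", "rule": "malware detected", "host": "ws-0042", "user": "JDOE", "ts": "2020-05-01T11:20:00"},
    {"id": "a6", "source": "EDR", "rule": "Malware Detected", "host": "WS-0077", "user": "asmith", "ts": "2020-05-02T09:00:00"},
]


@dataclass
class Incident:
    """One consolidated case. Duplicate alerts are linked here instead of opening new cases."""
    id: str
    key: tuple
    first_seen: datetime
    last_seen: datetime
    alert_ids: list = field(default_factory=list)


def dedup_key(alert):
    """Normalized identity of an alert: same source, rule, host and user means the same finding.
    Case-folding matters because different tools report the same host as WS-0042 and ws-0042."""
    return tuple(alert[f].strip().lower() for f in ("source", "rule", "host", "user"))


def consolidate(alerts, window=timedelta(minutes=30)):
    """Group alerts that share a dedup key and arrive within `window` of the previous alert
    in that group. A repeat of the same finding hours later opens a new incident rather than
    being buried in an old one. Returns incidents in creation order."""
    ordered = sorted(alerts, key=lambda a: datetime.fromisoformat(a["ts"]))
    open_by_key = {}   # dedup key -> most recent incident for that key
    incidents = []
    for alert in ordered:
        ts = datetime.fromisoformat(alert["ts"])
        key = dedup_key(alert)
        inc = open_by_key.get(key)
        if inc is None or ts - inc.last_seen > window:
            inc = Incident(id=f"INC-{len(incidents) + 1}", key=key, first_seen=ts, last_seen=ts)
            incidents.append(inc)
            open_by_key[key] = inc
        inc.alert_ids.append(alert["id"])
        inc.last_seen = ts
    return incidents


def reduction_pct(alerts, incidents):
    """Share of raw alerts that did not become a separate case, rounded to one decimal."""
    return round(100 * (len(alerts) - len(incidents)) / len(alerts), 1)


def repeat_entities(incidents, min_cases=2):
    """Hosts and users that appear in at least `min_cases` distinct incidents: the
    'same machine or account keeps showing up' metric the SOC team found valuable."""
    counts = Counter()
    for inc in incidents:
        _, _, host, user = inc.key
        counts[f"host:{host}"] += 1
        counts[f"user:{user}"] += 1
    return {entity: n for entity, n in counts.items() if n >= min_cases}


if __name__ == "__main__":
    incs = consolidate(SAMPLE_ALERTS)
    for inc in incs:
        print(inc.id, inc.key, inc.alert_ids)
    print(f"alert volume reduced by {reduction_pct(SAMPLE_ALERTS, incs)}%")
    print("repeat entities:", repeat_entities(incs))
```

On the constructed input, six alerts collapse into four incidents (a 33.3% reduction), and both the host ws-0042 and the user jdoe appear in three of them, which is the kind of pattern worth a closer look at the endpoint or account rather than at each alert in isolation. The grouping window is the knob to tune: too short and duplicates leak through, too long and genuinely new activity gets hidden inside a stale case.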

As the SOC team builds out its automation efforts, the goal is to map alerts and threat behavior to the MITRE ATT&CK™ framework to better understand security risk against adversarial threat behavior as well as aid in planning better defenses and verifying the effectiveness of existing defenses.

Last update: 05-20-2020 05:15 PM