on 05-20-2020 03:23 PM - edited on 05-20-2020 05:47 PM by Retired Member
Cortex XSOAR in Telecom
The customer is a leading telecommunications company that provides cellular, internet, streaming TV services, and business infrastructure hosting services. With the data of more than 2.8 million subscribers at stake, this customer needed to protect its digital and infrastructure assets.
Because of the customer’s broad range of services, security was—and is—a multi-team effort. It had long been challenging to coordinate between security, development, and production teams for regular security operations and incident response. The lack of a defined security operations center (SOC) team exacerbated this, resulting in a high volume of daily alerts (around 100) and dead time during incident handoffs.
The customer’s security teams also had multiple ingestion and detection sources to deal with. While they had a security information and event management (SIEM) system in place to aggregate logs and machine data into alerts, some incidents also flowed in via mailboxes, where employees forwarded suspected phishing emails. As a result, there was no single console from which to view alerts and execute incident response at scale.
The customer solved these challenges by deploying Cortex™ XSOAR alongside the existing SIEM, threat intelligence, email, and behavioral analysis solutions. Now, the security teams can take advantage of:
“The platform has threaded together our security systems, enabled different teams to collaborate, and continuously onboarded new features to help us resolve incidents faster.”
—CSO, Telecom Customer
No SOC Team, No Problem
Playbooks—such as for malware enrichment—help automate previously time-consuming tasks and free up analyst time by providing rich information for problem-solving. Codifying a sequence of steps helps the entire team stick to a response quality benchmark and quickly onboard use cases.
Using the War Room for incident investigations improves team coordination and productivity, preventing the need to maintain disparate threads of communication across emails, tickets, and so on. Moreover, since participants can work in a common window, it’s easy to impart visibility and assign accountability when required.
Cortex XSOAR provides a central console, where incidents from multiple sources can be ingested. Multiple attacks belonging to common campaigns can be identified as related incidents within Cortex XSOAR, further sanitizing and enriching the alert queue so that security teams can respond to incidents more quickly.