Cortex XSOAR Telecom Case Study

Cutting Through the Noise

Cortex XSOAR in Telecom

The customer is a leading telecommunications company that provides cellular, internet, streaming TV, and business infrastructure hosting services. With the data of more than 2.8 million subscribers at stake, it needed to protect both its digital and its infrastructure assets.

Industry
Cellular/Telecommunications

Integrations

  • SIEM
  • Threat intelligence
  • Email listener
  • Behavioral Analytics

Challenges

  • Lack of a defined SOC team
  • High volume of weekly alerts
  • Disparate teams (e.g., Production, Security, Development)
  • Open tickets and long response times

Solution
This telecom company used Cortex XSOAR to:

  • Execute playbooks for automated malware analysis and response
  • Ingest security intelligence across sources for centralized context
  • Facilitate team collaboration and information visibility with the War Room

Results
Cortex XSOAR enabled the company to:

  • Speed up response times by automating repeatable tasks
  • Coordinate across teams and improve team accountability
  • Improve response efficiency with single-console investigations

Story Summary

Because of the customer’s broad range of services, security was—and is—a multi-team effort. It had long been challenging to coordinate between security, development, and production teams for regular security operations and incident response. The lack of a defined security operations center (SOC) team exacerbated this, resulting in a high volume of daily alerts (around 100) and dead time during incident handoffs.

The customer’s security teams also had multiple ingestion and detection sources to deal with. While they had a security information and event management (SIEM) system in place to aggregate logs and machine data into alerts, some incidents also flowed in via mailboxes, where employees forwarded suspected phishing emails. As a result, there was no single console from which to view alerts and execute incident response at scale.

The Solution

The customer solved these challenges by deploying Cortex™ XSOAR alongside the existing SIEM, threat intelligence, email, and behavioral analysis solutions. Now, the security teams can take advantage of:

  • Ingestion across sources: With Cortex XSOAR orchestration allowing for ingestion of alerts across sources, the customer can direct alerts from its SIEM and mailboxes into the Cortex XSOAR console for single-window visibility, triage, and response.
  • Malware enrichment and response playbook: A custom playbook coordinates a range of products for automated malware enrichment and response. It first runs threat intelligence actions on SIEM alerts to establish the reputation of the indicators of compromise (IOCs) they contain. It then retrieves endpoint details through integrations with the relevant tools, runs behavioral analytics using one of the customer’s custom tools, and deploys the dissolvable Cortex XSOAR agent on infected endpoints. Once the agent has collected its data, such as file details and memory dumps, Cortex XSOAR presents it to the security team for review.
  • Team coordination: To address team coordination, the customer uses the Cortex XSOAR War Room to great effect. The War Room provides a platform through which cross-functional teams can view playbook task results, collaborate on plans of action, and run security commands in real time.
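The ingestion and enrichment flow described above, as an added illustrative sketch that is not Cortex XSOAR's own code or the customer's playbook: it normalizes alerts from a SIEM and from a phishing mailbox into one incident shape, scores the indicators found in them against a reputation table, and links incidents that share an indicator into related groups (the "related incidents" idea the case study mentions). The alert fields, the reputation values and the sample alerts are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed stand-in for a threat-intelligence reputation lookup (assumption).
REPUTATION = {"bad.example.net": "malicious", "198.51.100.23": "suspicious"}

# Indicator extractors; the domain pattern requires an alphabetic TLD so that
# it does not also swallow dotted-quad IP addresses.
IOC_PATTERNS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
}


def extract_iocs(text):
    """Return the set of (kind, value) indicators found in free text."""
    return {(kind, m.lower()) for kind, pat in IOC_PATTERNS.items() for m in pat.findall(text)}


def normalize(alert):
    """Map a SIEM alert or a forwarded phishing mail onto one incident shape."""
    if alert["source"] == "siem":
        text = alert["message"]
    else:  # mailbox alerts are emails that employees forwarded as suspected phishing
        text = alert["subject"] + " " + alert["body"]
    iocs = extract_iocs(text)
    verdicts = {REPUTATION.get(value, "unknown") for _, value in iocs}
    severity = "high" if "malicious" in verdicts else ("medium" if "suspicious" in verdicts else "low")
    return {"id": alert["id"], "source": alert["source"], "iocs": iocs, "severity": severity}


def link_related(incidents):
    """Group incidents that share at least one indicator; groups stay disjoint."""
    by_ioc = defaultdict(set)
    for inc in incidents:
        for ioc in inc["iocs"]:
            by_ioc[ioc].add(inc["id"])
    groups = []
    for members in by_ioc.values():
        merged, rest = set(members), []
        for group in groups:  # fold in every existing group this one overlaps
            if group & merged:
                merged |= group
            else:
                rest.append(group)
        groups = rest + [merged]
    return [sorted(g) for g in groups]


SAMPLE_ALERTS = [  # constructed sample input, not real telemetry
    {"id": "INC-1", "source": "siem", "message": "outbound DNS query to bad.example.net from host ws-42"},
    {"id": "INC-2", "source": "mailbox", "subject": "FW: invoice", "body": "click http://bad.example.net/pay now"},
    {"id": "INC-3", "source": "siem", "message": "repeated failed logins from 198.51.100.23"},
]


def triage(alerts):
    """Normalize every alert, then return the incidents and their related groups."""
    incidents = [normalize(a) for a in alerts]
    return incidents, link_related(incidents)
```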

“The platform has threaded together our security systems, enabled different teams to collaborate, and continuously onboarded new features to help us resolve incidents faster.”
—CSO, Telecom Customer

Extended capabilities with Cortex XSOAR

The Results

No SOC Team, No Problem

Playbooks—such as for malware enrichment—help automate previously time-consuming tasks and free up analyst time by providing rich information for problem-solving. Codifying a sequence of steps helps the entire team stick to a response quality benchmark and quickly onboard use cases.

Cross-Team Collaboration

Using the War Room for incident investigations improves team coordination and productivity, preventing the need to maintain disparate threads of communication across emails, tickets, and so on. Moreover, since participants can work in a common window, it’s easy to impart visibility and assign accountability when required.

Faster Response

Cortex XSOAR provides a central console, where incidents from multiple sources can be ingested. Multiple attacks belonging to common campaigns can be identified as related incidents within Cortex XSOAR, further sanitizing and enriching the alert queue so that security teams can respond to incidents more quickly.

Last update: 05-20-2020 05:47 PM