Cutting Through the Noise
Cortex XSOAR in Telecom
A leading telecommunications company that provides cellular, internet, streaming TV services, and business infrastructure hosting services. With the data of more than 2.8 million subscribers at stake, this customer needed to protect its digital and infrastructure assets.
Lack of a defined SOC team
High volume of weekly alerts
Disparate teams (e.g., Production, Security, Development)
Open tickets and long response times
Solution This telecom company used Cortex XSOAR to:
Execute playbooks for automated malware analysis and response
Ingest security intelligence across sources for centralized context
Facilitate team collaboration and information visibility with the War Room
Results Cortex XSOAR enabled the company to:
Speed up response times by automating repeatable tasks
Coordinate across teams and improve team accountability
Improve response efficiency with single-console investigations
Because of the customer’s broad range of services, security was—and is—a multi-team effort. It had long been challenging to coordinate between security, development, and production teams for regular security operations and incident response. The lack of a defined security operations center (SOC) team exacerbated this, resulting in a high volume of daily alerts (around 100) and dead time during incident handoffs.
The customer’s security teams also had multiple ingestion and detection sources to deal with. While they had a security information and event management (SIEM) system in place to aggregate logs and machine data into alerts, some incidents also flowed in via mailboxes, where employees forwarded suspected phishing emails. As a result, there was no single console from which to view alerts and execute incident response at scale.
The customer solved these challenges by deploying Cortex™ XSOAR alongside the existing SIEM, threat intelligence, email, and behavioral analysis solutions. Now, the security teams can take advantage of:
Ingestion across sources: With Cortex XSOAR orchestration allowing for ingestion of alerts across sources, the customer can direct alerts from its SIEM and mailboxes into the Cortex XSOAR console for single-window visibility, triage, and response.
Malware enrichment and response playbook: A custom playbook coordinates a range of products for automated malware enrichment and response. It runs threat intelligence actions on SIEM alerts to establish reputation for indicators of compromise (IOCs). Then, it retrieves endpoint details through integration with relevant tools, runs behavioral analytics using one of the customer’s custom tools, and deploys the dissolvable Cortex XSOAR agent on infected endpoints. Once extracted, Cortex XSOAR presents this wealth of data, such as file details and memory dumps, for the security team’s perusal.
Team coordination: To address team coordination, the customer uses the Cortex XSOAR War Room to great effect. The War Room provides a platform through which cross-functional teams can view playbook task results, collaborate on plans of action, and run security commands in real time.
“The platform has threaded together our security systems, enabled different teams to collaborate, and continuously onboarded new features to help us resolve incidents faster. —CSO, Telecom Customer
Extended capabilities with Cortex XSOAR
No SOC Team, No Problem
Playbooks—such as for malware enrichment—help automate previously time-consuming tasks and free up analyst time by providing rich information for problem-solving. Codifying a sequence of steps helps the entire team stick to a response quality benchmark and quickly onboard use cases.
Using the War Room for incident investigations improves team coordination and productivity, preventing the need to maintain disparate threads of communication across emails, tickets, and so on. Moreover, since participants can work in a common window, it’s easy to impart visibility and assign accountability when required.
Cortex XSOAR provides a central console, where incidents from multiple sources can be ingested. Multiple attacks belonging to common campaigns can be identified as related incidents within Cortex XSOAR, further sanitizing and enriching the alert queue so that security teams can respond to incidents more quickly.
... View more