About ELaufer

Join me next week on Thursday, June 24th at 9 am PT when I will be hosting this live webinar and Q&A session on how to automate your SlashNext and Pcysys workflows! Register today.   ... View more

Post here for all of your Community Edition support questions and one of our product experts will get back to you soon!  ... View more

Has anyone written a playbook that would check the age of a domain, say via it's Whois creation date, and then do a task?* *Originally contributed to dfircommunity.slack.com #playbooks channel by SteveC on Friday, May 15th, 2020 at 3:11 pm   ... View more

Navigating Rough Seas How Esri Reduced Its Alert Barrage with Cortex XSOAR   Industry Software/Geographic Information Systems   Integrations Cortex XSOAR on-premises platform SIEM Network monitoring Challenges Alert fatigue (more than 10,000 per week) Shortage of skilled SOC analysts (only five) Detection of duplicates and related incidents Complex and distributed threat indicator management Solution Esri used Cortex XSOAR to: Get faster closure and false positive detection with auto- mated playbooks Leverage historical cross-correlation for duplicate detection Combine analyst knowledge with a collaboration window for joint investigations Results Cortex XSOAR enabled Esri to: Cut weekly alert volume by 95% Increase analyst productivity Reduce organizational risk   The Customer Esri is a global organization that helps more than 350,000 customers around the world solve tough problems through advanced geospatial technology. With more than 75% of Fortune 500 companies deploying its solutions to meet business goals, it was critical for Esri to maintain a security posture that would protect its diverse digital assets and those of its customers.   The Situation Esri’s vast customer base and digital nature led to multiple security challenges. Alerts in excess of 10,000 each week caused significant fatigue among the team of five security operations analysts. Detecting false positives and duplicate incidents amid a countless host of attacks was a specific concern that wasn’t being addressed.   Esri was also looking to streamline threat indicator management processes, which were distributed, complex, and not conducive to lean threat hunting exercises. Suboptimal responses to these issues were increasing Esri’s business risk, wasting resources, and making the security operations center (SOC) more difficult to manage.   The Solution To meet its challenges head on, Esri deployed Cortex™ XSOAR for security orchestration, automation, and response in addition to its existing security information and event management (SIEM) and network monitoring solutions. To speed up incident triage and response, the team took advantage of custom playbooks that interweaved automated and manual tasks. These playbooks also codified analyst knowledge, ­facilitating a standardized response to specific attacks. For false positive and duplicate detection, Esri used historical cross-correlation capabilities in Cortex XSOAR. By quickly highlighting common artifacts and indicators across incidents, Esri analysts could spot and close duplicate attacks without spending too much time on redundant investigations.   To enhance analyst productivity and learning, Esri used the Cortex XSOAR War Room to conduct joint investigations and help cross-pollinate its analysts’ skill sets. Now able to work on complex incidents together, pull in security actions from other tools, and document results in the same window, Esri’s analysts could restructure their task loads to focus on the cerebral over the trivial. Outcomes with Cortex XSOAR   The Results Esri’s application of orchestration, automation, and collaboration led to both objective and subjective improvements. Alerts went from 10,000 per week to roughly 500—a staggering 95% reduction stemming largely from swift resolution of false positives and duplicate incidents, thanks to automated playbooks and historical cross-correlation.     Moreover, Esri used Cortex XSOAR as the central hub to ingest all alerts, obviating the need for analysts to visit multiple systems to find relevant information. Including ticket management in the team’s incident response platform alongside automation and orchestration meant no alert could slip through the cracks at Esri to cause potential business risk.   Automation freed up the analysts’ time, letting them focus on strategic tasks and continuous process improvements rather than being mired in day-to-day firefighting. Playbooks allowed them to scale their efforts effectively, enabling Esri to more effectively leverage the toughest resource to find and retain: skilled analysts.     The Cortex XSOAR War Room led to increased analyst satisfaction. By automatically documenting all analyst actions, allowing them to improve each other’s skill sets, and giving machine learning-powered insights, the War Room lets analysts do more of what they do best—solve difficult problems—without drowning in documentation and menial tasks.   The automation infused into our security infrastructure by Cortex XSOAR complements our existing SIEM, allowing our SOC team to realize greater efficiencies. Automating these mundane tasks allows our analysts to focus on decision-making. – Sean Kohlmeier, Security Operations Manager, Esri ... View more

Keeping the SOC Lights On Cortex XSOAR in an Electric Utility Company   Industry Industry Energy/Electric Utilities   Integrations SIEM Forensics and malware analysis Ticketing Data analytics Challenges High volume of alerts Detection of duplicates and related incidents Time-consuming case management/ticketing Solution This electric utility company used Cortex XSOAR to: Automate duplicate alert detection and consolidation Orchestrate workflows across products on one platform Correlate threat intel from multiple sources, including open source tools Detect similarities between cases for better insights and training opportunities Accelerate case management reporting Results Cortex XSOAR enabled the company to: Reduce case volume by 30%, seeing time savings of approximately one full-time analyst Deploy aggressive detection without negatively impacting analyst workload Speed up monthly risk audit reporting with case management information in one place     The Customer As one of the largest electric utility companies providing energy-related services in the US, aggressive detection was a priority for this customer’s security operations center (SOC) team. The team also wanted to ensure its security analysts were not spending inordinate amounts of time investigating duplicate alerts.   The Problem The SOC team had a mix of ingestion and detection sources to deal with, ranging from security vendor products and open source platforms to in-house tools and proprietary solutions. While the team had a security information and event management (SIEM) solution to aggregate logs, the analysts spent a great deal of time investigating duplicate alerts instead of hunting threats. Case management was also bogged down with the need to pivot between multiple screens, often resulting in the analysts cutting and pasting information manually.   In ­addition, there was a need to chase down analysts at the end of each month to get details for case management reports. These low-level tasks prevented analysts from focusing on data interpretation and problem solving, which ultimately led to longer resolution times and lower productivity.   The Solution The SOC team first deployed Cortex™ XSOAR playbooks to identify and remove duplicate alerts generated by its cybersecurity tools. The team also leveraged Cortex XSOAR to automate  case metrics tracking and reporting. With the expanded visibility across cases, the team was able to derive similarities and surface trends that weren’t visible before.   As ­analysts tracked their actions within Cortex XSOAR, this facilitated monthly risk audit reporting since case data and analyst actions were now archived and easily retrievable from one ­location. This common knowledge repository enabled a smoother transition of knowledge between analyst shift changes and served as a training resource for lower level analysts.    The case management lifecycle managed within Cortex XSOAR includes ticketing. By automating and integrating the ticketing process, the SOC managers were able to free up analysts from doing tedious tasks, such as manually copying information from one system to another, so they could focus on threat hunting and decision-making.    As the SOC team is very focused on metric data-driven decisions, there are plans to integrate Cortex XSOAR with in-house visualization platforms for advanced reporting and insights.   Outcomes with Cortex XSOAR   The Results Cortex XSOAR enabled the SOC team to be as aggressive as necessary in alert settings without worrying about impacting analyst workload. As a result of automating deduplication efforts, the SOC team was able to reduce alert volume by 30% within the first month of operation. This netted out to time savings approximately equal to a full-time analyst.   An added benefit was in the area of metrics. As SIEM users know, the process of extracting metrics from an SIEM to identify similarities across cases can be onerous. The SOC team was able to leverage Cortex XSOAR playbooks to automate some of these tasks, producing previously undetected insights into problem areas related to people, processes, and technology. For example, the team discovered multiple malware ­cases associated with specific machines or user accounts. This was an unexpected benefit with the expanded visibility into case-related metrics.   As the SOC team builds out its automation efforts, the goal is to map alerts and threat behavior to the MITRE ATT&CK™ framework to better understand security risk against adversarial threat behavior as well as aid in planning better defenses and verifying the effectiveness of existing defenses. ... View more

Cutting Through the Noise Cortex XSOAR in Telecom   A leading telecommunications company that provides cellular, internet, streaming TV services, and business infrastructure hosting services. With the data of more than 2.8 million subscribers at stake, this customer needed to protect its digital and infrastructure assets.     Industry Cellular/Telecommunications   Integrations SIEM Threat intelligence Email listener Behavioral Analytics Challenges Lack of a defined SOC team High volume of weekly alerts Disparate teams (e.g., Production, Security, Development) Open tickets and long response times Solution This telecom company used Cortex XSOAR to: Execute playbooks for automated malware analysis and response Ingest security intelligence across sources for centralized context Facilitate team collaboration and information visibility with the War Room Results Cortex XSOAR enabled the company to: Speed up response times by automating repeatable tasks Coordinate across teams and improve team accountability Improve response efficiency with single-console investigations   Story Summary Because of the customer’s broad range of services, security was—and is—a multi-team effort. It had long been challenging to coordinate between security, development, and production teams for regular security operations and incident response. The lack of a defined security operations center (SOC) team exacerbated this, resulting in a high volume of daily alerts (around 100) and dead time during incident handoffs.   The customer’s security teams also had multiple ingestion and detection sources to deal with. While they had a security information and event management (SIEM) system in place to aggregate logs and machine data into alerts, some incidents also flowed in via mailboxes, where employees forwarded suspected phishing emails. As a result, there was no single console from which to view alerts and execute incident response at scale.   The Solution The customer solved these challenges by deploying Cortex™ XSOAR alongside the existing SIEM, threat intelligence, email, and behavioral analysis solutions. Now, the security teams can  take advantage of: Ingestion across sources: With Cortex XSOAR orchestration allowing for ingestion of alerts across sources, the customer can direct alerts from its SIEM and mailboxes into the Cortex XSOAR console for single-window visibility, triage, and response. Malware enrichment and response playbook: A custom playbook coordinates a range of products for automated malware enrichment and response. It runs threat intelligence actions on SIEM alerts to establish reputation for indicators of compromise (IOCs). Then, it retrieves endpoint details through integration with relevant tools, runs behavioral analytics using one of the customer’s custom tools, and deploys the dissolvable Cortex XSOAR agent on infected endpoints. Once extracted, Cortex XSOAR presents this wealth of data, such as file details and memory dumps, for the security team’s perusal. Team coordination: To address team coordination, the customer uses the Cortex XSOAR War Room to great effect. The War Room provides a platform through which cross-functional teams can view playbook task results, collaborate on plans of action, and run security commands in real time.   “The platform has threaded together our security systems, enabled different teams to collaborate, and continuously onboarded new features to help us resolve incidents faster. —CSO, Telecom Customer   Extended capabilities with Cortex XSOAR   The Results No SOC Team, No Problem Playbooks—such as for malware enrichment—help automate previously time-consuming tasks and free up analyst time by providing rich information for problem-solving. Codifying a sequence of steps helps the entire team stick to a response quality benchmark and quickly onboard use cases.   Cross-Team Collaboration Using the War Room for incident investigations improves team coordination and productivity, preventing the need to maintain disparate threads of communication across emails, tickets, and so on. Moreover, since participants can work in a common window, it’s easy to impart visibility and assign accountability when required.   Faster Response Cortex XSOAR provides a central console, where incidents from multiple sources can be ingested. Multiple attacks belonging to common campaigns can be identified as related incidents within Cortex XSOAR, further sanitizing and enriching the alert queue so that security teams can respond to incidents more quickly. ... View more

Clearing Digital Battlefields Cortex XSOAR in a Top Tech Company   Industry Application Development   Integrations Cortex XSOAR Endpoint monitoring Network detection Log collectors User login tools Challenges Growing alert numbers Small IR team in a fast-growing company Coordination among multiple security products Increasing network sensors in remote locations Solution This tech company used Cortex XSOAR to: Leverage playbooks as single source of truth for investigations Employ playbook task-blocks to reduce pivoting between screens and systems Handle repetitive task flows through automated computing power Results Cortex XSOAR enabled the company to: Reduce investigation times from as much as four hours to 10 minutes Put richer incident context at analyst fingertips Maintain leaner security operations     The Customer This technology company has worldwide operations spread across multiple spheres of application development. Juggling multiple business units, the company must facilitate a high volume of users and maintain a security posture robust enough to guarantee the integrity of users’ personal and financial data.   The Situation Fast business growth engendered a rise in security challenges. The incident response team faced a growing number of net- work sensors in remote locations, and coupled with limited personnel, security alerts were stacking up.   It was time-consuming for the analysts to repeat the same sequence of manual tasks for each incident, usually while straddling multiple screens and security products. These menial tasks kept the analysts from being able to focus on data interpretation and problem solving, which ultimately led to painfully long resolution times.   To overcome these challenges, the analysts needed a security operations toolkit in addition to traditional security information and event management (SIEM) logging and event correlation.   The Solution The customer deployed CortexTM XSOAR as a connective security platform for its products and teams. Using Cortex XSOAR as a common layer across a host of tools, such as user login, endpoint monitoring, network detection, and log collection solutions, the analysts could harmonize actions across their platforms without needing to switch screens or chase fragmented information.   By creating formalized playbooks and automating quantity-heavy action blocks, the analysts ensured there was a single source of truth for security investigations in the security operations center (SOC). Automation also meant that previously laborious tasks—such as scouring log sources for relevant entries—could be distilled into sub-playbooks that analysts could chain together with a few values and clicks.   Outcomes with Cortex XSOAR     The Results The most tangible benefit was an exponential decrease in investigation times. One common incident type that had previously taken four or more hours to get through before the deployment of Cortex XSOAR now took an average of 10 minutes—a 95% decrease in investigation time. This increased efficiency saw an increase in enrichment quality. By quickly gathering and cross-referencing data across a host of sources, Cortex XSOAR playbooks provided rich context analysts could take advantage of to rapidly resolve issues.   Cortex XSOAR also helped the SOC extract maximum value from the company’s existing security products. By coordinating actions across products and automating repetitive tasks, the analysts could leverage the product stack without a higher rate of error, stress, or dead time.   Ultimately, Cortex XSOAR freed up the analysts’ time to focus on more mission-critical objectives, benefited SOC managers through increased workforce productivity, and helped security leaders realize lower business risk and higher return on their security investments. ... View more