Picture this: It's 4 a.m. A security analyst jolts awake to a ping on their phone. Another alert. Another potential threat. Another disrupted night of tackling manual processes and painstaking investigations. Another day, another strong pot of coffee.
This scene, unfortunately, is all too common in today's cybersecurity landscape. But, there is a way to transform fire drills into smooth, automated processes. Security teams can spend less time chasing false positives and more time strategizing against real threats. See how three of our customers across various industries and regions are leveraging Cortex XSOAR. They transform their security operations from a constant state of firefighting into a strategic tool that anticipates and neutralizes threats before they escalate.
Unifying Security Operations with Cortex XSOAR
Cortex XSOAR simplifies security operations by unifying automation, case management, real-time collaboration and threat intelligence management. This integrated approach allows security teams to manage alerts across all sources, standardize processes with playbooks, take action on threat intelligence, and automate response for virtually any use case.
Customer Story #1 — BCA: Standardizing Security Response and Boosting Efficiency
PT Bank Central Asia Tbk (BCA), Indonesia's largest lender by market value, faced significant challenges with multiple security tools and manual processes. Like many large organizations, BCA's security team was grappling with a multitude of security tools, each with its own set of guidelines and configurations. This fragmented approach led to inefficiencies, increased the potential for human error, and hindered the team's ability to respond quickly to threats. Hans Christianto, AVP of IT Security at BCA, explained their predicament:
"We did not have a standardized method for security response, as we had multiple tools from various brands. We needed to integrate these numerous solutions and use automation to achieve our goal of faster detection and response capabilities."
By deploying XSOAR, BCA achieved significant improvements across multiple areas:
- Automated 30,000 out of 740,000 security tickets handled in 2023, reducing the manual workload for the SOC team.
- Developed and deployed 85 custom playbooks, streamlining security processes and enhancing operational efficiency.
- Decreased incident response times by replacing limited Java-based scripts with comprehensive war room capabilities, improving both mean time to detect (MTTD) and mean time to respond (MTTR).
BCA's implementation aligned with best practices for security automation:
- Starting Simple – BCA began by focusing on integrating their existing security tools and automating repetitive tasks. This approach allowed them to achieve quick wins and demonstrate the value of automation to their organization.
- Gradual Implementation – Following the "crawl-walk-run" approach, BCA steadily expanded their use of XSOAR, developing and customizing playbooks to suit their stakeholders’ specific needs.
- Leveraging Prebuilt Content – BCA took advantage of XSOAR's extensive library of prebuilt integrations and playbooks, which helped accelerate their automation journey.
- Standardizing Processes – Created consistent, repeatable workflows for incident response, improving efficiency and reducing errors.
Lily Wongso, EVP of IT Security at BCA, highlighted the platform's comprehensive capabilities: "Cortex XSOAR marries threat intelligence with SOAR, providing us with extensive threat intelligence capabilities and complete control over threat data management."
Customer Story #2 — State of North Dakota: Automation Helps Staff Scale
The State of North Dakota Information Technology (NDIT) faced the monumental task of scaling security from 20,000 endpoints to 250,000 while maintaining their current staffing levels and budget. They also needed to unify over 600 state entities, each with its own siloed security tooling and unique processes. Their objectives were clear and without automation, seemingly impossible to achieve.
By implementing Cortex XSOAR, NDIT achieved remarkable results:
- 57% reduction in false positives for phishing incidents, leading to 21,000 fewer incidents a year.
- Automated 60% of total incidents with the help of 196 playbooks.
- Achieved operational efficiencies equivalent to 8-10 SOC analysts.
These impressive outcomes were the result of a well-planned, strategic approach to implementing Cortex XSOAR. Let's delve into the key elements of NDIT's implementation strategy that drove their success:
Starting with Core Integrations: NDIT began by integrating XSOAR with their most critical security tools. This allowed them to immediately address the challenge of unifying the disparate security systems across state entities.
Scalable Automation: To meet their ambitious scaling goals, NDIT focused on creating scalable automation workflows. They started with high-volume, low-complexity tasks to quickly demonstrate the value of automation.
Leveraging Threat Intelligence: NDIT took advantage of XSOAR's threat intelligence capabilities to enhance their detection and response times, contributing to their dramatic improvement in identifying true positives.
Standardizing Across Entities: With XSOAR, NDIT created standardized playbooks that could be applied statewide. This not only improved efficiency but also ensured consistent security practices across all entities.
These strategic implementations allowed NDIT to efficiently manage their expanded security responsibilities, showcasing the power of automation in improving large-scale security operations.
We had a vision to build, manage and maintain the best state cyber operations center in the United States. Working with Palo Alto Networks, we’ve been able to bring that forward.
—Michael Gregg, chief information security officer North Dakota IT
Customer Story #3 – Playtika: Transforming Incident Response and Resource Allocation
Playtika, a leading global gaming company, struggled with limited visibility and delayed incident response times. Liran Sheinbox, Head of Cyber Security at Playtika, described their goal: "We wanted a consistent, holistic approach to cybersecurity, using modern technologies, like AI and automation to efficiently safeguard the organization."
To achieve this vision, Playtika implemented a similar approach with Cortex XSOAR:
Focused Use Case Implementation – Playtika began their XSOAR journey by targeting their most pressing challenge: phishing responses. This allowed them to quickly demonstrate value and gain buy-in for further automation initiatives.
Gradual Expansion of Automation – Following initial successes, Playtika steadily expanded their use of XSOAR. This measured approach allowed them to refine their processes and adapt to the new workflow.
Customizing for Gaming-Specific Needs – Playtika leveraged XSOAR's flexibility to create custom playbooks tailored to the unique security challenges of the gaming industry, integrating with their game analytics and performance marketing tools.
Empowering Analysts with a Chatbot – In an innovative move, Playtika implemented the XSOAR chatbot to assist analysts, providing guided assistance for various security tasks and facilitating team upskilling.
This strategic implementation yielded impressive results, upleveling Playtika's security operations:
- Reduced mean time to respond (MTTR) from 3.5 hours to 45 minutes.
- Automated 50% of average daily incidents within six months.
- Achieved an estimated 15% time savings for analysts through the Cortex XSOAR chatbot.
The impact of these improvements was substantial, as Sheinbox emphasized: "Without Cortex XSOAR, we'd need twice the number of people we have now to manage events."
By leveraging Cortex XSOAR's capabilities, Playtika not only enhanced their security posture but also optimized resource allocation, allowing their team to focus on more strategic initiatives while maintaining robust incident response capabilities.
Automating Phishing Response
Across these organizations, one of the most impactful use cases for Cortex XSOAR has been automating phishing responses. BCA, for example, developed a playbook that parses information from reported phishing emails, checks against threat intelligence, and responds accordingly. It even blocks incidents on their Palo Alto Networks firewall if necessary.
Playtika also highlighted their phishing response playbook as their most frequently used automation. This playbook handles specific cases and automates the entire process, allowing analysts to mitigate incidents with a single click.
Proactive Integrated Threat Intelligence
Cortex XSOAR's ability to ingest and act on threat intelligence has been a game-changer for many organizations. BCA leveraged this capability to automate the detection of anomalies within their threat intelligence database. Christianto explained, "By integrating this data with our internal systems, we are able to identify and promptly block any malicious activities, thereby providing a robust safeguard against potential threats."
This proactive approach to threat intelligence has allowed organizations to stay ahead of potential threats, reducing the risk of successful attacks.
Shifting Left — Integrating Security Earlier in the Development Lifecycle
For organizations like Playtika that develop their own software, Cortex XSOAR's integration with other Palo Alto Networks products, like Prisma Cloud, has enabled a "shift left" approach to security. This means incorporating security testing earlier in the development lifecycle, leading to faster and safer software development.
Sheinbox emphasized the importance of this approach, "I'm a shift-left guy. With Palo Alto Networks Prisma Cloud, we can mitigate vulnerabilities earlier in the development lifecycle. This in turn helps us create exciting, compliant video games more quickly and at lower risk."
Upskilling Security Teams
An often-overlooked benefit of implementing SOAR solutions, like Cortex XSOAR, is the opportunity for security team upskilling. By automating routine tasks, analysts have more time to focus on complex problems and continuous learning.
BCA noted that their analysts are being upskilled on an ongoing basis, with the latest automation processes through the use of the XSOAR war room and communication between team members. This addresses the common challenge of skill shortages in the cybersecurity industry.
Automation Fuels the Future of Security Operations
With Cortex XSOAR, automation takes center stage to revolutionize security operations, dramatically reducing response times, minimizing human error and empowering security teams to focus on strategic initiatives rather than repetitive tasks. This intelligent automation not only streamlines workflows but also enhances threat detection capabilities, enables consistent execution of security protocols, and provides scalability to handle the ever-increasing volume of security alerts without proportionally increasing staff.
Regardless of industry or size, SecOps teams can leverage automation to improve efficiencies and strengthen their security posture.
The experiences of BCA, the State of North Dakota and Playtika demonstrate the transformative power of Cortex XSOAR in modern security operations. By unifying security functions, increasing automation capabilities and centralizing incident management, organizations can significantly enhance their security posture while improving operational efficiency.
These implementation strategies underscore several key principles for successful XSOAR deployments:
- Start with clear objectives and focus on areas where automation can provide the most significant impact.
- Leverage prebuilt content while also customizing for industry-specific needs.
- Customize playbooks to fit your organization's unique requirements.
- Invest in training to ensure your team can leverage the full potential of your SOAR platform.
- Continuously review and refine your automated processes to stay ahead of evolving threats.
- Start with high-impact, achievable goals to demonstrate value quickly.
- Gradually expand automation capabilities, allowing teams to adapt and learn.
- Focus on standardizing processes to improve efficiency and consistency.
- Think creatively about how to use XSOAR's features to address unique organizational challenges beyond the SOC.
As cyberthreats become increasingly sophisticated, the adoption of advanced SOAR platforms, like Cortex XSOAR, is no longer just an option; it's a necessity for organizations seeking to stay ahead in the cybersecurity race. By embracing automation and orchestration, security teams can not only keep pace with the growing volume of alerts but also preemptively defend against emerging threats, allowing them to focus on strategic initiatives that drive business value.
Don’t Just Take Our Word for It. See What the Experts Are Saying
See why KuppingerCole has once again ranked Cortex XSOAR as the Overall Leader in their 2024 SOAR Leadership Compass. Download the SANS product review on Cortex XSOAR.