10/01/2023

Challenge
The Bank suffered from a large number of security alerts from different security tools and the anti-fraud system. Even after the implementation of a SIEM system, that number did not decrease significantly. Given the size of the organization, there were so many alerts that it was physically impossible to hire as many analysts as would be needed to cover all the notifications. The approach to prioritizing incidents also had to be reconsidered, as several departments of the Bank were to merge into the Security Operations Centre.
Defensys products
It was a classic PoC project: a playbook for automatic response to one type of incident was designed and implemented. One result of this procedure was a reduction in false positives from security tools.
During the PoC, the Bank's asset model was developed, structured and updated. In fact, it was consolidated in one place from different sources, as each department had previously worked with only a portion of it. As a result, the problem of continuously searching for data on affected devices was completely solved.
Implementation
The PoC project gave the opportunity to create a document for scaling the test results to other types of incidents. So it was only a matter of time before all the incidents registered daily in the Bank were covered.
One of the most important parts of implementing response playbooks was the ability to automatically notify the Central Bank of the country about incidents that had to be reported to the regulator. The Central Bank has its own system for registering such incidents, and Defensys playbooks triggered an automatic API integration with it at specific stages of the investigation. All launch criteria followed the adjusted rules (the criteria included the criticality and type of assets, enrichment data from the customer's banking systems, and others). This was one of the first cases in which a Bank registered incidents with the regulator automatically. All further communication with Central Bank representatives took place directly in the cards of these incidents.
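The gating logic described above, as an added illustration (not Defensys code): a playbook step evaluates hypothetical launch criteria modelled on the ones listed (investigation stage, asset criticality and type, enrichment data) and registers the incident with a stand-in for the regulator's API, idempotently so that re-running the playbook does not file a duplicate report.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Stage(Enum):
    TRIAGE = "triage"
    INVESTIGATION = "investigation"
    CONTAINMENT = "containment"


@dataclass
class Asset:
    name: str
    kind: str          # e.g. "payment-gateway", "workstation" (constructed values)
    criticality: int   # 1 (low) .. 4 (critical)


@dataclass
class Incident:
    id: str
    category: str
    stage: Stage
    assets: List[Asset]
    enrichment: Dict[str, object] = field(default_factory=dict)  # data from banking systems


# Hypothetical launch criteria; a real deployment takes these from the regulator's rules.
REPORTABLE_CATEGORIES = {"fraud", "data-breach", "malware"}
REPORTABLE_ASSET_KINDS = {"payment-gateway", "core-banking", "card-processing"}
MIN_CRITICALITY = 3
TRIGGER_STAGES = {Stage.INVESTIGATION, Stage.CONTAINMENT}


def must_notify_regulator(inc: Incident) -> bool:
    """Return True when the incident meets the (hypothetical) reporting criteria."""
    if inc.stage not in TRIGGER_STAGES or inc.category not in REPORTABLE_CATEGORIES:
        return False
    critical_asset = any(a.kind in REPORTABLE_ASSET_KINDS and a.criticality >= MIN_CRITICALITY
                         for a in inc.assets)
    # Enrichment from the banking side can make a lower-criticality asset reportable.
    return critical_asset or bool(inc.enrichment.get("customer_funds_affected", False))


class RegulatorClient:
    """Stand-in for the regulator's incident registration API (hypothetical)."""
    def __init__(self) -> None:
        self.submitted: Dict[str, str] = {}  # incident id -> registration reference

    def register(self, inc: Incident) -> str:
        if inc.id in self.submitted:          # idempotent: no duplicate filings on re-run
            return self.submitted[inc.id]
        ref = f"REG-{len(self.submitted) + 1:04d}"
        self.submitted[inc.id] = ref
        return ref


def run_playbook(inc: Incident, client: RegulatorClient) -> Optional[str]:
    """Playbook step: register with the regulator only when the criteria are met."""
    return client.register(inc) if must_notify_regulator(inc) else None
```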
Results
The Defensys SOAR drastically reduced the time spent on actions that demand little intellectual effort. Analysts finally had enough time to investigate the really crucial incidents and started thinking about the threat intelligence process in the Bank.
Part of this implemented process was the vulnerability management feature of the solution, which automated collaboration between cybersecurity personnel and their IT colleagues. This took the form of automatically generated patching tickets once the scanning process is completed.
As of the writing of this study, the Bank has already started PoC projects for Defensys TIP and Defensys SENSE.