As Denmark’s largest power, utility and telecommunications company servicing 1.5 million customers, Norlys understands the need for fast response to security alerts. When the company first started, the Norlys security team built their own log analytics and incident response capabilities from the ground up. This homegrown approach presented challenges, including manual workflows, too many repetitive tasks and difficult-to-maintain processes.
Automate with Security Orchestration, Automation and Response
We spoke with Tibor Földesi, security automation analyst at Norlys, to hear why Norlys chose Splunk Enterprise Security (ES) as its SIEM tool, and Phantom as its security orchestration, automation and response (SOAR) platform.
Földesi told us that Splunk Enterprise Security has helped Norlys to combat threats with actionable intelligence.
“If we have suspicious activity on an endpoint, we go to that specific dashboard in ES and can see all of the movements,” says Földesi. “ES lets you see everything going on in your environment to find the bad guys.”
After seeing the benefit of ES — and receiving support from the experts at Splunk Professional Services — Norlys learned they could get even more immediate value out of ES by automating the opening of tickets between systems with Splunk Phantom. With Phantom, Földesi first created a specific playbook for responding to an antivirus alert. Upon receipt of the alert, the Phantom playbook automatically triggers an endpoint detection and response (EDR) tool to analyze the endpoint for suspicious activity, retrieves the quarantined file, submits it to a malware sandbox for detonation and analysis, and then generates a report for the security analyst.
“This capability in Phantom saves us 35 hours per week — about five hours per day,” says Földesi. “In Denmark, that’s almost one full-time employee.”
With Splunk implemented in day-to-day workflows, Norlys security analysts have been able to save time and money, and better protect their organization.
“Automation is changing how teams traditionally use a SIEM,” says Földesi. “We heavily rely on Phantom and Enterprise Security. They complement each other in a very good way and allow us to improve security capabilities for the entire company.”