Without integrated security tools, McGraw Hill was manually responding to thousands of malicious emails every day, which slowed MTTR and increased the possibility of a successful attack or infiltration.
By increasing automation with Splunk Phantom, McGraw Hill has achieved faster response times, centralized investigations and event management, increased ROI and accelerated productivity.
As a learning sciences company, McGraw Hill provides customized educational content, software and services for pre-school through postgraduate education. The organization also has a large digital products group that develops learning sciences platforms. McGraw Hill currently operates in 28 countries, has more than 5,000 employees globally, and offers products and services to over 135 countries in 60+ languages.
Because they provide an essential product globally, it is critical that the McGraw Hill team do so securely — and they learned how through experience.
“We had an incident when copies of our internal user addresses were released, and we received tons of phish to exploit the situation,” says Jason Mihalow, senior cloud cyber security architect. “When something like this hits, the clock starts.” These incidents were monitored through a simple email inbox, and with few people to monitor this inbox, it was impossible to clear them all. “It's a completely manual process,” says Mihalow. “When you’re targeted by a few of these waves, you come to realize there's no number of people who can solve the problem. Automation is the only solution.”
The Right Tool for the Job
With Phantom, McGraw Hill is able to automate its response to these threats. Now, the McGraw Hill team automatically puts all of these reports into Phantom and pulls them into a container. “A container case management–based system prevents us from having to chase down emails in an inbox,” says Mihalow. “We have everything in a single system, and we know everything's been addressed. We have a record of what happened and what the analyst has done, which has been a generational leap for us.”
Before Phantom, Mihalow says all of this information lived in 10 different tools and completely disparate logs. Consolidating this all into Phantom has been a huge help to the team. “Instead of having to go into other tools and do that blocking there, I've created playbooks that can automatically do that stuff,” says Mihalow. “Analysts now don't have to leave Phantom to respond to the malicious emails.”
This shift has saved McGraw Hill time on training new analysts who join the team. “Phantom has enabled us to consolidate our SOC. Previously, when we hired someone, we had to say, ‘here are your 10 tools and how to use them,’” says Mihalow. “Now, I can abstract all of that and just introduce Phantom. It brought all of our operations into a single place that we can maintain.”
The Phantom Advantage
Since McGraw Hill implemented Phantom, team members have seen a variety of changes in how they handle security. “We have found many use cases for Phantom,” says Mihalow. “In total, we have 40 something playbooks that I've created. We use it for everything.”