After building their own log analytics and incident response capabilities, the Norlys team faced a range of challenges, from repetitive tasks and too many tools to slow web UIs and cumbersome processes.
With the Splunk platform, Norlys has integrated threat intelligence, automated repetitive tasks and centralized investigations for faster response times and more productive employees.
As Denmark’s largest power, utility and telecommunications company servicing 1.5 million customers, Norlys understands the need for fast response to security alerts. Since they didn’t have incident response or security capabilities when the security department was formed, the Norlys team built their own log analytics and incident response capabilities from the ground up.
This homegrown approach presented challenges, from manual workflows, repetitive tasks and too many tools to a lack of context, slow web UIs and difficult-to-maintain processes. To solve these problems, Norlys turned to Splunk, choosing Splunk Enterprise Security (ES) as its SIEM tool and Phantom as its security orchestration, automation and response (SOAR) platform.
Norlys now combats threats with actionable intelligence, using Splunk ES for everything from threat hunting and feed ingestion to investigation dashboards and correlation searches. “If we have suspicious activity on an endpoint, we go to that specific dashboard in ES and can see all of the movements,” says Tibor Földesi, security automation analyst at Norlys. “I just enter the hostname for a single machine, and I can see all of the endpoint response logs. ES lets you see everything going on in your environment to find the bad guys.”
To maximize its investment, Norlys receives support from Splunk Professional Services. “If we are unable to do something the best way we think possible, we reach out to the Splunk Professional Services team. Professional Services are really key to success,” says Földesi. “With Professional Services, we learned that we could get immediate value out of ES and Phantom by automating opening tickets between systems. I don't want to open tickets every day, and now I don’t have to.”
Thanks to the automation and orchestration of Splunk Phantom, Norlys now solves security problems faster.
With Phantom, Földesi first created a specific playbook for responding to an antivirus alert. Upon receipt of the alert, the Phantom playbook automatically triggers an endpoint detection and response (EDR) tool to analyze the endpoint for suspicious activity, retrieve the quarantined file, submit it to a malware sandbox for detonation and analysis, and then generate a report for the security analyst. Before this playbook was created, Norlys encountered these alerts many times a day, each of which demanded the team’s time and attention.
“This is a very advanced playbook,” says Földesi. “A hundred percent of the investigation is automatic, and no human interaction is needed. I used to do this part manually before, but with Phantom, I only have to step in at the end of the analysis and make an educated decision about what actions to take.”
The Norlys security team operates on a simple rule: if something is annoying, automate it. As a result, the team uses 20 different playbooks every day to save time and money. “Phantom saves us 35 hours per week — about five hours per day. We can now finally focus on the important tasks,” says Földesi.
With Splunk implemented in day-to-day workflows, Norlys security analysts have been able to better protect their organization. “Automation is changing how teams traditionally use a SIEM,” says Földesi. “We heavily rely on Phantom and Enterprise Security. They complement each other in a very good way and allow us to improve security capabilities for the entire company.”