Real-World Cybersecurity Success

Explore Neko Security's Case Studies and see our proven cybersecurity solutions in action. From advanced threat detection to robust security infrastructure design, these stories demonstrate how our specialist team delivers tangible results. Discover how we protect businesses from evolving cyber threats with our expert-led approach.

CLIENT

A Leading Multinational Education Provider, committed to maintaining a strong security posture across its global operations, sought to enhance its Security Operations Center (SOC) efficiency and responsiveness. The organization aimed to leverage Splunk Security Orchestration, Automation and Response (SOAR) to automate key aspects of incident investigation and response. This initiative was designed to reduce manual effort, shorten response times, and enable SOC analysts to focus on more complex threats.

CHALLENGE

The Multinational Education Provider needed to overcome several challenges to effectively implement SOC automation:

  • Manual Investigation Overhead: SOC analysts were spending significant time on repetitive, manual tasks for initial incident investigation, such as gathering user details, checking system activity, and performing reputation analysis on indicators of compromise.

  • Delayed Response Times: The manual nature of investigations could lead to delays in responding to security incidents, potentially increasing the window of opportunity for attackers.

  • Integration Complexity: The SOAR solution needed to integrate seamlessly with existing security tools, including Splunk Enterprise Security (ES) for incident generation, Splunk Mission Control for SOC operations, Microsoft 365 components (Azure AD and Windows Defender ATP) for user and endpoint actions, and threat intelligence sources like VirusTotal.

  • Need for Tailored Playbooks: Generic automation would not suffice. The Provider required playbooks specifically designed for common incident types they encountered, such as malware, suspicious account access, email forwarding, and phishing attempts.

  • Phased Automation Adoption: The organization recognized the need for a staged approach to automation, starting with investigative playbooks and gradually introducing automated response actions as confidence and maturity grew.

SOLUTION

Neko Security collaborated with the Education Provider to develop and implement a series of Splunk SOAR playbooks tailored to their specific needs. This involved integrating key security technologies and creating workflows to automate various stages of the incident lifecycle.

STRATEGIC SOAR INTEGRATIONS

To enable comprehensive automation, Neko Security configured several critical Splunk SOAR integrations:

  • Microsoft Graph for Active Directory: Used to interact with Azure AD for obtaining user account attributes and performing actions like enabling/disabling user accounts.

  • Windows Defender ATP: Integrated to carry out investigative and response actions on endpoints, such as quarantining or unquarantining devices.

  • VirusTotal: Utilized for performing reputation checks on suspicious domains, IPs, and file hashes found in incident details.

  • Splunk Enterprise Security & Mission Control: Leveraged for event ingestion from ES notables and for presenting findings and actions within Mission Control.

DEVELOPMENT OF CUSTOMIZED SOAR PLAYBOOKS

Neko Security developed three categories of playbooks to address different aspects of incident handling:

  • Investigation Playbooks: These master playbooks run automatically when an incident is created in Mission Control. Examples include:

    • Malware Investigation: Performs reputation analysis and searches host and user activity.

    • Access Investigation: Gathers access events for suspicious users.

    • Email Forwarding Investigation: Performs reputation analysis and searches for emails sent to the same recipient.

    • Phishing Investigation: Conducts reputation analysis and searches for other recipients of the same phishing email (distinct from user-reported phishing triage).

  • Enrichment Playbooks: Called by investigation playbooks or run manually by analysts, these gather contextual information. Examples include retrieving Azure AD user details (position, manager, etc.), user activity packages from Splunk, host activity packages, and reputation analysis for domains/IPs/hashes.

  • Response Playbooks: Executed manually by analysts after assessing an incident. These automate remediation actions such as:

    • Creating a ServiceNow ticket.

    • Disabling/Enabling a user in Azure AD (including disabling tokens).

    • Resetting a user's password in Azure AD (including disabling tokens).

    • Quarantining/Unquarantining a device via MS Defender ATP.

These playbooks were designed to present findings automatically to SOC analysts in Mission Control for assessment and resolution, with response templates assigned to respective incident types.
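The three playbook tiers above (investigation, enrichment, response) and the phased-adoption model can be modelled in plain Python. The block below is an added illustration, not Neko Security's or the client's playbook code and not the Splunk SOAR playbook API: the VirusTotal, Azure AD and Splunk data sources are replaced by small constructed tables, the incident types and enrichment steps mirror the case study, and the response playbooks are simulated and refuse to run without an explicit analyst approval, which is the "investigate automatically, respond manually" stance described above.

```python
"""Model of a SOAR-style investigation pipeline (added example, not production code)."""
import re
from dataclasses import dataclass, field

# Constructed stand-ins for the real integrations. None of these values are real
# threat intelligence, directory data or log events.
REPUTATION = {                      # stand-in for VirusTotal verdicts
    "bad.example.test": "malicious",
    "198.51.100.23": "malicious",
    "0123456789abcdef0123456789abcdef": "malicious",
    "updates.example.test": "benign",
}
USERS = {"jdoe": {"position": "Finance Analyst", "manager": "asmith"}}  # Azure AD stand-in
ACTIVITY = [                        # Splunk search stand-in: (user, host, indicator)
    ("jdoe", "LAPTOP-01", "bad.example.test"),
    ("jdoe", "LAPTOP-01", "updates.example.test"),
    ("bking", "LAPTOP-07", "bad.example.test"),
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b")   # SHA-256, SHA-1, MD5
DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")

# Which enrichment steps each investigation playbook runs (from the case study).
PLAYBOOKS = {
    "malware": ("reputation", "host", "user"),
    "access": ("user",),
    "email_forwarding": ("reputation", "related"),
    "phishing": ("reputation", "related"),
}


def extract_indicators(text):
    """Pull IPs, file hashes and domains out of free-text notable fields."""
    low = text.lower()
    return {"ip": set(IPV4.findall(low)), "hash": set(HASH.findall(low)),
            "domain": set(DOMAIN.findall(low))}


# --- enrichment playbooks (each one is a stand-in for a SOAR integration call) ---
def reputation(indicators):
    return {ioc: REPUTATION.get(ioc, "unknown") for kind in indicators for ioc in indicators[kind]}

def user_details(user):
    return USERS.get(user, {})

def user_activity(user):
    return [e for e in ACTIVITY if e[0] == user]

def host_activity(host):
    return [e for e in ACTIVITY if e[1] == host]

def related_activity(indicators):
    """Other users/hosts that touched the same indicators (e.g. other phishing recipients)."""
    iocs = set().union(*indicators.values())
    return [e for e in ACTIVITY if e[2] in iocs]


@dataclass
class Findings:
    incident_type: str
    indicators: dict
    verdicts: dict = field(default_factory=dict)
    user: dict = field(default_factory=dict)
    events: list = field(default_factory=list)
    suggested_responses: list = field(default_factory=list)


def investigate(notable):
    """Master investigation playbook: runs the enrichment steps for the incident type and
    returns findings for the analyst. It only suggests responses, never executes them."""
    kind = notable["type"]
    if kind not in PLAYBOOKS:
        raise ValueError(f"no investigation playbook for incident type {kind!r}")
    f = Findings(kind, extract_indicators(notable.get("description", "")))
    for step in PLAYBOOKS[kind]:
        if step == "reputation":
            f.verdicts = reputation(f.indicators)
        elif step == "user":
            f.user = user_details(notable["user"])
            f.events += user_activity(notable["user"])
        elif step == "host":
            f.events += host_activity(notable["host"])
        elif step == "related":
            f.events += related_activity(f.indicators)
    f.events = sorted(set(f.events))          # host and user searches can overlap
    if any(v == "malicious" for v in f.verdicts.values()):
        f.suggested_responses.append(("quarantine_device", notable.get("host")))
        f.suggested_responses.append(("disable_user", notable.get("user")))
    return f


# --- response playbooks (simulated; real ones would call Defender ATP / Azure AD) ---
RESPONSE_ACTIONS = {
    "quarantine_device": lambda target: f"Defender ATP: isolated {target}",
    "disable_user": lambda target: f"Azure AD: disabled {target} and revoked tokens",
}

def respond(action, target, approved_by=None):
    """Response playbook gate: runs only after an analyst explicitly approves."""
    if not approved_by:
        raise PermissionError(f"{action} on {target} requires analyst approval")
    return RESPONSE_ACTIONS[action](target)


if __name__ == "__main__":
    sample = {"type": "malware", "user": "jdoe", "host": "LAPTOP-01",   # constructed notable
              "description": "Defender alert: LAPTOP-01 fetched 0123456789abcdef0123456789abcdef "
                             "from bad.example.test via 198.51.100.23"}
    print(investigate(sample))
```

The `suggested_responses` list is the hand-off point between the automatic investigation phase and the manual response phase: an analyst reviews the findings in the console and then calls `respond(...)` with their name, which is where a later maturity phase could add an automatic approval for low-risk actions.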

RESULTS & IMPACTS

The implementation of these Splunk SOAR playbooks is designed to deliver significant improvements to the Multinational Education Provider’s SOC capabilities:

  • Reduced Mean Time to Respond (MTTR): Automation of initial investigation and some response actions significantly shortens the time taken to handle security incidents.

  • Increased SOC Efficiency: Automating repetitive tasks frees up SOC analysts to focus on more complex threat analysis, strategic initiatives, and proactive threat hunting.

  • Consistent Incident Handling: SOAR playbooks ensure that a standardized process is followed for each incident type, leading to more consistent and reliable outcomes.

  • Improved Security Posture: Faster and more consistent responses to threats help to minimize the potential impact of security incidents.

  • Enhanced Analyst Experience: By automating mundane tasks and providing enriched data directly within Mission Control, analysts can make quicker, more informed decisions.

  • Scalable Security Operations: Automation allows the SOC to handle a growing volume of alerts without a linear increase in staffing.

  • Foundation for Advanced Automation: This initial phase provides a solid foundation for adding more automated steps and developing more sophisticated playbooks as the organization’s security strategy evolves.

"We are extremely pleased with the outcomes of our collaboration with Neko Security on the implementation of Splunk SOAR. The tailored playbooks have significantly transformed our Security Operations Center's efficiency and effectiveness."

Jack

CTO
