Automating With Splunk Phantom: How Norlys Does It

Some tasks are better off automated. Paying bills on time? Automated payments. Orchestrating a coordinated response to security alerts and triaging security events? There’s Splunk Phantom for that. Monotonous tasks, in our work and personal lives, should and can be automated in order to free up time and energy to focus on the things that matter. 

One organization that has embraced automation is Norlys, Denmark’s largest power, utility and telecommunications company servicing 1.5 million customers. They turned to Splunk Phantom, Splunk’s security orchestration, automation and response (SOAR) technology, to automate manual workflows, repetitive tasks and difficult-to-maintain processes. As a result, Splunk Phantom has helped the Norlys team save 35 hours per week. Processes that once took 30 minutes to complete manually now take a mere 30 seconds.

Norlys Uses Automation to Accelerate and Simplify Their Security Operations in These Five Ways:

1. Forwarding notables from Splunk Enterprise Security to Splunk Phantom: By forwarding notables from your SIEM to your automation platform, the security team can centralize (and easily automate) post-alert enrichment, threat hunting and containment. For Norlys, forwarding notables manually can take three minutes per event. The Norlys team performs this action 50 times a week. Using automation, this action takes two seconds instead of three minutes, saving the team 2.5 hours per week while reducing mean time to detect (MTTD).

2. Investigating antivirus (AV) alerts: Manually reviewing an antivirus alert is tedious and time-consuming;- it takes Norlys about 40 minutes per investigation. By automating the investigation of AV alerts, the process takes approximately 10 minutes per alert, without the need for human interaction. The automated action collects information immediately after the event occurs, reducing forensic data loss and mean time to respond (MTTR).

3. Investigating IOCs from a threat feed: Investigating indicators of compromise (IoCs) from a threat feed can take the Norlys team 15 minutes per event, if performed manually. For instance, if investigating IP reputation, the team may need to cross reference IP intelligence, query for related IPs and eventually add the IP to a block list (among other tasks). By automating these actions using Splunk Phantom, Norlys has transformed a 15-minute exercise into a 10-second exercise. 

4. Obtain browser history and other important artifacts from an endpoint: Manually obtaining artifacts from an endpoint during an investigation takes time, effort and countless clicks from the UI of your endpoint security technology (EDR or EPP). Furthermore, this workflow can be messy and prone to error. It took Norlys 30 minutes on average to perform this task manually. Using Splunk Phantom automation, it now takes 20 seconds.

5. Opening tickets in external systems: Manually opening tickets is one of the main causes of analyst burnout in a high-volume alert environment. In some cases where the security alert is ambiguous, an analyst can choose not to open a ticket simply because of the inconvenience. By automating this process, Norlys reduced the time to open tickets from 10 minutes to 10 seconds. 

Want to dig deeper to see how Norlys achieved these results using automated playbooks? Check out our webinar, “The Top 5 Boring Tasks Every Security Team Should Automate,” to see how automated playbooks can revolutionize your security operations. 

----------------------------------------------------
Thanks!
Olivia Courtney