
About the Client

  • One of the top 20 largest airlines globally

  • Multi award-winning airline

  • 85 years of operation and a fleet of more than 400 aircraft

  • Serving more than 220 destinations on six continents

  • Carrying more than 50 million passengers a year


Security Situation

  • Small in-house security team
  • MSSPs too expensive, provided little value
  • SIEM alerts lacked context
  • Too much time spent on alerts and false positives

Challenges

The small security operations team for a major national airline was stretched thin and suffering from alert fatigue trying to keep up with cyberthreats. While they had a robust security stack and consolidated events in their SIEM, the alerts lacked important context, requiring time-consuming manual follow-up.

The in-house team was supplemented with an MSSP, but the service provider bombarded them with too many alerts, including far too many false positives, and didn't provide analysis or context on security events.

While the team needed help, they wanted to build on their existing security stack while consolidating alerts and automating incident response.

Solution

The initial use case was continuous security checks on threat bulletins from Anomali. Evaluating and acting on each threat manually was time-consuming and cumbersome. Instead, LogicHub automatically parses relevant threat bulletins, uses grep-style pattern matching to pull out the CVE identifiers they reference, submits the results to Randori for attack profiling, and automates incident response and case management.
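The "grep for CVEs" step above is the part of the playbook a practitioner is most likely to reimplement, so here is an added example of it in Python. This is illustrative code written for this page, not LogicHub's playbook or the Randori integration; the sample bulletin text and the set of already-handled CVEs are constructed. It shows the two things a naive grep gets wrong: identifiers written in lower case are missed, and the same CVE mentioned several times produces duplicate work. It also drops matches with an impossible year, which is an assumption (the CVE programme's first year is 1999) used here as a cheap false-positive filter.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# CVE identifier syntax: "CVE-" + 4-digit year + "-" + 4 or more digits.
# IGNORECASE catches bulletins that write "cve-2021-45046"; \b stops a match
# starting mid-token; the greedy \d{4,} takes the whole sequence number, so
# CVE-2021-44228 is never truncated to CVE-2021-4422.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)

# Assumption: no CVE ID carries a year earlier than 1999 (the programme's first year).
MIN_CVE_YEAR = 1999


def extract_cves(text: str) -> List[str]:
    """Return the distinct, upper-cased CVE IDs in text, sorted by year then sequence."""
    seen: Set[Tuple[int, int]] = set()
    for m in CVE_RE.finditer(text):
        year, seq = int(m.group(1)), int(m.group(2))
        if year < MIN_CVE_YEAR:
            continue  # looks like a CVE but cannot be one: treat as a grep false positive
        seen.add((year, seq))
    # :04d keeps the 4-digit minimum for low sequence numbers (CVE-1999-0001).
    return [f"CVE-{y}-{s:04d}" for y, s in sorted(seen)]


def triage_bulletin(bulletin: str, handled: Iterable[str]) -> Dict[str, List[str]]:
    """Split a bulletin's CVEs into ones already in case management and ones that
    still need follow-up (for example, submission to an attack-profiling tool)."""
    handled_set = {h.upper() for h in handled}
    cves = extract_cves(bulletin)
    return {
        "all": cves,
        "new": [c for c in cves if c not in handled_set],
        "handled": [c for c in cves if c in handled_set],
    }


# Constructed sample bulletin; not an actual Anomali bulletin.
SAMPLE_BULLETIN = """
Threat bulletin 2021-12-14 (constructed example)
Active exploitation of Log4Shell, CVE-2021-44228, continues. A follow-on issue,
cve-2021-45046, was published shortly afterwards. CVE-2021-44228 is also tracked
under several vendor advisories. Unrelated: Spring4Shell, CVE-2022-22965.
Reference text mentions CVE-1998-0001, which is not a valid CVE year.
"""

# Constructed: CVEs the team has already actioned in case management.
ALREADY_HANDLED = {"CVE-2021-44228"}

if __name__ == "__main__":
    result = triage_bulletin(SAMPLE_BULLETIN, ALREADY_HANDLED)
    for bucket, ids in result.items():
        print(f"{bucket}: {', '.join(ids) or '(none)'}")
```

On the constructed bulletin the three genuine CVEs come out once each in canonical form, the lower-case mention is normalised, the duplicate is collapsed, and the 1998 identifier is discarded; only the two CVEs not already handled would be passed on to the next playbook step.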

Working in close collaboration with LogicHub experts, the security team developed custom playbooks to automate all steps without human interaction.

Subsequent playbooks have been developed for a wide range of use cases including vulnerability checks, threat hunting, reconnaissance validation, detecting malicious website traffic, stopping credential-based attacks, and reviewing threat bulletins.



Results

  • Initial use case was running in under two weeks, immediately reducing the false positive rate by 75%
  • LogicHub triages all L1/L2 alerts, saving over 40 hours per week (1 FTE)
  • Dramatic improvement in accuracy and faster response time (lower MTTR)
  • Replaced legacy MSSP with significant cost savings
  • Close collaboration with LogicHub experts on playbooks
  • Rapid incident response with one-click automation

Why LogicHub

  • Out-of-the-box integration with Anomali, QRadar, Randori, and other key security tools
  • Decision Automation capturing analyst expertise while automating detection and response
  • Dramatically better speed and accuracy than manual processes
  • Close collaboration with LogicHub experts on playbooks
  • Rapid time-to-value for the initial use case and a wide range of subsequent ones

Similar case studies

Automatically Quarantining Infected Hosts
Quarantine infected host automatically or with one-click authorization.
Automating EDR Alert Triage
Automatically analyze, investigate and triage EDR events and alerts at scale.
Automating Phishing Triage
Automatic analysis, detection and triage of potential phishing attempts.
Automating SIEM Alert Triage
Automatically analyze, investigate and triage SIEM events and alerts at scale.
Detecting and Disabling Compromised Credentials
Automatically detect and disable compromised user and admin credentials.
Detecting Exposed AWS Keys
Find and disable AWS keys that have been inadvertently exposed.
Hunting for Insider Threats
Automatically hunt for and detect insider threats.
Malicious PowerShell Commands
Detect malicious use of PowerShell commands.
Managed O365 Detection and Response
Cloud productivity managed detection and response for O365 users.
Threat Hunting in GitHub
Using automated playbooks to deliver continuous threat hunting.
Using TIP to Automatically Triage Network Events
Using threat intelligence platforms to accurately triage network events.
Managed Detection and Response for G-Suite
Cloud productivity managed detection and response for G-Suite users.
MDR After Hours Incident Response
Managed detection and response for after hours threat protection.
Respond to User Reported Incident
Automate incident response to issues reported by users.
Automating Threat Hunting in AWS CloudTrail Logs
LogicHub has developed a playbook to hunt for risks in AWS CloudTrail logs. It runs seven investigations in parallel to identify risks within the CloudTrail logs.
Automating Threat Hunting in Web Proxy Logs
By running the LogicHub Playbook for Web Proxy Threat Hunting, Security Operations Centers (SOCs) can discover surreptitious communications with remote Command and Control (C2) applications that play an integral part in security attacks.
Automating Threat Intelligence Searches
One of the many use cases that LogicHub customers have implemented and benefited from is automating the search of their environment for Indicators of Compromise (IOCs) distributed by various third-party sources.
Monitoring Files Written to USB
LogicHub customers have implemented and benefited from automating the monitoring of users writing files to external USB drives.