Security teams in just about every industry today are inundated with threats and alerts—but for those in the financial industry, the numbers are exponentially higher. Security orchestration, automation, and response (SOAR) solutions like Rapid7 InsightConnect can help the financial sector stay on top of issues, rather than be buried by them, by accelerating processes for speed and efficiency.
InsightConnect helps security teams strategically build their workflows and processes so they can shave hours—or even days—of time off their workload every single week. We spoke with Michael Cochran, security analyst for financial holdings company Hilltop Holdings, about his experience using InsightConnect and the time savings his organization has experienced. Here are the highlights:
Q: What makes it difficult for a security analyst in the financial sector?
A: This space gets targeted a lot because we process and store people’s financial and personally identifiable information. From data theft to wire fraud, we are constantly targeted and on any given day can receive hundreds of phishing emails.
Q: Were you automating any processes prior to using InsightConnect, and what are you automating now?
A: Prior to using InsightConnect, we weren’t automating anything. It was all manual step-by-step processes that took quite a bit of time to do.
The first step we automated was our phishing triage workflow. This requires data enrichment and then an investigation of URLs and file attachments. To do these steps manually involves taking everything out of the email, sending it to a bunch of different sites, and validating whether it’s malicious or not. Using InsightConnect’s phishing workflow, these steps are automatically running for us in the background.
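As an added illustration of the triage steps described above (not Hilltop's workflow and not InsightConnect code), the following Python pulls the URLs and attachment hashes out of a reported email and scores them against a reputation table. The email and the reputation entries are constructed sample data; in a real workflow the table lookups would be calls to the external enrichment services the answer mentions.

```python
import email
import hashlib
import re
from email import policy
from urllib.parse import urlsplit

# Constructed sample message standing in for a user-reported phishing email.
RAW_EMAIL = b"""From: payroll@example.net
To: user@example.com
Subject: Updated payroll form
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please review https://intranet.example.com/hr and http://login-verify.example.org/update
--b1
Content-Type: application/octet-stream; name="form.bin"
Content-Disposition: attachment; filename="form.bin"
Content-Transfer-Encoding: base64

SGVsbG8gV29ybGQ=
--b1--
"""

# Constructed stand-ins for the reputation services an analyst would query by hand.
URL_REPUTATION = {"login-verify.example.org": "malicious"}
HASH_REPUTATION = {hashlib.sha256(b"Hello World").hexdigest(): "malicious"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def triage(raw: bytes) -> dict:
    """Extract indicators from a raw email, enrich them, and return a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    urls, attachments = [], []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            digest = hashlib.sha256(part.get_payload(decode=True)).hexdigest()
            attachments.append((part.get_filename(), digest, HASH_REPUTATION.get(digest, "unknown")))
        elif part.get_content_type() == "text/plain":
            for url in URL_RE.findall(part.get_content()):
                host = urlsplit(url).hostname or ""
                urls.append((url, URL_REPUTATION.get(host, "unknown")))
    scores = [v for _, v in urls] + [v for _, _, v in attachments]
    # Anything known-bad is malicious; unknown indicators are left for an analyst decision.
    verdict = "malicious" if "malicious" in scores else ("needs_review" if "unknown" in scores else "clean")
    return {"subject": msg["subject"], "urls": urls, "attachments": attachments, "verdict": verdict,
            "block_urls": [u for u, v in urls if v == "malicious"]}
```

The `block_urls` entry is the list a downstream step would hand to a firewall or proxy blocklist; `needs_review` is the queue the analyst still looks at.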
Q: How many hours a week was spent triaging prior to InsightConnect, and how much time today are you spending?
A: Before we automated the phishing workflow with InsightConnect, it was a full-time job for one of our team members. Whoever was tasked with phishing investigations that day, that was all they did from the time they got in the office until the time they left. We typically receive a couple hundred potential phishing emails a day and had to go through each one manually to review and inspect for malicious links or attachments.
After we implemented the workflow from InsightConnect, it drastically reduced the time we spend manually handling phishing emails. It went from being an all-day thing to now opening InsightConnect and looking at the results to see which ones need a decision to be made. The time spent on phishing went from hours down to minutes.
Q: What have you and your team learned from building automation workflows?
A: In building these workflows, we’ve learned to take a step back to look at what we were actually doing so we could build out a whole procedure instead of everyone on our team doing it their own way. We thought we had a good process, but as we started to build it out within InsightConnect, it turned out to be a big ugly workflow that didn’t work. So, we went in and moved things around to make them flow logically from step A to B to C, and so on. It was really helpful to have a solid base plan to work from.
Q: As an early adopter of security orchestration and automation, what advice do you have for teams considering implementing a SOAR solution?
A: It does require some work upfront to get the workflows up and running, depending on what you’re doing, but it’s very worthwhile and is some of the most fun I’ve had in my job. Rapid7 has been extremely helpful to us in the process—whenever we had an issue, they got right on the phone with us, even late at night, to help us work through it. Whenever we needed something new, within days they were able to either create it for us or find a way to make it happen. There hasn’t been anything I’ve asked Rapid7 for that they haven’t stepped up and created a solution for. It’s been a really awesome relationship with them.
Q: What are some other SOAR use cases you’re looking into?
A: Some other workflows we’re looking to build out with InsightConnect are with other Rapid7 tools we use. We’d like to further build out our remediation and response workflows so that when we receive an alert from InsightIDR, Rapid7’s incident detection and response solution, about unauthorized access to an account, a workflow triggers and shuts down that account. This would save us time from having to create a ticket for someone in IT who can do it and waiting on a response. This integration would shut down the account right then and there.
We’re also looking into automating auto-blocking on firewalls. When our phishing workflow finds a URL we deem bad, we want to have another workflow to then take that URL and send it to our firewalls so that if anyone in our company clicks it, they’re not going anywhere.
Learn more about Rapid7 InsightConnect
Looking to achieve the same type of automation success as Hilltop Holdings? InsightConnect helps accelerate and streamline time-intensive processes by connecting your tools together so that each tool is used to its maximum potential. Connecting the dots between solutions better informs your security teams and enriches your data and security alerts, leading to major improvements in operational efficiency.