1. NATIONAL HEALTHCARE PROVIDER
Premise Health manages approximately 600 worksite and nearsite health and wellness centers in the U.S. for some of the nation’s premier corporations, many of them among the Fortune 1000. Formed in 2014 when Take Care Employer Solutions (a Walgreens’ subsidiary) merged with CHS Health Services, Premise Health manages patient-centered medical homes, onsite primary care, occupational health programs, pharmacies, physical therapy centers and laboratories. After the merger, Premise Health’s Chief Information Security Officer centralized security operations functions, which had previously been outsourced, by building an internal Security Operations Center.
The CISO’s objective was to build a robust, scalable security program from the ground up to defend Premise Health’s “crown jewels” — the company’s infrastructure and highly sensitive personal health information (PHI). To safeguard these assets, the company needed to recruit and retain top security talent, integrate multiple security tools and IT ticketing systems, monitor emerging attack surfaces and ensure its new team could keep up with the increasing pace of threats, all while maintaining visibility into the newly expanded security operations function.
Premise Health implemented IR Flow to quickly and efficiently process alerts, manage incidents and improve overall security. Syncurity’s patent-pending Triage Scoring Engine automatically analyzed incoming alerts from any source, generated risk scores for each alert and identified true positives for escalation. IR Flow also allowed Premise to compile existing alert and incident handling procedures into repeatable “playbooks” that helped security analysts standardize incident response workflows and orchestrate investigation, containment and remediation. IR Flow also provided an auditable system of record of all security operations activity for reporting and compliance purposes.
In addition to defending Premise Health’s data and IT assets from ongoing cyber attacks, IR Flow helped security analysts quickly determine whether a threat was targeting a critical asset and prioritize incident response activities according to overall business risk. Syncurity also helped Premise Health demonstrate the effectiveness of its new Security Operations Center, measure the ROI of its security investment and validate its decision to centralize SOC functions internally. IR Flow has also enabled Premise Health to scale its security operations function in support of ongoing M&A expansion as well as other strategic initiatives that continue to drive business growth.
“IR Flow has force multiplied our SOC resources, enabling our team to seamlessly incorporate new data sources with little-to-no impact on analysts’ overall workload. The platform dynamically scores alerts based on our unique risk definitions so we can identify and address the most critical alerts first.”
Joey Johnson, CISO, Premise Health
One of the world’s largest Fortune 500 engineering firms designs, builds, finances and operates infrastructure assets for transportation, environmental, energy, oil and gas, water, private and public-sector government clients in more than 150 countries worldwide. The company’s Global Security Operations Center supports more than 75,000 employees around the globe, including architects, engineers, designers, planners, scientists and management professionals. The SOC is staffed by a small group of 17 security professionals that is spread across four countries worldwide and is divided into five different teams: SIEM, Monitoring, Incident Response, Intel and Forensics.
After a recent merger and acquisition, the company’s security operations team was overwhelmed with integrating two different ticketing systems and a variety of security point solutions to manage an average of 300 SIEM alerts each day, or 9,000 alerts per month. The security operations team needed more help triaging incoming alerts and decided to begin researching security operations platforms to orchestrate and automate alert handling and incident response while providing reporting and compliance capabilities around time to containment and remediation.
Syncurity’s IR Flow security operations platform was selected because it was purpose-built by security analysts, for security analysts, not just an IT help desk tool. IR Flow allowed analysts to separate alerts from incidents in a unified triage queue instead of a shared, color-coded Outlook inbox that led to duplicate tickets. Alerts were automatically enriched with relevant context from security tools, without opening multiple browser tabs, copying and pasting information or running command line queries. Analysts were easily able to improve the consistency of operations by escalating critical alerts, attaching historical notes and assigning tickets to the incident response team.
IR Flow allowed the security operations team to significantly improve efficiency, reduce alert dwell time and process more alerts in a shorter period of time. Security analysts were able to create custom triage checklists and incident response playbooks within IR Flow based on defined processes that allowed new team members to get up to speed quickly without extensive training or referencing paper manuals. Unlike other security tools, IR Flow’s ability to serve as a security system of record and capture all events, actions and timestamps allows SOC Managers to more formally review incident timelines, measure analyst performance and report on key metrics.
“IR Flow saves my team hours each day. Instead of spending 5-10 minutes copying and pasting data into each ticket, IR Flow lets us create a ticket with all of the relevant information in a matter of seconds … IR Flow allows us to handle alert triage and incident response in a way that rivals much larger teams.”
Monitoring Team Lead, Global Security Operations, Fortune 500 Engineering Firm