One of the world’s largest Fortune 500 engineering firms designs, builds, finances and operates infrastructure assets for transportation, environmental, energy, oil and gas, and water clients in both the private sector and government, in more than 150 countries worldwide. The company’s Global Security Operations Center supports more than 75,000 employees around the globe, including architects, engineers, designers, planners, scientists and management professionals. The SOC is staffed by a small group of 17 security professionals spread across four countries and divided into five teams: SIEM, Monitoring, Incident Response, Intel and Forensics.
After a recent merger and acquisition, the company’s security operations team was overwhelmed with integrating two different ticketing systems and a variety of security point solutions to manage 300 SIEM alerts on average each day or 9,000 alerts per month. The security operations team needed more help triaging incoming alerts and decided to begin researching security operations platforms to orchestrate and automate alert handling and incident response while providing reporting and compliance capabilities around time to containment and remediation.
Syncurity’s IR-Flow security operations platform was selected because it was purpose-built by security analysts, for security analysts, rather than being an IT help desk tool. IR-Flow allowed analysts to separate alerts from incidents in a unified triage queue instead of a shared, color-coded Outlook inbox that led to duplicate tickets. Alerts were automatically enriched with relevant context from security tools, without opening multiple browser tabs, copying and pasting information or running command line queries. Analysts could easily improve the consistency of operations by escalating critical alerts, attaching historical notes and assigning tickets to the incident response team.
IR-Flow allowed the security operations team to significantly improve efficiency, reduce alert dwell time and process more alerts in less time. Security analysts were able to create custom triage checklists and incident response playbooks within IR-Flow, based on defined processes, which allowed new team members to get up to speed quickly without extensive training or referencing paper manuals. Unlike other security tools, IR-Flow serves as a security system of record, capturing all events, actions and timestamps, which allows SOC managers to formally review incident timelines, measure analyst performance and report on key metrics.
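The two mechanisms the case study leans on, a triage queue that folds duplicate alerts into a single incident with automatic enrichment, and a timestamped system of record from which dwell time and time to containment are reported, can be illustrated with a small model. The following is an added example written for this page; it is not Syncurity's IR-Flow code and does not reflect its data model. The dedup key (same detection rule on the same host), the asset inventory, the HR lookup and the sample alerts are all constructed assumptions.

```python
"""Toy alert-triage queue: dedup alerts into incidents, enrich, record a timeline,
and derive dwell-time / time-to-containment metrics from the recorded timestamps.
Added example, not vendor code. All data below is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, Iterable, List, Optional, Tuple


@dataclass
class Alert:
    alert_id: str
    rule: str        # detection rule that fired in the SIEM
    host: str
    user: str
    fired_at: datetime


@dataclass
class Incident:
    incident_id: str
    dedup_key: Tuple[str, str]
    alerts: List[Alert] = field(default_factory=list)
    enrichment: Dict[str, str] = field(default_factory=dict)
    timeline: List[Tuple[datetime, str, str]] = field(default_factory=list)  # (when, actor, action)
    contained_at: Optional[datetime] = None

    def record(self, when: datetime, actor: str, action: str) -> None:
        """Every action is appended with a timestamp; nothing is overwritten."""
        self.timeline.append((when, actor, action))


# Constructed lookup tables standing in for CMDB / HR enrichment sources.
ASSET_INVENTORY = {"srv-01": {"owner": "platform team", "criticality": "high"},
                   "wks-42": {"owner": "a.smith", "criticality": "low"}}
USER_DIRECTORY = {"jdoe": "finance", "asmith": "engineering"}


def enrich_from_inventory(alert: Alert) -> Dict[str, str]:
    """Attach context an analyst would otherwise look up by hand (assumed sources)."""
    asset = ASSET_INVENTORY.get(alert.host, {})
    return {"owner": asset.get("owner", "unknown"),
            "criticality": asset.get("criticality", "unknown"),
            "department": USER_DIRECTORY.get(alert.user, "unknown")}


class TriageQueue:
    def __init__(self, enrich: Callable[[Alert], Dict[str, str]]):
        self.enrich = enrich
        self.incidents: Dict[Tuple[str, str], Incident] = {}
        self._counter = 0

    def ingest(self, alert: Alert) -> Incident:
        # Assumed dedup rule: same detection rule on the same host => same incident.
        key = (alert.rule, alert.host)
        inc = self.incidents.get(key)
        if inc is None:
            self._counter += 1
            inc = Incident(f"INC-{self._counter:04d}", key, enrichment=self.enrich(alert))
            inc.record(alert.fired_at, "system", f"opened from alert {alert.alert_id}")
            self.incidents[key] = inc
        else:
            inc.record(alert.fired_at, "system", f"merged duplicate alert {alert.alert_id}")
        inc.alerts.append(alert)
        return inc

    def contain(self, inc: Incident, analyst: str, when: datetime) -> None:
        inc.contained_at = when
        inc.record(when, analyst, "contained")


def first_alert_time(inc: Incident) -> datetime:
    return min(a.fired_at for a in inc.alerts)


def time_to_containment_minutes(inc: Incident) -> Optional[float]:
    """Minutes from first alert to containment, or None if still open."""
    if inc.contained_at is None:
        return None
    return (inc.contained_at - first_alert_time(inc)).total_seconds() / 60


def dwell_minutes(inc: Incident, now: datetime) -> float:
    """Minutes the incident has been (or was) open since its first alert."""
    end = inc.contained_at or now
    return (end - first_alert_time(inc)).total_seconds() / 60


def mean_time_to_containment_minutes(incidents: Iterable[Incident]) -> Optional[float]:
    values = [v for v in (time_to_containment_minutes(i) for i in incidents) if v is not None]
    return sum(values) / len(values) if values else None


def build_demo() -> Tuple[TriageQueue, datetime]:
    """Constructed scenario: two duplicate brute-force alerts plus one malware alert."""
    t0 = datetime(2024, 1, 1, 9, 0)
    q = TriageQueue(enrich_from_inventory)
    q.ingest(Alert("A-1", "brute-force-login", "srv-01", "jdoe", t0))
    q.ingest(Alert("A-2", "brute-force-login", "srv-01", "jdoe", t0 + timedelta(minutes=5)))
    q.ingest(Alert("A-3", "malware-detected", "wks-42", "asmith", t0 + timedelta(minutes=10)))
    q.contain(q.incidents[("brute-force-login", "srv-01")], "analyst-1", t0 + timedelta(minutes=45))
    return q, t0 + timedelta(minutes=60)


if __name__ == "__main__":
    queue, now = build_demo()
    for inc in queue.incidents.values():
        print(inc.incident_id, len(inc.alerts), "alerts", inc.enrichment,
              "ttc:", time_to_containment_minutes(inc), "dwell:", dwell_minutes(inc, now))
    print("mean TTC (min):", mean_time_to_containment_minutes(queue.incidents.values()))
```

Three alerts collapse to two incidents; the duplicate is preserved on the first incident's timeline rather than becoming a second ticket, and because every step carries a timestamp the containment and dwell figures are derived from the record instead of being estimated after the fact.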
“IR-Flow saves my team hours each day. Instead of spending 5-10 minutes copying and pasting data into each ticket, IR-Flow lets us create a ticket with all of the relevant information in a matter of seconds … IR-Flow allows us to handle alert triage and incident response in a way that rivals much larger teams.”
Monitoring Team Lead,
Global Security Operations,
Fortune 500 Engineering Firm