Through some 350 offices, Banco de Galicia y Buenos Aires S.A. offers loans to a client base primarily of businesses and individuals. It also provides consumer, corporate, investment banking, insurance, and other services. Security is a top priority for this company that relies on the principles of banking responsibly.
With such companies constantly under the threat of getting attacked by phishing, malware, data exfiltration, ransomware, and privilege escalation, the SOC team is overwhelmed with low-level tasks.
Banco Galicia’s security challenge was automating incident response at its SOC. NeoSecure also needed to prepare playbooks to integrate Banco Galicia’s different technologies and perform automated response to incidents.
Banco de Galicia required automation and the possibility to integrate with multiple platforms, plus operative efficiency.
Jointly with our partner, NeoSecure, we carried out a test in which the bank’s platforms were integrated with XSOAR. The customer was able to see XSOAR’s capabilities for simple use cases and the potential to automate more advanced processes, leading to a more efficient SOC.
NeoSecure worked jointly with Palo Alto Networks to do a full implementation. NeoSecure also engaged a sales engineer and a project manager to oversee the correct deployment of XSOAR.
XSOAR is integrated with a variety of solutions, including Arbor, CrowdStrike, Trend Micro, FortiGate, Office 365, as well as content services, such as VirusTotal, BrightCloud, X-Force, and AbuseIPDB, to automate and orchestrate the management of indicators of compromise (IoCs), phishing incidents, DLP, and privilege escalation.
A playbook was defined for a known IoC.
Playbook “Alimentación IoCs”: This playbook will extract IoCs from received emails and then validate if the IoCs are classified as malicious in VirusTotal, X-Force and AbuseIPDB. The playbook will also verify that the IoCs exist in the ecosystem and load them.
Playbook “Detección de Phishing”: This playbook validates if the email message is phishing. It analyzes domains and IP addresses and their reputation. If malicious, they will be blocked in Office 365, CrowdStrike and Apex One.
Playbook “Investigación IoCs”: This playbook searches for and validates that the IoCs are classified as malicious in VirusTotal, X-Force, CrowdStrike and Trend Micro. The IoCs are manually loaded in the war room and could be URLs, IPs, or hashes.
Playbook “DLP”: This playbook automates notifying when there is an email to a help desk alias, searches in Active Directory® for the user’s manager, and then sends a notification via email to the manager and the user.
Playbook “Bloqueo IoCs”: This playbook generates a specific tag so that the necessary IoC blocking tasks can be executed on the defined integrations and consoles.To learn more about Cortex XSOAR, visit https://www.paloaltonetworks.com/cortex/cortex-xsoar.