Telecommunications and technology services
More than 39 million customers
Turkcell was experiencing up to 300 alerts per day across its MSSP service. Each incident was managed manually, with a commensurate delay in the incident closure process. This was impacting customer incident notification service level agreements (SLAs).
Palo Alto Networks Cortex XSOAR
Turkcell is a converged telecommunication and technology services provider headquartered in Turkey. It serves more than 39 million customers with voice, data, TV, and value-added consumer and enterprise services on mobile and fixed networks.
In response to advanced cybersecurity threats and data privacy regulations such as the Turkish KVKK personal data law, Turkcell launched the Cyber Defence Center (CDC). Established seven years ago, the CDC comprises a team of 28 people tasked with planning, analysis, and incident response. Besides securing Turkcell’s internal operations, the CDC supports more than 100 enterprise customers on a fully managed or co-managed MSSP basis.
With more than 550 data sources, the CDC processes eight billion data logs every day. These are first filtered down to three billion and then aggregated into 1.8 billion logs. In all, the eight billion daily logs are filtered, aggregated, and correlated down to 400 million logs, which can result in up to 300 daily alerts requiring action.
Faced with a growing number of MSSP clients and endpoints to manage, the Turkcell CDC needed to automate monitoring. The specific requirements were to:
Turkcell deployed Palo Alto Networks Cortex XSOAR in the CDC to deliver modern, agile security orchestration, automation, and response. The platform unifies alerts and incidents from almost any customer source on a single system for lightning-quick search, query, and investigation.
The initial deployment of Cortex XSOAR took approximately one week.
“The speed of the system is remarkable,” says Cihan Yuceer, Cyber Defence Center Associate Director, Turkcell. “We can automate multiple incident tasks in just a few clicks, such as blocking URLs on a proxy or blocking IPs on a firewall. Using the Cortex XSOAR search tool, our analysts can notify customers immediately and accelerate the investigation process.”
The multitenancy support is also vital in this MSSP scenario. “Customer data is separated into individual hosts and tenants, although we have a single view of every tenant. We can manage alerts whatever the source, take action on threat intelligence, and automate response for any type of customer situation,” says Yuceer. Security information and event management (SIEM) data from MSSP customers is integrated directly into Cortex XSOAR. Yuceer continues, “XSOAR complements SIEM for incident response. Connecting the two supports the selection of the best workflow to respond to the incident. XSOAR automates the execution of the workflows that respond to the incident, significantly reducing our response time.”
Playbook automation is also helping to standardise processes and reduce the mean time to repair (MTTR). “For all incidents, we use one custom playbook,” says Yuceer. “It orchestrates the most critical tasks such as formatting incidents or customer email notifications. We have XSOAR incident reminders and incident closure playbooks as part of the security operations service. Using these playbooks, we are closing the incident handling process without any analyst intervention.”
Cortex XSOAR is transforming the way the Turkcell MSSP service manages customer security. The benefits include: