The State of Louisiana scales security using
AI-driven Cortex XSIAM

SUMMARY

The State of Louisiana’s Office of Technology Services (OTS) provides centralized IT services for 34 agencies and 35,000 users. Its mission includes protecting the state’s more than 300,000 endpoints from threats and safeguarding citizen data.

Like an old, battered levee during a Category 5 hurricane, the state’s outdated firewalls and SIEM were causing frequent network outages, preventing threat visibility, and reducing security reliability. Having racked up $1.3 billion in technical debt, OTS looked to Palo Alto Networks for an integrated security platform to improve efficiencies.

RESULTS

167x

more data ingested into the SIEM per day, from 60 GB to 10 TB

$900 million

reduction in technical debt through modernization efforts

<2 minutes

median time to resolution, down from 24+ hours

CHALLENGES

Replacing an outdated security stack to improve efficiencies and adequately protect citizen data.

  • Lack of visibility: The existing SIEM was not able to ingest events generated by the firewalls. This resulted in near-zero visibility into the network, allowing threats to go undetected.

  • Limited storage capacity: With the SIEM already at capacity, adding more data sources was impossible, which left critical blind spots across its environment.

  • Manual operations: The legacy security systems didn’t allow for meaningful automation, which meant that every alert had to be resolved manually.

  • Daily outages: With out-of-date appliances unable to handle the increasing amount of traffic, the state network would experience almost daily outages of 1–2 hours.

“We didn’t know what we were missing until we saw the capabilities of what XSIAM offered. It’s like removing a grainy film from my eyes, only I didn’t realize the film was there until I looked through the XSIAM lens. The possibilities are endless with these tools together.”

Chase Hymel

CISO, State of Louisiana

SOLUTION

An advanced, integrated security approach for integrated agencies.

In 2016, the State of Louisiana partnered with Palo Alto Networks® to replace and consolidate its legacy firewalls with high-priority Next-Generation Firewalls (NGFWs). OTS installed and configured these across its 26 agencies and experienced immediate performance and visibility improvements. Over the next five years, OTS replaced more than 430 legacy firewalls to protect its branch offices, remote locations, data centers, and more.

During this time, OTS had also shifted its security operations to Cortex XSOAR to improve and automate incident response. As it evolved toward more advanced SOC capabilities, OTS sought to incorporate AI for greater efficiency and to replace its outdated SIEM solution. It became an early adopter of Cortex XSIAM, which is now the foundation of the State of Louisiana’s security platform and enables the security operations team to prevent and respond to threats more efficiently and effectively. The advanced capabilities of XSIAM allowed OTS to combine its SIEM, security orchestration, automation, and response (SOAR), extended detection and response (XDR), attack surface management (ASM), and threat intelligence needs into one integrated platform. Also critically important, its 200+ XSOAR playbooks were not only seamlessly integrated into XSIAM, but they were also automatically updated with ongoing learnings and rules.

The Panorama network security management tool was deployed to collect logs and events from the various firewalls to provide a unified, single source of truth for XSIAM. Together, as part of the Palo Alto Networks platform, it enables centralized, real-time visibility across the infrastructure.

  • Integrated platform and tools deliver unparalleled visibility

    By implementing XSIAM and NGFWs, the OTS team went from having limited visibility of alerts to knowing not only the exact source and location of each alert but also gaining additional contextual information that helped expedite resolution. Hymel says the improved visibility was, by far, the biggest benefit.
  • Advanced automation capabilities improve efficiencies across parish lines

    Louisiana relied on limited resources and a small security operations team, so the idea of transitioning from manual processes to automated systems had huge appeal. OTS immediately witnessed the impact of Cortex XSIAM automation capabilities on the team’s efficiency.

    It could now automate firewall data to feed XSIAM for a true threat intelligence program. With NGFWs deployed in all counties, when OTS wants to block a threat across the state, it’s added to the XSIAM threat intel feed, and hundreds of firewalls uptake that information to block the suspicious event.

    Using AI analytics and automation for incident investigation has doubled the incident close-out rate and offloaded several traditional Tier 1 analyst duties. With XSIAM handling the initial alert monitoring, prioritizing, investigation, and threat blocking, there’s already contextual data for the incident when the team is ready to review it. Machine learning helps to flag critical incidents requiring attention, and it allows analysts to quickly query the system with natural language questions. This alleviates the need for specialized development experience and delivers instant data the team needs to proceed to the next steps. With these advanced AI and machine learning capabilities in place, analysts are able to offset responsibilities, freeing them to work on more complex issues, which is critical for this resource-limited team.
  • Cloud-based platform enables scalable security operations and greater operational efficiency

    With the continual increase in the amount of data, the expanding attack surface, and the growing number of threats, scalability to handle larger loads is critical for the State of Louisiana. OTS had outgrown its on-premises SIEM, which couldn’t handle the increased demand for storage or throughput. XSIAM offered immediate relief, and OTS was able to upload all the source data that had been missing from its old SIEM. Today, the state ingests nearly 10,000 GB of data per day, compared to the 60 GB it could ingest with its prior SIEM solution. And the number of data sources feeding into the system has increased fourfold, from 10 to 40.

    The fully hosted platform reduced the administrative work for engineers and analysts so they could focus on threat hunting and incident response instead of tool management. This equated to three full-time roles redeployed to other critical security functions. The XSIAM tool integration also increased operational efficiency because analysts were now able to collapse four different controls into a single console.

    [Chart: incidents flagged*, alerts resolved by automation†, and MTTR‡]

    * Incidents flagged = Potential security events flagged that require automated or manual investigation
    † # of alerts resolved by automation playbook (including those that just need a final approval from a SOC analyst to close)
    ‡ MTTR = Median time to resolution (time from alert to case resolution)
  • A trusted security partner for the long haul

    The State of Louisiana was entering uncharted territory and a long, 10-year journey to security stability. It relied heavily on the team at Palo Alto Networks to support and advise the organization along the way. By integrating a comprehensive security platform with one technology partner, it was able to consolidate tool management, automate workflows, reduce complexity, improve efficiencies, gain greater visibility, and allow for more seamless and effective security operations.

    Of course, modernization is a never-ending adventure. OTS continues to update legacy hardware and software while leveraging AI-driven tools to meet the evolving security, efficiency, and citizen data protection demands.

    Find out more about how Palo Alto Networks best-in-class solutions can improve security for your organization. Learn more about Cortex XSIAM and Next-Generation Firewalls.

"Palo Alto Networks has been an extremely strong partner for the State of Louisiana. We’ve been able to take the state out of the Stone Age and build an example security system that other states can emulate."

Chase Hymel

CISO, State of Louisiana
