Case Study

Why a major US-based Tech Company Chose Cortex Xpanse over RiskIQ


Identify, Monitor, and Secure High-Risk Internet-Facing Assets and Services


In brief

Customer

Major U.S.-Based Tech Company

Industry

Technology

Country

United States of America


Challenge

A major tech company needed a way to identify, monitor, and secure high-risk internet-facing assets and services. Because the company conducts a large number of acquisitions, it was also looking for a way to easily and automatically identify all internet assets belonging to acquired companies.

Solution

The company had worked with RiskIQ for multiple years but found its services insufficient to meet these challenges due to inaccurate and stale data, an inability to scale across the organization, and insufficient coverage across all internet-facing risks. The company turned to Xpanse to identify its global attack surface as well as help ensure secure M&A cyber due diligence and network integrations.

Outcome

The company’s SOC team has streamlined processes for reducing the company’s internet attack surface by automating the identification of risky internet assets and services through Xpanse. The SOC team can also easily and seamlessly identify, integrate, and secure the internet assets of new acquisitions.


ACQUIRING THE BEST

A major US-based tech company and member of the Fortune 1000 was facing a challenge. Its security operations center (SOC) team was composed of the best of the best, but its top players didn’t have the necessary technology solutions at hand. After three years as a RiskIQ Digital Footprint® customer, the SOC team leader didn’t feel the product was meeting the company’s needs or simplifying his team’s work enough on a day-to-day basis. He had a straightforward focus: he wanted to understand the company’s complete internet-facing footprint and reduce risks associated with that footprint. RiskIQ would conduct domain-based scans and share certain open ports, but it would not verify the services on those ports. How was he to know if the open ports posed a risk to the organization or not?

“Ports don’t really matter. It’s the services running on the ports that matter,” the SOC team leader says. “You can run a really risky service like Microsoft Remote Desktop Protocol (RDP) from any port you want. Knowing that port 3389 is open isn’t nearly as interesting as RDP is open on a certain IP address that we know is ours. So, the alignment that Xpanse offers directly toward understanding high-risk services that are public-facing is something we weren’t able to get out of RiskIQ or any other vendor.”

The SOC team leader also appreciates that Cortex® Xpanse™ provides guidance to the company on different risky services to focus on. His philosophy is that the SOC team should get in front of any security risks before they become an incident. The SOC team should never be reactive; instead, they want to be proactive in discovering any high-risk vulnerabilities and misconfigurations. “Xpanse has already done the work of suggesting the severity of a lot of different services we hadn’t even thought of,” he says. “Xpanse has done a better job of monitoring and identifying risks as the landscape evolves.”
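The distinction the SOC team leader draws above, service identity versus port number, is the core of protocol-validated inventory. The following is an added illustration of that idea, not Xpanse, RiskIQ, or the company's own code: it classifies each scan observation from the first bytes the service returns, so RDP answering on port 8443 is reported as RDP, and an HTTP server parked on 3389 is not mistaken for RDP. The IP addresses, response bytes, and severity labels are constructed for the example.

```python
"""Service-over-port classification for an external asset inventory.

Added example (assumption throughout): not vendor code. Each observation
carries the first bytes a listener returned to a protocol probe; the
service is identified from those bytes, never from the port number.
"""
from dataclasses import dataclass

# Constructed severity table: illustrative, not any vendor's rating.
HIGH_RISK = {"rdp": "critical", "telnet": "critical", "smb": "high", "vnc": "high"}

# Conventional ports, used only to flag a service running somewhere unusual.
STANDARD_PORT = {"rdp": 3389, "ssh": 22, "http": 80, "vnc": 5900, "smb": 445, "telnet": 23}


@dataclass(frozen=True)
class Observation:
    ip: str
    port: int
    response: bytes  # first bytes returned by the listener (constructed sample data)


def classify_service(response: bytes) -> str:
    """Identify the service from its protocol response; the port is never consulted."""
    # RDP: TPKT header (0x03 0x00, length) followed by an X.224 Connection Confirm (code 0xD0)
    if len(response) >= 6 and response[0:2] == b"\x03\x00" and response[5] == 0xD0:
        return "rdp"
    if response.startswith(b"SSH-"):
        return "ssh"
    if response.startswith(b"HTTP/1.") or response.startswith(b"HTTP/2"):
        return "http"
    # VNC servers open with an RFB protocol version string
    if response.startswith(b"RFB "):
        return "vnc"
    # SMB: 4-byte NetBIOS session header, then the SMB1 or SMB2 magic
    if len(response) >= 8 and response[4:8] in (b"\xffSMB", b"\xfeSMB"):
        return "smb"
    # Telnet: option negotiation begins with IAC (0xFF) then WILL/WONT/DO/DONT
    if len(response) >= 3 and response[0] == 0xFF and response[1] in (0xFB, 0xFC, 0xFD, 0xFE):
        return "telnet"
    return "unknown"


def assess(observations):
    """Turn raw observations into inventory findings with a severity and a
    flag for services exposed on a port other than their conventional one."""
    findings = []
    for obs in observations:
        service = classify_service(obs.response)
        findings.append({
            "ip": obs.ip,
            "port": obs.port,
            "service": service,
            "severity": HIGH_RISK.get(service, "info"),
            "nonstandard_port": service in STANDARD_PORT and STANDARD_PORT[service] != obs.port,
        })
    return findings


# Constructed sample scan: TEST-NET-1 addresses, hand-built protocol responses.
SAMPLE = [
    Observation("192.0.2.10", 3389, b"\x03\x00\x00\x0b\x06\xd0\x00\x00\x12\x34\x00"),  # RDP, usual port
    Observation("192.0.2.11", 8443, b"\x03\x00\x00\x0b\x06\xd0\x00\x00\x12\x34\x00"),  # RDP hidden on 8443
    Observation("192.0.2.12", 3389, b"HTTP/1.1 200 OK\r\n"),                             # web server on 3389
    Observation("192.0.2.13", 2222, b"SSH-2.0-OpenSSH_9.6\r\n"),                         # SSH on 2222
]


def high_risk_findings(observations=SAMPLE):
    """Only the findings a SOC would queue for remediation first."""
    return [f for f in assess(observations) if f["severity"] in ("critical", "high")]


if __name__ == "__main__":
    for finding in assess(SAMPLE):
        print(finding)
```

Run as a script it prints one finding per observation; the two RDP listeners come out as critical regardless of port, while the HTTP server on 3389 is rated info, which is exactly the false positive a port-only view would raise.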

A FOCUS ON SERVICES

The company regularly acquires smaller companies to broaden its portfolio and stay current with market trends. Whenever a new company is acquired, it is the job of the SOC team to understand that company’s internet-facing footprint. In the past, the SOC team leader had relied on RiskIQ to help understand any security risks posed by new acquisitions, but he found that RiskIQ’s data was incomplete, out of date, and required far too much time-consuming, manual verification from his team.

“Understanding what risks are associated with an acquisition from an external perspective is really important to us,” the SOC team leader says. “We also have a separate vulnerability management team, and they continually struggle to identify the true network footprint of these companies.”

Whenever the company would acquire a new company, RiskIQ required the SOC team to go in and manually verify that the new assets were attributed correctly—a challenging task since they were looking at assets belonging to what was previously a separate company.

“RiskIQ has a discovery mechanism where I or someone on my team would need to log in and add a domain through that mechanism,” the SOC team leader says. “And then the searches would come in, and then I would have to go through and click a button 100 times to approve an asset or not. This was outsourcing a lot of that work to me, whereas what I want is to outsource the work to the vendor and have the vendor handle that for me.”

With Xpanse, on the other hand, the SOC team received an automatic, high-confidence inventory of all internet assets and services belonging to new acquisitions so the team could set to work immediately reducing risk rather than working through painful manual processes.

AUTOMATING ATTACK SURFACE REDUCTION

Reducing risk around acquisitions wasn’t the only area where Xpanse was able to simplify and automate work for the SOC team. The SOC team leader found that for inventory management, Xpanse simplified the process for him rather than constantly requiring manual verification.

“RiskIQ continually requires pruning and button-clicking to maintain an accurate inventory of what’s ours,” he says. “While RiskIQ is extremely manual, Xpanse is very ‘set it and forget it.’”

Part of what made Xpanse easier to use was not just the verification process, but also the higher level of accuracy of Xpanse data versus data from RiskIQ. For example, the SOC team leader found that RiskIQ often had out-of-date domains and subdomains it had attributed to the company. In one case, RiskIQ had flagged certain IPs on Amazon Web Services as belonging to the company, but the IPs were associated with one of the company’s domains nine months prior, and even at that time didn’t actually belong to it. So, the information being provided by RiskIQ was both stale and incorrect. With Xpanse, the company was able to get more accurate attribution as well as daily scans of its full internet-facing inventory of assets and services.

One benefit of Xpanse that the SOC team leader appreciated was that it not only did protocol-validated scanning (as opposed to port-based and domain-based scans), but also looked at certificates, which allowed it to surface additional risks that were not uncovered by RiskIQ. In one case, Xpanse helped find an asset that an employee in the company’s UK arm had spun up without notifying the IT team. There was no way to find that asset other than through the associated certificate.

Another benefit was Xpanse’s more accurate coverage of cloud risks. Because the services associated with a given IP address can change constantly—including services from multiple different companies running on a given IP address in the public cloud at different points in time—cloud discovery and attribution can be particularly tricky. Using Xpanse’s cloud discovery capabilities, the SOC is now able to accurately identify and attribute assets to the company even from multitenant public cloud environments. This means not only discovering services that RiskIQ didn’t find, but also eliminating false positives that otherwise would waste large quantities of the SOC team’s valuable investigation time.
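The two attribution failures described above, a nine-month-old DNS association treated as current and a cloud IP that has since been handed to another tenant, both come from ignoring time. As an added illustration (not Xpanse's or RiskIQ's algorithm), the code below attributes an IP to the organization only when its most recent DNS observation is an org-owned hostname seen within a freshness window, and explicitly drops an IP whose latest observation belongs to someone else. The organization domain `example.com`, the hostnames, the TEST-NET-3 addresses, and the dates are all constructed.

```python
"""Time-aware IP attribution for a cloud-hosted external footprint.

Added example (assumption throughout): not vendor code. Each observation
records that a hostname resolved to an IP on a given date. Attribution
uses only the most recent observation per IP, so an address reassigned
to another cloud tenant is released rather than kept as a false positive.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class DnsObservation:
    ip: str
    hostname: str
    observed_on: date


def owned(hostname: str, org_domains) -> bool:
    """True if the hostname is one of the org's domains or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in org_domains)


def attribution_report(observations, org_domains, today, max_age_days=30):
    """Map each IP to a verdict: 'attributed', 'stale', 'reassigned' or 'not_ours'.

    'stale'      : the latest org-owned sighting is older than max_age_days
    'reassigned' : the IP was ours once, but its latest sighting is another tenant's host
    'not_ours'   : the IP was never seen behind an org hostname
    """
    latest = {}
    ever_ours = set()
    for o in observations:
        if owned(o.hostname, org_domains):
            ever_ours.add(o.ip)
        if o.ip not in latest or o.observed_on > latest[o.ip].observed_on:
            latest[o.ip] = o

    report = {}
    for ip, o in latest.items():
        if not owned(o.hostname, org_domains):
            report[ip] = "reassigned" if ip in ever_ours else "not_ours"
        elif (today - o.observed_on).days > max_age_days:
            report[ip] = "stale"
        else:
            report[ip] = "attributed"
    return report


def attribute_ips(observations, org_domains, today, max_age_days=30):
    """Return {ip: hostname} for addresses that pass the freshness and ownership checks."""
    verdicts = attribution_report(observations, org_domains, today, max_age_days)
    latest_host = {}
    for o in sorted(observations, key=lambda o: o.observed_on):
        latest_host[o.ip] = o.hostname  # last write wins: the newest observation
    return {ip: latest_host[ip] for ip, v in verdicts.items() if v == "attributed"}


# Constructed sample: org owns example.com; other-tenant.test is a different cloud customer.
ORG_DOMAINS = ("example.com",)
TODAY = date(2024, 6, 1)
SAMPLE = [
    DnsObservation("203.0.113.5", "app.example.com", date(2023, 9, 1)),         # nine months old
    DnsObservation("203.0.113.6", "api.example.com", date(2024, 1, 1)),
    DnsObservation("203.0.113.6", "api.example.com", date(2024, 5, 25)),        # fresh, still ours
    DnsObservation("203.0.113.7", "www.example.com", date(2024, 5, 20)),
    DnsObservation("203.0.113.7", "shop.other-tenant.test", date(2024, 5, 28)), # IP moved to another tenant
    DnsObservation("203.0.113.8", "cdn.other-tenant.test", date(2024, 5, 30)),  # never ours
]

if __name__ == "__main__":
    for ip, verdict in sorted(attribution_report(SAMPLE, ORG_DOMAINS, TODAY).items()):
        print(ip, verdict)
    print("attributed:", attribute_ips(SAMPLE, ORG_DOMAINS, TODAY))
```

With the constructed data only 203.0.113.6 survives; the nine-month-old association is reported as stale and the reassigned cloud address is released, which is the false-positive class the SOC team describes spending investigation time on.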

PUTTING CUSTOMER SERVICE FIRST

Ultimately, the company appreciated that Xpanse helped it operationalize its technology across the full security team rather than implementing guardrails that would hold them back from getting the most value from their subscription. Case in point: Xpanse included licenses for the company’s entire team, whereas RiskIQ only included five seats for the company and charged more for additional seats. The SOC team leader has roughly a dozen people on his team and wants to share across other information security teams, such as the vulnerability, pen testing, and red teams. With RiskIQ, the user seat limit made it a challenging and manual process to share information across teams, rather than helping all stakeholders at the company align and take action to drive down risk.

With Xpanse, the SOC team leader, his team, and other security leaders at the company have a true partner in discovering, monitoring, and reducing risk to create a more secure organization. As the company completes new acquisitions and the SOC team evolves to respond to ever-changing internet threat vectors, they can sleep more easily at night knowing that Xpanse will always automatically find and surface risks as well as partner with them on their security journey.

To learn more about Cortex® Xpanse™, visit paloaltonetworks.com/cortex/cortex-xpanse.