CUSTOMER STORY

Blocking as a Service: How a Global Financial Services Company Leveraged Itential for Vendor-Agnostic SOAR Integration

INDUSTRY

Financial Services

GOALS

  • Eliminate Security Vulnerabilities Post-Merger
  • Real-Time Response to Security Threats
  • Reduce Tool Sprawl

USE CASES

Blocking as a Service


Key Results

Reduced blocking response time from minutes to seconds.

Orchestrated responses seamlessly across post-merger network infrastructure.

Orchestrated responses across multiple SOAR vendors.

Eliminated vendor lock-in.

Blocking & Cyber Defense in the Distributed Infrastructure Era

When an entity such as a URL, domain, or IP address is flagged for blocking by a network security system, this change must be reflected in many different end systems.

Doing that manually, as this company’s SOC team had traditionally done, meant delays of vital seconds or even minutes, during which a potential threat kept its access to parts of a large and complex network.

For example, if a domain needed to be blocked under the traditional model, SOC team members would have first gone to Zscaler to make the change. Then, they would swivel-chair over to Infoblox to make a similar change. Then, any end systems or integrated tools would require manual attention as well. Each step takes valuable time.

On top of that “organic” challenge, where the natural pressures of modern infrastructure pushed the team toward change, the company faced two specific scenarios that accelerated the automation initiative. First, the team had begun an initiative to adopt new SOAR solutions to support certain parts of the network, which required additional work. Second, a recent merger had left the network team managing two separate networks connected to each other, with their own Zscalers and their own lists of entities to be blocked. These incongruencies only added difficulty to manual operations.

These additional challenges raised the priority level of an automation initiative that was already a significant part of the company’s network architecture goals. They aimed to find a way to unify everything, providing a framework where the SOC team could leverage any SOAR (security orchestration, automation, and response) solutions, add new networks, and ensure blocking would be reflected accurately and instantaneously across every integrated end system.

After the merger, it took our engineers a lot more manual time to block any flagged entity across all the different parts of the network. It was already something we wanted to solve, but it quickly became a top priority.

Director of Network Architecture

Why They Chose Itential to Automate Blocking as a Service

An early step in their security transformation involved exploring SOAR options to coordinate and automate security tasks. This approach helps accelerate response time: the SOAR solution is able to ingest alert data and then trigger the right set of responses quickly.

However, the company’s network leadership took a longer-term view and realized that it would be a mistake to rely entirely on one SOAR solution. The chosen approach had to be able to integrate with multiple SOAR solutions and with every relevant system in their digital infrastructure, all in a way that enables a consistent, unified set of processes.

Instead of building a large, complex, end-to-end solution themselves, the network team and IT leadership decided to leverage their Itential partnership. The Itential Automation Platform was the only solution that could easily integrate their SOAR systems together for a cohesive Blocking as a Service strategy.

They were able to achieve vendor-agnostic security across distributed global network infrastructure by leveraging Itential’s:

  • Rapid integration with all network and IT systems, enabling end-to-end process orchestration for zero-touch automation of blocking requests.
  • Patented integration model that enables full flexibility for current and future technology decisions.
  • Automated data transformations, so any payload, be it a domain, a bad IP address, or anything else, can be instantly translated to any format required.
  • Built-in RBAC so automations can only be run by trusted users/systems.
  • No-code development and execution environment that allows non-developers to create automations based on their technology domain expertise.

Itential’s vendor-agnostic integration model means we’re free to use lots of different security vendors without changing our core process. All the options are there and we can choose solutions based on really the technical need, confident that it’ll always work.

Director of Network Architecture

Accelerated Security Response: Vendor-Agnostic Blocking as a Service

This financial services company leveraged Itential’s integration capabilities to build a universal middle layer between their threat response systems and their network and IT systems. Now, regardless of which security system or service makes a blocking request, it kicks off the same process — a given system generates a payload, and then an Itential automation workflow takes in that payload, translates it into different formats, and kicks off a chain of automation logic to complete the request.
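The middle layer described above normalises whatever indicator a security system hands over and fans it out to each end system in that system's own format. The following is an added example (not Itential's, Zscaler's or Infoblox's code) of that validate-then-translate step; the request shape, the target names and the per-target body formats are all hypothetical, and the sample requests are constructed.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample of block requests as a SOAR might submit them (hypothetical shape).
SAMPLE_REQUESTS = [
    {"source": "soar-a", "value": "Evil.Example.COM."},
    {"source": "soar-b", "value": "198.51.100.7"},
    {"source": "soar-a", "value": "https://malware.example.net/drop.php?x=1"},
    {"source": "soar-b", "value": "not a valid indicator!"},
]

_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")  # one DNS label

def classify(value):
    """Return (kind, canonical_value) for an indicator, or raise ValueError."""
    v = value.strip()
    try:
        return "ip", str(ipaddress.ip_address(v))  # accepts IPv4 and IPv6
    except ValueError:
        pass
    if "://" in v:
        p = urlparse(v)
        if p.scheme in ("http", "https") and p.hostname:
            return "url", v
        raise ValueError(f"unsupported URL: {value!r}")
    host = v.lower().rstrip(".")  # lower-case, drop trailing dot
    labels = host.split(".")
    if len(labels) >= 2 and all(_LABEL.match(l) for l in labels):
        return "domain", host
    raise ValueError(f"unrecognised indicator: {value!r}")

def build_actions(request):
    """Translate one validated request into per-target payloads (hypothetical formats)."""
    kind, canon = classify(request["value"])
    actions = []
    if kind in ("url", "domain"):   # hypothetical proxy target takes URLs and domains
        actions.append({"target": "proxy", "body": {"urls": [canon]}})
    if kind == "domain":            # hypothetical DNS target takes response-policy entries
        actions.append({"target": "dns", "body": {"rpz_name": canon, "action": "NXDOMAIN"}})
    if kind == "ip":                # hypothetical firewall target takes address objects
        actions.append({"target": "firewall", "body": {"address": canon, "list": "block"}})
    return kind, canon, actions

def process(requests):
    """Fan out every request; malformed ones are rejected without aborting the batch."""
    done, rejected = [], []
    for r in requests:
        try:
            kind, canon, actions = build_actions(r)
            done.append({"source": r["source"], "kind": kind, "value": canon, "actions": actions})
        except ValueError as e:
            rejected.append({"source": r["source"], "reason": str(e)})
    return done, rejected
```

Rejecting malformed indicators before fan-out keeps one bad SOAR payload from producing inconsistent state across the end systems.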

Today, they’ve been able to expose blocking capabilities as a service to every security system and agent in their distributed global network. In the future, when they need to adopt new SOAR platforms or migrate away from old ones, they can use Itential to do it seamlessly. Across the company’s complex hybrid infrastructure, across every system and location, any entity that’s flagged by any security system — domain, IP, URL, anything — can be blocked in a matter of seconds. In fact, their SOC team stated that the same process previously could take up to several minutes, a window during which the network would remain at risk.

The result? Today, this company has eliminated the friction between their two connected networks post-merger. They’ve built a framework where any SOAR platform and any network system can easily be adopted and integrated with their network security approach. They’ve achieved full vendor flexibility for network security, and they’ve reduced threat response time from minutes to seconds across a complex, global, hybrid network.
