Source: info.opendns.com/rs/033-OMP-861/images/CS-Brunswick.pdf

© 2016 Cisco and/or its affiliates. All rights reserved.

How a recreation and lifestyle brand leader uses global threat intelligence to prevent attacks.

CASE STUDY

Organization snapshot

Company: Brunswick Corporation

Headquarters: Lake Forest, Illinois.

Number of users protected: 10,000

Challenge: Bolster network security by preventing attacks.

Solution: Cisco Umbrella Investigate

Security Partner: Optiv Security Inc.

Impact:

• Strengthened security by increasing visibility into threats on the internet and better defending against attacks

• Reduction in investigation time

• Improved productivity by streamlining threat intelligence gathering process

“Investigate delivers living, breathing data that’s always changing and being continuously updated, so we can make decisions and act on the best possible data.”

Alex Herrick Security Solution Architect Brunswick Corporation


The challenge

Outdated, unreliable threat data weakened security defenses and responses

When John Brunswick’s small machine shop opened to build horse-drawn carriages in 1845, the United States numbered 27 states, the start of the Civil War was still 16 years away, and the international telegraph was not yet a reality. Today the multinational, multidivisional operation now called Brunswick Corporation is built around some 30-plus marine, fitness and billiards brands.

Just as it has been key to the company’s longevity and fiscal health, diversification has strengthened Brunswick’s network security: the company automates the collection of threat intelligence from multiple sources. “The more intelligence we can access, the better our opportunity to identify threats before the kill chain begins,” notes Alex Herrick, Brunswick Security Solution Architect.

“Even with a number of existing data sources, which included proxy, firewall, antivirus and security information and event management (SIEM) tools, we felt we lacked context about the indicators of compromise (IOC) that we were seeing,” he says. “We knew we were missing important information, and we knew we needed to find a way to get fresh, dynamic data to reinforce our network security and enable us to stay ahead of attacks and respond to security events faster.”

“High quality, real-time data means we can respond to an incident quickly, rather than being forced to wait for antivirus or one of our other security solutions to catch it.”

Alex Herrick Security Solution Architect Brunswick Corporation


The solution

Enrich security data with real-time, internet-wide intelligence

“Initially, we looked at a couple of vendors that specialized in threat intelligence feeds, and we just weren’t impressed with how they delivered the information,” Herrick recounts. “While there was some quality information there, much of the intelligence was outdated and didn’t correlate to what we were seeing with the IOCs.”

When trusted security advisor Optiv recommended Cisco Umbrella Investigate, Herrick explored Investigate firsthand. “We have a longstanding and positive partnership with Optiv,” noted Herrick.

“The threat intelligence from Investigate is very valuable to me. While we were evaluating it, I liked the fact that Investigate could deliver live intelligence about the domains and IP addresses that I was seeing on my network, which I could then leverage to speed up my incident investigations,” he recalls.

“Since the domains and IP addresses, which are pulled from our proxy, DNS, and firewall logs, are ingested into our SIEM, Splunk, I can perform data enrichment on any indicators in question,” says Herrick. “Using Investigate’s scoring models and correlations, I can easily identify potentially suspicious activity and prioritize it for my incident response team.”

“Prior to implementing Investigate, the same incidents would have gone undetected and we would not have been able to remediate at all.”

Alex Herrick Security Solution Architect Brunswick Corporation


Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

The results

Decreased response time, increased incident prevention

After Brunswick integrated the Investigate API, its network data and threat intelligence were consolidated into a single interface for incident responders, who could also dig deeper into the intelligence using the Investigate console.

“Having one central location in which to see things like WHOIS data, first-seen information and other relevant data points has been very valuable and has allowed us to seamlessly manage the increased flow of threat intelligence,” says Herrick. “Some of that information is findable in various places on the internet, but having it all correlated in one central location is a big benefit, and the scale of Investigate’s dataset ensures we don’t miss anything.”

“The console is a good source of indicators of compromise and enables me to pivot around easily. I can discover other malicious domains that a given IP address may be hosting just by clicking on it in the console,” Herrick continues. “The console also provides co-occurrences and related domains, which can be especially useful while investigating drive-by downloads and exploit kits, since we can use the DNS time series analysis to pinpoint where an attack originates and what other domains might be involved.”
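The following Python is an added example, not Brunswick’s or Cisco’s code and not a client for the Investigate API. It sketches the workflow described in the solution section and in the paragraph above: domains and external IPs are extracted from proxy, DNS and firewall log lines, each is enriched against a threat-intelligence source that returns a verdict and a risk score, the results are ranked for the incident response team, and an IP is pivoted to the other domains it hosts. The log lines, the `THREAT_INTEL` records and the `lookup` function are constructed stand-ins; in a real deployment `lookup` would wrap the vendor’s API call and the `-1/0/1` status values and 0–100 score are assumptions about its output shape.

```python
"""Extract network indicators from logs, enrich and rank them, pivot on hosting IP.

Added example; not Brunswick's or Cisco's code. Log lines, intelligence
records and lookup() are constructed stand-ins for illustration.
"""
import ipaddress
import re

# Constructed log lines: a Squid-style proxy entry, a dnsmasq-style DNS query
# and an iptables-style firewall entry. Not real traffic.
SAMPLE_LOGS = [
    "1595412001.123    245 10.1.2.3 TCP_MISS/200 1234 GET "
    "http://update-check.example/payload.bin - HIER_DIRECT/203.0.113.10 application/octet-stream",
    "Jul 22 10:00:01 dnsmasq[1234]: query[A] cdn-assets.example.net. from 10.1.2.3",
    "Jul 22 10:00:02 fw kernel: IN=eth0 OUT=eth1 SRC=10.1.2.3 DST=198.51.100.7 PROTO=TCP DPT=443",
]

# Constructed intelligence records keyed by domain (assumed shape: status
# -1 malicious / 0 unknown / 1 benign, score 0-100, plus resolution data).
THREAT_INTEL = {
    "update-check.example": {"status": -1, "score": 92, "categories": ["Malware"],
                             "first_seen": "2016-05-02", "resolves_to": ["203.0.113.10"]},
    "stat-collector.example": {"status": -1, "score": 95, "categories": ["Malware", "Command and Control"],
                               "first_seen": "2016-05-03", "resolves_to": ["203.0.113.10"]},
    "cdn-assets.example.net": {"status": 1, "score": 8, "categories": ["Content Delivery"],
                               "first_seen": "2012-01-15", "resolves_to": ["198.51.100.7"]},
}

URL_HOST = re.compile(r"https?://([^/\s:]+)")
DNS_QUERY = re.compile(r"query\[[A-Z]+\] (\S+) from")
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_external(ip_text):
    """True for a valid IPv4 address outside the internal ranges above.

    ipaddress.is_private is deliberately not used: it also flags the RFC 5737
    documentation ranges (198.51.100.0/24, 203.0.113.0/24) used in the samples.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def extract_indicators(lines):
    """Return the sorted set of external domains and IPs seen across log lines.

    Internal addresses are dropped: the question is which outside
    infrastructure our hosts talked to, not which hosts did the talking.
    """
    found = set()
    for line in lines:
        for host in URL_HOST.findall(line) + DNS_QUERY.findall(line):
            host = host.lower().rstrip(".")      # normalise case and trailing dot
            if not IPV4.fullmatch(host):          # IP-shaped hosts are handled below
                found.add(host)
        for ip in IPV4.findall(line):
            if is_external(ip):
                found.add(ip)
    return sorted(found)


def hosted_domains(ip):
    """Pivot from an IP to every domain in the intelligence set resolving to it."""
    return sorted(d for d, r in THREAT_INTEL.items() if ip in r["resolves_to"])


def lookup(indicator):
    """Stand-in for an enrichment API call; works offline on THREAT_INTEL.

    A domain returns its own record. An IP inherits the worst verdict and the
    highest score of the domains it hosts, so shared malicious infrastructure
    surfaces even when the specific domain observed is not yet classified.
    """
    if indicator in THREAT_INTEL:
        return dict(THREAT_INTEL[indicator], related=[])
    hosted = hosted_domains(indicator)
    if not hosted:
        return {"status": 0, "score": 0, "categories": [], "first_seen": None, "related": []}
    recs = [THREAT_INTEL[d] for d in hosted]
    return {
        "status": min(r["status"] for r in recs),
        "score": max(r["score"] for r in recs),
        "categories": sorted({c for r in recs for c in r["categories"]}),
        "first_seen": min(r["first_seen"] for r in recs),
        "related": hosted,
    }


def prioritize(indicators, min_score=60):
    """Enrich each indicator and return (indicator, record) pairs, worst first.

    A malicious verdict outranks an unknown one regardless of score; among
    equal verdicts the higher score wins; ties fall back to the name so the
    queue is stable. Indicators that are neither malicious nor at or above
    min_score are dropped to keep the incident response queue short.
    """
    queue = [(ind, lookup(ind)) for ind in indicators]
    queue = [(ind, rec) for ind, rec in queue if rec["status"] == -1 or rec["score"] >= min_score]
    queue.sort(key=lambda item: (item[1]["status"], -item[1]["score"], item[0]))
    return queue


if __name__ == "__main__":
    indicators = extract_indicators(SAMPLE_LOGS)
    print("indicators:", indicators)
    for ind, rec in prioritize(indicators):
        print(f"{rec['score']:3d} status={rec['status']:+d} {ind} "
              f"first_seen={rec['first_seen']} related={rec['related']}")
```

On the sample data the benign CDN domain and its IP fall out of the queue, while the hosting IP 203.0.113.10 ranks above the malware domain actually seen in the proxy log because the pivot shows it also serves a second, higher-scored domain. The internal-range filter is written explicitly rather than via `ipaddress.is_private` so that documentation-range sample addresses are not silently discarded; in production, extend `INTERNAL_NETS` with your own address plan.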

“Since Investigate delivers classification and categorization data from a dedicated Cisco security research team, I can always trust the data to be accurate and updated. That helps my team better protect Brunswick by allowing us to rapidly identify an infected system such as a machine communicating out on a botnet, or a machine that visited a compromised webpage that led to an exploit kit. High quality, real-time data means we can respond to an incident quickly, rather than being forced to wait for antivirus or one of our other security tools to catch it,” points out Herrick. “Instead, we can rely on our logs to alert us right away so we can address issues and remediate where necessary.”

“Our investigation time has been significantly reduced, and now we can detect and remediate security incidents within a day,” he notes. “Prior to implementing Investigate, the same incidents would have gone undetected and we would not have been able to remediate at all.”

“The ability to query an always up-to-date database of any domain on the internet and instantly receive information about it is immensely valuable. Investigate gives us the most current information available — it delivers living, breathing data that’s always changing and being continuously updated,” Herrick concludes, “so we can make decisions and act on the best possible data to stay ahead of attacks while enriching our security data with Investigate’s global intelligence.”
