Norlem claims “unfair advantage” for its SOC and clients from unified Cortex platform

SUMMARY

Norlem is a technology partner dedicated to delivering industry-leading cybersecurity expertise to its clients across all verticals. The managed security services provider (MSSP) exclusively resells and services the Palo Alto Networks platform of products, allowing its engineers to develop deep expertise and its customers to benefit from best-in-class solutions.

RESULTS

  • 80% reduction in false positives
  • <1 minute median time to resolution
  • 3x higher case closure rate, to over 95%
  • 12 FTEs' worth of labor saved with Cortex XSIAM

CHALLENGE

Drowning in telemetry. Zero inspection for almost all data.

As an MSSP, Norlem manages billions of monthly events for its customers. Before switching to the Palo Alto Networks platform, the company faced a number of challenges to both security and efficiency:

  • The volume of telemetry overwhelmed analysts, leaving countless data points uninspected.
  • Manual collection and assessment of data caused delays in making high-confidence forensic determinations—a process that took 48 hours.
  • Dispersed data prevented the company from leveraging machine learning and automation.
  • The sprawling environment often required pivoting between 4–7 separate tools to investigate a case.
  • A lack of cloud visibility made it difficult for analysts to assess posture and respond to cases across complex environments like AWS.


SOLUTION

The platform that scales human expertise.

Norlem recognized that to solve its challenges, it needed more than a collection of point solutions; it needed a platform. The company chose the Palo Alto Networks Cortex platform to revolutionize its clients’ security operations—and its own.

The AI-driven SOC

Almost immediately, Cortex XSIAM provided the solution to the alert fatigue and scaling problem, fundamentally changing Norlem’s own SOC as well as its XMDR service. The platform stitches together disparate data sources and creates a causality chain in just 90 seconds—enabling forensic determinations in minutes rather than the 48 hours (or 18 desk hours) previously required.

“The analytics and machine learning models that XSIAM brings—combined with the automation—give people an unfair technical advantage and a unique way to make sure that every piece of telemetry and log data is being used in some way.”

Bobby Brillhart

VP of Engineering, Norlem

Cortex XSIAM’s unified data model is equally valuable for security teams of any size or experience level. Once data is onboarded into the platform, its machine learning models begin generating high-fidelity issues without an analyst having to write correlation rules by hand, and AI-driven correlation cuts false positives by up to 80%. This reduces a daily flood of hundreds of noisy issues to a manageable 20–40 enriched cases, which lets Norlem’s team close over 95% of cases (compared to 30–40% previously).

Massive gains in efficiency

Resource allocation has become far more scalable since Norlem deployed Cortex XSIAM. “Instead of a one-to-one mapping of person to task,” Bobby Brillhart, VP of Engineering, explains, “XSIAM helps us decide where our humans need to go.” He estimates that Norlem has been able to reallocate a large pool of employee hours, equivalent to 12 full-time workers, to higher-value tasks within the SOC. The platform is delivering similar gains for the company’s clients.

“There’s always going to be value in creating cool correlations and making our own alerts, but XSIAM is like a SOC in a box—and nobody else out there is doing it that way.”

Bobby Brillhart

VP of Engineering, Norlem

  • Multilayered defense and automation for clients

    While Norlem uses XSIAM to orchestrate its own security operations (and many of its clients’ SOCs), the organizations it works with have widely varying infrastructure and security needs. For that reason, the firm also offers Cortex XDR and XSOAR.

    • A step change in response. Before offering XDR to clients, most of Norlem’s endpoint detection was signature-based, with minimal AI capabilities. XDR introduced a sophisticated, multilayered defense model, and with it a big boost in confidence. Previously, if there was no known threat intelligence for an attack, Brillhart’s team had little confidence in its ability to stop it. With XDR, detection no longer depends on prior threat intelligence.
    • Automation for everyone. For clients with mature existing processes, XSOAR captures those processes and automates where it makes sense. For more nascent SOCs, XSOAR allows every process to be documented in a playbook, with automation added as comfort grows. Norlem has scaled its custom playbooks from fewer than 16 to approximately 300, expanding beyond security to cover business use cases such as onboarding new hires, and provides them to customers for long-term posture uplift.
  • Taming the cloud environment

    Migrating from Prisma Cloud to Cortex Cloud solved a major operational friction point for Norlem: integrating cloud security into the SOC workflow. By moving cloud security closer to Cortex, the company’s SOC analysts—who operate entirely within Cortex—found it much easier to respond to cloud cases. Cortex Cloud provides:

    • Visibility: It makes all public cloud activity visible and accessible, a challenge in cloud-native environments like AWS, where it’s difficult for novices to assess their footprint.
    • Security and development alignment: It allows security analysts to speak more knowledgeably with developers, enabling them to address configuration issues without needing to be an expert in every public cloud service.

    Beyond its visibility and ease of use, Norlem President Bryan Norman appreciates that Cortex Cloud tackles the broader challenge of cloud risk management—allowing the organization and its customers to meet regulatory compliance while delivering runtime visibility into traffic flows and threat actor activity. Rather than discovering vulnerabilities after deployment, “Cortex Cloud allows you to really understand how you’re consuming risk in real time, and then effectively mitigate that risk,” explains Norman. In an environment where new cloud services appear almost daily, this feature has proved essential to the business.

The power of the platform.

For both Norlem and its customers, a standout benefit of platformization is interoperability. Every existing security investment now stitches together in a way that consistently adds value to the entire organization. This seamless integration creates comprehensive security coverage that ensures no telemetry goes uninspected, no matter the volume. “What’s been so unique as a service provider for us—and the distinguished privilege we’ve had,” says Brillhart, “is being able to hand-over-heart look people in the eye and guarantee them scenarios that we know they’re not getting elsewhere.”

“We consider Cortex XSIAM to be completely disruptive and transformative in the industry, and we are excited to continue to take that journey with Palo Alto Networks.”

Bryan Norman

President, Norlem

It doesn’t stop here.

SOC operations are just part of the security picture. Discover how Norlem saved 15 hours per week and established defensible architecture with platformization spanning Network Security.