We changed our name from IT Central Station: Here's why
Get our free report covering Palo Alto Networks, Splunk, Siemplify, and other competitors of Swimlane. Updated: January 2022.
565,304 professionals have used our research since 2012.

Read reviews of Swimlane alternatives and competitors

Cyber Security Engineer / Cyber Investigation / Incident Handler at a government with 5,001-10,000 employees
Real User
Top 20
Enables the investigators to go through the review process a lot quicker
Pros and Cons
  • "Palo Alto has gotten the investigators more presence to actually go in the report because being that the platform will email the investigator that it's been assigned to, now the investigators will jump in there and start going through the review process a lot quicker."
  • "In terms of improvement, it needs to be more modular. It's not. When you're working in layouts and you create specific apps within layouts, there's no portability right now in order to reuse that code across multiple layouts. I can't take a tab and say I want to use this tab on these other layouts. I have to physically go in there and recreate it from scratch, which is maddening."

What is our primary use case?

We were looking for a single pane of glass type of solution that would allow us to physically be in one appliance be able to work in concert with other servers that we have within our environment. We wanted orchestration and automation. The single pane of glass was the most important part. 

Every investigator has a different way of tackling an investigation. Essentially what we wanted to do is to take the mundane tasks that the investigators have to do as part of their investigation process and then automate those mundane tasks as a pre-processor. That way, when the investigation is provided to the investigator in order to review what was found, all they have to do is look at the data that was presented to them and they wouldn't have to go through the process of doing the data enrichment with regards to threats and functions of that nature because all of that was done ahead of time as part of the processing.

Right now we've started with one investigation, which is phishing. The user will report any phishing attempts against any of our users within JPL to an email address. Our XSOAR appliance will peek into that mailbox, pull the emails out, and then process those emails that have been reported. As part of the processing, it'll do the data enrichment and once that's done, that's presented to the investigator in order to review the findings. The investigator makes the final verdict. Once the final verdict is rendered, then the other automated task would be the enforcement tasks, which would include any blocking of the sender, blocking of the IP, blocking of the domain, blocking of the URL, and those types of actions.

How has it helped my organization?

Palo Alto has gotten the investigators more presence to actually go in the report because being that the platform will email the investigator that it's been assigned to, now the investigators will jump in there and start going through the review process a lot quicker.

When my juniors receive an email, I have trained them to jump on it quickly in order to remediate it quickly. The sooner we get it remediated, the less likely a user that hasn't reported it will click on the link and become a victim.

Palo Alto has reduced the time that it takes to go through the process of investigating a reported abuse. Rather than one individual, which was the process before, that would handle the abuse mailbox, now we have a team of 15 individuals that all share in the remediation of those reported abuse messages.

The process is a lot quicker, nothing seems to slip between the cracks. We've been able to quickly contain phishing campaigns that were launched by external actors against our environment and been able to quickly identify users that have clicked on links and then had them change their passwords in order to reduce the risk of having those accounts used in order to perpetuate additional attacks.

What needs improvement?

In terms of improvement, it needs to be more modular. It's not. When you're working in layouts and you create specific apps within layouts, there's no portability right now in order to reuse that code across multiple layouts. I can't take a tab and say I want to use this tab on these other layouts. I have to physically go in there and recreate it from scratch, which is maddening.

From an analyst perspective, it's not that hard to use. From a developer, it takes a little while in order to get to understand exactly how one would go about creating a playbook. The automation part is not that hard. It's relatively easy. It's just creating the flowchart.

For how long have I used the solution?

I have been using this solution for one and a half to two years. 

What do I think about the stability of the solution?

I have not had an issue with stability yet. 

What do I think about the scalability of the solution?

It is scalable. If I noticed that there wasn't any impact in performance, then I'd simply launch another instance and then cluster them together in order to provide shared resources between the two in a cluster. If a particular integration is misbehaving because there aren't sufficient resources on the one instance that we currently have, then I can detach that instance or that integration from the instance into its own VM. That way it has enough resources on another VM in order to actually run that integration.

There are 15 investigators using this solution. 

In terms of increasing usage, we're looking at bringing in our audit vulnerability and assessment team and having them do their vulnerability assessments from within the platform. I'm going to have to reach out to them to get them to start looking at the vulnerability layout, the incident type, the playbook, and the Nessus connectors in order to be able to have them perform that through XSOAR and then follow up through XSOAR with regards to remediation.

How are customer service and support?

Anytime I have any issues, I'll open up a TAC ticket and then they'll contact a customer support engineer and they'll hand it over to him.

From the aspect of the actual people that work in the technical support area, I would rate them an eight out of ten. I would rate it higher just for the technical aspect. 

Which solution did I use previously and why did I switch?

We're taking what we have inside of our incident management system and building it into XSOAR. The way case management works now is completely different from the default case management system that is currently in XSOAR.

They wanted to free up the guy that was actually doing all of the work. For some reason, we decided we didn't want it in-house. As far as our in-house solution, it was built on CodeFusion and CodeFusion had a number of vulnerabilities that were identified in the last 15 years. They wanted to move away from that. In order to be able to move away from that, we had to find a solution that would allow us the customizability in order to be able to mimic what we already have.

How was the initial setup?

The initial setup was straightforward. I had assistance with the pre-sales support engineer and the pre-sale support architect. Both helped me to get it set up. As far as our proof of concept, I had to prove that it was customizable enough in order to have it mimic what we already use because we already had a homegrown internal incident management system that we've been using for 15 years.

The initial setup took 90 days. As far as the proof of concept and to set up the first playbook, we ran into some issues where Palo Alto said that the EWS integration worked with on-prem and that we could actually do expungements in an automated fashion. It turned out not to be the case. That took approximately four and a half months to determine that it was not going to function the way it was stated that it would function within the EWS integration. I was hoping to have it done within six months, but it actually took a little over a year to get everything done and into production because of the couple of hiccups that we had with EWS.

I had to reach out to Microsoft and talk to their developers with regards to EWS on-prem and then contact the developers inside of Palo Alto which at first didn't want to talk to me, but I finally got them to talk to me, and then I got them to talk to each other and then came to find out that it doesn't really work.

That took four and a half months of trying to negotiate the communications between Microsoft and Palo Alto. Finally, I had to bypass the expungement enforcement action because there's no way we could do it with our on-prem devices. As far as that's concerned, that's a manual process. We have to send an email out to our Exchange team in order to get the expungement done.

What was our ROI?

We have seen ROI in the time spent on the investigations.

What's my experience with pricing, setup cost, and licensing?

The pricing model could be better. When I first looked at Demisto, it had a price tag of $250,000 but when we finally purchased it, it was $345,000.

My boss thinks that it was a competitive price though compared to other solutions. My thoughts are we could have done a lot better with the price.

Which other solutions did I evaluate?

We evaluated Phantom, Siemplify, SOC 3D,  Swimlane, and a plethora of other solutions. 

Demisto led the field. At the time I was looking at it, it was Demisto. Palo Alto had not purchased it. When I started this endeavor, it was six years ago when Demisto was its own company, when Phantom was its own company, SOC 3D was still a company out of Israel, Siemplify was still a company out of Israel, but it was actually starting to set up its US operations. There were a number of other ones. Resilient was another one that I was looking at before they were picked up by IBM.

A lot of these didn't have what I needed, which was the ability to customize and the ability to integrate with a lot of vendors that we already have in-house. The two that came to the very top were Phantom and Demisto, and my final decision was to actually go with Demisto because Phantom was acquired by Splunk and I hate Splunk.

I was ready to buy, but my management was dragging its feet and they didn't want to loosen up the purse strings in order to make the purchase. But as soon as Palo Alto picked them up, then they were okay with it.

What other advice do I have?

I would rate Palo Alto a nine out of ten. 

My advice would be to do the same type of research I did to ensure that it's the appropriate fit for your use case. If it's an organization that has an already existing incident management system, make sure that you can customize it so you can reduce the learning curve for your investigators in order to be able to transition from your old IMS over to the new IMS, which would be XSOAR.

That's the reason why I took so much time in order to ensure that the customization was there in order to allow me to mimic what we already had in IMS and transition that over to XSOAR. That way, the investigators had a lot less of a learning curve. The only learning curve they had was, "Here's the investigation tab. There's all the data that you need in order to make your verdict. Make your verdict." But as far as writing all the reports, call-down lists, and all that other stuff, that's all part of our original process that I transitioned over to XSOAR.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
Get our free report covering Palo Alto Networks, Splunk, Siemplify, and other competitors of Swimlane. Updated: January 2022.
565,304 professionals have used our research since 2012.