IDEMIA is an international company whose mission is to make the world a safer place through biometrics and cryptography. It develops cutting-edge, government-grade identity verification and next-gen encryption for advanced security. The company is trusted by 600+ governments, state and federal organizations and around 2.5K customers worldwide. It has more than 15K employees from over 80 countries.
IDEMIA’s SOC is spread over three countries, operating on the “follow-the-sun” principle, and a new team entity is soon to be launched in a fourth country. This approach allows the SOC to work around the clock and stay in control of what is happening in the infrastructure at all times.
The size and status of the company mean an ever-growing number of internal and external operations that could become targets of cyber-attacks. To manage and tackle them efficiently, the distributed cybersecurity teams need a convenient way to collaborate internationally and to provide visibility not only for themselves but also for management and other stakeholders.
From disjointed tools to unified control
On average, IDEMIA’s cybersecurity teams receive around 90 alerts to investigate per month. Their target is to have no more than 10 unhandled at any one time, but at peak threat activity the backlog can reach 50.
We tried SIEM ticketing tools, but they were too limited, and classic ITSM platforms were not agile enough.
Jean Mercadier
Head of Cyber Defense Center
In 2023, they tried TheHive as their single pane of glass—and it changed everything.
They started using the platform for all their cyber activities, making it the central control and communication “tower,” as they like to call it. The cybersecurity teams especially appreciated automatically sharing reports by mail, which enhanced visibility on ongoing incidents.
TheHive has made incident management much more structured and transparent. Analysts can finally see every step and track every action of the process, with each incident attributed to its own case. They can also dedicate more time to their core duties of handling security events and incidents, with the platform streamlining the routine processes.
The results of all this were significant:
With TheHive, the company has been able to increase the number of incidents handled by 30%. This is quite a serious boost to our work efficiency.
Jean Mercadier
Head of Cyber Defense Center
All cybersecurity data in one central hub
TheHive is integrated with several tools in IDEMIA’s cybersecurity landscape, such as cutting-edge EDR and SIEM systems. This allows for centralized incident management and provides actionable alert data.
The platform automatically receives alert information from the other tools. The analysts get context-enriched information from the start, which facilitates further case management and incident response. CTI (cyber threat intelligence), Dark Web monitoring and other insights from MSSP-provided platforms are also fed to TheHive.
The company’s cybersecurity teams also use a lot of automated reporting to quickly share post-incident knowledge with each other. The reports are sent by email via TheHive.
From alerts to insights through visibility and automation
As the central panel collecting data from the other cybersecurity tools, TheHive gives IDEMIA’s cybersecurity teams unified, 360° alert visibility. Combined with the platform’s comprehensive case management features and automation capabilities, this helps ensure nothing is missed during the investigation and response phases, significantly accelerating incident handling and improving its efficiency.
TheHive’s customizable reporting has allowed analysts to easily communicate and share information with each other, the management and other stakeholders.
For example, an analyst based in another time zone has only one hour of overlap with a European team at the end of the day. This analyst's thorough tagging and detailed documentation of investigations in TheHive save time for the European team. When reviewing a handled incident, there’s no need for explanations—the written process provides all the necessary information.
Using an n8n workflow, IDEMIA’s analysts have also built an automated process on top of the platform. Each week, a report is now sent by email to stakeholders of various entities. It includes details of incidents opened during the week, those still ongoing, the current backlog and closed cases.
The “Summary” field in these reports is particularly important, as it is what gives stakeholders visibility. It can include, for example, statistics on cyberattacks, which may help in setting up targeted proactive protection measures. The purpose is not necessarily to prompt immediate action but to ensure stakeholders are aware of the activity affecting their organizations and can plan further steps accordingly.
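The bucketing behind such a weekly report is simple once the case records are in hand. The following is an added example, not IDEMIA’s n8n workflow or StrangeBee code: it takes TheHive-style case records and sorts them into the four categories the report above describes (opened this week, still ongoing, backlog, closed this week), then renders the text that a mail step would send. The field names (`_createdAt` and `endDate` as epoch milliseconds, `stage` taking the values `New`, `InProgress` or `Closed`, `title`, `severity`, `summary`) are assumed to mirror TheHive 5’s case JSON, the definition of “backlog” as open cases older than the reporting window is an interpretation, and the sample cases are constructed.

```python
"""Weekly case report over TheHive-style case records.

Added example, not IDEMIA's n8n workflow or StrangeBee code. Field names
are assumed to mirror TheHive 5 case JSON: `_createdAt` / `endDate` in
epoch milliseconds, `stage` in {"New", "InProgress", "Closed"}.
The sample cases below are constructed.
"""
from datetime import datetime, timezone

WEEK_MS = 7 * 24 * 3600 * 1000

# Constructed reference point: pretend the report runs Monday 2024-06-10 00:00 UTC.
NOW = datetime(2024, 6, 10, tzinfo=timezone.utc)
NOW_MS = int(NOW.timestamp() * 1000)


def ms(days_ago: float) -> int:
    """Epoch-millisecond timestamp `days_ago` days before NOW (sample data helper)."""
    return NOW_MS - int(days_ago * 24 * 3600 * 1000)


# Constructed sample cases; `endDate` is None while a case is still open.
SAMPLE_CASES = [
    {"_id": "~1", "title": "Phishing campaign targeting finance", "severity": 3,
     "stage": "InProgress", "_createdAt": ms(2), "endDate": None,
     "summary": "Credential-harvesting mails to 12 recipients; no clicks confirmed."},
    {"_id": "~2", "title": "EDR alert: suspicious PowerShell", "severity": 2,
     "stage": "Closed", "_createdAt": ms(4), "endDate": ms(3),
     "summary": "Benign admin script; added to allow-list."},
    {"_id": "~3", "title": "Dark web mention of corporate domain", "severity": 1,
     "stage": "New", "_createdAt": ms(20), "endDate": None,
     "summary": "Awaiting CTI enrichment."},
    {"_id": "~4", "title": "Impossible travel login", "severity": 2,
     "stage": "Closed", "_createdAt": ms(12), "endDate": ms(1),
     "summary": "VPN egress change; user confirmed the login."},
]


def weekly_buckets(cases, now_ms=NOW_MS, window_ms=WEEK_MS):
    """Split cases into the four categories of the weekly report.

    opened:  created inside the window [now - window, now)
    closed:  stage Closed with an endDate inside the window
    ongoing: every case not yet Closed, whatever its age
    backlog: ongoing cases created before the window started (interpretation)
    """
    start = now_ms - window_ms
    opened = [c for c in cases if start <= c["_createdAt"] < now_ms]
    closed = [c for c in cases
              if c["stage"] == "Closed"
              and c.get("endDate") is not None
              and start <= c["endDate"] < now_ms]
    ongoing = [c for c in cases if c["stage"] != "Closed"]
    backlog = [c for c in ongoing if c["_createdAt"] < start]
    return {"opened": opened, "closed": closed, "ongoing": ongoing, "backlog": backlog}


def _fmt(case) -> str:
    """One report line per case, highest severity first is handled by the caller."""
    created = datetime.fromtimestamp(case["_createdAt"] / 1000, tz=timezone.utc)
    return (f"  - [{case['_id']}] sev {case['severity']} {case['title']} "
            f"(opened {created:%Y-%m-%d})\n      Summary: {case['summary']}")


def render_report(cases, now_ms=NOW_MS, window_ms=WEEK_MS) -> str:
    """Plain-text body for the weekly stakeholder mail."""
    b = weekly_buckets(cases, now_ms, window_ms)
    end = datetime.fromtimestamp(now_ms / 1000, tz=timezone.utc)
    start = datetime.fromtimestamp((now_ms - window_ms) / 1000, tz=timezone.utc)
    lines = [f"Weekly SOC report {start:%Y-%m-%d} to {end:%Y-%m-%d}",
             f"Opened this week: {len(b['opened'])}",
             f"Closed this week: {len(b['closed'])}",
             f"Ongoing: {len(b['ongoing'])} (backlog older than a week: {len(b['backlog'])})",
             ""]
    for name in ("opened", "ongoing", "backlog", "closed"):
        lines.append(f"{name.capitalize()}:")
        # Most severe first so stakeholders see what matters at the top.
        for case in sorted(b[name], key=lambda c: -c["severity"]):
            lines.append(_fmt(case))
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(SAMPLE_CASES))
```

In a real deployment the `cases` list would come from TheHive’s API (or from the n8n node that wraps it) filtered to the reporting window, and the rendered string would feed the mail step; the bucketing logic itself does not change.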
Previously, this visibility was not possible. For example, the teams couldn’t clearly identify resolved cases, such as those involving email social engineering. Now, they can reliably provide this information.
Jean Mercadier
Head of Cyber Defense Center
The road ahead: IDEMIA’s plans to expand TheHive’s capabilities
To further improve communication between teams, IDEMIA’s analysts are considering synchronizing tickets between TheHive and other tools (such as Jira).
They are also planning to use the platform’s Email Intake feature to read emails directly and act upon them straight away. This would enable automatic, direct ticket creation and save time.
In addition to setting up the weekly email reports, the company wishes to implement more automated processes through TheHive.
IDEMIA’s analysts also plan to add more Cortex analyzers and responders to their workflows to further enhance their investigations and incident handling.
Cortex is a powerful analysis & response engine working hand-in-hand with TheHive. Both products are developed by StrangeBee.
To more easily adapt TheHive to possible changes in their infrastructure, the analysts are considering switching to TheHive’s SaaS version, TheHive Cloud Platform.
Today, TheHive is the backbone of our cybersecurity detection and response. It’s where we handle critical situations or phishing campaigns. It has allowed the team to grow in maturity and come together when there is a special situation.
Jean Mercadier
Head of Cyber Defense Center