SkiStar
SkiStar operates the five most renowned ski resorts in Scandinavia as well as the charming Alpine ski resort St Johann in the Austrian Tirol and the city ski slope Hammarbybacken in central Stockholm. Together, this wide array of ski resorts offers a smorgasbord of winter holiday experiences for skiers of all levels.
SkiStar can quickly find the needle in the haystack to address security breaches
SkiStar AB (publ) is listed on Nasdaq Stockholm, Mid Cap segment. The group owns and operates alpine ski resorts in Sälen, Åre, and Vemdalen, as well as Hammarbybacken (Stockholm) in Sweden, Hemsedal and Trysil in Norway, and St. Johann in Tirol in Austria. The market share is 53% in Sweden, 29% in Norway, and a total of 43% in Scandinavia.
The core business is alpine skiing with the guest’s skiing experience at the center. The operations are divided into two segments: operation of ski resorts and property development & exploitation. SkiStar’s business idea is to create memorable mountain experiences as the leading operator of European alpine destinations, which creates value for guests, employees, and other stakeholders, in turn creating value for shareholders.
We are a small company and lack the capacity and resources to set up our own SOC. Our reasoning has been heavily based on needing tools that can assist us in analysis and detection work.
Finding the needle in the haystack
Detecting relevant security threats that require action can be likened to finding a needle in a haystack. The background is a dizzying array of threats, from ransomware and file-less attacks to malicious data breaches and cyber espionage.
SkiStar works strategically with cybersecurity, balancing effective preventive measures with the ability to detect “signals from the noise” when something is amiss.
Like many other organizations, SkiStar runs an efficient and streamlined IT organization where time-consuming manual efforts need to be reduced through smart automation. A notable example was the challenge of identifying real security threats in the ocean of security logs, reports, and alarms. Here, smart technology was required to effectively draw attention only when necessary, without making excessive demands on time or expertise from the IT department. Simply assuming that the IT environment was secure and letting the problem go until a potential incident occurred was not an option either.
Automated machine analysis detects relevant security issues
For many years, SkiStar has collaborated with NetNordic regarding strategies around cybersecurity. SkiStar highlighted its need to detect threats and attacks without spending more time or resources on the work.
The requirements for the solution included the ability to alert for IOCs (Indicators of Compromise) through a process that could address threats but also adapt and sharpen preventive measures through policy updates. Protection and alerts would simply need to be interconnected, enabling a comprehensive understanding of the sequence of events and root causes.
NetNordic helped SkiStar implement the Cortex solution from Palo Alto Networks. The solution is based on sophisticated machine learning where data from endpoints (clients and servers) creates a baseline (normal state) to trigger alerts for deviations and malicious behaviors. The list of what the automated analysis engine searches for is extensive and constantly growing, and it also creates unique profiles for each endpoint and user. These profiles allow the analysis engine to contextualize events and activities, as well as compare different endpoints and users against each other.
The solution provides a very high accuracy rate, not triggering unnecessary alerts, while also contributing to understanding the sequence of events and root causes. By identifying and then eliminating the root cause, the threat or attack can be prevented from recurring.
Peace of mind and freed-up time
SkiStar continues its strategic work in cybersecurity. The Cortex solution has practically meant that IT staff no longer feel inadequate in their work to detect various types of security issues. When the solution draws attention from the staff, they can often resolve issues independently without being professional analysts in cybersecurity. If SkiStar needs support in human analysis or response measures, NetNordic is available.
The solution’s accuracy and relevance, with built-in analytical tools, generally save time in all response processes. Perhaps most importantly, when the solution is quiet, it creates the necessary peace of mind to focus on preventive protection work.
How long does it take to get started with normalizing the environment?
“I also had some concerns about knowing what the normal state is and how it is found. The clever thing about AI and ML is that this is where it is most powerful. It is extremely fast to analyze 1500 endpoints and their normal behaviors. Then you just look at deviations,” says Peter Larsson, IT manager, SkiStar.