Greenfield SecOps Implementation for a Divestiture
- July 3, 2025
- Posted by: KMHUNTE
Success Story: Forging a Day-1, Audit-Ready SecOps Program for a Global Insurance Spin-Off
Client: (A new entity resulting from the AIG restructuring)
Project: Greenfield SecOps Program Implementation for a Divestiture
Team: Virtuserv Cybersecurity Architects & SecOps Engineers
The Challenge: Building an Independent, Compliant Security Operation Under a Hard Deadline
Born from one of the largest restructurings in the financial services industry, our partner (name obfuscated due to NDA) was launched as a major new player in the global market. This divestiture from AIG created a formidable challenge: our client had to build a fully independent, enterprise-grade Security Operations Center from the ground up.
The firm inherited a complex portfolio of applications, terabytes of sensitive policyholder data, and a “starter pack” of best-of-breed security tools as part of the separation. However, these tools—including Qualys, Palo Alto Networks, CrowdStrike, and Okta—were not integrated. Our partner’s new CISO was faced with the mandate to not just stand up a functional SOC, but to deliver a “Day 1” program that was immediately compliant with stringent regulations (e.g., NYDFS Part 500), resilient against sophisticated threats, and capable of defending its high-value brand from inception. Failure to do so would result in significant operational and regulatory risk.
The Solution: Operationalizing a Multi-Tower Defense on Azure Sentinel
Our team of security architects was engaged to engineer and operationalize a state-of-the-art SecOps platform, architecting the cloud-native Azure Sentinel as the central nervous system to accelerate deployment and provide immediate scalability. The strategy was to rapidly integrate our partner’s inherited security investments into a single, cohesive, and intelligent defense fabric.
Our technical execution was comprehensive and deadline-focused:
- Cloud-Native SIEM Deployment: We established Azure Sentinel as the authoritative SIEM, bypassing the months-long procurement and setup time required for an on-premise alternative. We immediately began configuring data connectors to ingest telemetry from all critical security towers. This included threat and traffic logs from Palo Alto Next-Generation Firewalls, advanced endpoint detection and response (EDR) alerts from CrowdStrike Falcon, identity and authentication logs from Okta, and vulnerability assessment data from Qualys.
- Orchestrating the Defense Towers for Insurance: We moved beyond simple log collection to create a deeply integrated, context-aware defense fabric tailored to financial services:
  - Network to Endpoint Correlation: Palo Alto NGFW alerts, configured with policies to protect sensitive policyholder data stores, were correlated against CrowdStrike EDR data in real time, allowing an analyst to instantly pivot from a suspicious network connection to the specific process on a potentially compromised endpoint.
  - Identity Fabric for Zero Trust: By fusing Okta’s identity context with all telemetry, we enabled the SOC to track and respond to threats against financial adjusters and underwriters, such as impossible travel scenarios, privilege escalations, and MFA fatigue attacks.
  - Risk-Based Compliance & Vulnerability Management: We ingested Qualys vulnerability data into Sentinel and correlated it against live threat intelligence. This allowed Verity to prioritize patching not just based on CVSS score, but on which vulnerabilities were actively being targeted against the financial services industry, providing a defensible, risk-based posture for regulators.
- Automated Incident Response (SOAR) for Rapid Containment: We designed and deployed Azure Sentinel Logic App playbooks to automate response to common threats against the insurance enterprise. For example, a confirmed phishing attack leading to a compromised endpoint could automatically:
  - Isolate the endpoint via the CrowdStrike API.
  - Suspend the user’s Okta session and force a password reset.
  - Block the malicious domain on the Palo Alto NGFWs.
  - Populate an incident ticket with all correlated data for review by the response team.
- Audit-Ready Reporting & Intelligence: We built custom dashboards and workbooks in Sentinel to provide real-time visibility and generate reports necessary for regulatory audits, demonstrating effective security controls and incident response capabilities from the moment the company went live.
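As an added illustration of the identity-fabric item above, and not a query from the engagement itself, this Microsoft Sentinel KQL analytics query flags Okta sign-ins where the implied travel speed between two successive sessions of the same user is physically implausible. It assumes the Okta_CL custom table and column names produced by the Okta Single Sign-On data connector (eventType_s, actor_alternateId_s, client_ipAddress_s and the client_geographicalContext_* fields), and the 900 km/h threshold is an assumed tuning value.

```kql
// Okta impossible travel (added example; assumes the Okta_CL connector schema).
// Two successful sign-ins by the same user from different IPs whose implied
// ground speed exceeds max_speed_kmh are reported for analyst review.
let lookback = 1d;
let max_speed_kmh = 900.0;   // assumed threshold, roughly airliner cruise speed
Okta_CL
| where TimeGenerated > ago(lookback)
| where eventType_s == "user.session.start" and outcome_result_s == "SUCCESS"
| project TimeGenerated,
          User    = actor_alternateId_s,
          SrcIp   = client_ipAddress_s,
          City    = client_geographicalContext_city_s,
          Country = client_geographicalContext_country_s,
          Lat     = todouble(client_geographicalContext_geolocation_lat_d),
          Lon     = todouble(client_geographicalContext_geolocation_lon_d)
| where isnotnull(Lat) and isnotnull(Lon)
// Order per user so prev() gives each sign-in's predecessor for that user
| sort by User asc, TimeGenerated asc
| extend PrevTime    = prev(TimeGenerated),
         PrevUser    = prev(User),
         PrevIp      = prev(SrcIp),
         PrevCity    = prev(City),
         PrevCountry = prev(Country),
         PrevLat     = prev(Lat),
         PrevLon     = prev(Lon)
// Keep only consecutive rows that belong to the same user and came from a new IP
| where User == PrevUser and SrcIp != PrevIp
// geo_distance_2points returns meters; timespan / 1h yields hours as a real
| extend DistanceKm   = geo_distance_2points(PrevLon, PrevLat, Lon, Lat) / 1000.0,
         HoursBetween = (TimeGenerated - PrevTime) / 1h
// HoursBetween > 0 avoids division by zero for same-second events
| where HoursBetween > 0
| extend ImpliedSpeedKmh = DistanceKm / HoursBetween
| where ImpliedSpeedKmh > max_speed_kmh
| project TimeGenerated, User,
          PrevCity, PrevCountry, PrevIp,
          City, Country, SrcIp,
          DistanceKm = round(DistanceKm, 0),
          HoursBetween = round(HoursBetween, 2),
          ImpliedSpeedKmh = round(ImpliedSpeedKmh, 0)
```

Scheduled as an analytics rule, the result rows can be mapped to Account and IP entities so the same Sentinel incident carries the Okta context the playbooks above act on.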
The Result: Successful Day-1 Operations and a Resilient, Compliant Security Posture
Our engagement allowed our partner to meet its aggressive divestiture timeline and launch with a world-class security program, delivering immediate and measurable results.
- Met Critical Divestiture Deadline: The new SOC was fully operational and independent, ensuring a seamless business transition and eliminating significant contractual and operational risk.
- Audit-Ready from Inception: The platform was built to be inherently compliant, providing the centralized logging, controls, and reporting required to immediately satisfy financial and insurance industry regulators.
- Dramatically Reduced Incident Response Times: Within the first quarter of operations, the integrated platform reduced Mean Time to Detect (MTTD) to under 30 minutes and Mean Time to Respond (MTTR) to minutes, demonstrating a highly effective defense against threats.
- Achieved End-to-End Visibility: Verity’s security team gained a single pane of glass for their entire hybrid environment, providing complete situational awareness from the network edge (Palo Alto), to the endpoint (CrowdStrike), to the user’s identity (Okta).
- Established a Scalable, Cost-Effective Foundation: By building on a cloud-native SIEM, Verity avoided millions in upfront capital expenditure and established a flexible, consumption-based security model that can scale with their growth as a new leader in the insurance market.