Brooks, a 108-year old American sports equipment company designs and markets high-performance running shoes, apparel and accessories, which are sold in over sixty countries around the world. Headquartered in Seattle, Washington, Brooks is a subsidiary of Berkshire Hathaway, one of the top ten largest public companies in the world. Ryan Fried is the senior security engineer at Brooks. He is part of a five-person security staff of two engineers and three analysts. Ryan’s team is tightly integrated with multiple business units. “We have security embedded pretty early on, as well as our security management tactics such as network segmentation, security automation, firewall and network security, amongst whatever else comes up. We like to build things to help our security analysts do their job.”
Brooks is growing rapidly which means a growing list of potential vulnerabilities. “We grew from a company doing $500 million in sales to $1 billion in a short amount of time. And, we’ve grown to close to 1,800 employees. That’s a lot more hits to our website and a lot more partners, which means more security events, more phishing emails, and potentially more risk.” Even with three analysts, the security team was running fast to stay one step ahead of the alerts.
Ryan implemented InsightConnect, Rapid7’s security orchestration, automation and response (SOAR) solution to accelerate their traditionally manual, time-intensive incident response and vulnerability management processes. InsightConnect has helped the security team meet the challenges head on. “InsightConnect helps us scale. It doesn’t really care how many integrated systems there are,” states Ryan.
Ryan notes that Brooks had no previous experience with SOAR. “We did a POC with another SOAR product but it was super convoluted.” That’s when Ryan, who used Rapid7 InsightConnect at a previous company, recommended Brooks consider the product. “We did the POC to prove the value and went with Rapid7 InsightConnect.”
Ryan takes a proactive approach to SOAR noting that traditional SOAR solutions, “focus on no hands on, just automate to reduce FTEs. I feel the total opposite. I’ve been able to build a ton of enrichment workflows with InsightConnect so that our Teams channel becomes our central command. I think in terms of the number of tabs our analysts need to have open in their browser, I’ve reduced it from 10 to 20 to just one or two when it comes to an incident investigation. I give them a super repeatable process that works the same for every analysis.”
InsightConnect is saving the analysts time, but even more importantly to Ryan is that InsightConnect has increased analyst engagement and made their jobs easier. “Now they can do the things they actually want to do. They’re not spending 60 minutes looking at a phishing email or 20 to 30 minutes blocking URLs.” And, notes Ryan, InsightConnect eliminates the drudge work. “When we block a URL, or domain, or IP address, there are three or four different places we need to block it. If we use InsightConnect workflows, it’ll be blocked in the right places, every single time. This consistency is huge.”
InsightConnect has definitely improved their response coverage. “Previously, we were a nine to five, Monday through Friday kind of shop. We didn’t have any paging or anything like that. With InsightConnect we’ve become a 24/7 shop - without expanding our staff. Now we have three to four different alert types and we predefined which alerts we should be woken up for in the middle of the night. We couldn’t have done that without InsightConnect.” Ryan also has seen improved response times, especially in critical situations like potential ransomware attacks. “We’ve taken our paging system and integrated it, leveraging InsightConnect, with our alerts. Now our analysts only are getting woken up in the middle of the night when it really matters, so our response time is super-fast. If it’s ransomware, our analyst can isolate the host directly from their phone instead of waiting 20 minutes for the computer to boot up and log in. That is so critical. That’s been a huge value for us.”
With InsightConnect, Ryan can quickly find and build a myriad of workflows leveraging the work of others.“One of the reasons I love InsightConnect is if I’m stumped, I can find a workflow in the Rapid7 Extensions Library. If it’s not the exact workflow I need, I can import it, see how it was done, and then apply that to my own workflow.” As Ryan explains, each workflow is often comparable to a previous one, so he can add multiple workflows pretty quickly. Looking ahead, the Brooks team will begin working with the Active Directory team to use InsightConnect to automate user account termination.
“In security, a third of your job is proving it’s not your fault when stuff breaks,” continues Ryan. “I have workflows that look at configuration logs for the tools I own, such as firewalls, and it shows all configuration changes over the last 24 hours. With that I would know if I made the change or if a teammate made it. With InsightConnect, it is much faster to prove it’s not your fault. We’ve used it in many different ways. A lot of what we do is ad hoc workflows through Teams. That’s new. We’ve found a lot of value from that.”
Ryan believes InsightConnect has helped his security team deal effectively with the company’s surging growth. “We’re adopting additional security tools as we grow. As we add more IT and security systems, we integrate them into InsightConnect. If we had all these different security tools, that’s more time we would need to spend on different consoles and bouncing from one to the other. But a new security tool that’s API capable doesn’t add more complexity, just more available functionality. Having the automation benefits of InsightConnect is almost like working with an operating system. You just plug in the next app and it integrates with other users and systems,” Ryan says.
For Ryan, the time-saving benefit of InsightConnect automation is clear and compelling. “In terms of metrics and looking at the dashboard, InsightConnect has definitely freed up analyst time. I’d estimate it is saving us about 11 days or 88 hours of manpower each month, just based on the workflows we run. InsightConnect also reduces our time to response and resolution, which helps mitigate any threats that do make their way into the company.”
“If you took InsightConnect away from our analysts, that would be demoralizing,” continues Ryan. “They would have to do the manual processes all over again. InsightConnect helps us scale our team more efficiently. As we get more events and add new businesses and more processes, InsightConnect helps us keep up. We just had a new analyst start and he said, “I’ve never seen anything like this before [referring to the level of existing automation]. His job’s been easier because he doesn’t have to learn where to get all the information. And, now he has a channel that shows him all the commands he can use, and he doesn’t need to log in everywhere. The security processes are consistent no matter what.”