Jeffrey Gardner, director of information security at Landmark Health, was on a mission to consolidate vendors and processes around incident response and their security operations center (SOC). See how he leveraged Rapid7 Managed Detection and Response (MDR), including our cloud SIEM InsightIDR, to be his single source of truth for monitoring and alerting, along with InsightConnect, our security orchestration and automation solution, to automate rote processes his SOC team performs daily.
The result? Four hours saved every day, with the expectation that this will only grow over time.
My name is Jeffrey Gardner, and I'm the Director of Information Security for Landmark Health in Huntington Beach, California.
I started looking for a new security partner because we had a number of different vendors in the environment and they all did separate things. So I really wanted to consolidate down to a single vendor for many of our applications, if possible.
So, one of the major things that I was looking for in a SIEM, coming from an incident response background, is the ability for it to be focused on incident response. A lot of SIEMs out there are just glorified log management systems. In my opinion, a SIEM is something that ties together your intel and all the logs, and gives you the ability to build cases and do case management within the platform.
So we were actually just looking at IDR, and then our sales rep said, "Hey, have you heard we have MDR?" It comes at a very nominal cost relative to IDR, but if you get MDR, you get IDR with it. So, well, that's kind of a no-brainer for me; I don't have to worry about that. So I'm buying a SIEM, but I get a SOC with it. Great.
So even though we have MDR, there still is value in building out and maintaining IDR. For example, they have their own set of alerts, and they can customize things the way we want it, but sometimes IT has certain requests like, "Hey, we need to monitor this account," or, "Hey, we need usage data on these accounts," or which accounts are the riskiest in our environment, or which systems are the riskiest in our environment. That's not something the MDR team is just going to spit out in a report for you; that's not their focus. That's a generic security IT question. So there's a lot of day-to-day things where it's kind of the single source of truth, because we tie everything in there. Everything is going into one source, so if I want to look, instead of going into 15 different tools, I can just log right into MDR, build a query in five minutes, and if that's something I want to alert off of, I can set up a custom alert, and I'm good to go.
Prior to bringing in InsightConnect, none of our security processes were automated. Everything was manual, and we were doing a lot of the same processes every single day. The problem with automating it was a lack of experience in programming languages, because we only have three people. I'm the director, I can't write the scripts, nor does my analyst have the time to go run out and learn really in-depth Python or Ruby or Java or anything else that we may want to write it in. We just don't have the time.
When we integrated InsightConnect, the first thing that we did was get my team together and say, "Okay, what are the processes that you're doing every day?" because I'm two steps removed. What do you do ten times a day? What alerts do you get from the SOC? What kind of enrichment do you need? So we built out a list of the top five things. Not to get into vendors, but one was our software review process, where we have to submit applications through the same process every single time. Another was phishing emails: doing research on the header, submitting it to PhishTank, looking on VirusTotal for the attachments, running it through a sandbox. A lot of those tasks that were taking my guys 10 or 15 minutes at a time, now we just have a workflow set up in InsightConnect, and it takes care of it, and you don't have to worry about it.
Future state: integrating MDR and InsightConnect. Because of the new tools that we have in place over the year, the amount of data, and the amount of action we're able to take on those new tools, it's easy for us to go, "Okay, we have an alert from MDR, there's a suspicious file on the machine." Instead of having to go into an EDR tool and then this tool and then that tool, we can create a workflow which will pull the file, submit it to the sandbox, blast off a ticket to the help desk, remove the file, alert the user, anything that we want to do automatically. Or we can build the workflow to give us the flexibility to put those actions in an email, or log in to the InsightConnect console, and we can just click buttons as opposed to going out to all of our tools, and it will automatically do that for us, saving us a great deal of time.
With regards to cost savings, we've already kind of done the math on it. Just with one workflow, our primary workflow, with one analyst, it will be four hours a day of savings. Once we get the other workflows integrated, we estimate, among the team, we'll save probably six hours of time a day, because a lot of it is rote work that can easily be automated and scripted. Prior to InsightConnect we weren't able to do that; now there's no reason why we shouldn't. We have the tool.