Expel brings auto-remediation and 24x7 support to BeyondTrust security operations

Privileged access management vendor relies on Expel’s automation, speed, and seamless integration to deliver excellence

The company

BeyondTrust is the worldwide leader in intelligent identity and access security, empowering organizations to protect identities, stop threats, and deliver dynamic access to empower and secure a work-from-anywhere world. BeyondTrust offers the industry’s most advanced privileged access management (PAM) solution, enabling organizations to quickly shrink their attack surface across traditional, cloud, and hybrid environments and is trusted by 20,000 customers, including 75 of the Fortune 100.

The situation

As BeyondTrust grew, company leaders had to evaluate the company’s security posture both internally and externally to get a sense of the risk the firm faced. Given the high-stakes nature of BeyondTrust’s offering, they couldn’t afford to allow a security breach to damage the brand’s reputation—and its bottom line—the same way they had seen incidents impact other large companies. BeyondTrust leadership recognized the critical need for additional threat detection and automated remediation for assets across the world. This approach was needed to complement BeyondTrust’s own identity and access security solutions for complete coverage of on-premises and cloud assets.

“All the high-profile breaches we saw in the news had the same things in common: the victims hadn’t performed the right level of due diligence across their toolsets and processes, resulting in security gaps,” explains Austin Caver, BeyondTrust’s Director of Information Security. “We decided we needed to strengthen our security efforts to mitigate our risk of attack including future integrations into our own PAM solutions.”

BeyondTrust wanted an adaptable and automated solution for faster detection and remediation to protect the company while keeping up with its rapid growth. In addition to its employee base growing exponentially over the last five years, BeyondTrust had also gained a more expansive network of third-party and internal solutions that called for increasingly complex integrations. Integrated enterprise-level security information and event management (SIEM) and proper visibility became a top priority to prevent and manage potential attacks.

Evaluating options

In its first years of operation, BeyondTrust employed a do-it-yourself approach to cybersecurity, adding more and more security tools to combat emerging threats. But as those threats grew in complexity and number, this approach was no longer scalable. The team knew that scaling in this way was inefficient and would soon lead to a constant deluge of alerts that would be difficult to investigate and manage on their own. This prompted BeyondTrust leaders to initiate a search for an external, managed security provider to help manage the company’s increasingly complex environment.

“Best-in-class security isn’t a one-and-done solution,” Caver explains. “We made the business decision to continue to build and invest in our program to achieve a high degree of security maturity, because that’s what our business — and, ultimately, our customers — need.”

BeyondTrust needed a solution that monitored a remote workforce with connectivity to both cloud and on-premises applications. The firm wanted a partner that could help protect employee identities by plugging into both its cloud infrastructure and endpoints, while comprehensively monitoring systems and those identities.

BeyondTrust selected and onboarded a managed detection and response (MDR) provider with the hope that it would integrate with all the company’s security tools and enable the advanced capabilities it required. BeyondTrust soon realized, however, that its MDR’s slow response times and inadequate communication approach jeopardized its ability to quickly neutralize threats. “We were limited to communication over email, and multiple days would pass before we received a response from the MDR,” Caver says. “That was a major hurdle. We have to be able to talk to somebody on a 24×7 basis. Basically, we felt like the managed security solution was ghosting us.”

This left the BeyondTrust security team constantly wondering what its MDR partner was doing, especially without KPIs and measurables. “In a world where attacks happen so quickly, slow response times make threats very hard to find and stop,” says Caver. “We were stressed. It was hard to sleep at night just thinking about what we were missing.” The BeyondTrust team identified auto-remediation and 24×7 support as a “must-have” for its security program.

Eventually, BeyondTrust faced a difficult choice: whether to renew with its existing partner and try to fix the long list of issues, or start fresh and evaluate alternatives. With the lessons learned from its legacy MDR partner fresh in the team’s mind, BeyondTrust decided to let its previous partner go and start its search for the ideal MDR partner anew. The firm’s chief security officer (CSO) approached Expel after reading analyst reports in Gartner® and Forrester®. BeyondTrust saw the uniqueness of Expel early on:

“Expel was the only vendor that didn't require a bunch of proprietary technology to onboard and set up. It was just plug-and-play. This strategy was new, unique to the market, and scalable. It became evident that that's exactly where our strategy needed to go.”

—Austin Caver | Director of Information Security, BeyondTrust

How Expel helps

Expel’s plug-and-play capabilities meant that it easily and directly integrated with BeyondTrust’s existing technology stack via APIs. Additionally, if Expel doesn’t provide an out-of-the-box integration, the Expel team still finds a way to connect, as it does with BeyondTrust’s SIEM. Expel accesses security-related logs, providing the security team with the visibility needed to improve detections and contextual data relevant to specific alerts. The time freed up from reviewing SIEM logs and writing rules has allowed Caver’s team to focus on improving processes, migrating new technology, and advancing BeyondTrust’s overall security posture.

BeyondTrust was also thrilled with Expel’s rapid response to potential threats, partially enabled by Expel’s bot Ruxie™, which adds enrichment to interesting cases and auto-remediates events that don’t require an analyst investigation. “We just had a scenario where a signal came in from our EDR [endpoint detection and response] technology,” Caver explains. “Expel grabbed that alert and kicked off auto-remediation actions within a minute. Potentially hours of work were all reduced into a single action. It was super fast to isolate the risk, which is what we’re looking for.”

Expel’s real-time, comprehensive communication in jargon-free language keeps Caver’s team in the loop without delays caused by incomplete or indecipherable data. The inconsistent communications of previous providers forced the team to waste valuable time asking follow-up questions, sometimes putting them days behind the curve. “Expel provides contextualized alerts in a couple of minutes,” Caver says. “And we can ask very specific, significant questions throughout the process to improve and work more efficiently.” Plus, Expel provides Caver with clear and straightforward reports that he can easily share with cross-functional stakeholders, enabling speedy and inclusive decision-making. “Expel frees up all that time we spent monitoring alerts,” says Caver. “Now we can actually work on improving our responses and focus on high-fidelity alerts.” With his small team, the impact of Expel’s solution is significant.

When it comes to cost, Expel also exceeds expectations. “The budget associated with our previous MDR was able to move directly over to Expel,” says Caver. “We could reduce an agent and save money, and we were able to reallocate dollars to improve our security posture. The return on investment — the value — that we’re experiencing with Expel as our MDR service is tangible.”

Benefits of partnering with Expel

  • Response time reduced from multiple hours to immediate action in minutes
  • Efficient alert triage promoting only necessary alerts
  • Contextualized, clear, actionable communication
  • Integrations with third-party technology, such as EDR and SIEM, allowing for more flexibility
  • Auto-remediation that allows for automated action on the endpoint tool to reduce time to

Looking ahead

Going forward, BeyondTrust is looking to expand Expel into other portions of its cloud infrastructure for continued coverage and automation. “As we grow, we’ll want Expel’s expertise and eyes on other parts of our network,” says Caver. He hopes to create even greater connectivity between BeyondTrust and Expel’s solutions in the future.