Expel delivers much-needed security visibility with fewer alerts to a major children’s clothing company

Apparel brand boosts data protection and improves quality of life for the security team

The company

A leading children’s clothing retailer in the United States, this company has been a recognized name for generations. It markets a variety of clothing lines, including its own exclusive brand and other well-regarded labels. Renowned for the quality and resilience of its garments, the company maintains a loyal customer following.

The situation

The company’s security team has a full plate. The security team is tasked with protecting not only its own systems and data but also extensive customer data and a robust e-commerce presence, along with the infrastructure of its distribution centers and retail locations across North America. The Chief Information Security Officer (CISO) of the company highlights the challenge of staying ahead of malicious actors to protect its varied environment. “We have a vast landscape our security team is protecting,” says the CISO. “The threats and the threat actors are constantly changing. The challenge is all about staying ahead of people who have more time to cook up ways to get where they’re not supposed to be.”

The company must protect both digital and physical infrastructures, so it’s critical that its security operations effectively and efficiently protect the entire environment. “A few years back, our security team was smaller than it is now, so it was focused on building security capabilities rather than monitoring tools and investigating alerts. We brought in an MDR provider to augment the value of a SIEM with real-time alerts to handle that for us and help get us better visibility into our security tools,” recalls the Senior Manager of Information Security. “Unfortunately, it didn’t work out the way we expected. We were getting too many false positives, and it was common for on-call team members to be woken up in the middle of the night three or four times per week for what would end up being false-positive alerts. When adding in alerts during waking hours, we might get up to 15 calls for false positives every week, and only one or two actual alerts that needed investigation. It was very frustrating.”

It wasn’t just the number of alerts that frustrated the team—it was also the quality of the investigations. “Our MDR had little automation when it came to investigations. They were all human-driven,” recounts the Senior Manager. “Sometimes our team would have an analyst assigned to work on our alerts for a week, and then a different analyst the next week, and they did things completely differently, and even violated our own standard operating procedures. There was no consistency.”

Despite everyone’s best efforts, the security team didn’t get the visibility and investigation capabilities it needed, so it set out to line up a partner that could better support its complex environment.

Evaluating options

The company’s security team had a list of requirements for a new MDR provider, and at the top of that list was the ability to understand its varied security and business environment, followed closely by being able to close out minor alerts while only escalating actual incidents to the security team. Achieving this goal would require a more innovative approach to security operations, especially given that the company had a slate of security tools to monitor its extensive threat landscape.

Everyone involved was focused on helping us, rather than selling to us. And they let the technology speak for itself. After we saw what Expel could do, we were sold—and we haven’t looked back.

“We have a full stack of SecOps tools to monitor our cloud, network, email, endpoints, and everything in between,” notes the CISO. “We saw with our previous provider that if we don’t have an effective strategy for managing those tools, the alerts will overwhelm the team, and we won’t get the visibility those tools are supposed to be delivering. We also have a SIEM for log monitoring, so we needed an MDR that could help us make sense of all the signals we had coming at us.”

The CISO also knew that they needed a partner that was well-established in the security space, one with a proven track record of delivering answers and solving real security challenges for its customers. The CISO turned to their network of security leaders for their opinions. “I kept hearing from my peers that Expel is a great partner that does good work with its tools,” the CISO remembers. “We did some more research and also found the Forrester Wave for Managed Detection and Response (MDR). Once we saw that third-party experts considered Expel to be a Leader in the space, we became very interested.”

The company’s security team contacted Expel to learn more, and came away impressed not only with the technology, but also with the sales process. “I really liked that the sales team was focused on understanding our challenges and environment, and also being informative and consultative,” says the Senior Manager. “Everyone involved was focused on helping us, rather than selling to us. And they let the technology speak for itself. After we saw what Expel could do, we were sold—and we haven’t looked back.”

How Expel helps

Following Expel’s implementation, the most visible benefit was naturally the decrease in alert volume. “Expel filtered out the noise we were used to seeing from our security tools,” notes the Senior Manager. “The alerts we got from Expel were of higher quality and were more actionable. They helped us make quicker and more informed decisions.”

Expel’s strategy is to prioritize only those alerts that matter, helping security teams focus on the right things and reducing alert fatigue. And since Expel’s security operations platform, Expel Workbench™, integrated with more of the company’s security tools than the previous MDR, the alerts the team received were even more useful. “Because Expel Workbench natively ingests signals from a multitude of sources, we’re getting a much more complete picture of our security posture, without needing to investigate unnecessary alerts,” says the Senior Manager.

The alerts we got from Expel were of higher quality and were more actionable. They helped us make quicker and more informed decisions.

Expel® Managed Detection and Response (MDR) is delivered through its security operations platform, Expel Workbench to enable extensive automation capabilities to triage the alerts it receives from each of the security tools in a consistent way. This translates into knowing what information the security team will see in an Expel alert, every time.

“Alert quality and consistency has dramatically improved,” notes the Senior Manager. “The team knows what information it’s going to get, which is exactly the data and intel it needs to make the right decisions quickly. Expel helps us spend less time reviewing SIEM logs. We’re able to focus on more activities that matter, which has been critical to the security of the business.”

Benefits

Likely the biggest benefit Expel delivers to the company’s security team is the dramatic reduction in false vendor alerts, which previously required investigation even for routine activities. “Expel has helped us reduce irrelevant, low-quality alerts by about 80%,” the Senior Manager estimates. “Since Expel natively ingests sources we had no visibility into before, the alerts we do get are real. If Expel flags something for us, we know they’ve vetted it and it’s worth investigating.”

The Senior Manager continues: “Another thing we like about Expel MDR is that there’s a difference between investigations and incidents. Expel either filters out or takes care of the investigations, and only escalates real incidents to us. With our old MDR, every little thing was an incident. If any alert came in, they considered it an incident, which led to a phone call, and then a manual investigation. It was always a ‘fire drill.’ We rely on Expel analysts’ determination, and we know that if they say something is worth investigating or they recommend a remediation action, we know it’s good information—and not a ‘drop everything’ scenario.”

The benefits Expel delivers aren’t limited to the security team. The CISO uses the data Expel provides in reporting to the company’s senior leadership and board. The CISO reports on high-level metrics like the number of alerts vendor tools generate, how Expel filters those down to actual alerts that require investigation, and the number of incidents Expel identified. The CISO then provides deeper insights around which tools are firing the most alerts and alert-to-fix times, as well as summaries of incidents. “We get monthly reports from Expel that provide a good pulse check on our security posture. It provides leadership with exactly what they need to know,” notes the Senior Manager.

Expel has helped us reduce irrelevant, low-quality alerts by about 80%

When asked how the company’s security team knows the partnership with Expel is working the way they need it to, the company will sometimes test Expel to see what the system and its analysts will catch. “We occasionally run penetration tests, and Expel delivers alerts from that activity—sometimes before the wider team even knows we’re pen testing,” explains the Senior Manager.

Confidence and ultimately peace of mind are the main benefits that the company’s security team gets with Expel. Fewer and better alerts, higher-quality intel, ‌data they can act on right away, quicker remediation, and fewer sleepless nights make all the difference to the company’s security team.

“Expel will only contact us if something is serious. Working with Expel has actually improved our quality of life, and that’s something that’s tough to beat,” explains the Senior Manager.

Benefits of partnering with Expel

  • Reduces unnecessary alerts by more than 80%, allowing the team to stay focused on other security initiatives
  • Delivers higher-quality intel on threats and incidents, more than 78% faster than previously
  • Informs the company’s leadership about security posture using Expel data
  • Improves quality of life for security team