Daylight Transport chooses Expel’s 24x7 managed detection and response (MDR) for better visibility and faster response.
Transportation company gains full coverage of cloud and on-prem environment, cuts time spent on alerts by 66%.
Daylight Transport is a privately held expedited LTL (less-than-truckload) transportation and logistics company. Daylight Transport offers expedited LTL freight delivery across the U.S. with guaranteed time-definite service. The company takes pride in its customer service and has been nationally recognized as one of Inbound Logistics’ Top 100 Motor Carriers, one of the Los Angeles Business Journal’s 100 fastest-growing companies four years in a row, and one of the Los Angeles Business Journal’s 100 largest privately held companies.
Over the past several years, Daylight Transport experienced rapid growth. At the same time, the importance of transportation within the US supply chain became increasingly apparent as the COVID-19 pandemic and widely-publicized, targeted cyber attacks impacted supply chains.
As a result of Daylight Transport’s expansion, its increasing transition to cloud infrastructure, and the critical nature of security for both the company and the logistics industry, Daylight Transport Director of Information Technology, Ed Kasch, wanted to build a more proactive approach to cybersecurity.
The company was already security-conscious — its team understood the major risks facing the industry. As Daylight Transport Security Engineer, Mark King, explained, “In our industry, we see a lot of threats. A ransomware attack could be devastating. We can’t stop moving freight. The downstream impact to our customers, and our customers’ customers would be huge. So we’re monitoring as closely as we can.”
Understanding the severity of these potential threats and wanting to protect its growing cloud presence, Daylight Transport was extremely cautious about what went in and out of its networks. It had invested in a security technology stack that offered broad coverage across all ingress and egress points. Kasch had also brought in King to lead a dedicated security function that didn’t rely on the company’s IT operations and engineering team to respond to security concerns.
However, one piece of the puzzle was still missing. Daylight Transport felt that its existing MSSP was too reactive and didn’t provide the information and visibility that its team needed. The team received alerts from the MSSP but no answers, and had to spend hours digging into each alert. At times, a team of three Daylight Transport employees was working through over 1,000 alerts sent back from the MSSP each week.
The MSSP also didn’t provide monitoring and visibility across Daylight Transport’s environment, particularly in the cloud — and to get more coverage, Daylight Transport would have needed to send additional logs from their SIEM, increasing both their MSSP and data transfer costs.
As a result, Kasch knew it was time for a change to align with his more proactive security goals.
As Daylight Transport began to evaluate vendors to replace their MSSP, they knew three things were critically important in their new vendor:
- Having full integration, visibility, and monitoring across Daylight Transport’s tech stack, both on-prem and cloud, with broad coverage across all ingress and egress points. Kasch and team didn’t want to risk missing something in their environment because of monitoring gaps with their service provider, particularly as they transitioned more to the cloud.
- Cutting down time spent responding to alerts by receiving answers and expertise from their provider, not just alerts thrown back for Daylight Transport to investigate.
- Avoiding the hidden costs they’d experienced with their MSSP to get the broad coverage they needed across their environment while also receiving valuable alert triage, investigation, and response.
The latter was a major pain point for Daylight Transport because it was preventing their team from focusing on more strategic priorities. As King said, “Our previous MSSP was only monitoring our SIEM. When an alert was raised, they couldn’t go out to the original source for investigation, so they had to send every alert over to us to research. We were spending six to eight hours investigating every time they sent something our way.”
Daylight Transport made an investment in a virtual CISO to help Kasch build out their proactive security program. The v-CISO then recommended that Kasch and team speak to Expel.
As Daylight Transport met with Expel, several things stood out:
During a 30-day proof of concept (POC) that coincided with the SolarWinds breach, Expel quickly demonstrated the 24×7 value it could provide Daylight Transport, particularly during a period of high concern. Because of the trust Expel instilled during the POC, Daylight Transport chose Expel as its MDR and new security partner.
How Expel helps
Expel used APIs to easily integrate with and begin monitoring Daylight Transport’s existing tech stack. This meant that Daylight Transport had 24×7 monitoring and response of its full environment up and running within days of onboarding.
As for alerts, the answers, remediation actions, and resilience recommendations that Expel provides quickly made a difference to Kasch and his team. For them, one of the most valuable parts of working with Expel was being able to see every step of every alert investigation in real time in the Expel Workbench™ dashboard.
According to King, “With Expel, when I get an investigation notification, we can just see the work being done in Workbench. And if we have questions, I can pick up the phone and call our dedicated engagement manager to get even more detail on what’s happening. Expel’s detection strategy and Expel-driven alerts raise the value of the alerts we do see and filter out all of the noise that we experienced and would have had to investigate with our previous SIEM-based strategy.”
For context, Daylight Transport receives over 70,000 alerts from its security tech each month. After Expel’s bots research and triage these alerts, fewer than 40 require further review by Expel analysts, and fewer than 10 require action from the Daylight Transport team.
Daylight Transport even put Expel to the test with logins from an overseas service provider situated on the border of two countries, with an IP range spanning both. A login with an IP from the country across the border was immediately blocked by O365, and Expel quickly notified Daylight Transport of the details and recommended actions.
In King’s experience, “Expel uses automation to gather as much information as possible. That means Ruxie™ [Expel’s bot that automates investigative actions] can pull info from the EDR tool, our SaaS applications, and the cloud and append all of that right to the investigation. Expel uses my whole stack to paint the picture of what happened, if it’s bad, and what my team needs to do about it.”
In fact, this emphasis on communication was another thing that stood out to Daylight Transport’s team. When the Log4j vulnerability arose in December 2021 and the Daylight Transport team was working to make sure they were patched, “Expel was proactive in communicating about the IOCs and told us exactly how the SOC was responding,” said King.
With Expel’s rapid onboarding process and integration with Daylight Transport’s existing tech stack, the team quickly gained peace of mind that their visibility gaps were plugged and their whole environment was monitored.
Benefits of partnering with Expel
- 66% less time spent sifting through alerts
- 24×7 monitoring, investigation, and answers from an expert SOC — extremely helpful for the 56% of alerts occurring after business hours
- Full visibility across on-prem and cloud environments
- Integration and signal correlation that amplifies value of existing tech investments
- Freed time for strategic priorities including accelerating cloud migration, new tech deployment, and improved reporting
One of the greatest benefits for Daylight Transport after working with Expel is the time their team has gained back from sifting through alerts that they can now use for more strategic security priorities.
King and his team have reduced the time they spend going through alerts each day by 66% because “rather than getting a phone call saying ‘here’s an alert, what do you want to do?’ it’s just handled,” he said. This is particularly important when over half of the company’s alerts come in after hours, and are fully covered by the Expel 24×7 Security Operations Center (SOC).
Working with Expel for detection, response, and remediation has led to faster incident response times (within the times Expel promised or better, according to King) and the opportunity to focus on security priorities related to Daylight Transport’s continued growth.
For King, this means supporting the company’s continued transition to the cloud. “Cloud migration gives us scalability, expandability, and manageability of our infrastructure,” said King. “Expel has helped reduce our workload for alerts enough that our next hire can now take over my daily responsibilities so I can do more security engineering work in the cloud.” Time back in their day also enabled the Daylight Transport team to deploy new security tech and improve their reporting.
Another benefit Daylight Transport has appreciated is the expertise in Expel’s SOC — something that was lacking at their previous MSSP. Specifically, the Expel team’s technology expertise when it comes to understanding threats gives King confidence to trust Expel to remediate automatically to prevent threats from spreading. King noted, “We want to make sure we’re getting the value for what we’re spending, and Expel’s ability to auto-remediate helps us save valuable minutes — in an industry where every minute counts.”
Now, when King and his team see something they don’t quite understand or want more context on, they check out Expel Workbench and in King’s words, “Expel is all over it.”
A look ahead
Daylight Transport has exciting plans for continued security growth. These goals include moving from a hybrid environment fully into the cloud. For King, Expel’s leadership in cloud security is a reassurance as Daylight Transport expands in that area.
With Expel’s 24×7 monitoring, investigation, and response, Daylight Transport gained the visibility it needed across its environment, enabling the more proactive approach to security that Kasch envisioned. With Expel’s rapid response and thorough investigations, the Daylight Transport team can spend its time on strategic security priorities like cloud migration with the peace of mind that they won’t miss the alerts that matter most.