A leading customer identity and access management (CIAM) platform, the company makes it easy for developers and application teams to add authentication and authorization services to their applications in a way that maximizes security, privacy, and user experience.
With a rapidly-expanding customer base, the CIAM platform company needed a way to scale its thoughtful approach to platform security for customers around the world.
As critical infrastructure, the company has contractual obligations to its customers around security – one of the most important being a requirement for 24×7 detection and response (DnR). Combined with its large existing security operations center (SOC) team, the company wanted to outsource additional capabilities to continue meeting the requirement.
The goal was also to allow the company’s security team to concentrate on other strategic priorities – including an increased focus on custom monitoring of its core product, and continuing to expand in-house expertise in multiple cloud platforms, like Microsoft Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS).
The company’s authentication and authorization services are the digital front door for thousands of consumer and SaaS applications. Security with a great user experience needs to come first in all of the company’s decisions.
So, what does a worst-case scenario look like? For the DnR manager, Corporate Security at the CIAM platform company, it’s encountering incidents without a playbook.
“The scariest scenarios are the ones you never envision,” the manager explained. “Anything completely new, when there’s no historical tabletop to reference or tools available. We never want to be in a situation where we don’t have the incident response tools, the exposure, or depth of experience to allow us to take ownership. It’s the unknown.”
Like any service provider faced with the risk of the unknown, the DnR manager considered how to best protect both the company’s product unit and its customers. The team had to ask: Where are the potential gaps? And what does the company need to be focused on to drive business priorities forward?
With most of the team’s experience and exposure in AWS, they needed to find a vendor to augment and expand the company’s cloud monitoring in the newer environments, while continuing to meet customer requirements in existing ones.
The team looked for a provider that would be more than just a vendor, but a partner for the team, and found Expel.
“We saw all the expertise that Expel was bringing right on the blog – publishing and talking about automation, and pushing the envelope forward in security,” the DnR manager shared. “We saw the chance to work with someone aligned on automation and focused on the same security concerns we had prioritized.”
With their interest piqued, the company began the process with Expel – first meeting with sales, then solution architects, and finally sitting down with the DnR team.
“Expel not only covered all of the company’s cloud providers, but really showed us their entire detection strategy,” said a staff security engineer, corporate security at the company. “And, it was really, really good.”
After hearing these sentiments echoed from others in the industry, the CIAM platform company chose Expel as its new managed detection and response (MDR) and security partner.
We saw all the expertise that Expel was bringing right on the blog – publishing and talking about automation, and pushing the envelope forward in security. ”⎯Detection & Response Manager
How Expel helps
Expel Workbench™ proved to be a valuable tool for the company from the onset. Presenting key information in an easy-to-understand interface helped the company’s team to make smart decisions more efficiently.
Expel quickly adapted to the company’s environment and recommended a penetration test. This test early on in the partnership helped the company identify potential gaps and focus on areas of its product that needed additional attention. Expel followed up after the test to discuss and workshop what happened to improve the experience in the future.
The DnR manager said communications like these following any test or incident, with proactive outreach from Expel, is what makes the relationship feel more like a partnership – especially when compared with their previous experience with other providers.
Another area where Expel was able to customize to the company’s specific needs was triaging a subset of Guarduty alerts, triggered by the company’s customers’ making changes in their company tenant (a key product feature). These alerts are noisy, making them difficult to understand and triage due to volume and false positives. The team wasn’t sure if they’d find a vendor that was able to handle their custom use case. Cue, Expel.
Right away, “I was able to share context about our environment right in Workbench, which Expel DnR engineers could use to filter and approve access,” said the DnR manager. “Expel is really on top of our custom requirements for our environment.”
Not only did the services Expel provided meet the company’s contractual language for customer requirements, but the Expel analysts also included answers and recommended next steps with every investigation. This process made it easy for the d team to quickly engage other organizational teams for remediation next steps.
The DnR manager said, “This allowed us to take a deep breath because we didn’t have to become Azure and GCP experts overnight when we initially branched out to becoming multi-cloud. We have confidence in Expel and the detections in place, which gives us the capacity to focus on our backlog for other issues we know we need to invest in — it enables us to scale better.”
I was able to share context about our environment right in Workbench, which Expel D&R engineers could use to filter and approve access. Expel is really on top of our custom requirements for our environment.”⎯Detection & Response Manager
For the CIAM platform company, the benefits became clear as early on as the onboarding process. “Talking to Expel was like talking to someone else on our team,” the manager said. “They knew our environments and the potential threats we were focused on. It was an easy, natural transition.”
Benefits of partnering with Expel
- Streamlined onboarding process and easy transition
- Data-driven reporting right in Workbench
- Transparent and reliable automation, accelerating quality response – giving engineers the time and space to focus on other improvements
- Augmenting detection; in this case, with cloud coverage across AWS, Azure, and GCP
Expel’s visibility and expertise in the cloud has been helpful as the company continues to invest more heavily in multiple cloud infrastructures. While the company continues its strong relationship with AWS, it recognized the need to expand its team’s tooling and knowledge.
Through automated enrichment and correlation, the Expel SOC has the ability to detect potential risks even earlier. Customer context provided by the company team allows the SOC to prioritize the most business critical assets and alerts. So when the Expel team opens an investigation and assigns remediation actions to the company team, they have everything they need to compare with the other systems that Expel isn’t monitoring to understand and deliver on next steps.
Expel’s emphasis on data-driven reporting enables the manager and his team to readily communicate goals and achievements to the company’s leadership. These reports have helped the company identify places where it could be more efficient overall.
The team also regularly analyzes the metrics to hone in on potential areas for improvement — such as identifying common false positives, and why some alerts consistently show up in different environments.
“With the help of Expel, knowing you’re in good hands with a trusted vendor in the space, we are confident that our team can turn their attention to areas where we need to continue building,” the manager said.
With Expel’s transparent platform, reliable automations, and coverage across cloud environments, the company’s security team can shift their focus back to improving their core product to meet (and exceed) the needs of a rapidly expanding customer base.