Expel brings auto-remediation and 24x7 support to enhance security operations

Privileged access management vendor relies on Expel’s automation, speed, and seamless integration to deliver excellence

The company

A global leader in intelligent identity and access security helps organizations protect identities, stop threats, and deliver dynamic access for a secure work-from-anywhere world. Its advanced privileged access management (PAM) solution enables organizations to quickly shrink their attack surface across traditional, cloud, and hybrid environments and is trusted by 20,000 customers, including 75 of the Fortune 100.

The situation

As the company grew, its leaders had to evaluate the company’s security posture both internally and externally to get a sense of the risk the firm faced. Given the high-stakes nature of its offering, they couldn’t afford to allow a security breach to damage the brand’s reputation—and its bottom line—the same way they had seen incidents impact other large companies. Leadership recognized the critical need for additional threat detection and automated remediation for assets worldwide. This approach was necessary to complement their existing identity and access security solutions for complete coverage of on-premises and cloud assets.

“All the high-profile breaches we saw in the news had the same things in common: the victims hadn’t performed the right level of due diligence across their toolsets and processes, resulting in security gaps,” explains the company’s Director of Information Security. “We decided we needed to strengthen our security efforts to mitigate our risk of attack including future integrations into our own PAM solutions.”

The company sought an adaptable and automated solution for faster detection and remediation to protect the company while keeping up with its rapid growth. In addition to its employee base growing exponentially over the last five years, the company had also gained a more expansive network of third-party and internal solutions that called for increasingly complex integrations. Integrated enterprise-level security information and event management (SIEM) and proper visibility became a top priority to prevent and manage potential attacks.

“Best-in-class security isn’t a one-and-done solution. We made the business decision to continue to build and invest in our program to achieve a high degree of security maturity, because that’s what our business—and, ultimately, our customers—need.”

⎯Director of Information Security

Evaluating options

In its first years of operation, the company employed a do-it-yourself approach to cybersecurity, adding more and more security tools to combat emerging threats. But as those threats grew in complexity and number, this approach was no longer scalable. The team knew that scaling in this way was inefficient and would soon lead to a constant deluge of alerts that would be difficult to investigate and manage on their own. This prompted company leaders to initiate a search for an external, managed security provider to help manage the company’s increasingly complex environment.

“Best-in-class security isn’t a one-and-done solution,” the Director of Information Security explains. “We made the business decision to continue to build and invest in our program to achieve a high degree of security maturity, because that’s what our business—and, ultimately, our customers—need.”

The company needed a solution that monitored a remote workforce with connectivity to both cloud and on-premises applications. They sought a partner that could help protect employee identities by plugging into both its cloud infrastructure and endpoints, while comprehensively monitoring systems and those identities.

The organization selected and onboarded a managed detection and response (MDR) provider with the hope that it would integrate with all the company’s security tools and enable the advanced capabilities it required. However, it quickly became evident that the MDR’s slow response times and inadequate communication approach jeopardized its ability to quickly neutralize threats. “We were limited to communication over email, and multiple days would pass before we received a response from the MDR,” the Director of Information Security explains. “That was a major hurdle. We have to be able to talk to somebody on a 24×7 basis. Basically, we felt like the managed security solution was ghosting us.”

This left the company’s security team constantly wondering what its MDR partner was doing, especially without KPIs and measurables. “In a world where attacks happen so quickly, slow response times make threats very hard to find and stop,” says the Director of Information Security. “We were stressed. It was hard to sleep at night just thinking about what we were missing.” The security team identified auto-remediation and 24×7 support as a “must-have” for its security program.

Eventually, the company faced a difficult choice: whether to renew with its existing partner and try to fix the long list of issues, or start fresh and evaluate alternatives. With the lessons learned from its legacy MDR partner fresh in the team’s mind, the team decided to let its previous partner go and start its search for the ideal MDR partner anew. The firm’s chief security officer (CSO) approached Expel after reading analyst reports in Gartner® and Forrester®. The company saw the uniqueness of Expel early on: “Expel was the only vendor that didn’t require a bunch of proprietary technology to onboard and set up,” explains the Director of Information Security. “It was just plug-and-play. This strategy was new, unique to the market, and scalable. It became evident that that’s exactly where our strategy needed to go.”

“Expel was the only vendor that didn’t require a bunch of proprietary technology to onboard and set up. It was just plug-and-play. This strategy was new, unique to the market, and scalable. It became evident that that’s exactly where our strategy needed to go.”

⎯Director of Information Security

How Expel helps

Expel’s plug-and-play capabilities meant that it easily and directly integrated with the company’s existing technology stack via APIs. Additionally, if Expel doesn’t provide an out-of-the-box integration, the Expel team still finds a way to connect, as it does with the company’s SIEM. Expel accesses security-related logs, providing the security team with the visibility needed to improve detections and contextual data relevant to specific alerts. The time freed up from reviewing SIEM logs and writing rules has allowed the security team to focus on improving processes, migrating new technology, and advancing the company’s overall security posture.

The company was also thrilled with Expel’s rapid response to potential threats, partially enabled by Expel’s bot Ruxie™, which adds enrichment to interesting cases and auto-remediates events that don’t require an analyst investigation. “We just had a scenario where a signal came in from our EDR [endpoint detection and response] technology,” the Director of Information Security explains. “Expel grabbed that alert and kicked off auto-remediation actions within a minute. Potentially hours of work were all reduced into a single action. It was super fast to isolate the risk, which is what we’re looking for.”

Expel’s real-time, comprehensive communication in jargon-free language keeps the security team in the loop without delays caused by incomplete or indecipherable data. The inconsistent communications of previous providers forced the team to waste valuable time asking follow-up questions, sometimes putting them days behind the curve. “Expel provides contextualized alerts in a couple of minutes,” the director says. “And we can ask very specific, significant questions throughout the process to improve and work more efficiently.” Plus, Expel provides the security team with clear and straightforward reports that they can easily share with cross-functional stakeholders, enabling speedy and inclusive decision-making. “Expel frees up all that time we spent monitoring alerts. Now we can actually work on improving our responses and focus on high-fidelity alerts.” With a small security team, the impact of Expel’s solution is significant.

When it comes to cost, Expel also exceeds expectations. “The budget associated with our previous MDR was able to move directly over to Expel,” the director says. “We could reduce an agent and save money, and we were able to reallocate dollars to improve our security posture. The return on investment—the value—that we’re experiencing with Expel as our MDR service is tangible.”

Benefits of partnering with Expel

  • Response time reduced from multiple hours to immediate action in minutes
  • Efficient alert triage promoting only necessary alerts
  • Contextualized, clear, actionable communication
  • Integrations with third-party technology, such as EDR and SIEM, allowing for more flexibility
  • Auto-remediation that allows automated actions on endpoint tools to reduce time to resolution

“Expel frees up all that time we spent monitoring alerts. Now we can actually work on improving our responses and focus on high-fidelity alerts.”

⎯Director of Information Security

Looking ahead

Going forward, the company is looking to expand Expel into other portions of its cloud infrastructure for continued coverage and automation. “As we grow, we’ll want Expel’s expertise and eyes on other parts of our network,” says the director. Security leadership hopes to create even greater connectivity between the company and Expel’s solutions in the future.