Transportation company chooses Expel’s 24x7 managed detection and response (MDR) for better visibility and faster response

Transportation company gains full coverage of cloud and on-prem environment, cuts time spent on alerts by 66%.

The company

This privately-held expedited less-than-truckload (LTL) transportation and logistics company specializes in time-definite freight delivery across the US. The organization is committed to exceptional customer service and has earned national recognition, including placement among Inbound Logistics’ Top 100 Motor Carriers, as well as regional accolades for rapid growth and private company leadership.

The situation

Over the past several years, the company has experienced rapid growth. At the same time, the importance of transportation within the US supply chain became increasingly apparent as the COVID-19 pandemic and widely-publicized, targeted cyber attacks impacted supply chains.

As a result of the company’s expansion, increasing transition to cloud infrastructure, and the critical nature of security for both the company and the logistics industry, the director of information technology wanted to build a more proactive approach to cybersecurity.

The company was already security-conscious—its team understood the major risks facing the industry. As the security engineer explained, “In our industry, we see a lot of threats. A ransomware attack could be devastating. We can’t stop moving freight. The downstream impact to our customers, and our customers’ customers would be huge. So we’re monitoring as closely as we can.”

Understanding the severity of these potential threats and wanting to protect its growing cloud presence, the company was extremely cautious about what went in and out of its networks. It had invested in a security technology stack that offered broad coverage across all ingress and egress points. The director had also tapped an internal security engineer to lead a dedicated security function that didn’t rely on the company’s IT operations and engineering team to respond to security concerns.

However, one piece of the puzzle was still missing. The company felt that its existing MSSP was too reactive and didn’t provide the information and visibility that their team needed. Despite receiving alerts from their MSSP, they lacked proper guidance and had to invest substantial time investigating each notification. At times, a three-person team struggled to process more than 1,000 weekly MSSP alerts.

The company faced a costly dilemma: their MSSP’s monitoring was incomplete, particularly in cloud environments, and achieving full coverage would mean paying more for both expanded MSSP services and increased SIEM log transfers.

As a result, the director knew it was time for a change to align with more proactive security goals.

Evaluating options

As the company began to evaluate vendors to replace their MSSP, they knew three things were critically important in their new vendor:

  1. Full integration, visibility, and monitoring across their tech stack, both on-premises and cloud, offering broad coverage across all ingress and egress points. The team didn’t want to risk missing anything due to monitoring gaps, particularly as they transitioned more to the cloud.
  2. Reducing time spent responding to alerts by receiving answers and expertise from their provider, not just alerts thrown back for the company to investigate.
  3. Avoiding the hidden costs they’d experienced with their MSSP while getting broad coverage and valuable alert triage, investigation, and response.

The last item was a major pain point because it prevented their team from focusing on more strategic priorities. As the security engineer said, “Our previous MSSP was only monitoring our SIEM. When an alert was raised, they couldn’t go out to the original source for investigation, so they had to send every alert over to us to research. We were spending six to eight hours investigating every time they sent something our way.”

The company invested in a virtual CISO (vCISO) to help build out their proactive security program. The vCISO then recommended that the director and team speak to Expel.

During a 30-day proof of concept (POC) that coincided with the SolarWinds breach, Expel quickly demonstrated the 24×7 value it could provide, particularly during a period of high concern. Based on the trust established during the POC, the company chose Expel as its MDR and new security partner.

How Expel helped

Through API integration, Expel rapidly deployed comprehensive monitoring of the company’s technology infrastructure. Within days of onboarding, they achieved round-the-clock security monitoring and response coverage across their entire environment.

The security team saw immediate value in their new partnership. Each alert now came with detailed analysis, specific remediation steps, and strategic recommendations to prevent future incidents. The team particularly appreciated the transparency—they could observe investigations unfolding in real-time through their security dashboard, Expel Workbench™, tracking every step of the analysis and response process.

According to the security engineer, “With Expel, when I get an investigation notification, we can just see the work being done in Workbench. And if we have questions, I can pick up the phone and call our dedicated engagement manager to get even more detail on what’s happening. Expel’s detection strategy and Expel-driven alerts raise the value of the alerts we do see and filter out all of the noise that we experienced and would have had to investigate with our previous SIEM-based strategy.”

For context, the company receives over 70,000 alerts from its security tech each month. After Expel’s bots research and triage these alerts, fewer than 40 require further review by Expel analysts, and fewer than 10 require action from the company’s security team.

The organization even put Expel to the test with logins from an overseas service provider operating on the border of two countries, with IP addresses spanning both nations. When a login originated from an IP address on the wrong side of the border, Office 365 blocked the attempt, and Expel promptly delivered both comprehensive incident details and actionable response recommendations.

The security engineer noted, “Expel uses automation to gather as much information as possible. That means Ruxie™ [Expel’s bot that automates investigative actions] can pull info from the EDR tool, our SaaS applications, and the cloud and append all of that right to the investigation. Expel uses my whole stack to paint the picture of what happened, if it’s bad, and what my team needs to do about it.”

This emphasis on communication was another standout feature for the security team. When the Log4j vulnerability arose in December 2021 and the team was working to ensure proper patching, “Expel was proactive in communicating about the IOCs and told us exactly how the SOC was responding,” said the security engineer.

Benefits

Through swift onboarding and seamless integration with their existing technology infrastructure, the company rapidly achieved comprehensive security visibility across their entire environment, eliminating previous monitoring gaps.

Benefits of partnering with Expel

  • 66% less time spent sifting through alerts
  • 24×7 monitoring, investigation, and answers from an expert SOC—extremely helpful for the 56% of alerts occurring after business hours
  • Full visibility across on-prem and cloud environments
  • Integration and signal correlation that amplifies value of existing tech investments
  • Freed time for strategic priorities including accelerating cloud migration, new tech deployment, and improved reporting

Partnering with Expel yielded a significant advantage: the team reclaimed countless hours previously spent investigating alerts, allowing them to focus on strategic security initiatives.

The security engineer and team reduced alert processing time by 66% because “rather than getting a phone call saying ‘here’s an alert, what do you want to do?’ it’s just handled,” they explained. This is particularly important when over half of the company’s alerts come in after hours, and are fully covered by the Expel 24×7 security operations center (SOC).

Working with Expel for detection, response, and remediation has led to faster incident response times and the opportunity to focus on security priorities related to the company’s continued growth.

For the security engineer, this means supporting the company’s continued transition to the cloud. “Cloud migration gives us scalability, expandability, and manageability of our infrastructure,” they explained. “Expel has helped reduce our workload for alerts enough that our next hire can now take over my daily responsibilities so I can do more security engineering work in the cloud.” Time back in their day also enabled the security team to deploy new security tech and improve their reporting.

Another benefit has been the expertise in Expel’s SOC—something lacking at their previous MSSP. Specifically, the Expel team’s technology expertise gives the security engineer confidence to trust Expel to remediate automatically to prevent threats from spreading. The security engineer noted, “We want to make sure we’re getting the value for what we’re spending, and Expel’s ability to auto-remediate helps us save valuable minutes — in an industry where every minute counts.”

Now, when the security engineer and his team see something they don’t quite understand or want more context on, they check out Expel Workbench and, in their words, “Expel is all over it.”

Looking ahead

The company has exciting plans for continued security growth, including moving from a hybrid environment fully into the cloud. For the security engineer, Expel’s leadership in cloud security is a reassurance as they expand in that area.

With Expel’s 24×7 monitoring, investigation, and response, the transportation and logistics company gained the visibility it needed across its environment, enabling the more proactive approach to security that the director envisioned. With Expel’s rapid response and thorough investigations, the team can focus on strategic security priorities like cloud migration, confident they won’t miss the alerts that matter most.