Achieving 98% noise reduction and 100% peace of mind with Expel

Justin Oldham
Security Operations Manager at mobile food-ordering and delivery marketplace

I didn’t always like computers. In fact, I used a typewriter until the 11th grade. That changed when I joined the military and was assigned to Information Operations. With no experience and super admin credentials, I had to learn on the fly.

My training over my years in service was equivalent to a master’s degree, and when I left military service, I dove into a new field called threat hunting. Throughout my time as a government contractor I became a jack-of-all-trades for a three-letter agency, teaching anything from basic networking to advanced penetration (pen) testing.

Ten years of teaching kept me up to date with much of the latest technologies and techniques within the government. I learned to play to my strengths, and eventually this led me to the private sector.

My experiences proved useful after I joined the information security team for one of the largest food-ordering and delivery marketplaces. ​​I was tasked with responsibilities, including monitoring three technology stacks, generating incident reports, and managing our day-to-day InfoSec operations. I was then promoted to manager of security operations.

The move to manager tasked me with building out a team, and meant a shift in my thinking. The focus was no longer on my self growth but the growth of others, and with a training background, I knew I had to look for opportunities where I could merge the lessons I taught everyday with the organizational tasks of a large enterprise. My move was strategic and a chance for me to get back in the weeds, get my hands dirty again, and apply my knowledge to a new organization. And now I was in charge of bringing others along with me.

I started with a basic premise: good security requires consistent investment from the company and top-level buy-in from the C-suite. The other part of good security comes by building a security culture. The desire to be more secure will then inform every aspect of your operations.

Good security is an investment in the company and requires top-level buy-in from the C-suite.

Our company places security at the heart of our engineering processes, which makes my job easier. Today, if I spot a security issue, I have the support I need to resolve the issue. I have this support because of the investments we made over time. When I was building out my team, I decided to hire a security analyst and a technical project manager. Between the two of them, they would anticipate and prevent cyberattacks while organizing and assigning tasks for incident response and remediation teams. The goal was to respond and stay organized while doing it. Having these positions would allow me to focus on the big picture.

Of course, these team members had to have the technical expertise required to do the job. But just as importantly, these team members also had to have two qualities:

1. The ability to communicate complex ideas. An executive team will only increase a cybersecurity budget or allocate more resources if you can clearly explain the threat and succinctly describe the problem.
2. A hunger to grow. There’s a great deal to master in cybersecurity, and technology moves quickly. Those who succeed are lifelong learners, constantly upskilling and improving their knowledge. The business benefits from that kind of initiative.

As I was finding and onboarding the new security operations team, I had a not-so-secret weapon: Expel, our managed detection and response (MDR) provider.

An executive team will only increase a cybersecurity budget or allocate more resources if you can clearly explain the threat and succinctly describe the problem.

I wouldn’t have been able to do my job without Expel. Even as our team has grown, Expel continues to do a lot of the heavy lifting. The Expel team filtered out unnecessary noise from our alerting, flagging only those events that needed our attention, and reducing the noise to my team by over 98%.

These days, we’ve connected more of our tools to Expel but the advanced automation capabilities from Expel ensure we still only receive the alerts that matter. Recently, our cybersecurity team ran a pen test, and Expel immediately opened an investigation and sent me a notification. The alert included a recommendation to action-defined next steps, and my team followed through with the process. That’s how our teams work together, with one crew transitioning actions to the other. The system worked exactly as expected in a situation designed to take us by surprise.

I’ve learned a lot from working with Expel, especially through tracking activity and investigations in Expel Workbench™, its security operations platform. If a bad actor is trying to exploit an unpatched vulnerability in a new version of a particular software, for example, I can see what they’ve tried and how they’ve failed. Expel weeds out those false positives silently, but they show their work in each investigation so I can see and understand what happened, and even work with the Expel team to determine if we need to do anything differently going forward.

Expel weeds out false positives silently, but they show their work in each investigation so I can see and understand what happened, and even work with the Expel team to determine if we need to do anything differently going forward.

Security is serious business, but the Expel team is personable, and our relationship isn’t merely transactional. Some vendors only pay attention when renewals come around, but Expel always provides support. Our CSM takes my requests like a champ, and handles whatever I throw their way. They also recognize learning opportunities and are quick to fix or address the issue. We all benefit from a respectful back and forth. It’s not, “We know the security better than you do, so we’re not going to listen to you.” It’s more like, “We’re partners in this, so let’s work together.”

An AI-powered SOC maximizes operations

One of Expel’s biggest benefits is its use of automation and AI tools to filter through alerts to determine if there’s something that warrants further investigation from our analysts.

Of the millions of raw alerts we sent to Expel, I can see the number of events they identified to investigate, the number of events AI resolves, and the number of events escalated to a human being to review and investigate. It’s a learning opportunity for me to explore false positives and have conversations with Expel on fresh ways to maximize operations.

I don’t think AI will ever replace an analyst—you have to make sure you’re applying it for the right things—but it can help us focus our time on the events that matter most.

Expel also seamlessly integrates with our other tools, including our AWS environment. Expel ingests the signals from all those other tools and applies what it knows about our environment—as well as aggregated intel from its entire customer base—to only surface actual events that need attention. It improves the ROI of our other security investments.

Expel also seamlessly integrates with our other tools. Expel ingests the signal from those tools and applies what it knows about our environment to surface actual events that need attention. It improves the ROI of our security investments.

Expel helps me sleep at night, by being that 24/7 SOC and identifying the alerts out of millions that require further investigation. Because we have Expel, we can hire strategically in order to best position our cybersecurity program.

A more mature InfoSec team

After two years with my company, I have grown a strong security operations team. Expel was instrumental as we grew this team and honed our security operations strategy. Thanks to Expel, I’ve been able to give my team the tools it needs to succeed.

I am confident that I can further scale the security operations team’s threat response capacity to meet future needs as our company grows, technologies evolve, and new threats emerge. Leveraging Expel has allowed us to tackle big challenges, analyze threat intelligence, and prioritize vulnerabilities, delivering tremendous value to our organization.