Augmenting the SIEM: How RONA’s New Approach Boosted Threat Detection and Response

Patrick Gilbert
Senior Director, Information Security, CISO at Rona


If your only tool is a hammer, you see every problem as a nail. It’s the same with security information and event management (SIEM). If your strategy is to use the SIEM to “log everything just in case”, you have set yourself up for a classic (and expensive) dilemma.

At RONA, we found a solution, which may sound counter-intuitive at first, but ultimately augments the value provided by the SIEM by reducing our ingestion of logs by 75%—and saving on license fees and becoming more proactive along the way. Interested? Read further.

An Ounce of Prevention is Worth a Pound of Cure (Even In IT)

Today’s threat actors are moving faster, and their attacks are growing more sophisticated by the day. From zero-day exploit availability to weaponization and initial compromise of your environment, the race is on and the clock is ticking. The latest digital forensics and incident response (DFIR) reports show total compromise of an environment in under eight hours. Can you react before it is too late? The Gilbert Litmus test (patent pending) is to react in a window of under 20 minutes. This means that, from eye-on-glass alert acknowledgment to remediation, you need to have the situation neutralized in under 20 minutes.

If a SIEM is your only cybersecurity tool, you see everything as a log, and that can cause you to miss signals and alerts critical to your security posture.

If you’re using a SIEM-centric detection strategy—regardless of whether you manage it yourself or pay a co-managed vendor to do the work for you—you’re essentially treating these alerts by yourself. While sophisticated, your correlated alerts are unique to your organisation. You’ve enriched your alerts under your specific conditions (do your log ingestion and use cases keep growing year over year? Why is that?), which comes with the caveat that you are probably the only one to interpret and act on them. When there is a gimme, there is always a gotcha.

But what if you were part of a larger community with access to telemetry data from hundreds of other companies? Cyberattacks don’t happen in a vacuum, and if there’s a new exploit in the wild, it’s going to hit someone quite rapidly in hopes of catching a company off guard. That’s why I believe the best approach to cybersecurity is community-oriented. Technologies used in similar-sized companies are remarkably similar and so are the native alerts that trigger from their security tech stacks. If you can see what is attacking your peers’ environments, you get that much-needed heads-up and can better defend yours. If ever we meet, remind me to tell you the story of how to outrun a bear.

I often see companies that feel the symptoms but don’t treat the underlying disease. It’s the same as in life: an ounce of prevention is worth a pound of cure.

What’s More Cost-Effective Than a Co-Managed SIEM?

It’s very resource-consuming and complex to build and constantly maintain a detection and response strategy around a SIEM. It’s a little like a runaway train: you have to spend more to log more data and then the co-managed SIEM vendor charges more and more to make sense of the logs. Don’t get me wrong, I believe there is a use case for regulatory compliance or to meet the terms of your company’s insurance policy. Custom rules in your SIEM will help you bring context to unique risks to your business, but they are very specific and have surgically targeted log sources.

I came to Canada-based RONA in 2021, and in 2022, we were sold to a private equity firm. I had to reverse a lot of SecOps integrations—and I only had 90 days to do it. I didn’t have the time or the budget to build up a 24×7 SOC bench, so I had to find an alternative.

We were already using a SIEM and logging everything in case we missed something important. It sounds great in theory, but in practice it wasn’t optimal and was horribly resource- and cost-inefficient. We needed a technology-agnostic vendor that could respond, from eye-on-glass alert acknowledgment to remediation, in under 20 minutes—which is about the time it takes to hit a point of no return if you get hit by ransomware.

Automation costs a lot less and is far more effective than triaging alerts manually.

I was also looking for a highly automated solution, because to me automation is the best way to handle an environment where technology, the volume of data, and required skill sets are constantly changing. That supplier is Expel. The automation built into Expel takes all the noise, filters and shapes it, and adds context regardless of changes in tools or security architecture.

Real-Time, Tech-Agnostic, Automated Cybersecurity

Expel is tech-agnostic, with extensive APIs that integrate with our existing security tech stack, including signal from our endpoint detection and response (EDR) tool, network tooling, SaaS apps and SIEM. With Expel, onboarding was surprisingly easy. We didn’t have to upend everything we were doing to migrate, which was a tremendous benefit, given our accelerated time frame.

Leading indicators provide real-time insight into your infrastructure, while lagging indicators remain buried in logs.

Then there’s the matter of real-time alerts. SIEMs serve up a never-ending quantity of logs and alerts. Even if you’re able to detect malicious activity, it’s probably getting lost in the rest of the noise. Once the SIEM log is correlated, it essentially becomes a lagging indicator. Expel leverages leading indicators through native API-based integrations with our current security stack, which then provides real-time insight into what is currently unfolding in your environment. It detects a problem as it’s developing, giving teams a chance to remediate the situation under that 20-minute mark.

Finally, Expel gives us centralized eyes-on-glass cybersecurity. We can monitor our systems 24/7 and react in a live environment. We also have the benefit of sharing Expel with hundreds of other customers. Expel Workbench™, the company’s security operations platform, leverages telemetry data from our security peers, helping it learn and alerting us to new cybersecurity threats before they can breach our systems. With our SIEM-based approach, we were completely on our own. Nobody was tapping us on the shoulder to warn us about what was coming, which left us open to risks.

But through the API-led approach and streamlining our signals through Workbench, we no longer need to log everything through our SIEM. We got the visibility and data we had always hoped for, and focused the logs our SIEM ingested, which reduced costs and hands-on management. Logging only very specific use cases in our SIEM (and ingesting 75% less data) allowed us to focus our efforts on areas like asset management and ensuring that we covered all of our assets. Expel’s approach was delivering both external intel and internal monitoring that combined to dramatically improve our posture and be far more proactive in our approach.

The Value of the Human Element

We use a suite of Expel tools, including Expel® Managed Detection and Response (MDR), to protect our on-prem infrastructure, cloud infrastructure, and Microsoft Office applications, and Expel® Phishing to triage incoming emails and identify accounts that may have been targeted or compromised. Just like large language models (LLMs) are able to rationalize and synthesize large amounts of data for informed decision making, Expel uses bots like Josie® and Ruxie™ to normalize vast amounts of signal from your security tooling to bring a SOC analyst the exact context they need to make high-stakes decisions, fast.

My internal SOC team works closely with the Expel team via Slack. Together, we triage threats, and if a problem exceeds our capacity to resolve it, we request help from their team. Sometimes, they’ll alert us to an emerging threat in other environments so we can take action and patch our systems before we get hit.

On many occasions, we learn from their “ninjas.” Despite having a small team, we are currently leveraging Expel to help grow our internal team and recruit and train from within our organisation. By working so closely with the experts at Expel, my crew is upskilling and learning every day. The collaboration is awesome, and one of the additional benefits from adopting Expel.

Staying Ahead of the Threats

Like many organizations, we had the mission to consolidate our vendors and platforms. Expel offers a comprehensive live dashboard in Workbench that allows me to see telemetry data from different tools and devices across my stack. Expel collects and consolidates data from all of them in a centralized single pane of glass—and the platform also removes the need for us to manage our own detection library, which would be very time consuming. Expel constantly writes and publishes new detections and we can access that detection library right in Workbench.

Expel’s automated detections take the lead on any alerts that come in. They investigate, triage, and only push actual issues to us for review. For example, we’ve had more than 43 million live alerts and events since we deployed Expel in April and increased our coverage of IT assets to 99%. Of those 43 million, Expel bots triaged and closed nearly all of them (99%) as benign. The bots prioritized fewer than 1,500 alerts to the human Expel SOC analysts to review and supported their investigations with information and analysis that I can see right in Workbench. My team was left with only some 20 Expel-enriched investigations and remediation actions to follow up on.

Expel bots and their human analysts have enabled my team to respond and fix issues, on average, in 20 minutes or less. If we were only running an in-house SIEM, we’d have less telemetry data. We’d be suffering from alert fatigue as we struggled to decipher what’s important and what’s not, responding to events after the fact and contributing to team burnout.

Another pain point for us was dealing with phishing. I asked Expel if they could do something about the situation, and they have, with Expel Phishing. The process is automated using the same template for MDR, and their team supports it as well. It costs us less time and less money for Expel to handle phishing than if we were to develop something in house or pay external hires to do it. Expel puts us ahead of the curve at a price we can afford.

SIEMs Can Be Powerful, But Expel Makes Them Even Better

Malicious actors know when to strike. I have a heat map in the Expel Service Review Dashboard so I can see when alerts fire. As you might have already guessed, threat actors attempt attacks after 3:30 on a Friday afternoon, when everyone wants to go home (or has already left).

The true value of Expel is that it provides visibility at all times and enables us to be proactive and stay ahead of threats. If you’re using a standalone SIEM, your network manager won’t get the mobile alert in time when your system is breached. But if you’re using a service like Expel in addition to your SIEM, you’ll have advance knowledge of what might be coming and take some simple precautions so you can enjoy your weekend.

To succeed in cybersecurity, you need to improve your signal-to-noise ratio. That means eliminating superfluous data and focusing on what matters, like real-time telemetry sourced using APIs from your security tech stack. Expel allows us to target and resolve issues before they can take out our IT infrastructure, with automated tools and expert human advisors that point us in the right direction, regardless of the situation.