This global software company helps its more than 175,000 users organize data, discover the truth, and act on it. Its comprehensive e-discovery platform is used in over 40 countries by the likes of the U.S. Department of Justice, Deloitte and NBCUniversal, more than 70 Fortune 100 companies and 199 of the Am Law 200. The company’s SaaS product offers all the functionality of the on-prem product in a secure and comprehensive package, giving users added flexibility and extensibility during their review process for things like investigations, litigation and lawsuits. When handling billions of highly sensitive documents, security is of utmost importance.
While security had always been a priority for the company, rapid growth and introduction of its SaaS product prompted the management team to create a new security team led by a new Chief Security Officer (CSO).
According to the CSO, “You’ve got to understand your organization’s challenges before you can create a vision for security and refine it across your organization.” The CSO spent those first few months assessing what the company already had in place and learning from key stakeholders. A series of nearly 50 one-on-ones with directors and vice presidents helped her understand the company’s key risks and identify what mattered most to stakeholders.
Once the assessment phase was over, the company completed a gap analysis. When it came to security tools, the CSO was already using or was in the process of implementing Carbon Black, Palo Alto Networks, Recorded Future, RedLock and Splunk. All of those decisions, the CSO recalls, were made after careful review with her team and thorough analysis about what would be the best fit for the company, its product, and its teams.
But as the CSO looked at what it would take to implement that vision for security, she quickly concluded that the company needed a partner whose full-time job was monitoring its environment 24×7. “I just wanted some peace of mind,” the CSO recalls. “I needed someone I could trust, who had an SLA to watch our environment nonstop. I also wanted someone who had used our products across multiple environments and industries to give us a more diverse perspective.”
The company evaluated three different managed security providers: Symantec, Trustwave and Expel. “I wanted to look at one legacy provider and one big name that I hadn’t worked with before,” the CSO said. “But for the third vendor, I wanted to look at a newer player that was innovative and could pivot off of my crazy ideas when I said I want to do ‘this’ or ‘that.’ Cloud is still a new enough arena that we have to be able to reject the norms of security and apply some out of boundaries thinking.”
As the security team put the vendors through their evaluation process, the CSO explains, “it quickly became obvious that one of the MSSPs was barely taking us seriously because we weren’t big enough for them.” In other cases, vendors would show up to calls without people who could dig into the technical details, even when the CSO had warned them to come prepared. “Expel was different. They were totally transparent about what they were going to do for us and how it would work. It was easy for me and the technical team to understand.”
The company ultimately selected Expel because of its passion and approach. In explaining the decision, the CSO says it was rooted in the company’s core values. “We value our spirit of transparency. That’s true across teams, as well as with our third-party partner relationships,” the CSO said. “As I compared the capabilities and strategic direction of the traditional MSSPs and Expel, it quickly became clear that Expel was much more aligned with our own principles.”
How Expel helped
From the beginning, the CSO says, Expel communicated well with the organization and shared its passion. The CSO recounted how, on an early call with Expel, the discussion quickly turned into a detailed back-and-forth on issues that were top of mind for the technical team. “It was great,” the CSO said. “I just muted the line and they solved it.”
That ease of communication has yielded dividends. Recounting one example of how closely the teams collaborate, the CSO recalls, “It was 2:00 a.m. and it was the first time we’d had an incident of interest to examine. Expel alerted on it, and I was able to jump on our Slack channel with the Expel analysts. We got to compare notes even as they were still investigating it. We moved so fast internally that we were able to put blocks in place before anything bad happened.”
In another example, the company observed a signature that they thought should have generated more attention from the Expel team. After raising the issue, a correlation engineer at Expel walked through the rationale and approach in detail. Through that interaction, the company got insight into Expel’s thinking, while Expel took the opportunity to learn more about how the company prefers to work.
“It’s not very often that you’ve got a Slack channel with your CSO, your analyst and your managed security provider all talking together at 2:00 a.m.,” the CSO observed. “It’s a great feeling. It feels like our analysts aren’t alone in the middle of the night.”
When the company talks about the benefits it’s getting from its partnership with Expel, all roads lead back to Expel’s technical know-how, transparency, and passion.
Some of the specific benefits the company has realized include:
Rapid detection and response to threats
One of the biggest benefits the company is getting is the peace of mind that comes with having a trusted partner watching their environment. When Expel detects new threats or suspicious activity, they quickly investigate and resolve them. “From deeply technical team calls to midnight consults via Slack, we can see exactly what they’re doing and we really understand each other,” the CSO said. “This has produced an organic and collaborative relationship in one of the most important functions of our work: ensuring that we keep our customers’ data secure.”
Clear value for the money
The company is also seeing clear value for what they’re paying. They like the fact that Expel is willing to adapt the service to their environment. “The transparency means so much. There’s no haggling, no negotiations. We know exactly what Expel is doing and how they are doing it – so it’s clear to me and my technical team about exactly what we’re getting for our money,” the CSO observed.
The company also sees significant benefit in the experience Expel brings from working with a range of companies across different industries. They like that Expel analysts aren’t “binary thinkers” who are going to blindly follow a playbook. “I like that they say, ‘Hey, I think I saw something similar over here. Let me go check this out,’” the CSO said. “That doesn’t always happen at a larger MSSP. If you push others, the tendency can be to push back at customers, say ‘it is what it is,’ and describe how they followed their 861 guidelines.”
Another, softer benefit is that the company knows it can get answers immediately. In one case, the CSO was reviewing some activity in the Expel Workbench and asked the investigating analyst for more info. The analyst flipped over to the Slack channel and within 10 seconds they were getting a response.
“I’m trusting Expel with my company. Security is about talent and passion. You can’t code these people or their abilities,” the CSO explained. “There’s nothing crazy in my network right now, and with Expel I have peace of mind that nothing is going to get a chance to do much damage in the future.”
A Look Ahead
Now that it has a solid foundation in place with the right monitoring, aggregation of activity, and an intel-driven program, the company is looking forward to focusing on automation and digging in with “hunt missions.” User and entity behavior analytics will bring it all together as the team homes in on what “normal” is and what falls outside the norm.