My organization is in the financial services industry and the majority of services that we offer are financial services centric. We operate in or support almost every industry in the marketplace. We store, process, and transmit highly sensitive information. Sometimes that information is premarket. Other times that information is personally identifiable information, personal health information, etc. It is dependent upon our client's requirements. Security is the cornerstone of all that we do. It's in our DNA, as we like to say internally. Being in a position to understand when we are at risk of a cyber attack is paramount.
We have a strong desire to understand who did what, where, when, and why internally. empow's near real-time, high-fidelity security monitoring capabilities are our primary use case. Other use cases revolve around:
- Gaining as much insight from a threat intelligence perspective, being able to correlate that back to an alarm, and doing so in an automated fashion.
- The automated mitigation capability.
- The general reporting and analytics within the platform.
We have a significantly higher confidence in our ability to automate mitigations. We've had technologies across SOAR and cyber threat intelligence integrated into our platforms for over four years now. We would like to tell ourselves that we're reasonably experienced with both of those technology categories.
One of the most impressive accomplishments that we were able to showcase internally was building metrics around the fidelity of our playbooks when they're executed. We have a high degree of confidence that we have the right playbooks in place. It's also worth mentioning that we're a global organization. We are corporate focused, primarily, not consumer focused. We know where our clients are from a geographic perspective, as an example, but our clients travel. We want to be hyperconservative with those mitigation techniques so as not to adversely affect the client experience with our product lines. I was quite surprised, even though we took a very conservative approach initially, at the degree of accuracy: the percentage of false positives was almost zero when the mitigation playbooks were involved. The enablement of automated mitigations that the empow product line has provided us with is incredibly impressive.
One of the most impressive capabilities of the empow product line, to our security analyst team, is just how little maintenance is required to ensure that we are focusing on the right threats. The correlation rules themselves require effectively little to no maintenance from a client perspective, which is tremendous. This is a leap forward compared to other product lines and SIEMs over the last 10 years.
Correlation rule maintenance has been one of the most time-consuming bodies of work required. It is one of the areas where we had a higher degree of risk of focusing on the wrong areas. We spent an enormous amount of time being hyperfocused on ensuring that we had the right correlation rules in place, that the fidelity of those rules was sound, etc. We just can't begin to say how pleased we are that, for the most part, this is no longer something we have to be concerned about.
The power of the AI and the natural language processing capability is best measured by the outputs. The fidelity of the alarms that we receive is just night and day compared to SIEM platforms and other platforms we've used in the past. I also feel it is a leading reason (major theme) why our overall alarm volume is significantly lower, because we deal with far less alert fatigue. We are dealing with far fewer false positives as a direct result of the AI and NLP capabilities.
Our overall false positive rates are significantly lower. It's definitely removed about 60 percent of the total volume of alarms that we have needed to respond to each month over the last year. Also, it's worth mentioning that we spent considerable amounts of time in years past focusing on managing correlation rules, ensuring that we had the right prioritization applied to those rules, that the rules were accounted for, or that they took into account our technology deployments, such as a general shift in our portfolio, adding/removing devices, retiring products and services, and adding new innovative solutions for our customers. This was to the extent that we had a 90-minute session twice a month with a partner of ours dedicated just to that. Today, we don't have any meetings per month focused on correlation rules, as a direct result of our transition to empow.
Their ability to focus on an event with a high degree of fidelity really drives our level of confidence. Therefore, we are quick to respond with a high degree of urgency when we do receive an alarm because we recognize that there is a very high probability that the alarm is accurate and the fidelity is very high. This enables us to focus on other areas throughout the day. However, once we do receive an alarm from empow, we recognize it's something that needs to be responded to with a high degree of urgency.
The integration between Elastic and empow has been quite impressive for a couple of reasons:
- We're a prime example of an organization that must have a high degree of flexibility in its deployments. We have full cloud-native deployments of products and corporate systems. We have on-prem deployments of both. Our cloud deployments span many cloud providers. Therefore, I need to be able to orchestrate and scale my footprint up and down, depending on geography, cloud providers, the tempo of the business relative to the lifecycles of some of our products, and so on and so forth. Having a lot of leverage to pull on Elasticsearch has proven to be very attractive to us for supporting our set of requirements and flexibility.
- They play a big role in making it incredibly easy to plug into other security tools, network platforms, and application platforms, whether they are internally developed or commercial offerings. The API model that the empow product provides has simplified the integration of almost any technology into their product lines.
empow has impacted our network security posture in a truly dramatic way, particularly in that we have a higher confidence, when we are responding to an event, that it is actionable and we should be concerned about it. Secondly, it has positively impacted our network security posture by way of automated mitigations defined within the system. The playbooks that we define, and can take a conservative approach to, help us avoid any negative impact to our clients. The accuracy of those playbooks defines the automated mitigations, and we have a tremendous amount of confidence in them. Those playbooks are triggered daily and that reduces risk. They reduce the amount of time spent to contain and mitigate events. Overall, from a security perspective, there have been quite dramatic steps forward.
It also directly supports our compliance programs. We're very easily able to measure when we have events and what actions were taken because the vast majority of them are addressed through automation.
I had worked using empow with a previous organization, but our requirements were very different. We are definitely enterprise-focused, but we are also corporate user-focused. Our client community is primarily that of mid to large enterprise organizations across the globe. How well a product organization in the services team responds to support calls is critically important. I give empow a lot of very high marks. The responsiveness has been very high, but more important than the responsiveness is the quality and accuracy of their recommended next steps to resolve whatever issue we may have.